Thursday, June 01, 2017

How vulnerable are these card processing systems? 
Kmart Payment Systems Infected With Malware
Big box department store chain Kmart informed customers on Wednesday that cybercriminals may have stolen their credit or debit card data after installing malware on the company’s payment processing systems.
Kmart, a subsidiary of Sears Holdings, has not provided any information on which stores are affected and for how long hackers had access to its systems.  The retailer operates more than 700 stores, but blogger Brian Krebs learned from his sources in the financial industry that the breach does not appear to impact all locations.
It’s unclear what point-of-sale (PoS) malware has been used in the attack, but the retailer has described it as “a new form of malware” and “undetectable by current antivirus systems.”
The company’s investigation showed that names, addresses, social security numbers, dates of birth, email addresses and other personally identifiable information (PII) have not been compromised.  Kmart believes the attackers may have only accessed payment card numbers.
   This is not the first time Kmart discloses a data breach.  In October 2014, the company told customers that their credit and debit cards may have been stolen after hackers installed malware on payment systems.

Don’t knock Social Security.  At least they did something!  Maybe in a few years they will catch up to NIST.
Social Security Administration Adopts What NIST is Deprecating
As of June 10 2017, users of the Social Security Administration (SSA) website will be required to use two-factor (2FA) authentication to gain access.  Potentially, this could affect a vast number of American adults, who will be required to enter both their password and a separate code sent to them either by SMS or email text.
What is surprising is that in July 2016, NIST deprecated SMS-based 2FA in special publication 800-63B: Draft Digital Identity Guidelines.  It should be noted this is still a draft, and not yet a formal standard that government agencies are required to meet; but nevertheless, it specifically says, "OOB [2FA] using SMS is deprecated, and may no longer be allowed in future releases of this guidance."  It seems strange, then, that the SSA should introduce precisely what NIST deprecates.

Silicon Valley jumps on this every year, so it is probably worth a look.
Annual Internet Trends Presentation from Mary Meeker – 2017
by Sabrina I. Pacifici on May 31, 2017
“Here are a few initial takeaways via TechCrunch:
  • Smartphone sales and Internet penetration growth are both slowing
  • It’s not really a “shift to mobile” as much as “the addition of mobile”, since desktop usage hasn’t declined much while mobile usage has skyrocketed to over three hours per day per person in the US
  • There’s still more time spent on mobile than ad spend, indicating forthcoming windfalls for mobile ad platforms
  • Google and Facebook control 85% of online ad growth
  • Internet ad spend will surpass TV spend within six months
  • Streaming music led by Spotify surpassed physical music sales, giving recorded music its first revenue growth in 16 years
  • eSports are exploding, with viewing time up 40% year over year, and an equal number of millennials strongly preferring eSports vs traditional sports
  • Email spam with malicious attachments is exploding as cloud usage increases, so be careful what you click
  • Tech companies drive wealth creation in China, where people pay for livestreaming, and bike sharing usage is skyrocketing
  • Falling data costs are driving increasing Internet adoption in India, but smartphone prices remain too high
  • 60% of the most-highly valued tech companies in America were founded by first or second generation Americans while 50% of the top private startups were founded by first-gen immigrants…”

The start of a trend?
Rebecca Yergin writes:
On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.
Read more on Covington & Burling Inside Privacy.

Not intended to be amusing.
China’s New Cybersecurity Law Leaves Foreign Firms Guessing
As China moves to start enforcing a new cybersecurity law, foreign companies face a major problem: They know very little about it.
   The law would require that companies store their data within China, and would impose security checks on companies in sectors like finance and communications.  Individual users, meanwhile, would have to register with their real names to use messaging services.
But Mr. Chang said that officials had conveyed “less than half” of the specifics of how the law would be implemented.
“A wide range of companies are doing data transfers — it’s the lifeblood of their business,” he said.
Executives have complained that the wording of the law is ambiguous, fearing that it gives China’s ruling Communist Party substantial leeway to target them.

(Related).  Perhaps this will eventually help.
The Global Law Search Engine
by Sabrina I. Pacifici on May 31, 2017
“Global-Regulation Inc. Vision: To make all of the world’s laws accessible to users in a way that’s as easy as a Google search.  The Global Law Search Engine – Search 1,610,446 laws from 90 countries, in English.  Find, compare and analyse more than 825,000 laws translated into English from 26 languages.  If our database was a book it would be approximately 7.67 million pages (2,108,193,898 words).” 

Perspective.  I had not considered the impact on organ donation.  A good article to start the debate.
How Robo Cars Will Impact Everything Else
• Programmers will be forced to make life-and-death decisions in advance, until regulators create guidelines.  For example, if a pedestrian darts out in front of a passenger-carrying robo-car, should the computer prioritize the life of the passenger or the pedestrian?  Does it matter if there are two pedestrians and one passenger?  Will consumers embrace self-driving cars that don’t give their lives, and their lives of their families, top priority in all cases?
• Waiting lists for organ donations will grow longer, as car accidents, especially fatal ones, become rarer.

Okay, Blockchain has arrived.
$35 Million in 30 Seconds: Token Sale for Internet Browser Brave Sells Out
Brave, the upstart web browser founded by Mozilla co-founder Brendan Eich, completed an initial coin offering (ICO) today that is likely to be distinguished for its speed and earnings.
Overall, the sale for Brave's ethereum-based Basic Attention Token (BAT) generated about $35m and was sold out within blocks, or under 30 seconds.

Somehow, I have little sympathy for anyone who could not out poll Donald Trump.  This seems far more like “sour grapes” than I would have expected.  How long will we need to listen to this whining?
Hillary Clinton Was the First Casualty in the New Information Wars
The former presidential nominee made her case that a Russian-backed “conspiracy” to “weaponize” social media took down her campaign.
   “I take responsibility for every decision I made,” Clinton said, “but that is not why I lost.”

No comments: