Monday, October 09, 2017

A short “How to fail my computer security class” look at Equifax.
Five takeaways from Equifax's brutal week
… The company took more than two weeks to publicly disclose the breach, Smith said, because Equifax’s outside counsel, King & Spaulding, and cybersecurity firm Mandiant advised the company to first have a plan in place to protect consumers affected by the breach. [So much for thinking ahead. Breaches WILL happen, so why not do at least some planning (or thinking) in advance? Bob]
… Hackers exploited a vulnerability in a version of Apache Struts software that was used by Equifax but had not been patched, despite a March alert from the Department of Homeland Security (DHS) directing companies to apply the patch.
… The individual designated to notify personnel to apply the patch failed to do so, Smith said. [Why not share DHS notices with more than one person? Bob]
… Smith also revealed that the personal data accessed was not encrypted at the time it was accessed, prompting further scrutiny. [That would have been their ‘Get Out of Jail’ card! Bob]
… Smith offered up little information on the hackers behind the breach, repeatedly referring to an FBI investigation. When questioned, Smith would not rule out that the hackers were sponsored by a nation state.
“We've engaged the FBI at this point, that's all I'll say,” he said Tuesday.
Bloomberg reported last week that hackers used techniques that have been previously linked to state-sponsored hackers.
While Smith said that investigators tracked the IP addresses of the criminals, he said their identities and whereabouts remain unknown.
Smith did, however, acknowledge the sophistication with which the criminals moved through the company’s system, evading the company’s security personnel for more than a month. [139 days by my count. Bob]
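A worked example added here, not code from the article, from Equifax, or from this blog: the "someone forgot to apply the patch" failure is easier to catch when the check is automated rather than assigned to one person's inbox. The script below reads a Maven `pom.xml` (a constructed sample), compares each pinned dependency against an advisory table of minimum patched versions, and reports anything below the bar. The `struts2-core` minimum version in the table and the sample pinned version are placeholders, not real advisory data; a real run would load the advisory table from the vendor or DHS notice.

```python
"""Dependency-inventory check: flag a pinned library version that sits below the
minimum version an advisory tells you to upgrade to.

Added example for this post; not Equifax's tooling. The advisory table and the
pom.xml below are constructed placeholders, not real advisory or project data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample build file; the pinned versions are illustrative only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# PLACEHOLDER advisory table: (groupId, artifactId) -> minimum patched version.
# Real values must come from the actual vendor/DHS advisory; these are made up.
ADVISORY_MIN_VERSION = {
    ("org.apache.struts", "struts2-core"): "2.3.99",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Split '2.3.1' or '2.5.10.1' into a tuple of ints for comparison.

    A trailing qualifier such as '-SNAPSHOT' is not compared textually; the
    version is simply treated as older than the same numeric release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    has_qualifier = bool(m.group(2))
    return nums, 0 if has_qualifier else 1


def version_lt(a, b):
    """True if version a is strictly older than version b (2.3 == 2.3.0)."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, qa) < (nb, qb)


def find_outdated(pom_xml, advisory=ADVISORY_MIN_VERSION):
    """Return one finding per dependency pinned below its advisory minimum."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        ver = dep.findtext("m:version", namespaces=NS)
        minimum = advisory.get((gid, aid))
        if minimum and ver and version_lt(ver, minimum):
            findings.append(
                {"artifact": f"{gid}:{aid}", "pinned": ver, "minimum": minimum}
            )
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_POM):
        print(f"OUTDATED {f['artifact']}: pinned {f['pinned']} < required {f['minimum']}")
```

Run it in CI against every build file and fail the build on any finding; that way the advisory is enforced by the pipeline rather than by whichever single employee happened to receive the notice.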

(Related). Compare and contrast.
Disqus Demonstrates How to Do Breach Disclosure Right
… I first saw the Disqus data first thing Friday morning my time in Australia. Verification wasn't difficult because my own record was in there (there's nothing like finding your own data in a breach to help expedite verification!). I reached out to an existing contact I had at Disqus via email as soon as I had a reasonable degree of confidence that the data was accurate (a couple of hours after I received it). From that moment, the timeline in their public disclosure began, which I highlighted in this tweet:

U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016
The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.
The OIG’s audit focused on 18 of 54 suspected or confirmed breaches discovered by FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.
The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG). [Something every organization should have? Bob]
It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.
A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.

Can the Internet use broadcast radio and TV rules?
Democrat senator pushes for transparency on social media political ads
Sen. Amy Klobuchar (D-Minn.) said Sunday that she is working on legislation that would mandate online political advertisements be subject to the same rules as broadcast ads.
“And the rules that apply for ads when they’re put on TV or radio, where you have to register them and say how much you paid, that doesn’t apply to these online ads. And so our laws need to catch up with what’s going on with our campaigns,” Klobuchar told CNN’s “Reliable Sources.”
The effort comes amid the growing controversy over Facebook’s political advertising during the 2016 election.

Perspective. A look at our future?
Cash is already pretty much dead in China as the country lives the future with mobile pay
  • Mainland Chinese stores and services are increasingly centered around mobile pay apps like WeChat Pay and Alipay.
  • Chinese mobile payment volume more than doubled to $5 trillion in 2016, according to Analysys data cited by Hillhouse Capital.
  • Mobile pay is growing so rapidly in mainland China that as a foreigner, I sometimes found it difficult to complete basic transactions without it.
  • The dominance of mobile transactions lends itself to greater data collection by the Chinese government.

Perspective. A bit rambling, but quite interesting.
The secret lives of children and their phones

For my Spreadsheet students.
Excel’s Custom View setting makes it easy to view specific information on a crowded spreadsheet or to create different layouts for your data. You can use it to create custom headers or footers, create a print-friendly version of your spreadsheet, or you can create a view in which freeze panes or split rows are activated.
