Saturday, December 16, 2017

Coming soon to an airport near us?
Australian airport hack was “a near miss” says government’s cybersecurity expert
A 31-year-old Vietnamese man has been jailed for a hacking attack that compromised the computer network of Perth International Airport, and reportedly resulted in the theft of building plans and sensitive security protocols.
Alistair MacGibbon, cybersecurity advisor to Australian Prime Minister Malcolm Turnbull, told local media that “a significant amount of data” was taken by the hacker, although radars and other systems linked to aircraft operations were not accessed.
… What is perhaps most interesting to us is just how the hacker managed to breach sensitive computer systems at the international airport.
The answer is sadly predictable. The hacker simply used the login credentials of a third-party contractor to gain unauthorised access to what should have been a well-secured network.
… it should never be acceptable for someone to log into a corporate network remotely with just a username and password. At the very least, additional measures such as two-factor authentication and IP whitelisting can be used to reduce the chances of an unauthorised hacker crowbarring their way onto the network.
In the case of this particular attack, with the hacker apparently being based in Vietnam, a simple geo-IP lookup could have ascertained that an attempt was being made to log into the airport’s network from a country where external contractors may not be expected to be located.
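The two controls the excerpt lists (a second factor on every remote login, and a check of the source address against an allowlist and an expected-country list) are easy to turn into a review of remote-access logs. The script below is an added example and is not code from the article or from the airport; the log format, the account names, the addresses and the prefix-to-country table that stands in for a geo-IP database are all constructed for the example.

```python
"""
Added example (not from the article quoted above): review remote-access login
records and flag contractor logins that (1) used only a password with no
second factor, (2) came from a source address outside the account's IP
allowlist, or (3) geolocate to a country where no contractor is expected.
Log format, account names, addresses and the geo-IP table are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for a geo-IP database: prefix -> ISO country code.
GEOIP_TABLE = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "AU",
    "192.0.2.0/24": "VN",
}

# Per-account policy (constructed): where each contractor may connect from.
CONTRACTOR_POLICY = {
    "contractor.hvac": {"allowed_cidrs": ["203.0.113.0/24"], "allowed_countries": {"AU"}},
    "contractor.cctv": {"allowed_cidrs": ["198.51.100.0/24"], "allowed_countries": {"AU"}},
}

# Constructed remote-access log: timestamp user src_ip result mfa=<yes|no>
SAMPLE_LOG = """\
2017-12-14T02:11:05Z contractor.hvac 203.0.113.17 success mfa=yes
2017-12-14T02:14:40Z contractor.cctv 198.51.100.9 success mfa=no
2017-12-14T03:02:12Z contractor.hvac 192.0.2.44 success mfa=no
2017-12-14T03:05:00Z contractor.cctv 192.0.2.44 failure mfa=no
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    src_ip: str
    reasons: list


def lookup_country(ip):
    """Map an address to a country via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "??"  # unknown location is treated as not allowed


def in_allowlist(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def review_logins(log_text, policy=CONTRACTOR_POLICY):
    """Return a Finding for every successful contractor login that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, result, mfa = line.split()
        # Only successful logins by accounts covered by the contractor policy
        if result != "success" or user not in policy:
            continue
        rules = policy[user]
        reasons = []
        if mfa != "mfa=yes":
            reasons.append("no second factor")
        if not in_allowlist(src_ip, rules["allowed_cidrs"]):
            reasons.append("source not in allowlist")
        country = lookup_country(src_ip)
        if country not in rules["allowed_countries"]:
            reasons.append(f"unexpected country {country}")
        if reasons:
            findings.append(Finding(ts, user, src_ip, reasons))
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f.timestamp, f.user, f.src_ip, "; ".join(f.reasons))
```

On the constructed log the first login passes all three checks, the second is flagged only for the missing second factor, and the third trips all three rules. The failed attempt is skipped here; in production it would be worth counting too, since repeated failures from an unexpected country are an early signal on their own.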

Is this the future?
Estonia, the Digital Republic
Its government is virtual, borderless, blockchained, and secure. Has this tiny post-Soviet nation found the way of the future?

For my Data Management students.
Study Examines Value of Data
In mitigating an asset-risk by risk transfer (such as an insurance policy), the value of the asset is directly related to the cost of the transfer (the insurance premium). The same principle should be applied to other forms of risk mitigation, such as defending the asset. Where the asset is data, an information security policy should reflect the value of the data -- but this assumes that the value of data is understood.
Trustwave, a Chicago, IL-based threat, vulnerability and compliance management firm, wanted to see how organizations value the prime categories of the data they hold -- which it assumes to be personally identifiable information (PII), payment card data (PC), intellectual property (IP), and email content information. It commissioned Quocirca to analyze the financial value placed by different industry segments in different geographical regions on these four categories of data. Five hundred IT and risk managers were surveyed in the U.S., Canada, Australia, Japan and the UK (100 for each region).
Two specific metrics are used in the ensuing report (PDF): the per capita value (PCV) for data; and a data risk vigilance (DRV) score. PCV is calculated by dividing the overall value of a data set by the number of records it contains. It consequently provides a subjective view for each organization. The same principle was also applied to discover the comparative data PCVs for the criminal fraternity and regulators.
The second metric, the DRV score, isn't simply a question of security budgets, but aggregates ten factors -- four relating directly to risk, four to data value assessments and two to the impact of data theft.

Looks like we don’t have universal agreement on this topic.
Radio NZ reports that John Edwards, New Zealand’s Privacy Commissioner, has taken a position opposing the United States in its case involving information held in an Irish centre owned by Microsoft.
America’s government wants to access private information about a US citizen accused of drug trafficking, which is held in an Irish centre owned by Microsoft.
Rather than asking Ireland to hand over the information, the government wants to seize it under US search warrant laws.
Mr. Edwards’s submission took the position that if the U.S. were to prevail, that would enable them to seize information held in New Zealand under a U.S. search warrant, which is… well… not acceptable.
How many countries have to push back against the long arm of a U.S. search warrant, and will the U.S. Supreme Court care what they say/think?

“If we don’t say these words out loud, people will forget they exist.”
CDC gets list of forbidden words: fetus, transgender, diversity
… Policy analysts at the Centers for Disease Control and Prevention in Atlanta were told of the list of forbidden words at a meeting Thursday with senior CDC officials who oversee the budget, according to an analyst who took part in the 90-minute briefing. The forbidden words are “vulnerable,” “entitlement,” “diversity,” “transgender,” “fetus,” “evidence-based” and “science-based.”

For my Spreadsheet and my Statistics students.

I’m going to save this for later…

An update on the Dotcom case.
New Zealand judge dismisses 7 of Kim Dotcom's 8 arguments against extradition to US
… The arguments were part of Dotcom's appeal of a High Court decision made earlier this year, which states that he is eligible to be extradited to the US. That appeal will be heard in February, according to the New Zealand Herald.
… The eighth argument, which was allowed to remain, involves a decision by the deputy solicitor-general in June to order that clones be made of the electronic devices seized from Dotcom's home, so that they could be sent to the US.
… Dotcom has been fighting extradition to the US since 2012, when his now defunct Megaupload file-hosting site was shut down by the US government and Dotcom and his associates were arrested in New Zealand.
