Sunday, February 18, 2018

A reminder: Just because we rarely see their name in the list of ‘usual suspects’ does not mean they aren’t capable.
Saudi foreign minister calls Iran most dangerous nation for cyber attacks
… Asked who he believed was the most dangerous nation in terms of cyber attacks and Al-Jubeir was unequivocal.
"The most dangerous nation behind cyber attacks? Iran," Al-Jubeir said.
"Iran is the only country that has attacked us repeatedly and tried to attack us repeatedly. In fact they tried to do it on a virtually weekly basis."
… Last September, the U.S. Treasury Department added two Iran-based hacking networks and eight individuals to a U.S. sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system in 2012 and 2013, Reuters reported.

(Related) Our allies have some skills too.
… The hack had targeted Belgacom, Belgium’s largest telecommunications provider, which serves millions of people across Europe. The company’s employees had noticed their email accounts were not receiving messages. On closer inspection, they made a startling discovery: Belgacom’s internal computer systems had been infected with one of the most advanced pieces of malware security experts had ever seen.
As The Intercept reported in 2014, the hack turned out to have been perpetrated by U.K. surveillance agency Government Communications Headquarters, better known as GCHQ. The British spies hacked into Belgacom employees’ computers and then penetrated the company’s internal systems. In an eavesdropping mission called “Operation Socialist,” GCHQ planted bugs inside the most sensitive parts of Belgacom’s networks and tapped into communications processed by the company.

For my future managers: How do you fail to notice that you only sent 100,000 letters to notify 600,000 people? I would never call this a programming error; the program correctly did what the manager asked it to do.
Jack Corrigan reports:
A programming error kept the IRS from notifying hundreds of thousands of identity theft victims about criminals using their Social Security numbers to get themselves jobs in 2017, according to an internal investigation.
Last year, more than half a million Americans had their identities used by others to get hired, but only first-time victims received a notification from the IRS, the Treasury Inspector General for Tax Administration found. As a result, nearly 460,000 previous victims of employment identity theft were left in the dark about their information getting stolen yet again.
“Most identified victims remain unaware that their identities are being used by other individuals for employment,” TIGTA wrote in its report.
Read more on NextGov.
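As an added illustration, not code from the IRS or the TIGTA report: a notification batch that reproduces the selection defect described above (only first-time victims are mailed) next to the coverage check a batch owner would run before releasing the mailing. The VictimRecord fields, all records, and the 1000:1 scaled counts are constructed.

```python
# Added example (not from the article): a notification batch with the selection
# defect the TIGTA report describes, and the reconciliation gate that would have
# caught it before any letters were mailed. All records below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class VictimRecord:
    victim_id: str        # hypothetical opaque case id, not an SSN
    prior_notice: bool    # True if this person was already notified as a victim in an earlier year

def select_as_shipped(victims):
    """Defective selection: only victims with no prior notice are mailed."""
    return [v for v in victims if not v.prior_notice]

def select_fixed(victims):
    """Correct selection: every victim identified this year is mailed."""
    return list(victims)

def reconcile(victims, recipients):
    """Coverage gate: compare the mailing list against the victim population.
    Returns the figures the batch owner must sign off on before release."""
    victim_ids = {v.victim_id for v in victims}
    recipient_ids = {r.victim_id for r in recipients}
    missing = victim_ids - recipient_ids
    # Break the gap down by prior-notice status so the shape of the defect is visible.
    missing_repeat = sum(1 for v in victims if v.victim_id in missing and v.prior_notice)
    return {
        "victims": len(victim_ids),
        "letters": len(recipient_ids),
        "missing": len(missing),
        "missing_repeat_victims": missing_repeat,
        "release_ok": not missing,
    }

def constructed_population(first_time=100, repeat=460):
    """Constructed sample, scaled down 1000:1 from the figures quoted in the post
    (about 100,000 first-time victims mailed, nearly 460,000 repeat victims not)."""
    return [VictimRecord(f"V{i:04d}", prior_notice=i >= first_time)
            for i in range(first_time + repeat)]

if __name__ == "__main__":
    pop = constructed_population()
    print(reconcile(pop, select_as_shipped(pop)))   # release_ok False, 460 missing
    print(reconcile(pop, select_fixed(pop)))        # release_ok True, 0 missing
```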

For my “Why you need a lawyer” lecture.
Revision Legal has a post about insider leaks. The article starts by discussing the Morrisons case in the UK, where an employee vindictively leaked data. In a ruling that surprised many, the court held that although Morrisons was a victim of their employee, other employees who sued Morrisons could hold Morrisons liable:
This creates, in effect, a form of strict liability for an employee data leak (at least in the UK). If the ruling is upheld, Morrisons will face a massive legal liability and, without question, the remaining 94,500 employees will join the class action or file their own lawsuits. Further, it is possible that British regulators will follow the court’s ruling and impose heavy regulatory fines and penalties.
The article then turns to legal principles in the U.S. that would relate to holding an employer liable for an intentional leak by an employee. As the authors note, it’s “complicated.”
Read more on JDSupra.

Just in time for the chapter on Law & Regulation.
David M. Stauss and Gregory Szewczyk of Ballard Spahr LLP write:
As we first reported in our January 22, 2018, alert, the Colorado legislature is considering legislation that, if enacted, would significantly change Colorado privacy and data security law. On Wednesday, February 14, 2018, the bill’s sponsors submitted an amended bill that addresses issues raised by numerous stakeholders, including Ballard Spahr. The amended bill also was heard before the House Committee on State, Veterans, and Military Affairs, where it was unanimously approved.
The most significant changes are highlighted below.
Read more on The National Law Review. And yes, read more: the proposed state law overlaps with HIPAA and GLBA in interesting ways but also differs from them. And if adopted, HIPAA-covered entities would no longer have a 60-day window from discovery to notify – they might have only 30 days.

Now we have to depend on the Postal Service to safeguard the elections? So I have to get a code for Facebook before I can place an ad like “Bob for President.” Can I get that code now? I don’t want to wait until Russia sends me the text of the ad they want me to run. (Let’s hope no one else reads this “secret” code that is written on the postcard!)
Facebook plans to use U.S. mail to verify IDs of election ad buyers
Facebook Inc will start using postcards sent by U.S. mail later this year to verify the identities and location of people who want to purchase U.S. election-related advertising on its site, a senior company executive said on Saturday.
… The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook’s global director of policy programs, said. The requirement will not apply to issue-based political ads, she said.
“If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States,” Harbath said at a weekend conference of the National Association of Secretaries of State, where executives from Twitter Inc and Alphabet Inc’s Google also spoke.
“It won’t solve everything,” Harbath said in a brief interview with Reuters following her remarks.
But sending codes through old-fashioned mail was the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else, Harbath said.
