Thursday, June 28, 2018

Another ‘under the radar’ data aggregation firm screws the pooch. Another breach the company had to be told about! Just in time for my new Computer Security class to examine their errors. (Rather depressing how frequently this happens.)
Exactis said to have exposed 340 million records, more than Equifax breach
If you're a US citizen, your personal information – your phone number, home address, email address, even how many children you have – may have just become easily available to hackers in an alleged massive data leak.
Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million individual records on a publicly accessible server, Wired reported. Earlier this month, security researcher Vinny Troia found that nearly 2 terabytes of data was exposed, which seems to include personal information on hundreds of millions of US adults and millions of businesses, the report said.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired.
… Because Exactis hasn't confirmed the leak, and the data is reportedly no longer accessible, it's hard to know exactly how many people are affected. But Troia found two versions of the database that each had around 340 million records, with roughly 230 million on consumers and 110 million on business contacts, according to Wired. Exactis says on its website that it has over 3.5 billion consumer, business and digital records.
The data leak is noteworthy not only for its breadth, but also for the depth of information the records have on people. Every record reportedly has entries that include more than 400 variables on characteristics like whether the person smokes, what their religion is and whether they have dogs or cats. But Wired noted that in some instances, the information is inaccurate or outdated.

Dan M. Clark reports on six major actions Equifax agreed to take to settle eight states’ charges against them over the 2017 data breach. From his report, because I cannot find a copy of the actual consent decree online just yet:
  • The company’s board members will have to review and approve a written risk assessment plan for future digital threats.
  • Equifax will also have to improve oversight of its information security program.
  • The board is also tasked with reviewing digital security policies and keeping them up to date and applicable to current threats.
  • An audit committee of the Equifax board will also be tasked with evaluating information technology controls at the company.
  • Similar rules apply to vendors with the company.
Read more on New York Law Journal.

Dan Clark reports:
Credit reporting agencies will now be required to register with the state and comply with its cybersecurity regulations, the state Department of Financial Services announced Monday.
The new rules are the state’s response to last year’s data breach at Equifax, a credit reporting agency, that exposed the personal information of 143 million people. If a credit reporting agency is found to have violated the new regulations, the DFS will now have the power to block them from serving New York state residents.
Under the new rules, any credit reporting agency that ran more than 1,000 credit reports in New York state in the last year will have to register with the DFS by the beginning of September and then again at the beginning of February each year.
Read more on New York Law Journal (free sub. required).

The ignorant leading the incompetent?
UK Publishes Minimum Cyber Security Standard for Government Departments
The UK government's Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes 'organizations, agencies, Arm’s Length Bodies and contractors'); but provides an excellent security checklist/framework for all commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes – but is not entirely devoid of specific instructions.

An increase suggests they are getting better. A decrease would signal that they have won the battle.
Twitter’s spam removal is up 214 percent compared to 2017
Twitter dropped a blog post yesterday explaining how it’s currently handling malicious spam and bots. The company says that in May, its system found and questioned over 9.9 million accounts for spamming or being automated.
Twitter says it’s also monitoring its APIs more strictly. During Q1 this year, it suspended more than 142,000 apps that violated rules and tweeted out over 130 million spam tweets, and kept up the momentum in the following months, removing an average of 49,000 apps each month.
Compared to last year, Twitter says it has removed 214 percent more accounts for violating spam policies. It also notes that the average number of spam reports has dropped from 25,000 a day in March to 17,000 a day in May, which Twitter is taking to mean that spam is being effectively combatted, but it could really just mean that people are getting tired of reporting spam.

Facebook’s fight against fake news has gone global. In Mexico, just a handful of vetters are on the front lines.
This spring, a doctored image claiming that the wife of the leading Mexican presidential candidate was the granddaughter of a Nazi ricocheted across Facebook and its messaging service, WhatsApp.
The post, shared 8,000 times before it was disproved, was part of a flood of fabricated stories that have spread on Facebook and its other services, including Instagram, ahead of Mexico’s July 1 presidential election — the country’s own version of the divisive misinformation that sought to influence the 2016 campaign across the border.
Determined to prevent a repeat of the abuses of its platform ahead of the U.S. midterm elections in November, Facebook has poured resources into election integrity, hiring thousands of content moderators and fact-checkers, deploying artificial intelligence, and conducting large sweeps of problematic accounts. Each new election is a test: Facebook’s security and civic teams are actively tracking 50 different elections in 2018 — and triaging for those deemed “high risk” — amounting to a national election practically every week.

Facebook’s Latest Problem: It Can’t Track Where Much of the Data Went
Company’s internal probe finds that some developers who scooped up data are now out of business, and others won’t cooperate
… Three months after CEO Mark Zuckerberg pledged to investigate all apps that had access to large amounts of Facebook data, the company is still combing its system to locate the developers behind those products and find out how they used the information between 2007 and 2015, when the company officially cut data access...

Should be interesting.
Mike Stunson reports:
Lexington must release information about the city’s surveillance cameras and the policies surrounding their use, a judge ordered last week.
Mike Maharrey, an activist and organizer for “We See You Watching Lexington,” said his victory over the city is huge for the people of Lexington.
“Now, hopefully, we will get the kind of transparency we deserve,” Maharrey wrote.

So, Google will be listening on even more phones. Paranoia?
Google invests in OS that will put its Assistant on feature phones
Google has just invested $22 million in KaiOS, the company that built an app-packed operating system for feature phones. The move, which gives Google access to previously untapped markets, will see KaiOS integrate Google services such as maps, Assistant, YouTube and search into devices, which are considered mid-point phones between basic phones and smartphones.

Facebook, Google Manipulate Users to Share Personal Data Despite GDPR
Despite the new GDPR regulation entering into effect across Europe, Facebook and Google are manipulating users into sharing personal data by leveraging misleading wording and confusing interfaces, according to a report released today by the Norwegian Consumer Council (NCC).
In its 44-page report, the Norwegian agency accuses Google and Facebook of using so-called "dark patterns" (user interface elements) for "nudging" users towards accepting privacy options.
These dark patterns include misleading privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort from the users.

Perspective. Is Amazon Uber-izing the delivery business?
Amazon’s new blue crew: Tech giant enlists entrepreneurs to own the ‘last mile,’ delivering packages in Prime vans and uniforms
Amazon is expanding further into package delivery and promising to support a new wave of small business owners with the launch of a program that helps entrepreneurs start and run their own companies — delivering items purchased on Amazon in distinctive blue Prime-branded shirts and vans.
It’s “the next big building block of our end-to-end supply chain,” said Dave Clark, the Amazon executive who oversees the worldwide delivery logistics infrastructure for the e-commerce giant.
… The new program lets anyone run their own package delivery fleet of up to 40 vehicles with up to 100 employees. Amazon works with the entrepreneurs — referred to as “Delivery Service Partners” — and pays them to deliver packages while providing discounts on vehicles, uniforms, fuel, insurance, and more. They operate their own businesses and hire their own employees, though Amazon requires them to offer healthcare, paid time off, and competitive wages. Amazon said entrepreneurs can get started with as low as $10,000 and earn up to $300,000 annually in profit.

Distracted Driving Is Out of Control, and There's No Single Cure
One study found that young drivers spend 12 percent of time behind the wheel looking at their phones. This is getting bad, people.
… a new, small study released today by AAA’s Foundation for Traffic Safety suggests that those infotainment systems built into vehicles’ consoles make driving a bit more dangerous, by demanding too much of those who are supposed to be watching the road.

Perspective. Give up Michael Porter? Never! Well, maybe….
Why Companies Need a New Playbook to Succeed in the Digital Age
… A new playbook requires companies to move beyond Michael Porter’s idea of controlled value chains, where companies focus on control and doing one thing really well. In a value chain, companies know a lot about their products, including where they are physically and when they are sold.
In the digital world, companies need to move to more complex, networked systems. They must create ecosystems or webs of relationships with partners that help them become a go-to for customers. The key is using digital to differentiate a company, offering customers something new and compelling — to create a destination they want to visit.

A resource to draw from.
BBC releases computer history archive
BBC Technology – “A slice of computing history has been made public, giving people the opportunity to delve into an archive that inspired a generation of coders. The Computer Literacy Project led to the introduction of the BBC Micro alongside programmes which introduced viewers to the principles of computing. It included interviews with innovators such as Bill Gates and Steve Wozniak. The BBC hopes the 1980s archive will encourage today’s youngsters to become involved in computing. With the release of the archive, viewers can now search and browse all of the programmes from the project. They will be able to:
  • watch any of the 267 programmes
  • explore clips by topic or text search
  • run 166 BBC Micro programmes that were used on-screen
  • find out the history of the Computer Literacy Project…”

The new ROTC uniform?
Make The Galaxy Great Again T-Shirt