Thursday, July 05, 2018

Security failures are often management failures. This is especially true when management fails to learn from their mistakes.
Peter Cowan reports:
For the second year in a row the provincial government’s salary disclosure includes names and salaries that shouldn’t have been released.
The list, which is often called the “sunshine list” reveals the names and salary information for anyone making more than $100,000.
Read more on CBC.

(Related) I never have to look far to find really good “Bad Examples” for my Computer Security class.
Nico Arboleda and Steven Kiernan report what is pretty much a total destruction breach:
Digital marketing and web provider Cyanweb Solutions lost nearly all customer data and backups after a “criminal hacking incident” that compromised one of its servers last week.
The three-staff, Perth-based company provides web design, hosting, online marketing and search engine optimisation for around 500 clients. The company did not have offsite backups in place.
According to an advisory posted on its website, “A professional hacking group attacked, infiltrated the server and destroyed all data, including all available backup data.”
Read more on CRN.

Should we expect more lawsuits in Richmond?
Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi of Jackson Lewis write:
Cybersecurity incidents are on the rise, and so too is data breach litigation brought by plaintiffs who allege they were harmed by the unauthorized exposure of their personal information. Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a “risk of future harm” exists.
The United States Court of Appeals for the Fourth Circuit (“the Fourth Circuit”) is the latest circuit court to weigh in on standing in data breach litigation. In Hutton v. National Board of Examiners in Optometry, the court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.

Will right-wing hackers start sending compromising data to immigrant phones?
Europe is using smartphone data as a weapon to deport refugees
Smartphones have helped tens of thousands of migrants travel to Europe. A phone means you can stay in touch with your family – or with people smugglers. On the road, you can check Facebook groups that warn of border closures, policy changes or scams to watch out for. Advice on how to avoid border police spreads via WhatsApp.
Now, governments are using migrants' smartphones to deport them.
Across the continent, migrants are being confronted by a booming mobile forensics industry that specialises in extracting a smartphone’s messages, location history, and even WhatsApp data. That information can potentially be turned against the phone owners themselves.
In 2017 both Germany and Denmark expanded laws that enabled immigration officials to extract data from asylum seekers’ phones. Similar legislation has been proposed in Belgium and Austria, while the UK and Norway have been searching asylum seekers’ devices for years.
… Over the six months after Germany’s phone search law came into force, immigration officials searched 8,000 phones. If they doubted an asylum seeker’s story, they would extract their phone’s metadata – digital information that can reveal the user’s language settings and the locations where they made calls or took pictures.
… If a person says they were in Turkey in September, for example, but phone data shows they were actually in Syria, they can see more investigation is needed.
Denmark is taking this a step further, by asking migrants for their Facebook passwords. Refugee groups note how the platform is being used more and more to verify an asylum seeker’s identity.

Good or bad, it is another way for governments to tax citizens.
Uganda leader says social media used for 'lying', defends tax for access
Uganda’s President Yoweri Museveni has defended the country’s new social media tax, saying Ugandans were using such platforms for “lying”, and squandering the nation’s hard currency on fees to foreign-owned telecoms firms.
In May Uganda’s parliament passed new tax laws that introduced a levy of 200 shillings ($0.05) per day for access to a range of online services.
The platforms that have been identified by the country’s revenue service for the tax include Facebook, Twitter, WhatsApp, Google Hangouts, YouTube, Skype, Yahoo Messenger and many others.
The tax, collected by mobile phone internet service providers since July 1, is equivalent to about 20 percent of what typical Ugandan users pay for their mobile phone data plans.

Clearing the path?
Facebook Ads Offer Peek at Looming Supreme Court Fight
Even before President Trump’s new Supreme Court nominee is announced, a fight over the choice is raging on social media.
In the days since Justice Anthony M. Kennedy said he would retire, partisan groups have turned to Facebook, Twitter and other social networks with political ads. Some of the ads urge voters to pressure their senators to block or speed the confirmation process for Mr. Trump’s eventual nominee. Others oppose allowing specific jurists to fill the vacant seat.
Judicial Crisis Network, an organization that promotes conservative judicial nominees, announced last week that it would spend more than $1 million to support Mr. Trump’s nominee. So far, the group has spent as much as $140,000 on a series of nearly two dozen Facebook ads. Many of the Facebook ads are targeted at users in North Dakota, Indiana and West Virginia, all red states with vulnerable Democratic senators who are up for re-election this year.
… Demand Justice, an organization formed this year by veterans of the Hillary Clinton and Barack Obama campaigns, began running Facebook ads on Monday urging voters to “stop Trump’s SCOTUS takeover.” The group, which has said it plans to raise $10 million this year, has also run ads opposing Brett Kavanaugh, Amy Coney Barrett and Amul Thapar, three judges who are reported to be on Mr. Trump’s shortlist for the Supreme Court.
… These groups, which are classified as 501(c)(4) advocacy groups, are not required to identify their donors or disclose much of their spending. But new Facebook ad policies are for the first time giving a glimpse of how money from these organizations flows through social media.
In an attempt to avoid a repeat of 2016, when Russian disinformation campaigns successfully exploited flaws in its network, Facebook recently began requiring political advertisers to authenticate themselves as residents of the United States and label every ad with a “paid for by” indication. The company also began archiving all paid political content on Facebook and Instagram, including promoted news, in a searchable public database, along with information about how much was spent on the ads and basic details about how they were targeted.

Are we ready for this election? I doubt it.
Intel Committee Releases Unclassified Summary of Initial Findings on 2017 Intelligence Community Assessment
News release: “Today [July 3, 2018], Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Mark Warner (D-VA) released the Committee’s unclassified summary of its initial findings on the Intelligence Community Assessment (ICA) on Russian activities in the 2016 U.S. elections. The Committee finds that the overall judgments issued in the ICA were well-supported and the tradecraft was strong. The course of the Committee’s investigation has shown that the Russian cyber operations were more extensive than the hack of the Democratic National Committee and continued well through the 2016 election.
“The Committee has spent the last 16 months reviewing the sources, tradecraft and analytic work underpinning the Intelligence Community Assessment and sees no reason to dispute the conclusions,” said Chairman Burr. “The Committee continues its investigation and I am hopeful that this installment of the Committee’s work will soon be followed by additional summaries providing the American people with clarity around Russia’s activities regarding U.S. elections.”
“Our investigation thoroughly reviewed all aspects of the January 2017 ICA, which assessed that Russian President Vladimir Putin ordered an influence campaign to target our presidential election and to destabilize our democratic institutions,” said Vice Chairman Warner. “As numerous intelligence and national security officials in the Trump administration have since unanimously re-affirmed, the ICA findings were accurate and on point. The Russian effort was extensive and sophisticated, and its goals were to undermine public faith in the democratic process, to hurt Secretary Clinton and to help Donald Trump. While our investigation remains ongoing, we have to learn from 2016 and do more to protect ourselves from attacks in 2018 and beyond.”
The summary is the second unclassified installment in the Committee’s report on Russian election activities. The Committee held a closed door hearing in May to review the ICA on “Assessing Russian Activities and Intentions in Recent U.S. Elections.” Members heard testimony from former Director of National Intelligence James Clapper, former Director of the Central Intelligence Agency John Brennan and former Director of the National Security Agency Mike Rogers, which informed the Committee’s report. You can read a copy of the unclassified summary here.”

Where do your experiences fall?
Stories From Experts About the Impact of Digital Life
“While many technology experts and scholars have concerns about the social, political and economic fallout from the spread of digital activities, they also tend to report that their own experience of digital life has been positive… Over the years of canvassings by Pew Research Center and Elon University’s Imagining the Internet Center, many experts have been anxious about the way people’s online activities can undermine truth, foment distrust, jeopardize individuals’ well-being when it comes to physical and emotional health, enable trolls to weaken democracy and community, compromise human agency as algorithms become embedded in more activities, kill privacy, make institutions less secure, open up larger social divisions as digital divides widen, and wipe out untold numbers of decent-paying jobs. An early-2018 expert canvassing of technology experts, scholars and health specialists on the future of digital life and well-being contained references to some of those concerns. The experts who participated in that research project were also asked to share anecdotes about their own personal experiences with digital life. This report shares those observations…”

Re-purposing an e-discovery tool? Seems like an obvious step to me.
AI spots legal problems with tech T&Cs in GDPR research project
Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law.
The still-in-training privacy policy and contract parsing tool — which is called ‘Claudette’, aka (automated) clause detector — is being developed by researchers at the European University Institute in Florence.
… Early results from this project have been released today, with BEUC saying the AI was able to automatically flag a range of problems with the language being used in tech T&Cs.
… In theory, all 15 parsed privacy policies should have been compliant with GDPR by June, as it came into force on May 25. However some tech giants are already facing legal challenges to their interpretation of ‘consent’. And it’s fair to say the law has not vanquished the tech industry’s fuzzy language and logic overnight. Where user privacy is concerned, old, ugly habits die hard, clearly.

Another article for my Security collection.
Do You Know What Apps Have Access To Your Gmail? Here’s How to Find and Remove Them