Saturday, November 24, 2018

It seems silly to deny that a breach happened when anyone can check for themselves.
Bob Diachenko recently reported on yet another massive data exposure:
On November 12th, when auditing the search results for open/exposed Elasticsearch databases with the Binaryedge.io platform, we have found what appeared to be a collection of personal records compiled by FIESP, the Federation of Industries of the State of São Paulo. FIESP is the largest class entity in the Brazilian industry. It represents about 130 thousand industries in various sectors, of all sizes and different production chains, distributed in 131 employers’ unions.
Records were stored in Elasticsearch with the total count of 180,104,892.
[…]
The largest collection of data (FIESP collection) had 34,817,273 personal records with exposed info like:
  • name
  • personal ID number (RG number)
  • taxpayer registry identification (CPF)
  • sex
  • date of birth
  • full address
  • email
  • phone number
Read more on Hackenproof.com. As has happened waaaaay too many times to Bob and others, including yours truly, he had difficulty making notification.
But when notification was finally made after someone on Twitter got thru to FIESP, it was not received as one might hope. Angelica Mari of ZDNet reported today that:
FIESP said it is “investigating the alleged access to its database by a company that claims to work in digital security,” but it has pretty much denied that anything serious has happened at all.
The trade body argued that the databases Hacken Proof is talking about didn’t contain sensitive information or passwords and that “so far, there is no news that any personal information from the database has been exposed.”
“FIESP contacted [Hacken Proof], who said it had not made the data public and subsequently destroyed the information that it claims to have had access to. [Hacken Proof] also stated that its objective was to expose possible vulnerabilities to prevent potential leaks.”
It’s all in the language you choose.
Rohan Pearce has an update to a breach that was first disclosed in June, 2018:
HR software company PageUp says that a forensic expert it engaged to examine its systems has found “no specific evidence” that data was stolen during a security breach earlier this year.
Read more on Computerworld.
[From the article:
After an initial investigation the company said that it believed on the “balance of probabilities” that “data relating to our clients, placement agencies, applicants, references and our employees” was accessed during the breach.
Data that it believed may have been vulnerable included the personal details of employees of PageUp customers, details of job applications lodged with the company’s customers, and employment reference information.
PageUp said though there was no evidence that data had been exfiltrated. [Note that this is somewhat different than saying, “there was evidence that the data was not exfiltrated.” Perhaps they kept no records (logs) of data movement. Bob]
The question should have been asked and answered prior to implementing the new meters. The same for any IoT device. If it was, why not mention that as part of the release? If it was not, are you ready for the lawsuits?
Bill Cameron reports:
As utility companies across the state roll out new Internet-connected electrical meters, Smithfield Township supervisors are calling on Met-Ed to show how they’re protecting customers’ information. The Board of Supervisors penned a letter this week to FirstEnergy Corp., Met-Ed’s parent company, and state regulatory officials asking what protections are in place to keep private consumer data from unwanted eyes.
“What limits have been placed on data collection and permissions for data collection beyond monthly billing cycle totals?” it says in the letter, dated Nov. 14, to FirstEnergy’s president, regional president, state president, the state Office of Consumer Advocates and the Pennsylvania Public Utility Commission. “The notice sent to our residents makes no mention of this, yet it is of prime concern to us in order to protect and secure data of our residential households.”
Read more on GovTech.
Bravo. We need more agencies and watchdogs asking – and demanding – answers to these important questions.
’Tis the season! “Hey, if it works for Amazon...”
Matthew Field reports:
Hackers are offering Black Friday discounts for stolen credit card details being bought and sold on the dark web as they seek to cash in on an online shopping bonanza.
Security experts including the FBI, the UK’s cyber defence agency and online security firms have warned of a wave of hacking and fraud as criminals exploit Britain’s biggest weekend of online shopping across Black Friday and Cyber Monday.
Read more on The Telegraph.
…for the defense of Privacy everywhere?
Facebook Appeals its UK Fine in Cambridge Analytica Scandal
Facebook has appealed its 500,000-pound ($644,000) fine for failing to protect the privacy of its users in the Cambridge Analytica scandal, arguing that U.K. regulators failed to prove that British users were directly affected.
Britain's Information Commissioner's Office leveled the fine after concluding Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent.
"Their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal," said Facebook lawyer Anna Benckert in a statement. "For example, under ICO's theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet."
This could be an interesting source of privacy horror stories. Stay tuned.
Thai Minister Defends Controversial Cybersecurity Bill
A Thai government official on Wednesday defended a sweeping cybersecurity bill which experts have decried for allowing the wholesale seizure of private computers and property, saying that "every country has a need" to protect itself.
… In rare comments hitting out at the government, a senior judge at the Thai Appeals Court condemned the bill, calling it redundant.
"This law ignores the people's rights and freedom," said Sriamporn Saligupta.
"If the next government is not good and uses this as a tool, we will no longer have privacy rights."
The President and his minions are correct in their assumption that people are more interested in shopping and feasting than in worrying about the future. Much harder to change that than asking the President to change his mind. Maybe.
Trump administration criticized over timing of climate change report
The bombshell report, which warns of large-scale climate disasters if the U.S. continues down the track it's headed, was released without much rollout midday Friday.
Known as Black Friday, it's a day in which people are likely more concerned with shopping than national affairs. Late Friday in general is famous in Washington for being a "news dump," in which an administration quietly releases less-than-optimal news.
Clearly, it’s too late.