Saturday, May 23, 2020

What are the signs of a hack in progress? Take Computer Security 101 for most of the answers. It’s not hard, but you have to manage it correctly. (I have recommended this site to my students.)
Mathway investigates data breach after 25M records sold on dark web
A data breach broker is selling a database that allegedly contains 25 million Mathway user records on a dark web marketplace.
Mathway is a calculator that allows users to type in math questions and receive an answer for free through their website or via Android and iOS apps.
The Mathway app is top-rated, with over 10 million installs on Android and ranked as #4 under education in the Apple Store.
This week, a data breach seller known as Shiny Hunters began to publicly sell an alleged Mathway database on a dark web marketplace for $4,000.
In a sample of the database shared with BleepingComputer, the most concerning of the exposed data are the email addresses and hashed passwords. Otherwise, the data is mostly what appears to be system data.
If you use Mathway and want to check if your account is part of this breach, you can use Cyble's AmIBreached data breach lookup service.

As hackers sell 8 million user records, Home Chef confirms data breach
Meal kit and food delivery company Home Chef has confirmed that hackers breached its systems, making off with the personal information of customers.
Quite how the hackers breached Home Chef’s systems is unclear. In its own FAQ about the security breach, the business shares no details other than to say that it “recently learned of a data security incident impacting select customer information.”
However, earlier this month – weeks before Home Chef went public about its security breach – Bleeping Computer reported that the company was one of eleven whose breached data was being offered for sale on a dark web marketplace.

(Related) Some of those signs… Do you know what is ‘normal’ for your employees?
‘Flight risk’ employees involved in 60% of insider cybersecurity incidents
According to the Securonix 2020 Insider Threat Report, published on Wednesday, "flight risk" employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack.
Securonix says that the exfiltration of sensitive data continues to be the most common insider threat, often taking place via email transfers or web uploads to cloud storage services including Box and Dropbox. This attack vector is followed by privileged account abuse.
After examining hundreds of insider incidents across different industry verticals, the cybersecurity firm said that roughly 80% of flight risk employees will try to take proprietary data with them.
In total, 43.75% of insiders forwarded content to personal emails; 16% abused cloud collaboration privileges and 10% performed downloads of aggregated data during attacks analyzed in the report. Unauthorized USB and removable storage devices are also commonly used to swipe data.

A couple of reasons why hacking is an interesting hobby. It’s cheap and often undetectable.
Hacker Used £270 of TV Equipment to Eavesdrop on Sensitive Satellite Communications
An Oxford University-based security researcher says he used £270 ($300) of home television equipment to capture terabytes of real-world satellite traffic — including sensitive data from “some of the world’s largest organisations.”
James Pavur, a Rhodes Scholar and DPhil student at Oxford, will detail the attack in a session at the Black Hat security conference in early August.
Pavur will also demonstrate that, “under the right conditions” attackers can hijack active sessions via satellite link, a session overview reveals.
A synopsis warns that these communications can be spied on “from thousands of miles away with virtually no risk of detection”.
While full details of the attack will not be revealed until the Black Hat conference, a 2019 conference paper published by Pavur gives a sneak peek into some of the challenges of security in the satellite communications space.
It appears to boil down in large part to the absence of encryption-in-transit for satellite-based broadband communications.

Forewarned is forearmed?
Understanding the “World of Geolocation Data”
How is location data generated from mobile devices, who gets access to it, and how? As debates over companies and public health authorities using device data to address the current global pandemic continue, it is more important than ever for policymakers and regulators to understand the practical basics of how mobile operating systems work, how apps request access to information, and how location datasets can be more or less risky or revealing for individuals and groups. Today, Future of Privacy Forum released a new infographic, “The World of Geolocation Data” that explores these issues.

A podcast.
In this episode of Horns of a Dilemma, Doyle Hodges, executive editor of the Texas National Security Review, talks with Dr. Erik Lin-Greenberg about his article, “Allies and Artificial Intelligence: Obstacles to Operations and Decision-Making,” which is featured in Volume 3 Issue 2 of TNSR. Dr. Lin-Greenberg is a post-doctoral fellow at the University of Pennsylvania’s Perry World House and an incoming assistant professor of political science at the Massachusetts Institute of Technology. His research examines how military technology affects conflict dynamics in the regulation of the use of force and how remote warfighting technologies, like drones and cyber warfare, shape crisis escalation. He also explores how technology influences alliance relationships and public attitudes toward the use of force.

Why? I have a hard time understanding the political mindset. Why not use every tool in the toolbox?
Who’s advising Joe Biden on tech policy? No one in particular.
The presumptive Democratic nominee does not have a top adviser focused on tech policy, according to campaign materials and party veterans, including some who have offered informal advice to Biden on tech.
The lack of tech leadership in the campaign marks a contrast with his Democratic predecessors, as well as some of Biden's competitors in the Democratic primary, and reflects a belief that issues like online misinformation, privacy regulation and alleged anticompetitive behavior by tech's giants will not be pivotal to unseating President Trump. To some advocates for reforming the tech industry, though, Biden — whose written policy prescriptions largely avoid venturing into tech — is missing an opportunity to lead in areas that have gained new prominence and urgency.

Friday, May 22, 2020

A really simple question.
Who Owns Privacy?
With GDPR, CCPA, and a US federal bill being actively considered by Congress, we’ve reached a regulatory ‘point of no return’ with privacy compliance. GDPR alone has generated over 30 large fines worth more than 400 million euros in less than 24 months…. And we’ve yet to observe the initial cost of non-compliance with CCPA.
Regulation aside, we’re seeing a dramatic increase in awareness among customers, employees, and ‘data subjects’ about how their information is used in the data economy. This rising awareness has spurred demands for more transparency and control over data access, deletion, and rectification — with our recent DataGrail study finding that 65% of participants desire to know what information is collected on them.
As of today, most of the means for organizations to deliver on privacy expectations are unsustainable. Another DataGrail survey from 2019 found that the average company involved 26 different stakeholders across almost as many functional groups to deliver an access request. The pervasiveness of personal data across a modern business — from marketing, to customer support, to finance, to business intelligence — has forced a sprawl in responsibility.

The GDPR doesn’t apply, except when it does.
Grandmother ordered to delete Facebook photos under GDPR
It ended up in court after a falling-out between the woman and her daughter.
The judge ruled the matter was within the scope of the EU's General Data Protection Regulation (GDPR).
The case went to court after the woman refused to delete photographs of her grandchildren which she had posted on social media.
The mother of the children had asked several times for the pictures to be deleted.
The GDPR does not apply to the "purely personal" or "household" processing of data.
However, that exemption did not apply because posting photographs on social media made them available to a wider audience, the ruling said.
"With Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties," it said.

Interesting. Like twisting the knob to see if a door is locked?
Just turning your phone on qualifies as searching it, court rules
Smartphones are a rich data trove not only for marketers but also for law enforcement. Police and federal investigators love to get their hands on all that juicy personal information during an investigation. But thanks to the Fourth Amendment of the US Constitution and all the case law built upon it, police generally need a warrant to search your phone—and that includes just looking at the lock screen, a judge has ruled (PDF).
Usually when the topic of a phone search comes up in court, the question has to do with unlocking. Generally, courts have held that law enforcement can compel you to use your body, such as your fingerprint (or your face), to unlock a phone but that they cannot compel you to share knowledge, such as a PIN. In this recent case, however, the FBI did not unlock the phone. Instead, they only looked at the phone's lock screen for evidence.
In his ruling, the judge determined that the police looking at the phone at the time of the arrest and the FBI looking at it again after the fact are two separate issues. Police are allowed to conduct searches without search warrant under special circumstances, Coughenour wrote, and looking at the phone's lock screen may have been permissible as it "took place either incident to a lawful arrest or as part of the police's efforts to inventory the personal effects" of the person arrested. Coughenour was unable to determine how, specifically, the police acted, and he ordered clarification to see if their search of the phone fell within those boundaries.
But where the police actions were unclear, the FBI's were both crystal clear and counter to the defendant's Fourth Amendment rights, Coughenour ruled. "Here, the FBI physically intruded on Mr. Sam's personal effect when the FBI powered on his phone to take a picture of the phone's lock screen." That qualifies as a "search" under the terms of the Fourth Amendment, he found, and since the FBI did not have a warrant for that search, it was unconstitutional.
Attorneys for the government argued that Sam should have had no expectation of privacy on his lock screen—that is, after all, what everyone who isn't you is meant to see when they try to access the phone. Instead of determining whether the lock screen is private or not, though, Coughenour found that it doesn't matter. "When the Government gains evidence by physically intruding on a constitutionally protected area—as the FBI did here—it is 'unnecessary to consider' whether the government also violated the defendant’s reasonable expectation of privacy," he wrote.

Sounds a lot like Phrenology to me.
Artificial intelligence can make personality judgments based on photographs
Russian researchers from HSE University and Open University for the Humanities and Economics have demonstrated that artificial intelligence is able to infer people's personality from 'selfie' photographs better than human raters do. Conscientiousness emerged to be more easily recognizable than the other four traits. Personality predictions based on female faces appeared to be more reliable than those for male faces. The technology can be used to find the 'best matches' in customer service, dating or online tutoring.
The article, "Assessing the Big Five personality traits using real-life static facial images," will be published on May 22 in Scientific Reports.
The average effect size of r = .24 indicates that AI can make a correct guess about the relative standing of two randomly chosen individuals on a personality dimension in 58% of cases as opposed to the 50% expected by chance.

Worth considering.
A Buyer’s Guide to AI and Machine Learning
One limitation of some AI or ML products is that for certain applications of the technology, there is no source of absolute truth to compare against the accuracy of the output. For example, neither humans nor machines know how to produce the perfect set of end-to-end tests for any given application. This is the test oracle problem: there is no objective standard of truth. No one wants to introduce this kind of uncertainty into their sales process. Yet, our buyers deserve well-informed answers about our products.
Regardless of how you plan to use a product, it’s important to ask the right questions to understand the product and build resiliency around its accuracy levels. The next time a seller tells you “AI is doing this,” you can ask the following:

Six things CCOs need to know about ICO’s AI guidance
The 122-page publication, called “Explaining decisions made with AI” and written in conjunction with The Alan Turing Institute, the U.K.’s national center for AI, hopes to ensure organizations can be transparent about how AI-generated decisions are made, as well as ensure clear accountability about who can be held responsible for them so that affected individuals can ask for an explanation.

Thursday, May 21, 2020

“Move fast and break things.” It’s not just a Big Tech strategy, it’s an explanation of most “rush job” failures.
Ohioans’ and Coloradans’ personal info exposed in pandemic unemployment data breaches
Two more states have reported breaches or issues with state portals to apply for pandemic-related unemployment benefits.
In Ohio, Maggy McDonel reports:
The personal information of Ohioans receiving pandemic unemployment assistance was recently exposed to a data breach, according to Ohio Department of Jobs and Family Services.
The information reportedly included names, Social Security numbers and street addresses.
ODJFS acknowledged what it described as the “data issue” in a release sent out Wednesday afternoon.
The department says Deloitte Consulting notified it last weekend that around two-dozen people were able “to view other PUA claimants’ correspondence.”
Read more on Fox19.
And in Colorado, Joe Rubino reports:
All 72,000 people signed up for pandemic unemployment assistance in Colorado are eligible for a year of free credit monitoring after a system error gave six people approved for benefits access to everyone else’s private information.
The Colorado Department of Labor and Employment was alerted to the problem Saturday. In a statement, the department referred to the situation as a “limited and intermittent data access issue.” State officials insist it was not a data breach.
Read more on Reporter Herald.
Ohio and Colorado are the third and fourth states we know of that have reported problems with state portals involved in filing for unemployment assistance. Arkansas was the first and Illinois was the second. At this point, it doesn’t seem like the states are all using the same program, but do not be surprised if more states report problems like these.

“Saving face” at the expense of a few (million) deaths...
Data Leak Suggests China Had Hundreds of Thousands of Coronavirus Cases in 230 Cities
Jim Geraghty reports on a very significant data leak:
A dataset of coronavirus cases and deaths from the military’s National University of Defense Technology, leaked to 100Reporters, offers insight into how Beijing has gathered coronavirus data on its population. The source of the leak, who asked to remain anonymous because of the sensitivity of sharing Chinese military data, said that the data came from the university. . . .
While not fully comprehensive, the data is incredibly rich: There are more than 640,000 updates of information, covering at least 230 cities—in other words, 640,000 rows purporting to show the number of cases in a specific location at the time the data was gathered. Each update includes the latitude, longitude, and “confirmed” number of cases at the location, for dates ranging from early February to late April.
Read more on National Review.

Lots of questions. Was this an “authorized user” breach or could anyone do it?
Ron Hurtibise reports:
Hundreds of customers of ADT Security Services were spied on through security cameras installed inside and outside of their homes, two federal lawsuits filed Monday are claiming.
ADT, headquartered in Boca Raton, “failed to provide rudimentary safeguards” to prevent an employee from gaining remote access to the customers’ cameras over a seven-year period, a news release from the Dallas-based Fears Nachawati Law Firm states.
ADT notified customers of the breaches and then tried to pay them off if they agreed not to reveal them publicly, according to the suits filed in U.S. District Court in Fort Lauderdale.
Read more on Sun-Sentinel.

Worth reading and thinking about.
Verizon – 2020 Data Breach Investigations Report
Verizon 2020 Data Breach Investigations Report – “Here we are at another edition of the DBIR.
If you look closely you may notice that it has sprouted a few more industries here and there, and has started to grow a greater interest in other areas of the world. This year we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches. The resultant findings are spread throughout this report. This year, we have added substantially more industry breakouts for a total of 16 verticals (the most to date) in which we examine the most common attacks, actors and actions for each. We are also proud to announce that, for the first time ever, we have been able to look at cybercrime from a regional viewpoint—thanks to a combination of improvements in our statistical processes and protocols, and, most of all, by data provided by new contributors—making this report arguably the most comprehensive analysis of global data breaches in existence…”

Is this the end of facial recognition? (Hint: Hell no!)
Kari Rollins and David Poell of SheppardMullin write:
The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward.
Read more on EyeOnPrivacy.

While we worry about a pandemic...
Papers, Please! writes:
Air travel in the US has been reduced by more than 90%, measured by the numbers of people passing through checkpoints at airports operated by the Transportation Security Administration (TSA) and its contractors.
And the Department of Homeland Security (DHS) has postponed its threat to start unlawfully refusing passage to travelers without ID credentials compliant with the REAL-ID Act of 2005 for another year, from October 1, 2020, to October 1, 2021.
So relatively little attention is being paid right now to air travel or TSA requirements — making it the ideal time for the TSA to try to sneak a new ID requirement for air travel (to take effect in 2021) into place without arousing public protest.
Read more on Papers, Please!

Try translating that for students!
Tackling Privacy by Design: Practical Advice Following Multiple Implementations
When advising clients on Privacy by Design (PbD) implementation, I often feel like the voice in his or her head is saying, “I see your lips moving, but all I hear is blah, blah, blah.” After experiencing those moments a few times, it occurred to me how professionals living in the PbD space are speaking a different language from business owners, product and service designers, and those in charge of privacy compliance for their organization. The purpose of this article is to demystify PbD (a bit), and to offer some practical advice for businesses looking to implement PbD in its products and services.

Sounds useful… Can we extract ‘Best Practices?’
Hogan Lovells Launches Global Privacy Guide to Support Businesses with COVID-19 Exit Plans
As the world focuses its efforts on the right strategy to beat the coronavirus and make normal life safe again, businesses are devising and implementing a variety of measures to deal with the COVID-19 crisis which rely on the collection, use and dissemination of personal data.
To assist with this challenge and ensure that privacy and cybersecurity aspects are appropriately addressed, Hogan Lovells has released today a detailed guide providing legal analysis and practical recommendations. The guide has been prepared by a team spanning its 45 offices around the world and led by the firm’s Global Regulatory practice.
To read COVID-19 Exit Strategy: A Global Privacy and Cybersecurity Guide, click here.

Reading for shut-ins.
Bart Gellman on Snowden
Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.
It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)

Inside every cloud, a silver lining.
Inside the Rise of a Hot New Industry: Social Distancing Consultants
Marker Medium: “…As shelter-in-place laws start to relax across the U.S., and businesses begin to reopen or at least to start thinking about it—everyone from retailers, restaurants, hairdressers, fashion boutiques, and building managers are desperate to overhaul their spaces with new safety protocols so they can protect employees and customers —and start making money again. The problem? No one really knows what they are doing. Federal guidelines cover the basics of hand-washing, sanitizing, and mask-wearing, but they lack specificity for different scenarios. For example, if you install a plexiglass screen, how large should it be? What’s the best way to redesign an office floor plan to limit interactions? Should employee temperatures be taken every shift? What about customer temperatures? Amid this uncertainty, a new cottage industry comprised of opportunists and pivoters has sprung up to fill the void: the social distancing consultant. From architects and designers to maintenance and marketing companies, these firms have recast themselves virtually overnight as experts in the new, high-demand art of keeping people six feet apart. Social distancing services have become a boon to the struggling architecture industry, as other projects have been put on hold...

The joy of face masks!

Wednesday, May 20, 2020

I’m not sure this qualifies as accidental.
Brazil’s Natura & Co Cosmetics Accidentally Exposes Personal Details of 192 Million Customers
Natura, one of Brazil’s largest cosmetics companies, accidentally exposed the personal identifiable information (PII) of nearly 192 million customers.
The leaky database, discovered last month by Safety Detectives led by cybersecurity researcher Anurag Seg, was hosted on two unprotected US-based Amazon servers, and contained between 272GB and 1.3TB of data belonging to the company.
In yesterday’s report, the researchers noted that more than “250,000 customers that had previously ordered beauty products from the website had their personal information made available to the public without Natura’s knowledge.”

Was the same technique used elsewhere? Probably. Then this becomes a guidebook for other lawsuits.
Canada fines Facebook almost $6.5 million over ‘false’ data privacy claims
Rachel England reports:
Facebook is coughing up for another fine. This time the social network is handing over CAD$9 million (US$6.5 million / £5.3 million) to Canada as part of a settlement over the way it handled users’ personal information between August 2012 and June 2018. According to Canada’s independent Competition Bureau, Facebook “made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger” and improperly shared data with third-party developers.
Read more on engadget.

I wish this article was amusing. I think I have used many of their decode phrases myself.
How to decode a data breach notice
The next time you get a data breach notification, read between the lines. By knowing the common bullshit lines to avoid, you can understand the questions you need to ask.
“We take security and privacy seriously.”
Read: “We clearly don’t.”
“We recently discovered a security incident…”
Read: “Someone else found it but we’re trying to do damage control.”
“Out of an abundance of caution, we want to inform you of the incident.”
Read: “We were forced to tell you.”
“There is no evidence that data was taken.”
Read: “That we know of.”

When is evidence entirely off limits?
Alaina Lancaster reports:
California’s chief justice warned Facebook Inc.’s Gibson, Dunn & Crutcher attorneys that they can expect more court appearances over criminal defendants’ access to private social media messages in order to build a defense.
During a video hearing Tuesday, California Supreme Court Chief Justice Tani Cantil-Sakauye said that the court had never confronted the constitutionality of subpoenaing social media companies for users’ communications and the right to a fair trial, until Facebook v. Superior Court (Touchstone). It’s the same legal question that the U.S. Supreme Court declined to take up Monday in a similar case against Facebook that alleged the company violated two criminal defendants’ Sixth Amendment and due process rights when it refused to comply with their subpoenas.