Beware of users bringing their own devices.
https://www.makeuseof.com/anyone-can-be-windows-admin-razer/
Anyone Can Be a Windows Admin by Plugging In a Razer Mouse or Keyboard
… When you plug your Razer mice or keyboard into the system, Windows will automatically fetch and install the Razer Synapse software. It's a cloud-based device configuration tool that lets users customize RGB lighting, keyboard hotkeys, and Alexa profiles.
Windows will then execute the RazerInstaller.exe file to install Synapse. However, as with other system-level tasks, this will also be called with admin privileges. So it doesn't matter which user has plugged the component; the installer will run as admin.
Having security procedures is not enough, you need to ensure they are followed!
https://www.databreaches.net/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/
Fired NY credit union employee nukes 21GB of data in revenge
Sergiu Gatlan reports:
Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution’s computer systems without authorization and destroying over 21 gigabytes of data in revenge after being fired.
“In an act of revenge for being terminated, Barile surreptitiously accessed the computer system of her former employer, a New York Credit Union, and deleted mortgage loan applications and other sensitive information maintained on its file server,” Acting U.S. Attorney Jacquelyn M. Kasulis said.
Read more on BleepingComputer.
[From the article:
Even though a credit union employee asked the bank's information technology support firm to disable Barile's remote access credentials, that access was not removed. Two days later, on May 21, Barile logged on for roughly 40 minutes.
The defendant deleted over 20,000 files and around 3,500 directories during that time, totaling roughly 21.3 gigabytes of data stored on the bank's share drive.
This seems rather quick to me. Something here I’m not seeing?
Wawa paying $9-million in cash, gift cards in data breach settlement; Nov. deadline to file claim
WPVI reports an update to the 2019 WaWa breach covered on this site in a number of posts:
Wawa is paying out up to $9-million in cash and gift cards related to a data breach that exposed customers’ credit and debit card numbers and names.
The breach happened between March 4, 2019 and December 12, 2019.
If you can show proof that the breach cost you money, you can be reimbursed up to $500.
“The Settlement Class consists of all customers who reside in the United States and who used a credit or debit card at a Wawa convenience store or fuel pump at any time during the Period of the Security Incident,” the Wawa Consumer Data Security
Read more on WPVI.
Another brick in the privacy wall?
https://www.pogowasright.org/illinois-protecting-household-privacy-act-was-signed-into-law-now-what/
Illinois’ Protecting Household Privacy Act Was Signed Into Law. Now What?
Odia Kagan of Fox Rothschild writes:
On August 27, 2021, Illinois Governor JB Pritzker signed the Protecting Household Privacy Act into law. It goes into effect Jan. 1, 2022.
House Bill 2553 prohibits Illinois law enforcement agencies from obtaining household electronic data or direct the acquisition of household electronic data from a private third party.
This includes any information or input provided by a person to any device primarily intended for use within a household that is capable of facilitating any electronic communication, excluding personal computing devices (like a personal computer, cell phone, smartphone, or tablet) and digital gateway devices (like a modem, router, wireless access point, or cable set-top box serviced by a cable provider.
Read more on Privacy Compliance & Data Security.
Ya gotta ‘splain it gooder!
https://www.pogowasright.org/whatsapp-fined-266-million-over-data-transparency-breaches/
WhatsApp Fined $266 Million Over Data Transparency Breaches
Stephanie Bodoni and Katharine Gemmell of Bloomberg report:
Facebook Inc.’s WhatsApp was ordered to pay a 225 million-euro ($266 million) penalty for failing to be transparent about how it handled personal information, its first fine under beefed-up European Union data protection law.
The Irish Data Protection Commission — Silicon Valley’s main privacy watchdog in Europe — said it found violations in the way WhatsApp explained how it processed users’ and non-users’ data, as well as how data was shared between WhatsApp and other Facebook companies.
Read more on Bloomberg.
Long but worth reading…
FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data
Today, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack. The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone’s lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats. In addition to imposing the surveillance-business ban, the FTC’s order requires SpyFone to delete the illegally harvested information and notify device owners that the app had been secretly installed.
… This is the second case the FTC has brought against stalkerware apps, and the first where the FTC is obtaining a ban. In a complaint, the FTC alleged that Support King, LLC, which did business as SpyFone.com, and its CEO sold stalkerware apps that allowed purchasers to surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge.
Something new, for my students involved in privacy.
CDPSE certification: Requirements, exam, and cost
The Certified Data Privacy Solutions Engineer (CDPSE) certification is new on the scene, but the privacy-focused cert is already in increasing demand.
The Certified Data Privacy Solutions Engineer (CDPSE) certification focuses on the implementation of privacy solutions, from both a technical and governance perspective. It is offered by ISACA, a nonprofit professional association focused on IT governance with a number of certifications in its stable, including CISM.
… Overall, a CDPSE certification is meant to demonstrate expertise in three main areas, which ISACA refers to as work-related domains:
Privacy governance, which includes governance, management, and risk management
Privacy architecture, which includes infrastructure, applications and software, and technical privacy controls
Data lifecycle, which includes data purpose and data persistence
ISACA breaks down what's covered under each of these domains in more detail on their website.
How about automatically filing them under “Humor?”
Texas is set to pass a new law banning Facebook from censoring conservatives
Texas is one step closer to enacting a law that would make it more difficult for social media companies to moderate political content. Both Texas’ House and Senate approved the bill earlier this week, sending it to Gov. Greg Abbott’s desk.
The bill would make it unlawful for social media companies with more than 50 million users, like Facebook and Twitter, to censor users and content based on political views or geographic location. This includes moderation actions like banning, deplatforming, or demonetizing users and removing posts.
Perspective. Have we all gone mad?
House GOP Leader McCarthy threatens companies that cooperate with Jan. 6 probe
House Minority Leader Kevin McCarthy on Tuesday warned dozens of communications companies against cooperating with the House select committee investigating the Jan. 6 Capitol attack, saying that Republicans "will not forget" it if they retake the House.
His broadside was immediately criticized by Democrats and ethics experts, who accused him of violating House ethics rules and likened the statement to tampering with the congressional investigation.
Tools & Techniques.
https://www.nature.com/articles/d41586-021-02346-4
Drowning in the literature? These smart software tools can help
Every time Eddie Smolyansky had a few moments to himself, he tried to stay abreast of new publications in his field. But by 2016, the computer-vision researcher, who is based in Tel Aviv, Israel, was receiving hundreds of automated literature recommendations per day. “At some point the bathroom breaks weren’t enough,” he says. The recommendations were “way too much, and impossible to keep up with”.
… But change is afoot. In 2019, Smolyansky co-founded Connected Papers, one of a new generation of visual literature-mapping and recommendation tools. Other services that promise to tame the information overload, integrating Twitter feeds and daily news as well as research, are also available.
Instead of serving up a daily list of new articles by e-mail, Connected Papers uses a single, user-chosen ‘origin paper’ to build a map of related research, based partly on overlapping citations. The service recently surpassed one million users, Smolyansky says.
The maps are colour-coded by publication date, and users can toggle between ‘prior’, seminal, papers and later, ‘derivative’, works that build on them. The idea is that scientists can search for an origin paper that interests them, and see from the resulting map which recent papers have made a splash in their field, how they relate to other research, and how many citations they have accrued.
Beware the amateur psychologist.
https://dilbert.com/strip/2021-09-02
No comments:
Post a Comment