Thursday, January 13, 2022

Increasing the awareness of state actors so when we do retaliate it won’t come as a total surprise?

https://therecord.media/cyber-command-ties-hacking-group-to-iranian-intelligence/

Cyber Command ties hacking group to Iranian intelligence

U.S. Cyber Command on Wednesday revealed that a hacking group reputed for its cyberespionage campaigns is actually part of Iran’s intelligence apparatus.

The group, known as MuddyWater, is a subordinate element within the Iranian Ministry of Intelligence and Security, the command’s Cyber National Mission Force announced.

The claim marked the first time the U.S. government has publicly linked the prolific threat actor — whose targets have ranged from academia and the tourism industry to government and telecommunications operators — to Tehran’s regime.



Any relation to yesterday’s shutdown of a New Mexico prison? (The article says no.)

https://www.databreaches.net/schools-out-as-cyberattack-forces-albuquerque-public-schools-to-cancel-classes/

School’s out as cyberattack forces Albuquerque Public Schools to cancel classes

Olivier Uytterbrouck and Jessica Dyer report:

A cyberattack against Albuquerque Public Schools prompted the state’s largest district to cancel all classes districtwide on Thursday and possibly Friday.
APS Superintendent Scott Elder said the attack was discovered Wednesday morning “when teachers tried to log onto our student information system and were unable to gain access to the site.”

Read more at Albuquerque Journal.



Not uncommon. If this was not a government agency, heads would be rolling!

https://www.databreaches.net/south-african-justice-department-clueless-about-hacked-data/

South African justice department clueless about hacked data

It’s not exactly the headline you’d want for your agency, but that’s what MyBroadband came up with for this report by Myles Illidge:

The Department of Justice and Constitutional Development (DoJ&CD) has no idea whether any data was stolen during a ransomware attack on its systems in September 2021.
“The Department cannot tell with certainty as to what happened to the compromised information,” justice minister Ronald Lamola said in response to written questions from the DA’s Glynnis Breytenbach.
“As at 1 December 2021, the analysis and/or forensic investigation is still inconclusive in terms of the exact nature of the information that was sent outside of the Department as part of the breach,” Lamola stated.

Read more at MyBroadband.

The more of the report I read, the more accurate the headline actually sounds. The government did not try to decrypt the encrypted files because they did not have the decryption key. It is not clear if they ever reached out to NoMoreRansom to see if there was any help to be had, but they report that they were able to restore from backups anyway.

Does anyone know who the threat actors were or the type of ransomware in this case?


(Related) Wouldn’t you like to have some indication of who was accessing your data? I was producing a report like that back in the 1990s.

https://www.databreaches.net/hackers-raided-panasonic-server-for-months-stealing-personal-data-of-job-seekers/

Hackers Raided Panasonic Server for Months, Stealing Personal Data of Job Seekers

Graham Cluley writes:

Tech giant Panasonic has confirmed that one of its servers suffered a data breach which saw the personal information of job applicants accessed by an unauthorised party.
The security breach, which saw hackers illegally access a Panasonic file server located in Japan via an overseas subsidiary, began on June 22 2021, and only ended on November 3 2021.

Read more at Bitdefender.


(Related) How about a report that shows who created files. Would you notice someone who did not work for your organization?

https://www.databreaches.net/the-ripta-data-breach-may-provide-valuable-lessons-about-data-collection-and-retention/

The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention

Joseph J. Lazzarotti of JacksonLewis writes:

Efforts to secure systems and data from a cyberattack often focus on measures such as multifactor authentication (MFA), endpoint monitoring solutions, antivirus protections, and role-based access management controls, and for good reason. But there is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.
In December 2021, RIPTA sent notification of a data breach to several thousand individuals who were not RIPTA employees. Reports of the incident prompted inquiries from a state Senator in Rhode Island, Louis P. DiPalma, and union officials who represented the affected individuals. According to Rhode Island’s Department of Administration (DOA), a forensic analysis conducted in connection with the incident indicates the affected files included health plan billing records pertaining to State of Rhode Island employees, not RIPTA employees. The DOA goes on to state that:
[s]tate employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the state’s health plan billing.

Read more at Workplace Privacy, Data Management & Security Report.



How would you identify eligible young people without getting personal?

https://www.pogowasright.org/uk-scotland-young-persons-free-bus-travel-scheme-is-it-your-papers-please-time/

UK: Scotland young persons’ free bus travel scheme — is it “Your papers, please!” time?

Katie Williams reports:

Anyone under 22 can now apply for free bus travel.
The Free Bus Travel Scheme will come into force on January 31 and allow young people to travel on buses for free.
However people have taken to social media to express their frustration after users claimed the website kept crashing.
Others have criticised the online application process, which also requires scanning the applicant’s face, as a potential barrier.

Read more at Edinburgh Live. As The Times reports in related coverage:

Applying under the new young persons’ free bus travel scheme has led to complaints about having to supply biometric face scans, as well as images of passports and birth certificates.


(Related) Identity via your phone? Another avenue to paperless?

https://techcrunch.com/2022/01/12/merit-grabs-50m-series-b-to-expand-digital-credentials-platform/

Merit grabs $50M Series B to expand digital credentials platform

When we think about identity in the digital world, it usually involves a username and password, but Merit (originally called Sigma) wants to help governments issue digital credentials that link back to a government license database with the goal of bringing an end to flimsy paper cards.

A driver’s license is proof that the state gives you the right to drive, but one that is delivered in the analog form of a plastic card. Merit wants to change that by moving these credentials into the digital realm and linking them to a government database.



Another challenge for Google?

https://techcrunch.com/2022/01/12/austrian-dpa-schrems-ii/

In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.
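The article notes that the site’s IP “anonymization” function had not been properly implemented, and that the regulator treated IP data as personal data in any case. As an added illustration (not code from the article, the regulator, or Google), the block below applies the truncation rule documented for the Universal Analytics IP-anonymization option (last 8 bits of IPv4 and last 80 bits of IPv6 zeroed) and audits constructed log lines for addresses that were stored untruncated; the log format is assumed.

```python
import ipaddress


def anonymize_ip(addr: str) -> str:
    """Truncate an address the way the Universal Analytics anonymizeIp option
    was documented to: zero the last 8 bits of IPv4, the last 80 bits of IPv6.
    Raises ValueError for input that is not an IP address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        masked = int(ip) & ~0xFF
    else:
        masked = int(ip) & ~((1 << 80) - 1)
    return str(ipaddress.ip_address(masked))


def is_truncated(addr: str) -> bool:
    """Audit check: does a stored address already satisfy the truncation rule?
    A mis-implemented anonymization feature shows up as False here."""
    return anonymize_ip(addr) == addr


def audit_log(lines):
    """Scan log lines of the assumed form '<ip> <path>' and return the
    addresses that were stored without truncation (the misconfiguration case)."""
    leaks = []
    for line in lines:
        ip, _, _ = line.partition(" ")
        try:
            if not is_truncated(ip):
                leaks.append(ip)
        except ValueError:
            leaks.append(ip)  # unparsable value: flag it for manual review
    return leaks


# Constructed sample log; not taken from the article or any real site.
SAMPLE_LOG = [
    "203.0.113.57 /artikel/grippe",
    "203.0.113.0 /artikel/husten",
    "2001:db8:85a3:8d3:1319:8a2e:370:7348 /startseite",
    "2001:db8:85a3:: /startseite",
]

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

Passing this audit does not settle the legal question: the decision described above treats IP data as personal data regardless of whether truncation worked.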



Can you think of a reason not to use the free parts of these tools? Share with students and clients?

https://www.pcworld.com/article/553284/5-free-privacy-tools-for-protecting-your-personal-data.html

5 free privacy tools for protecting your personal data

Ideally, protecting your privacy shouldn’t require hours of time or gobs of money. Instead of having to meticulously manage all the personal data that’s floating around on the internet, you should be able to minimize data collection automatically or proactively. If you value privacy like I do, you’ll want to check out the following apps and tools. While some have premium versions for certain features, all of them are free to use:


(Related)

https://www.cpomagazine.com/data-privacy/us-government-issues-warning-on-spyware-for-hire-commercial-surveillance-tools/

US Government Issues Warning on “Spyware for Hire” Commercial Surveillance Tools

The spyware warning, issued by the National Counterintelligence and Security Center, did not name any specific surveillance tools (in spite of the Biden administration’s previous blacklist actions against NSO Group and several other similar services). But it does specify that the tools are being sold to foreign governments and other entities that have used them to track the movements and communications of dissidents and journalists, and that mobile devices can be infected without the target having to take any action.

The notice also warns about the extensive capabilities that have been seen with the Pegasus spyware: the ability to access and exfiltrate “virtually all content” from a device, and to surreptitiously record audio. Among other things, the notice advises that device cameras be covered up and that geo-location be disabled.



Practice where the laws are more surveillance friendly?

https://gizmodo.com/the-fbis-honeypot-phones-were-more-widely-distributed-i-1848345566

The FBI's Honeypot Phones Were More Widely Distributed in the U.S. Than Previously Thought

During “Operation Trojan Shield,” the feds used a secret relationship with an encrypted phone company, called Anom, which sold devices exclusively to career criminals looking for a secure way to communicate with one another. The product’s developer, who had previously been busted for drug trafficking, agreed to act as a high-level federal informant and for at least two years sold devices to criminals while also secretly cooperating with authorities. Meanwhile the FBI, along with its international partners, intercepted all of the communications, which allowed them to capture evidence of widespread criminal malfeasance on a global scale.

But there was one place that didn’t see any arrests, and that’s the United States. Due to legal issues, the FBI precluded surveillance of American users of the backdoored devices, apparently because they were concerned that the operation technically violated U.S. laws and threatened civil liberties—specifically the Fourth Amendment, which prohibits police search and seizure without a warrant. While a court filing revealed that at least 15 people located in the U.S. were known users of the trojanized devices, these individuals were said to have been geofenced by authorities conducting surveillance—meaning they were left out of the investigation.



It works both ways…

https://www.bespacific.com/law-enforcement-and-technology-using-social-media/

Law Enforcement and Technology: Using Social Media

CRS Report – Law Enforcement and Technology: Using Social Media, January 11, 2022: “As the ways in which individuals interact continue to evolve, social media has had an increasing role in facilitating communication and the sharing of content online—including moderated and unmoderated, user-generated content. Over 70% of U.S. adults are estimated to have used social media in 2021. Law enforcement has also turned to social media to help in its operations. Broadly, law enforcement relies on social media as a tool for information sharing as well as for gathering information to assist in investigations…”

[From the paper:

There are no federal laws that specifically govern law enforcement agencies’ use of information obtained from social media sites, but their ability to obtain or use certain information may be influenced by social media companies’ policies as well as law enforcement agencies’ own social media policies and the rules of criminal procedure.]



Someone has been thinking about AI.

https://www.climate-kic.org/in-detail/artificial-intelligence-business-models-and-taxonomy-in-europe/

Artificial intelligence business models and taxonomy in Europe

With its ability to drive productivity and economic development, artificial intelligence (AI) is already having a huge impact on our lives. But what are the AI business models in Europe? What AI landscape exists across Europe? What is AI’s impact in several sectors and on climate? And how do we talk about AI in the European AI Ecosystem?

The first-mentioned report “Emerging AI and Data Driven Business Models in Europe” is taking stock of the state of AI in the KICs’ innovation, education and business creation ecosystems. In summary, this report contains the results of surveys and a desk research study including:

https://ai.eitcommunity.eu/assets/docs/EIT-UrbanMobility-Emerging-AI-and-Data-Driven-Business-Models-in-Europe.pdf

The “Creation of a Taxonomy for the European AI Ecosystem” report addresses the risk of losing oversight and efficiency in several AI activities, reports and the AI landscape. 35 existing frameworks have been scanned and analysed. The developed AI taxonomy is compatible with existing ones as long as they haven’t used incorrect or inconsistent clusters or categories.

https://ai.eitcommunity.eu/assets/docs/EIT-ClimateKIC-Creation-of-a-taxonomy-for-the-European-AI-ecosystem.pdf


(Related)

https://www.brookings.edu/blog/techtank/2022/01/12/how-countries-are-leveraging-computing-power-to-achieve-their-national-artificial-intelligence-strategies/

How countries are leveraging computing power to achieve their national artificial intelligence strategies

As such, much of the development of AI is predicated on two pillars: technologies and human capital availability. Our prior reports for Brookings, “How different countries view artificial intelligence” and “Analyzing artificial intelligence plans in 34 countries,” detailed how countries are approaching national AI plans, and how to interpret those plans. In a follow-up piece, “Winners and losers in the fulfillment of national artificial intelligence aspirations,” we discussed how different countries were fulfilling their aspirations along technology-oriented and people-oriented dimensions. In our most recent post, “The people dilemma: How human capital is driving or constraining the achievement of national AI strategies,” we discussed the people dimension and so, in this piece, we will examine how each country is prepared to meet their AI objectives in the second pillar—the technology dimension.



Helpful, but I’m still not sure I understand the “new” definitions of anti-trust.

https://www.makeuseof.com/monopoly-or-market-leader/

Monopoly or Market Leader: Looking Into Today's Biggest Companies

You'd be surprised how frequently people throw around the term "monopoly" for companies like Google, Facebook, and Amazon.

However, none of these companies is a monopoly. So, let's tackle some common misconceptions and figure out what a monopoly is and whether it matches your idea of it.

To constitute a monopoly, a company has to dominate its market and become the only option for its consumers. As per the definition, an "absence of competition" is a must.
