What’s bad for Equifax is bad for everyone?
Not surprisingly, states are responding to the Equifax breach, but they are taking different approaches. Here is how two states are responding:
Law.com reports that in New York:
Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.
And Vermont Public Radio reports:
Chittenden County Sen. Michael Sirotkin says he heard from more constituents about the Equifax breach than almost any other issue he’s dealt with as a lawmaker. Sirotkin says he’s now putting the finishing touches on legislation that would give Vermonters new legal options for similar breaches in the future.
“So what that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said Thursday at a press conference announcing the legislation.
Another example of Equifax security?
Equifax Reopens Salary Lookup Service
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”
When we’ll help and when we’ll hack.
What the White House Needs to Disclose about its Process for Revealing Cybersecurity Vulnerabilities
At a series of events earlier in October, White House Cybersecurity Coordinator Rob Joyce announced that he is preparing to release more information about the Vulnerabilities Equities Process (VEP).
As we’ve discussed before, the VEP is a complicated yet important process that determines whether the government will notify a digital-technology company about a cybersecurity flaw in its product or service, or choose not to disclose the flaw and use it for later hacking or intelligence-gathering purposes.
A “new tech” security issue.
Shadow IT Growth Introducing Huge Compliance Risks: Report
Shadow IT continues to grow, while senior management remains in denial. The average enterprise now uses 1,232 cloud apps (up 33% from the second half of last year), while CIOs still believe their organizations use between just 30 and 40 cloud apps and services. Within this cloud, 20% of all stored data is at risk from being 'broadly shared'.
The figures come from the 1H 2017 Shadow Data Report (PDF), based on aggregated and anonymized data from 22,000 cloud apps and services, 465 million documents, and 2.3 billion emails used by Symantec's CloudSOC (CASB) customers.
For my Ethical Hackers and my Computer Security students.
Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques
Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's login page (Gmail, Facebook, Office 365, targeted banks, etc.), and a pre-written PHP script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.
… Duo Security R&D engineer Jordan Wright found and analyzed a single phishing kit, and decided to investigate the extent of their use. The results were published this week in a new report (PDF).
For my Computer Security students' midterm: How would you prevent this?
Rogue Twitter employee on last day of job deactivated Trump’s personal account, company says
President Trump boasted Friday of his social media influence after his personal Twitter account was briefly deactivated by a departing company employee, raising serious questions about the security of tweets the president wields to set major policy agendas, connect with his voter base and lash out at his adversaries.
The deactivation Thursday sparked deep and troubling questions about who has access to the president's personal account, @realDonaldTrump, and the power that access holds. The deactivation also came at a time when the social network is under scrutiny for the role it played in spreading Russian propaganda during the 2016 presidential election.
… at 8:05 p.m., at the same time Trump was tweeting about tax revisions, the company posted a statement saying the president's “account was inadvertently deactivated due to human error by a Twitter employee.”
“The account was down for 11 minutes, and has since been restored,” the statement read. “We are continuing to investigate and are taking steps to prevent this from happening again.”
But two hours later, the company admitted that the deactivation wasn't an accident at all: A preliminary investigation revealed that the account was taken offline “by a Twitter customer support employee who did this on the employee's last day.”
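One way to answer the midterm question, as an added illustration that is neither Twitter's code nor anything from the article: a gate on destructive customer-support actions that revokes those rights on an agent's scheduled last day and requires a second, distinct approver for protected accounts, recording every attempt in an audit log. Account and agent names are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Tuple

# Constructed sample data; the names are placeholders, not real accounts.
PROTECTED_ACCOUNTS = {"@head_of_state_example"}
DESTRUCTIVE_ACTIONS = {"deactivate", "suspend", "delete"}
AUDIT_LOG: List[tuple] = []

@dataclass
class Agent:
    name: str
    last_day: Optional[date] = None  # set by HR once offboarding is scheduled

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(agent: Agent, action: str, account: str, today: date,
              approver: Optional[Agent] = None) -> Decision:
    """Gate a support action and record every attempt, allowed or not."""
    if action not in DESTRUCTIVE_ACTIONS:
        d = Decision(True, "non-destructive action")
    elif agent.last_day is not None and today >= agent.last_day:
        d = Decision(False, "destructive rights revoked on the agent's last day")
    elif account in PROTECTED_ACCOUNTS:
        if approver is None or approver.name == agent.name:
            d = Decision(False, "protected account needs a distinct second approver")
        elif approver.last_day is not None and today >= approver.last_day:
            d = Decision(False, "approver is offboarding and cannot approve")
        else:
            d = Decision(True, "two-person rule satisfied")
    else:
        d = Decision(True, "ordinary account, single agent permitted")
    AUDIT_LOG.append((today.isoformat(), agent.name, action, account,
                      approver.name if approver else None, d.allowed, d.reason))
    return d

def demo() -> Tuple[bool, ...]:
    """Run four constructed cases; returns their allowed flags."""
    today = date(2017, 11, 2)
    leaver, staff, lead = Agent("leaver", last_day=today), Agent("staff"), Agent("lead")
    return (
        authorize(leaver, "deactivate", "@head_of_state_example", today).allowed,
        authorize(staff, "deactivate", "@head_of_state_example", today).allowed,
        authorize(staff, "deactivate", "@head_of_state_example", today, lead).allowed,
        authorize(leaver, "view_profile", "@head_of_state_example", today).allowed,
    )
```

Calling demo() returns (False, False, True, True): the leaver is blocked, a lone agent is blocked on a protected account, a distinct approver unblocks it, and read-only actions stay available.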
(Related).
Another potential question?
Security Sense: How Do You Do Knowledge Based Authentication When All Knowledge is Public?
Have a think about the ways you identify yourself to institutions, both commercial and government. Think about the process you go through in order to establish that you are indeed yourself and it’s not someone else pretending to be you. In particular, consider the sorts of questions you’re asked in order to establish enough confidence on behalf of that institution that they should now proceed with granting you whatever it was you contacted them for in the first place. Very often, you’re asked to partake in what’s referred to as Knowledge Based Authentication or KBA and that’s something we’ve now got a real problem with.
Consider the sorts of questions you’re usually asked, a classic one being your date of birth. This has always been a ludicrous KBA question because it’s a personal attribute we willingly share with others, simply because most of us like cake and presents. Yet we have cases like Betfair using only that and an email address to reset your password. No, you don’t have to actually receive an email, you just simply say “here’s an email and a birthdate and here’s the password I’d like that account to have”. Now that’s an extreme example and I believe they’ve since seen the futility of that approach and made some changes, but date of birth is still frequently a part of the KBA process.
Will this still be a good investment in the age of self-driving cars and Uber-like services?
… Marc Wisotsky and his partner, Jackie Lew, bought two spaces in 2005 in a parking garage near their home in Park Slope, Brooklyn, for around $45,000 each. They used one and rented out the other for $600 a month, pocketing $310 after taxes and the garage fee.
It was a tidy, reliable income, Mr. Wisotsky said, but the real payoff came when he and Ms. Lew sold their extra space last year for $285,000. “We could have gotten more — the prices just keep going up and up,” he said. “There are never as many parking spaces as residential units being built.”
If you are a JFK conspiracy nut, go away and read this. Great idea for a free demo!
E-discovery firm opens access to fully searchable database of JFK assassination records collection
by Sabrina I. Pacifici on Nov 2, 2017
ABA Journal: “The legal review software company iCONECT has digitized some JFK assassination records and is offering free access for 60 days. Launched Oct. 30, the company imported 6,701 public documents from the John F. Kennedy Assassination Records Collection to its Xera platform, including audio files. A user can now search various fields to find relevant information. This is an improvement over the National Archives’ repository of these documents, which are in PDF format and non-searchable, according to a press release. iCONECT also “built a search index, charts, graphs, quick-search folders and word-highlight reports for all the records,” according to the release. A user can even auto-mark CIA cryptonyms found throughout the document set.”
For the student toolkit.
New is not necessarily mainstream.
Blockchain development is now the second-hottest skill in the job market today, growing more than 200% since this time last year.
Blockchain developers now rank second among the top 20 fastest-growing job skills, and job postings for workers with those skills have more than doubled this year.
(Related)
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week