Do you have a procedure to handle situations for which you have no procedure? My Computer Security students will be writing one this week.
If you can’t prevent a breach, can’t you at least fake genuine concern? You know, the “At , we take your privacy and security very seriously” bit?
Mark Flamme reports on a Key Bank breach where the bank’s response to notification of a problem is at least as problematic as the breach itself.
After a customer found himself with access to another customer’s complete history and details, he attempted to alert the bank.
“They told me, ‘Don’t worry. Just don’t worry.’ That’s all I can get out of them,” Brito said. “I sat on hold for 45 minutes for, supposedly, a supervisor who said, ‘Don’t worry. We’re taking care of it.’ I can look at a Connecticut man’s bank statements for the past 10 years. How is that a ‘don’t worry’ situation?”
The Sun Journal didn’t have any better luck. A call to a 24-hour hotline was answered by a representative who passed on a number for the Key Bank Corporate Headquarters Customer Complaint Resolution Department. Calls to that number, and to a third number for bank executive relations, were not answered.
A message left at the Complaint Resolution Department was not returned.
Read more on Sun Journal.
Now maybe the employee intended to be reassuring with the “Don’t worry” response, but that was unsatisfactory to the now-worried customers. Think about what you could say in that situation that might actually reassure a customer.
A minor, but rather interesting breach.
I should have posted this one a few weeks ago, but better late than never if you care about tracking breaches in the education sector. On November 16, Kara Seymour reported:
Two women, one from Yardley another from New Hope, have been arrested after police say they illegally accessed the Bucks County Community College computer network and changed student grades, Newtown Township Police announced Thursday.
Alesisha Morosco, 30, of New Hope, and Kelly Marryott, 37, of Yardley, were arrested Thursday. Police said Marryott got the personal information of the faculty member at her job at a medical office, and gave it to Morosco, who used it to access the college’s computer network and change grades, including her own.
Read more on Patch.
It seems (to me) that the evidence falls short.
DHS Says Drone Maker DJI Helping China Spy on U.S.
A memo from the U.S. Department of Homeland Security (DHS) warns that China-based Da-Jiang Innovations (DJI), one of the world’s largest drone manufacturers, has been providing information on critical infrastructure and law enforcement to the Chinese government.
The Los Angeles office of Immigrations and Customs Enforcement (ICE), specifically its Special Agent in Charge Intelligence Program (SIP), issued an intelligence bulletin back in August claiming that DJI is helping China spy on the United States.
A copy of the memo, marked “unclassified / law enforcement sensitive,” was published recently by the Public Intelligence project. The document, based on information from open source reporting and a “reliable source” in the unmanned aerial systems industry, assesses with moderate confidence that DJI is providing data on U.S. critical infrastructure and law enforcement to the Chinese government. The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using DJI drones. [No actual examples of data going to China? Bob]
… The intelligence bulletin also points to a recent memo of the U.S. Army, which instructs units to stop using DJI drones due to cybersecurity vulnerabilities, and a U.S. Navy memo on the operational risks associated with the use of the Chinese firm’s products. DJI has taken some measures to improve privacy following the Army ban. [Poor security is not espionage. Bob]
This happens with a lot of senior managers. Secretaries reading and filtering emails. PR(?) handling social media accounts. In all cases, the simple solution is to make certain that the politician/executive/celebrity never has access to the password for that account. This article is definitely worth reading.
The Trouble with Politicians Sharing Passwords
Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it:
Nadine Dorries (Verified account) @NadineDorries
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
10:03 AM - 2 Dec 2017
For context, the back story to this is that another British pollie (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC and Nadine is implying it could have been someone else on his PC using his identity. I read this while wandering around in LA on my way home from sitting in front of US Congress and explaining security principles to a government so it felt like a timely opportunity to share my own view on the matter:
Troy Hunt (Verified account) @troyhunt
Troy Hunt Retweeted Nadine Dorries
This illustrates a fundamental lack of privacy and security education. All the subsequent reasons given for why it’s necessary have technology solutions which provide traceability back to individual, identifiable users.
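Bob’s point above (the principal never holds the shared password) and Troy Hunt’s remark about traceability both come down to the same design: delegation instead of sharing. Staff get their own scoped, time-limited grants, and every action is logged under the staffer’s own identity, so “it was done from her login” is never the end of the trail. The following is an added example of that model; it is not code from Troy Hunt’s article or from any real parliamentary system, and the account names, scopes and epoch-second timestamps are constructed.

```python
# Added illustration for the delegation point above; not code from Troy Hunt's
# article or any real system. Names, scopes and timestamps are constructed, and
# time is plain epoch seconds so the example runs offline.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    delegate: str          # the staffer's OWN account, never the principal's login
    scopes: frozenset      # actions the delegate may take on the principal's behalf
    expires: int           # epoch seconds; an exchange intern gets a short window


@dataclass
class Mailbox:
    owner: str
    grants: dict = field(default_factory=dict)   # delegate -> Grant
    audit: list = field(default_factory=list)    # append-only, one entry per attempt

    def delegate(self, delegate, scopes, expires):
        """Owner grants scoped, time-limited access; no credential changes hands."""
        self.grants[delegate] = Grant(delegate, frozenset(scopes), expires)
        self._log(self.owner, "grant", f"{delegate}:{','.join(sorted(scopes))}")

    def revoke(self, delegate):
        """Departing staff lose access at once; nobody has to rotate a password."""
        self.grants.pop(delegate, None)
        self._log(self.owner, "revoke", delegate)

    def act(self, actor, action, now):
        """Attempt `action` as `actor`. The owner always may; a delegate only under
        an unexpired grant covering the action. The decision is logged under the
        actor's own identity, which is the traceability Troy Hunt refers to."""
        if actor == self.owner:
            allowed = True
        else:
            g = self.grants.get(actor)
            allowed = g is not None and action in g.scopes and now < g.expires
        self._log(actor, action, "allowed" if allowed else "denied")
        return allowed

    def who_did(self, action):
        """The question raised in the article: which identity performed `action`?"""
        return [e["actor"] for e in self.audit
                if e["action"] == action and e["result"] == "allowed"]

    def _log(self, actor, action, result):
        self.audit.append({"actor": actor, "action": action, "result": result})
```

Denied attempts are logged as well as allowed ones, so an expired or out-of-scope intern shows up in the record rather than vanishing behind the owner’s login.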
(Related). Thought it never happened here?
Looking for the Linguistic Smoking-Gun in a Trump Tweet
President Donald Trump’s behavior on Twitter routinely drives entire news cycles. This weekend, he showed that a single word within a single presidential tweet can be explosive.
Trump raised alarm bells in his published response to the news that his former national security adviser, Michael Flynn, pleaded guilty to lying to the FBI.
The tweet published to Trump’s account clearly implied that he already knew that Flynn had deceived the Feds when he fired him back in February: “I had to fire General Flynn because he lied to the Vice President and the FBI. He has pled guilty to those lies. It is a shame because his actions during the transition were lawful. There was nothing to hide!”
That unleashed a frenzy of speculation about whether Trump had just admitted to obstructing justice, since it seems he must have known that Flynn had committed a felony when he was pressuring then-FBI director James Comey to ease up on the Flynn case.
But then came word that maybe Trump didn’t write the tweet after all. The Washington Post reported that “Trump’s lawyer John Dowd drafted the president’s tweet, according to two people familiar with the twitter message.” The Associated Press also identified Dowd as the one who “crafted” the tweet, citing “one person familiar with the situation,” though Dowd himself declined to make a comment to the AP.
For my Data Management students: Another criterion for your backup system?
Banks Build Line of Defense for Doomsday Cyberattack
The Sheltered Harbor project is meant to ensure that every U.S. bank has a protected, unalterable backup that can be used to serve customers in case of a major hack
U.S. banks have quietly launched a doomsday project they hope will prevent a run on the financial system should one of them suffer a debilitating cyberattack.
The effort, which went live earlier this year and is dubbed Sheltered Harbor, currently includes banks and credit unions that have roughly 400 million U.S. accounts. The effort requires member firms to individually back up data so it can be used by other firms to serve customers of a disabled bank.
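The “protected, unalterable” requirement is, for a Data Management student, a tamper-evidence problem: a peer firm restoring the data must be able to tell that nothing was altered, dropped or reordered since the backup was taken. The block below is an added illustration of one way to do that, chaining the records with SHA-256 and checking them against a root digest that is held somewhere the backup’s writer cannot change; it is not Sheltered Harbor’s actual format or code, and the account records are constructed.

```python
# Added illustration of a tamper-evident backup; not Sheltered Harbor's format or
# code. Records are chained with SHA-256; the final digest ("root") is meant to be
# kept where the backup's writer cannot alter it (offline, write-once, or a peer).
import hashlib
import json

ZERO = "0" * 64   # chain seed; the first record is hashed against this

# Constructed sample of the per-account data a peer bank would need to serve
# a disabled bank's customers.
SAMPLE_RECORDS = [
    {"account": "0001", "owner": "A. Brito", "balance_cents": 125000},
    {"account": "0002", "owner": "J. Doe", "balance_cents": 98000},
    {"account": "0003", "owner": "K. Lee", "balance_cents": 540000},
]

def _canon(record):
    """Canonical bytes so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(records):
    """Return (entries, root); each digest covers its record and the previous digest."""
    prev, entries = ZERO, []
    for seq, rec in enumerate(records):
        digest = hashlib.sha256(prev.encode() + _canon(rec)).hexdigest()
        entries.append({"seq": seq, "record": rec, "digest": digest})
        prev = digest
    return entries, prev

def verify(entries, root):
    """Recompute the chain and compare with the separately held root.
    Returns (ok, first_bad_seq); first_bad_seq is None when ok."""
    prev = ZERO
    for i, entry in enumerate(entries):
        if entry["seq"] != i:                    # dropped or reordered record
            return False, i
        digest = hashlib.sha256(prev.encode() + _canon(entry["record"])).hexdigest()
        if digest != entry["digest"]:            # record edited without rechaining
            return False, i
        prev = digest
    if prev != root:                             # rechained, truncated or appended
        return False, len(entries)
    return True, None

def tampered(entries, seq, **changes):
    """Deep copy of `entries` with one record edited, to demonstrate detection."""
    copy = json.loads(json.dumps(entries))
    copy[seq]["record"].update(changes)
    return copy
```

The chain alone is not enough: an attacker who can rewrite the records can recompute every digest, so the root must live outside the backup writer’s reach, which is the part of the design the word “protected” is doing the work for.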
Indicating that my Data Management students might find jobs!
Giangiacomo Oliv writes:
Under the General Data Protection Regulation (GDPR), companies that process large amounts of sensitive personal data or consistently monitor data subjects on a large scale will be required to appoint a data protection officer (DPO).
As discussed in our previous posts, the DPO will have significant responsibilities, including reporting on data to the highest management level. While the DPO debate has so far been focussed on where to place the DPO within company structures, confusion remains over the DPO’s actual responsibilities.
Firstly, the GDPR does not provide for any specific liability for the DPO. However, the Art. 29 Working Party addresses this issue in its Guidelines on Data Protection Officers of 13 December 2016.
Read more on DLA Piper Privacy Matters.
Indicating that the world keeps changing? Does anyone remember when doctors made house calls?
… The transaction, one of the largest of the year, reflects the increasingly blurred lines between the traditionally separate spheres of a rapidly changing industry. It represents an effort to make both companies more appealing to consumers as health care that was once delivered in a doctor’s office more often reaches consumers over the phone, at a retail clinic or via an app.
… A combined CVS-Aetna could position itself as a formidable figure in this changing landscape. Together, the companies touch most of the basic health services that people regularly use, providing an opportunity to benefit consumers. CVS operates a chain of pharmacies and retail clinics that could be used by Aetna to provide care directly to patients, while the merged company could be better able to offer employers one-stop shopping for health insurance for their workers.
Good to see that someone is thinking about this – even if they only came up with four.
4 Reasons Why Assassinating Kim Jong Un Could Become A Total Disaster
North Korea’s most recent intercontinental ballistic missile (ICBM) test has once again captivated the international community. Much less attention has been paid to how South Korea is responding to its neighbor’s military advances.
Firstly, South Korea is acquiring the capabilities to conduct preemptive strikes against North Korea’s nuclear and missile sites under the guise of its “Kill Chain” strategy. Relatedly, Seoul is seeking the capabilities and simulating decapitation strikes against North Korea’s leadership—that is, South Korea wants the ability to assassinate Kim Jong-un and his inner circle.
Both capabilities pose enormous challenges that are not being acknowledged. For both scenarios, Seoul is failing to ask the simple question of whether the United States would back its actions. Washington itself does not appear to be contemplating this essential question, even though it would be directly implicated by South Korea’s policies.