Thursday, July 26, 2018

Note that this does not seem to be a problem with either Oracle or SAP. It’s a management problem.
Study warns of rising hacker threats to SAP, Oracle business software
At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cyber security firms said in a study published on Wednesday.
The Department of Homeland Security issued an alert [ https://www.us-cert.gov/ncas/current-activity/2018/07/25/Malicious-Cyber-Activity-Targeting-ERP-Applications ] citing the study by security firms Digital Shadows and Onapsis that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.
Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report. (goo.gl/pWbz3Q)




When the “protectors” compromise your data… Think of ‘unsubscribe’ as a GDPR ‘opt-out.’
LifeLock ID theft protection leak could have aided identity thieves
LifeLock's identity theft protection service suffered from a security flaw that put users' identities in jeopardy. The event forced its parent company, Symantec, to pull its website down to fix the issue after it was notified by KrebsOnSecurity. According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability through a newsletter email he received from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.
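As an added illustration (not code from the article or from LifeLock), the pattern the article describes beside a hardened one: a constructed subscriber table, an unsubscribe handler addressed by a sequential key that echoes the email, and a token-based handler that reveals nothing and counts misses so scanning shows up in monitoring.

```python
import secrets
from typing import Optional

# Constructed sample data, not LifeLock's: a mailing list keyed by sequential ids.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com", 1003: "carol@example.com"}


def weak_unsubscribe(subscriber_key: int) -> Optional[dict]:
    """Weak pattern from the article: the unsubscribe page is addressed by a
    sequential key and echoes the matching email, so one leaked key lets
    neighbouring keys be guessed and the list harvested."""
    email = SUBSCRIBERS.get(subscriber_key)
    return None if email is None else {"key": subscriber_key, "email": email}


def count_enumerable(handler, start: int, n: int) -> int:
    """Defender's check: how many records does a scan of n consecutive keys
    expose through a given handler?"""
    return sum(1 for k in range(start, start + n) if handler(k) is not None)


class TokenUnsubscribe:
    """Hardened pattern: each subscriber gets a random 256-bit token; the page
    accepts only that token, returns neither email nor key, and counts failed
    lookups so an enumeration attempt is visible to operations."""

    def __init__(self, subscribers: dict):
        self.link_tokens = {}      # key -> token embedded in that user's email link
        self._key_by_token = {}    # server-side lookup, never sent to the client
        self.unsubscribed = set()
        self.failed_lookups = 0
        for key in subscribers:
            token = secrets.token_urlsafe(32)
            self.link_tokens[key] = token
            self._key_by_token[token] = key

    def unsubscribe(self, token: str) -> dict:
        key = self._key_by_token.get(token)
        if key is None:
            self.failed_lookups += 1
            return {"ok": False}  # same shape as success; no PII in either case
        self.unsubscribed.add(key)
        return {"ok": True}


if __name__ == "__main__":
    print("weak handler exposes", count_enumerable(weak_unsubscribe, 1000, 10), "records")
    svc = TokenUnsubscribe(SUBSCRIBERS)
    print("token handler:", svc.unsubscribe(svc.link_tokens[1002]), svc.unsubscribe("1003"))
```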




Non-reporting was even worse than I thought.
Under GDPR, Data Breach Reports in UK Have Quadrupled
… GDPR imposes a number of new requirements on organizations that handle personal information. But one of the biggest changes is that organizations must track all breaches, as well as report certain types of breaches to authorities "within 72 hours of becoming aware of the breach, where feasible," according to the Information Commissioner's Office, which is the U.K.'s data privacy watchdog and GDPR enforcer.
… But the data does not reveal whether organizations are suffering more - or fewer - breaches than before. "It's important to note that while the number of reported breaches has increased, it does not necessarily mean the number of breaches has increased – just that more are being reported," says Brian Honan, who heads cybersecurity consultancy BH Consulting in Dublin, and who moderated a panel focused on complying with GDPR at the June Infosecurity Europe conference in London.


(Related) A good summary for my students.
Nine Aspects Of GDPR Customer Data Management You Need To Know
1. The Right To Be Forgotten
The biggest impact GDPR will have on organizations is the right to be forgotten. Organizations are required to allow EU residents to revoke their consent at any point. This means that all that data must be removed from every system within the organization. Unless all their databases are integrated, this could get tricky.
8. The IP Address As Personal Data
One of the key tenets of cybersecurity operations is tracking indicators of compromise: Pieces of identifying information that tip off whether user or network activity is malicious. With GDPR in effect, IOCs such as a user's IP address are considered personal data, impacting the defenders' ability to fully use that data to identify, detect and respond to threats.
9. Third-Party Data Policy
All third-party scripts like social media plug-ins, advertising and analytics scripts are your responsibility. How they handle your users' data can be a liability. You cannot assume these third-party companies are GDPR compliant just yet. Review your third-party service providers’ security, and consider removing most external third-party scripts until you can ensure they are GDPR compliant.




I immediately thought this meant that the remaining 507 members of congress were correctly matched to mugshots. Perhaps they didn’t gather enough mugshots?
Amazon’s Rekognition messes up, matches 28 lawmakers to mugshots
The American Civil Liberties Union of Northern California said Thursday that in its new test of Amazon’s facial recognition system known as Rekognition, the software erroneously identified 28 members of Congress as people who have been arrested for a crime.
According to Jake Snow, an ACLU attorney, the organization downloaded 25,000 mugshots from what he described as a "public source."
The ACLU then ran the official photos of all 535 members of Congress through Rekognition, asking it to match them up with any of the mugshots—and it ended up matching 28.
