Saturday, September 15, 2018

Never a good idea?
FreshMenu Hid Data Breach Affecting 110,000 Users
FreshMenu, a food delivery provider based in India, has come under social media attack for keeping under wraps a data breach two years ago that exposed the personal information of over 110,000 users.
The incident originally was brought to light in 2016 by data breach tracker HaveIBeenPwned, which discovered that the breach exposed names, email addresses, phone numbers, home addresses, and order histories, the Times of India reported on Wednesday. That news report led to the strong response on social media.
Troy Hunt, who runs HaveIBeenPwned, says he had informed FreshMenu back in July 2016 that the breach had taken place, but the company decided not to notify impacted customers.
… But security practitioners say that even if payment information wasn't breached, the incident should have been promptly reported to those affected.
"Customers have every right to know what data of theirs has been compromised or leaked," says Rahul Sharma, founder of the Perspective, a firm which focuses on cyber policy. "This should be a practice followed by every company, and I feel a law addressing this issue must come out soon."
"Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is."




Unfortunately, minimal is the key word.
Catalin Cimpanu reports:
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company’s stock price, even if it’s somewhat minimal.
The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange (NYSE) that suffered and publicly disclosed breaches of one million records and over in the past three years.
Read more on ZDNet.
[From the article:
"In the long term, breached companies underperformed the market," the CompariTech team concluded in their report.
… Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock's NASDAQ performance indicator even after three years, in some cases.]




The Cold War in the Internet Age. How close to the “trigger” are they willing to come?
German Troops Face Russian 'Hybrid War' in Lithuania: Merkel
German Chancellor Angela Merkel said Friday Berlin was boosting military cyber capabilities to respond to Russian hybrid warfare that is targeting its troops deployed on NATO's eastern flank.
"Here you are also confronted with a situation that represents another part of the Russian military doctrine: the idea of hybrid warfare," she told German troops stationed in Lithuania as part of a NATO force deployed to deter Russia.
NATO allies have accused Russia of using "hybrid warfare" techniques, including subversion, propaganda and cyber warfare, to undermine the West without triggering a full NATO military response.
Russia has repeatedly denied that it stages such attacks and has accused the US-led alliance of provoking an arms race.
… Soon after their arrival, German troops were subjected to false rape accusations while media reports said Moscow also targeted NATO soldiers' smartphones.


(Related) Follows the Russian pattern. (They also attacked the lab doing Olympic drug testing.)
Dutch 'Expelled Two Russian Spies Over Novichok Lab Plot'
Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.
The two agents, believed to be working for Russia's GRU military intelligence service, targeted the Spiez laboratory near Bern, Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger said.
At the time, Spiez was analysing data related to poison gas attacks in Syria, as well as the March 4 attack using the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter in Salisbury, they reported.
The laboratory does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog.




Interesting argument.
Carrie Goldberg and her law firm represent Matthew Herrick in Matthew Herrick v. Grindr LLC, a case that may shake things up with Section 230 of the CDA’s protections for platforms. Tor Ekeland Law, PLLC are co-counsel in the case.
Goldberg writes:
Our client, Matthew Herrick, was stalked and harassed by his ex-boyfriend through the Grindr app. The ex-boyfriend had created impersonating profiles to arrange sex dates with over a thousand men who came to Matthew’s home and workplace. Matthew reported it to Grindr over 100 times. He also got an Order of Protection and made criminal complaints against his ex, but the strangers kept coming. The impersonating profiles told them that Matthew had drugs to share and wanted to role-play rape fantasies. When our firm served Grindr’s team with a court order demanding they exclude Matthew’s ex from using their product, they said they didn’t have the technology to do so. They own the patent to geo-locating technology! And yet, they can’t screen users?!
We said, “If you can’t control your product, it’s dangerous.” So we, along with co-counsel Tor Ekeland Law, PLLC, sued Grindr using theories of products liability. This case challenges Section 230 of the Communications Decency Act (CDA), which tech companies claim exempts them from being liable for harm that happens on their platforms. The CDA, passed in 1995, was initially created to protect online bulletin boards from defamation cases. Over the last twenty-two years, the law has become broader and broader because of the way courts have interpreted it, granting protections to a broader array of internet service providers for a broader array of harmful activities.
Read more on her blog, where you can also download the relevant filings.




For future Computer Security classes.
Secureworks Launches New Security Maturity Model
Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to "research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment."
Secureworks is offering a complimentary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like the National Institute of Standards and Technology (NIST) framework and ISO 27001/02 with insight from Secureworks' global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.
Further information, and a route map for attaining security maturity, can be found in a white paper titled '5 Critical Steps to a More Mature Security Posture' (PDF).




The price of entry into the China market?
Google built a prototype of a censored search engine for China that links users’ searches to their personal phone numbers, thus making it easier for the Chinese government to monitor people’s queries, The Intercept can reveal.
The search engine, codenamed Dragonfly, was designed for Android devices, and would remove content deemed sensitive by China’s ruling Communist Party regime, such as information about political dissidents, free speech, democracy, human rights, and peaceful protest.
Previously undisclosed details about the plan, obtained by The Intercept on Friday, show that Google compiled a censorship blacklist that included terms such as “human rights,” “student protest,” and “Nobel Prize” in Mandarin.




Perspective.
Facebook’s Crackdown on Misinformation Might Actually Be Working
… The study, released as a working paper Friday afternoon, examines how Facebook and Twitter users interacted with articles from 570 sites that have been identified by at least one credible source as a purveyor of “fake news”—that is, patently false, intentionally misleading, or hyperpartisan content. It finds that engagement on stories from those sites rose steadily on both Facebook and Twitter until shortly after the 2016 U.S. presidential election. Beginning in early 2017, however, those sites’ engagement began to drop off on Facebook—even as it kept rising on Twitter.
While the authors caution that the study is “far from definitive,” it’s noteworthy as perhaps the first large-scale empirical study that directly examines the efficacy of Facebook’s ongoing campaign against misinformation. Its findings could serve as a guidepost as the company continues to reckon with its influence on civil society.


(Related) On the other hand…
Tech’s New Problem: North Korea
North Korean operatives have sought to use U.S. technology and social media networks to evade U.S.-led sanctions and generate income, taking advantage of many of the same shortcomings that allowed Russians to interfere in the 2016 election.
Cloaking their identities, the North Koreans have been able to advertise jobs and find clients on job-search exchanges such as Upwork and Freelancer.com.




Dogbert suggests a message for my students.