Monday, December 10, 2018

Not as much exposure as you might think. Do you know every computer a job applicant might have had access to?
DarkVishnya: Banks attacked through direct connection to local network
… In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country.
… Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms.
The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:
  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks
… At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines.
… Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access
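The step common to every DarkVishnya case is stage one: a device the organization does not own appears on its LAN. As an added example, not code from Kaspersky's report or from the original post, the following Python script reconciles DHCP lease log lines against an asset inventory and flags any MAC address that is not on it, with a priority hint when the OUI belongs to the Raspberry Pi Foundation. The log lines, the inventory, the asset tags and the IP ranges are all constructed for illustration.

```python
"""Rogue-device triage against an asset inventory (added example).

Reads ISC dhcpd-style syslog lines, extracts DHCPACK leases, and reports every
MAC that is not in the inventory. A Raspberry Pi OUI is surfaced as a hint only:
an attacker can set any MAC, so the absence of the hint proves nothing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not captured from any real network).
SAMPLE_DHCP_LOG = """\
Dec 10 09:02:11 gw dhcpd: DHCPACK on 10.20.5.41 to 3c:52:82:aa:01:9f (WS-FIN-0312) via eth0
Dec 10 09:14:37 gw dhcpd: DHCPACK on 10.20.5.88 to b8:27:eb:4d:11:c0 (raspberrypi) via eth0
Dec 10 09:15:02 gw dhcpd: DHCPACK on 10.20.5.89 to 00:11:22:33:44:55 via eth0
Dec 10 09:20:55 gw dhcpd: DHCPACK on 10.20.5.42 to 3c:52:82:aa:02:10 (WS-FIN-0313) via eth0
Dec 10 09:21:03 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
"""

# Hypothetical inventory: MAC -> asset tag. In practice export it from the CMDB or NAC.
INVENTORY: Dict[str, str] = {
    "3c:52:82:aa:01:9f": "WS-FIN-0312",
    "3c:52:82:aa:02:10": "WS-FIN-0313",
}

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Only DHCPACK lines carry an assigned address; DISCOVER/OFFER lines are skipped.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]  # None when the client sent no hostname option
    iface: str


def parse_leases(log_text: str) -> List[Lease]:
    """Return one Lease per DHCPACK line; other lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def classify(lease: Lease, inventory: Dict[str, str]) -> str:
    """'known' if the MAC is inventoried, otherwise 'unknown' with an OUI hint."""
    if lease.mac in inventory:
        return "known"
    if lease.mac[:8] in RPI_OUIS:
        return "unknown-rpi-oui"
    return "unknown"


def find_rogue_devices(log_text: str, inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str], str]]:
    """Unique (mac, ip, hostname, verdict) tuples for every non-inventoried client."""
    findings = []
    seen = set()
    for lease in parse_leases(log_text):
        verdict = classify(lease, inventory)
        if verdict != "known" and lease.mac not in seen:
            seen.add(lease.mac)
            findings.append((lease.mac, lease.ip, lease.hostname, verdict))
    return findings


if __name__ == "__main__":
    for mac, ip, host, verdict in find_rogue_devices(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"{verdict:16} {mac}  {ip:15} {host or '-'}")
```

DHCP leases are the cheapest data source but miss a device that configures a static address; a switch MAC address table or 802.1X accounting covers that gap and also tells you which meeting-room port the device sat on. The inventory match is the control; the Raspberry Pi OUI only decides which alert to look at first.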




This could be another example of the FBI talking to lawmakers in another country, hoping to convince them to support an FBI position. Now they can point to this law and tell US lawmakers, "We're behind!"
Australia Anti-Encryption Law Rushed to Passage
A newly enacted law rushed through Australia's parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals.
"I think it's detrimental to Australian and world security," said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM.
U.S. law enforcement officials, including Deputy Attorney General Rod Rosenstein, are again pushing for legislation that would somehow give authorities access to secure communications.
The Australian bill is seen by many as a beachhead for those efforts because the nation belongs to the "Five Eyes" security alliance with the U.S., Britain, Canada and New Zealand.
"There is a lot here that doesn't make any sense," Schneier said of the Australian bill. "This is a technological law written by non-technologists and it's not just bad policy. In many ways, I think it's unworkable."
A leading figure in cryptography, Martin Hellman of Stanford University, said it appears the bill would "facilitate crime by weakening the security of the affected devices."
But Apple, in comments filed with parliament in October, argued that "it would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat."




I’m beginning to think that stories like this are influencing the push for real penalties (like GDPR). The next requirement is some significant penalties for the managers who won’t take action on their own.
Stuff reports on a case in New Zealand that was cited in a newly-released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only did not set a great example for data protection, but they demonstrated less than admirable response to the incident of insider-wrongdoing that harmed a member of the public. Stuff reports:
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.
He also changed the man’s file to add allegations of “improper conduct”.
When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.
[…]
The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.
Read more on Stuff. That the agency didn’t even apologize for the anguish or harm to the individual is concerning.
It is one thing to argue that you had policies and procedures in place that you monitored, but despite that, an employee willfully managed to violate both, but then not to give the affected individual anything, not even a "We agree with you and have terminated the employee's position with us," well… there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.
To jump directly to the annual report, go here.




Is political news based on the number of people who want to read it?
The long, tortured quest to make Google unbiased
The Verge – Can a search engine ever be meaningfully neutral: “[December 11, 2018], Sundar Pichai will try to reassure Congress that Google’s search engine isn’t rigged. The Google CEO is testifying before the House Judiciary Committee on Tuesday [The Hearing is titled – Transparency & Accountability: Examining Google and its Data Collection, Use and Filtering Practices] answering questions about “potential bias and the need for greater transparency” in Google’s business practices. It’s Republican lawmakers’ latest move in a series of hearings over Silicon Valley political bias. “Google has created some of the most powerful and impressive technology applications,” wrote House Majority Leader Kevin McCarthy in the announcement. “Unfortunately, recent reports suggest Google might not be wielding its vast power impartially. Its business practices may have been affected by political bias.” We don’t know exactly what questions will arise during Pichai’s testimony. But this summer, President Donald Trump caused a brief uproar by claiming (without evidence) that Google suppressed positive news about him. Reports indicated Trump might even direct regulators to investigate Google and other platforms for bias. But that proposal hadn’t come from one of Silicon Valley’s many ideological enemies — it was supposedly promoted by recommendations site Yelp, which has spent years protesting what it calls unfair demotion of its search results.
That investigation never came to pass. But it highlighted a major underpinning of the current anti-Google backlash: a decade-long fight over how search engines, which have become many people’s primary gateway to the internet, should treat the websites they list.”

