Security failures are often management failures. This is especially true when management fails to learn from their mistakes.
Peter Cowan reports:
For the second year in a row the provincial government’s salary disclosure includes names and salaries that shouldn’t have been released. The list, which is often called the “sunshine list,” reveals the names and salary information for anyone making more than $100,000.
(Related) I never have to look far to find really good “Bad Examples” for my Computer Security class.
Nico Arboleda and Steven Kiernan report what is pretty much a total destruction breach:
Digital marketing and web provider Cyanweb Solutions lost nearly all customer data and backups after a “criminal hacking incident” that compromised one of its servers last week.
The three-staff, Perth-based company provides web design, hosting, online marketing and search engine optimisation for around 500 clients. The company did not have offsite backups in place.
According to an advisory posted on its website, “A professional hacking group attacked, infiltrated the server and destroyed all data, including all available backup data.”
Should we expect more lawsuits in Richmond?
Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi of Jackson Lewis write:
Cybersecurity incidents are on the rise, and so too is data breach litigation brought by plaintiffs who allege they were harmed by the unauthorized exposure of their personal information. Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a “risk of future harm” exists.
The United States Court of Appeals for the Fourth Circuit (“the Fourth Circuit”) is the latest circuit court to weigh in on standing in data breach litigation. In Hutton v. National Board of Examiners in Optometry, the court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.
Will right-wing hackers start sending compromising data to immigrant phones?
Europe is using smartphone data as a weapon to deport refugees
Smartphones have helped tens of thousands of migrants travel to Europe. A phone means you can stay in touch with your family – or with people smugglers. On the road, you can check Facebook groups that warn of border closures, policy changes or scams to watch out for. Advice on how to avoid border police spreads via WhatsApp.
Now, governments are using migrants' smartphones to deport them.
Across the continent, migrants are being confronted by a booming mobile forensics industry that specialises in extracting a smartphone’s messages, location history, and even WhatsApp data. That information can potentially be turned against the phone owners themselves.
In 2017 both Germany and Denmark expanded laws that enabled immigration officials to extract data from asylum seekers’ phones. Similar legislation has been proposed in Belgium and Austria, while the UK and Norway have been searching asylum seekers’ devices for years.
… Over the six months after Germany’s phone search law came into force, immigration officials searched 8,000 phones. If they doubted an asylum seeker’s story, they would extract their phone’s metadata – digital information that can reveal the user’s language settings and the locations where they made calls or took pictures.
… If a person says they were in Turkey in September, for example, but phone data shows they were actually in Syria, they can see more investigation is needed.
Denmark is taking this a step further, by asking migrants for their Facebook passwords. Refugee groups note how the platform is being used more and more to verify an asylum seeker’s identity.
Good or bad, it is another way for governments to tax citizens.
Uganda leader says social media used for 'lying', defends tax for access
Uganda’s President Yoweri Museveni has defended the country’s new social media tax, saying Ugandans were using such platforms for “lying”, and squandering the nation’s hard currency on fees to foreign-owned telecoms firms.
In May Uganda’s parliament passed new tax laws that introduced a levy of 200 shillings ($0.05) per day for access to a range of online services.
The platforms that have been identified by the country’s revenue service for the tax include Facebook, Twitter, WhatsApp, Google Hangouts, YouTube, Skype, Yahoo Messenger and many others.
The tax, collected by mobile phone internet service providers since July 1, is equivalent to about 20 percent of what typical Ugandan users pay for their mobile phone data plans.
Clearing the path?
Facebook Ads Offer Peek at Looming Supreme Court Fight
Even before President Trump’s new Supreme Court nominee is announced, a fight over the choice is raging on social media.
In the days since Justice Anthony M. Kennedy said he would retire, partisan groups have turned to Facebook, Twitter and other social networks with political ads. Some of the ads urge voters to pressure their senators to block or speed the confirmation process for Mr. Trump’s eventual nominee. Others oppose allowing specific jurists to fill the vacant seat.
Judicial Crisis Network, an organization that promotes conservative judicial nominees, announced last week that it would spend more than $1 million to support Mr. Trump’s nominee. So far, the group has spent as much as $140,000 on a series of nearly two dozen Facebook ads. Many of the Facebook ads are targeted at users in North Dakota, Indiana and West Virginia, all red states with vulnerable Democratic senators who are up for re-election this year.
… Demand Justice, an organization formed this year by veterans of the Hillary Clinton and Barack Obama campaigns, began running Facebook ads on Monday urging voters to “stop Trump’s SCOTUS takeover.” The group, which has said it plans to raise $10 million this year, has also run ads opposing Brett Kavanaugh, Amy Coney Barrett and Amul Thapar, three judges who are reported to be on Mr. Trump’s shortlist for the Supreme Court.
… These groups, which are classified as 501(c)(4) advocacy groups, are not required to identify their donors or disclose much of their spending. But new Facebook ad policies are for the first time giving a glimpse of how money from these organizations flows through social media.
In an attempt to avoid a repeat of 2016, when Russian disinformation campaigns successfully exploited flaws in its network, Facebook recently began requiring political advertisers to authenticate themselves as residents of the United States and label every ad with a “paid for by” indication. The company also began archiving all paid political content on Facebook and Instagram, including promoted news, in a searchable public database, along with information about how much was spent on the ads and basic details about how they were targeted.
Are we ready for this election? I doubt it.
Intel Committee Releases Unclassified Summary of Initial Findings on 2017 Intelligence Community Assessment
News release: “Today [July 3, 2018], Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Mark Warner (D-VA) released the Committee’s unclassified summary of its initial findings on the Intelligence Community Assessment (ICA) on Russian activities in the 2016 U.S. elections.
The Committee finds that the overall judgments issued in the ICA were well-supported and the tradecraft was strong. The course of the Committee’s investigation has shown that the Russian cyber operations were more extensive than the hack of the Democratic National Committee and continued well through the 2016 election.
“The Committee has spent the last 16 months reviewing the sources, tradecraft and analytic work underpinning the Intelligence Community Assessment and sees no reason to dispute the conclusions,” said Chairman Burr. “The Committee continues its investigation and I am hopeful that this installment of the Committee’s work will soon be followed by additional summaries providing the American people with clarity around Russia’s activities regarding U.S. elections.”
“Our investigation thoroughly reviewed all aspects of the January 2017 ICA, which assessed that Russian President Vladimir Putin ordered an influence campaign to target our presidential election and to destabilize our democratic institutions,” said Vice Chairman Warner. “As numerous intelligence and national security officials in the Trump administration have since unanimously re-affirmed, the ICA findings were accurate and on point. The Russian effort was extensive and sophisticated, and its goals were to undermine public faith in the democratic process, to hurt Secretary Clinton and to help Donald Trump. While our investigation remains ongoing, we have to learn from 2016 and do more to protect ourselves from attacks in 2018 and beyond.”
The summary is the second unclassified installment in the Committee’s report on Russian election activities. The Committee held a closed door hearing in May to review the ICA on “Assessing Russian Activities and Intentions in Recent U.S. Elections.” Members heard testimony from former Director of National Intelligence James Clapper, former Director of the Central Intelligence Agency John Brennan and former Director of the National Security Agency Mike Rogers, which informed the Committee’s report.
You can read a copy of the unclassified summary here.”
Where do your experiences fall?
Stories From Experts About the Impact of Digital Life
“While many technology experts and scholars have concerns about the social, political and economic fallout from the spread of digital activities, they also tend to report that their own experience of digital life has been positive… Over the years of canvassings by Pew Research Center and Elon University’s Imagining the Internet Center, many experts have been anxious about the way people’s online activities can undermine truth, foment distrust, jeopardize individuals’ well-being when it comes to physical and emotional health, enable trolls to weaken democracy and community, compromise human agency as algorithms become embedded in more activities, kill privacy, make institutions less secure, open up larger social divisions as digital divides widen, and wipe out untold numbers of decent-paying jobs. An early-2018 expert canvassing of technology experts, scholars and health specialists on the future of digital life and well-being contained references to some of those concerns. The experts who participated in that research project were also asked to share anecdotes about their own personal experiences with digital life.
This report shares those observations…”
Re-purposing an e-discovery tool? Seems like an obvious step to me.
AI spots legal problems with tech T&Cs in GDPR research project
Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law.
The still-in-training privacy policy and contract parsing tool — which is called ‘Claudette’: aka (automated) clause detector — is being developed by researchers at the European University Institute in Florence.
… Early results from this project have been released today, with BEUC saying the AI was able to automatically flag a range of problems with the language being used in tech T&Cs.
… In theory, all 15 parsed privacy policies should have been compliant with GDPR by June, as it came into force on May 25. However some tech giants are already facing legal challenges to their interpretation of ‘consent’. And it’s fair to say the law has not vanquished the tech industry’s fuzzy language and logic overnight. Where user privacy is concerned, old, ugly habits die hard, clearly.
Another article for my Security collection.
Do You Know What Apps Have Access To Your Gmail? Here’s How to Find and Remove Them