Tuesday, April 16, 2019


A browser that’s vulnerable even if you don’t use it?
Internet Explorer flaw leaves Windows users vulnerable to hackers -- even those who don't use the browser
A zero-day exploit found in Internet Explorer means hackers could steal files from Windows users. What's particularly interesting about this security flaw is that you don't even need to be an Internet Explorer user to be vulnerable.
A security researcher has revealed details of an unpatched exploit in the way IE handles MHT files, and the problem affects Windows 7, Windows 10 and Windows Server 2012 R2. It leaves users vulnerable not only to having their files stolen by hackers, but also means they could be spied upon.
Details of the vulnerability were exposed by security researcher John Page after Microsoft refused to issue a patch.




Not the best news for Marketing.
Catalin Cimpanu reports:
Microsoft Office products are today’s top target for hackers, according to attack and exploitation data gathered by Kaspersky Lab.
In a presentation at its security conference – the Security Analyst Summit – the company said that around 70 percent of the attacks its products have detected in Q4 2018 are trying to abuse a Microsoft Office vulnerability.
Read more on ZDNet.




Who gets to declare war? Is Cyberwar different?
Big US companies discover insurance may not cover a cyberattack
Mondelez, owner of dozens of well-known food brands such as Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the NotPetya cyberstrike in 2017.
Mondelez's insurer, Zurich Insurance, said it would not be sending a reimbursement cheque. It cited a common, but rarely used, clause in insurance contracts: the "war exclusion", which protects insurers from being saddled with costs related to damage from war.
Mondelez was deemed collateral damage in a cyberwar.




Would they do this for anyone else? Did the police ask them to keep the post up? The article does not make that clear.
Twitter Left Up Ilhan Omar Death Threats So Law Enforcement Could Investigate
Twitter would’ve typically taken down the threatening tweets once they were reported, but the company left them up to enable potential law enforcement collaboration, a source close to the company told BuzzFeed News. The Capitol Hill police are working on the issue, the source said.
The incident highlights Twitter’s flawed approach to dealing with death threats on its platform. Instead of reporting death threats to law enforcement as a policy, Twitter simply deletes them. This means its users can make these threats with little fear of retribution, since the tweets usually disappear before police can review them.




Is the FBI trying to keep this quiet?
Alex Johnson reports:
A nonprofit organization affiliated with the FBI confirmed that hackers breached the web servers of multiple chapters and published the names and addresses of hundreds of law enforcement personnel and thousands of other people online.
The hacked materials, which were released late last week and obtained Sunday by NBC News, include names, job descriptions, email addresses and, in some cases, street addresses of more than 23,000 people in multiple databases. More than 1,000 of the email addresses belong to the FBI.gov domain and the domains of other federal, state and local law enforcement agencies.
Read more on NBC News.
There’s a lot that’s creating buzz about this group of threat actors and their leaks, not the least of which is the reluctance of major media outlets to name the group or provide details on the leaked data. DataBreaches.net has obtained the freely offered data dumps, and I assume that many other news outlets and non-news parties have also obtained the data by now.
So what are these threat actors really up to? Their claim over the weekend that “We demand freedom for Peter Levashov,” a convicted Russian spammer, may not appear to be credible at first blush, but Levashov is also a virus creator, and this group have also offered ransomware on their site — ransomware that others have declared not to be recognizable as the work of previously known ransomware creators.
As of this morning, Twitter appears to have suspended the group’s Twitter account, but their web site is still online, with links to the data dumps that have concerned many. Their most recent dump, which they described as “A list of people being watched by the FBI,” contains more than 22,000 rows or entries with people’s first and last names, company, work area, and email address, and appears to contain a lot of media people, but not nationally prominent people for the most part. So what does it mean that the FBI is “watching” them? Is the FBI merely watching a lot of reporters as part of its usual activities, or are these people “special” somehow? This database doesn’t quite make sense as described – at least, not yet.
Of course, the data of greatest concern (so far) have been the contact details (phone, work email) of those in agencies such as DHS, TSA, the Secret Service, Capitol Police, etc. Anything that might increase the effectiveness of a phishing attack is necessarily concerning.
So what will today bring or this week? It’s hard to predict. It seems that the attackers wish to market data and have been creating interest in what they have to offer. But what price will they ask for it, and what will the quality of their offering be? I guess we’ll just have to wait and see.




Do I believe it? (Podcast)
The Doctor Is in: What HIPAA Compliance Means for Amazon
Drexel's Robert Field and Wharton's Arnold "Skip" Rosoff discuss Amazon's announcement that its Alexa device is now HIPAA compliant.


(Related)
Smart speakers’ installed base to top 200 million by year end
Smart speakers’ global installed base is on track to top 200 million by the end of this year, according to a report out today from analysts at Canalys. Specifically, the firm forecasts the installed base will grow by 82.4 percent, from 114 million units in 2018 to 207.9 million in 2019.




Sue em all, sue em all, the long and the short and the tall
Efforts to Expand CCPA’s Private Right of Action Remain in Question
Recent developments in the California Assembly and Senate may preview whether California businesses and consumers should expect an expanded private right of action:




Continued clarification?
European Commission Issues Updated Q&A on Interplay between the GDPR and the Clinical Trials Regulation




Is this an anti-GDPR? Can anyone comply with both?
The U.S. Is Losing a Major Front to China in the New Cold War
A swathe of the world is adopting China’s vision for a tightly controlled internet over the unfettered American approach, a stunning ideological coup for Beijing that would have been unthinkable less than a decade ago.
Vietnam and Thailand are among the Southeast Asian nations warming to a governance model that twins sweeping content curbs with uncompromising data controls – because it helps preserve the regime in power.




The eSting? Aren’t the police being ‘invited’ in?
Four Steps Facebook Should Take to Counter Police Sock Puppets
EFF: “Despite Facebook’s repeated warnings that law enforcement is required to use “authentic identities” on the social media platform, cops continue to create fake and impersonator accounts to secretly spy on users. By pretending to be someone else, cops are able to sneak past the privacy walls users put up and bypass legal requirements that might require a warrant to obtain that same information. The most recent example—and one of the most egregious—was revealed by The Guardian this week. The U.S. Department of Homeland Security executed a complex network of dummy Facebook profiles and pages to trick immigrants into registering with a fake college, The University of Farmington. The operation netted more than 170 arrests. Meanwhile, Customs and Border Protection issued a privacy impact assessment that encourages investigators to conceal their social media accounts…”




Looking North! (Long)
Canadian Internet Law Update - 2018
This paper summarizes selected developments in Canadian Internet law during 2018. Internet law is a vast area that continues to develop rapidly. Reference to current legislation, regulatory policies, guidelines and case law is essential for anyone addressing these issues in practice.