Saturday, May 04, 2019


The unexpected costs of acquiring a company with poor security.
Kevin Martin reports:
The massive data hack of guest information from the Marriott hotel empire has triggered a $100-million class action lawsuit in Calgary.
A statement of claim filed in Calgary Court of Queen’s Bench says the data breach in which hackers accessed records on as many as 500 million hotel guests was due to the chain’s lack of adequate security.
“The defendants knew or ought to have known that their databases were vulnerable to loss or theft,” says the claim, filed by Calgary lawyer Clint Docken and Edmonton counsel James Brown.
Read more on Calgary Sun.




Does this reduce their liability? Should they be required to pay ransom?
IT service provider refuses to pay ransom, hackers publish stolen data online
In a statement posted high on its official web site, CityComp publicly admits it fell victim to a “targeted cyberattack” sometime last month, and while the company has since fended off the hackers, customer data unfortunately got leaked.
“A still unknown perpetrator has stolen customer data of CITYCOMP and threatened the company with publication, should it not comply with the blackmail attempt,” the company states.
… “Since CITYCOMP does not comply with blackmail the publication of customer data could not be prevented,” the notice continues. “The stolen data has now been published by the perpetrators and CITYCOMP’s customers were informed about it.”
Many of CityComp’s clients are located in the European Union, which means the company should brace for GDPR impact.




Interesting. I might have to tweak my Computer Security curriculum to reflect some of these requirements. (Probably not.)
Oh, I missed something yesterday. President Trump signed an Executive Order on America’s Cybersecurity Workforce. I can’t find it in the Federal Register yet, but you can read it here.




“Let’s turn off the alarms!” A Hollywood cliché.
Design Flaws Create Security Vulnerabilities for ‘Smart Home’ Internet-of-Things Devices
Researchers at North Carolina State University have identified design flaws in “smart home” Internet-of-Things devices that allow third parties to prevent devices from sharing information. The flaws can be used to prevent security systems from signaling that there has been a break-in or uploading video of intruders.
… “Essentially, the devices are designed with the assumption that wireless connectivity is secure and won’t be disrupted – which isn’t always the case,” says Bradley Reaves, co-author of the paper and an assistant professor of computer science at North Carolina State. “However, we have identified potential solutions that can address these vulnerabilities.”
… “One reason these attacks are so problematic is that the system is telling homeowners that everything is OK, regardless of what’s actually happening in the home,” Enck says.
These network layer suppression attacks are possible because, for many IoT devices, it’s easy to distinguish heartbeat signals from other signals. And addressing that design feature may point the way toward a solution.
“One potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through,” says TJ O’Connor, first author of the paper and a graduate student at North Carolina State.
The paper, “Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things,” will be presented at the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks being held May 15-17 in Miami, Fla.
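As an added illustration of the mitigation quoted above (not code from the paper or from this blog), the following Python models a hub's telemetry stream in two encodings, assumed to travel inside TLS so that only frame length is visible on the path: variable-length frames whose size reveals whether a frame is a heartbeat, and fixed-size padded frames where it does not, plus a server-side sequence check that notices a dropped frame even while heartbeats keep arriving. The frame size, function names and sample events are assumptions constructed for the example.

```python
import json

FRAME_LEN = 96  # assumed fixed wire size for every padded frame

# Constructed sample telemetry from one smart-home hub: (sequence number, kind, payload).
DEVICE_EVENTS = [
    (1, "heartbeat", {}),
    (2, "heartbeat", {}),
    (3, "alarm", {"event": "door_open", "zone": 2}),
    (4, "heartbeat", {}),
]

def encode_naive(seq, kind, payload):
    """Variable-length frame: a heartbeat is far shorter than an alarm, so length reveals the kind."""
    return json.dumps({"seq": seq, "kind": kind, "payload": payload}).encode()

def encode_padded(seq, kind, payload):
    """Pad every frame to FRAME_LEN so that length no longer distinguishes heartbeat from alarm."""
    body = encode_naive(seq, kind, payload)
    if len(body) > FRAME_LEN:
        raise ValueError("payload does not fit the fixed-size frame")
    return body + b" " * (FRAME_LEN - len(body))

def decode(frame):
    """Strip padding (a JSON document never ends in a space) and parse."""
    return json.loads(frame.decode().rstrip(" "))

def frames_for(encoder):
    return [(encoder(seq, kind, payload), kind) for seq, kind, payload in DEVICE_EVENTS]

def length_reveals_kind(frames):
    """True when frame length alone separates heartbeats from every other kind,
    which is all an on-path observer can see once the contents are under TLS."""
    heartbeat_sizes = {len(f) for f, kind in frames if kind == "heartbeat"}
    other_sizes = {len(f) for f, kind in frames if kind != "heartbeat"}
    return heartbeat_sizes.isdisjoint(other_sizes)

def simulate_loss(frames, lost_seq):
    """Constructed fault model: one frame never reaches the cloud service."""
    return [f for f, _ in frames if decode(f)["seq"] != lost_seq]

def missing_sequence_numbers(delivered):
    """Server-side check: a gap in seq means a frame was dropped, even though
    heartbeats kept arriving and the app would otherwise report 'all OK'."""
    seqs = [decode(f)["seq"] for f in delivered]
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        gaps.extend(range(prev + 1, cur))
    return gaps
```

With the naive encoding `length_reveals_kind` is True and with padding it is False; losing frame 3 in either stream leaves the gap `[3]` for the server to alarm on.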




Welcome to ‘Big Brother Net.’
Russia's new internet law presents a cybersecurity minefield for global enterprises
A new measure signed into law this week by Russian President Vladimir Putin that would enable the country to create its own internet network, independent from the rest of the world and regulated by national telecom agency Roskomnadzor (RKN), should give corporate executives around the world pause about the cybersecurity implications of doing business in the country moving forward. As part of the maneuver, Russia has also demanded that 10 of the top providers of Virtual Private Networks (VPNs) connect to a state content-filtering system or be banned from operating in the country.
According to Francis Dinha, CEO of OpenVPN, one of the aforementioned VPN providers facing a ban by the Russian government, companies with remote workers in the country that need to access sensitive information from their home offices in the U.S., Europe or elsewhere will have to rethink their security approach moving forward, as authorities will have the ability to surveil any data being transmitted through the new network.




A GDPR oops!
HMRC to delete five million biometric voice records
The UK's tax authority is to delete the biometric voice records of five million people because it did not have clear consent from its customers to have those files.
HM Revenue and Customs (HMRC) uses the Voice ID biometric voice security system to make it easier for callers to pass its security processes when discussing their account. It says using the system will reduce the time it takes to speak to an advisor and will help prevent anyone else accessing accounts.
But the UK's data privacy watchdog, the Information Commissioner's Office (ICO), said that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. "This is a breach of the General Data Protection Regulation," the ICO said.




I’ll look for the new ToS June 29th at 11:59:59 PM
European Commission Forces Changes to Facebook Terms of Service
In yet another victory for privacy advocates, the European Commission (EC) has forced social media giant Facebook to amend its terms of service in order to accurately reflect how the company makes money by selling user data. The Facebook terms of service, once obfuscated by complicated, legalistic language, are now going to state very clearly that Facebook provides its services free of charge to consumers in return for the agreement that their personal data will be shared with third parties and used for targeted advertising. According to the agreement reached between the European Commission, European consumer protection authorities and Facebook, the Silicon Valley giant will have until June 30 to implement the new changes.




Perspective. Could Denver privatize RTD? Probably not, but Leadville could.
‘Uber Was Supposed To Be Our Public Transit’
In 2017, the growing Toronto exurb of Innisfil, Ontario, became one of the first towns in the world to subsidize Uber rides in lieu of a traditional bus. Riders could pay a flat fare of just $3-$5 to travel to community hubs in the backseat of a car, or get $5 off regular fares to other destinations in and around town.
People loved it. By the end of the Uber program’s first full year of service, they were taking 8,000 trips a month.
Now “Innisfil Transit” is changing its structure. As of April 1, flat fares for the city-brokered Ubers rose by $1. Trip discounts dropped to $4, and a 30-ride monthly cap was implemented. Town leaders say this will allow Innisfil to continue to cover costs.
But Hudson and others see the changes as harmful, and a strange way of declaring success.


