What if these attacks became much more common?

Baltimore ransomware nightmare could last weeks more, with big consequences
It's been nearly two weeks since the City of Baltimore's networks were shut down in response to a ransomware attack, and there's still no end in sight to the attack's impact. It may be weeks more before the city's services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city's water billing and other payment systems remain offline, as well as most of the city's email and much of the government's phone systems.

… To top it off, unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore's citizens.
It's not like the city wasn't warned. Baltimore's information security manager warned of the need for such a policy during budget hearings last year. But the final budget did not include funds for that policy, nor did it include funding for expanded security training for city employees, or other strategic investments that were part of the mayor's strategic plan for the city's information technology infrastructure.
Will anyone listen? (Aside from Russia, et al.)

Poor Security Hygiene Found Across Almost All Political Parties in US, Europe
SecurityScorecard's latest report analyzes the visible security posture of leading U.S. political parties and those from ten EU countries.

… Four risk categories were examined during Q1, 2019. These were application security (including detectable vulnerabilities), DNS health (looking at DNS configurations), network security (including open ports and SSL certificate issues), and patching cadence (software updates and patching frequency).

Apart from examining individual parties, the report (PDF) also combines results by nation to provide a general view of national political security cadence.

… Overall, Sweden, followed by Northern Ireland, has the most secure political parties, according to SecurityScorecard. The U.S. scores fifth, while the UK is a lowly ninth out of eleven. France comes last.
Where will the liability lie?

Comcast is working on an in-home device to track people’s health
… The device will monitor people’s basic health metrics using ambient sensors, with a focus on whether someone is making frequent trips to the bathroom or spending more time than usual in bed. Comcast is also building tools for detecting falls, which are common and potentially fatal for seniors, the people said.

… Unlike most home speakers, the device won’t be positioned as a communications or assistant tool, and won’t be able to do things like search the web or turn lights on and off. But it will have a personality like Alexa and it will be able to make emergency phone calls in the case of a health event, the people said.

… In addition to developing new hardware, Comcast has been in talks with several large hospitals, including Rush in Chicago, said a person familiar with the conversation. The discussions with Comcast have centered around using the device to ensure that patients don’t end up back in the hospital after they’ve been discharged. Increasingly, hospitals are getting penalized by the federal government for failing to ensure that patients don’t end up right back in the emergency room, and are looking into tools to monitor patients remotely.
This is NOT new.

It’s Time to Combine Security Awareness and Privacy Awareness
… The security and privacy professions have always found kinship over a certain type of risk: the risks involved in securing the personal data that the organization gathers. Privacy pros recognize that part of their responsibility is to designate appropriately secure places to store data, and security pros recognize their responsibility in building and guarding these secure places.

But their risk domains diverge substantially after that: security folks are determined to resist attacks from a variety of malevolent outsiders, including cybercriminals, nation-state hackers, and hacktivists, and to ensure that employees do not expose the organization to these external dangers in the ways they store, transmit, and destroy data. In the security domain, the threats are largely external and they are imposed on the organization against its will. (Though of course, there are also risks posed by employees who through negligence, ignorance, malice, or inattention pose a threat.)

The threats faced by the privacy profession are quite different. Perhaps the greatest difference is that privacy risks are created by the business as it handles personal information in the conduct of its work; such risks are voluntarily chosen, not imposed by an outside actor. They are the risks that arise when you put complicated work in the hands of fallible humans, and very often they involve questions of ethics and judgment that can be genuinely complicated.
Perspective. Basic math?

Small loads from Internet-connected devices all add up
Our always-on devices turn out to consume a lot of power. Do I really need to connect my garage door to the Internet?

… It is a subject we have covered before on TreeHugger, where we have noted that every single little smart device has a small electrical drain to run its radio; I calculated that my Hue Smart Bulbs on my dining room table use more energy while they are off than while they are on, and they are not my only Smart devices. It all adds up quickly.

Lance Turner at Renew goes through the list of those little loads that we all have in our homes now, from modems and routers to range extenders, cordless phone base stations and alarm systems.
Why can’t my students be more like Wally? Oh wait, they are!