Wednesday, May 22, 2019

What if these attacks became much more common?
Baltimore ransomware nightmare could last weeks more, with big consequences
It's been nearly two weeks since the City of Baltimore's networks were shut down in response to a ransomware attack, and there's still no end in sight to the attack's impact. It may be weeks more before the city's services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city's water billing and other payment systems remain offline, as well as most of the city's email and much of the government's phone systems.
To top it off, unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore's citizens.
It's not like the city wasn't warned. Baltimore's information security manager warned of the need for such a policy during budget hearings last year. But the final budget did not include funds for that policy, nor did it include funding for expanded security training for city employees, or other strategic investments that were part of the mayor's strategic plan for the city's information technology infrastructure.

Will anyone listen? (Aside from Russia, et al.)
Poor Security Hygiene Found Across Almost All Political Parties in US, Europe
SecurityScorecard's latest report analyzes the visible security posture of leading U.S. political parties and those from ten EU countries.
… Four risk categories were examined during Q1, 2019. These were application security (including detectable vulnerabilities), DNS health (looking at DNS configurations), network security (including open ports and SSL certificate issues), and patching cadence (software updates and patching frequency).
Apart from examining individual parties, the report (PDF) also combines results by nation to provide a general view of national political security cadence.
Overall, Sweden, followed by Northern Ireland, has the most secure political parties, according to SecurityScorecard. The U.S. scores fifth, while the UK is a lowly ninth out of eleven. France comes last.

Where will the liability lie?
Comcast is working on an in-home device to track people’s health
The device will monitor people’s basic health metrics using ambient sensors, with a focus on whether someone is making frequent trips to the bathroom or spending more time than usual in bed. Comcast is also building tools for detecting falls, which are common and potentially fatal for seniors, the people said.
Unlike most home speakers, the device won’t be positioned as a communications or assistant tool, and won’t be able to do things like search the web or turn lights on and off. But it will have a personality like Alexa and it will be able to make emergency phone calls in the case of a health event, the people said.
In addition to developing new hardware, Comcast has been in talks with several large hospitals, including Rush in Chicago, said a person familiar with the conversation. The discussions with Comcast have centered around using the device to ensure that patients don’t end up back in the hospital after they’ve been discharged. Increasingly, hospitals are getting penalized by the federal government for failing to ensure that patients don’t end up right back in the emergency room, and are looking into tools to monitor patients remotely.

This is NOT new.
It’s Time to Combine Security Awareness and Privacy Awareness
The security and privacy professions have always found kinship over a certain type of risk: the risks involved in securing the personal data that the organization gathers. Privacy pros recognize that part of their responsibility is to designate appropriately secure places to store data, and security pros recognize their responsibility in building and guarding these secure places.
But their risk domains diverge substantially after that: security folks are determined to resist attacks from a variety of malevolent outsiders, including cybercriminals, nation-state hackers, and hacktivists, and to ensure that employees do not expose the organization to these external dangers in the ways they store, transmit, and destroy data. In the security domain, the threats are largely external and they are imposed on the organization against its will. (Though of course, there are also risks posed by employees who through negligence, ignorance, malice, or inattention pose a threat.)
The threats faced by the privacy profession are quite different. Perhaps the greatest difference is that privacy risks are created by the business as it handles personal information in the conduct of its work; such risks are voluntarily chosen, not imposed by an outside actor. They are the risks that arise when you put complicated work in the hands of fallible humans, and very often they involve questions of ethics and judgment that can be genuinely complicated.

Perspective. Basic math?
Small loads from Internet-connected devices all add up
Our always-on devices turn out to consume a lot of power. Do I really need to connect my garage door to the Internet?
It is a subject we have covered before on TreeHugger, where we have noted that every single little smart device has a small electrical drain to run its radio; I calculated that my Hue Smart Bulbs on my dining room table use more energy while they are off than while they are on, and they are not my only Smart devices. It all adds up quickly.
Lance Turner at Renew goes through the list of those little loads that we all have in our homes now, from modems and routers to range extenders, cordless phone base stations and alarm systems.

Why can’t my students be more like Wally? Oh wait, they are!