Friday, January 31, 2020


This is not Newton’s Third Law. For every force the reaction does not have to be equal, or in a direction we can predict.
If the US launches cyberattacks on Iran, retaliation could be a surprise
On the morning of Jan. 8, the Islamic Revolutionary Guards Corps fired 22 surface-to-surface missiles at two Iraqi airbases. If Americans had died, the Pentagon would have put in front of President Trump options for cyberattacks to disable Iran’s oil and gas sector.
Would the U.S. oil and gas industry have been ready for an Iranian cyber counterattack?
While Americans celebrated Thanksgiving, someone hit Iran with a massive cyberattack that disclosed 15 million Iranian bank debit card numbers on a social media site. On Dec. 11, Iran’s telecommunication minister admitted this was “very big” and that a nation-state carried it out.
Will U.S. banks and credit card companies be ready if Iran tries to hack the card numbers of millions of Americans?
The Trump Administration uses sanctions and cyberattacks as its go-to tools against Iran. U.S. officials have admitted twice on background to recent cyberattacks on Iran.
The implication that cyberattacks are somehow a safer response for the United States than kinetic attacks is dangerous. Iran will retaliate, and the cyber defenses of Iran’s likely targets in the United States are uneven. More needs to be done to prepare the American people for Iranian cyber retaliation.




A sophisticated twist on the classic “man in the middle.”
Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court
Each impacted party is claiming the other is responsible for not detecting the scam.
As reported by Bloomberg, London-based veteran art dealer Simon Dickinson and Rijksmuseum Twenthe were in the midst of negotiations over the acquisition of a valuable painting by John Constable, a 1700s-1800s landscape painter from England.
Conversations took place over email for months, and at some point during the talks, cybercriminals sent spoofed messages to the museum and persuaded Rijksmuseum Twenthe to transfer £2.4 million ($3.1 million) into a bank account from Hong Kong.
In the aftermath of the scam, both Simon Dickinson and Rijksmuseum Twenthe are claiming the other side is responsible.
A lawsuit has been launched at a London High Court. The museum, based in Enschede, the Netherlands, claims that the art dealer's negotiators were roped into some of the spoof emails, and yet did not spot the scam.
The museum's lawyer has argued that this silence should be considered "implied representation," according to the publication.
In response, Simon Dickinson says that the dealer did not detect the presence of the eavesdropper and the museum should have double-checked the bank details before transferring any cash.
Each side is also accusing the other of being the source of the theft by allowing their systems to be compromised in the first place.




Patch. Not even the big boys get it right every time.
Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’
Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, “a perfect 10.0,” Balmas says, referring to the CVE score on Microsoft’s disclosure in October. “It’s huge—I can’t even start to describe how big it is.” The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.
There was no detail when Microsoft patched the flaw, just a short explainer.




For those (and I’m talking to you lawyers in particular) who thought there was no need to encrypt your email…
Ray Schultz reports:
A privacy bill that addresses email only has been introduced in the Oklahoma State Legislature.
House Bill 2810, the so-called Oklahoma Email Communication Content Privacy Protection Act, would prohibit email service providers from scanning subject lines or the body of any email communication sent to its users, and from letting any other entity do so.
Read more on MediaPost.




This week I will teach my students to generate public/private RSA keys, with no backdoor. Will I get a visit from the FBI?
Todd Feathers reports:
The US government is once again reviving its campaign against strong encryption, demanding that tech companies build backdoors into smartphones and give law enforcement easy, universal access to the data inside them.
At least two companies that sell phone-cracking tools to agencies like the FBI have proven they can defeat encryption and security measures on some of the most advanced phones on the market. And a series of recent tests conducted by the National Institute of Standards and Technology (NIST) reveal that, while there remain a number of blind spots, the purveyors of these tools have become experts at reverse engineering smartphones in order to extract troves of information off the devices and the apps installed on them.
Read more on Vice.




The argument continues.
Why We Should Ban Facial Recognition Technology




The job my students face keeps growing. Something they have noticed.
Data Classification: Not Just for CISOs Anymore
Data classification has always been regarded as a foundational element of any viable data security strategy. After all, most organizations are creating, utilizing and storing more potentially sensitive data than ever before.
The emergence of compliance guidelines and data privacy mandates, such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), puts data classification front and center. The necessity of classifying data has grown as organizations must ensure their data is compliant and protected.
At the same time, data classification is proving to have equally valuable implications for corporate privacy initiatives. Because of this, some elements of data classification are moving beyond the realm of the Chief Information Security Officer (CISO) to involve the Chief Privacy Officer (CPO), who is beginning to shoulder more of this responsibility.
These security stakeholders come from different backgrounds and places on the organization chart, yet both bring important perspectives. Rather than engage in meaningless turf wars, savvy CPOs and CISOs increasingly are forming strategic partnerships to elevate data security throughout organizations. It may take time for elements of the new CISO-CPO paradigm to jell, but the common rallying point is a shared reason for being: Safeguarding the organization’s employees, brand and image.




One example – insurance claims.
What’s the Big Deal about Privacy?
With the rapid expansion of technology entering every field of business, manufacturers and service providers are being presented with previously unconsidered opportunities to reap value from the reuse and repurpose of data initially collected and harvested for other reasons. Learned intelligence through artificial intelligence (AI) systems provides value for the processor not previously realized or recognized in transactions. This is particularly true when considering how AI companies that work with insurers to optimize their claims processing are left with a valuable resource after the data collection is complete. This article addresses how the value of a neural network has been ignored and should be considered when an insurer considers outsourcing its claims processing.¹




Perspective.
Emerging Trends: What to Expect From Privacy Laws in 2020


