Increasing the awareness of state actors so when we do retaliate it won’t come as a total surprise?
https://therecord.media/cyber-command-ties-hacking-group-to-iranian-intelligence/
Cyber Command ties hacking group to Iranian intelligence
U.S. Cyber Command on Wednesday revealed that a hacking group reputed for its cyberespionage campaigns is actually part of Iran’s intelligence apparatus.
The group, known as MuddyWater, is a subordinate element within the Iranian Ministry of Intelligence and Security, the command’s Cyber National Mission Force announced.
The claim marked the first time the U.S. government has publicly linked the prolific threat actor — whose targets have ranged from academia and the tourism industry to government and telecommunications operators — to Tehran’s regime.
Any relation to yesterday’s shutdown of a New Mexico prison? (The article says no.)
https://www.databreaches.net/schools-out-as-cyberattack-forces-albuquerque-public-schools-to-cancel-classes/
School’s out as cyberattack forces Albuquerque Public Schools to cancel classes
Olivier Uytterbrouck and Jessica Dyer report:
A cyberattack against Albuquerque Public Schools prompted the state’s largest district to cancel all classes districtwide on Thursday and possibly Friday.
APS Superintendent Scott Elder said the attack was discovered Wednesday morning “when teachers tried to log onto our student information system and were unable to gain access to the site.”
Read more at Albuquerque Journal.
Not uncommon. If this was not a government agency, heads would be rolling!
https://www.databreaches.net/south-african-justice-department-clueless-about-hacked-data/
South African justice department clueless about hacked data
It’s not exactly the headline you’d want for your agency, but that’s what MyBroadband came up with for this report by Myles Illidge:
The Department of Justice and Constitutional Development (DoJ&CD) has no idea whether any data was stolen during a ransomware attack on its systems in September 2021.
“The Department cannot tell with certainty as to what happened to the compromised information,” justice minister Ronald Lamola said in response to written questions from the DA’s Glynnis Breytenbach.
“As at 1 December 2021, the analysis and/or forensic investigation is still inconclusive in terms of the exact nature of the information that was sent outside of the Department as part of the breach,” Lamola stated.
Read more at MyBroadband.
The more of the report I read, the more accurate the headline actually sounds. The government did not try to decrypt the encrypted files because they did not have the decryption key. It is not clear if they ever reached out to NoMoreRansomware to see if there was any help to be had, but they report that they were able to restore from backups anyway.
Does anyone know who the threat actors were or the type of ransomware in this case?
(Related) Wouldn’t you like to have some indication of who was accessing your data? I was producing a report like that back in the 1990s.
https://www.databreaches.net/hackers-raided-panasonic-server-for-months-stealing-personal-data-of-job-seekers/
Hackers Raided Panasonic Server for Months, Stealing Personal Data of Job Seekers
Graham Cluley writes:
Tech giant Panasonic has confirmed that one of its servers suffered a data breach which saw the personal information of job applicants accessed by an unauthorised party.
The security breach, which saw hackers illegally access a Panasonic file server located in Japan via an overseas subsidiary, began on June 22 2021, and only ended on November 3 2021.
Read more at Bitdefender.
(Related) How about a report that shows who created files? Would you notice someone who did not work for your organization?
https://www.databreaches.net/the-ripta-data-breach-may-provide-valuable-lessons-about-data-collection-and-retention/
The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention
Joseph J. Lazzarotti of JacksonLewis writes:
Efforts to secure systems and data from a cyberattack often focus on measures such as multifactor authentication (MFA), endpoint monitoring solutions, antivirus protections, and role-based access management controls, and for good reason. But there is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.
In December 2021, RIPTA sent notification of a data breach to several thousand individuals who were not RIPTA employees. Reports of the incident prompted inquiries from a state Senator in Rhode Island, Louis P. DiPalma, and union officials who represented the affected individuals. According to Rhode Island’s Department of Administration (DOA), a forensic analysis conducted in connection with the incident indicates the affected files included health plan billing records pertaining to State of Rhode Island employees, not RIPTA employees. The DOA goes on to state that:
[s]tate employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the state’s health plan billing.
Read more at Workplace Privacy, Data Management & Security Report.
How would you identify eligible young people without getting personal?
https://www.pogowasright.org/uk-scotland-young-persons-free-bus-travel-scheme-is-it-your-papers-please-time/
UK: Scotland young persons’ free bus travel scheme — is it “Your papers, please!” time?
Katie Williams reports:
Anyone under 22 can now apply for free bus travel.
The Free Bus Travel Scheme will come into force on January 31 and allow young people to travel on buses for free.
However, people have taken to social media to express their frustration after users claimed the website kept crashing.
Others have criticised the online application process, which also requires scanning the applicant’s face and could be a potential barrier.
Read more at Edinburgh Live.
As The Times reports in related coverage:
Applying under the new young persons’ free bus travel scheme has led to complaints about having to supply biometric face scans, as well as images of passports and birth certificates.
(Related) Identity via your phone? Another avenue to paperless?
https://techcrunch.com/2022/01/12/merit-grabs-50m-series-b-to-expand-digital-credentials-platform/
Merit grabs $50M Series B to expand digital credentials platform
When we think about identity in the digital world, it usually involves a username and password, but Merit (originally called Sigma) wants to help governments issue digital credentials that link back to a government license database with the goal of bringing an end to flimsy paper cards.
… A driver’s license is proof that the state gives you the right to drive, but one that is delivered in the analog form of a plastic card. Merit wants to change that by moving these credentials into the digital realm and linking them to a government database.
Another challenge for Google?
https://techcrunch.com/2022/01/12/austrian-dpa-schrems-ii/
In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR
A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.
The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.
In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.
Consequently, the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.
Can you think of a reason not to use the free parts of these tools? Share with students and clients?
https://www.pcworld.com/article/553284/5-free-privacy-tools-for-protecting-your-personal-data.html
5 free privacy tools for protecting your personal data
Ideally, protecting your privacy shouldn’t require hours of time or gobs of money. Instead of having to meticulously manage all the personal data that’s floating around on the internet, you should be able to minimize data collection automatically or proactively. If you value privacy like I do, you’ll want to check out the following apps and tools. While some have premium versions for certain features, all of them are free to use:
(Related)
https://www.cpomagazine.com/data-privacy/us-government-issues-warning-on-spyware-for-hire-commercial-surveillance-tools/
US Government Issues Warning on “Spyware for Hire” Commercial Surveillance Tools
…
The spyware warning, issued by the National Counterintelligence and Security Center, did not name any specific surveillance tools (in spite of the Biden administration’s previous blacklist actions against NSO Group and several other similar services). But it does specify that the tools are being sold to foreign governments and other entities that have used them to track the movements and communications of dissidents and journalists, and that mobile devices can be infected without the target having to take any action.
The notice also warns about the extensive capabilities that have been seen with the Pegasus spyware: the ability to access and exfiltrate “virtually all content” from a device, and to surreptitiously record audio. Among other things, the notice advises that device cameras be covered up and that geo-location be disabled.
Practice where the laws are more surveillance friendly?
https://gizmodo.com/the-fbis-honeypot-phones-were-more-widely-distributed-i-1848345566
The FBI's Honeypot Phones Were More Widely Distributed in the U.S. Than Previously Thought
… During “Operation Trojan Shield,” the feds used a secret relationship with an encrypted phone company, called Anom, which sold devices exclusively to career criminals looking for a secure way to communicate with one another. The product’s developer, who had previously been busted for drug trafficking, agreed to act as a high-level federal informant and for at least two years sold devices to criminals while also secretly cooperating with authorities. Meanwhile the FBI, along with its international partners, intercepted all of the communications, which allowed them to capture evidence of widespread criminal malfeasance on a global scale.
… But there was one place that didn’t see any arrests, and that’s the United States. Due to legal issues, the FBI precluded surveillance of American users of the backdoored devices, apparently because they were concerned that the operation technically violated U.S. laws and threatened civil liberties—specifically the Fourth Amendment, which prohibits police search and seizure without a warrant. While a court filing revealed that at least 15 people located in the U.S. were known users of the trojanized devices, these individuals were said to have been geofenced by authorities conducting surveillance—meaning they were left out of the investigation.
It works both ways…
https://www.bespacific.com/law-enforcement-and-technology-using-social-media/
Law Enforcement and Technology: Using Social Media
CRS Report – Law Enforcement and Technology: Using Social Media, January 11, 2022: “As the ways in which individuals interact continue to evolve, social media has had an increasing role in facilitating communication and the sharing of content online—including moderated and unmoderated, user-generated content. Over 70% of U.S. adults are estimated to have used social media in 2021. Law enforcement has also turned to social media to help in its operations. Broadly, law enforcement relies on social media as a tool for information sharing as well as for gathering information to assist in investigations…”
[From the paper: There are no federal laws that specifically govern law enforcement agencies’ use of information obtained from social media sites, but their ability to obtain or use certain information may be influenced by social media companies’ policies as well as law enforcement agencies’ own social media policies and the rules of criminal procedure.]
Someone has been thinking about AI.
https://www.climate-kic.org/in-detail/artificial-intelligence-business-models-and-taxonomy-in-europe/
Artificial intelligence business models and taxonomy in Europe
With its ability to drive productivity and economic development, artificial intelligence (AI) is already having a huge impact on our lives. But what are the AI business models in Europe? What AI landscape exists across Europe? What is AI’s impact in several sectors and on climate? And how do we talk about AI in the European AI Ecosystem?
… The first-mentioned report “Emerging AI and Data Driven Business Models in Europe” is taking stock of the state of AI in the KICs’ innovation, education and business creation ecosystems. In summary, this report contains the results of surveys and a desk research study including:
https://ai.eitcommunity.eu/assets/docs/EIT-UrbanMobility-Emerging-AI-and-Data-Driven-Business-Models-in-Europe.pdf
… The “Creation of a Taxonomy for the European AI Ecosystem” report addresses the risk of losing oversight and efficiency in several AI activities, reports and the AI landscape. 35 existing frameworks have been scanned and analysed. The developed AI taxonomy is compatible with existing ones as long as they haven’t used incorrect or inconsistent clusters or categories.
https://ai.eitcommunity.eu/assets/docs/EIT-ClimateKIC-Creation-of-a-taxonomy-for-the-European-AI-ecosystem.pdf
(Related)
https://www.brookings.edu/blog/techtank/2022/01/12/how-countries-are-leveraging-computing-power-to-achieve-their-national-artificial-intelligence-strategies/
How countries are leveraging computing power to achieve their national artificial intelligence strategies
…
As such, much of the development of AI is predicated on two pillars: technologies and human capital availability. Our prior reports for Brookings, “How different countries view artificial intelligence” and “Analyzing artificial intelligence plans in 34 countries,” detailed how countries are approaching national AI plans, and how to interpret those plans. In a follow-up piece, “Winners and losers in the fulfillment of national artificial intelligence aspirations,” we discussed how different countries were fulfilling their aspirations along technology-oriented and people-oriented dimensions. In our most recent post, “The people dilemma: How human capital is driving or constraining the achievement of national AI strategies,” we discussed the people dimension and so, in this piece, we will examine how each country is prepared to meet their AI objectives in the second pillar—the technology dimension.
Helpful, but I’m still not sure I understand the “new” definitions of anti-trust.
https://www.makeuseof.com/monopoly-or-market-leader/
Monopoly or Market Leader: Looking Into Today's Biggest Companies
You'd be surprised how frequently people throw around the term "monopoly" for companies like Google, Facebook, and Amazon.
However, none of these companies are monopolies. So, let's tackle some common misconceptions and figure out what a monopoly is and whether it matches your idea of it.
To constitute a monopoly, a company has to dominate its market and become the only option for its consumers. As per the definition, an "absence of competition" is a must.