These are the noteworthy stories, in no particular order, that piqued my interest last week.
- How Facebook Warps Our Worlds
- Top Websites Using Audio Fingerprinting to Secretly Track Web Users
- Anonymity is not Just for Criminals – 3 legit Reasons to Hide your Tracks Online
- Why the UK government’s latest Snoopers’ Charter bid is wrong
- Analysis: Japanese ATM super-raiders bag £9m in 3 hours
- SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts
- FCC swivels to online privacy, gets bitten in the ass by net neutrality
- Why America still controls its nukes with ancient floppy disks
- Armed FBI agents raid home of researcher who found unsecured patient data
How Facebook Warps Our Worlds
However much privacy professionals may criticise Facebook and others for their blatant breaches of our privacy (views I share), this article is not about that topic; it may not even be about privacy or information security for that matter (although it does give a nice insight into how awareness training could be improved).
It does however hold up a very nice mirror to how we humans work, and to how Facebook and others actually thrive on our tendency towards conformity and our human inclination to seek reinforcement of our beliefs and ideas instead of questioning them and coming up with new ideas and insights. What this means for your personal habits I leave as an open question.
source: New York Times (external link)
Top Websites Using Audio Fingerprinting to Secretly Track Web Users
Yes indeed, more technology to track you online. The more we use technologies like ad-blockers to limit the ability of companies like Google, Facebook (which is going to distribute ads to non-FB websites as well) and other large advertising networks to profile us, the sneakier and more intrusive their methods will become in order to still track and profile us.
It seems that with every new method it gets more and more difficult to do anything private online without either a government or a privately held advertising giant knowing about it. This in my opinion is getting worse than even George Orwell could have foreseen in his book 1984.
source: The Hacker News (external link)
Anonymity is not Just for Criminals – 3 legit Reasons to Hide your Tracks Online
Although I agree with this article (it won’t give you the reasons for wanting to be anonymous online, btw), VPN solutions like F-Secure’s only shift the problem and the possible threat to the company providing the VPN service. As F-Secure is a security company with a good public privacy attitude, I wouldn’t hesitate to use their service for masking my internet activities.
But who’s to say that all VPN providers on the net are similarly interested in protecting our privacy? They could secretly make a lot of money by selling your VPN data to advertising companies. Yes, at the VPN endpoint you are not anonymous.
source: F-Secure Safe and Savvy blog (external link)
Why the UK government’s latest Snoopers’ Charter bid is wrong
Interesting article and an even more interesting view on the intelligence agencies in a country that, at least for now, is part of the European Union. This Snoopers’ Charter goes even further than current US practices (as far as we are aware of them) and may do to encryption what the Americans are trying to do, while extending its scope beyond their own country and jurisdiction.
However, the UK and US are certainly not the only countries that try to broaden the scope of surveillance laws and data-grabbing powers to give us a false sense of safety and security against whatever threats are facing our western lifestyle. The EU, which the Brits may leave at the end of next month, has its own way of violating article 8 of the ECHR by storing all passenger data of all flights into, out of and inside Europe in one bulk data-grabbing database. Interestingly enough, the law that made this possible was passed through the European Parliament at the same time as the new European privacy laws (GDPR), laws that from 2018 give EU citizens more control over their own data, except, it seems, for our aviation passenger data.
source: Ars Technica UK (external link)
Analysis: Japanese ATM super-raiders bag £9m in 3 hours
Impressive. Couple this with the fact that the international payment network is only now thinking about 21st century security and you may understand why this hack of one South African bank using Japanese ATMs may have more and further-reaching consequences than both incidents separately.
Combining the two stories is pure speculation obviously, but as the article itself also asks: how is it possible to cash out so much money in such a short period of time from one large financial institution? I will add to this: are those transactions also going through the SWIFT international banking system?
source: SCMagazine UK (external link)
SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts
Better late than never
Paperwork, more paperwork and even more paperwork. Very typical for an organisation still living in the previous century, it seems. Will this make the payment system actually more secure? Only time will tell, and I mean that in two ways: first, will this be enough to actually better secure SWIFT’s systems, and secondly, this isn’t done overnight and may take at least a year or more to be fully implemented.
Unfortunately this is another case of patching security on afterwards instead of designing it in from the start, always a difficult and painful exercise that takes time and resources, but above all senior management sponsorship.
source: The Register (external link)
FCC swivels to online privacy, gets bitten in the ass by net neutrality
Has America’s telecom regulator finally pushed its luck too far?
The answer to that question is certainly yes: the FCC is indeed overstepping its authority and, if not that, its expertise for sure. Internet service providers do indeed have less insight into users’ surfing habits than, say, Facebook or Google (unless they play with super cookies etc.).
One thing noted in this article, which may in the end partially become true, is the notion that an IP address is similar to a telephone number. With IP version 6 and the fact that in most cases the hardware address of your device becomes part of your IP address on whatever network you reside, it may come very close to that similarity: close, but not synonymous.
source: The Register (external link)
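The IPv6 point above is worth seeing concretely. The added example below (not from the article or the original post) shows how SLAAC without privacy extensions builds an address from a /64 prefix and a device MAC via the modified EUI-64 rule (insert ff:fe, flip the universal/local bit), and the reverse check a defender can run over their own addresses to see whether a MAC is exposed. The MAC, the prefix and the privacy-extension address are constructed sample values.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> str:
    """Modified EUI-64 interface identifier (low 64 bits) derived from a 48-bit MAC.
    RFC 4291 Appendix A: split the MAC in two, insert ff:fe in the middle,
    then flip the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the U/L bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return iid.hex()


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does
    when privacy extensions (RFC 4941) are not in use."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid_int = int(mac_to_eui64_iid(mac), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid_int))


def embedded_mac(addr: str) -> Optional[str]:
    """Defender-side check: if the address carries a modified EUI-64 identifier
    (ff:fe in the middle of the low 64 bits), recover and return the MAC it
    exposes; return None for addresses that do not embed one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    mac = "00:1b:21:3c:4d:5e"
    addr = slaac_address("2001:db8:1:2::/64", mac)
    print(addr, "->", embedded_mac(addr))          # MAC recoverable from the address
    print(embedded_mac("2001:db8:1:2:9c5a:1b2e:7f41:ab03"))  # privacy-extension style: None
```

Running embedded_mac over the addresses on your own hosts is a quick way to tell whether they are still handing out the hardware address the article alludes to.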
Why America still controls its nukes with ancient floppy disks
Okay, the US Department of Defense may be archaic in its use of floppy disks, but I for one don’t blame them for doing so.
And yes, this may indeed well be the most secure way of still doing it whilst at the same time having the benefits of some digital systems and data transfers. If you really want to play it safe, then typewriters may be a better alternative still (something the Russian government seems to have agreed with after the Snowden revelations).
Keeping things off the internet however doesn’t necessarily make them 100% secure, as the Stuxnet hack of an Iranian nuclear facility back in 2010 has shown all too clearly. That is not a reason to connect everything to the internet though, certainly not systems that are not designed to be interconnected or properly protected.
source: SMH (external link)
Armed FBI agents raid home of researcher who found unsecured patient data
And finally the shocker of this week, one that really calls into question how companies are handling sensitive data (yes, this is a form of handling, but not the one I would advise).
You find a server with unsecured medical records, you report it and make sure it is fully secured, and only then do you publish what you have found. Apparently even that can lead to a house raid, arrest and who knows what else. Because of what? Well, maybe only because the parent company of the company that failed to properly handle sensitive data is trying to gag you for publishing its inability to handle such data.
Either of two things may happen next time if these kinds of idiotic responses continue: security researchers will no longer notify a company and will keep quiet, or they will rip all the data and post it to the open internet for all to see, but in such a way that they themselves can’t be traced. Is that really the world of responsible disclosure companies want?
source: Ars Technica (external link)