These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Should someone be fired for a cyber breach? And if so, who?
- An FBI-Proof iPhone May Be In The Works
- FBI is developing software to sort, track and profile citizens by their tattoos
- Dropbox Smeared in Week of Megabreaches
- Your WordPress and Drupal installs are probably obsolete
- UK Home Sec makes concessions to please Snoopers’ Charter opposition
- Why the World Is Drawing Battle Lines Against American Tech Giants
- DFW Airport Is Going to Start Tracking Your Phone, But Not for the Reason You’d Think
- Millennials would rather share a toothbrush than their smartphone
Should someone be fired for a cyber breach? And if so, who?
The direct, obvious answers would be: yes, and the person or persons ultimately accountable for the failing information security posture, training and/or processes and procedures. Unfortunately the real answer is not that straightforward, and an answer such as “it depends” would better fit the situation.
It is clear, however, that with spear phishing attacks on the rise, cyber criminals take enough time to make sure they know the organisation and possibly who is responsible and accountable for which processes. In the end only awareness training may help, but as a final stopgap measure correct processes and a four-eye principle for approving transactions are needed. Although I must admit that in some cases even that may not work, in which case awareness is the final barrier of defence left.
source: IT World Canada (external link)
Partially proving my point, and adding a more open and transparent company culture to the mix, is this related article from Infosecurity Magazine (external link).
An FBI-Proof iPhone May Be In The Works
That is, if the US government doesn’t decide to ban such forms of encryption unless there is a backdoor present for law enforcement. Then again, if such devices have become commonplace in the international market, it would look very stupid to come up with such laws in the first place, now wouldn’t it?
Anyway, in the ongoing battle between lazy law enforcement agencies and a certain tech company bound to protect us citizens against over-eager agencies and cyber criminals alike, this will be an interesting move towards the end-game in this chess match, with far-reaching consequences if Apple loses.
source: ThinkProgress (external link)
FBI is developing software to sort, track and profile citizens by their tattoos
So if you can’t crack the encryption on a phone, let’s find something else to categorise the public into groups, sub-groups and other divisions. Apparently some people think that dividing the public by racial or ethnic standards isn’t enough yet, and so tattoos are thrown into the mix as well.
And with this bit of news in mind, across the pond they are still wondering why we don’t want their Privacy Shield? Interesting.
source: The Next Web (external link)
That’s not to say European law enforcement agencies are the pinnacle of privacy correctness, by the way. Probably on the contrary, but it still makes you wonder.
Dropbox Smeared in Week of Megabreaches
Okay, so that one breach of Dropbox is bogus, at least it’s bogus now. This one, like the LinkedIn one I spoke about two weeks ago, stems from an old breach. What this does show, however, is that seemingly small incidents can have far-reaching consequences, even several years later.
The password advice given in this article is sound advice and should indeed be followed up. If you need assistance in assessing and improving the password policies and procedures within your company, don’t hesitate to contact me.
source: Krebs on Security (external link)
Your WordPress and Drupal installs are probably obsolete
Research reckons Mossack Fonseca hack may have been thanks to CMS vulns
In the days when I still did a lot of penetration testing, outdated software versions and a lack of patch management were almost always findings you could write down in your final report. Even worse, you could do that even before testing had started and use the test only to validate that assumption. So to me this bit of news is no real surprise. Even if the CMSs were supported by central IT, this would be something to watch.
source: the Register (external link)
UK Home Sec makes concessions to please Snoopers’ Charter opposition
Just as Human Rights Joint Committee report lands
Last week I wrote about the Snoopers’ Charter with a link explaining why the entire bill “is wrong”. Apparently some amendments are proposed, but the question will remain whether they are good enough. Or, even more fundamentally, whether such broad snooping powers won’t go against European privacy laws (e.g. the GDPR coming into force in the summer of 2018) or even article 8 of the European Charter of Human Rights. The latter will still be in effect for the UK even after a Brexit. The same may hold for the GDPR, but only if the UK wants to stay within the EEA (European Economic Area).
source: the Register (external link)
Why the World Is Drawing Battle Lines Against American Tech Giants
The fragmentation between countries and the ever-growing reach of big tech companies make it even more disturbing that on the one hand governments are trying to protect us from these companies, whilst on the other hand one of them, Apple, is trying to do the exact opposite in the field of personal data protection (otherwise known as privacy).
The way the American intelligence agencies operate isn’t helping matters either.
But as can be read in this El Reg article, “Google is the EU Remain campaign’s secret weapon (external link)”, these tech giants may have other unwanted and maybe unethical powers that we really want to watch out for.
source: The New York Times (external link)
DFW Airport Is Going to Start Tracking Your Phone, But Not for the Reason You’d Think
Another nice example of “big data”, I suppose. Whilst on the whole the idea seems very helpful, the question will remain how anonymous that tracking really is. It isn’t hard to combine this location information with metadata on what you are using the wireless network for, which tickets are booked under what name and which devices are seen in which queues. Over time a profiling effort may very well tell more about your device than just its location and how long it is in a particular queue or not.
Now this may not be the initial goal of the airport or the company providing the service, but it only takes one clever person to think this up in an effort to make more money for it to become reality sooner rather than later.
source: Mic Network Inc. (external link)
Millennials would rather share a toothbrush than their smartphone
After you have read this article it is no wonder that law enforcement agencies want access to the body extension we still call a mobile phone. Though we all know that using it as a phone is something we seem to do less and less these days. So it’s not surprising that privacy efforts are focused on these devices and the personal data they hold as well.
For a business, the use of people’s private phones for, say, two-factor authentication or reading company mail is becoming more and more a struggle over where the private part of the private phone ends and the business usage starts. It’s a dilemma most companies either are already facing or may face in the future. Are you facing this now and do you want help with the security and privacy aspects of this dilemma? Please do contact me.
source: The Blue (external link)