2016-07-12 by Drs. Andor Demarteau

The niner noteworthy stories of 2016 (week 27)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

  • Ruling against data transfer regime may cost Europe €143bn a year, says Facebook
  • Data Protection Commissioner Helen Dixon accuses lawyers of ‘digital ambulance chasing’
  • Apple joins wide array of tech companies in fight to kill EU’s ‘Cookie Law’
  • Flaws in Free SSL Tool Allowed Attackers to Get SSL Certificates for Any Domain
  • New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected
  • SECURING A TRAVEL IPHONE
  • PCI-DSS Compliance: Are CEOs Buying In?
  • Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats
  • What fraudsters hope you’ll post online about your identity

Ruling against data transfer regime may cost Europe €143bn a year, says Facebook

So this apparently is an estimate of the price we Europeans need to pay for our privacy and against US mass-surveillance practices, at least according to Facebook. This story is a follow-up of one I wrote about three weeks ago, and one that will have its possible climax later this year. IF the CJEU rules that standard contractual clauses are indeed invalid in this perspective, specifically for data transfers to the US, this will have far-reaching implications. Whether they go as far as the amount suggested in this week's article remains to be seen.
source: the Irish Times (external link)

Data Protection Commissioner Helen Dixon accuses lawyers of ‘digital ambulance chasing’

So on the one hand the Irish DPA is tied up in court cases on big tech companies and the adequacy of American privacy protection; on the other, her organisation is flooded with all kinds of low- or non-impact cases. However, almost two months ago the courts ruled on the first bit, and Ms. Dixon's agency got a slap on the wrist for not doing its job properly. Interesting.
source: the Irish Times (external link)

Apple joins wide array of tech companies in fight to kill EU’s ‘Cookie Law’

Is Apple losing it on its widely marketed promise of protecting its customers' privacy? And how will this play out with their current strive for “differential” privacy, which by definition, at least in wording, looks less than full privacy protection? What is Apple doing in the company of some others on this list that are known privacy violators in the first place?
Apart from these questions, the article states that the E-Privacy directive came into force in 2012. Whilst correct for the current version of the directive, the first edition is from 2001 and holds the 2001/56/EC code. Next to this, I believe this directive should actually become a regulation, either part of or separate from but complementary to the GDPR.
source: AppleInsider (external link)

Flaws in Free SSL Tool Allowed Attackers to Get SSL Certificates for Any Domain

Whilst the reported bugs and vulnerabilities are pretty severe, if partially tricky to really exploit, there is one small thing in this article that caught my attention. Why is this service handing out EV (extended validation) certificates, apparently without all the usual offline identity and document checks?
source: Softpedia (external link)

New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected

Mac malware, just like the popularity of Apple hardware, is on the rise, and there is nothing too surprising about it. And yes, I know there is a way to install non-signed software without deactivating Gatekeeper within macOS (or OS X, as it is still called with the current version).
People who still think security tools and anti-virus/anti-malware software are not required on an Apple computer? Think again.
source: AppleInsider (external link)

SECURING A TRAVEL IPHONE

Some of these tips go way beyond the regular threats you may face in daily usage. However, specifically in some countries, this list may indeed come in very handy.
As for the chat app suggestions, I think the Threema app may even hold better security than Signal or WhatsApp. The main reason for this is that you can create and later delete your Threema identity, and you don't need a phone number, public or otherwise, to register at all.
If you are really paranoid, I suggest trying to create a way to forward your mail messages as attachments using the Threema gateway system. Yes, all of that costs money, and you need to implement the Threema gateway yourself on your mail system to be able to do this, but it may be worth the effort as opposed to trusting everyone you communicate with not to send you confidential information, as you have instructed them to do.
source: Filippo.io (external link)

PCI-DSS Compliance: Are CEOs Buying In?

Is C-level really buying in? Are they really understanding what the threat models are? Or does the C mostly stand for compliance rather than something else? Whilst standards like these give a general idea on how to implement information security and risk management within your organisation, how security actually is embedded is an entirely different matter.
In my opinion these standards are good as a measuring stick to gauge levels of compliance after, and only after, you have looked at your own business processes, assessed possible risks and your risk appetite, and have designed and implemented the required mitigation strategies. Then, and only then, should compliance with laws, regulations and standards like these come into full focus. Obviously you need to look at them before that, but don't take them at face value and blindly start implementing them, because you may still end up on that front page with a massive data leak.
source: Information Security Media Group, Corp. (external link)

Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats

I wonder if this will be more than just talking about it, and broader than just cyber security, encompassing the entire field of information security. Cyber is too much of a buzzword and, more often than not, used as a lame excuse by organisations that misuse it to duck their responsibility for adequately protecting their company data assets. Although it's good to see a more general approach being taken as part of the digital single market initiative, it remains to be seen if the Commission's expectations of investments by other players will take shape at all.
source: European Commission (external link)

What fraudsters hope you’ll post online about your identity

If you are an epic social media user and totally unaware of what identity theft is or how to prevent it, by all means read this article very carefully. Chances are that if you are reading this, that is probably not the case, though this link may be worth sharing with your friends and colleagues who don't read security and privacy related articles.
Sometimes, and not specifically on social media, you can't help but post personal data online or on semi-public documents like bills and receipts. Specifically, the Dutch government is very good at ignoring the advice on social security numbers given in this article. So if you know somebody within the Dutch government, specifically in the Ministry of Finance or the tax authority, please be my guest and point them to this article and my comment on it, by very cautiously mentioning it may be worth reading for them as it is closely related to the Dutch social security number and its VAT number scheme for certain types of companies.
source: BBC Newsbeat (external link)

Filed Under: Noteworthy Series Tagged With: InfoSec, Privacy
