These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Ruling against data transfer regime may cost Europe €143bn a year, says Facebook
- Data Protection Commissioner Helen Dixon accuses lawyers of ‘digital ambulance chasing’
- Apple joins wide array of tech companies in fight to kill EU’s ‘Cookie Law’
- Flaws in Free SSL Tool Allowed Attackers to Get SSL Certificates for Any Domain
- New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected
- Securing a travel iPhone
- PCI-DSS Compliance: Are CEOs Buying In?
- Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats
- What fraudsters hope you’ll post online about your identity
Ruling against data transfer regime may cost Europe €143bn a year, says Facebook
So this apparently is an estimate of the price we Europeans need to pay for our privacy and for standing against US mass-surveillance practices, at least according to Facebook. This story is a follow-up of one I wrote about three weeks ago, and one that will probably reach its climax later this year. If the CJEU rules that standard contractual clauses are indeed invalid in this respect, specifically for data transfers to the US, this will have far-reaching implications. Whether the consequences go as far as the amount suggested in this week’s article remains to be seen.
source: the Irish Times (external link)
Data Protection Commissioner Helen Dixon accuses lawyers of ‘digital ambulance chasing’
So on the one hand the Irish DPA is tied up in court cases on big tech companies and the adequacy of American privacy protection; on the other hand her organisation is flooded with all kinds of low-impact or no-impact cases. However, almost two months ago the courts ruled on the first point and gave Ms. Dixon’s agency a slap on the wrist for not doing its job properly. Interesting.
source: the Irish Times (external link)
Apple joins wide array of tech companies in fight to kill EU’s ‘Cookie Law’
Is Apple losing it on its widely marketed promise of protecting its customers’ privacy? And how will this play out with their current push for “differential” privacy, which by definition, or at least in wording, looks like less than full privacy protection? And what is Apple doing in the company of some others on this list that are known privacy violators in the first place?
Apart from these questions, the article states that the E-Privacy directive came into force in 2012. Whilst correct for the current version of the directive, the first edition is from 2001 and holds the 2001/56/EC code. Besides this, I believe this directive should actually become a regulation, either part of, or separate from but complementary to, the GDPR.
source: AppleInsider (external link)
Flaws in Free SSL Tool Allowed Attackers to Get SSL Certificates for Any Domain
Whilst the reported bugs and vulnerabilities are pretty severe, although partially tricky to really exploit, there is one small thing in this article that caught my attention. Why is this service handing out EV (extended validation) certificates apparently without all the usual offline identity and document checks?
source: Softpedia (external link)
New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected
Mac malware, just like the popularity of Apple hardware, is on the rise and there is nothing too surprising about it. And yes, I know, there is a way to install unsigned software without deactivating Gatekeeper within macOS (or OS X, as it is still called in the current version).
People who still think security tools and anti-virus/anti-malware software are not required on an Apple computer? Think again.
source: AppleInsider (external link)
Securing a travel iPhone
Some of these tips go way beyond the regular threats you may face in daily usage. However, specifically in some countries, this list may indeed come in very handy.
As for the chat app suggestions, I think the Threema app may even offer better security than Signal or WhatsApp. The main reason for this is that you can create and later delete your Threema identity, and you don’t need a phone number, public or otherwise, to register at all.
If you are really paranoid, I suggest trying to create a way to forward your mail messages as attachments using the Threema gateway system. Yes, all of that costs money and you need to implement the Threema gateway yourself on your mail system to be able to do this, but it may be worth the effort as opposed to trusting everyone you communicate with not to send you confidential information, as you have instructed them.
source: Filippo.io (external link)
PCI-DSS Compliance: Are CEOs Buying In?
Is C-level really buying in? Do they really understand what the threat models are? Or does the C mostly stand for compliance rather than something else? Whilst standards like these give a general idea of how to implement information security and risk management within your organisation, how security is actually embedded is an entirely different matter.
In my opinion these standards are good as a measuring stick to gauge levels of compliance after, and only after, you have looked at your own business processes, assessed possible risks and your risk appetite, and designed and implemented the required mitigation strategies. Then, and only then, should compliance with laws, regulations and standards like these come into full focus. Obviously you need to look at them beforehand, but don’t take them at face value and blindly start implementing them, because you may still end up on that front page with a massive data leak.
source: Information Security Media Group, Corp. (external link)
Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats
I wonder if this will be more than just talking about it, and broader than just cyber security, encompassing the entire field of information security. Cyber is too much of a buzzword and, more often than not, used as a lame excuse by organisations that misuse it to duck their responsibility for adequately protecting their company data assets. Although it is good to see that a more general approach is being taken as part of the digital single market initiative, it remains to be seen if the Commission’s expectations of investments by other players will take shape at all.
source: European Commission (external link)
What fraudsters hope you’ll post online about your identity
If you are an epic social media user and totally unaware of what identity theft is or how to prevent it, by all means read this article very carefully. Chances are that if you are reading this, that is probably not the case, though this link may be worth sharing with your friends and colleagues who don’t read security and privacy related articles.
Sometimes, not specifically on social media, you cannot help but post personal data online or on semi-public documents like bills and receipts. The Dutch government in particular is very good at ignoring the advice on social security numbers given in this article. So if you know somebody within the Dutch government, specifically in the ministry of finance or the tax authority, please be my guest and point them to this article and my comment on it, by very cautiously mentioning it may be worth reading for them as it is closely related to the Dutch social security number and its VAT number scheme for certain types of companies.
source: BBC Newsbeat (external link)