These are the noteworthy stories, in no particular order, that piqued my interest last week.
- PayAsUGym user details compromised in hack attack
- Windows 10 update broke DHCP, knocked users off the Internet
- Ransomware Offers Victims Free Decryption For Infecting Their Friends
- DOT proposed rules would require cars to share information
- Companies face new data access rules under controversial Commission plans
- EPrivacy leaked draft: The ‘good,’ the ‘bad’ and the ‘missing’
- Uber said it protects you from spying. Security sources say otherwise
- Houston, we have a problem: ‘App dev stole our radio station’
- Man held at JFK airport over largest US financial cyber-hacking
PayAsUGym user details compromised in hack attack
Yes I know, another week and another data leak. A minor one compared to others this month though. If there is one takeaway from this one, it is that this company says it takes the security of its customers seriously, yet it was not able to detect the ongoing breach itself. It also migrated to “new servers” after it was notified, whatever that means. I obviously have an idea, and that has to do with the software installed on their old machines, but I will leave it up to PayAsUGym to come clean on this one themselves.
source: BBC News (external link)
Update: December 24th 2016
Apparently somebody on Twitter spilled the beans for them already, more or less confirming my suspicion. Btw, claiming all your data is stored in the UK whilst there is stuff on a server in the Netherlands is not much of an issue here. At least maybe not until Brexit comes along.
source: SC Media UK (external link)
Windows 10 update broke DHCP, knocked users off the Internet
Okay, so you update your PC (or at least Microsoft automatically installs the updates for you, whether you want it or not) and afterwards your internet connection is broken. And apparently you may need another update from the internet to fix it. Or simply: “In the time-honoured tradition of IT support, Microsoft’s advice begins by telling people to try turning their PCs on and off again”. Have we really come this far in software development?
source: Ars Technica (external link)
Ransomware Offers Victims Free Decryption For Infecting Their Friends
Okay, so first you need to infect probably two “friends” or family members, hope they will pay the 1 bitcoin, and next you will need to “trust” the criminals to keep their promise? Quite an interesting game to play, coming pretty close to Russian roulette. However, since it is also known that ransomware “companies” sometimes have a better helpdesk than your general IT provider, who knows.
source: PCMag (external link)
DOT proposed rules would require cars to share information
Whilst I absolutely agree there are privacy risks to this technology, encryption will not help at all. The data needs to be usable by the other cars, which means that they need to be able to decrypt the information. So either all cars need their own key pair and cars need to figure out which other cars are around them to encrypt the relevant information with the public key of each specific other car, or we need one symmetric key to encrypt all traffic, or we need to do constant key negotiation between cars. In other words: this is not going to work whichever way you look at it. And besides that there are a host of attack vectors you can think about as well.
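To make the key-distribution problem concrete, here is an added illustration that is not part of the DOT proposal, the Consumer Reports article or this post: a toy fleet in which every car holds the same symmetric key, the second option above. The cipher is a stand-in built from the standard library (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), and the car names, positions and message format are constructed for the example.

```python
import hashlib
import hmac
import os

# Toy authenticated-encryption scheme built from the standard library only:
# a CTR-style keystream from HMAC-SHA256 plus an encrypt-then-MAC tag.
# Illustrative stand-in; a real deployment would use AES-GCM or similar.
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Car:
    """A vehicle that receives V2V broadcasts and keeps the last position per sender."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.seen = {}

    def receive(self, blob: bytes) -> None:
        # Constructed message format: sender,lat,lon,speed
        sender, lat, lon, speed = decrypt(self.key, blob).decode().split(",")
        self.seen[sender] = (float(lat), float(lon), float(speed))


def shared_key_fleet():
    """One symmetric key in every car (constructed scenario).

    Returns (readable_by_all, forgery_accepted)."""
    group_key = os.urandom(32)
    alice, bob, mallory = (Car(n, group_key) for n in ("alice", "bob", "mallory"))

    # alice broadcasts her position. Every car on the road holds the key and
    # can decrypt it, including mallory, so the data is not confidential from
    # any car owner; encryption only keeps out people without a car.
    msg = encrypt(group_key, b"alice,52.3702,4.8952,100.0")
    bob.receive(msg)
    mallory.receive(msg)
    readable_by_all = bob.seen["alice"] == mallory.seen["alice"]

    # Worse: the same key authenticates messages, so mallory can forge a
    # message in alice's name (a sudden stop ahead) that bob accepts as genuine.
    forged = encrypt(group_key, b"alice,52.3702,4.8952,0.0")
    bob.receive(forged)
    forgery_accepted = bob.seen["alice"][2] == 0.0
    return readable_by_all, forgery_accepted


def tampering_rejected() -> bool:
    """Sanity check that the toy cipher itself rejects modified ciphertext:
    the weakness demonstrated above is the key sharing, not the cipher."""
    key = os.urandom(32)
    blob = bytearray(encrypt(key, b"alice,52.3702,4.8952,100.0"))
    blob[NONCE_LEN] ^= 0x01  # flip one bit of the ciphertext
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    readable, forged = shared_key_fleet()
    print("every car can read the broadcast:", readable)
    print("forged message accepted by bob:", forged)
    print("bit-flipped ciphertext rejected:", tampering_rejected())
```

The point the fleet makes is the one in the paragraph: with one key in every car, confidentiality against another car is impossible by construction, and because a shared symmetric key also serves as the authentication secret, a single compromised vehicle can impersonate any other. Per-recipient public-key encryption avoids that, at the price of the neighbour discovery and per-neighbour encryption work described above.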
source: IAPP (external link), full article on Consumer Reports (external link)
Companies face new data access rules under controversial Commission plans
I can think of a couple of reasons why it is a good idea for companies not to own and monetise large data sets which have a privacy impact. I can also think of some reasons why it is a bad idea to open the floodgates on sharing that data around seemingly without restrictions.
The second thing in this article, the free movement of data, is in my mind contrary to some local laws and I don’t see why countries should give that up. Sure, in an ever closer union this should not be an issue at all, and as the GDPR comes into force the privacy protection in the entire union is more or less identical, but pushing this seems an over-the-top EU power play.
source: EurActiv.com (external link)
EPrivacy leaked draft: The ‘good,’ the ‘bad’ and the ‘missing’
So another privacy regulation, possibly large fines for telecoms as well as over-the-top (OTT) services, and “do-not-track” as the default cookie setting: looks good so far.
It seems the commission is, however, probably influenced by lobbying, going for an opt-out position on marketing usage of contact information. Whilst I can understand this, only allowing you to withdraw your consent every 6 months instead of immediately the moment you want to do so is an absolutely bad point. It may even break the existing EU privacy regulation (GDPR) as well.
It is indeed a pity that nothing is done against excessive data retention; however, I assume that some of the EU members have objected to that. As for the DTIP, we now know that the ECJ had something very interesting to say about that earlier this week.
As for a standard on end-to-end encryption: besides the obligation to implement it, this may not be a good idea, as you certainly don’t want technical solutions embedded into a law that takes forever to change again.
source: IAPP privacy advisor (external link)
Uber said it protects you from spying. Security sources say otherwise
Okay, so Uber apparently has lousy security practices, doesn’t adhere to basic principles like least privilege and need-to-know, and even goes as far as encrypting machines that are about to be seized under a warranted search. Even though this article is based on court filings after the security person was sacked, I lean towards believing his story rather than Uber’s response. Couple this with their history of data protection mischief and their current GPS data hunger, even when you are not using the Uber app, and the picture becomes quite clear.
source: The Center for Investigative Reporting (external link)
Houston, we have a problem: ‘App dev stole our radio station’
Bloke accused of seizing control, redirecting calls, pretending to be the boss
Sometimes you don’t even need cyber criminals to damage or destroy your brand; one vendor is apparently all it takes. The best takeaway from this article is that you must always make sure you own the credentials to vital accounts.
source: The Register (external link)
Man held at JFK airport over largest US financial cyber-hacking
Whilst in a lot of cases the “hackers” are never caught, partially because the breach of security was never discovered, in this case the outcome seems to be different. It remains to be seen whether the three cyber criminals are actually convicted as well.
The fact that it took this long to get them before a court is worrying by itself though.
source: BBC News (external link)