The niner noteworthy stories of 2017 (week 3)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Thousands warned they may be victims of rogue webmaster


And there are still companies that claim outsourcing work because you lack the knowledge yourself is safe. Okay, maybe a bit too harsh of a statement, but it does perfectly highlight why you need to be careful and only work with trusted parties, or be able to check and verify that the work done is up to spec.
And yes, that includes possible rogue scripts compromising your website and leaking your clients’ data to its developer. Effectively all websites compromised in this way suffered a data leak and could, depending on when the leak occurred, be liable for a big fine under the Dutch data protection laws in force since the 1st of January 2016. Maybe even a double fine, as they probably didn’t know and didn’t notify the Autoriteit Persoonsgegevens (the Dutch DPA) either.
source: BBC News (external link)

The US Postal Service Wants to Hunt Down Dark Web Criminals


Interesting job opportunities. What is even more interesting is that the US Postal Service apparently started investigating the dark web a lot more after it was breached itself back in 2014. The question, however, is whether we trust these types of organisations with policing the Internet, or whether this should be left to law enforcement agencies.
At least this is one somewhat new development to keep an eye on for sure.
source: Motherboard (external link)

Cobert: OPM ‘feels like a different place’ post-cyber breach


The first step towards becoming more data oriented is to drop the term cyber and start talking about information security instead. It may seem a small thing, just one word, but information security is by definition driven by information and the underlying data, not by systems and network connectivity, which is where cyber security often stays stuck.
It is good to see that the OPM is taking this seriously. Though the most interesting point made in the article is that they apparently still have ageing and/or already outdated IT infrastructure in place and too little budget to actually do what’s necessary to upgrade or replace it.
source: Federal News Radio (external link)

Connected Devices Give Spies a Powerful New Way to Surveil


Maybe the authors of this story should be given a copy of Orwell’s book 1984. Although if the picture they paint goes much further than what is already reality in this day and age, Orwell’s vision would look like an extremely positive view on the matter, one which everyone who really understands the implications would think back to with joy.
The storage problem that is highlighted in this article is essentially already solved too. The intelligence community just uses the data warehouses of companies like Google, Facebook and IoT platform providers to hold the data, with unlimited access to everything that is stored there whenever they want to have it. Add to this countries adopting far-reaching surveillance laws like the UK’s Investigatory Powers Act (or Snoopers’ Charter) and the outcome becomes even more bleak and worrisome.
source: Wired (external link)

New U.K. Surveillance Law Will Have Worldwide Implications


Take this, add the IoT as a new surveillance factor from the previous article, add some ice, shake it well, don’t stir, and you have the starter for a nice and explosive surveillance cocktail.
All 007 quotes aside though, the worldwide trend of implementing more and more data retention laws, mass and bulk surveillance and attacks on security and privacy technology is extremely worrying and, if not kept in check, will ultimately destroy our open western society. No terrorist organisation required, just our own fear-mongering politicians fed by an over-greedy intelligence community.
source: MIT Technology Review (external link)

Landmark Australian ruling on what counts as ‘personal information’


This Australian discussion on the application of privacy laws to metadata is not a standalone case. The fact that data about this customer wasn’t seen as personal data may be interesting in Australia, but the outcome would have been different under other data protection regimes. In Europe, for example, the individual customer can clearly be identified from the data requested, so it would very likely fall under personal information and therefore would have to be included in an information request.
The fact that this court ruling does not clarify what actually is personal data, or what would have to be part of an information request, will indeed cloud the rights of Australian citizens as to what they can or can’t expect to obtain with an information request. The ruling as such is interesting, as the information requested is clearly related to and therefore, in my opinion, about the former journalist.
source: iTnews (external link)

Australia’s Department of Social Services pushing ahead with data-matching plans

Apparently there is a lot going on down under regarding data protection vs. service outcomes and the definition (see above) of what constitutes data about an individual.
This could potentially go horribly wrong, but maybe the government will think hard and stop this project before it’s too late. On the other hand, with the current hype around big data that doesn’t seem very likely.
source: The Register (external link)

Reminder: Your Passwords Are Still Terrible


Take this in combination with the next article and you may begin to understand why so many people fall victim to identity theft or compromised accounts. Whilst it is the responsibility of users to use stronger passwords and not reuse them on multiple sites, the first part can also be enforced by site and app designers and developers to help bolster security for their users.
Most users can’t be bothered to do it themselves. However, if you force them to choose stronger passwords they often will comply.
On business networks though, don’t overdo it either. Asking for stronger passwords and at the same time ordering users to change them every 4 weeks or so will push them to other sorts of behaviour, like using incremental numbers in their passwords. If you think you are clever and also say that the password can’t be identical to any of the last 12 or 13, they will simply append 2 digits for the year the password is used in, completely circumventing the reasoning behind your strict policies.
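The circumvention described above (a rotation plus history policy that users defeat by appending a year or a counter) is detectable at change time, because a password change normally requires the user to supply the current password in plaintext. The following is an added example, written for this post and not code from the article or from any product it mentions: a policy check that reduces a candidate and a previous password to their alphabetic core and rejects trivial variants alongside the usual length, character-class and exact-history checks. The policy numbers (12 characters, 3 classes, 12 remembered passwords) and the sample passwords are constructed for the example.

```python
from __future__ import annotations

import re

# Policy parameters: constructed for this example, not taken from the article.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 12

_CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
# Digits and common punctuation that users bolt on to the front or back of a base word.
_TRAILING_FILLER = re.compile(r"[0-9!@#$%^&*._\-]+$")
_LEADING_FILLER = re.compile(r"^[0-9!@#$%^&*._\-]+")


def core_of(password: str) -> str:
    """Strip digits/punctuation from both ends and lowercase the remainder,
    so 'Winter2017', 'winter18!' and '01Winter' all reduce to 'winter'."""
    stripped = _LEADING_FILLER.sub("", _TRAILING_FILLER.sub("", password))
    return stripped.lower()


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the candidate differs from a previous password only by
    prepended/appended digits or symbols, or by letter case."""
    core = core_of(candidate)
    return core != "" and core == core_of(previous)


def character_class_count(password: str) -> int:
    """Number of distinct classes (lower, upper, digit, other) present."""
    return sum(1 for pattern in _CHARACTER_CLASSES if re.search(pattern, password))


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    `history` holds the user's previous passwords, most recent first.
    In a real deployment only the current password is available in plaintext
    (the user types it to authorise the change) and older entries are stored
    as hashes, so the variant check effectively runs against the current one
    while the exact-match check can still be done against hashed history.
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_class_count(candidate) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")

    recent = history[:HISTORY_DEPTH]
    if candidate in recent:
        problems.append(f"identical to one of the last {HISTORY_DEPTH} passwords")
    else:
        for previous in recent:
            if is_trivial_variant(candidate, previous):
                problems.append("trivial variant of a previous password")
                break
    return problems


if __name__ == "__main__":
    # Constructed sample: the "append the year" pattern the post describes.
    print(check_password("Corporate2018!", ["Corporate2017!"]))
    print(check_password("Tr0ub4dor&3-rotation", ["Corporate2017!"]))
```

The variant check is deliberately crude (it only catches filler at the ends of the word), which is the point: it stops the specific pattern that forced rotation produces without trying to be a full strength estimator. Checking candidates against a list of known breached passwords would be the natural next step, but that is a separate control from the rotation problem discussed here.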
source: PCMag (external link)

Consumers are passing off security responsibility to others: Gemalto


Privacy laws actually agree with consumers on this topic, putting the responsibility squarely on the company or organisation that actually holds the data. Which, in my opinion, is indeed where the responsibility, or even accountability, should rest.
However, this doesn’t mean that consumers have no responsibility themselves at all. Specifically where social media and other online platforms are concerned, users have their own responsibility to think twice before disclosing sensitive and personally identifiable information online. Also, the possible consequences of breaches, which are amplified when re-using passwords across sites, are a responsibility of the users themselves and cannot be blamed on or passed off to others.
In some cases this will indeed mean that a certain service is harder to use in exchange for better security and privacy, e.g. the Threema chat app on the one hand vs. Signal or WhatsApp on the other.
source: ZDNet (external link)

Squirrel ‘threat’ to critical infrastructure


So does this mean we can safely connect our power grids’ control systems to the internet and retrain security staff in squirrel hunting techniques? The problem is that both threats are serious and can cause major damage if successful. The animal attack factor, however, is hopefully included in the business continuity planning of any critical infrastructure facility. Most of the time the human attack factor is not, or at least not sufficiently to warrant enough protection.
So whilst this article and the research done make interesting reading and at least put things into perspective, this certainly does not mean that information security therefore merits less or no attention anymore; on the contrary.
source: BBC News (external link)