These are the noteworthy stories, in no particular order, that piqued my interest last week.
- MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
- Thousands of NHS Wales staff lose personal data in breach
- Google Wants To Take ‘Faceprint’ Battle To Appellate Court
- Acting Federal Trade Commission head: internet of things should self-regulate | Technology
- Google’s Allo app can reveal to your friends what you’ve searched
- What Your SecOps Team Can (and Should) Do
- Is Your Company Using Employee Data Ethically?
- Canadian agency breached as hackers exploit new software bug
- If Your iPhone is Stolen, These Guys May Try to iPhish You
MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
It’s interesting to see, yet hardly surprising, that Apple is doing better than Android at protecting the privacy of its users. Although all devices are vulnerable to the RTS (request to send) active attack described in the article, iOS has at least protected its users against passive tracking since version 8.
Although iOS 10 devices can be distinguished because of some added information in their probes, it is unclear whether that information is unique to each device or identical across all iOS 10 devices. In the latter case it would only reveal that a particular user carries an iOS 10 handset, which is general enough to still preserve a form of privacy. Some follow-up research seems required.
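To make the passive/active distinction concrete, here is an added example that is not part of the original post or of the article it discusses. It shows the check a passive sniffer effectively relies on: a probe request carrying a globally assigned source MAC (U/L bit, bit 1 of the first octet, clear) can be linked across capture points, while a locally administered address (U/L bit set) is what randomization produces and cannot be followed that way. The probe records are constructed sample data, and the sensor names and function names are my own.

```python
"""
Added example: classify probe-request source MACs as trackable (globally
assigned) or randomized (locally administered), and link the trackable
ones across sensors the way a passive observer would.

Not code from the original post. SAMPLE_PROBES is constructed sample data.
"""
from collections import defaultdict


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes; reject anything else."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def is_multicast(mac: str) -> bool:
    """I/G bit (bit 0 of the first octet): group address, never a station."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet) set: not an OUI-based, burned-in
    address. This is what MAC randomization sets on a device's probes.
    Caveat: some vendors and virtual NICs also use locally administered
    addresses, so this is evidence of randomization, not proof."""
    return bool(parse_mac(mac)[0] & 0x02)


# Constructed sample data: (sensor, seconds since start, probe source MAC).
SAMPLE_PROBES = [
    ("sensor-A", 0,   "a4:5e:60:11:22:33"),  # globally assigned -> trackable
    ("sensor-A", 5,   "da:a1:19:4f:8c:02"),  # locally administered -> randomized
    ("sensor-A", 12,  "fa:ca:8b:01:02:03"),  # locally administered -> randomized
    ("sensor-B", 600, "a4:5e:60:11:22:33"),  # same burned-in address seen again
    ("sensor-B", 610, "c6:2b:7e:10:00:9d"),  # locally administered -> randomized
]


def link_sightings(probes):
    """Group sightings by source MAC, keeping only globally assigned unicast
    addresses: those are the ones a purely passive observer can follow from
    one sensor to the next. Randomized addresses are dropped because each
    one looks like a new, unrelated device.

    Note this only models the passive case. The active RTS attack the
    article describes elicits a reply from the device's real address and so
    bypasses randomization entirely; no filter on captured probes helps
    against it."""
    trails = defaultdict(list)
    for sensor, t, mac in probes:
        if is_multicast(mac) or is_locally_administered(mac):
            continue
        trails[mac].append((sensor, t))
    return {mac: sorted(v, key=lambda x: x[1]) for mac, v in trails.items()}


def count_randomized(probes) -> int:
    """How many probes in the capture used a locally administered address."""
    return sum(1 for _, _, mac in probes if is_locally_administered(mac))


if __name__ == "__main__":
    for mac, trail in link_sightings(SAMPLE_PROBES).items():
        path = " -> ".join(f"{s}@{t}s" for s, t in trail)
        print(f"trackable {mac}: {path}")
    print(f"randomized probes: {count_randomized(SAMPLE_PROBES)}")
```

Run against the sample, the one globally assigned address is linked from sensor-A to sensor-B ten minutes later, exactly the correlation randomization is meant to prevent, while the three locally administered addresses yield no trail.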
source: The Register (external link)
Thousands of NHS Wales staff lose personal data in breach
What is interesting here is that the breach happened in October 2016, yet affected individuals were only informed in early March 2017. The article is not particularly clear on why that is. If I may speculate, it could very well be that the breach was only discovered 4-5 months after it actually occurred, rather than being discovered last October with the contractor simply waiting to inform people.
That would be consistent with a lot of other data breaches as well. The accompanying statement that the contractor has secured their network to prevent further breaches is of little to no help to the persons whose data is already compromised.
Lastly, even if the NHS had specific policies in place, who is to say the contractor actually adopted those to protect their own systems? If my experience in handling outsourcing contracts is any indication, nearly all contractors will not adopt your security policies and will state that their own are secure enough. If that is indeed the case here, we have seen the unfortunate result of it.
source: SC Magazine UK (external link)
Google Wants To Take ‘Faceprint’ Battle To Appellate Court
So photos are not biometric data, and therefore Google argues that biometric measurements taken from a photo are not biometric data either? Am I missing something here?
In Europe, specifically under the GDPR, biometric data processed to uniquely identify a person (which is exactly what a faceprint extracted from a photo is) counts as special-category data, and photos themselves fall under that heading when they are processed by such means. It seems we would not have this discussion over here in the first place. Though it is interesting to see what comes out of this case in the US, it seems pretty certain to me that Google will lose it. Although they probably will disagree.
source: mediapost.com (external link)
Acting Federal Trade Commission head: internet of things should self-regulate | Technology
So there may be a threat, but as long as that threat doesn’t materialise the FTC does nothing to protect consumers, because if we do nothing a solution may materialise at the same time? It is precisely this kind of thinking that has already led to massive data breaches, ransomware attacks and massive DDoS attacks.
If we replaced the head of the FTC with an ostrich, what would actually change? I suspect not that much.
Self-regulation on information security and privacy in the IT business has never worked and never will.
source: The Guardian (external link)
Google’s Allo app can reveal to your friends what you’ve searched
Whilst this problem with the Google Assistant could indeed have annoying privacy implications for its users, isn’t the fact that you are using a chat app without any end-to-end encryption, plus an assistant that reads all your chat transcripts, privacy trouble enough?
I mean, if you want to safeguard your privacy, simply don’t use apps like this, and certainly don’t hand a lot of personal and potentially sensitive information to a large search and advertising giant that wants to make money with that information in the first place.
source: Recode (external link)
What Your SecOps Team Can (and Should) Do
Unfortunately the global elite this article talks about is nothing more than that: a small group of organisations that really understand and practise what they should do to protect their company assets. On the other hand, the fact that a lot of companies simply don’t, or don’t want to, understand this means there will certainly be enough work around to help them mature in this field as well.
And yes, that means a possible double edged sword indeed.
Is your company part of the elite? Congratulations. If not, don’t hesitate and contact me for assistance.
source: Dark Reading (external link)
Is Your Company Using Employee Data Ethically?
The only reason those lines are getting blurred is the fact some companies think they “own” all our data and therefore have the “right” to do with it as they see fit.
The statement quoted in the article, “Ethics is knowing the difference between what you have the right to do and what is right to do”, is probably more relevant in this day and age than at the time it was originally used, specifically because of those blurring lines, the differences in privacy regulation between Europe and the US, and the ever-growing globalisation of people and, in particular, of data.
Is your company using data ethically? Please do ask yourself that question honestly and then review your data usage policies.
source: HBR (external link)
Canadian agency breached as hackers exploit new software bug
It’s difficult to keep all software patched the moment vulnerabilities of this magnitude and impact are published, even when, as here, the Apache Software Foundation already has a patch available. The Canadian government did the only right thing in shutting down the vulnerable web server until it could be patched and therefore secured against this specific vulnerability.
I know it is probably not the most important, must-be-available-24/7-or-we-lose-a-shitload-of-money kind of website, but still doing it, and going public with it as well, shows guts, and I am obliged to give kudos for that.
If you run an Apache web server with this specific vulnerable component, get patching!
source: Reuters (external link)
If Your iPhone is Stolen, These Guys May Try to iPhish You
For those who think they can commit crimes on or using the internet and stay anonymous, please read this article and ask yourself whether it is still worthwhile to continue breaking the law. Apparently there is enough data around to track you, especially if you make stupid mistakes like this individual did. But even if you don’t, it will still be possible to find you, only somewhat more difficult.
source: Krebs on Security (external link)