The niner noteworthy stories of 2017 (week 11)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Millions of records leaked from huge US corporate database


There are two sides to this story: on the one hand a lot of aggregated data has become available that will massively aid phishing and social engineering attacks; on the other hand it seems there are companies that actively aggregate these huge data sets in order to sell them for profit over and over and over again.
Whether this is legal under US privacy laws would depend greatly on how they actually obtained the data in the first place. Even if the now available dataset does not come from this company directly, they apparently don't care what happens with it after they sell it (profit made, not our problem anymore).
As for the impact, which they downplay, we will have to see. The possibility of massive misuse is certainly present, and in my humble opinion it could have been prevented if these kinds of business models had been made illegal. With the current administration, however, and the reversal of the FCC privacy rules on browsing data, changing that is extremely unlikely.
source: ZDNet (external link)

Abta suffers security breach affecting thousands of glum British holidaymakers


A prime example of why it is so extremely important to manage your vendors, specifically when PII (personally identifiable information) is concerned. Not only because the law demands it, even more so under the General Data Protection Regulation (GDPR) come May 25th 2018, but because it is ethically and morally correct to do so.
In that respect it doesn't matter whether the leaked data carries a low or a high risk of identity theft: if it increases that risk at all and the leak could have been prevented, it should have been.
And yes, obviously mistakes can be made, and the exact details of this particular breach aren't known at the time of writing either. However, blaming it on a contractor whilst you as the data controller remain fully liable points either to ignorance or to extreme childishness.
source: Ars Technica UK (external link)

ISPs say your Web browsing and app usage history isn’t “sensitive”


So why is this such a big deal for the American internet service providers? There is, unfortunately, only one answer to that: they were already selling that information before it may have become illegal to do so, and with that threat hanging over the market they were simply afraid of a very lucrative revenue stream drying up.
It's as simple as that. There is no other reason in my mind why these privacy-enhancing rules are opposed at all.
Their next step is probably to buy all the VPN providers they can lay their hands on, to be able to get at your browsing data that way instead. That is, if the American public actually cares about its online privacy and is willing to switch to using a VPN (virtual private network) in all circumstances. Time will tell.
source: Ars Technica (external link)

Canada’s privacy watchdog probes US border phone seizures


What do they take? Probably everything the phone will synchronise with a computer system. For how long? Indefinitely, or maybe until space on the storage media runs out. Will they install something malicious? Obviously I don't know, but with all the information leaking about US intelligence agencies from Mr Snowden and later leaks as well, I can only conclude that I would not put it past them to do this in isolated cases.
As for stripping privacy rights from non-US citizens, nothing really changed that much, as I wasn't aware that we had any privacy rights to speak of in the eyes of the US administration anyway.
This by itself is a worrying trend which will hurt business travellers and may in the end leak sensitive data in a way that could be very damaging.
source: The Register (external link)

WhatsApp and Telegram Vulnerability Should Warn Wary Encrypted Chat Users Off the Web


This is indeed more a browser issue than an end-to-end encryption issue, and it can't even be blamed on that technology. It's the code running in the browser, as well as browser security itself, that are the culprits in this case.
The final line in the article is more worrying, however, as it clearly distinguishes between those who really need privacy of communication and those who see it as an added bonus. It's that latter group of potential users that poses the highest risk if they are working for your company and dealing with sensitive data too.
source: WIRED (external link)

Google, Facebook, Twitter must comply with EU consumer law—or face fines


Whilst this article doesn't deal with privacy laws directly, these same social media and advertising networks will have a lot on their plates if they are willing to become compliant with the General Data Protection Regulation next May. In addition to that, the draft regulation published to update the old ePrivacy Directive may hold even more problems for these American-based companies.
In some respects, specifically where automated profiling for direct marketing is concerned, they will have an extremely hard time becoming compliant without actually destroying their own business models in the process.
source: Ars Technica UK (external link)

US Secret Service laptop with Trump Tower plans stolen in New York


Okay, so the disk was encrypted, which actually means, if it was done correctly (strong passphrase, and the machine powered off rather than asleep with the key still in memory), that it doesn't matter that much what kind of data was on it, and certainly not how sensitive it was.
The only thing you can actually learn from this article is a pretty simple fact: never leave your laptop in your car unattended, not even in your own driveway it seems.
Depending on what the purpose of those lapel assignment pins is, these may be of more value to a potential miscreant with other plans than simply obtaining a new laptop, wiping the disk and using it for whatever reasons somebody uses a laptop.
source: BBC News (external link)

Ubiquiti network gear can be ‘hijacked by an evil URL’ – thanks to its 20-year-old PHP build


So a company that says it takes network security very seriously has firmware versions that are vulnerable to a cross-site request forgery (CSRF) attack, doesn't reply to bug-bounty reports and is seemingly using a PHP version that is indeed about 20 years old. Yes, they are taking it "very seriously" indeed. Give me a break, please.
source: The Register (external link)
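To make concrete what "hijacked by an evil URL" means for an admin interface, here is an added example (not Ubiquiti's firmware and not code from The Register article): a toy router backend whose password-change endpoint is first shown in the CSRF-prone shape described in the story (authentication by cookie alone, state change on a GET) and then in a hardened form (POST only, Origin header check, per-session anti-CSRF token). The admin UI origin, cookie name, parameter names and status codes are assumptions for illustration.

```python
# Added example, not Ubiquiti's firmware nor code from The Register article.
# Models a router admin endpoint that changes the admin password, first in the
# CSRF-prone shape (GET + cookie-only authentication) and then hardened
# (POST only, Origin check, per-session anti-CSRF token). The admin UI origin,
# cookie name, parameter names and status codes are all assumptions.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """The parts of an HTTP request that matter for this check."""
    method: str
    cookies: dict = field(default_factory=dict)  # attached automatically by the browser
    params: dict = field(default_factory=dict)   # query string or form body
    headers: dict = field(default_factory=dict)


class Router:
    """Toy admin backend; sessions map a session id to its CSRF token."""

    def __init__(self, origin="https://192.168.1.1"):  # assumed admin UI origin
        self.origin = origin
        self.sessions = {}
        self.config = {"admin_password": "original"}

    def login(self):
        """Issue a session cookie value and a CSRF token bound to that session."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid, self.sessions[sid]

    def vulnerable_set_password(self, req):
        """Accepts any method and trusts the cookie alone: an <img src=...> on a
        page the logged-in admin happens to visit is enough to change the password."""
        if req.cookies.get("sid") not in self.sessions:
            return 401
        self.config["admin_password"] = req.params["pw"]
        return 200

    def hardened_set_password(self, req):
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 401
        if req.method != "POST":  # state changes never via GET
            return 405
        # Browsers attach Origin to cross-site POSTs; if present it must be ours.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return 403
        # The token is only readable from our own pages, so an attacker's page
        # cannot include it. compare_digest avoids leaking it via timing.
        supplied = req.params.get("csrf", "")
        if not hmac.compare_digest(supplied.encode(), self.sessions[sid].encode()):
            return 403
        self.config["admin_password"] = req.params["pw"]
        return 200


def forged_image_request(sid, new_password):
    """What the victim's browser sends for <img src="http://router/set?pw=...">
    on an attacker's page: a GET with the session cookie attached automatically,
    no Origin header and no CSRF token."""
    return Request("GET", cookies={"sid": sid}, params={"pw": new_password})


def forged_form_post(sid, new_password):
    """Auto-submitted cross-site form: a POST with the cookie, but the browser
    labels it with the attacker's Origin and the token is missing."""
    return Request("POST", cookies={"sid": sid}, params={"pw": new_password},
                   headers={"Origin": "https://evil.example"})


if __name__ == "__main__":
    r = Router()
    sid, token = r.login()
    print("vulnerable, forged GET :", r.vulnerable_set_password(forged_image_request(sid, "pwned")))
    print("hardened, forged GET   :", r.hardened_set_password(forged_image_request(sid, "pwned")))
    print("hardened, forged POST  :", r.hardened_set_password(forged_form_post(sid, "pwned")))
    legit = Request("POST", cookies={"sid": sid}, params={"pw": "new", "csrf": token},
                    headers={"Origin": r.origin})
    print("hardened, legitimate   :", r.hardened_set_password(legit), r.config)
```

Both the Origin check and the token check are kept because each covers a case the other misses: the token defends against clients that omit Origin, while the Origin check still rejects a cross-site POST if a token ever leaks. Marking the session cookie SameSite=Lax or Strict is a third, browser-enforced layer worth adding on any real device.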

Fragmentation: the silent killer in security management


Yes, every aspect of this article is correct. And yet I disagree with some of what is being said.
The main problem isn't the gap between attackers and defenders, although that will make the problem worse, but the fact that most companies don't know what their attack surface is or what their critical processes are, and mostly have no decent IT maintenance program in place (except on paper). Additionally, the lack of skills, low pay for highly qualified information security personnel and no real commitment from senior management complete the picture.
Call me sceptical; I would call it realistic, and I have over 8.5 years of experience to back that up.
source: CSO Online (external link)