The niner noteworthy stories of 2017 (week 13)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Who’s Tracking Your Faceprint?


The subtitle of this article says it all, really:

Advertising companies, tech giants, data collectors, and the federal government, it turns out.

At least in America.
With these systems becoming more and more ubiquitous and more and more pictures being (mis)used to train them, there will come a time when you are recognised instantly the moment you pass any camera, anywhere, at any time.
The problem is that these systems are certainly not foolproof or accurate, so who will indeed have to prove they were not where the system says they were? “Computer says yes” will become the norm. It is probably against these kinds of automagical systems that the General Data Protection Regulation (GDPR) has strict provisions against automated profiling.
However, with these kinds of technologies becoming more and more prevalent, will there be anything left of our privacy rights for the data protection agencies to salvage, or will it already be too late?
source: The Atlantic (external link)
Besides that, biometric data will become a special category under the GDPR and therefore its processing will need to adhere to an extra set of conditions before it is actually allowed. This will become very interesting for certain international credit card companies experimenting with selfie-based authentication systems.

By dismantling domestic privacy laws, the US will lose control of the global internet | Opinion


An interesting opinion on America’s totalitarian regime over our data, media, governments and more. However, it seems that their greatest big brother department can’t hold on to its own secrets. Not in 2013 with the Snowden leaks, and not even in 2017 with the Shadow Brokers leaking most of, or their entire, cyber weapons stash to Wikileaks.
In Europe we may help the downfall of Silicon Valley a bit with the GDPR, but even more with some proposed articles in the rewritten E-Privacy regulation (E-Privacy directive for now), which will classify some of these services as over-the-top ones that have to comply with the same privacy regulations as the telecoms sector. Precisely the opposite of what the US Senate has just voted for, interestingly.
What does this mean for your business? Be very careful about where you put your data, on whose servers and under whose administrative control. If your “cloud” provider says your data is secured by the latest cryptographic algorithms, ask yourself this one important question: but who has the keys?
source: The Guardian (external link)

Microsoft’s Docs.com: Search your privacy away


This is a post by my good friend Chris Kubecka, who alerted me to this breach of confidentiality by the Microsoft docs.com service. It is interesting to see that this is a document service coupled to Microsoft’s Office 365 service which can be used to “share” documents with others. Well, in that objective it succeeded very, very well.
With all this information becoming public this way, not only from companies but from individuals as well, with the GDPR in hand the fines will be lucrative for the European data protection agencies for sure. The Dutch agency, the Autoriteit Persoonsgegevens, can already impose pretty annoying fines on those not taking care of the personally identifiable information of others.
I doubt there are any processor agreements with Microsoft for this data; yes, there is probably one, dictated by MS just like Salesforce does business, and certainly no provisions for cross-border data flows either. If there are, they certainly don’t include the massive publication of PII.
Now if you are shocked after reading this, please read the article above and place this one in that context.
source: Security-Evangelist.eu (external link)
The comments in this article by a Microsoft spokesperson would be hilarious if they weren’t so naive and stupid. If you really mean what you stated there, Microsoft, you should have warned people of the consequences of “publishing”, or show-casing as your spokesperson puts it, every time somebody wants to put a document on that site.
In my opinion there is no excuse good enough here. If this was a gross oversight by Microsoft, it’s inexcusable; if this was done as a deliberate service, then it’s gross neglect on their behalf.
source: Ars Technica (external link)

My Concerns with Google Deepmind’s UK Health initiative


This is indeed a troubling direction. Google may have had a perfect security record, as the author states, however who really knows if that’s true or not? The data breaches, if any, at least have not been of a scale massive enough to be worth publishing about. That is, if Google itself, by virtue of its employees, isn’t one large data breach, as its employees apparently have access to any and all data the company “owns”.
Will this in the near future also include all NHS health data? This isn’t the first time this topic has come up either; see this link from last year.
With the NHS also trying to update its outdated IT systems using hedge fund money, see Ars Technica UK (external link), the question isn’t if but when health data confidentiality is breached. Although I don’t know what’s worse: money-hungry investors that leave the debt within the organisation and may sell the health data to the highest bidder, or a data-hungry company that misuses it to target you with unwanted advertising, including for medication for your illnesses, without prescription and pretty cheap too.
source: Anish Mohammed (external link)

Hong Kong’s election watchdog urged to come clean on city’s ‘worst’ data theft


This is especially interesting considering the political turmoil Hong Kong has been in over the last years concerning these 2017 elections in the first place. But also because the Hong Kong data protection act is modelled almost completely on the data protection directive 95/46/EC from the European Union.
If this data was indeed stolen for ulterior motives, which would not surprise me, then this is certainly one to watch.
source: South China Morning Post (external link)
This article gives a bit more of an international view on this story. It is indeed unusual that the actual hardware carrying personal information was stolen rather than the data being taken via an online attack. However, since the laptops were in “storage”, it is understandable. Certainly if this was an insider job as well.
source: CNET (external link)

One of the most dangerous forms of ransomware has just evolved to be harder to spot


Yep, the game is up: now malware detects honeypots, virtual machines and security products running on your endpoint systems as well, all in an effort to avoid detection and analysis and to make it harder for security products to “protect” their users against the new variants.
Couple that with ever-evolving business models and this is certainly a force to be reckoned with. Are your protections up to date? Did you invest enough in a multi-level approach, and is your staff taking security alerts seriously? If you can’t answer a definitive YES to each of these questions, it’s time to ask me for advice.
source: ZDNet (external link)

Smart TV hack embeds attack code into broadcast signal—no access required


Yes indeed: not only is Samsung spying on you through their TV sets, I could be doing it too. Effectively any smart TV is a miniature computer, complete with security vulnerabilities and requiring patching and maintenance. What is probably worse is that a lot of companies and business centres are using TVs as conference room monitors for obvious reasons: for a reasonably sized screen with a reasonable resolution they are much cheaper than real computer monitors or beamers.
But, certainly in this case, with an important downside as well. Not only are these TVs connected to your internal network, they can be used as a stepping stone or become part of an IoT botnet, which is handy for the next DDoS attack on the Internet, like we saw with security cameras in September 2016.
It is about time IoT vendors were massively fined for leaving security vulnerabilities in their products. Unfortunately we can’t trust them to self-regulate either. We have seen this all too well across the entire software industry for decades.
source: Ars Technica (external link)

US ATM fraud surges despite EMV


The problem isn’t directly the EMV chips themselves, although the skimming criminals are already tackling EMV chips too; see this article.
American cards still carry a magnetic stripe next to the EMV chip on the same card. Similarly to the changeover to EMV chips in Europe, it will take a while before all systems are converted. In the meantime skimming is increasing, and as long as vulnerable systems are in use the bounty outweighs the chance of getting caught; and with the financial sector busy with compliance and what it considers “bigger risks”, that unfortunately won’t change either.
source: The Register (external link)

Chinese Learn the Value of Privacy


So what’s the difference between online companies leaking your data and the ones that seem to better “protect” it, like the monolithic ones in Silicon Valley? In both cases the respective government is similarly using your data, whether you want it or not. Although the US government isn’t supposed to do this to its own citizens, at least not to the extent it does for anybody else.
Effectively the only difference lies in the simple fact that even more parties can make money off your personal data in all kinds of interesting ways, including identity theft, fraud, etc. Both types of companies are certainly not privacy heroes; it’s just that the American ones are better at monetising your data for their own profit than the Chinese competition.
source: Bloomberg View (external link)