The niner noteworthy stories of 2017 (week 18)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

135 MEELLION Indian government payment card details leaked


How good security and privacy protections really are, whether laid down in policy or in legislation, shows at the moment enforcement of the rules turns out to be insufficient.
That is not to say that with sufficient enforcement and oversight all breaches would be a thing of the past, but when you have a massive scheme like this and it is not the system itself but all kinds of government departments that are leaking the data, that is clearly something to be extremely worried about.
This is precisely why in European privacy law, at least in my opinion, the data controller is held accountable for what happens with the data at all stages, including third-party processing. That is not to say it would map one-to-one onto the situation detailed here, but it is a related scenario and way of thinking.
source: The Register (external link)

Data breach rattles Sabre: Intrusion into hotel reservations system revealed


Normally I would suggest that something like the PCI DSS standard was probably not implemented or enforced; however, since I am well aware of the fact that this standard is rather useless, I will refrain from further comment in this direction.
The fact that this kind of data (credit card information as well as personal data) is accessible using only a username and password says enough, really.
source: SC Magazine (external link)
Update: Sabre later disclosed some more details, although this article on the website of Information Security Media Group, Corp. (external link) raises even more questions than it actually answers.
Update July 13th: Sometimes details take a bit of time to emerge, at least for one of the customers of Sabre, in this case the Trump hotel chain. Although in all honesty, if this is your third breach in as many years, no matter whether it happened at one of your suppliers, there is something fundamentally wrong with your security and privacy posture as a company.
source: BBC News (external link)

FireEye calls Shim-anigans: Bank-raiding hackers switch tactics


The interesting change of tactics here, from spear-phishing to a devops-loophole approach, means either that phishing attacks were getting less effective, or that the new method took less time and effort, or both.
Using code is probably also more effective. And since the code you download to do certain things is almost never fully read and analysed to make sure it is not infected, it is pretty effective too, I suppose.
This is also what makes these kinds of attacks a persistent threat; whether they are also advanced I leave to the reader to decide.
source: The Register (external link)

Public Health Watchdog Warns That Using NHS Data For Immigration Enforcement Could Lead To Epidemics


This pretty much sounds like it was intended to stay under the radar, in a form of security (or privacy) by obscurity. It does however fit nicely with the Investigatory Powers Act (or Snoopers’ Charter) and the police state mentality you can see growing in Europe over the last few years, but only if you are looking carefully enough.
Whilst I perfectly understand that the border police and immigration services want to stop illegal immigration, I seriously doubt that this is the way to do it.
On that matter I also remember a programme I watched years back that talked about a lot of illegal immigration to the UK for one specific reason only, and that reason was the “free” healthcare system, the NHS. So the fact that NHS data is used for this purpose is not as far-fetched as you may think it is.
source: BuzzFeed (external link)

Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors


Another interesting step in the ever-continuing CryptoWars, this time from the UK. Something a lot of other countries and law enforcement agencies have been crying out for, the UK Conservatives seem to want to push through Parliament.
If this indeed happens (I believe I have not read anything more about it since this was published in May of this year), it will have far-reaching consequences for the privacy adequacy decision the European Commission needs to take after Brexit, to determine whether the UK’s data protection standards are up to scratch with the EU’s data protection laws.
Well, if this ever becomes law, I predict the answer to that will be “hell no”, but formulated in somewhat more diplomatically correct terms.
source: The Register (external link)

Encryption May Lower Fines Under New EU Privacy Regime


(Note: this article seems to be partially behind a paywall.)
However, in the short bit I can read I find something that I disagree with, and hope is not true either, as it makes no sense at all (at least not stated as bluntly as it is here).
Whilst, if you demonstrably use good information security practices, of which cryptography is only one, it is reasonable to assume that fines after a breach may be lower, as you can show that you have done your best to secure the personal data against disclosure, theft, destruction and unauthorised changes.
However, being exempt from the data breach notification because you had encrypted the data? I seriously doubt it, because more factors are in play here, and even though you had encrypted it, if it was your own copy you will still have to notify.
Either the rest of the article clarifies this further, or the lady quoted here stating this should go back to school. A European law school, that is, not an American one.
source: Bloomberg BNA (external link)

German Parliament Passes New Federal Data Protection Act


Yep, Germany, as one of the European member states with the strictest privacy laws, was the first to fully implement the GDPR in its own national laws. Previous versions had some issues and drew massive amounts of comment. But at least they have implemented it more than a year before the GDPR comes into force.
Contrast that with the UK government, which started its reform in September this year, and the Dutch government, which only in the last couple of weeks has published the draft implementation law (which contained some clear mistakes, according to a well-known data protection lawyer).
source: HL Chronicle of Data Protection (external link)

Financial services sector most attacked in 2016


The major stinger I see in this article is not the fact that the number of incidents is down, but that the number of reported incidents is down, and then we are only counting the ones IBM calls an incident here as well.
As for 2017, I believe we will see a major increase in the number of records being breached. Where in 2016 it was 200 million, the Equifax breach alone already accounts for between 143 and 144 million records worldwide. So add up all the other incidents and the totals will be pretty impressive.
(And yes, I could not have written this in May, but sometimes a bit of hindsight yields a better story.)
source: SC magazine UK (external link)

Hundreds of Apps Can Listen for Marketing ‘Beacons’ You Can’t Hear


Interesting technology, certainly if you know that the entire radio spectrum above 9 kHz (yes, that includes audible frequencies as well as ultrasonic ones) is regulated by national authorities. At least the threshold is around this frequency in Europe; this may be different in other parts of the world.
What also strikes me is that apparently shops in Germany, a country well known for very strict privacy laws, are using this technology. So no cameras, but ultrasound beacons.
I agree with the claim in the article that you can’t stop them transmitting, but you can certainly block them, and not only in software. Although how easy it is to transmit anti-sound or a blocking signal will depend on which frequencies are actually used.
source: Wired (external link)