These are the noteworthy stories, in no particular order, that piqued my interest this week.
- Chinese Malware Fireball Infects More than 250 Million Computers
- Kmart Confirms Breach at Unspecified Number of Stores
- OneLogin suffers breach—customer data said to be exposed, decrypted
- Defense contractor stored intelligence data in Amazon cloud unprotected [Updated]
- NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack
- Standing Rock Documents Expose Inner Workings of “Surveillance-Industrial Complex”
- Publishers call for rethink of proposed changes to online privacy laws | Media
- Digital Privacy Is Making Antitrust Exciting Again
- Making Google the Censor
Chinese Malware Fireball Infects More than 250 Million Computers
Malware attacks aren’t new, and neither are multiple delivery methods. What makes this one more interesting is that both Windows and Mac systems were infected, the enormous scope of the infection, and that, with more and more services moving to browser-only requirements, these kinds of attacks will grow substantially over time as well.
A somewhat different view on the matter is provided by this article from the Register (external link), which once again highlights the unethical behaviour of online and direct marketing firms. And they don’t have to be American or European ones either, as this one is a Chinese-based outlet.
As stated in both articles, the malware is easy to remove; the question, however, is how many infected users will actually know they are infected in the first place.
source: GBHackers on Security (external link)
Kmart Confirms Breach at Unspecified Number of Stores
Okay, so you are three years later and you are using the same excuse to say you were not able to do anything about it yourself and are a victim too? Makes you wonder what they actually improved after the last breach hit them in 2014.
The fact that in both cases the malware was not detected by anti-virus software is not really surprising: anti-virus and anti-malware software have enough well-known limitations (at least in the InfoSec community) that you should make sure those systems are not the only line of defence in your network.
Whilst identity theft may indeed be the biggest risk, not warning of financial fraud and simply letting the card issuers deal with that is irresponsible in my opinion.
source: Information Security Media Group, Corp. (external link)
OneLogin suffers breach—customer data said to be exposed, decrypted
Okay, yet another data breach, and this time the keys to decrypt the data were stolen as well, or at least so it seems. What is more worrying is that this was the second breach within a year for the same firm.
You would think that a company like this would take more steps to protect its clients, as it must know it is a high-value target because of the information it is holding. At least let’s hope they know, or it would be even more worrying than it already was.
source: Ars Technica (external link)
Defense contractor stored intelligence data in Amazon cloud unprotected [Updated]
Don’t rely on cloud providers to secure your data; you really need to take care of it yourself. That’s what this story really shows.
As for the data being classified or not, I won’t bet my money on the statement provided that it is not classified.
It also depends on what you define as classified; usernames and passwords may have that label depending on what systems they are for. Besides, what is data like that doing in an open folder anyway, and can we call this simply an unintentional mistake? See BBC News (external link).
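As an added example of the self-check that advice implies (this is my illustration, not code from the article or from any of the parties it describes): a small Python audit that reads a bucket policy together with the bucket’s public-access-block settings and flags anything open to anonymous principals. The policy document, the account id and the IP range are constructed; the key names follow the S3 bucket-policy and PublicAccessBlockConfiguration formats, and in practice you would feed it the JSON your cloud API returns.

```python
"""Audit an S3-style bucket policy and public-access-block settings for
anonymous access. Added example; the sample documents below are constructed,
not taken from the incident discussed in the article."""
import json

# The four flags of an S3 PublicAccessBlockConfiguration; all must be True
# for the bucket to be shielded from public ACLs and public policies.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when a statement's Principal grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS")))
    return False


def find_public_statements(policy):
    """Return (sid, actions, conditional) for every Allow statement that is
    open to anonymous principals. `conditional` is True when a Condition
    block narrows the grant (e.g. by source IP); that still deserves review."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{idx}")
        findings.append((sid, _as_list(stmt.get("Action", [])), "Condition" in stmt))
    return findings


def public_access_block_ok(config):
    """True only when every public-access-block flag is explicitly enabled."""
    return all(config.get(flag) is True for flag in PAB_FLAGS)


def audit_bucket(policy_json, pab_config):
    """Combine both checks into a list of human-readable findings."""
    policy = json.loads(policy_json)
    findings = []
    for sid, actions, conditional in find_public_statements(policy):
        tag = "conditional public" if conditional else "PUBLIC"
        findings.append(f"{tag} statement {sid}: {', '.join(actions)}")
    if not public_access_block_ok(pab_config):
        missing = [f for f in PAB_FLAGS if pab_config.get(f) is not True]
        findings.append("public access block incomplete: " + ", ".join(missing))
    return findings


# Constructed sample policy: one fully public read, one public-but-IP-limited
# list, and one grant to a specific role (123456789012 is a placeholder id).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ListOnlyFromOffice", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed public-access-block settings with two of the four flags off.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_PAB):
        print(line)
```

Running it against the sample prints three findings: the unconditional public read, the IP-conditioned public list, and the two public-access-block flags that are not enabled. The point of the separate `public_access_block_ok` check is that a clean policy today does not protect against a public policy or ACL being added tomorrow; the block settings are the control that outlives individual mistakes.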
Oh and what is an intentional mistake btw?
source: Ars Technica (external link)
NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack
So North Korea, as we all more or less expected, is behind the Sony Pictures attack. There was enough relevant material and reason, as well as motive, at that time.
The fact that they also started to target banks and apparently are shifting or expanding to ransomware is not really surprising. The economy is under pressure, even more so now than back in June this year, and they do need cash to pay for all the materials and maybe even the knowledge for their missile program.
This then is one of the avenues you can explore to get what you want.
source: The Register (external link)
Standing Rock Documents Expose Inner Workings of “Surveillance-Industrial Complex”
Whilst not directly related to information security, this obviously has a lot of privacy aspects, including online surveillance and all its related consequences.
If you read this report, you could be wondering who invented fake news first: the Russians accused of helping the current US president, or the American law enforcement community with some help from a private company?
This story very much shows the information age we are living in and the backlash the truth, or at least the perceived truth, can get when opinions and interests clash.
source: the Intercept (external link)
Publishers call for rethink of proposed changes to online privacy laws | Media
Part of the reason why subsequent changes are made to the (draft) ePrivacy regulation is those third-party advertising networks and the unlimited, automatic and shadowy way in which they profile all web users. So if these news organisations want to serve relevant ads, relevant being the keyword here, they will probably be using identical or similar techniques, which are still invasive of visitors’ privacy.
And as for automatic profiling: it is prohibited by article 22 of the GDPR, but also under current data protection regimes across Europe based on the old directive.
The problem is not the ePrivacy proposal; the problem lies more in the monopoly of those giant, all-American tech firms that are clearly not bound to the same rules and restrictions as their European rivals in the advertising business.
Besides all that, detecting whether I have an ad-blocker installed and commenting on it may also be against current data protection regimes. You are, whether I like it or not, invading my private computer to see what I have installed, even though this is done remotely.
source: The Guardian (external link)
Digital Privacy Is Making Antitrust Exciting Again
Interesting statement, which also shows the difference in the way of thinking between the European Union and the United States in the field of data protection (privacy).
The think tank quoted near the end of the article magnifies that by stating that privacy is about a company’s ability to not leak data. Well, in the US it may be so; in Europe it is also defined very clearly by the way the company itself is using (or, in the case of a lot of those tech giants, misusing) the personal data it has collected.
As for price as an effective measure in antitrust thinking: in these cases, where the currency is your personal data, we should look very closely at the impact on your personal life and freedoms that the misuse of that data by one organisation has, in which case I know which ones will be in trouble.
source: Wired (external link)
Making Google the Censor
Please let’s not go this way. See the previous article in this post as well. As long as we keep seeing those large tech companies as simply delivering a service or platform instead of having a real responsibility for what they deliver, which is a danger in itself, this problem will not be solved.
Do note that this article is published in America and probably written with the American freedom of speech culture in mind as well, but that does not mean there is no danger in letting, or even ordering, private companies to censor the Internet.
I have no answer to this issue either; the only answer I have is that companies making money from any and every bit of content published on their platforms (yes, also from advertising alongside hate speech and beheading videos) will never, in their own sole interest, be the best party to censor that content themselves.
source: NYTimes.com (external link)