The niner noteworthy stories of 2017 (week 26)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

A new ransomware outbreak similar to WCry is shutting down computers worldwide

Ransomware is used to make money; this one, however, seems hellbent on destruction rather than making money. As Ukraine was the country most heavily hit, it would be easy to conclude that Russia was behind it, yet targets in Russia itself were victimised as well. Collateral damage, or deliberately targeted to mislead about the true intentions?
A subsequent article by Ars Technica (external link) substantiates the Russian claim as well as the destructive nature of the NotPetya outbreak in June.
source: Ars Technica (external link)

WannaCry helps speeding drivers dodge fines in Australia

Well well, even a couple of weeks after the major outbreak. Interesting to know also that those cameras apparently run Windows, or at least an operating system that has an SMB protocol stack (Samba on non-Windows systems) installed and open to the network as well.
Lucky Aussies obviously, but it does highlight the problem that even on closed networks you need to be extremely careful. Scanning USB sticks before they enter such an environment is one mitigating control that might have helped in this situation.
Then again, they clearly weren’t the only ones that got hit long after the main wave, as The Register (external link) reports in this article.
Honda was the target in this case, although it wasn’t clear whether this was the original or one of the variant versions of the WannaCrypt malware doing the rounds here.
And yes, mitigating controls probably would have helped here as well.
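One concrete form the USB-scanning control mentioned above could take, as an added example that is not code from the original post: a pre-admission screen that walks a mounted stick and refuses it if it carries autorun files, executable or script types, document-lookalike double extensions, or any file whose SHA-256 is on a blocklist. The mount path, the suffix list and the blocklist hashes are assumptions of this example (the hash in the blocklist is a constructed placeholder, not a real indicator).

```python
"""Pre-admission screening of removable media for an isolated network.

Added example, not code from the original post. It assumes the stick is
already mounted (ideally read-only) at some path and walks it looking for
files that should never be carried into a closed environment.
"""
import hashlib
import os
from pathlib import Path

# Constructed placeholder hash; a real deployment would load the blocklist
# from the organisation's own incident records or a threat-intel feed.
BLOCKED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

# File types (an assumed list) that have no business on a stick destined
# for a camera network.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                  ".vbs", ".js", ".lnk", ".msi"}
AUTORUN_NAMES = {"autorun.inf"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large media do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, blocklist=BLOCKED_SHA256):
    """Return the reasons this file should be refused; empty if clean."""
    reasons = []
    name = path.name.lower()
    suffixes = [s.lower() for s in path.suffixes]
    if name in AUTORUN_NAMES:
        reasons.append("autorun file")
    if suffixes and suffixes[-1] in RISKY_SUFFIXES:
        reasons.append(f"executable type {suffixes[-1]}")
        # "invoice.pdf.exe" style names try to pass as documents.
        if len(suffixes) >= 2:
            reasons.append("double extension")
    if sha256_of(path) in blocklist:
        reasons.append("hash on blocklist")
    return reasons


def screen_removable_media(root, blocklist=BLOCKED_SHA256):
    """Walk the mount point; map each refused file (POSIX-style relative
    path) to its list of reasons. Symlinks are refused outright because
    they can point outside the media."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                findings[rel] = ["symlink"]
                continue
            reasons = classify(p, blocklist)
            if reasons:
                findings[rel] = reasons
    return findings


def admit(root, blocklist=BLOCKED_SHA256) -> bool:
    """True only when nothing on the media was flagged."""
    return not screen_removable_media(root, blocklist)


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in screen_removable_media(mount).items():
        print(f"REFUSE {rel}: {', '.join(why)}")
    print("ADMIT" if admit(mount) else "REFUSE MEDIA")
```

The screen is deliberately deny-by-default on file type rather than relying on the hash blocklist alone, since a fresh variant will not be on any list yet; the blocklist catches the known samples and the type rules catch the unknown ones.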
source: BBC News (external link)
(update on July 7th) Apparently those traffic fines have been reinstated, so the “lucky Aussies” remark was premature and is hereby revoked too.
source: ZDNet (external link)

leaves data dashboard users’ details on publicly accessible site

And after reading this, are you still wondering why it is such a bad idea to exempt governments from data protection fines, or to leave them capable of collecting massive amounts of data about their citizens?
They clearly can’t even keep a file with usernames and (okay) hashed passwords secure.
Whilst this seems a small, insignificant incident, the potential for a massive impact is certainly there. Besides, if this small incident is exemplary of how the UK government handles sensitive and personal data, then the problem could even be systemic.
source: The Register (external link)

Civil rights warriors get green light to challenge UK mass surveillance

Is this entire Snoopers’ Charter story, the upcoming GDPR and the clear rulings against bulk collection by the European Court of Justice the real reason behind Brexit?
In all seriousness, the Snoopers’ Charter, specifically the parts referred to here, won’t stand a chance in the ECJ I suspect. Then again, as long as the UK is party to the European Charter of Human Rights, these parts go against the fundamental right to privacy (article 8 ECHR) as well.

Do note that with the Investigatory Powers Act the UK is going much further than any other country on this planet with a democratic system, and yes, that includes the United States. Although I must add the caveat that in the case of the US that comparison only holds for US citizens, not for foreigners.
source: The Register (external link)

Internet regulation: is it time to rein in the tech giants? | Technology

Yes it is, and if you look at all the side-effects the question is rather whether we are already too late or whether there is still time to turn the tide.
Take this article and add the knowledge of data brokers and data mining plus profiling I have written about here and you will quickly realise where this is going.
Relying on those tech behemoths to censor the net on our behalf isn’t the answer either, on the contrary it will only make the problem worse.
Facebook has even recently admitted that you can get a depression from using their platform. But counterintuitively, rather than offering medication for it, they provide more poison by stating that the cure is, yes you guessed it, more Facebook. Well no, it isn’t.
source: The Guardian (external link)

Wetherspoons just deleted its entire customer email database – on purpose

It is very likely that they came to their senses and took this step because of ICO fines imposed on other companies. That would be one of the few instances of a company actually learning from mistakes made by others.
Then again, the whole publicity around it raises more questions than it answers. What may be more worrying for privacy-minded people now is that they have to go to anti-privacy sites in the social media domain to see if there are any special offers (okay, the website of the company itself as well, which is sure to have enough trackers on it too).
So this entire story gives a mixed picture when it comes to data protection. And what do they mean by holding “almost none” when they mention the amount of personal data they hold?
source: WIRED UK (external link)

Cyber attacks have long-lasting business impact

Whilst I understand that an insurance company says that you need to prepare for the full costs of an incident, I would say prepare as much as possible to mitigate the risk of an incident and only then prepare for the cost related to the residual risk.
Breaches (ransomware effectively is a data breach), spear-phishing, whaling and other incidents in which data gets lost, corrupted, stolen or misused will always occur and will be costly. Can you get an insurance policy that covers it all? Probably not.
Insurers are not there to help you mitigate your risk; you can only transfer some of it, as you will remain accountable for all of it. They also have their own methods of risk avoidance, which you can read about here.
source: Reuters (external link)

Your fingerprints could replace your airline boarding pass

The conclusion in this article, namely that there are better and less privacy-invasive (and less body-part-invasive) ways to speed up boarding, is absolutely correct. This article also references the program on foreign visitors and the over-extended use of biometrics within that program (see the next article to read more on that as well).
The privacy policy of the company that stores all that biometric data is not very user-friendly either, as they won’t delete your data if you cancel your membership; you have to request that separately.
Is this last bit an example of the way US companies generally treat the privacy (data protection) of their customers? There is no reason to keep that data after the membership has ended, and under European data protection regulations you are not allowed to keep that data stored at all after termination.
Besides all that, how trustworthy are biometric systems, especially when used at very large scale?
source: Finance Yahoo (external link)

Facial Recognition Scanners at Emirates Airline to Speed Passenger Processing

So where Emirates is clearly implementing this for speedier boarding and passenger comfort, JetBlue and the US government are clearly attempting to misuse biometrics to solve immigration issues (link: HowStuffWorks (external link)).
It will be interesting to see if and when European airlines may want to pick up on this biometrics craze in the travel industry. Effectively this will come with a big mark on top of it saying “special category of data”, as stated in article 9.1 of the GDPR.
Another interesting fact in this is that the largest community cloud provider in the aviation industry, Amadeus, is based in Spain and therefore will fall fully under the GDPR as well. The question is then what the side-effect of this will be for non-EU airlines using the platform. Although in these cases Amadeus may only be the data processor in the relationship, and they will only get added security and privacy protection for good measure.
source: Skift (external link)