The niner noteworthy stories of 2017 (week 27)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Google ships WannaCrypt for Android, disguised as Samba app

How interesting? With almost 99 percent of mobile malware already targeting the Android operating system and the levels of total malware in the mobile space growing in 2017 as compared to the previous year, Google thought it a good idea to help the miscreants a bit?
Or are they really that lame? Especially after the two big ransomware attacks, both of which used this very protocol to spread.
source: The Register (external link)

Massive cyber-attack could cost Nurofen and Durex maker £100m | Business

Either there are connections between the plants and the sales and other office departments, or they were hit via separate attack vectors. The fact alone that production was hit says that the security at their factories is not up to scratch.
Interesting though that they were able to recover quickly, which means they have either good backup and restore capability or reserve equipment on standby.
Let’s hope that one of their brands provides better security (safety) to the couples who use them than the IT security of the factories that produce them seems to offer.
source: The Guardian (external link)

RSA SecurID admin console can issue emergency access to decent social engineers

And then to know that those RSA tokens plus licenses are quite expensive too.
The most interesting bit here is the fact that rather than making your users security-aware enough to make sure they always have their tokens with them, you expose your entire access control portal to a level of ease-of-use that makes the system effectively insecure.
Putting it behind a firewall, as the article suggests, probably won’t help, or will not be done, for the simple reason that most of those token solutions are used for remote access in the first place.
source: The Register (external link)

The AA Exposed Emails, Credit Card Data, and Didn’t Inform Customers

It seems that 2017 is the year of the open and publicly accessible datasets, as this case and others I wrote about are indicating.
The worst thing in this one is not the way they picked it up, apparently it was solved rather quickly, but the fact that affected customers were not notified at all. Something which would be interesting if it happens again after the 25th of May 2018, when data breach notification, under certain conditions, will become mandatory.
In the end however they had to notify their customers as this article by The Register (external link) clearly shows. The most interesting bit in their statement however is that they are blaming this on a 3rd party supplier.
Interesting because, as a data subject, I may not care whether it was a 3rd party supplier or your own company: as the data controller you are liable for the breach. Under the GDPR the data processor will get its own liability too, but the main accountability will remain with the data controller.
source: Motherboard (external link)

Inside the darknet: where Australians buy and sell illegal goods | Technology

Medical data plus dark web equals disaster I suppose. There is no doubt about that one.
And yet the Aussie government then goes on to say it’s just criminal activity, not a hack of some kind, as “stolen” credentials were used. Well, as a Medicare user I would not care which of the two was the cause of the breach; the end result, meaning unauthorised access, is identical and similarly damaging.
The statement from the government can be read in this article by The Register (external link).
Besides that, if it were indeed stolen credentials then why is that medical data accessible with only a username and password in the first place?
source: The Guardian (external link)

FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators

Why is this news? Probably only because the two government agencies are bringing out a warning report on the matter I suppose.
Industrial systems are notoriously insecure, running on outdated software, and if air-gapped they rely heavily on USB drives when data needs to be transferred between the operational environment and the office network.
Although, specifically for the last issue, there are data diodes available (network devices that only allow data to flow in one direction and only over a very specific protocol).
For the insecurity of older operating systems and software there is no quick fix available. There is also a good reason why this is the case.
Have you ever tried to secure a 10 to 30 year old computer network against modern day threats? Next to that comes the fact that most if not all of those systems need to be certified to allow them to operate in, for example, a nuclear facility. Change the computer systems or the software and you may have to re-certify the entire installation, not something you really want to do.
source: Ars Technica (external link)

Google DeepMind deal with NHS broke UK data law, rules ICO

If you have been following my blog regularly, you will remember that I have written about this topic before. See e.g. this link or search on “deepmind” in the search box at the top of the page.
I really wonder what improvements the hospital has implemented. It is a pity though that the work of the ICO took over a year to be completed, all the while the privacy violations could continue.
That they in the end found that the trial failed to comply with the Data Protection Act (1998) is not really surprising though.
Google also admitted that it had “underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.” Underestimated? Really? Or is this ostrich language for “ignored”?
source: Ars Technica (external link)

Why all online threats feel like privacy threats: information commissioner

A nice look into the Australian way of privacy laws and data protection. Interesting to see that there will be a mandatory code of conduct as well as breach notification under conditions in Australia as well. Specifically the breach notification bit seems something that is getting more and more global attention and put into mandatory requirements worldwide too.
A data driven economy needs to be built on good security and trust. For that to happen though, a lot needs to be done, and the current tide of data misuse needs to be turned rapidly.
source: The Mandarin (external link)

Could new data laws end up bankrupting your company?

Such a pity, the article by the BBC looked like a well written piece. Until they started talking about consent and being able to withdraw it whenever we liked. Unfortunately for the BBC, that’s not new under the GDPR and is a right we already have under current data protection laws.
As for the 72 hour reporting window, there is a possibility there to extend it. However you really need to be able to show why that was absolutely necessary.
I do like their man-with-his-head-in-the-sand picture with the question whether that’s your GDPR attitude though. This article is not too bad overall; there are some obvious mistakes in it, as I have pointed out.
The fact that a proper data audit needs to be your first step is something I fully agree with. If you don’t know where your data is and what data you actually have, a data protection impact assessment is next to useless, or at least a waste of time and resources. DPIAs need to be done, but not as the first item of your GDPR checklist.
source: BBC News (external link)