The niner noteworthy stories of 2017 (week 29)

These are the noteworthy stories, in no particular order, that peaked my interest for this week.

Hacker steelt info van half miljoen Belgische patiënten

So for those who thought that security breaches in medical systems are something that don’t happen on the European mainland, think again.
The most troubling information from this breach is the fact that the medical appointment system apparently only used username and password as single factor as well as that the passwords were stored in the clear too.
The general password advise given, if you used the same password etc. etc., unfortunately is necessary, but this breach could have been prevented if the company responsible had taken more care in the health of their security posture.
source: De Tijd (external link)

Dow Jones customer data exposed in cloud error

Cloud error or just plain neglect or simply lack of qualified personel or lack of security awareness?
On the other hand, what’s that data doing on an AWS share in the first place, is that really necessary?
The comment from the spokesperson they did not notify because they didn’t have to sounds pretty arrogant as well as careless. With these kind of cases there is always a difference between having to notify by law or being good custodians of the personal data of your clients and wanting to notify because of that, Dow Jones is clearly not one of the latter good custodians judging by this behaviour.
source: TheHill (external link)

Forgotten your Myspace password? Just a name, username, DoB will get you in – and into anyone else’s, too

That Belgian site I just wrote about did not secure the passwords in hashed format on their system, MySpace does though. On the other hand, if you can get access to any account by knowing the full name and username and either guess or search for the associated date of birth then it really doesn’t matter how the password security is setup.
It looks like this company is declining in all ways possible: users, ranking, web traffic and security. Although the latter may never have been up to any standard at all.
So yes indeed, if you are one of those that may still have an account on this site, now you know how to obtain access and delete it before it’s too late.
source: The Register (external link)

Mariano’s, Kimpton Hotels sued over alleged collection of biometric data: ‘It’s something very personal’

Yes all those workers are absolutely right in their fears and concerns. Whilst biometrics could help in some security instances, they are not the silver bullet of physical security and pose a significant risk to the people involved. Besides all the false positives and negatives, biometric data can never be reset.
Ones lost, compromised or stolen it can never be used for something else reliably. One business contact of me reminded me of this fact by referring to the 2015 OPM breach where his data was compromised holding all ten of his fingerprints, effectively rendering them useless for the rest of his life.
One other thing, not security or privacy related, that strikes me in this article is that a lot of these companies are introducing this to combat coworkers punching in for others who aren’t actually there. Besides the fact that there are probably better ways to do something about this apart from introducing biometrics, this seems to be more a problem of company’s not trusting it’s own employees.
source: Chicago Tribune (external link)

iCloud security flaw put iPhone, Mac passwords at risk

An interesting bug that, fortunately, has been fixed long time and is not that easy to exploit. As the article states, two-factor authentication (not to be mistaken for Apple’s earlier two step verification) would have made this attack almost impossible.
Then again, only one flaw would make stuff insecure. As we have seen in the last two months Apple has been particularly good at that.
Remember the root account bug in MacOS High Sierra? That was it seems only one in a series of stupid mistakes that in smaller or larger amount compromised security on Apple devices recently.
Also this year the amount of Mac malware seems to be growing. So besides Apple’s blunders, the operating system is becoming more and more interesting for miscreants as well. Which means that Apple’s screw-ups won’t really help us Apple users to stay secure.
If you have no anti-virus or other protection software installed, now is a good time as ever to do so. That is for what those software packets are worth anyway, but that’s a different story. And yes I have them installed myself too.
source: ZDNet (external link)

Burglary in mind? Easy, just pwn the home alarm

Internet of Threats anyone? So much for the smart, I mean vulnerable, home security system. This is precisely why I stick with smart devices that have no direct impact to the physical access to my home. I’m even a bit squeamish on “smart” thermostats although they would benefit me greatly for accessibility reasons.
When are IOT vendors finally going to learn that this kind of behaviour is unacceptable?
The only smarthome system that had default high security requirements was Apple’s Homekit, although they dropped one part of that by no longer requiring a special hardware security chip to be included in all devices.
Then again, Homekit security was compromised earlier this month and Apple had to disable remote access for all guest users to a Homekit home for over a week until they could roll-out a software update that fixed the security hole. Add that to the list of Apple’s recent security blunders.
source: The Register (external link)

‘It was always going to happen’: Inside the cyber-attack on parliament

Good response and indeed probably coordinated or at least not a fully automated or amateur attack in this case. Good to see that 2 factor authentication is now rolled out to all accounts. On the other hand I still wonder why that still needed to be done in 2017.

source: BBC News (external link)

Yes, Canada could lose its adequacy standing

Interesting, besides the adequacy discussion itself, is the mentioning of rather not wanting to use privacyshield, binding corporate rules or standard contractional clauses as opposed to full adequacy.
As at least two out of these three alternatives are currently under legal fire moving to the European Court of Justice, that choice is certainly warranted.
Also the note on the five eyes countries not being a positive point on the adequacy scale, that could also have an interesting impact to the current discussions and future relationship between the European Union and the United Kingdom who is a member of the five eyes as well.
on that topic the IAPP (external link) posted a related article, this one also hints at some Canadian agreement issues related to data transfers as well
source: IAPP (external link)

Brexit Britain must move fast to keep data flowing with

One other thing that might hinder that adequacy decision however is the UK’s investigatory powers act (snoopers charter) I suspect. Also it’s membership of the five eye’s nations will certainly not help, we already see that in the Canada case too.
GDPR will be less of a problem for the private sector, this is I believe because of the extra-territorial scope of the regulation. Law enforcement data however is an entirely different beats that needs to be tackled separately. We see something similar going on this year between Europe and the US where regular transfers are handled under the privacyshield, yet law enforcement and criminal records data requires a separate agreement.
Since the hole brexit soap hasn’t become particularly more clear over the autumn, I doubt much has changed in respect to the adequacy and international data flows opinion poised in this article.
source: WIRED UK (external link)

Bonus article

Our personal data are precious – we must take back control

The only comment I have is just this: read this article and take it’s message to heart. And if you want to know the real extend, for as much as it could be ascertained, then just
read this as well.
source: The Irish Times (external link)