Friday News for May 11th, 2018
Irish High Court Deals Blow to Facebook
In yet another case that could deal a blow to the way Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its “referral” to the European Court of Justice. The case in question concerns whether “Standard Contractual Clauses” and the U.S. Privacy Shield provide sufficient protection for E.U. residents’ private data. Facebook wants to appeal the decision to turn the question over to the ECJ to the Irish Supreme Court, because the last place it wants to be is in front of the ECJ, the court that ruled against it in the last privacy suit and in doing so destroyed Safe Harbor, the predecessor to Privacy Shield (Source: Reuters).
Georgia Governor Vetoes Cybersecurity Bill
The Georgia legislature recently passed a cybersecurity bill that would likely have criminalized cybersecurity research and allowed so-called hack-back attacks, where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?). The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime. Equally likely, the large cybersecurity firms with offices in Georgia would have left the state, and security researchers at Georgia universities would have found more understanding states in which to do their research. Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high-paying jobs, the governor did the expedient thing: he vetoed the bill and told the legislature to find someone who knows something about security before it writes the next version (Source: CSO Online).
IBM Bans All Removable Storage
IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company. IBM’s Global Chief Information Security Officer made the announcement, saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t saying “Why now?”, but likely someone screwed up big time.
That being said, it is relatively easy to implement this ban technically, and if it is done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others, it will likely reduce certain types of information leakage.
What is or should be your company’s policy? (Source: Gizmodo)
Beware of those Browser Extensions
Social engineering is still a very popular way to get you to load malware. Researchers are warning people of a campaign, said to have already infected a hundred thousand users, in which people are lured into clicking a link on social media that redirects them to a page telling them they must install a plugin or browser extension to continue reading. DON’T! Once the user invites the software in, it steals passwords for a variety of accounts. Other variants of this type of attack could empty your bank account when you log in to your bank, or forward all of your email to the hacker.
If you think you need a plugin or browser extension to view a page and it is not already installed, independently find that extension and install it from the vendor’s site. Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (Source: The Hacker News).
The Dangers Of Government Surveillance
The conversation often comes up about trusting the government with all of the data that they have of ours. Some people say there is nothing to worry about if you didn’t do anything wrong.
And then reality creeps in.
Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is meant to record and track phone calls to and from prisoners.
Unfortunately, he used it to track the calls of a judge and members of the State Highway Patrol. This allowed him to track the location and obtain the call data of these people, and of anyone else he wanted to.
Securus requires the requester to upload a document authorizing the request and to certify that the activity is legal, which is basically pinky swearing.
When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.
Sometimes trust is good, but verifying is usually better.
How much of this activity goes on? Who knows (Source: NY Times).