Security News for the Week Ending April 26, 2019
As Terrorists Blow Up Soft Targets, Sri Lanka Turns Off Social Media
As Sri Lanka deals with multiple bombs exploding at churches and hotels, the country's response to the inevitable use of social media to fan flames and spread propaganda alongside legitimate news has been to turn off social media.
At the current time, it appears that 8 bombs went off, 200+ people were killed and 400+ people were injured. The target seems to be minorities and foreigners, which is often the case in terrorist attacks.
Facebook and other social media companies, in an effort to spin the news, said that they are working to remove content that does not meet their guidelines (which of course could be very different from the government's guidelines), but as we saw in Christchurch, New Zealand, doing that effectively is very difficult. Facebook and its cousins would like to be thought of as an important news source and not just a purveyor of trash and hate, so they are no doubt trying to figure out how to respond.
What is not clear is whether other governments (probably not the U.S.) will see this as an effective way to control the flow of information when they choose to (which could cover any number of situations, not just terrorist attacks) and follow Sri Lanka's example. If this does become more common, it will not be good for the social media brands. (Source: CNN).
Businesses Continue to Ignore Contacts About Data Which is Exposed
In this case, it was the Mexican Embassy in Guatemala. Thousands of documents, including passports and birth certificates as well as documents related to the embassy itself, were accidentally left publicly visible on a cloud storage provider.
But that is not my big concern.
Once again, the researcher contacted Mexican officials but got no response.
If a researcher contacted ANY person in your company saying they found a security issue, would every single employee know what to do? It is, after all, very simple.
CONTACT SECURITY and pass along the information that was received. Don't try to figure out whether it is a scam or how to fix it. Just contact security and let them deal with it; that is what they do for a living. If security then screws up, well, that is their fault. My guess is that, in this case, the information never made it to the right people. Eventually, the data was removed. (Source: Engadget).
China Has a New Export
China is the model of a surveillance state. Now China has figured out that it can make a lot of money exporting that technology to other countries. Ecuador is the prototype: 4,300 cameras, 16 monitoring centers and more than 3,000 people watching those cameras.
Oh, and in addition to spotting crimes, the video feed also goes to Ecuador's domestic intelligence agency. Other countries buying the Chinese surveillance gear include Zimbabwe, Uzbekistan, Pakistan, Kenya, the United Arab Emirates and Germany.
36 countries have received training on topics such as censorship (politely called "public opinion guidance"). (Source: The NY Times).
North Carolina Unveils Changes to Privacy Law
An amendment to the North Carolina Identity Theft Protection Act was introduced earlier this month. Among the changes, the bill:
(1) requires businesses to implement reasonable security practices (where "reasonable" is undefined and left for the lawyers to argue over after a breach);
(2) reduces the time to notify victims and the Attorney General (AG) to 30 days, as Colorado did;
(3) expands the definition of protected information to include health and healthcare information (which may also be protected under HIPAA, depending on how the business received it);
(4) clarifies that other information may count as covered PII depending on whether enough information was compromised to abuse it (for example, an email address alone is not covered, but it is if the email password is compromised along with it);
(5) changes the definition of a breach to unauthorized access, regardless of whether the compromised information is actually used;
(6) requires a business that determines a breach posed no potential harm to keep the documentation supporting that determination for three years;
(7) requires, for breaches at a consumer reporting agency (CRA) or any breach that involves Social Security Numbers, that the company provide 24 or 48 months of credit protection;
(8) expands the information a business may be required to provide to the AG after a breach;
(9) gives businesses that comply with GLBA or HIPAA a safe harbor FOR THOSE sections of the bill that overlap with those laws; and
(10) imposes other requirements on CRAs and on businesses conducting credit checks.
The bill also creates a private right of action for individuals who have been damaged. (Source: JDSupra).