Senate Republican Proposes Federal Privacy Bill

In an interesting turn of events, Republican US Senator Roger Wicker’s staff has written a draft federal privacy bill.  Its main goal is to overturn California’s privacy law, which goes into effect in January.

Of course, there are only 28 days between now and January 1, so I would be really surprised if the bill made it through the House and Senate and was signed by the President.  Still, it is interesting.

Wicker, who heads the Senate Commerce Committee, says it offers more detailed consumer protections, covers more companies, and has more explicit requirements that companies collect the minimum amount of personal data needed for their purpose.

*IF* that is true, I can’t imagine that Facebook, Google and the like will sign on to support it, but who knows.

I have not seen a copy of the draft, although the Senator has given Reuters a copy.

One challenge is this:  The Democrats won’t support a bill that preempts state law and the Republicans won’t support one that doesn’t preempt state law.  I am not sure how you resolve that.

Reuters says the draft covers any company doing business across state lines (a one person company?  Non-profits?), expands the definition of sensitive information to include biometrics, requires companies to have clear and conspicuous privacy policies (that no one reads) and would allow consumers to request to have inaccurate information corrected.

What I don’t see, from the Reuters article, is that consumers have any rights in their data.  No right to get a copy of their data, no right to stop companies from selling their data, no right to have their data deleted, etc.  BUT, I have not seen the actual draft bill.

If those rights are not there, I can’t see how Wicker can say with a straight face that the bill is better than California’s current law, unless he means better for Google, Facebook and others.

There also does not appear to be any right for consumers to sue.

If consumers don’t have any rights under this law and it preempts state law, then I think that the Facebooks and Googles of the world will support it, even if it isn’t perfect.

Wicker’s committee is holding a hearing Wednesday which will include lawyers from Microsoft and Walmart.

Wicker said “If there is something weak here, if there are other protections that need to be added, let’s add them, but let’s make it a nationwide standard.”

If he is serious, that is great, but I think that companies that earn all of their money by selling your data are not very interested in giving consumers rights to their data or the right to sue.

I said months ago that I doubted that a federal law would be passed and signed anytime soon.  The two sides are still far apart.  However, I could be wrong.

Stay tuned!  Source: Reuters

British Nuke Plant Attack Kept Quiet

The nuclear power industry has always been nervous about people’s fear of some form of nuclear meltdown.  Whether it was Three Mile Island or Chernobyl, the spectre of something bad happening at a nuclear plant has been the stuff of made-for-TV movies.

The UK Telegraph newspaper has obtained information, using a freedom of information request, that indicates that the UK National Cyber Security Centre, part of GCHQ (roughly the UK equivalent of the US NSA), has been helping a British nuclear plant recover from a cyber attack.

This news comes after reports last year from the FBI and DHS that the Russians (and not the Chinese) have been attacking our critical infrastructure since at least 2016.

Because they are worried that people will freak out, they are keeping the details of who was hacked and what was hacked secret.  I am sure that will make people feel better.  Unless the attack was really bad.  In which case not knowing and speculating might be better than knowing.

The document, from a Nuclear Decommissioning Authority board meeting, was dated March 13, 2019.  The Telegraph says that it is likely the first KNOWN successful cyber attack on a British nuclear plant.  I am not sure how comforting that is.  They are not suggesting that it is the first successful attack, but rather the first successful attack that we have heard about.

Since no one is providing details, we don’t know whether this is a Chernobyl-style issue or a random computer virus on an office computer.  On the other hand, if they had to ask GCHQ for help, I am guessing that it is not an office virus.

One security expert pointed out that if you assume whichever nuke plant or plants were hacked are no less secure than the ones that haven’t been hacked YET, it isn’t smart to tell other hackers how this or these plants were hacked.

This follows the revelation in October that an Indian nuclear plant was hacked – after the operator first said that reports of a hack were a lie.  I guess the lie was by the Indian government.

This also follows the WSJ article that said that more than a dozen US utilities were targeted (I assume successfully) by hackers recently.

In fairness, we should not forget that the US hacked Iran’s nuclear program years ago (Stuxnet).  We would say that we are the good guys, so that is okay.  Not everyone might agree with that interpretation, including Russia, so they might say that the US legitimized hacking the nuclear industry.  Source: The Telegraph.

Advertisers Still Want to Know Who You Are, What You Are Doing

As more users install ad blocking software and browsers such as Firefox and Safari start blocking some ad trackers by default, advertisers decided to come up with a new solution to track everything you do.

This new technique is a bit technical, but I will try to keep it high level.

Typically, the company tracking you is a separate company from the one whose website you are visiting, because advertisers want to know not only what you are doing on their website but what you are doing on every other website in the world.  That logic is what created the third-party ad tracking business.

But if you are visiting ABC.COM, the browser can see that the page is making a request to XYZ.COM – a third party – and tracking protection can block or restrict that request.

Those requests come in many forms.  The page might load data from, or send data to, that third party directly.

Or it might store a “cookie” belonging to that third party, tagged with the site you are visiting, so the ad tracking company can recognize you on every site where it is embedded.

As people have become wise to this and taken anti-tracking measures, advertisers tried Adobe Flash cookies (local shared objects).  That didn’t work well because many people (like me) think Flash is insecure, and even Adobe is killing it in December 2020.

So the ad trackers came up with a new idea.

If ABC.COM wants to track you, the ad tracking company asks ABC to create a new subdomain, say trackyou.abc.com, and point it at the tracking service with a DNS CNAME record.  Since trackyou.abc.com still ends in abc.com, the browser treats it as part of the site you are visiting: cookies for abc.com are sent to it, and third-party tracking protection doesn’t apply.  But since the tracking company actually runs trackyou.abc.com, it can collect whatever data it wants.  The technique is known as CNAME cloaking.

It turns out that it is possible, with some work, to block this if you use Firefox, but not with any other browser.  Firefox exposes a DNS API to extensions, so a blocker such as uBlock Origin can resolve the CNAME and see where the subdomain really leads; Chrome does not offer that.  Most browser makers are in the business of selling your data, so they are a bit conflicted.

In fact, a Google search provides lots of articles on how to do this yourself.
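The check those articles describe boils down to one rule: a hostname that looks first-party but whose CNAME chain ends in a different registrable domain is a cloaked tracker. Here it is as a small Python script. This is an added example, not code from the post or from The Register; the DNS records in RECORDS are constructed, the names trackyou.abc.com, static.abc.com and tracker-cdn.example are hypothetical, and PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List. For live use you would swap the dictionary lookup for a resolver such as dnspython.

```python
"""Spot CNAME-cloaked trackers: a first-party-looking hostname whose DNS
CNAME chain ends in a different registrable domain.

Added example, not code from the original post or from The Register.
RECORDS is a constructed stand-in for DNS; trackyou.abc.com, static.abc.com
and tracker-cdn.example are hypothetical names. For live use, replace the
RECORDS lookup with a resolver (e.g. dnspython) and PUBLIC_SUFFIXES with
the real Public Suffix List.
"""

# Minimal stand-in for the Public Suffix List: just enough entries to
# compute the registrable domain (eTLD+1) of the names used below.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}

# Constructed DNS data: hostname -> CNAME target.
RECORDS = {
    "trackyou.abc.com": "edge.tracker-cdn.example",      # delegated to a tracker
    "edge.tracker-cdn.example": "lb7.tracker-cdn.example",
    "static.abc.com": "abc-cdn.abc.com",                 # CNAME, but still abc.com
}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of hostname, e.g. trackyou.abc.com -> abc.com."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the left so the longest public suffix (co.uk before uk) wins.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def cname_chain(hostname: str, records=RECORDS, max_hops: int = 8) -> list:
    """Follow CNAMEs from hostname; the last element is the canonical name."""
    chain = [hostname.lower()]
    while chain[-1] in records:
        target = records[chain[-1]]
        if target in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or chain too long: %r" % chain)
        chain.append(target)
    return chain


def cname_cloaked(hostname: str, first_party: str, records=RECORDS):
    """Return the canonical name if hostname masquerades as first party but
    is actually served from another registrable domain; otherwise None."""
    site = registrable_domain(first_party)
    if registrable_domain(hostname) != site:
        return None        # openly third party: ordinary blockers already see it
    canonical = cname_chain(hostname, records)[-1]
    if registrable_domain(canonical) != site:
        return canonical   # first-party name, third-party operator
    return None


def audit_page(first_party: str, request_hosts, records=RECORDS) -> dict:
    """Map each cloaked request host on a page to the domain it really hits."""
    findings = {}
    for host in request_hosts:
        target = cname_cloaked(host, first_party, records)
        if target is not None:
            findings[host] = target
    return findings


if __name__ == "__main__":
    page_requests = ["static.abc.com", "trackyou.abc.com", "cdn.xyz.com"]
    print(audit_page("www.abc.com", page_requests))
    # -> {'trackyou.abc.com': 'lb7.tracker-cdn.example'}
```

Note that static.abc.com is also a CNAME, but it stays inside abc.com, so it is not flagged; the point is where the chain ends, not whether a CNAME exists. The same cookie scoping that makes the trick work is why it matters: anything set with Domain=abc.com is sent to trackyou.abc.com too.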

Advertisers are just trying to make a buck, not do you in (mostly).   Source:  The Register

Security News for the Week Ending November 29, 2019

The Problem with Big Data is, Well, That it is Big

On October 16th, researchers revealed that they had found an exposed Elasticsearch server holding 4 billion records covering 1.2 billion people.  The first data set contained information on 1.5 billion unique people (note these numbers do not exactly match), including work phone numbers and mobile phone numbers.  The second contains hundreds of millions of scraped profiles from LinkedIn.  The data appears to be linked to the “data enrichment” firms People Data Labs and OxyData.io, but both firms say that the server doesn’t belong to them.  They did not say that the data did not originate from them.  Likely, the server belongs to one of their customers.  The good news is that the databases do not contain passwords or credit cards, but there is still a lot of data there.  “Data enrichment” is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have, for example, is a person’s email, we can tell you how much they make, how many kids they have, the roads they travel on to work, etc.”  Source: Computer Weekly.

California DMV Made > $50 Million Last Year Selling Your Data

First the law requires you to provide all kinds of information to the DMV.  Then the DMV sells that information to anyone whose check clears.  And it does not need to ask your permission.  In theory the law restricts who it can sell your data to, but there are a lot of exceptions.  One example was a private investigator who bought the information and gave it to his stalker client, who killed the person.  Another is data brokers like LexisNexis.  Maybe the law should be changed, but in the meantime the DMV loves the cash.  Source: Vice

Another Public Leakware Attack

As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware“, leakware is becoming more popular.  Now we have the case of the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees).  Allied was breached and the hackers (the Maze ransomware gang, per Bleeping Computer) want money.  To make a point, they leaked 700 megabytes of data.  They say that they have 4 GB+ more to leak and will give it to Wikileaks.  They posted the sample data to Bleeping Computer’s forum, which took it down, and also to a Russian crime forum, which was not so accommodating.  The hackers initially wanted $2 million.  Now they want $4 million; Allied offered $50k.  A bit of a gap.  Allied says that it takes security seriously but didn’t say what it planned to do to protect the stolen data.  If these hackers are Russian, there really isn’t much it can do other than negotiate.  Allied brought in security experts after the breach.  While it is useful to close the barn door once the horses are gone and the barn has burned to the ground, that probably won’t make much difference to the customers whose data was compromised.  Stay tuned for lawsuits.  Assuming this trend continues, we need different defenses for ransomware: backups restore what was encrypted but do nothing about data that has already been copied out, so the defense has to stop the exfiltration, not just the encryption.  Source: Bleeping Computer

That Thanksgiving e-Card – Yup, It’s Malware

With the holiday season starting, the purveyors of malware  are in the holiday spirit too.  They are sending out millions of MALICIOUS, INFECTED e-greeting cards.

Open the card and you, too, will be infected.  In one campaign, the payload is the Emotet trojan, which steals passwords and installs other malware.

Open that card and all of your passwords will be sent to Russia or China or some other friendly place.

When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.

Then I hit the delete key.  Source: Bleeping Computer

Tips to Keep Remote Workers Safe(Safer) – Part 2

Yesterday’s list was so long I decided to break it into two posts.  Here is the second part.

To recap – here are some recommendations from Dark Reading. Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more. Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

11. Turn on auto update – Installing updates is a pain, and even though updates sometimes happen at inconvenient times, they are important.  The challenge with updates is that there are so many.  Whether it is your laptop, phone, tablet, desktop and then, of course, all of the applications too.  Add to that your firewall, digital assistant, Wi-Fi and whatever else.  Updating it all could be a full-time job.  Which is why so many updates are missing.  One of the largest data breaches in US history (Equifax, 2017) traced back to a single unpatched Apache Struts flaw.  If it is possible to automatically update, turn that feature on.  It just makes life easier.  ESPECIALLY for those Internet of Things devices.

12. Segment off your personal network – here is one you probably didn’t think of.  Put your work computer on its own network segment: a separate Wi-Fi network (many routers offer a “guest” network, or you can use a VLAN) with no route between it and the rest of the house.  If you isolate your work computer, then when your kid’s computer gets infected, the malware can’t reach you.

13.  Use a password manager – passwords are a weak spot.  People can’t remember a thousand passwords so they either make them all the same, so when one web site is breached, they all are or they make them easy to guess.  Some people ask their browsers to remember their passwords.  After all, what could go wrong by asking the one part of your computer that talks directly to the Internet to store all your passwords.  There have been numerous attacks against browser password stores and many companies disable that feature for that reason.  Password managers actually make using unique, crazy passwords easy.

14. Enable Multi-Factor Authentication – Not only that, but it is better to do it with an app such as Google Authenticator or Authy than with a text message: SMS codes can be intercepted or redirected by SIM-swapping your phone number, while app codes are computed on the device from a shared secret and never cross the phone network.  If you have the option and a business is storing your sensitive data – like a bank – and they don’t offer multi-factor authentication, find a new bank.  I mean it.  Really.

15.  Avoid Browser Extensions – Speaking of not asking your browser to do un-natural acts, browser extensions are often security nightmares.  To the extent that you can avoid them, do so.  For one thing, it slows things down.  For another, many times they have bugs.  And going back to number 11, they often don’t automatically update.  It is a matter of security vs. convenience.  Your choice.

16.  Carry a spare portable battery for your phone or tablet – DO NOT use those handy USB charging ports in airports and other public places.  They can literally infect your device.  An alternative to a portable battery is to use the AC power outlet.  That won’t infect things.

17. Make sure you share documents securely –  In the mortgage business where I spent many years, loan officers often asked for bank statements, tax returns and other personal information via email.  Not exactly secure.  If you don’t have an ENCRYPTED email solution, ask your company for one.  If you need to control access, don’t use solutions like Dropbox.  Work with your IT department to figure out the best, secure, controlled access solution.

18. Be skeptical.  And then be more skeptical – you have a lot of things to do.  You have a lot of emails to read.  You have a lot of web sites to visit.  Bad actors are counting on that.  We hear about people falling for scams every day.  The FBI said that between June 2016 and July 2019, losses from business email compromise scams reported to it totaled over $26 BILLION.  That is a lot of money.

19. If you have a remote working policy, follow it.  If you don’t have one, create one –  When it comes to reducing risk, you need to tell employees what they should and should not do.  If you don’t have one then you can’t complain if employees do things you don’t want them to.  For certain industries, these policies are legally required.  In fact you should have a complete set of security policies which are in addition to typical employee HR policies.

20.  Last but not least, get to know your IT and security folks – we really don’t want to make your life difficult.  We are working hard to protect the company and that includes making sure the company does not get breached or sued due to losing customer’s data.  Those kind of incidents can cost a company a lot of money and sometimes that translates to layoffs or even closing the company’s doors.  If you need something, ask.  We may not be able to do it, but hopefully we can explain why.

That is the end of this list.  If you have questions, please reach out to us – refer to number 20 above.
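Item 14 says to prefer an authenticator app over SMS. What such an app actually does is small enough to show in full, and seeing it makes the point: the code is derived from a secret stored on the phone and the current time, so there is nothing for a SIM swapper to intercept. Below is an added example (not code from the post or from Dark Reading) implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, plus the server-side check with a small clock window and replay rejection. The base32 string in the demo is a constructed secret like the ones embedded in enrollment QR codes.

```python
"""TOTP as an authenticator app computes it (RFC 4226 HOTP + RFC 6238 TOTP),
plus the server-side check with a small clock window and replay rejection.

Added example, not from the original post or the Dark Reading list. Uses only
the Python standard library. The base32 secret in the demo is constructed.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, counter as 8-byte big-endian), then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; decode it, padding as needed."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_used=None):
    """Server side: accept the code for the current step or +/- `window` steps
    (phone clocks drift), compare in constant time, and never accept a step
    at or before the last one used, so a sniffed code cannot be replayed.
    Returns the accepted counter (store it as the new last_used) or None."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    key = key_from_base32("JBSW Y3DP EHPK 3PXP")   # constructed demo secret
    now = int(time.time())
    code = totp(key, now)
    print("code:", code, "accepted step:", verify_totp(key, code, now))
```

Two details matter on the verifying side: the comparison is constant-time, and the accepted counter is persisted so the same six digits cannot be replayed within the window. The window is also why a phone whose clock is a minute off still logs in, and why a sniffed code is only useful for about 30 to 90 seconds.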

Based on information from Dark Reading.

Tips to Keep Remote Workers Safe(Safer)

As my son likes to say, nothing is bulletproof – it all depends on the size of the bullet.  Likewise, nothing is 100% secure (except the computer that has never been taken out of the box), but your actions can improve the odds dramatically.

Here are some recommendations from Dark Reading.  Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more.  Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

So here are the tips:

  1. When working remotely, use two computers – one for work and one for personal stuff.  Besides the fact that malware on one might not infect the other, there are many other reasons that you might want to do this (like not wanting your boss to snoop on your personal stuff or backup your nude selfies on the company backups).
  2. Use only approved software on your company computer – many companies won’t let you install other software but many do let you.  There is a reason they approve the software that they do;  it goes through a vetting process.  It might be inconvenient, but so is getting breached.
  3. Don’t rely on a consumer-grade router, Wi-Fi hotspot or Firewall – I could go on all day about this one.  If your router, Wi-Fi or firewall is provided by your home Internet provider, you can assume that it is the best equipment that your provider can buy for $5 or $10.  Some Internet providers require that you use their equipment but there are no rules that say that you can’t put your own  firewall between the box your Internet provider uses and your computers.  That is what I do.  My firewall cost me $200.  But it runs the same software that you use in your office.  This is a case of you get what you pay for.  My Internet provider has not patched their firewall since 2013.    I am sure that there were no bugs fixed in the last 6 years.
  4. Ensure that your Firewall is configured securely – Your Internet provider will configure any equipment that they provide to minimize the number of support calls that they get.  That saves them money.  If that happens to make things more secure, that is a coincidence.  Mostly, it will make things less secure.  YOU are responsible for the security of your home network.
  5. Connect to your corporate network using a VPN – Using a VPN will definitely improve the security of your connection.  If you are a techie and you manage cloud servers from home, use a VPN connection to manage those as well.  Again, many free VPN services are worth exactly what you pay for them.  And some of them are even run by China – I am sure those are very secure.
  6. Be wary of public Wi-Fi – I am sure that your local coffee shop has all the best intentions when they offer you FREE Wi-Fi, but again, you get what you pay for.  Their IT department likely manages the network in between grinding and serving coffee.
  7. Harden your wireless access point(s) – There are lots of ways to improve the security of your Wi-Fi, especially when you are located in a high density location.  A friend of mine lived in New York and never paid for Internet; he only mooched off neighbors’ Wi-Fi.  Wi-Fi 6 is coming soon, as is WPA3.  Both will improve your security, but both will require either software or hardware upgrades.
  8. Keep a very close watch on your stuff when you travel – I recently did a TV interview discussing a poor fellow who got his credit cards stolen while he was in the grocery store.  90 minutes later the crooks had racked up $23,000 worth of charges on his cards.  Hotel rooms and hotel safes are notoriously insecure.  If you don’t need to take it when you travel LEAVE IT AT HOME!  Otherwise, secure it as best you can.
  9. Update system and software patches regularly – this includes your phone and your tablet, in addition to your computer and ONLY update from a secure location – NEVER from public Wi-Fi.  Note that this includes all of your apps in addition to your operating system.
  10. Update your system’s firmware – do you even know what firmware is?  It is the software that runs the software that you see.  Almost nothing is done in pure hardware these days.  That includes updating the firmware in your firewall, router, Wi-Fi and especially your phone.  Some equipment can be configured to automatically update (Apple is really good about this) and while that might, occasionally cause problems, overall, auto-update is the way to go.
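Items 3 and 4 say to put your own firewall behind the provider’s box and configure it yourself, and item 12 in Part 2 says to keep the work computer on its own segment. One ruleset can do both. The following is an added example, not something from the post or the Dark Reading list: a minimal default-deny nftables configuration for a small Linux firewall. The interface names are assumptions (wan0 faces the ISP box, lan0 is the family network, work0 is the segment for the work laptop), as is the choice to run DNS/DHCP on the firewall itself.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the post or Dark Reading. Interface names are
# assumptions: wan0 = toward the ISP box, lan0 = family network,
# work0 = isolated segment for the work laptop.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Internal hosts may use the firewall for DNS and DHCP; nothing is
        # opened toward wan0, so the ISP side sees only closed ports.
        iifname { "lan0", "work0" } udp dport { 53, 67 } accept
        iifname { "lan0", "work0" } tcp dport 53 accept
        # Administer the box from the family LAN only.
        iifname "lan0" tcp dport 22 accept
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Each segment may reach the Internet ...
        iifname { "lan0", "work0" } oifname "wan0" accept
        # ... but there is deliberately no lan0 <-> work0 rule, so an infected
        # family PC cannot reach the work laptop, and vice versa.
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Check it before loading with `nft -c -f home.nft` (syntax only), load with `nft -f home.nft`, and confirm with `nft list ruleset`. The two policies that matter are the `policy drop` on input and forward: anything not explicitly listed is refused, which is the opposite of the “minimize support calls” default the provider’s box ships with.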

Come back tomorrow for more tips.  That’s all for now.