Follow on to Google+ Breach and Notification
I recently reported about Google getting in trouble for hiding a breach discovered in March.
The first thing to point out is that it is unlikely that Google broke any laws. The current breach notification laws in the U.S. give a company the wiggle room not to disclose a breach if it reasonably thinks that the risk of harm to breach victims is low. Each state words that differently, but obviously Google figured that they could wiggle their way out of this, and they did until they were outed by none other than that bastion of big business – the Wall Street Journal.
Whether the fox should be making that decision regarding henhouse security or not is a separate issue, but that is the state of breach laws currently in the U.S. They say that is so that we don’t overtax people’s brains, but I don’t particularly believe that.
The second point is more interesting. Google made the determination that no one would be harmed by looking at TWO WEEKS’ worth of log data, because in a very un-Google style strategy, they only kept two weeks’ worth of log data. So a bug that had been around for years had to be analyzed using two weeks’ worth of log data.
All of this points to the challenges that all businesses have when it comes to breach notification issues, both in the U.S. and internationally.
Mikrotik Routers susceptible to Stealing Your Data
In May Mikrotik announced a bug (and a patch) that allowed an UNauthenticated user to download the password file, which was not encrypted. What kind of a problem could that cause anyway? Of course, most users who buy a $49 plastic box at Best Buy and shove it in a corner are likely to patch it right away when Mikrotik announces on their blog that a patch is available (hint: not). But Mikrotik also makes enterprise routers that are also susceptible. Hopefully at least some of those are patched.
Last month Mikrotik announced another bug where authenticated users could take over the router and run any software that they wanted, effectively eavesdropping on all inbound and outbound traffic or running a cryptomining operation on your machine. Combined with the first bug, that turns an unauthenticated attacker into an authenticated one. Several hundred thousand routers have not installed the first patch and thousands have already been compromised.
The moral of the story is patch your router and especially do that if your router has a Mikrotik logo on it. (Source: The Hacker News)
Cathay Pacific Loses Info on 9.4 Million
Cathay Pacific admitted to losing control of records on 9.4 million passengers six months ago. The good news is that the event occurred prior to the effective date of GDPR, so the fines will be much smaller. The bad news is that they are based in Hong Kong, China, so there could be other “penalties”.
The South China Morning Post says that the Chinese government is not happy about the breach (maybe they are jealous that they didn’t do it?).
Among the data stolen were name, address, phone number, email address, nationality, travel history and passport information.
Cathay Pacific has hired Experian to provide credit monitoring services. This may be a good choice because Experian has had so many breaches of their own that 9 million people whose information was just stolen would be happy to give more of that information to a company that gets hacked on a regular basis (I am guessing not).
Apparently it has been trying to figure out whose data was stolen since May (call it 100+ days). Remember that GDPR gives you 3 days, so they are kind of on the wrong side of that number by 97+ days.
As breach notification laws become stricter and the fines get higher (if this were a California business and CCPA were already in effect, a class action asking for $750 x 9.4 million = $7 billion would already have been filed), businesses need to get much better about their incident response programs. You need to be able to figure out who got in, when they got in, what they took and who you are going to engage, and do it very quickly. Source: CNN.
Russian Spy Gathered Info On Non-Profit’s Cybersecurity Defenses as a Student in the US
Accused Russian spy Maria Butina, waiting to stand trial in Virginia, is also accused of working on a project at American University where her cover was as a student. The project examined the cybersecurity defenses of organizations such as the Electronic Frontier Foundation, and while there is no direct evidence that she funneled that data back to Moscow, it is highly unlikely that she was part of that project for the fun of it. The non-profits thought the University vetted the students; the University thought the State Department vetted them. In the end, no one did, and she is now facing trial for spying on us. Source: The Daily Beast.
US Continues Attack on China to Stop Stealing Our Stuff
Not only are the Russians after us, as the item above points out, but so are the Chinese. In fact, the Chinese are way more blatant about it. In two moves to try and counteract that, the DoJ indicted almost a dozen Chinese spies for stealing aviation related secrets. The theft went on between 2010 and 2015, so the indictment comes 8 years after the theft began. I would think the Chinese would consider this an OK return on investment. Since these people will never face a trial, it is a somewhat meaningless gesture, and coming 8 years after the attack started also points out that our ability to detect and stop these folks is somewhat lame. I say that they won’t come to trial, but a Russian spy was recently lured to Belgium where he was arrested, so you never know. Source: WaPo
In a second action, the U.S. issued sanctions against Chinese semiconductor manufacturer Fujian Jinhua which prevent them from buying parts from the U.S. While this hurts Jinhua, it also hurts U.S. companies that sell to them. The Feds are worried that Jinhua will flood the U.S. market with cheap DRAM chips, driving U.S. manufacturers out of the business and forcing DoD contractors, who already have massive supply chain security problems, to buy even more parts from China. I am not sure that there is anything to stop China from creating a new company with the stolen technology and moving on, but you have to try. Source: Computing.