Tag Archives: Social media

Security News for the Week Ending December 3, 2021

Australia Proposes Law To Force Online Platforms to Disclose User Info

Australia plans to introduce legislation that would force social media companies to either take down posts that someone claims are defamatory or hand over the identity of the user who posted them. This isn’t law yet, but I can easily see how it will be gamed. It comes in the wake of Australia’s High Court ruling that publishers can be liable for comments that readers post on the publishers’ pages. In response, CNN has shut down its Australian Facebook pages. I suspect that more publishers will do the same: the Australian market is just not big enough and the liability is too big. Credit: Gizmodo

What a Difference Having Backups Makes

Colorado’s Delta-Montrose Electric Association, an electric coop on the Western Slope of Colorado, was hit by a cyberattack in early November. While they didn’t call it ransomware, it has all the hallmarks of one: it took down 90% of their internal systems, they were not able to send out any bills last month, and they have said that it will take a long time to restore the data that was corrupted. Reports are that they LOST the majority of their historical data for the LAST 20 to 25 YEARS. Guess they didn’t know about keeping backups offline. A backup that sits on the same network, reachable with the same credentials as the systems it protects, is just one more thing for the attacker to encrypt; the copy that saves you is the one the attacker can’t reach (offline or on immutable storage) and that you have actually restored from at least once. Credit: MSN

Cuba Ransomware Gang Compromised At Least 49 Critical Infrastructure Entities

The Cuba ransomware gang, which, curiously, is not based in, run by, or funded from Cuba, has infiltrated AT LEAST 49 different entities in five critical infrastructure sectors: finance, government, healthcare, manufacturing and information technology, according to the FBI. It has also collected over $40 million in ransom payments. Much more important than the money is the fact that this gang has compromised at least dozens of companies across critical infrastructure. How many more have they infiltrated that we don’t know about? Credit: Bleeping Computer

NSO Group Hacks US State Department

NSO Group has really been getting in trouble lately. It has been placed on the U.S. Commerce Department’s entity list, it is the target of multiple lawsuits, and it has been trying to redeem its image. Now its Pegasus spyware has been found on the phones of at least 9 U.S. State Department employees. NSO says that it cancelled the relevant customer accounts after being told that the media was going to out them for this attack (I think that is called self preservation, but it isn’t going to help). The State Department found out because Apple told them. Credit: Vice

In Case You Thought These Bitcoin “DeFi” Companies Were Safe

Hackers stole more than $150 million in cryptocurrency from two “DeFi” projects. MonoX lost $31 million after hackers exploited a bug in its smart contract, and BadgerDAO lost about $120 million after some of its users reported unusual activity and the admins blew the warnings off. $100 million plus later, the platform says that it is pausing all withdrawals while it investigates. Likely none of this is covered by insurance. Credit: Hackread

Security News for the Week Ending April 26, 2019

As Terrorists Blow Up Soft Targets, Sri Lanka Turns Off Social Media

As Sri Lanka deals with multiple bombs exploding at churches and hotels, the country’s answer to the inevitable use of social media to fan flames and spread propaganda (alongside actual news) is to turn social media off.

At the current time, it appears that 8 bombs went off, 200+ people were killed and 400+ people were injured.  The target seems to be minorities and foreigners, which is often the case in terrorist attacks.

Facebook and other social media, in an effort to spin the news, said that they are working to remove content that does not meet their guidelines (which, of course, could be very different from the government’s guidelines), but as we saw in Christchurch, New Zealand, doing that effectively is very difficult. Facebook and its cousins would like to be thought of as an important news source and not just purveyors of trash and hate, so they are no doubt trying to figure out how to respond.

What is not clear is whether other governments (probably not in the U.S.) will see this as an effective way to control the flow of information when they choose to (which could include any number of situations, not just terrorist attacks) and follow Sri Lanka’s example. If this does become more common, it will not be good for the social media brands. (Source: CNN).


Businesses Continue to Ignore Contacts About Data Which is Exposed

In this case, it was the Mexican Embassy in Guatemala. Thousands of documents, including passports and birth certificates as well as documents related to the embassy itself, were accidentally left publicly visible on a cloud storage provider.

But that is not my big concern.

Once more, the researcher contacted Mexican officials but got no response.

If a researcher contacted ANY person in your company saying they had found a security issue, would every single employee know what to do? It is, after all, very simple.

CONTACT SECURITY and pass along the information you received. Don’t try to figure out if it is a scam or how to fix it. Just contact security. Let them deal with it. That is what they do for a living. Now, if security screws up, well, that is their fault. My guess is that, in this case, the information never made it to the right people. Eventually, it did get removed. (Source: Engadget).
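One concrete way to make sure a report reaches security no matter which employee (or which generic mailbox) a researcher finds first is to publish a machine-readable contact file at /.well-known/security.txt, the format standardized in RFC 9116. The file below is an added example written for this page, not something from the Engadget story or from the embassy in question; the domain, addresses and URLs are placeholders to be replaced with your own.

```text
# Served at https://example.com/.well-known/security.txt
# (placeholder domain and contacts; replace with your own)

# Where to send reports. Several Contact lines are allowed; list them in order of preference.
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability

# Required field. Researchers and tooling treat a stale file as unmaintained,
# so set a date well under a year out and renew it before it lapses.
Expires: 2026-12-31T23:59:59.000Z

# Optional but useful: a key so sensitive details can be sent encrypted,
# the languages the team reads, the authoritative URL of this file,
# and the disclosure policy a reporter is agreeing to.
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
```

The file only makes the right inbox findable; it does not replace the rule above. Someone still has to read security@ every day, and every employee still has to know to forward anything that looks like a report rather than deciding on their own whether it is real.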


China Has a New Export

China is the model of a surveillance state.  Now China has figured out that they can make a lot of money exporting that technology to other countries.  Ecuador is the prototype.  4,300 cameras.  16 monitoring centers.  More than 3,000 people watching those cameras.

Oh,  yeah, in addition to spotting crimes, the video feed also goes to Ecuador’s domestic intelligence agency.  Some of the other countries buying the Chinese spy gear include Zimbabwe, Uzbekistan, Pakistan, Kenya, the United Arab Emirates and Germany.

36 countries received training on topics such as censorship (politely called “public opinion guidance”). Source: The NY Times.


North Carolina Unveils Changes to Privacy Law

An amendment to the North Carolina Identity Theft Protection Act was introduced earlier this month. Among the changes, it:
  • requires businesses to implement reasonable security practices (where “reasonable” is undefined and left for the lawyers to argue over after a breach);
  • reduces the time to notify victims and the AG to 30 days, like Colorado;
  • expands the definition of protected information to include health and healthcare information (which may also be protected under HIPAA, depending on how the business received it);
  • clarifies that other information may count as covered PII depending on whether enough was compromised to abuse it (for example, an email address alone is not covered, but it is if the email password is compromised along with it);
  • changes the definition of a breach to unauthorized access, regardless of whether the compromised information is actually used;
  • requires a business that determines a breach caused no potential harm to keep the proof behind that determination for three years;
  • requires, for breaches at a CRA or any breach involving Social Security Numbers, that the company provide 24 or 48 months of credit protection;
  • expands the information a business may be required to provide to the AG in case of a breach;
  • gives a business that complies with GLBA or HIPAA safe harbor FOR THOSE sections of the bill that overlap; and
  • imposes other requirements on CRAs and businesses conducting credit checks.

The bill also allows a person to file a private right of action if they have been damaged.  Source: JDSupra  

Your Tweets Could Affect Your Insurance Rates

While the big data vs. insurance rates battle is in its infancy, that does not mean that insurers don’t have plans.  They do.

Some are already using data from consumers to affect rates.  Some insurers say that the data that consumers give them could lower rates and SOME insurers say that the data won’t be used to raise rates.  Since this is still in its infancy, don’t count on those statements for much.

Swiss Re, one of the biggest reinsurers (the insurance companies’ insurance company), just bought digi.me. Digi.me currently lets consumers aggregate their data in its system. That data will be shared with businesses to give consumers targeted ads and discounts. At least for now.

Discovery’s Vitality program collects diet, exercise and other information.  Make the “right” choices and you might get a premium discount or cash back.  Make the wrong choices and…

Allstate’s Drivewise gives discounts to drivers who install a gizmo in their car that sends their driving data to Allstate, as long as they drive “appropriately”. That is only a short step from penalizing you if you drive like Mario Andretti.

They could also use people’s public social media posts to affect rates too.  Have a salad for dinner and get discount points.  Have a burger and beer and your rates go up.

Refuse to share data and maybe you can’t get insurance at any price.

There are very few laws in the United States that control what insurance companies can do with “public” data or even data that they buy from the likes of R.L. Polk (owned by IHS now), A.C. Nielsen and others, each of which have data on tens of millions of people.

Also remember that the Internet never forgets.  Even if you improve your behavior, that data is still there in those databases.  Articles that I wrote in the 1990s are available.

And with things like smart TVs and smart refrigerators, what you eat and what you watch might affect your ability to get insurance.  Or your rates.

This is complete conjecture at this point but I sure wouldn’t rule it out.

Information for this post came from Reuters.

Loose Lips Sink Ships – And Businesses

Kaspersky Lab, the Russian anti-malware software company, released some survey statistics that may not surprise you, but should concern you.

Among the statistics –

  • 1 in 10 did not think that people outside of their friends could see their posts.  That’s actually a good thing – most people understand that their posts are not private because even if you set YOUR rules that way, once you hit that enter button, you have lost control.
  • Around 12 percent said that they would add anyone to their friends list, whether they know them or not.
  • 31 percent said that they will friend anyone if they have a friend in common.
  • 26 percent said they would have no hesitation to click on a link sent by a friend, without asking what it is or considering that the friend’s account could have been hacked.

I see posts all the time that say “at the airport on the way to …” or with pictures saying “having a great time in …”. Burglars do troll social media, and posts like these tell them that probably no one is at your house and may not be for days.

LinkedIn gives away a different kind of information: what you do for a living, what tools you use and, indirectly, instructions on how to hack your company. If you say that you are an Oracle wiz at your company, it probably means that your company uses Oracle. You just did an important piece of “recon” for me.

While I won’t be a Luddite and suggest that you don’t use social media, it is important that people consider what they are posting.  Certainly, configuring whatever social media platform to restrict who has access to your information and your posts is smart, but many people still don’t do that.  As I troll in my security business, I continue to be amazed at the number of people who do not lock down their profiles.  While this will not prevent crime, it will, at least, make the job a tiny little bit harder.

Even though every social media platform wants you to post your location, resist the urge, especially if you are going out of town.

Don’t post pictures from your trip until you are back.

We are beginning to see some insurance companies refusing to pay burglary claims for people who post TMI on social media.

For businesses, it is an education process – what can I post about work and what can’t I post;  how should I set my profiles, don’t click on links, stuff like that.  If 26% of your employees click on random links in social media, you are likely toast.

Just food for thought.  Life is a balance, this is no different.

Information for this post came from SC Magazine.