Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Marc Tobias On Apple Inc.'s Siri Promises

June 09, 2020 by Marc Handelman in Marc Weber Tobias, Must Read, Application Security, Informed Consent, Personal Assistants, Artificial Intelligence, Law

via Marc Weber Tobias, writing at Forbes, comes this superlative piece detailing consent inconsistency and other fundamental legal problems with Apple Inc.'s (NASDAQ: AAPL) Siri personal assistant. Today's Must Read.


Image Courtesy of Wikipedia

Australian Information Commissioner Holds Facebook's Feet To The Barbie...

March 10, 2020 by Marc Handelman in Facebookery, Law, Law Enforcement

via Natasha Lomas - writing at TechCrunch, comes this story of the Australian Information Commissioner filing proceedings targeting Facebook Inc. (NASDAQ: FB) over the Cambridge Analytica data breach outrage. My take: Good on ya, Commissioner!

'Australia’s Privacy Act sets out a provision for a civil penalty of up to $1,700,000 to be levied per contravention — and the national watchdog believes there were 311,074 local Facebook users in the cache of ~86M profiles lifted by Cambridge Analytica . So the potential fine here is circa $529BN. (A very far cry from the £500k Facebook paid in the UK over the same data misuse scandal.)' - via Natasha Lomas at TechCrunch


Updated: 20200310 1631 - Here's David Bisson's take on the news at The State of Security blog:

"As the Australian Information Commissioner, Angelene Falk has the authority to apply for a civil penalty order alleging that an organization bound to comply with the APPs committed serious and/or repeated violations against s 13G of the Privacy Act 1988. The Federal Court could then respond by issuing a penalty of up to $1,700,000 AUD for each serious and/or repeated violation of privacy."



City of Los Angeles Files Suit Targeting Illicit Data Use By Weather Channel App

January 05, 2019 by Marc Handelman in Law, Law Enforcement, Illicit Data Use

News, via The New York Times reporters Jennifer Valentino-DeVries and Natasha Singer, of a newly filed suit targeting deceptive use of user location data by The Weather Channel's phone app (The Weather Channel is an International Business Machines (NYSE: IBM) subsidiary). Oops... and then there's this.


The Grayshift Predicament →

April 27, 2018 by Marc Handelman in Hardware Secrets, Hardware Flaws, Hardware Security, Information Security, Forensication, Forensics, Law Enforcement, Law

I am sure you have all read the news of Grayshift's issues battling extortionists and their ilk. I have, however, not seen any significant commentary regarding the data theft this SNAFU could facilitate.

Here's the thought problem (looking for culpability, specifically): a law enforcement agency has taken custody (adhering to Generally Accepted Chain of Custody guidelines) of a suspect's iPhone. Unbeknownst to the trusted Sworn Officers and Forensicators (often one and the same) examining the device, the Grayshift appliance suffers a successful attack mounted by external miscreant(s) unknown, and succumbs to the exfiltration of all data on the appliance AND the slurped data from the iPhone.

Subsequent forensication by the Sworn Officers or Forensicators (again, often one and the same, at least in smaller agencies) entrusted with reasonable and prudent Chain of Custody of the device under scrutiny discovers that the Grayshift appliance and the suspect's iPhone have both undergone the indignity of significant data leakage. How does the agency proceed in the effort to lay charges, or not, and protect the agency as well?

Oh, and while they are at it, perhaps they could explain why the device is attached to a forward facing TCP/UDP connection to our beloved Interweb?


Can I Sue? →

May 15, 2017 by Marc Handelman in Law, Information Security, Security Law, Cybersecurity Law, All is Information

In an outstanding thought piece over at SecurityCurrent, cybersecurity attorney Mark Rasch answers questions revolving around the latest Microsoft Corporation (NasdaqGS: MSFT) related code exploit, WannaCry (and its minor variant, dubbed WannaCry 2.0); more specifically, whether lawsuits are a reasonable method to mitigate or transfer the risk of ransomware attacks like WannaCry. Hat tip to Gadi Evron, Founder and CEO at Cymmetria. Today's Must Read.

"update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates." - via Rain-1 on GitHub


Judged →

February 14, 2017 by Marc Handelman in All is Information, Law, Dubious Methodology, Due Process

Unlikely, yet significantly bothersome news for jurisprudence...
