[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions đ
Sorry for all of the PII regulations for the US, but they seem to come out all at the same time.
Also, in case you are interested there is another newsalert I generate on new campaigns and hacker techniques. Let me know if you want me to add you to that list.
So onto the news:
A Security Awareness and Training Policy Checklist
This is a checklist of the policies that should underpin a successful STA program. When building up a team (or virtual team) to meet requirements, it can be useful to identify the types of skills needed to help meet objectives. So where possible, I have identified the professions I believe would be most useful to help with each step.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4b0fa24a6&e=20056c7556
Why Russian Cybercrime Markets Are Thriving
The prices for stolen payment card data and other cybercrime products and services on Russian underground forums continue to fall. But such marketplaces are thriving more than ever, in part, because they help attackers quickly and affordably organize their efforts.
Those findings are included in a new report, Russian Underground 2.0, written by Max Goncharov, a threat researcher at the security firm Trend Micro. He notes that while the price of many cybercrime goods and services continues to fall – due to a glut of what is on offer – the lower prices, as well as increased automation and reliability, make it easier than ever for fraudsters to profit from cybercrime.
In fact, Trend Micro says it has cataloged 78 underground Russian forums – of which 50 are active, and about 20 quite active. And each may have 20,000 to hundreds of thousands of registered users. Such forums offer, by Trend Micro’s count, 38 types of cybercrime goods and services that include anonymizing VPNs, distributed denial-of-service attack attack services, spam and command-and-control services, Trojan malware, rootkits, social engineering services and ransomware.
In the past, for example, Goncharov says that to launder stolen card data, criminals often worked with “droppers” who would use stolen card data to purchase and sell physical goods, and then keep part of the profits. Now, however, dropper services are increasingly using stolen card data to buy and sell not physical goods, but such things as airline tickets or hotel reservations (see Airport Raids Target Fraudsters). In this scenario, a criminal might offer their peers – or consumers – a discount, for example charging $300 for a ticket worth $600. Because the goods have been paid for with stolen cards, whatever the criminal’s “customer” pays, the criminal sees as a profit. “In effect, [the criminal] not only saves time but also effort in laundering money,” Goncharov says.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ced00b7314&e=20056c7556
Critical BIND denial-of-service flaw could disrupt large portions of the Internet
The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software.
The vulnerability, announced and patched by ISC Tuesday, is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
This is no workaround to protect against the BIND vulnerability or a way to prevent its exploitation through access control lists. Patching is the only option, the ISC said in an advisory.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bcf35951f5&e=20056c7556
This court ruling just made it easier to sue companies that get hacked
In a ruling causing a stir on legal blogs, the influential 7th Circuit Court of Appeals last week reinstated a lawsuit against Neiman Marcus over a 2013 data breach in which hackers stole credit card information from as many as 350,000 customers.
The unanimous 3-judge ruling, issued in Chicago, is a big deal because it lowers the bar for consumers who want to sue over such breaches. Until now, companies have been able to deflect many such lawsuits by invoking a Supreme Court case called Clapper that basically kept people out of court because they couldnât show an injury.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8f29d635c8&e=20056c7556
Significant Amendments to Connecticut and Nevada Breach Notifications and Data Security Laws
Nevada and Connecticut recently enacted amendments to breach notification and data security requirements that are relatively unique among existing state laws, thus imposing new compliance obligations upon companies doing business in these states, as further described below.
Nevadaâs Assembly Bill No. 179 expands the definition of âpersonal informationâ subject to Nevadaâs data security, encryption, and breach notification requirements to include online account credentials, medical identification number, health insurance identification number, and driver authorization card number.
Connecticut recently amended its breach notification statute pursuant to Public Act No. 15-142, effective October 1, 2015, to require that breached entities offer âappropriate identity theft prevention services and, if applicable, identity theft mitigation servicesâ to affected Connecticut residents whose Social Security numbers were exposed in the breach. The Connecticut amendment requires such offering at no cost for a period of not less than 12 months, although a representative of the Connecticut Attorney Generalâs Office has publicly indicated that they will continue to expect two years of the identity theft prevention services when Social Security numbers are compromised. Public Act 15-142 further specifies that the breached entity must provide affected individuals with âall information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such residentsâ credit file.â
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f60ebc2f64&e=20056c7556
** Washington and North Dakota Expand Data Breach Definition and Notice Requirements**
Washington
In an effort to strengthen the effectiveness of data breach notification requirements, Washington has enacted H.B. 1078, which took effect July 24, 2015, and requires notification of the breach of unencrypted information as well as encrypted information where the person also acquires the means to decipher the information. This legislation codifies a risk of harm analysis into the notification requirement and is expanded to include non-computerized (paper) data.
Companies now have 45 days from when the breach is discovered to notify affected residents
If more than 500 Washington residents are notified, the attorney general must also be notified by the time notice is provided to consumers.
Finally, H.B. 1078 adds federal preemption language for companies covered under HIPAA and the Gramm-Leach-Bliley Act to comply with those statute-specific timelines.
North Dakota
S.B. 2214, which takes effect August 1, 2015, expands coverage to any entity that owns or licenses personal information of North Dakota residents, while limiting disclosure of employer identification numbers only when âin combination with any required security code, access code, or password.â
Companies will be required to notify the attorney general if more than 250 individuals are affected.
Companies will be required to notify the attorney general if more than 250 individuals are affected. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fcb6c6d376&e=20056c7556
5 Key Takeaways about Canadaâs Amended Privacy Laws
The Government of Canada has amended the Personal Information Protection and Electronic Documents Act (âPIPEDAâ), which generally governs the collection, use, and disclosure of personal information by private sector organizations in all Canadian provinces except for Alberta, British Columbia and QuĂ©bec. Some of the amendments came into force immediately as of June 18, 2015, while others will not come into force until a later date yet to be fixed. This brief commentary addresses five key changes to PIPEDA and the effects they may have on businesses.
1. CLEARER RULES REGARDING SHARING PERSONAL INFORMATION IN THE CONTEXT OF BUSINESS TRANSACTIONS
2. NOTICE BUT NOT CONSENT REQUIRED FOR NECESSARY USES OF EMPLOYEE INFORMATION
3. DATA BREACH NOTIFICATION REQUIREMENTS EVENTUALLY TO APPLY UNDER PIPEDA
4. ORGANIZATIONS PERMITTED TO SHARE PERSONAL INFORMATION IN THE CONTEXT OF INVESTIGATIONS
5. OPCâS ENFORCEMENT ACTIONS NOW INCLUDE COMPLIANCE AGREEMENTS
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d33433c546&e=20056c7556
HOW BOA TACKLES CYBERSECURITY WITH METRICS
According to Bessant, Bank of Americaâs defense against cybersecurity includes two key metrics, one which tracks the frequency of system scans and another that counts the potential problems found as a result of those scans. By using this data, along with a measure of how long it takes to identify and remove problematic code, Bank of America is better prepared to adjust its processes accordingly in the detection and prevention of cyberattacks, WSJ reported.
Although, one of the most critical focus points the bank has when it comes to cybersecurity is attracting and maintaining the right staff for security positions.
Bessant told WSJ it requires constantly monitoring the percentage of top talent filling the roles as well as keeping track of potential successors. She noted the concern of turnover in the cybersecurity group, which is something other companies are attempting to manage as well.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c246226d24&e=20056c7556
Getting More Personal: California Amends Data Security Law
On July 14 California expanded the definition of âpersonal informationâ under its data security statute with the enactment of A.B. 1541 effective January, 2016. Specifically, the definition of âpersonal informationâ will then include (a) a username or e-mail address combined with a password or security question and answer for access to an online account; and (b) health insurance information. Health insurance information is defined to include (1) an individualâs insurance policy number or subscriber identification number; (2) any unique identifier used by a health insurer to identify the individual; or (3) any information in an individualâs application and claims history, including any appeals records.
This amendment, which takes effect on January 1, 2016, essentially brings the definition of personal information in the data security statute into harmony with Californiaâs data breach notification law. According to one legislative committee, the addition of usernames and passwords to the definition of personal information was in part due to the fact that residents âuse the same password or username or answer to a security question for some or all of their online accounts.â Consequently, a âbreach of one online account can have a cascading effect upon the userâs other accounts.â Neither statute includes a definition of an online account.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=32e38fb981&e=20056c7556
SSL tools we wish we’d known about earlier
So you already know tcpdump, the openssl SSL client, the Mozilla SSL Configuration Generator and the SSL Labs test. Here’s a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.
* badssl – live examples of improper SSL configurations
* scans.io – raw results from massive scale SSL scans
* Your old whois command, once you know the query syntax
* OS X native Wireshark
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2b445f1bd0&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage2.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=4eb8b1286b)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)