Infographic identifies worst rated countries for internet surveillance - betanews: “…Consumer security site Security Baron has created an infographic showing the best and worst, along with those named by Reporters Without Borders as ‘enemies of the internet’. There are many results you might expect, China, Vietnam and Saudi Arabia being on the list of ‘pervasive’ censors, for example. Russia, Burma and Pakistan, among others, impose ‘substantial’ censorship. What may surprise you are the ‘selective’ censors, which include India, the US and UK. These three are also on the ‘enemies of the internet’ list…”
It is not surprising to learn today from Facebook that the Cambridge Analytica debacle, which began as the harvesting of data on 87 million people, has escalated monumentally to the level of 2 billion users worldwide, per the Washington Post: “Facebook said Wednesday that “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide. The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users…But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged. The scam started when malicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown…”
Facebook said in a blog post Wednesday: “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.” And per a conference call with journalists, as reported by Axios, Mark Zuckerberg acknowledged that Facebook “made mistakes.”
Via Recode: “Facebook says it will begin alerting those users that their data may have been part of this batch on Monday, April 9. The company plans to put a link at the top of every Facebook user’s News Feed next Monday to help them understand which third-party apps have their data. That alert will also include whether or not your data was part of the set obtained by Cambridge Analytica.”
On April 10, Zuckerberg will testify before the Senate Committee on the Judiciary and the Senate Committee on Commerce, Science, and Transportation. The topic: Facebook, Social Media Privacy, and the Use and Abuse of Data.
Variety - Facebook Under Fire: How Privacy Crisis Could Change Big Data Forever: “…The scandal in a nutshell: Cambridge Analytica, a U.K.-based political data analytics firm, illicitly procured the data of 50 million Facebook users — without their knowledge or consent — and then enlisted that to inform voter-targeting strategies for Donald Trump’s presidential campaign. It wasn’t a hack per se. But both Facebook and Cambridge Analytica claim they were duped by the researcher who originally harvested the data, who used an innocuous-seeming personality quiz in 2013 to access info on friends of people who used the app. That was possible because of Facebook’s then relatively lax privacy protocols. The controversy landed like a Category 5 hurricane, to Facebook’s evident surprise. Ultimately, it may prove to be a watershed moment in how governments — the U.S. in particular — decide internet companies should be regulated after decades of laissez-faire policies. Facebook was caught asleep at the wheel, says Daniel Ives, chief strategy officer and head of technology research at GBH Insights. “The Cambridge Analytica debacle has been the darkest chapter in Facebook’s 14-year history,” he says. “We view this as a seminal moment that’s going to change the nature of privacy, content and ad transparency.” The regulatory aftershocks could rattle companies beyond Facebook. In the big M&A deals in play in the media sector — AT&T’s bid for Time Warner, Comcast’s pending acquisition of Sky, Disney’s proposed takeover of 20th Century Fox — streaming media is front and center. And everyone wants to use big data to serve up highly targeted ads … just as Facebook does.”
See also: ‘Malicious actors’ collected data on 2 billion Facebook users worldwide
Nextgov - April 5, 2018
The Health and Human Services division that manages Medicare and Medicaid data hasn’t established special security rules for health care researchers that access beneficiaries’ data, an auditor said Thursday. Those researchers must follow broad rules that apply to all government data but, unlike Medicare contractors, they aren’t required to follow stringent data security rules designed for Medicare and Medicaid data, according to the Government Accountability Office report. The Centers for Medicare and Medicaid Services hasn’t applied special rules to researchers because it wants to give them “more flexibility to independently assess their security risks and determine which controls are appropriate,” the report states. However, the lack of specific guidance increases the risk that beneficiary data will be breached, GAO said. The auditor recommended the health benefits agency establish minimum security guidelines for researchers. Those guidelines should be based on security controls developed by the National Institute of Standards and Technology.
The Hill - April 4, 2018
A Massachusetts judge has cleared the way for the state to sue Equifax over the massive data breach that the credit reporting firm disclosed last year. Suffolk County Superior Court Judge Kenneth Salinger denied a motion by Equifax to dismiss the lawsuit brought against it by Massachusetts Attorney General Maura Healey, Reuters reports. Healey, a Democrat, sued Equifax last September after the company revealed a data breach impacting more than 140 million U.S. consumers. She alleged that the credit reporting firm ignored clear cybersecurity vulnerabilities for months and failed to safeguard personal information on nearly 3 million Massachusetts residents. She also accused the firm of waiting too long to disclose the breach.
FCW - April 3, 2018
Policymakers and members of Congress have increasingly called for a "whole of government" response to cybersecurity threats, including foreign election meddling and critical infrastructure protection, and a formal, unified cyber doctrine to govern U.S. policy. One idea – that of a single, consolidated agency with authority over most civilian cyber operations – is garnering increased attention from both nation states and policy analysts. In February, Microsoft put out a white paper laying out best practices for a single national cybersecurity agency that drew from the company's experiences dealing with governments around the world.
NBC - April 3, 2018
When news broke last week of a hacking attack on Baltimore’s 911 system, Chad Howard felt a rush of nightmarish memories. Howard, the information technology manager for Henry County, Tennessee, faced a similar intrusion in June 2016, in one of the country’s first so-called ransomware attacks on a 911 call center. The hackers shut down the center’s computerized dispatch system and demanded more than $2,000 in bitcoin to turn it back on. Refusing payment, Howard’s staff tracked emergency calls with pencil and paper for three days as the system was rebuilt. “It basically brought us to our knees,” Howard recalled.
Nextgov - April 2, 2018
Federal agencies have one year from today to identify the gaps in their cybersecurity workforces and report their needs and reasons for the skill shortages to the Office of Personnel Management, the department said Monday. The government’s human resources department issued a memorandum Monday with guidance and milestones for reporting on critical cyber workforce needs over the next four years. The guidance aligns with the National Initiative for Cybersecurity Education, or NICE, framework for categorizing the cyber workforce and instructs agencies on how to comply with mandates in the Federal Cybersecurity Workforce Assessment Act of 2015. “I am pleased to provide guidance that will help federal agencies pinpoint their cybersecurity workforce’s most critical skill shortages,” Mark Reinhold, associate director for employee services at OPM, said in an April 2 memo to agency human resources directors. OPM’s guidance is the first benchmark for the four-year effort.
Federal News Radio - April 2, 2018
The Defense Department is transitioning to a new approach to authorize its IT systems. The Risk Management Framework (RMF) will replace the DoD Information Assurance Certification and Accreditation Process (DIACAP). This new approach should let owners, operators and defenders of IT systems better understand and manage the risks posed by threats and vulnerabilities to DoD networks and data. While managing risk is more difficult than checklist compliance with cybersecurity regulations, officials said it produces better results. The move from DIACAP to RMF is not new — it began about four years ago with DoD Instruction 8510.01, issued in March 2014, said Ed Brindley, DoD’s acting deputy chief information officer for cybersecurity. “Now that three years is gone, the deadline is here,” he said. “I have a high degree of confidence that they are ready [for the deadline].”