Tuesday, April 10, 2018

Infographic identifies worst rated countries for internet surveillance

Practical Approaches to Big Data Privacy Over Time: “The Berkman Klein Center is pleased to announce a new publication from the Privacy Tools project, authored by a multidisciplinary group of project collaborators from the Berkman Klein Center and the Program on Information Science at MIT Libraries. This article, titled “Practical approaches to big data privacy over time,” analyzes how privacy risks multiply as large quantities of personal data are collected over longer periods of time, draws attention to the relative weakness of data protections in the corporate and public sectors, and provides practical recommendations for protecting privacy when collecting and managing commercial and government data over extended periods of time. Increasingly, corporations and governments are collecting, analyzing, and sharing detailed information about individuals over long periods of time. Vast quantities of data from new sources and novel methods for large-scale data analysis are yielding deeper understandings of individuals’ characteristics, behavior, and relationships. It is now possible to measure human activity at more frequent intervals, collect and store data relating to longer periods of activity, and analyze data long after they were collected. These developments promise to advance the state of science, public policy, and innovation. At the same time, they are creating heightened privacy risks, by increasing the potential to link data to individuals and apply data to new uses that were unanticipated at the time of collection. Moreover, these risks multiply rapidly, through the combination of long-term data collection and accumulations of increasingly “broad” data measuring dozens or even thousands of attributes relating to an individual…”
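The point the article makes, that privacy risk grows with the number of attributes accumulated about the same people rather than with any single release, can be shown with a small k-anonymity computation. The following Python is an added illustration, not code from the Berkman Klein article or the Privacy Tools project; the table, its column names and every value in it are constructed for the example, and the columns are ordered by the time at which each attribute would have entered the dataset.

```python
from collections import Counter

# Constructed quasi-identifier table for eight people (made-up values, no real
# individuals). Columns are ordered by when each attribute entered the dataset:
# the first two at signup, the rest accumulated as the same people kept being
# observed over time.
COLUMNS = ["zip3", "birth_year", "device", "commute_hour", "pharmacy_visits"]
ROWS = [
    ("021", 1985, "ios",     8, 0),
    ("021", 1985, "ios",     8, 2),
    ("021", 1985, "android", 9, 0),
    ("021", 1985, "android", 9, 0),
    ("021", 1990, "ios",     7, 1),
    ("021", 1990, "ios",     7, 1),
    ("940", 1990, "android", 8, 3),
    ("940", 1990, "android", 8, 0),
]


def equivalence_classes(rows, n_attrs):
    """Group rows that agree on their first n_attrs attributes; return
    {attribute tuple: number of people sharing it}."""
    return Counter(tuple(row[:n_attrs]) for row in rows)


def k_anonymity(rows, n_attrs):
    """Size of the smallest group. k == 1 means at least one person is
    uniquely identifiable from those attributes alone."""
    return min(equivalence_classes(rows, n_attrs).values())


def unique_count(rows, n_attrs):
    """How many people are alone in their group, i.e. re-identifiable."""
    return sum(1 for size in equivalence_classes(rows, n_attrs).values() if size == 1)


def anonymity_curve(rows):
    """(attributes used, k, people singled out) after each attribute is added."""
    width = len(rows[0])
    return [(n, k_anonymity(rows, n), unique_count(rows, n)) for n in range(1, width + 1)]


if __name__ == "__main__":
    for n, k, singled_out in anonymity_curve(ROWS):
        print(f"{n} attribute(s), latest={COLUMNS[n - 1]:>16}: k={k}, singled out={singled_out}")
```

With the constructed table, k stays at 2 through the first four attributes and collapses to 1 the moment a fifth, later-collected attribute is appended, with half of the people then singled out. The same arithmetic applies when two separately released datasets about the same people are linked: the joined table carries the union of their attributes, so its equivalence classes can only get smaller.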


Infographic identifies worst rated countries for internet surveillance betanews: “…Consumer security site Security Baron has created an infographic showing the best and worst, along with those named by Reporters Without Borders as, ‘enemies of the internet’. There are many results you might expect, China, Vietnam and Saudi Arabia being on the list of ‘pervasive’ censors for example. Russia, Burma and Pakistan among others imposing ‘substantial’ censorship. What may surprise you are the ‘selective’ censors, which include India, the US and UK. These three are also on the ‘enemies of the internet’ list…”

It is not surprising to learn today from Facebook that the Cambridge Analytica debacle, which began as the harvesting of data on 87 million people, has escalated monumentally to the level of 2 billion users worldwide, per the Washington Post: “Facebook said Wednesday that “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide. The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users…But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged. The scam started when malicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown…”
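The technique the Post describes is reverse-lookup enumeration: identifiers already leaked in other breaches are replayed, by script, against a search endpoint until each one resolves to a profile. What gives such a scraper away in a service's own logs is not any single request but the rate at which one client asks about distinct identifiers. The following Python is an added example, not code from Facebook or the Washington Post: it parses a constructed access log for a hypothetical lookup-by-phone-or-email endpoint and flags clients that query more distinct identifiers inside a short sliding window than a person plausibly would. The log format, the client identifiers, the window length and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access log for a hypothetical "find people by phone/e-mail"
# endpoint. The format is assumed for this example; q is a hashed query
# value, hit=1 means the query resolved to a profile.
SAMPLE_LOG = """\
2018-04-04T10:00:01Z client=c1 type=phone q=p100 hit=1
2018-04-04T10:05:30Z client=c1 type=email q=e200 hit=0
2018-04-04T11:40:12Z client=c1 type=phone q=p100 hit=1
2018-04-04T10:20:00Z client=bot7 type=phone q=p301 hit=1
2018-04-04T10:20:10Z client=bot7 type=phone q=p302 hit=1
2018-04-04T10:20:20Z client=bot7 type=phone q=p303 hit=1
2018-04-04T10:20:30Z client=bot7 type=phone q=p304 hit=1
2018-04-04T10:20:40Z client=bot7 type=phone q=p305 hit=0
2018-04-04T10:20:50Z client=bot7 type=phone q=p306 hit=1
2018-04-04T10:21:00Z client=bot7 type=phone q=p307 hit=1
2018-04-04T10:21:10Z client=bot7 type=phone q=p308 hit=1
2018-04-04T10:21:20Z client=bot7 type=phone q=p309 hit=1
2018-04-04T12:00:00Z client=c2 type=email q=e401 hit=1
2018-04-04T12:06:00Z client=c2 type=email q=e402 hit=0
2018-04-04T12:12:00Z client=c2 type=email q=e403 hit=1
2018-04-04T12:18:00Z client=c2 type=email q=e404 hit=0
2018-04-04T12:24:00Z client=c2 type=email q=e405 hit=1
2018-04-04T12:30:00Z client=c2 type=email q=e406 hit=1
2018-04-04T12:36:00Z client=c2 type=email q=e407 hit=0
2018-04-04T12:42:00Z client=c2 type=email q=e408 hit=1
2018-04-04T12:48:00Z client=c2 type=email q=e409 hit=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) type=(?P<type>phone|email) "
    r"q=(?P<q>\S+) hit=(?P<hit>[01])$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped rather
    than allowed to abort the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"],
            "type": m["type"],
            "q": m["q"],
            "hit": int(m["hit"]),
        })
    return events


def enumeration_stats(events, window=timedelta(minutes=10)):
    """Per client: total lookups, hit rate, and the peak number of distinct
    identifiers queried inside any sliding window of the given length.
    Distinct-per-window is the enumeration signal: a person re-checks the
    same few contacts, a scraper never repeats one."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    stats = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # identifier -> occurrences inside the window
        start = 0
        peak = 0
        for e in evs:
            in_window[e["q"]] += 1
            # Drop events that fell out of the window ending at e["ts"].
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["q"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        hits = sum(e["hit"] for e in evs)
        stats[client] = {
            "total": len(evs),
            "hit_rate": hits / len(evs),
            "peak_distinct": peak,
        }
    return stats


def flag_scrapers(stats, max_distinct=8):
    """Clients whose peak distinct-identifier count exceeds the threshold
    (the threshold value is an assumption for the example)."""
    return sorted(c for c, s in stats.items() if s["peak_distinct"] > max_distinct)


if __name__ == "__main__":
    stats = enumeration_stats(parse_log(SAMPLE_LOG))
    for client, s in sorted(stats.items()):
        print(f"{client:>5}: {s}")
    print("flagged:", flag_scrapers(stats))
```

In the constructed log only bot7 is flagged: it asks about nine different numbers in eighty seconds, while c2 also never repeats an address but spreads its lookups over most of an hour, so no ten-minute window ever holds more than two. The hit rate is worth keeping as a secondary signal, since identifiers taken from real breach dumps resolve far more often than guesses would. Detection of this kind only limits the damage; the durable fix is the one the Post reports Facebook made, removing the ability to look a person up by a phone number or e-mail address at all.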
Facebook said in a blog post Wednesday, “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.” And on a conference call with journalists, as reported by Axios, Mark Zuckerberg acknowledged that Facebook “made mistakes.”
Via Recode: “Facebook says it will begin alerting those users that their data may have been part of this batch on Monday, April 9. The company plans to put a link at the top of every Facebook user’s News Feed next Monday to help them understand which third-party apps have their data. That alert will also include whether or not your data was part of the set obtained by Cambridge Analytica.”
On April 10 Zuckerberg will testify at a joint hearing of the Senate Committee on the Judiciary and the Senate Committee on Commerce, Science, and Transportation on the topic “Facebook, Social Media Privacy, and the Use and Abuse of Data.”

Facebook Under Fire: How Privacy Crisis Could Change Big Data Forever Variety: “…The scandal in a nutshell: Cambridge Analytica, a U.K.-based political data analytics firm, illicitly procured the data of 50 million Facebook users — without their knowledge or consent — and then enlisted that to inform voter-targeting strategies for Donald Trump’s presidential campaign. It wasn’t a hack per se. But both Facebook and Cambridge Analytica claim they were duped by the researcher who originally harvested the data, who used an innocuous-seeming personality quiz in 2013 to access info on friends of people who used the app. That was possible because of Facebook’s then relatively lax privacy protocols. The controversy landed like a Category 5 hurricane, to Facebook’s evident surprise. Ultimately, it may prove to be a watershed moment in how governments — the U.S. in particular — decide internet companies should be regulated after decades of laissez-faire policies. Facebook was caught asleep at the wheel, says Daniel Ives, chief strategy officer and head of technology research at GBH Insights. “The Cambridge Analytica debacle has been the darkest chapter in Facebook’s 14-year history,” he says. “We view this as a seminal moment that’s going to change the nature of privacy, content and ad transparency.” … The regulatory aftershocks could rattle companies beyond Facebook. In the big M&A deals in play in the media sector — AT&T’s bid for Time Warner, Comcast’s pending acquisition of Sky, Disney’s proposed takeover of 20th Century Fox — streaming media is front and center. And everyone wants to use big data to serve up highly targeted ads … just as Facebook does.”
See also ‘Malicious actors’ collected data on 2 billion Facebook users worldwide



Nextgov - April 5, 2018
The Health and Human Services division that manages Medicare and Medicaid data hasn’t established special security rules for health care researchers that access beneficiaries’ data, an auditor said Thursday. Those researchers must follow broad rules that apply to all government data but, unlike Medicare contractors, they aren’t required to follow stringent data security rules designed for Medicare and Medicaid data, according to the Government Accountability Office report. The Centers for Medicare and Medicaid Services hasn’t applied special rules to researchers because it wants to give them “more flexibility to independently assess their security risks and determine which controls are appropriate,” the report states. However, the lack of specific guidance increases the risk that beneficiary data will be breached, GAO said. The auditor recommended the health benefits agency establish minimum security guidelines for researchers. Those guidelines should be based on security controls developed by the National Institute of Standards and Technology.




The Hill - April 4, 2018

A Massachusetts judge has cleared the way for the state to sue Equifax over the massive data breach that the credit reporting firm disclosed last year. Suffolk County Superior Court Judge Kenneth Salinger denied a motion by Equifax to dismiss the lawsuit brought against it by Massachusetts Attorney General Maura Healey, Reuters reports. Healey, a Democrat, sued Equifax last September after the company revealed a data breach impacting more than 140 million U.S. consumers. She alleged that the credit reporting firm ignored clear cybersecurity vulnerabilities for months and failed to safeguard personal information on nearly 3 million Massachusetts residents. She also accused the firm of waiting too long to disclose the breach.




FCW - April 3, 2018

Policymakers and members of Congress have increasingly called for a "whole of government" response to cybersecurity threats, including foreign election meddling and critical infrastructure protection, and a formal, unified cyber doctrine to govern U.S. policy. One idea – that of a single, consolidated agency with authority over most civilian cyber operations – is garnering increased attention from both nation states and policy analysts. In February, Microsoft put out a white paper laying out best practices for a single national cybersecurity agency that drew from the company's experiences dealing with governments around the world.

NBC - April 3, 2018
When news broke last week of a hacking attack on Baltimore’s 911 system, Chad Howard felt a rush of nightmarish memories. Howard, the information technology manager for Henry County, Tennessee, faced a similar intrusion in June 2016, in one of the country’s first so-called ransomware attacks on a 911 call center. The hackers shut down the center’s computerized dispatch system and demanded more than $2,000 in bitcoin to turn it back on. Refusing payment, Howard’s staff tracked emergency calls with pencil and paper for three days as the system was rebuilt. “It basically brought us to our knees,” Howard recalled. 

Nextgov - April 2, 2018
Federal agencies have one year from today to identify the gaps in their cybersecurity workforces and report their needs and reasons for the skill shortages to the Office of Personnel Management, the department said Monday. The government’s human resources department issued a memorandum Monday with guidance and milestones for reporting on critical cyber workforce needs over the next four years. The guidance aligns with the National Initiative for Cybersecurity Education, or NICE, framework for categorizing the cyber workforce and instructs agencies on how to comply with mandates in the Federal Cybersecurity Workforce Assessment Act of 2015. “I am pleased to provide guidance that will help federal agencies pinpoint their cybersecurity workforce’s most critical skill shortages,” Mark Reinhold, associate director for employee services at OPM, said in an April 2 memo to agency human resources directors. OPM’s guidance is the first benchmark for the four-year effort.

Federal News Radio - April 2, 2018
The Defense Department is transitioning to a new approach to authorize its IT systems. The Risk Management Framework (RMF) will replace the DoD Information Assurance Certification and Accreditation Process (DIACAP). This new approach should let owners, operators and defenders of IT systems better understand and manage the risks posed by threats and vulnerabilities to DoD networks and data. While managing risk is more difficult than checklist compliance with cybersecurity regulations, officials said it produces better results. The move from DIACAP to RMF is not new — it began about four years ago with DoD Instruction 8510.01, issued in March 2014, said Ed Brindley, DoD’s acting deputy chief information officer for cybersecurity. “Now that three years is gone, the deadline is here,” he said.  “I have a high degree of confidence that they are ready [for the deadline].”