Apple Customer Data in China was Sold Illegally*:
- The Chinese police said this week that they had arrested 22 people suspected of selling the personal data of an unspecified number of Apple customers.
- According to police, the thieves reaped about $7.3 million, over an unspecified period.
- Many details were unclear, including the identities of those involved and the severity of the breach.
- Police found that Apple employees had illegally acquired personal data, and 20 of the 22 people worked for companies that sell Apple products or are Apple contractors.
- In China, Apple’s products are sold broadly, in electronics chain stores and small booths in shopping malls in addition to official Apple Stores.
- The data stolen included names, Apple IDs and phone numbers of Apple users; it is not clear whether passwords or financial information were involved.
- A growing number of Chinese people fear cybercrime and identity theft, particularly as millions of them turn to online shopping and using money electronically.
- Between widespread malware campaigns and a large number of new internet users, China has become a playground for internet fraudsters.
- Last year, China tried 361 criminal cases involving violation of personal data, up from 176 in 2015.
- The problem is not even new to Apple – last year, 10 employees of an Apple contractor in China were also found with data from more than 80,000 users.
*Source: New York Times, June 09, 2017
Outdated Operating Systems, Browsers Correlate with Real Data Breaches*:
- Organizations that run more than half of their computers on outdated operating systems are three times more likely to suffer a data breach.
- Those organizations running more than half of their browsers on old versions are twice as likely to get hit with a breach, according to a new study.
- Security ratings service BitSight studied the correlation between real data breaches and thousands of organizations running older, out-of-date versions of operating systems and browsers on their computers.
- They found that among some 35,000 companies worldwide across 20 industries, 2,000 had more than 50% of their computers running out-of-date OSes.
- The analysis focused on Apple OS and Microsoft Windows OSes and Firefox, Chrome, Internet Explorer, and Safari browsers.
- The findings don’t necessarily mean the data breaches occurred via the outdated OS or browser version, but it is an indicator in the risk profile of the victim organization.
- By industry sector, more than one-fourth of government computers were found running outdated Windows or Mac OS platforms.
- Financial services, health care, and retail scored the same when it came to out-of-date OSes and browsers – each with 15% of their computers.
*Source: Dark Reading, June 08, 2017
EU Seeks New Powers to Obtain Data “Directly” from Tech Firms*:
- European authorities are considering proposals that would allow law enforcement to directly obtain user data stored by US tech companies in the EU.
- The move comes in the wake of an uptick in terrorist attacks, including several in Britain and France.
- One proposal would give police the power to "directly" access data stored on cloud servers of US tech companies in urgent cases.
- Discussions are thought to have included what data should be made available, ranging from geolocation information to the contents of private messages.
- Such powers would only be used in “emergency” situations, and safeguards would require police to ensure that each request is “necessary” and “proportionate.”
- A proposal is expected to be put forward by the end of the year.
- It would mark a sharp reversal in long-standing policy by the Europeans, who have praised the use of mutual legal assistance treaties – the formal process of asking a foreign government for citizen data to help with an active investigation.
- While US tech companies are obliged to respond to foreign police, their requests are often delayed by a slow and bureaucratic government process.
*Source: ZDNet, June 08, 2017
Target’s Legal Fallout from Data Breach Has Limited Impact on Shopping Habits*:
- Target Corp. is still dealing with the legal fallout from its massive 2013 data breach, but the company is keeping its head above water when it comes to public sentiment.
- The company last month reached an $18.5 million settlement with 47 states over the data breach that affected as many as 70 million customers.
- Target had already settled with financial institutions for roughly $39.4 million.
- The most recent legal action had little impact on shoppers’ habits though; when informed of the settlement and Target’s promise to beef up its digital security, 39% of US adults said that doesn’t make them more or less likely to shop at Target in the next six months.
- 28% of poll respondents said they think Target is taking the right steps to keep data secure.
- The poll was conducted a week after Target announced the multi-state settlement, which consists of efforts to keep customer information safe and independent evaluations of how the company is handling shoppers’ data.
- People’s loyalty toward their favorite brands is put to the test whenever personal data is at stake.
- Yahoo Inc. took a 10 percentage point hit to its favorability in the weeks after it revealed that a data breach compromised more than 1 billion Yahoo accounts.
- In the week following Target’s most recent settlement tied to its data breach, the company’s favorability rose 4 percentage points to 76 percent.
*Source: Morning Consult, June 08, 2017
Why You Must Patch the New Linux Sudo Security Hole*:
- Linux is the best-known and most-used open source operating system.
- As an operating system, Linux is software that sits underneath all of the other software on a computer, receiving requests from those programs and relaying these requests to the computer's hardware.
- If you want your Linux server to be really secure, you defend it with SELinux.
- Sudo enables users to run commands as root or another user, while simultaneously providing an audit trail of these commands, and is essential for daily Linux work.
- A security company discovered that this essential command can be abused to give the user full root user capabilities, but only on systems with SELinux enabled.
- On an SELinux-enabled system, if a user is allowed by sudoers to run a command that does not itself grant full root privileges, that user can overwrite any file on the filesystem with the command's output and thereby obtain full root privileges.
- The security hole exists in sudo 1.7.10 through 1.7.10p9 inclusive and sudo 1.8.5 through 1.8.20p1 inclusive, so all Linux distributions released in the last five years are vulnerable to this attack.
- The good news is patches are available for almost all significant server Linux distributions; if you haven’t patched your server yet, do so.
*Source: ZDNet, June 05, 2017
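A quick check against the two version ranges quoted above, added here as an example and not taken from the article or from the sudo project: it parses upstream sudo version strings (a bare "1.8.20p1" or the first line of `sudo -V`) into comparable tuples and reports whether they fall inside either inclusive range. The sample banners are constructed, not captured from a real host.

```python
import re
import subprocess
from typing import Tuple

# Inclusive vulnerable ranges as quoted in the article:
# sudo 1.7.10 .. 1.7.10p9 and sudo 1.8.5 .. 1.8.20p1.
# Versions compare as (major, minor, patch, plevel); a version with no
# "pN" suffix gets patch level 0, so 1.8.20 sorts below 1.8.20p1.
VULNERABLE_RANGES = [
    ((1, 7, 10, 0), (1, 7, 10, 9)),
    ((1, 8, 5, 0), (1, 8, 20, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '1.8.20p1' or a full `sudo -V` banner ('Sudo version 1.8.20p1')."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no sudo version string found in {text!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_vulnerable_upstream_version(text: str) -> bool:
    """True if the upstream version falls inside either published range."""
    version = parse_sudo_version(text)
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def check_installed_sudo() -> str:
    """Run `sudo -V` on this host and classify the first line of its output."""
    try:
        banner = subprocess.run(["sudo", "-V"], capture_output=True,
                                text=True, check=False).stdout.splitlines()[0]
    except (FileNotFoundError, IndexError):
        return "sudo not found"
    if is_vulnerable_upstream_version(banner):
        return f"{banner}: inside the published vulnerable ranges"
    return f"{banner}: outside the published vulnerable ranges"


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real host.
    samples = ["Sudo version 1.8.20p1", "Sudo version 1.8.20p2",
               "Sudo version 1.7.10p9", "Sudo version 1.7.10p10",
               "Sudo version 1.8.4", "Sudo version 1.8.21"]
    for sample in samples:
        print(sample, "->", is_vulnerable_upstream_version(sample))
    print(check_installed_sudo())
```

Distribution packages routinely backport fixes without changing the upstream version number, so a match here is a prompt to consult the distribution's own advisory, not a final verdict.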
Gaining Insight Into How Cyber Insurers Understand and Price Risk*:
- Cyber insurance is a broad term for insurance policies that address first- and third-party losses resulting from a computer-based attack or malfunction.
- Despite the strong growth of the cyber insurance market over the past decade, insurance carriers are still faced with a number of key challenges: How to develop competitive policies that cover common losses but exclude risky events? How to assess the variation in risks across insureds?
- The research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed.
- The application questionnaires provide insights into the security technologies and management practices that are examined by carriers.
- However, information about the security posture of third-party service and supply chain providers is notoriously difficult to assess properly, despite numerous breaches originating from such compromises.
- Many policies examined used a very simple, flat-rate pricing, based simply on expected loss, while others incorporated more parameters, such as the firm’s asset value, revenue, and industry type.
- More sophisticated policies also included specific information security controls and practices as collected from the security questionnaires.
*Source: IAPP, June 09, 2017