Gotta feel kind of bad for nation-state hackers who spend years implanting and cultivating some hardware exploit, only to discover the entire target database is already exposed to anyone with a web browser.

(Via xkcd)

‘bout right.

Granted, this is not the most egregious lapse CBP and its ecosystem have wrought. But it might be the one that gets traction.

US Customs Contractor Hack Breaches Traveller Images:

US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.

The controversial agency first learned of the “malicious cyber-attack” on May 31.

And we know this was a “malicious cyber-attack” exactly how? 

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

“Security by contract” isn’t a thing. And the data was breached … how?

(Via Infosecurity); also reported in many other places, I’m sure.

CBP and the Transportation Security Administration (TSA) both fall under the Department of Homeland Security (DHS). Their collective track record on privacy, cybersecurity, and basic physical security leaves much to be desired.

Which leaves me scratching my head about why Delta asks their customers to risk their unchangeable data in a breach for convenience. And, to be clear, the convenience of the boarding gate scanners at some US airports is not for the passengers – it’s for Delta.

I always opt out. Not a U.S. citizen? Or you are but maybe your name (or one like yours) is on a watchlist? I have nothing for you, I’m afraid.

Back to the breach! Thank goodness the CBP is now on the case. Per the Atlantic,

CBP claims they’ve already conducted a search, but haven’t found any of the stolen images on the dark web, where hackers sometimes post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that was stolen. Perceptics did not immediately respond to a request for comment.

And how do we know which third-party vendor left this data vulnerable? The CBP told us by way of the Washington Post:

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

Perceptics representatives did not immediately respond to requests for comment.

CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.

This whole thing – from prevention to protection to monitoring to response to recovery – was manageable. Yet another takeaway is that CBP has no Incident Response Plan (IRP) at even the most basic level. How do we know? Otherwise they would not have sent the press a Word document titled with the name of the vendor that is the source of the leak.

It also calls into question the whole idea of a “malicious cyber-attack”. It seems more likely that Perceptics, the alleged source of the data leak, failed to safeguard data its contract said it shouldn’t have access to, yet somehow acquired from CBP without CBP’s knowledge.

Hanlon’s Razor says to never attribute to malice that which is adequately explained by stupidity. Maybe the corollary in this case is never attribute to “malicious cyber-attack” that which is adequately explained by opportunism met by trivial, if any, security? I merely speculate … 

Why do I feel a bunch of SSSS branded boarding passes in my future?

Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information:

Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the [U.S.] state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens’ personal information that it stores.

The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefits to about 1,000 people.

Thomas McConnell, whose details appeared on the spreadsheet, … had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was ‘negligence’ — dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell’s claim that Georgia recognizes a “common law duty ‘to all the world not to subject others to an unreasonable risk of harm'” (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.

Furthermore, the existing identity theft statute does not explicitly require anything from the data storer, while the statute restricting disclosure of social security numbers only applies to intentional disclosures and not accidental exposures as appeared here.

The fiduciary duty claim was then dismissed because no public officer stood to gain from the incident, and there was no special relationship of confidence between McConnell and the Department.

Finally, the allegation of an invasion of privacy was rejected. The Supreme Court ruled that “the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department. This kind of information does not normally affect a person’s reputation, which is the interest the tort of public disclosure of embarrassing private facts was meant to remedy.”

(Via SecurityWeek RSS Feed)

Georgia is setting a bad precedent. Municipalities and government agencies are being targeted for exactly this type of data. The idea that Georgia law only offers redress for actions of a malicious insider while providing for a “whoopsie” defense is absurd. 

Progress in Cybersecurity: Toward a System of Measurement by Paul Rosenzweig:

How do we quantify safety and security? That fundamental question underlies almost all modern national security questions (and, naturally, most commercial questions about risk as well). The cost/benefit analysis inherent in measuring safety and security drives decisions on, to cite just a few examples, new car safety devices, airplane maintenance schedules and the deployment of border security systems. In a world where resources are not infinite, some assessment of risk and risk mitigation necessarily attends any decision–whether it is implicit in the consideration or explicit.

What is true generally is equally true in the field of cybersecurity. Governments, commercial actors and private citizens who are considering new deployments of cybersecurity measures either explicitly or implicitly balance the costs to be incurred–whether monetary or in terms of disruptions caused by changes to enterprise and resulting (temporary) reductions in efficiency–against the benefits to be derived from the new steps under consideration.

The problem with this rather straightforward account of enterprise decisionmaking is that no universally recognized, generally accepted metric exists to measure and describe cybersecurity improvements. Unfortunately, for too many, cybersecurity remains more art than science.

Decisionmakers are left to make choices based upon qualitative measures, rather than quantitative ones. They can (and do) understand that a new intrusion detection system, for example, improves the security of an enterprise, but they cannot say with any confidence by how much it does so. Likewise, enterprise leadership can, and does, say that any deployment of a new system (say, an upgrade to an accounting package) will bring with it risks that unknown or previously non-existent vulnerabilities might manifest themselves. Yet, again, they cannot with confidence ask to what degree this is so and measure the change with confidence.

This challenge is fundamental to the maturation of an enterprise cybersecurity model. When a corporate board is faced with a security investment decision, it cannot rationally decide how to proceed without some concrete ability to measure the costs and benefits of its actions. Nor can it colorably choose between competing possible investments if their comparative value cannot be measured with confidence. Likewise, when governments choose to invest public resources or regulate private sector activities, they need to do so with as much information as possible–indeed, prudence demands it.

Because the problem of measuring cybersecurity is at the core of sound policy, law and business judgment, it is critical to get right. The absence of agreed-upon metrics to assess cybersecurity means many companies and agencies lack a comprehensive way to measure concrete improvements in their security. We should strive toward an end state where investment and resource allocation decisions relating to cybersecurity are guided by reference to one (or more than one) generally accepted, readily applicable method of measuring improvements in cybersecurity.

It is a good read focused on software.

One of the challenges of a security program, of course, is how to measure objectively how well the program is working.

It’s not often I can write a piece about cybersecurity that is generally optimistic. But these two new efforts do make me smile a bit.

So true.

Japan folks, please pay attention!

Hackers Access Over 461,000 Accounts in Uniqlo Data Breach:

Fast Retailing, the company behind multiple Japanese retail brands, announced that the UNIQLO Japan and GU Japan online stores have been hacked and third parties accessed 461,091 customer accounts following a credential stuffing attack.

As detailed in the official statement issued by Fast Retailing following the security breach, the credential stuffing attack which led to the data breach took place between April 23 and May 10, 2019, with the number of compromised accounts possibly being higher seeing that the investigation has not yet concluded.

“While the number of incidents and circumstances may change during the course of the investigation, Fast Retailing is today providing notice of the facts as determined at the present time, and the company’s response,” says Fast Retailing.

The company also listed the customer information which got accessed during the attack:

• Customer name (last name and first name)
• Customer address (postal code, address, and apartment number)
• Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
• Receiver name (last name and first name), address, and phone number
• Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.

On May 13, Fast Retailing disabled the account passwords of 461,091 UNIQLO Japan and GU Japan online shop customers and started sending emails to all affected individuals to reset their passwords.

Fast Retailing discovered the breach after multiple customer reports of weird account activity and blocked the attackers from accessing the company’s computing systems, while also “strengthening monitoring of other access points.”

“Fast Retailing has also filed a report of damages regarding the unauthorized logins with the Tokyo Metropolitan Police,” states the data breach notification.

The company concludes the data breach notification [EN, JP] by asking all its customers to change their passwords especially if they’re also using them on other online platforms:

Fast Retailing is therefore requesting everyone who uses the same user ID or password with other services, not just the customers who have been contacted individually, to change their passwords immediately. The company recognizes that protecting customer information is a matter of the highest priority, considering this incident extremely serious, and is strengthening monitoring of unauthorized access, as well as taking other steps to further ensure that customers are able to shop with safety.

Customers who want more details regarding the data breach can contact the company’s customer service team using the free-of-charge 0800-000-1022 support phone line “available 9:00-17:00, including weekends and holidays,” or via e-mail at [email protected]

While the number of Fast Retailing online customers is not public, “Internet sales made up 10% of domestic sales in the first half of the company’s current fiscal year,” as Bloomberg initially reported.

(Via BleepingComputer)

I like how fast this was disclosed. I don’t like that I learned about it from a non-Japanese news source.
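Credential stuffing, as in the Uniqlo/GU incident above, leaves a distinctive trace in login logs: one source spraying many different user IDs, most of them failing because the leaked password is stale. The detector below is an added illustration, not Fast Retailing’s code; the log lines, IPs, user IDs and thresholds are all constructed. It flags sources that show that pattern and then lists the accounts that saw a successful login from a flagged source, which is the set a site would force-reset first, mirroring the response described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-shop login events (not real Fast Retailing data):
# timestamp, source IP, user id, outcome. The first source sprays eight
# different user ids in a few seconds; the other two are ordinary users.
SAMPLE_LOG = """\
2019-04-23T02:00:01 198.51.100.7 user001 fail
2019-04-23T02:00:02 198.51.100.7 user002 fail
2019-04-23T02:00:03 198.51.100.7 user003 success
2019-04-23T02:00:04 198.51.100.7 user004 fail
2019-04-23T02:00:05 198.51.100.7 user005 fail
2019-04-23T02:00:06 198.51.100.7 user006 success
2019-04-23T02:00:07 198.51.100.7 user007 fail
2019-04-23T02:00:08 198.51.100.7 user008 fail
2019-04-23T08:15:00 203.0.113.9 alice fail
2019-04-23T08:15:20 203.0.113.9 alice success
2019-04-23T09:00:00 203.0.113.10 bob success
"""


def parse_events(text):
    """Parse 'timestamp src user outcome' lines into (datetime, src, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome == "success"))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Return {source: set(user ids)} for sources that, within any sliding
    window, tried at least min_users distinct ids with a low success rate.
    A real user mistyping one password never trips this: one id, not many."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                      # slide the window forward
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged.setdefault(src, set()).update(users)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts with a successful login from a flagged source: their reused
    password is confirmed valid to the attacker, so invalidate it first."""
    return {user for _, src, user, ok in events if ok and src in flagged}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    hits = flag_stuffing_sources(ev)
    print("flagged sources:", sorted(hits))
    print("force password reset for:", sorted(accounts_to_reset(ev, hits)))
```

The thresholds are deliberately simple; in production you would also key on user agent and ASN and treat a high volume of failures against many accounts as a signal even before any login succeeds.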

How IBM X-Force IRIS Prepared for the Ukraine Election:

You may not have been aware there was a presidential election in Ukraine last Sunday, but all eyes in the cybersecurity and intelligence communities were keenly focused on this event. In the past few years, cyberattacks targeting elections in democratic countries, including the U.S., have become increasingly disruptive. And in the past few months, international observers have seen disinformation campaigns attempting to influence the outcome of the Ukraine election.

Leading up to the election, the IBM X-Force Incident Response and Intelligence Services (IRIS) team had been preparing to observe and analyze possible attempts of foreign interference in the election. Although it appears that a major cyber disaster was averted, we were ready for the worst.

… we recognize that the risk of a major cyberattack on Ukraine could be the bleed-over to the rest of the world. IBM Security has many clients, including some of the largest financial and logistics companies, that need to be resilient in an attack or face potential damages in the millions or hundreds of millions of dollars. We needed to prepare a response to go at a moment’s notice.

Well in advance of the first round of the Ukraine election in March, we decided that we couldn’t afford to sit on our heels until an attack was launched. We began to operationalize a plan for responding to anything that we could conceive of happening before or after the election event. I ordered the creation of an incident command center team, comprised of top experts across the IBM company, that was on alert and could be stood up immediately if needed. This team operated outside of the traditional organizational structure.

Now that we have moved from an alert posture back to a normal readiness stance, I can share a little bit from behind the scenes about how we prepared. I’ll also describe what organizations can do to evolve their security posture from a reactive stance to a more proactive and predictive security posture.

I don’t often post articles about IBM Security (full disclosure: my employer) but I like Caleb’s write-up about this – especially about the C-TOC:

Plus, for the first time since its construction, we had at the ready the X-Force Command Cyber Tactical Operations Center (C-TOC), the industry’s first mobile command center, to assist clients in Europe with investigations and recovery. We had multiple drivers ready to go at a moment’s notice and drive through the night if necessary. The C-TOC gives us unique capabilities in a destructive attack: If a client’s systems go down, we have a sterile platform from which to work, and we travel with our own internet, data center and all the gear we need to accelerate recovery.

It is pretty cool! Check out the whole article for the breakdown on what my colleagues did and some generally good advice around being prepared for the worst.

Road to Adequacy: Can California Apply Under the GDPR? – Lawfare:

Earlier this year, the European Commission, the executive arm of the European Union, recognized Japan’s data protection regime as adequate under the European General Data Protection Regulation (GDPR). Japan is now treated as part of the European Economic Area (EEA) under the GDPR, and data flows from the EEA may be transferred to Japan without any additional safeguards or agreements. This is the first adequacy decision since the GDPR took effect, and it will likely provide a road map for other countries or territories seeking EU approval going forward.

At the same time that Japan’s adequacy determination was being finalized, the California attorney general began hosting seven public forums across the state to allow public comment during the California Consumer Privacy Act (CCPA) pre-rulemaking process. The CCPA, enacted July 28, 2018, and effective Jan. 1, 2020, is modeled on the GDPR, imposing new data protection requirements on certain companies and granting new rights to California residents.

Even before the CCPA was signed into law, the bill sparked speculation about whether California could apply under the GDPR for adequacy. While California has not yet expressed an intention to apply, the state has a history of forging its own path in the absence of federal action. And notably, industry stakeholders at the CCPA public forums requested that the potential CCPA regulations contain a safe harbor provision for GDPR-compliant businesses. In addition, legislation introduced this year to amend the CCPA to more closely align with the GDPR framework—coupled with last year’s stalled efforts to create a California data protection agency—indicates that some state legislators may have a broader vision of the relationship between the two privacy regimes.

But could a single state secure a GDPR adequacy determination even though the United States has not obtained a full adequacy decision? This post considers whether California could apply (based on the factors considered in the recent Japanese adequacy decision) and, importantly, whether any legal barriers exist under the GDPR.

A fascinating read about CCPA and GDPR. The Japan example is a useful one but only to a certain point. Andrei Gribakov’s article is an excellent breakdown of the issues and how this might play out.

✚ Productivity and Promises:

Your productivity and your moral character are not intertwined.

Meaning: Getting things done does not make you a good or better person. And, conversely, failing to be “productive” does not make you a bad person.

… many “productive type things” get thrust upon us by other people. People who have expectations which they’ve projected upon us without our consent!

They want us to reply to their email within their desired timeframe. Or they want us to be available on Slack when they need us. Or whatever.

And then they have the audacity to be disappointed at us when we do not meet their unfair and un-agreed-upon expectations of what they consider to be “productive behavior”.

Well, shame on them. We had better things to do.

(Via Shawn Blanc)

Two Part Job:

Part of your job is to do your job.

But the other main part of your job is to help others feel good about you doing that job.

If you can cause others to be glad that you do what you do, they’ll want you to do it again and they’ll tell their friends.

(Via Gabe The Bass Player)

Mistakes, chatter, and showing up:

The more time we spend trying to build new things or get work that matters done, the more mistakes we are inevitably going to make.

I’ve come to realize that the key is to not let the chatter (both external and internal) about the mistakes and the stuff that is broken to get in the way of showing up every day with enthusiasm.

Every day, we get the opportunity to solve puzzles that involve continually prioritizing between fixing what’s broken, plugging short term gaps, and investing in the long term. We get to do this in our products, in our communities, in our families, and within ourselves.

We (and what we build) are always going to be work in progress. Once we accept that, it follows that the best thing we can do is to make the most of that opportunity and continue to earn it every day.

In the long run, it turns out that becoming is far more important than being.

(Via A Learning a Day)

Wow. That’s … not relatable for a lot of people, IT or otherwise.

My takeaways? Show up and learn from mistakes instead of letting them get in your way. If the rest applies, that’s gravy.