Friday Five: 10/5 Edition
Bloomberg's supply chain compromise story scandal, the crisis of election security, and selling patient data on the darkweb. Dig into some of the week's best infosec stories with this roundup.
1. The Crisis of Election Security by Kim Zetter
This article got posted to the New York Times’ website last week but we’d be remiss in omitting it here. Plus if we’re really nit-picking it wasn’t published in the paper until this past Sunday when it surfaced in the New York Times Magazine. Veteran cybersecurity scribe Kim Zetter does a great job going deep on voting security, a topic she’s quite familiar with, having written about several times in the last 10 years. There are some great stats here, like the fact there are 350,000 voting machines in use across the country, and that Congress has allocated $380 million to states to pay for security upgrades with regards to voting security. When it comes down to it there are two sobering truths to Zetter's piece: The fact that it will likely take two more years to see some real movement when it comes to technology, and the fact that whatever changes get made they'll still run on components that don't get tested for vulnerabilities.
2. Apple’s Tim Cook is sending a privacy bat-signal to US lawmakers by Natasha Lomas
Perhaps it’s because we’re just as much of an Apple nerd as we are a data protection nerd but this headline, via Techcrunch, caught our eye on Wednesday. The company's CEO Tim Cook will give the keynote at the International Conference of Data Protection and Privacy Commissioners, a conference put on by the European Data Protection Supervisor authority. Apple has made its stance on data privacy crystal clear over the last few years but it will still be interesting to see if Cook drops any nuggets of wisdom around GDPR or California's recently passed sweeping data privacy bill. Crossing our fingers this will be live streamed.
3. Fork Over Passwords or Pay the Price, New Zealand Tells Travelers by Charlotte Graham-McLay
Okay, another New York Times story but it’s on something that could have potentially disastrous privacy/security implications if ever widespread adopted. New Zealand this week said it would begin fining travelers who refuse to hand over passwords for their devices upon entering the company. The fines could reach in excess of $3,000. According to a spokesman with the country's customs agency, once a traveler hands over their password, a search could be carried out and that looks at files saved to the device, but not website histories. New Zealand Customs aren't going to start collecting every travelers' passwords; they'd have to suspect travelers of either possessing objectionable material, child pornography, or committing drug offenses or financial crimes. As you can imagine the move has garnered its fair share of criticism, especially from civil liberties and privacy advocates who stress that many individuals carry industry data, intelligence, and intellectual property on our personal devices that could be severely impacted if access is misused.
4. Bupa fined after rogue employee put customers' information up for sale on the dark web in stunning data breach by Leontina Postelnicu
Okay, so the headline’s a little heavy handed. Stunning data breach? Let’s just call it what it is, an insider threat. Companies, especially those that parse vast amounts of health data like Bupa, an international private healthcare group, need to exercise caution and ensure security measures are in place when it comes to protecting customer information. In Bupa's case an employee at the company accessed SWAN, the company's customer relationship management system and stole data on 500,000 patients, including their names, dates of birth, nationality and email addresses. The employee sent the data to his personal email account then attempted to sell the data on the darkweb. According to the UK'S Information Commissioner's Office Bupa wasn't actively monitoring the SWAN activity log and didn't realize there had been unusual activity, in this case the extraction of large amounts of data, until after it had been taken.
5. The Big Hack: Statements From Amazon, Apple, Supermicro, and the Chinese Government by Jordan Robertson and Michael Riley
No doubt the biggest (and hotly contested) story of the week broke early Thursday morning when Bloomberg Businessweek reported that chips manufactured by Super Micro, a server company had been hacked in a Chinese supply chain compromise, something that ultimately impacted hardware used by Apple and Amazon. We'll spare you the specifics - if you're interested you can head here for all 5,000 words of it – but the most interesting part of the story isn’t the story itself, it’s whether or not it’s actually true. On one hand the article is apparently years in the making, well-sourced, and has had its claims vetted by former national security officials. On the other hand it's based on 17 anonymous sources - which is understandable given the sensitivity of the topic - but troublesome from a journalistic standpoint. Apple, Amazon, and Supermicro pushed back hard in response to the piece on Thursday, publishing comprehensive criticisms disputing Bloomberg's reporting, flat out denying the report. It could be weeks until the real story comes to light.