The city of Atlanta operations had been severely crippled and pwned in March 2018, arising from a rather serious and in-depth ransomware attack. This successful attack made the city of Atlanta operations very difficult. The city is still working to recover from this (https://www.helpnetsecurity.com/2018/06/08/wi-fi-phishing-attacks/). On the tail of the issues being remediated, another attack is passively underway. A security firm has detected hundreds of WiFi phishing sites activelyInfoSec, information security, cybersecurity, cyber-security, defenses, static defenses working. Surprisingly these are located not only proximate to the city hall, but also inside of the building. The research firm also detected active attacks in the Georgia State Capital. This is located merely a few blocks away from the Atlanta City Hall.
The attack was detected by the Coronet Secure Cloud Platform. The specific phishing attacks included Evil Twins, Captive Portals, and ARP Poisoning.
This instance brings up the importance of defensive measures. A static, flat defense is not a workable solution presently. The attackers will utilize the most current methods, pivoting to which method works the best for the circumstance. This does come at a cost, however, this is much better than the costs and expenses associated with breaches.
Showing posts with label privacy. Show all posts
Showing posts with label privacy. Show all posts
Wednesday, August 1, 2018
Saturday, July 21, 2018
California Consumer Privacy Act of 2018 Applicability
California recently passed an aggressive data privacy law. The California legislature passed AB375 (The California Consumer Privacy Act of 2018), which by most accounts, is a strong push for consumer privacy. The law, in summary, requires companies collecting consumer data to disclose to the consumer the types of data collected and allowing the consumer the option of opting out from allowing the companies to sell the consumer’s data.
The new California law is a step towards the GDPR. This has much of the same intent, however, does not have the like exact goals, parameters, or negative reinforcement for not complying. Interestingly, the law requires the company to disclose the “category” of the third party receiving the consumer’s data, versus the name of the third party.
Consumers in California will, beginning on January 1, 2020 (the point at which the law takes effect), have the right to know all the data that has been collected for the individual consumer, to not allow their data to be sold, know what type of companies are receive the data, have their data deleted, the sources of the consumer data being sold, and other pertinent, germane facets of their data.
The headlines do indeed portray this as a far-reaching and direct victory for consumer rights. The general consumer thought is of this bringing the Google, Yahoo, and other internet-oriented companies to comply and be more transparent with their wishes. One should actually read the statute to garner a better understanding of the statute’s parameters. The California Consumer Privacy Act of 2018 does indeed affect businesses. As an example, section 1798.105 references a consumer’s right to request a business to delete any of the consumer’s personal information. On the initial reading, this would appear to affect all businesses collecting the personal information of a California citizen.
With this law, in general as it pertains to consumer’s data privacy, a business “...collects consumer’s personal information” (1798.140(c)(1)), has annual gross revenues greater than $25M (1798.140(c)(1)(A)), buys or receives the personal data of at least 50K consumers, households, or devices (1798.140(c)(1)(B), or derives 50% or more of the annual revenue from selling consumer’s personal information (1798.140(c)(1)(C)). As the statute is presently written, the “or” is important. Although this does narrow the potential field of companies having to comply to the statute, this would include the massive companies that comprise most of the work done in this endeavor. This statute also covers any device, which is any equipment that may connect to the internet or another device.
Embedded Devices
Embedded devices are throughout many industries and utilized with many devices consumers are in contact with daily, including vehicles. The connected vehicles have many opportunities to collect a consumer’s private information. If the person were to connect their cell phone to the vehicle with an app, the person’s contact list, smartphone call history, locations visited previously, credit card numbers, and other relevant data could be collected or in the least pass through the modules. With IoT devices, there may be present a portion of this data and other data points deemed confidential. These are only two examples of the many possible scenarios. In the present capacity, there is no legal advice and this is my opinion only, however, seemingly this new statute would apply to the embedded systems in vehicles, IoT devices, and other like devices collecting, processing, or managing a consumer’s private information and data in California. At this junction, this point is more of conjecture and to begin the thought process.
Is this were to be applicable to these systems, there would need to be completed much updating to the code for the present and future hardware, the affected policies, and noticing functions for the consumers.
Resources
California Legislative Information. (2018). Bill text - AB-375 Privacy: personal information: business. Retrieved from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
California Privacy. (n.d.). Californians for consumer privacy applauds successful passage of groundbreaking legislation. Retrieved from https://www.caprivacy.org/
Lecher, C. (2018, June 28). California just passed one of the toughest data privacy laws in the country. Retrieved from https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
The new California law is a step towards the GDPR. This has much of the same intent, however, does not have the like exact goals, parameters, or negative reinforcement for not complying. Interestingly, the law requires the company to disclose the “category” of the third party receiving the consumer’s data, versus the name of the third party.
Consumers in California will, beginning on January 1, 2020 (the point at which the law takes effect), have the right to know all the data that has been collected for the individual consumer, to not allow their data to be sold, know what type of companies are receive the data, have their data deleted, the sources of the consumer data being sold, and other pertinent, germane facets of their data.
The headlines do indeed portray this as a far-reaching and direct victory for consumer rights. The general consumer thought is of this bringing the Google, Yahoo, and other internet-oriented companies to comply and be more transparent with their wishes. One should actually read the statute to garner a better understanding of the statute’s parameters. The California Consumer Privacy Act of 2018 does indeed affect businesses. As an example, section 1798.105 references a consumer’s right to request a business to delete any of the consumer’s personal information. On the initial reading, this would appear to affect all businesses collecting the personal information of a California citizen.
With this law, in general as it pertains to consumer’s data privacy, a business “...collects consumer’s personal information” (1798.140(c)(1)), has annual gross revenues greater than $25M (1798.140(c)(1)(A)), buys or receives the personal data of at least 50K consumers, households, or devices (1798.140(c)(1)(B), or derives 50% or more of the annual revenue from selling consumer’s personal information (1798.140(c)(1)(C)). As the statute is presently written, the “or” is important. Although this does narrow the potential field of companies having to comply to the statute, this would include the massive companies that comprise most of the work done in this endeavor. This statute also covers any device, which is any equipment that may connect to the internet or another device.
Embedded Devices
Embedded devices are throughout many industries and utilized with many devices consumers are in contact with daily, including vehicles. The connected vehicles have many opportunities to collect a consumer’s private information. If the person were to connect their cell phone to the vehicle with an app, the person’s contact list, smartphone call history, locations visited previously, credit card numbers, and other relevant data could be collected or in the least pass through the modules. With IoT devices, there may be present a portion of this data and other data points deemed confidential. These are only two examples of the many possible scenarios. In the present capacity, there is no legal advice and this is my opinion only, however, seemingly this new statute would apply to the embedded systems in vehicles, IoT devices, and other like devices collecting, processing, or managing a consumer’s private information and data in California. At this junction, this point is more of conjecture and to begin the thought process.
Is this were to be applicable to these systems, there would need to be completed much updating to the code for the present and future hardware, the affected policies, and noticing functions for the consumers.
Resources
California Legislative Information. (2018). Bill text - AB-375 Privacy: personal information: business. Retrieved from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
California Privacy. (n.d.). Californians for consumer privacy applauds successful passage of groundbreaking legislation. Retrieved from https://www.caprivacy.org/
Lecher, C. (2018, June 28). California just passed one of the toughest data privacy laws in the country. Retrieved from https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
Subscribe to:
Posts (Atom)