June 9, 2022
The National Institute of Standards and Technology (“NIST”) has released Measuring the Common Vulnerability Scoring System Base Score Equation for comment. It is a particularly useful document in that calculating the severity of information technology vulnerabilities permits prioritisation of remediation techniques. It also helps to understand the risk of a vulnerability.
The abstract Read the rest of this entry »
Posted in Privacy
June 8, 2022
The Singapore Privacy Commissioner has launched a free Data Anonymisation tool. Anonymisation is an important part of privacy protection, particularly in relation to the preparation of data sets. It is also quite a contested issue.
The statement provides:
The PDPC has launched a free Data Anonymisation tool to help organisations transform simple datasets by applying basic anonymisation techniques. An infographic that provides guidance on how to use the tool is also included.
and Read the rest of this entry »
Posted in Privacy
The National Institute of Standards and Technology (“NIST”) has released Engineering Trustworthy Secure Systems for public comment. It is a very useful document for those interested in privacy and cyber security in that it provides a framework for analysis.
This guide has been produced pursuant to a Presidential Executive Order of 12 May 2021 titled Improving the Nation’s Cybersecurity, EO 14028.
The key elements of that executive order Read the rest of this entry »
Posted in Legal, Practical issues, Privacy
June 5, 2022
The USA stands alone amongst first world countries in not having federal legislation regulating the collection and use of personal information. That may soon change. The draft American Data Privacy and Protection Act was released by both House and Senate leaders on 3 June 2022. It is a bipartisan discussion draft data privacy bill.
The Act is an advance on many previous efforts because it has bipartisan support and incorporates compromise positions on state law preemption and enforcement.
The statement from the US Senate Committee on Commerce, Science and Transportation provides:
WASHINGTON – U.S. Senator Roger Wicker, R-Miss., Ranking Member of the Senate Committee on Commerce, Science, and Transportation, and U.S. Representatives Frank Pallone, Jr. D-N.J., and Cathy McMorris Rodgers, R-Wash., Chairman and Ranking Member of the House Committee on Energy and Commerce, today released a discussion draft of a comprehensive national data privacy and data security framework. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.
“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” Wicker, Pallone, and Rodgers said. “In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data. We welcome and encourage all of our colleagues to join us in this effort to enable meaningful privacy protections for Americans and provide businesses with operational certainty. This landmark agreement represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections. Read the rest of this entry »
Posted in Privacy
Tim Hortons is a Canadian fast food outlet specialising in take away coffees and snacks. It has a large presence in Canada. It heavily promotes its apps to allow customers to order their beverages and food by phone.
The Privacy Commissioner of Canada has found that the Tim Hortons app violated privacy laws in collecting vast amounts of sensitive location data. The app permitted Tim Hortons to track and record users’ movements every few minutes even when the app was not open. Tim Hortons asked for permission to access geolocation functions but misled users, who thought that access would be used only when the app was open. In fact the location data was collected even when the app was not open. As long as the device was on, data was collected. Tim Hortons only stopped the practice when the Privacy Commissioner began to investigate.
Collection on this scale would give Tim Hortons an enormous amount of raw data from which, with the right algorithms, it could determine where users lived, where they worked and even when they used a competitor’s product. The question of proportionality was raised by the Privacy Commissioner, and appropriately so. In the Australian context the issue is whether the purpose for the collection of that vast amount of data relates to the ordering and purchasing of coffee.
It is no surprise that the Privacy Commissioner found there wasn’t a “robust privacy management program for the app.” It is a fairly typical story to see the majority of the work being focused on developing the functionality of the app and making it as attractive to users as possible, and considering privacy protections as Read the rest of this entry »
Posted in Canadian Privacy Commissioner, Privacy
June 4, 2022
May 2022 was hardly a banner month for cyber security. IT Governance has identified 77 security breaches in May 2022 resulting in 49,782,129 compromised records, a polite term for hackers accessing information.
The highlights are:
- Hackers stole records of 22.5 million Malaysians from the National Registration Department and are looking to sell the data for US$10,000;
- A successful phishing attack at the Australian pension provider Spirit Super affected 50,000 victims. The attack was made through an employee’s email account. The information involved included names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020);
- Chicago Public Schools was hit with a data breach exposing four years’ worth of records, involving 560,000 students and employees;
- Breastcancer.org, a breast cancer charity, suffered a data breach which exposed 350,000 files totalling 150 GB of data. The compromised data included sensitive images of website users;
- The National Population Commission of Nigeria suffered a theft of birth certificates;
- In South Australia more than 90,000 public servants had their personal information stolen;
- IKEA Canada had a data breach involving the personal information of 95,000 customers.
Read the rest of this entry »
Posted in Privacy
The National Institute of Standards and Technology (“NIST”) has released Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture”. This guide shows how commercially available technology is being used to build interoperable, open standards-based ZTA example implementations that align with the principles of Zero Trust Architecture.
The Abstract provides:
The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. The workforce is more distributed, with remote workers who need access to resources anytime, anywhere, and on any device, to support the mission. Enterprises must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications. Read the rest of this entry »
Posted in Privacy
May 28, 2022
Verizon has just released its 2022 Data Breach Investigations Report, which shows that ransomware has grown 13% year on year in 2022. The report is valuable because it records trends in ransomware attacks.
The report states:
- The four main ways of gaining access to an organisation’s online estate are:
- misuse of credentials,
- phishing,
- exploiting vulnerabilities, and
- botnets.
- Error continues to be a dominant trend, and is heavily influenced by misconfigured cloud storage.
- The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
- Data compromises are considerably more likely to result from external attacks than from any other source.
- 80% of breaches are caused by individuals external to the organisation.
Read the rest of this entry »
Posted in General, Privacy
The Federal, State and Territory Information Commissioners have released a joint statement regarding the handling of personal information in the form of historical records. The statement provides:
Information Access and Privacy regulators from across Australia have issued a joint statement to mark National Sorry Day (26 May).
Australian Information Access Commissioners and Privacy Authorities recognise the important role of historical records in truth telling and sharing history, intergenerational healing, redress and reparations for Stolen Generation survivors and their families. Read the rest of this entry »
Posted in Privacy
May 27, 2022
The National Institute of Standards and Technology (“NIST”) has issued a guideline Blockchain for Access Control Systems.
The abstract provides:
The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.
Blockchain systems provide an alternative (or complementary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »
Posted in Big Data, General, Practical issues