National Institute of Science and Technology releases Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

May 5, 2022

The National Institute of Science and Technology (“NIST”) today released NISTIR 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases.

The abstract provides:

In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.

The report is aimed at security professionals on the technical side; however, anyone involved in privacy and data protection would benefit from it.

It is, as is common with NIST reports and guides, a voluminous document, at 94 pages, making

Cybersecurity authorities publish a joint advisory on most frequently exploited vulnerabilities

May 3, 2022

The Cybersecurity and Infrastructure Security Agency (‘CISA’) along with:

  • the Federal Bureau of Investigation (‘FBI’),
  • National Security Agency (‘NSA’),
  • Australian Cyber Security Centre (‘ACSC’),
  • Canadian Centre for Cyber Security (‘CCCS’),
  • New Zealand National Cyber Security Centre (‘NCSC’), and the UK’s National Cyber Security Centre (‘NCSC’),

has published a joint cybersecurity advisory, titled ‘2021 Top Routinely Exploited Vulnerabilities’.

The advisory provides a detailed overview of the 15 most commonly exploited cybersecurity vulnerabilities and exposures of 2021.

The advisory aims to help organisations prioritise their mitigation strategies, and highlights the importance of prioritising several mitigation measures related to:

  • vulnerability and configuration management;
  • identity and access management; and
  • protective controls and architecture.

The  press release relevantly provides:

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory today on the common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021.

Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies.

Google reveals a privacy friendly side with announcements on changes to cookies policy, action against doxxing and removal of images policy

Google has been attracting some plaudits for being responsive to concerns about privacy abuses. In October 2021 Google started allowing people under 18, or their parents, to request deletion of their photos from search results. Users must specify that they want Google to remove “Imagery of an individual currently under the age of 18” and provide some personal information, the image URLs and the search queries that would give rise to the results. Google also now allows requests to remove non-consensual explicit or intimate personal images from Google, along with involuntary fake pornography.

It is pleasing that these changes have been made of Google’s own volition, but they were made at a time of regulator pressure and adverse findings by the CNIL regarding the use of Google Analytics.

Recently Google announced its plan to include a “reject all” button on cookie banners. Google is now giving consumers more choice and control over how their data is tracked.

The UK Information Commissioner is chuffed, stating:

“We welcome news of Google’s revised approach to cookie consent. It’s a change we’ve been seeking through our ongoing discussions with Google and broader adtech work. The new ‘reject all’ option gives consumers greater control and balance of choice over the tracking of their online activity.

“There’s still a long way to go to address concerns around consent across the whole online advertising industry, but short term, we expect to see industry following Google’s lead to provide clearer choices for consumers. This is only a first step; current approaches to obtaining cookie consent need further revision in order to provide a smoother and increasingly privacy-friendly browsing experience.”

As of this week Google has updated its personal information removal policy to allow doxxing victims to remove personally identifiable information from search results.

The statement from Google, per

Dutch Data Protection Office fines the Dutch Ministry 565,000 Euros for data protection breaches.

The difference between Australian privacy regulation and European regulation under the General Data Protection Regulation has been well known. The protections are greater under the GDPR than under Australia’s Privacy Act 1988, and the size of the fines is much greater. That is made clear by the Dutch Data Protection Authority imposing a fine of 565,000 Euros on the Ministry of Foreign Affairs for violations of Articles 13(1)(e) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

The media release provides:

The Dutch Data Protection Authority (DPA) fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.

NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties.

Ransomware attacks surging after a briefish end of year pause

April 30, 2022

Ransomware attacks have surged early this year, according to DataBreachToday in Cybercrime: Ransomware Attacks Surging Once Again, based on a report by the NCC Group. Its findings are that:

  • Ransomware attacks increased 53% compared with February, representing continued growth since the start of the year
  • The most targeted sectors continue to be Industrials (34%), Consumer Cyclicals (21%), and Technology (7%)
  • The most targeted regions were North America (44%) and Europe (38%) – a return to the usual split after seeing both regions with a similar number of victims in February
  • The most prolific ransomware variants were again Lockbit 2.0 (96 victims) and Conti (71 victims)

An interesting, and worrying, development is that the percentage of data being restored after paying the demanded ransom has dropped. On average only 61% of the data is restored, whereas 65% was restored in 2020. The key caveat to reporting on ransomware is that the figures are notoriously spongy. Many affected businesses don’t report attacks if they pay the ransom.

To show that the threat is real in the US, the ransomware group going by the name Conti posted on the dark web data belonging to Elgin County, which had been hit by a ransomware attack. Yesterday Austin Peay State University admitted to being a victim of a ransomware attack. This is the twelfth US institute of higher education to be successfully targeted by ransomware gangs

Australian Competition and Consumer Commission releases 4th interim report as part of its Digital Platform Services Inquiry, raising privacy issues on collection of data

April 29, 2022

Yesterday the Australian Competition and Consumer Commission (“ACCC”) released Interim Report No s – General online retail marketplaces.

In broad compass the report covers, as its brief description states:

  • intensity of competition in the relevant markets
  • trends in online shopping and general online retail marketplaces
  • the conduct of marketplaces in their roles as platforms to facilitate interaction between third party sellers and consumers, including, where marketplaces also supply their own products on their platform, the impact that these sales and associated practices may have on competition with third-party sellers
  • relationships between marketplaces and third party sellers
  • relationships between marketplaces and consumers, as well as third party sellers and consumers.

The report necessarily deals with the issue of data collection and privacy. It does not contain any new insight or previously unknown fact or issue; however, it does synthesise and summarise the relevant issues. All too often these issues are not considered with this level of focus. In that regard it relevantly states

Singapore Privacy Commissioner imposes $35,000 financial penalty for failing to put in place reasonable data security, which resulted in a data breach involving theft of 1.26 million users’ personal information.

April 27, 2022

The Singapore Personal Data Protection Commission has imposed a $35,000 fine on GeniusU for failing to prevent unauthorised access to, and exfiltration of, the personal information of 1.26 million users. It is a significant data breach for Singapore in terms of the number of individuals affected: Singapore has a population of a little over 5 million.

As is all too common, there was more than one mistake in GeniusU’s cybersecurity setup. The likely entry was through the use of a developer’s password. Once in, it was easy to exfiltrate the data, which was stored in the codebase of its GitHub environment.

The decision summary relevantly

National Institute of Standards and Technology releases preliminary guide on 5G security; cyber security

April 26, 2022

The National Institute of Standards and Technology has released a preliminary draft guide on ensuring the transition from 4G to 5G is properly managed, in particular dealing with adequate cyber and cloud security and privacy protections.

As is to be expected, this 83-page document is highly technical; however, it is a valuable asset for those practising in the privacy and cybersecurity space.

The Abstract provides:

Organizations face significant challenges in transitioning from 4G to 5G usage, particularly the need to safeguard new 5G-using technologies at the same time that 5G development, deployment, and usage are evolving. Some aspects of securing 5G components and usage lack standards and guidance, making it more challenging for 5G network operators and users to know what needs to be done and how it can be accomplished. To address these challenges, the NCCoE is collaborating with technology providers to develop example solution approaches for securing 5G networks. This NIST Cybersecurity Practice Guide explains how a combination of 5G security features and third-party security controls can be used to implement the security capabilities organizations need to safeguard their 5G network usage.

It defies easy summation.

In the broad, the proposed

National Institute of Standards and Technology releases 3 guidelines: Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Machine Identity Management and Protection, and Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms

April 22, 2022

Yesterday the National Institute of Standards and Technology (“NIST”) released Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms, and Hardware-Enabled Security: Machine Identity Management and Protection.

The guides are highly technical but include useful practical methodologies on cybersecurity. They are a valuable resource. In Australia there is nothing equivalent at this level of detail.

Trusted Cloud

The abstract

National Institute of Standards and Technology releases guide on “Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control”

April 19, 2022

It is a sign of how mainstream satellites have become, and how much a part of the consumer economy they are, that the National Institute of Standards and Technology (“NIST”) has started the process of developing cybersecurity guidelines relating to the operation of satellites. NIST has released “Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control”.

While the number of satellite operators is relatively, if not absolutely, small, guides such as these have a broader application for those who take cybersecurity seriously.

The NIST abstract provides:

Space operations are increasingly important to the national and economic security of the United States. Commercial space’s contribution to the critical infrastructure is growing in both volume and diversity of services, as illustrated by the increased use of commercial communications satellite (COMSAT) bandwidth, the purchase of commercial imagery, and the hosting of government payloads on commercial satellites. The U.S. Government recognizes and supports space resilience through numerous space policies, executive orders, and the National Cyber Strategy. The space cyber-ecosystem is an inherently risky, high-cost, and often inaccessible environment consisting of distinct yet interdependent segments. This report applies the NIST Cybersecurity Framework to the ground segment of space operations with an emphasis on the command and control of satellite buses and payloads.

The objectives of the guide