Facebook

Crossing the Compliance Chasm

There is a wide gap between regulatory compliance mandates and practical implementation and enforcement that I like to call the “Compliance Chasm”. That chasm is defined by the activity to protect consumers and consideration for the economic and operational impact on business enterprises. Finding that balance requires thought, not the more popular whack-a-mole enterprise strategy that reacts to new compliance mandates.

The frequency and size of regulatory fines for non-compliance are rising. In January 2023, Meta was fined $418 million for GDPR violations by Meta properties Facebook and Instagram. Ireland’s Data Protection Commission followed up in May that same year with a $1.3 billion fine for additional violations. And those were just the latest fines imposed on web giants, which also included Google and Amazon.

The targets of those fines might be justified in saying compliance is an impossible task. By 2025 the volume of data/information created, captured, copied, and consumed worldwide is forecast to reach 181 zettabytes. Nearly 80% of companies estimate that 50%-90% of their data is unstructured text, video, audio, web server logs, or social media activities.

Security concerns reach beyond CISOs

The English riots this past week provide a Dickensian “best of times…worst of times” context to politics in the United Kingdom and possibly the United States later this year. The UK has had a significant political shift in leadership that brought relief to the majority of that country's citizens (the best) but also encouraged the minority opinion to lash out with provocation from domestic actors and foreign states (the worst). This highlights the fact that digital security concerns reach far beyond the confines of corporate CISO offices.

The rioters are extreme anti-immigration nationalists whipped up by false information regarding the stabbing of several young children and adults at a dance recital in Southport, a town just north of Wales. The disinformation came from several sources but is primarily coming through a Russian-linked website posing as a legitimate American news organization. The claim was meanwhile amplified by far-right figures Tommy Robinson and Andrew Tate. Robinson was arrested under anti-terrorism laws but is out on bail and has been vacationing in Europe. He is still spreading disinformation. Tate is currently under “judicial supervision” for rape and human trafficking charges. X owner Elon Musk has also participated personally in sowing the discord.

Foreign interference grows

Meanwhile, open source intelligence monitored by companies like Zero Fox and Fletch has identified efforts by North Korea and Russia to interfere in elections of Western countries including Germany and the United States. Zero Fox said, “The Telegram-based bot service IntelFetch had been aggregating compromised credentials linked to the Democratic National Committee (DNC) and their websites. This data, primarily sourced from botnet logs and third-party breaches, includes sensitive information such as login credentials for party members and delegates. This breach poses a significant risk of unauthorized access and potential disruptions to the convention.”

Zero Fox said the DNC had been alerted several weeks ago and that the weaknesses had been fixed. The DNC Convention is set to begin August 19 and Zero Fox was planning on announcing their findings that day to boost their profile.

Google at loggerheads over support for journalism

Google and the state of California have come to loggerheads over legislation designed to require Google to provide financial support for local journalism. Naturally, Google is fighting this with a PR and lobbying blitz. They and their allies may be missing the point. Whatever the outcome, it could have a profound impact on the democratic process.

The legislation, the California Journalism Preservation Act (CJPA), has been wending its way through the California legislature for about a year. The text of the law says, "This bill … would require … a covered platform (as in Google) to remit a … payment to each eligible digital journalism provider … The … payment would be a percentage, as determined by a certain arbitration process, of the covered platform's advertising revenue generated during that quarter."

History of dispute

A bit of history provides context. Google launched Google News in 2002

Commentary: Getting the point of Google News v. the media

Cyber Protection Magazine posted a long article about Google’s decision to start de-listing California-based newspapers. We strove to be as objective as possible and present both sides of the argument, but we did say that the opponents were missing the point, hoping that the point would be obvious in the discussion. Here, however, we want to shed objectivity and make the point clear.

Google’s move, generously described, is a preemptive response to California’s Journalism Preservation Act (AB 886) that has yet to pass the Senate. The act will require Google to sit down and negotiate with California publishers over the fair price of publishing content from those media sites.

Note that the bill is not mandating a price. It is mandating a negotiation. That changes the nature of the discussion.

Scam Bucket: Credit card fraud is inevitable

You can do everything right, but credit card fraud is inevitable.

In recent weeks, Cyber Protection Magazine has fielded calls and emails from people who have followed all the best-known techniques for securing banking, debit, and credit card information. That includes bank notifications every time the card is used, multi-factor authentication (MFA), biometrics, and limiting the use of a card for specific transactions. These readers still experienced unauthorized use of their payment cards.

How does that happen?

The market for criminal use of legitimate credit cards is a well-known “secret.” The most common sites are found on the DarkWeb, but occasionally they pop up on Meta sites, where they can reap thousands of dollars before Meta gets around to kicking them off, generally without prosecution.

The criminals collect most of this information through phishing attacks using email, but also on Facebook and Instagram, and falling for a phishing scam may negate victims’ claims they “did everything right.” Criminals, however, are getting more sophisticated. Enterprises selling the card information gather it by sending fraudulent emails or text messages, posing as legitimate entities, and tricking individuals into providing their credit card information. Then there is basic social engineering: manipulating victims into revealing their credit card information through phone calls and QR codes.

Even more sophisticated, criminals will install skimming devices on ATMs, gas pumps, or point-of-sale terminals to capture credit card information when cards are swiped or inserted. While it may not be obvious that a skimmer has been added to the terminal, it is fairly easy to determine whether a reader is legitimate. Legitimate card readers cannot be easily removed, while skimmers may be held on with a simple adhesive. Some locations, like Costco fueling stations, place tape over the reader; if the tape is broken, it can alert users and the vendor that there may have been a breach.

No one is completely safe

But by and large, data breaches are the most common source of stolen credit card information, and that is something most victims cannot do anything about.

By hacking into databases of companies or financial institutions criminals steal terabytes of credit card information. Employees of companies or financial institutions may access and sell credit card information, posting the information of those above, carding forums. Criminals exchange...

Murky third-party agreements weaken healthcare privacy controls

The healthcare industry is a vulnerable target of cybercriminals, but not for the reasons most business sectors are. Between 80 and 90 percent of all cybercrime results from people not following basic cyber hygiene practices, but in healthcare criminals gain access to information through infrastructure weaknesses and murky third-party agreements.
