My takeaways from last week – Nov 22, 2021

Last week’s readings were a bit peculiar: most covered personal privacy and life stories connected to cybersecurity. So I decided to focus this post on three privacy-related takeaways from last week.

The first is connected to a story from the previous week: the attack on the FBI’s email servers and the fake warnings sent out to smear the cybersecurity researcher Vinny Troia. This week he shared some personal details that show the impact that confronting cyber-crime can have on someone’s life, including the heads-up that Pompompurin gave him via Twitter about the upcoming email campaign sent from the FBI’s server.

Here is a brief summary of Troia’s experience with Pompompurin:

“The last time this happened he sent me a message informing me that the National Center for Missing and Exploited Children posted a blog naming me as a sexual predator,” he wrote. “Before that it was a heads up on a DDoS attack on our free consumer Breach Check website; before that [the actor] hacked my personal Twitter using a private API key that was stolen from our Data Viper website, in order to send out a number of childish Tweets to reporters; before that he tried to publicly frame me for the hack on Astoria company; and before that, it was something else.”

https://threatpost.com/fbi-email-hoaxer-ided-vinny-troia/176377/

Don’t you love cloud services? I bet you do! They are so convenient. What data are you storing in the cloud? And is it by choice or… by default? These are important questions concerning data privacy. Once the data leaves your device, it is technically out of your control. The long and convoluted “Terms of use” in many cases hide certain uses of your data from view. Let me give you some examples: anything you type in the Chrome address bar is sent to Google even before you press Enter. By default. According to one of Bruce Schneier’s recent posts, the bookmarks you save in Edge fly off to Microsoft. By default. If you are ok with these practices, that may be fine for you, but in general it is not good for privacy.

It’s actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when sync is enabled.

https://www.schneier.com/blog/archives/2021/11/is-microsoft-stealing-peoples-bookmarks.html
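If you would rather not rely on the defaults, both browsers honour machine-wide policies that switch these data flows off. The following is an added example, not something from the original post or from Schneier’s piece. It assumes a Windows machine, an elevated PowerShell session, and that Chrome and Edge read their policies from the standard HKLM\SOFTWARE\Policies locations; the policy names (SearchSuggestEnabled, SyncDisabled, PasswordManagerEnabled) are the ones Google and Microsoft document for their browsers.

```powershell
# Added example (not from the original post). Assumptions: Windows, elevated
# session, Chrome/Edge reading policies from HKLM\SOFTWARE\Policies.

$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

foreach ($path in @($chrome, $edge)) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    # Stop address-bar keystrokes from being sent to the search provider
    # before Enter is pressed.
    Set-ItemProperty -Path $path -Name 'SearchSuggestEnabled' -Value 0 -Type DWord

    # Account sync is what ships bookmarks/favourites, passwords and form data
    # to Google or Microsoft; turn it off entirely.
    Set-ItemProperty -Path $path -Name 'SyncDisabled' -Value 1 -Type DWord

    # Disable the built-in password manager so there is nothing to sync.
    Set-ItemProperty -Path $path -Name 'PasswordManagerEnabled' -Value 0 -Type DWord
}

# Check what was written; the browsers themselves show the effective values
# at chrome://policy and edge://policy after a restart.
foreach ($path in @($chrome, $edge)) {
    Get-ItemProperty -Path $path |
        Select-Object SearchSuggestEnabled, SyncDisabled, PasswordManagerEnabled
}
```

The browsers pick the policies up on their next start. A policy set this way overrides whatever the user has chosen in the settings page, which is exactly the point: the privacy-relevant choice is made once, explicitly, instead of being left to the default.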

The last takeaway is a… literal one: pizza. Specifically, California Pizza Kitchen, which in a recently disclosed breach exposed the names and Social Security numbers (SSNs) of more than 100,000 current and former employees. Beyond the details of the story, what I find interesting and would like to note are some of the lessons. First: employee security awareness training really counts:

One security professional noted that employee training is a key element of helping to avoid breaches like this, which are all too common at organizations that have sensitive data on their networks but typically employ people without specific knowledge of how security breaches can occur.

https://threatpost.com/california-pizza-kitchen-employee-ssns-data-breach/176478/

Second, the never-trust/always-verify approach is a key complement to employee education:

“Taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical,” he said. “It’s also far more efficient and cost-effective than relying solely on your employees.”

Danny Lopez, CEO of security firm Glasswall, for Threatpost