Oh the G20
That's right, I remember that hideous waste of money.
Just one of many screw ups by stunt-boy Abbott.
Last week, Australia passed mandatory metadata retention laws, over objections that personal data should only be accessible by a very small number of people under very secure circumstances because it is bound to leak and cause embarrassment. Two business days later, the antipodean tentacle of the Grauniad revealed that …
"Autocomplete is great for regular casual situations. I'm just wondering why people handling sensitive information have it turned on"
Without autocomplete you have to not make a typo every time you type an email address. I reckon autocomplete prevents emails going to the wrong recipient more often than not having it. And when you do screw up it goes to someone you already have a relationship with and therefore may cooperate, as seems to be the case here.
However, if your emails are spreading gossip you probably wish it did go to a complete stranger rather than the wrong friend/colleague.
I am Daniel Cameroon, fomerly a presidente of the Unided Kingodoom of Great New England and it has been Brought to my personall attencion after the lost 2014 parlimentari elections, that apon vocting the 10 Downing HIll premisees, it was dicovered the some Of no less than 10 trillon USD troubles in two thick browne envelops, addressed personnally to you, dear Sir. Therefor and henceforth I besech you to provide me with your full account details so that I can return the envolops to you (minus handling fees and postal charges) at hte earlyst oportunity. May God be with You and have mercy Upon your sol and mine.
Your dearest frend,
That's too funny!
On the less funny side, has anyone noticed how many hacking / data protection / cloud / privacy classic fuckups are on the front page of El Reg recently? Has anyone in charge got a clue? LA DE DA sleep-walking to the mother of all data-fuckups with no accountability or jail time ...
Data theft isn't increasing, it's merely more visible in the media. Which is a good thing overall, despite what we're seeing.
Years ago it was trivial to compromise a system, now it has to be done through obscure zero-days and spear-phishing attacks.
Crazy, what a load of crap.
Data breaches 30 or more years ago were people stealing ledgers from buildings, & made little difference to anyone. You needed physical access, and special spy cameras to not get found out.
15 years ago no-one cared much. The scale was still small and what use was most of the data? A customer number, possibly an address, maybe a credit card.
Now? You get access for 3 minutes and you can pull gigabytes of data over the network or onto a thumbdrive, which has links to enough other related stuff you can know everything of worth about someone (or, more likely, 100,000+ someone's) and then turn around and sell that data through a ready for action network for actual money without much risk.
Data theft is far more common, & the scale is breathtaking when you think about it, in number of crimes, number of attempts and number of people affected.
Was there a database of more than a million credit card details that wasn't a bank or the card company itself 20 years ago? Because there are hundreds of them now, hence patches like PCIDSS.
Further, there are now many people looking for 0days to sell them on, & plenty of people targeting specific organisations who are prepared to pay out for them.
Add in the letter agencies harvesting everything in site* & sharing it around, which I personally see as a data breach, & there is little that *isn't* leaked.
It is certainly encrypted with passport number (maybe DOB too), however I don't believe these can be read from the passport via NFC - they need to be typed in (or optically read) so would need physical access. There's nothing extra stored in the chip beyond what is printed on the card.
That does remind me though, I need a new passport photo for a different ID card, maybe I'll just read the image off my passport and send that in!
You don't need physical access once you have those details. There is an Android app called NFC Passport Reader which allows you to type those details in and then read your passport NFC chip by placing it against the phone, and you will see all the details held on the chip.
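A worked illustration of the point in the two posts above, added here and not written by any commenter: under ICAO Doc 9303 Basic Access Control the chip's access key is derived purely from the passport number, date of birth and expiry date printed in the MRZ, so a leaked list of those fields is effectively a list of chip keys. It uses the public worked-example MRZ values from Doc 9303 Part 11; the function names are my own.

```python
import hashlib

# Added example, not from the thread: ICAO Doc 9303 BAC key derivation.
# The only secret protecting the chip is what is printed on the data page,
# which is why a leak of number + DOB + expiry matters.


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, sum mod 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            val = int(ch)
        elif ch == "<":          # filler character counts as 0
            val = 0
        else:                    # A=10 ... Z=35
            val = ord(ch.upper()) - ord("A") + 10
        total += val * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """Each field followed by its check digit, as BAC specifies."""
    doc_number = doc_number.ljust(9, "<")[:9]   # pad/truncate to 9 chars
    return "".join(f + str(mrz_check_digit(f)) for f in (doc_number, dob, expiry))


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as 3DES key bytes require."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def derive_bac_keys(doc_number: str, dob: str, expiry: str):
    """Return (Kseed, Kenc, Kmac) per Doc 9303 Part 11, section 9.7."""
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    kseed = hashlib.sha1(info).digest()[:16]
    kenc = adjust_des_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_des_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kseed, kenc, kmac


if __name__ == "__main__":
    # Doc 9303 worked-example document (public test values, not a real passport)
    kseed, kenc, kmac = derive_bac_keys("L898902C", "690806", "940623")
    print("Kseed", kseed.hex(), "Kenc", kenc.hex(), "Kmac", kmac.hex())
```

The three inputs carry well under 60 bits of entropy, which is the defender's takeaway: the chip's data is only as confidential as the printed page and any spreadsheet that copies it.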
"Microsoft Outlook was the culprit: the sender meant for the mail to go to someone else, but was undone by an unwanted autocomplete"
This should read:
"The sender was the culprit for not ensuring that the recipient field was correct. But fortunately, because only the recipient had the corresponding private key to the public key used for encrypting the material, they weren't able to read it."
There is absolutely *no* excuse for this. It's one thing if you're all at the same organisation and the worst that happens is, for instance, a UK-based worker like myself is sometimes asked to "pop in" to the Sydney office "tomorrow" to do something (my stock answer is that, as long as they clear the travel, I'm on my way, but it may actually be "the day after" when I get there).
Emailing sensitive unencrypted material to the wrong person is utterly unacceptable. In fact even emailing it to the right person is pretty much unacceptable, as there should be no expectation of the material remaining private unless it is properly encrypted. It's not even hard: if your recipient is cryptographically naive, send them an encrypted zip and phone them up with the password. If you can't do that, you are not the right person to be sending the email.
"It's considered unlikely that the document reached the public domain. Even if it did, it would be of limited use: who could attempt to get through immigration with a passport for Barack Obama or Angela Merkel? "
People such as Jose Lantigua might try. See http://www.palmbeachpost.com/ap/ap/top-news/suspicion-surrounded-florida-businessman-who-faked/nkd2x/ Apparently one of the reasons why he got caught (after a delay of several years, something which speaks highly of the competence of the immigration authorities) was that, and I quote, "The passport he had used to get back into the U.S. had proved his downfall. The man whose name Lantigua was trying to steal was black — the photo Lantigua submitted showed he is white." And, oh, "Finding him wasn't hard — while the other information on his passport application was allegedly forged, he listed his supposed widow as his emergency contact and gave the correct North Carolina address." You can't make this up.
'Fraid not old bean. If you select Deleted Items and (depending on your version) select "Recover Deleted Items" you'll see that even those ones "emptied" are recoverable. Depending on your Exchange config, they can be in there for 14 days. It's known as "deleted item retention time".
Oh, and yes it does get backed up.
> DEL file.txt
Are you sure?
Really, really sure?
Shall I keep it for a while in case you change your mind later?
OK, it's gone, but let me know if you, like, regret this over the next week or two, I'm sure we can do something.
Well, that's not a nice thing to say at all.
And then you have data the Malware scanning systems may be hanging onto. Then there may be additional copies stored elsewhere as part of an auditing system. Or maybe some sysadmin had been debugging a network link and have a packet capture of the data...
Then you have malicious folks: rogue admins running packet dumps on all port 25 traffic; intelligence agencies capturing the organization's traffic (and someone running an international conference like this would be an obvious target).
Sending the list by (presumably unencrypted) email is a bigger problem. Sending email is like putting a post card into a letter box, it can be read by anyone who handles it. So: this email has potentially been read by all sorts of people.
This is the REAL cluelessness - it seems that el-reg's journalists have also forgotten this problem with email.
OK: in this case the NSA has already got this information, but who knows who else has tapped into the Internet routers that the email went through?
I regularly submit Subject Access Requests and in response, I am constantly being asked for photo ID as identifying information. I have argued on numerous occasions to the ICO that I'm not going to give any company a copy of my passport or driving licence because of the security risk and because it's excessive.
A data controller can validate me by phoning me and asking me a few questions about my account. Or they could send me a letter to my home address and ask me to quote the reference number on the letter. Or they could wait for the £10 fee to clear and that validates me. Or they could ask me to pay the fee by credit card as that would validate me too!
There are lots of ways that a data controller can be satisfied about my identity without me having to give them photo ID.
The ICO however is adamant that requesting a copy of a passport is not excessive. If the UK's Data Watchdog couldn't care less who sees passport information then what's the big deal? Having said that, the ICO also told me that a year on its own constitutes a date for the purpose of a Subject Access Request. This organisation is not fit for purpose.
There is no obligation, at least for UK citizens, to have either a passport or a driving licence, so they cannot assume that everyone has these documents. Plenty of people don't - many elderly people who no longer drive or travel for example. Offer them a copy of your Bingo Club membership card.
So if they want a copy of your passport so that you can see what information they hold about you, does that not suggest that they did not do enough to assert who you were when you signed up on their web site in the first place?
Surely giving the exact same information (be that true or false) should be enough.