Bethesda blunders, IRS sounds the alarm, China ransomware, and more This week, we saw Linux get pwned, a teen hacker go down, and Julian Assange vowing to stay right where he is. But that wasn't the only news to hit over the week. Oh look, it's yet another SystemD vulnerability Linux management tool SystemD is once again getting the wrong kind of attention as researchers have spotted another …
How did they do that? By sending out letters using the postal system?
It looks to me that MS are trying to market their Advanced Threat Protection products.
As the starting point for attack seems to be fake file-sharing notifications from OneDrive I feel that MS should instead be taking more responsibility for making such file-sharing notifications less problematic in the first place. It's the old old problem of hiding vital information from the user (hiding execute extensions in Windows Explorer, hiding sender email addresses in emails, and hiding the true browsed domain in a URL) in an updated guise.
How did they do that? By sending out letters using the postal system?
More interesting is how did they manage to figure out who the targets are. OK, I can grok how they know the ones which use Office365 and the like as the fishing mails hit Microsoft mail servers. That, however is likely to be only a fraction of the target audience if the target audience is big corporates.
So how do they know where to send the notifications? Did the Bear suddenly became "The One Birdie Told Me". That makes for a very shape-shifting Bear. Alternatively, someone just needs to continue pumping the narrative as it is a slow news day and there is nothing suitable on the news to howl about from branches.
"How did they do that? By sending out letters using the postal system?"
In my case I was contacted by Microsoft directly over landline.
They were surprisingly helpul and even offered to do a free scan of my Windows box remotely over Logmein.
To my horror they did find several errors in the Windows Event viewer and that several attackers had already compromised my machine by showing me foreign addresses in netstat.
I was so impressed that I purchased their Advanced Firewall Protection that is usually only available to enterprise hardware products from Dell using their anonymous pay option of pre-paid gift cards.
Now that someone might found with whom senators slept in the past four years, it's time to copy the same GDPR which was seen as an attack on US companies "innovation" just a few months ago?
It's a bit different fearing to be stung directly by unrestricted personal information gathering and storage, and subsequent inevitable breaches, isn't it? Did they believe it only mattered those using Facebook directly?
The story "forgot" to mention that Joel Kurzynsk was an IT professional ... a very bad one. On the plus side, when he's released he's going to have the state looking over his shoulder for three years - sounds like he's such a loser that it will be surprising if he's not back in jail quite quickly.
"The big problem with data minimization is that this will burn your audit trail and, in doing so, encourage fraud and other misdemeanours."
I suggest you look into the provisions GDPR makes for the minimal legal requirement. One of those is off-line backup, so any auditor will still be able to retrieve a complete audit trail if necessary. If that isn't possible, there is an automatic suspicion of fraud and legal problems.
It can be difficult to reconcile data from an off-line backup with live data. For example, do you continue to constrain primary and foreign keys across that partition?
If so, then the keys concerned may need to be mapped in some way to preserve anonymity within the current dataset. Is that sufficient to prevent "casual" GDPR disclosure spilling over into a deeper search due to the presence of a reference to "other data" (which is obligatory)?
If not then there is a discontinuity in the audit trail which can lead to either a failure to find connections, or to make false inferences - in the case of some serious investigation. As time goes on, that discontinuity becomes more and more fragmented as each archive dollop is sliced away.
The problem of creating unique keys without reference to any other party is long solved and built into all well-known operating systems and database platforms.
Aside from that, data minimization means "Do not collect or store more data than is actually strictly necessary to provide the service".
In other words: You don't need someone's gender for any online transactions at all. Don't ask for it. You don't need their social security number to sell them a widget. Don't ask for it.
The CVV code is only needed for the period of the transaction, don't store it.
As a rule of thumb, if Marketing are asking for the data then you probably should not store it.
Why do you think you need to do that?
That's one of the things specifically prohibited by the Regulations.
If someone buys a widget and declines your kind offer to create an account, then you're simply not permitted to link any of their future transactions to that one.
Report fraud up the chain to the payment processor. That's the card issuer's problem, not yours.
So sad Bethesda had to go and trash Fallout, this could of been massive if they had just gave us private servers and mod support, the kind of crap we'd expect with a Fallout game. But nope, they wanted a cosmetics store. Shame so many companies have gone this route and forgot what made them great, I miss pirates on Battlefield :(
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
