Posts by Kientha

17 posts • joined 17 Jan 2018

UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball

Kientha

He wasn't a contractor. He was an employee, and the process mandated by KPMG involved Skelton copying the data to and from USB keys.

Kientha

His job was not to analyse it. His job was to prepare it to send onward to the external auditors (KPMG). Their (KPMG-mandated) process required the data to be put on a USB. Skelton copying the data to a USB wouldn't have raised alarm bells even if they had detected it, because it was a component of his job.

Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

Kientha

Re: If only...

And would have been able to attempt to reclaim that money from Skelton along with the costs of retrieving the money from him. Legally, the case is really interesting on the second element more than the first. If someone commits a criminal act that has a significant relation to their job role but is clearly not a function of their job, can their employer be held vicariously liable for that act? Does that count as the one continuous act required for vicarious liability?

Kientha

Morrisons were following the guidelines they were told they had to implement by KPMG. The ICO said the only other thing they could have done was have tools in place that would have alerted them that Skelton had copied the data onto an unencrypted USB, which, because of the job he held, would not have raised alarm bells quickly enough to prevent the leakage of the data. Skelton's entire job was handling sensitive data. They did not do anything worth being fined for under the DPA or GDPR.

Kientha

Re: Resistance is futile

Yep, it was Skelton's job to send the financial data to KPMG. He had a business need to process that data. The process that KPMG told Morrisons to use involved putting that data on an encrypted USB. If they are held accountable for the actions of an employee breaking the law entirely out of a want to damage his employer for punishing him when he broke the rules, that has significant negative implications for all UK businesses and is giving Skelton exactly what he wants!

Trend Micro: Our super-duper security software will keep you safe from everyone – except our staff who go rogue

Kientha

Re: AV and similar software just increases your attack surface...

Also, no matter how well trained or intelligent someone is, they can have an off day where they slip up and click on something they shouldn't. Endpoint software is so much more than just an AV provision, so that when someone does slip up, and they will, the right action can be taken and the company protected as well as it can be.

Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale

Kientha

Re: Badly designed system

It's the process when you go to a ticket office rather than an underground top-up point. They don't have direct access to the Oyster system as it's managed by TfL, so their workaround requires a password because they need to log in to the TfL account or create a new TfL account as part of the process. All the guidance on how to apply the discount to your Oyster says to go to a person at an underground station, which doesn't require the password.

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Kientha

Re: Openly and fairly...

Eh, most business people know of Black Hat, at least as a vague understanding. I doubt the idea was ever to sell it to anyone at Black Hat, but just to be able to say they presented there to some purchasing managers who don't know better, to get them to pay up. I doubt they expected the level of backlash, hence the suit to try and reclaim the narrative. It's just a grift to pretend they have a cutting-edge product to earn quick cash from companies who want to just buy a product rather than do any real work for security.

Kientha

Re: If only...

There really needs to be a federal anti-SLAPP law at this point. You're getting more and more baseless defamation suits fighting to be heard in states without anti-SLAPP legislation, like Depp. The fact they're trying this in California is incredibly laughable, but you do see it still as a way to silence critics, knowing that they can either eat the penalty or that the threat of a lengthy suit is more than most critics are willing to deal with.

Kientha

Re: If only...

Freedom of Speech in this context means that the government cannot censor you or penalize you for speaking and sharing ideas. It has limitations and is not absolute, but in general it applies to the government rather than to other individuals.

Ever used an airport lounge printer? You probably don't know how blabby they can be

Kientha

Usability > Security

As already mentioned, anyone using an airport printer shouldn't be expecting any privacy for what they print. Surely this is just a classic example of how the system working and being accessible is more important than the system being secure. Even if you made the connection completely secure, what's to stop someone just grabbing it off the printer before you get there? Some printers allow you to reprint stuff stored in memory. You can't know the printer isn't capable of doing that. Anyone who prints sensitive stuff on these printers should be banned from printing things ever, especially with how easy it is now to get machines with pens for annotating stuff for as cheap as a couple of hundred quid.

UK ruling party's conference app editable by world+dog, blabs members' digits

Kientha

Hi James, you seem to be confusing the Data Protection Act 1998 (replaced by GDPR) with the Computer Misuse Act 1990, which is still in effect. GDPR regards the protection of personal data and is aimed at any organisation that processes personal data. The Computer Misuse Act is the overarching "hacking" legislation of the UK.

Kientha

It's not a flaw! It's a feature!

If you look at the website of the people who they bought the app from, you'll notice that passwords are an extra £399 for all but the top tier. I'm betting they either didn't purchase passwords or didn't enable them. The fact the app is available without passwords is utterly insane but not surprising.

Kientha

They could use a defence along the lines of "it wasn't me, someone else sent me the screen grabs", and unless they could prove beyond reasonable doubt that wasn't the case... But I agree with your interpretation of the CMA. It doesn't matter how you accessed it: if you didn't have permission or a reasonable belief of permission and changed data, that's the third tier.

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Kientha

Re: "You don't outsource something that is working well."

The "Let's mark it as done because it's the deadline and we don't get paid otherwise" is everywhere in the IT sphere at the moment and in my experience results in a massive headache further down the line after that person moves on and no one realises it hasn't been done until way too late. Then you get the confused senior managers going "But it's marked as done! Why are we spending money on it if it's done! No if it says it is done it must be done."

Kientha

Re: BT was going to outsource security says leaked memo.

Playing buzzword bingo was the only thing that made corporate meetings bearable. There's only so many times you can say "That's not how it works" before you just give up and know they won't be able to work out you've done things differently. I still shudder whenever someone talks about the cloud or AI. I blame the salespeople.

Wanna motivate staff to be more secure? Don't bother bribing 'em

Kientha

Re: Implement security properly

At work we have 2FA in order to access the corporate side on our work machines. This times out after 15 minutes of inactivity, so you end up having to put it in 7 or 8 times a day. It's a serious pain in the a**.


Biting the hand that feeds IT © 1998–2019