Newsletter

open source and cybersecurity news

October 16, 2023

It's 5:05, October 16, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown:  October 16th, 1959. Control Data Corporation releases their CDC 1604 computer, the world’s fastest computer at the time, and the first commercially successful fully-transistorized computer. The 1604 was CDC’s first computer, primarily designed by engineer Seymour Cray.

Mark Miller: All the “recommendations” are saying use strong passwords, train your people, update your software, yadda, yadda, yadda, same ol’, same ol’. That’s not working; it never has. I’m not arguing against good practices like this, but when the shit hits the fan, what you REALLY want is a good backup.

Edwin Kwan: The Attorney General said that recent high-profile data breaches have demonstrated that disclosure of personal information has the potential to result in serious harm to individuals, which is why they are establishing the scheme so that there are clear, consistent requirements to notify individuals of data breaches of Queensland government agencies.

Hillary Coover: The technology ingrained in our smartphones and computers designed for displaying advertisements, inadvertently serves as a conduit for surveillance. A recent report from the US intelligence community emphasized that consumer technologies expose sensitive information about everyone, often without their awareness or ability to prevent it.

 

The Stories Behind the Cybersecurity Headlines

Edwin Kwan
Queensland Introduces Mandatory Data Breach Notification

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

The Queensland government has introduced legislation for data breach notification, joining New South Wales as the only other state to introduce such a scheme.

This is Edwin Kwan from Sydney, Australia.

There was a review done over a year ago into the culture and accountability of the Queensland government. One of the recommendations from that review was to have mandatory data breach reporting for government agencies. The Attorney General said that recent high-profile data breaches have demonstrated that loss or unauthorized access or disclosure of personal information has the potential to result in serious harm to individuals, which is why they are establishing the scheme so that there are clear, consistent requirements to notify individuals of data breaches of Queensland government agencies.

This would empower individuals to take steps to reduce the risk of harm resulting from a data breach. A Queensland government agency that suspects a breach must take all reasonable containment steps and has up to 30 days to assess the incident. A survey of Queensland government agencies back in June showed that agencies have more to do to be ready for data breach reporting.

Resources
– Gov.au: https://www.legislation.qld.gov.au/view/whole/html/bill.first/bill-2022-041
– IT News: https://www.itnews.com.au/news/qld-gov-introduces-data-breach-notification-legislation-601173
– IT News: https://www.itnews.com.au/news/qld-gov-proposes-mandatory-data-breach-reporting-for-agencies-581815
– IT News: https://www.itnews.com.au/news/qld-gov-agencies-have-more-to-do-to-be-ready-for-future-data-breach-reporting-596870

 

Hillary Coover
Government vs Corporate Surveillance: Which is more Intrusive?

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Are you more concerned about government surveillance than corporate surveillance? Do you think corporations are taking steps similar to the US government to establish frameworks to govern the publicly and commercially available information that they acquire? I think not. Sure, continue to worry about government surveillance and press for change, but the real scare is the fact that corporations and potentially foreign adversaries are given so much power with almost unfettered access to such rich data.

This is Hillary Coover in Washington, DC.

The technology ingrained in our smartphones and computers designed for displaying advertisements inadvertently serves as a conduit for surveillance. Mobile apps and advertising networks gather intricate data about the online behaviors of countless devices. This compilation of logs and technical details provides a valuable source of cybersecurity information coveted by governments and corporations worldwide.

A recent report from the US intelligence community emphasized that consumer technologies expose sensitive information about everyone, often without their awareness or ability to prevent it.

The Wall Street Journal uncovered a network of brokers and advertising exchanges that funneled data from apps to the US Defense Department and intelligence agencies via a company called Near Intelligence. We’re focusing on the wrong problem here, though. I believe your average person does not understand the value, from a national security or public safety perspective, of this data. Imagine being able to locate wanted terrorists or missing children and/or their traffickers. With proper governance on this data, it could have a really positive impact on society.

Conversely, think about the risks of corporate and foreign adversary surveillance. This opens up risks in misinformation and disinformation efforts and providing sensitive and personal data to potential cyber criminals or other criminal groups.

While concerns about government intrusion into our lives garner attention, we tend to downplay the relentless data siphoning conducted by corporations and foreign adversaries. Our concerns about government surveillance for national security and public safety purposes should be scrutinized. However, it’s equally as important to recognize the pervasive corporate surveillance happening on an unprecedented scale.

Balancing these dual concerns is a task that demands thoughtful consideration, and perhaps a reevaluation of our priorities.

Resources
– Wall Street Journal: https://www.wsj.com/tech/cybersecurity/how-ads-on-your-phone-can-aid-government-surveillance-943bde04

 

Mark Miller
Overwhelmed with Cybersecurity Alerts? Yeah, so am I.

Mark Miller, Executive Producer, It's 5:05

This is Mark Miller, Executive Producer of It’s 5:05. Let’s see, where do I start on a Monday morning here? There’s just so many cybersecurity alerts coming out this morning, October 16, that it’s hard to wrap my head around what to focus on.

Here’s a couple of things I’m following:

  • The Identity Source Resource Center reports that the number of data compromises reported in the United States in the first half of 2023 is higher than the total compromises reported every year between 2005 and 2020, except for 2017. And we still got two and a half months to go.
  • The Health Sector Cybersecurity Coordination Center says a relatively new threat actor and ransomware gang, NoEscape, is selling Ransomware-as-a-Service (RaaS) with attacks focused on the healthcare industry.
  • The US Environmental Protection Agency has chosen to rescind the memorandum issued on March 3rd, 2023 because they were sued by states who decided they didn’t want to have to report what their cybersecurity status was.

In addition to that, when I hit the Cybersecurity and Infrastructure Security Agency page, CISA, there were three operational information alerts released this morning:

  1. Cisco Releases Security Advisory for IOS XE Software Web UI.
  2. CISA, FBI, and MS-ISAC release joint advisory on Atlassian Confluence Vulnerability.
  3. Threat Actors Exploit Atlassian Confluence for initial access to networks.

After seeing all this, especially the one about the healthcare ransomware attacks that affect all of us, I came to the conclusion that it’s going to be impossible to protect every nook and cranny of your digital infrastructure… literally impossible, but you already knew that. So, where does that leave you?

All the “recommendations” are saying use strong passwords, train your people, update your software, yadda, yadda, yadda, same ol’, same ol’. That’s not working; it never has. I’m not arguing against good practices like this, but when the shit hits the fan, what you REALLY want is a good backup. If your entire healthcare service has been hit with encryption and a ransom demand, who are you going to call? Definitely not Ghostbusters in this case. You want the battle-tested, hardened, and most current backup. That’s what’s going to save your ass.

As a practitioner or user in one of those systems, you can take it upon yourself to poke a stick in the eye of the CTO. “Hey, Jill Bob, when did we last back up the system? Just askin’.”

You’re correct. It’s not your job to call the CTO, but hey, it is your patient or your client.

Tell the CTO that you listened to this funky little podcast that told you to call and check on the backups. All the links you’ll need to support your case are at the bottom of this segment of 505updates.com. Hey, tell them Mark sent you.

Resources
– U.S. Environmental Protection Agency (EPA): https://www.epa.gov/system/files/documents/2023-10/action-memo_rescinding-cyber-memo_october-2023.pdf
– Identity Theft Resource Center: https://www.idtheftcenter.org/wp-content/uploads/2023/07/20230712_H1-2023-Data-Breach-Analysis.pdf
– Health Sector Cybersecurity Coordination Center: https://www.hhs.gov/sites/default/files/2023oct12-noescape-ransomware-analyst-note-tlpclear.pdf
– CISA Latest Operational Information: https://www.cisa.gov/

 

Marcel Brown
This Day, October 16, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown with some technology history for October 15th and 16th.

October 15th, 1878. Thomas Edison and a group of investors formed the Edison Electric Light Company. The goal of the company was to provide financial support for Edison’s electric light experiments and work on developing an electrical lighting system for an entire city.

The long-lasting carbonized filament light bulb was developed by Edison while working for this company. Eventually, this and several other Edison companies were merged to form General Electric.

October 16th, 1959. Control Data Corporation releases their CDC 1604 computer, the world’s fastest computer at the time, and the first commercially successful fully-transistorized computer.

The 1604 was CDC’s first computer, primarily designed by engineer Seymour Cray, who would later go on to found Cray Research and be called the “father of the supercomputer.”

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
https://thisdayintechhistory.com/09/19
