At a glance.
- Data exposure at the European Parliament.
- Unemployment fraud during the COVID-19 pandemic.
- Boutique law firms and cybersecurity.
- Tracking GIF users' searches.
Exposed database compromises 1200 EU Parliament officials' data.
The European Parliament told POLITICO Saturday that a database holding information belonging to some twelve-hundred elected officials and their staff members, "along with another 15,000 other accounts of EU affairs professionals," was found exposed to the Internet. The database belonged to the European People's Party, and the system that held it, while operating under the EU Parliament's europarl [dot] eu domain, wasn't hosted by the Parliament itself. The exposure was discovered by researchers at Shadowmap, and EU Today writes that this raises questions about the Parliament's own security.
Unemployment fraud during the COVID-19 pandemic.
State agencies in the US engaged in administration of unemployment relief funds are experiencing a surge in both legitimate and fraudulent claims as COVID-19 takes a toll on jobs, the Washington Post reports. The New York Times sees weak identity verification systems as the root of the fraud problem.
Here are some notes on issues in various states. Late last week the state of Washington halted payments when, as the Seattle Times writes, authorities determined that criminals had skimmed some $1.6 million in relief funds during April, up from a mere $40 thousand lost to fraud in March. Arkansas sustained a data breach Friday night when an applicant gained unauthorized access to a site established to provide unemployment assistance during the pandemic, KNWA reports. And the Chicago Tribune records that Illinois Governor Pritzker has disclosed that his state's unemployment system sustained a data breach that exposed the personal information of thousands of applicants for aid. On the Illinois data exposure, we heard from Mark Bower, senior vice president at comforte AG, who commented in an email:
“All indications are that this was an accidental software issue, but such incidents can be the cause of massive breaches of trust as well as data. Given the critical need for data security for businesses and people in stressed economic times, organizations establishing new services should really take a look at more modern, snap-in data tokenization technology to modernize their approach to data collection.
"When storing critically sensitive data, security and privacy must always be at the front of the discussion. While the issue in this particular breach was reportedly rectified in an hour, that is still long enough for dangerous criminals to steal troves of valuable personal information and leverage it for their own monetary gain - either by selling it on the dark web or conducting identity fraud.
"No matter what the reason is behind this particular data exposure, this incident surely points out that any kind of data could be at risk and at any given time. Therefore, more must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimise exposures of all sizes."
Boutique law firms and cybersecurity.
In response to news that hackers have attacked the Web site of top showbiz attorney Allen Grubman, demanding $42 million while threatening to reveal personal details of his clients including Elton John, Lady Gaga and Barbra Streisand, as well as Donald Trump, Lucy Security CEO Colin Bastable commented:
“If you don't patch people as part of an integrated cybersecurity strategy, you get to make statements like “We are grateful to our clients for their overwhelming support and for recognizing that nobody is safe from cyberterrorism today." That client support will turn to overwhelming lawfare if the celebrities feel pain. If people need a lesson on how hackers fuse psychology, marketing and "impending event" sales closing, this is a perfect case study in the black art of hackstortion. Doubling down and leveraging Donald Trump’s brand value is perfect. No downside for the hackers, no upside for the victims and all grist for the media mill, because someone fell for a phishing email.
"If state-of-the-art security technology worked, we would not be suffering from these relentless attacks. A holistic approach to cybersecurity mandates that people are treated as part of the security ecosystem – they can either be weak links in the chain of security or they can be positive reinforcements in the defenses. But they must be tested and trained as an ongoing security process.
"This is a classic case study in why hackers are always at an advantage – they leverage human behavior, psychology, marketing and sales techniques as well as current affairs, to create an environment that is conducive to their goals. There is little risk, if any to them. For the victims, it is lose-lose.
"The law firm is caught between a hacking rock and a client base hard place. For every other law firm, ensure that all partners and staff are mandated to undergo training. We know that some partners and senior lawyers (like other high-powered professionals) dislike being required to undergo security awareness training – they are super-smart people and may get angry if they are “caught out” by simulated phishing attacks and forced to sit on the naughty step.”
The FBI pointed out that the extortion attempt the REvil ransomware gang made against the boutique celebrity law firm Grubman, Shire, Meiselas and Sacks may amount to an act of cyber terrorism, and that paying terrorists' ransom can be a violation of Federal law. That angered the gang, Forbes reports, and the hoods released a lot of anodyne and generic emails purporting to be a foretaste of the "dirty laundry" they have on President Trump. The dump didn't prove that they had much of anything: the emails weren't by President Trump (who's not a client of Grubman, Shire, Meiselas and Sacks) and they appeared to include mere mentions of his name and uses of the commonplace verb "to trump." Absence of evidence of course isn't evidence of absence, but the extortionists haven't so far given anyone reason to believe they've got much dirty laundry at all.
GIFs and beacons.
On the occasion of Giphy's acquisition by Facebook, OneZero explains why Menlo Park probably found the GIF search tool worth the $400 million it reportedly paid for it: Giphy tracks user activity.
"What might not be obvious, however, is that each search and GIF you send with Giphy is also a “beacon” that allows the company to track how and where the image is being shared, as well as the sentiment the image expresses. Giphy wraps each of its animated GIFs in a special format that helps the image load faster, and also embeds a tiny piece of Javascript that lets the company know where the image is being loaded, as well as a tracking identifier that helps follow your browsing across the web."
A lot of Giphy searches already begin in Facebook (about half of Giphy's traffic originates in Facebook apps), but the acquisition also gives Facebook a peek into user behavior in other apps, including Twitter and at least one iOS keyboard app. Facebook isn't alone among what OneZero primly but accurately calls "ad companies." Google bought Giphy competitor Tenor two years ago, so in some respects Facebook is a day late. But given that Giphy had recently been valued at $600 million, Facebook may have enjoyed a $200 million discount by waiting. And it gets more data for the rifleshot targeting ad companies desire. As OneZero points out:
"While you may successfully block trackers like the Facebook ad pixel following you around online, or even delete your Facebook account, the majority of us wouldn’t suspect we’re being monitored when we’re sending funny images to friends."
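The mechanism OneZero describes is a web beacon: an off-site image or script load whose URL carries an identifier, so that the serving host learns where the image was embedded and can correlate loads across sites. The following is an added example, not code from the OneZero piece, from Giphy or from Facebook: a small Node.js heuristic scanner that lists the third-party resources a page embeds and flags those that look like beacons (a third-party script, or an off-site image or script whose query string carries an identifier-like parameter). The sample HTML, the hostnames (gifhost.example, adnet.example) and the parameter names (cid, uid) are constructed for the example and are assumptions, not Giphy's real wrapper format or parameters.

```javascript
// Added example: heuristic web-beacon scanner for static HTML (Node.js, no dependencies).
// Hostnames and parameter names below are constructed for illustration, not real Giphy ones.

// Query-parameter names commonly used to carry a per-user or per-share identifier (assumption).
const ID_PARAM_NAMES = new Set([
  "id", "uid", "cid", "tid", "sid", "gid", "uuid", "tracking_id", "user_id",
]);
// Long opaque token, e.g. hex or base64url, regardless of the parameter name.
const LONG_OPAQUE = /^[A-Za-z0-9_-]{16,}$/;

// Pull src attributes off img/script/iframe tags. A regex is adequate for
// static markup; a DOM parser would be needed for scripts that inject tags at runtime.
function extractResourceUrls(html) {
  const re = /<(img|script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return out;
}

// Naive registrable domain (last two labels). Correct for example.com-style names
// used here; a real tool would use the public suffix list for names like co.uk.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns one finding per suspicious third-party load: { tag, host, reasons }.
function findBeacons(html, pageUrl) {
  const page = new URL(pageUrl);
  const firstParty = registrableDomain(page.hostname);
  const findings = [];

  for (const { tag, src } of extractResourceUrls(html)) {
    let u;
    try {
      u = new URL(src, page); // resolves relative paths against the page
    } catch {
      continue; // malformed src; nothing to fetch, nothing to report
    }
    // data:, blob: and similar never leave the browser, so they cannot beacon.
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    if (registrableDomain(u.hostname) === firstParty) continue; // first-party asset

    const idParams = [];
    for (const [k, v] of u.searchParams) {
      if (ID_PARAM_NAMES.has(k.toLowerCase()) || LONG_OPAQUE.test(v)) idParams.push(k);
    }

    const reasons = [];
    if (tag === "script") reasons.push("third-party script");
    if (idParams.length > 0) reasons.push("identifier in query: " + idParams.join(","));
    if (reasons.length > 0) findings.push({ tag, host: u.hostname, reasons });
  }
  return findings;
}

// Constructed sample page: a chat app embedding a first-party logo, a GIF from a
// third-party GIF host with an opaque id, that host's embed script, an ad pixel,
// and an inline data: image that should be ignored.
const SAMPLE_PAGE = "https://chat.example.com/room/1";
const SAMPLE_HTML = `
<html><body>
<img src="/static/logo.png">
<img src="https://cdn.example.com/logo.png?v=3">
<img src="https://media.gifhost.example/abc123/giphy.gif?cid=a1b2c3d4e5f6a7b8c9d0&rid=giphy.gif">
<script src="https://cdn.gifhost.example/embed.js"></script>
<img src="https://pixel.adnet.example/t.gif?uid=user-77&ref=chat">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findBeacons(SAMPLE_HTML, SAMPLE_PAGE), null, 2));
}
```

Run with `node beacon-scan.js` (any filename) to see the three findings: the GIF host's image carrying `cid`, its embed script, and the ad pixel carrying `uid`; the first-party logos and the inline `data:` image are not reported. The same function can be pointed at saved HTML of a real page; the referrer the browser sends with each flagged load is what tells the third party where the image was embedded, which is why blocking an ad pixel by name does nothing for a GIF that is itself the beacon.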