Monday, April 23, 2018

Naive, stupid or maliciously negligent..... you decide.

The last few weeks have been a roller coaster ride for security with all the discussions about Facebook being evil and Mark Zuckerberg being the reincarnation of Stalin.

People in general are way too loose on their data sharing and when a FREE service like Facebook makes the news because they are making money on your data..... the surprise that people feel is mind boggling.

I'm not debating that there are abuses.  I'm stunned that people are this stupid and actually thought that Facebook was "free".

How many of your friends have taken one of those silly surveys that pops up, and then you get to see the survey results of 'how' they scored an 87% on the hotness scale if you too take the survey! What exactly do you think happens to all the personal information you are handing out like it's free....

What is of great frustration to me as a security specialist isn't really Facebook. It is the sigh of relief that Equifax let out when the Facebook news broke out.

Just like the American president who keeps jiggling his left hand with a shiny object of meaningless bullshit to occupy the weak cerebral cortex of the masses while the other hand is firmly jammed into big business and big dollars.

The Equifax story shouldn't be dead.

In fact, if there is a real story of an entire system gone bad, this is it.

The bad partnerships

So the banks give all your information to a third party, who then sells you access to your information online, so you can check your credit and make sure the data collected on you is accurate.

I'm no genius, but I can tell when I'm getting screwed.

The lack of a quality security audit by your banks towards their "partners" is an insult.

There are so many things that surfaced that are wrong with the lack of maturity at Equifax that it is clear a quality audit was never performed by their business partners. Now isn't that alarming, thinking that the banks just hand off your data to a third party without actually checking the state of their security!?

Now I know for a fact that they sent off security questionnaires and that someone at Equifax provided very formal and valid-sounding answers. So the banks feel like they have done their best. This is complete crap. Just because you put in place a contract with security requirements does not automatically wash your hands of the responsibility of handing over sensitive data to an incompetent partner. How respectful is that of our data? It isn't.

The lack of followup and penalties (reward instead)

Why hasn't a formal plan been produced and made known to the public about how the banks are going to address this with Equifax (and TransUnion, the other very similar third party)?

As citizens impacted by these issues, we should be demanding that a formal plan be made, be publicly published, and be reviewed by a qualified and independent security entity (not one of those business friends scratching each other's back).

No real penalties here... in fact, Equifax shares went up! They are, after all, selling a lot of those "identity theft" protection packages, so the breach actually helped them make more money.

This is purely criminal behaviour.  Just because our laws don't spell it out, and our elected officials don't care (because they are all friends....), does not make it legal.  This is criminally wrong.

Let's take a moment to look up the word CRIME in a dictionary; this is a worthy mission....

1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.
4. any offense, serious wrongdoing, or sin.
5. a foolish, senseless, or shameful act.

Now item #1 sounds good until the last words, which stipulate "is legally prohibited", but #4 and #5 remain very clear.

What is going on with our personal data within banks and companies like Equifax is a CRIME.

Our privacy commissioner is asleep

I continue to be amazed that we, as a society, agree to be spoon-fed bullshit about privacy being important by significant entities like the privacy commissioner (constantly bitching about Facebook), but when it comes to fixing a real problem, involving a real failure across the entire system, nothing gets done.

There will be some bitching at Equifax, yet no one mentions the banks' role in criminally mishandling our information, and then life goes on. Nothing really changes.

So to all the journalists awaiting that next big breach..... how about you finish up on the really important ones instead of hunting for the next mostly insignificant one. As much as it is fun to watch Facebook get slapped around, we all gave up that data willingly. What the banks and Equifax are doing is NOT THE SAME THING. New enterprises get breached every day, but not all of them have the impact that Equifax has.

It is always easy to blame someone else for your stupidity. This week, journalists pointed out that an anonymous jury was being identified by Facebook. NO! The jury is being identified by completely lax and incompetent security around an anonymous jury. Who is running these juries!

No one instructed the jury to leave their cell phones off (or to turn data off) prior to arriving at the court house?

No one instructed the jury to NOT post selfies at the court house?

Big surprise that Facebook is suggesting "New friends" at the court house!

That is what happens when no one cares enough about security.  Don't blame Facebook, blame human ignorance.

Oh my, we can't ask people to turn off "data" on their phones while they are here; it is "their right" to communicate electronically.

Ok, then it is their decision to expose themselves and potentially no longer be an anonymous jury.

You can't have it both ways.

As a society we are a whiny-ass bunch of losers, always saying it is someone's "right" to do something stupid, and it's always OK to blame someone else for our lack of common sense.

And in doing so, we forget that we have the "right" to impose common sense into certain processes like this case of an anonymous jury.

But hey.... let's just blame Facebook because Mark Zuckerberg has that smug rich look. It's all his fault.

Now, just to be clear. We cannot expect normal users to understand that they are being very foolish when posting too much information to Facebook, Instagram, etc.

Facebook is indeed "Evil" because their position has changed into a global information processing demon.

Doesn't change that we continue to act foolishly.

Doesn't change that Equifax is a major issue that will not get the attention it should, because it is protected by big business and we, as a society, get distracted really easily by shiny objects.

Doesn't change that banks are not handling us like "clients"; we are simply their products and they do not actually care.

Doesn't change that our privacy commissioner isn't living up to expectations.

And, until senior executives are held personally accountable, nothing will change.

Big fines that are paid by the corporation are just the cost of doing business.


Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn: EVA-Technologies
