Jan 19, 2018

Ah, I’m having flashbacks to the days when some of us debated whether the TJ Maxx breach would have any significant impact and how we could determine impact.

Bruce Schneier cites a research report, “Long-term market implications of data breaches, not,” by Russell Lange and Eric W. Burger.

From key findings:

  • While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to +0.05%, and on average remained positive through the period assessed.
  • For the differences in the breached companies’ betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach were not meaningful at 90, 180, and 360 day post-breach periods.

Read more on Security Boulevard.


Jan 19, 2018

Jessica Davis reports:

Maryland-based CareFirst has filed a final appeal to the U.S. Supreme Court to hear its data breach case, arguing that without a high court review, companies in every sector will be hit with a “flood” of data breach lawsuits in the future.

The appeal stems from a decision by the U.S. Court of Appeals in the District of Columbia in August that allowed the 1.1 million members impacted by CareFirst’s data breach in 2014 to pursue a lawsuit against the company.

Read more on Healthcare IT News.

Jan 18, 2018

Tara Seals reports:

MailChimp, the bulk email company responsible for sending millions of newsletters, promotional mail and other mass communiques every day, has been leaking respondents’ email addresses.

Security researcher Terence Eden found what he termed “an annoying privacy violation,” adding that the issue can expose personal information. The issue is this: When a respondent clicks a link in a MailChimp email, the browser opens the link and sends the newly visited webpage what is known as a “Referer Header” (the misspelling is intentional).

“This says, ‘Hello new site, I was referred here by this previous website,’” said Eden, in a blog. “This has some privacy implications – the administrator of a website can see which website you were on. Usually this is fairly benign, but it can leak sensitive information.”

Read more on InfoSecurity.
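The Referer mechanism Eden describes, worked through as an added example that is not part of the original post or of MailChimp's code: the browser's Referrer-Policy (settable by the referring site via the `Referrer-Policy` header or `rel="noreferrer"` on a link) decides how much of the previous page's URL the new site gets to see. The newsletter URL, host names and query parameters below are constructed, not MailChimp's real link format.

```javascript
// Added example, not from the original post: how a browser's Referrer-Policy decides
// what of the referring page's URL reaches the link target. The newsletter URL is a
// constructed sample, not MailChimp's real link format.

// What a browser sends at most: the URL minus credentials and fragment.
function fullReferrer(u) {
  const c = new URL(u.href);
  c.username = ''; c.password = ''; c.hash = '';
  return c.href;
}

// Origin-only form, e.g. "https://newsletter.example/".
function originReferrer(u) { return u.origin + '/'; }

// Referer value sent when navigating from `fromUrl` to `toUrl` under `policy`;
// '' means no Referer header at all. Default is the current browser default.
function refererFor(fromUrl, toUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return '';
    case 'unsafe-url': return fullReferrer(from);
    case 'no-referrer-when-downgrade': return downgrade ? '' : fullReferrer(from);
    case 'origin': return originReferrer(from);
    case 'same-origin': return sameOrigin ? fullReferrer(from) : '';
    case 'origin-when-cross-origin': return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'strict-origin': return downgrade ? '' : originReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? '' : originReferrer(from);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

const POLICIES = ['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];

// Constructed sample: a "view in browser" page whose URL carries the recipient's address.
const NEWSLETTER_PAGE = 'https://newsletter.example/view?campaign=42&e=alice%40example.com';
const EXTERNAL_LINK = 'https://shop.example/deal';

// Policies under which the query string (and so the address) would reach the target.
function leakingPolicies(fromUrl = NEWSLETTER_PAGE, toUrl = EXTERNAL_LINK) {
  return POLICIES.filter(p => refererFor(fromUrl, toUrl, p).includes('?'));
}

console.log(refererFor(NEWSLETTER_PAGE, EXTERNAL_LINK, 'unsafe-url')); // full URL, address included
console.log(leakingPolicies());                                        // the policies that leak it
```

Only `unsafe-url` and the legacy `no-referrer-when-downgrade` pass the full URL to a cross-origin target; any of the origin-only or no-referrer policies keeps the query string (and whatever identifies the recipient) on the sending side.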

Jan 18, 2018

A friend tweeted to me tonight:

Indeed we do.

Carly Page reports:

One in four ethical hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.

That’s according to HackerOne’s ‘2018 Hacker Report’, which surveyed 1,698 members of the hacking community – making it the largest documented survey ever conducted of the ethical hacking community.

One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).

This doesn’t mean the hackers don’t try – with HackerOne noting that many attempt to contact firms via social media and email but are “frequently ignored or misunderstood.”

Read more on Inquirer.net. And keep in mind that the rate of reporting will drop and/or be chilled if law enforcement treats ethical hackers or greyhats like blackhats and attempts to prosecute them. Our federal hacking statute, CFAA, needs updating and revision, and the revisions need to provide protection to researchers who attempt to responsibly disclose what they have found.

Jan 18, 2018

Peter Dinham reports:

A majority of Australian IT decision-makers believe reporting of data breaches to regulators will help prevent cyber crime.

Surveyed by global security vendor Palo Alto Networks, 79% of IT decision-makers agreed that reporting breaches to regulators should be mandatory and 69% believed reporting of data breaches to regulators would help prevent cyber crime.

Are 69% being optimistic, naive, or both? We have mandatory disclosure here in the U.S. Have Australian experts noticed that we haven’t seen any decrease in cybercrime since 2005 and thereafter as state laws were implemented?

At first we consoled ourselves, telling ourselves that hey, it takes a few years for laws to have any impact. But it’s painfully obvious by now that breach disclosure laws do not really help prevent cybercrime. No, no company wants the bad press for a breach or the risk of litigation, but these laws do not do enough to prevent cybercrime.

Read more on iTWire.