Things I Hearted this Week, 26th October 2018

October 26, 2018  |  Javvad Malik

Wordpress Wants to Erase its Past

I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated that its biggest battle is not against hackers but its own users, millions of whom continue to run sites on older versions of the CMS and regularly fail to apply updates to the CMS core, plugins, or themes.

The Penalties Keep Rolling in

Looks like the regulators have recently seen the Arnie classic, Pumping Iron, as they flex their muscles to penalise companies for lax security.

First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out.

In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal.

The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place.

The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

Breaches at 32,000 feet

Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry.

British Airways, still encountering turbulence following its hack in September, has revealed that a further 185,000 customer details could have been compromised!

Fool Me Once

Children’s Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018.

On August 24 the hospital discovered that a hacker had accessed a physician’s email account on August 23 via a phishing attack. A second breach, found on September 6, revealed unauthorized access to an additional email account on August 29.

Some Notes for Journalists About Cybersecurity

The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism.

Journalism is about telling the truth, not a close approximation of the truth, but the true truth. Journalists don't do a good job of this in cybersecurity.

CVE-2018-8414: A Case Study in Responsible Disclosure

Vulnerability management and responsible disclosure can be a tricky tightrope to walk at times. But this writeup by Matt Nelson on the process he recently went through is really insightful.

What Does it Take to be a CISO?

How do people working in a Chief Information Security Officer (CISO) position or its equivalent view cybersecurity? Which problems do they face? To learn the answers to those questions, Kaspersky Lab surveyed 250 security directors from around the world.

The Hunting Cycle and Measuring Success

This is an older article I came across, but the principles are worthwhile going over again.

Other Things I Liked This Week
