Two weeks ago the latest details on the Last Pass breach were much fresher, and since then two things have happened:<\/p>\n
In terms of new information we have the following:<\/p>\n
In terms of opinion, there’s the obvious fact that lots of smart people are choosing to leave LastPass, and advising others to do the same. What’s influenced me much more is an observation by Leo Laporte that the breach notifications are actually missing a lot of critical detail, yes, they were timely, and yes they included nerdy technical detail, but they failed to address two critical questions:<\/p>\n
Unless you started using LastPass after 2018 and know you have never had a weak password, you must assume baddies have a poorly protected copy of your vault.<\/strong> If you joined before 2018, or if you ever had a poor password, then you need to change every password you ever stored in LastPass<\/strong> before the baddies have time to break a weakly encrypted vault.<\/p>\n With all the hubub around LastPass, the news that up to 400,000 Twitter accounts have have been leaked has gotten rather lost in the mix!<\/p>\n What we now know is that early last year there was a flaw in a Twitter API that allowed an attacker to test if a given phone number or email address matched a Twitter username, and if it did, which one. This allowed attackers to mine Twitter for usernames that match email addresses from other breaches, and, the ranges of telephone numbers used by major providers. This let them build up a searchable database of Twitter usernames with supposedly private email addresses and phone numbers.<\/p>\n For most people the biggest danger here is automated but convincing targeted phishing<\/strong>, but for high-value users who rely on SMS 2FA being targeted for a SIM swapping attack is the biggest danger. In this case, high-value is from the point of view of baddies, so some categories that leap to my mind include:<\/p>\n While I think it’s important for all high-value users to change away from SMS 2FA, I think this is probably a good time for everyone<\/em> still using SMS 2FA on Twitter to switch over to TOTP<\/strong> (Google Authenticator-like codes from an app like Authy or 1Password).<\/p>\n The Irish Data Protection Commissioners (Irish DPC) have found that Meta is not in compliance with the GDPR because it doesn’t get user consent for targeted advertising. The judgement requires that it pay the fine, and update its processes to gather the needed consent on Facebook & Instagram.<\/p>\n Obviously Meta are appealing the decision, but so are the Irish Data Protection Commissioners (sort of)!<\/p>\n If you want a detailed understanding of the GDPR, I suggest CCATP episode 534<\/a> where myself and Allison go through the entire regulation in detail, but for this discussion, we just need to understand one concept \u2014 the legal basis on which data is collected. Under the GDPR, each piece of personally identifiable data you collect must be covered by one of six possible legal basises:<\/p>\n Just two of those are in play here \u2014 Consent and Contractual Obligations.<\/p>\n Meta say that by using Facebook you are entering into a contract with them, and that that contract requires tracking for targeted ads, so there is no need for consent.<\/p>\n In their initial ruling on a case brought by Austrian privacy campaigner Max Schrems the Irish DPC agreed with Meta, but that initial ruling had to be sent to all other EU DPCs, and many did not agree. That kicked of a process whereby the ruling went to a board of DPCs, and that board agreed with Schrems that ad targeting is not covered by contractual obligation because tracking is not essential for the delivery of the service, so consent is needed. The board overruled the Irish DPC, and forced them to issue the ruling against Meta that made the news.<\/p>\n The Irish DPC is quite cranky about being overruled like this, so they’ve filed suit in the European court, alleging that the board of DPCs over-stepped their authority with this ruling.<\/p>\n If the ruling stands<\/strong> it’s a really big deal, it would mean actual informed consent would be needed for targeted ads.<\/p>\nLinks<\/h3>\n
\n
Deep Dive 2 \u2014 The Twitter Breach<\/h2>\n
\n
Links<\/h3>\n
\n
Deep Dive 3 \u2014 Meta’s \u20ac390M ($411M) Fine, and its Implications<\/h2>\n
\n
Links<\/h3>\n
\n
Notable News<\/h2>\n
\n
\n
Top Tips<\/h2>\n