Tag Archives: GDPR

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints from individuals about how their data was being handled in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations into cross-border cases.

Many of the complaints were related to email marketing,  telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019 (DNS Flag Day), the major DNS resolver software vendors will ship versions that stop supporting the band-aids added over the years to keep non-compliant authoritative DNS servers working, albeit slowly.  The standards in question are RFC 1035 (1987), the base DNS protocol, and EDNS, RFC 2671 (1999, now RFC 6891).  Until now, when an authoritative server silently ignored a query carrying an EDNS record, resolvers would time out and retry without EDNS.  Major resolver operators such as Google, Cisco (OpenDNS), Quad9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS provider’s authoritative servers drop EDNS queries instead of answering them (even an old-style FORMERR answer is fine), your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes, there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.
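Here is what the Flag Day test is actually checking, as an added example (my own code, not the DNSFlagDay test suite or any resolver vendor’s code).  It builds an A query with an EDNS0 OPT record attached, the way modern resolvers send queries, and sorts the reply into the cases that matter: the server answers with its own OPT record (EDNS works), the server answers FORMERR or NOTIMP without an OPT record (an RFC 1035-only server, which resolvers will still handle by retrying without EDNS), the server answers but silently drops the OPT record (works, but is non-compliant), or the server says nothing at all, which is the case that becomes fatal after Flag Day.  The two sample replies are constructed inside the script so it runs offline; probe() sends a real query if you give it the address of an authoritative server.

```python
"""
Added example: the check behind DNS Flag Day, done by hand. Build a query
carrying an EDNS0 OPT record (RFC 6891) and classify the reply. The two
sample replies below are constructed here so the script runs offline.
"""
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41           # RFC 1035 A record, RFC 6891 OPT pseudo-RR
RCODE_FORMERR, RCODE_NOTIMP = 1, 4


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qid=0x1234, edns=True, udp_size=1232):
    """A-record query; with edns=True an OPT record goes in the additional section."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt = hdr + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if edns:
        # OPT: root name, type 41, class = our UDP buffer size,
        # TTL field = extended rcode / version 0 / flags, empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return pkt


def skip_name(data, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_rrs(data, off, count):
    """Parse `count` resource records starting at `off`; returns (rrs, new_off)."""
    rrs = []
    for _ in range(count):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rrs.append((rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return rrs, off


def classify_response(query, response):
    """
    'timeout'   : no answer at all -> fatal after Flag Day
    'edns-ok'   : reply carries its own OPT record -> EDNS works
    'legacy-ok' : FORMERR/NOTIMP without OPT -> RFC 1035-only server;
                  resolvers still fall back to a plain query for these
    'noopt'     : answered but silently dropped the OPT -> works, non-compliant
    'mismatch'  : not a reply to our query
    """
    if response is None:
        return "timeout"
    qid = struct.unpack_from("!H", query)[0]
    rid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", response)
    if rid != qid or not flags & 0x8000:          # ID must match, QR bit must be set
        return "mismatch"
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4        # skip QTYPE + QCLASS
    _, off = parse_rrs(response, off, an + ns)
    additional, _ = parse_rrs(response, off, ar)
    if any(rr[0] == TYPE_OPT for rr in additional):
        return "edns-ok"
    if (flags & 0x000F) in (RCODE_FORMERR, RCODE_NOTIMP):
        return "legacy-ok"
    return "noopt"


def probe(server_ip, name, timeout=2.0):
    """Live check of one authoritative server over UDP; no reply -> 'timeout'."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_response(query, data)


def sample_edns_reply(query):
    """Constructed reply: NOERROR, one A record, OPT echoed back with a 4096-byte size."""
    qid = struct.unpack_from("!H", query)[0]
    pkt = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 1)
    pkt += encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return pkt


def sample_formerr_reply(query):
    """Constructed reply: an RFC 1035-only server rejecting the OPT record with FORMERR."""
    qid = struct.unpack_from("!H", query)[0]
    pkt = struct.pack("!HHHHHH", qid, 0x8181, 1, 0, 0, 0)
    return pkt + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)


if __name__ == "__main__":
    q = build_query("example.com")
    print("EDNS reply   :", classify_response(q, sample_edns_reply(q)))
    print("FORMERR reply:", classify_response(q, sample_formerr_reply(q)))
    print("no reply     :", classify_response(q, None))
    # probe("192.0.2.53", "example.com") would query a real server (address is a placeholder)
```

Run probe() against each of your domain’s authoritative name servers (not against a public resolver, which would mask the problem); a 'timeout' from any of them is exactly what the Flag Day site reports as fatal.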

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Privacy Act (CCPA) was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned; it doesn’t mean that they won’t try.  Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that it created, in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were the targets of a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to create disinformation whenever it serves their interests.  Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten court approval to infiltrate Joanap, a North Korean peer-to-peer botnet, by running servers that join the botnet, in order to create a map of Americans whose computers are infected.

While the malware is very old and is detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 


Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business (NOYB), the non-profit founded by Austrian privacy activist and lawyer Max Schrems, a long-time thorn in Facebook’s side, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB .

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released exploit code for a WiFi firmware bug he presented at a conference last year.  The bug is in the firmware of Marvell Avastar WiFi chips, which runs on the ThreadX real-time OS, and it can be triggered while the chip scans for networks, so an attacker in radio range can take over the system even if the device is not connected to any WiFi network.  Affected devices include the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on with WiFi enabled.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for iPhones (and other i-devices) that fix several remote code execution bugs (vulnerabilities that can be exploited over the network) in FaceTime and Bluetooth, plus 8 bugs in WebKit, the browser engine behind Safari.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

macOS got similar patches since much of the same software runs on the Mac, but there were Mac-specific bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Exposes 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed.  It is not clear who owns the data, which belongs to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company, Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.


News Bites for the Week Ending January 4, 2019

Vietnam’s New Cybersecurity Law in Effect

Vietnam’s new “cybersecurity” law which requires companies to remove any content from the Internet that the government finds offensive went into effect on January 1.

It also requires some companies like Facebook and Google to open offices in Vietnam if they want to continue to do business there.

The law prohibits individuals from spreading anti-government information.  The Vietnam Association of Journalists announced a new code of conduct prohibiting reporters from posting anything on the Internet that “runs counter” to the state.

Google has apparently agreed to open an office there, although they are being somewhat sly about it;  Facebook does not seem to have committed to that.

Companies will need to decide if the income from Vietnam is worth the risk.  Source: South China Morning Post.

 

Android Apps Send Data to Facebook without User Permission

Apparently the Facebook software development kit did not even give app developers the option not to send data to Facebook until a month after GDPR went into effect.

Apps that have not updated their software are likely still sending data, probably without user consent, to Facebook, even if the user does not have a Facebook account.

Some apps send data to Facebook the second they are opened; others, like travel apps, send data to Facebook every time you search for a flight.

Integrating the data from various apps, Facebook could determine your religion (prayer app), gender (period app), employment status (job search app) and travel plans including number of children traveling (travel app).

Example apps are prayer apps, MyFitnessPal, Kayak, Indeed, Spotify, TripAdvisor and others.  The test was against Android apps, so it is not clear if the Apple Facebook library does the same thing.

Facebook admitted that they have a problem.

Both Facebook and the app developers could be on the hook for GDPR fines of up to 20 million Euros or 4% of global annual turnover, whichever is higher.  Source: Android Police.

Hackers Leak Private Info on Hundreds of German Politicians

Hackers leaked sensitive data on German Chancellor Angela Merkel and Brandenburg’s prime minister Dietmar Woidke, along with other politicians, artists and journalists.

Leaked information includes private conversations, photo IDs, credit card information, bills and other personal info.

Germany’s Federal Office for Information Security (BSI), which is investigating, said that government computers were not affected.  Other than covering their own butts, it is not clear why they would say that, since no one suggested that government computers were being attacked.

This does point out how important it is to protect your phones and tablets: keep the operating system patched (many older phones have no patches available and are therefore vulnerable if people use them to log on to web sites that hold email and other personal info), keep the applications on them patched, and remove applications you don’t need.  Unfortunately, older devices for which there are no patches should be replaced.  Details here.

 

Lloyd’s of London Denies THEY Were Hacked; Throws Partner Hiscox Under the Bus

As a follow up to a blog post from earlier this week, hackers have now posted a sample of docs related to 9/11 lawsuits reportedly hacked from Lloyds and Hiscox.

Lloyd’s claims that they were not hacked but rather their business partner Hiscox was hacked.

Nice of them to proclaim themselves innocent while throwing their partner under the bus.  No doubt this was an effort to divert lawsuits from them to Hiscox.  I will point out that this likely won’t work, since a client of Lloyd’s has no agreement with, and no ability to select or control, Lloyd’s vendors.  This is yet another reason why we are so adamant about companies implementing robust vendor cyber risk management programs.  Read details here.


Security News for the Week Ending December 28, 2018

FCC to Investigate CenturyLink

In an example of “can you believe this”, Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers, wants to investigate why Internet provider CenturyLink had an outage today that affected 911 call centers across the country.

CenturyLink, which told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe they are being optimistic) but has not said what happened to its network.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place: he said earlier this year that the FCC can’t regulate the Internet, and this is an Internet problem, so maybe he doesn’t even have the authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  Source: NBC.

Yet Another Bitcoin Hack – $750,000

Hackers made off with roughly 200 Bitcoin, around $750,000, from users of the Electrum wallet.

The hack is very basic and relies on a flaw in the Electrum wallet software, not in Bitcoin itself.

This is NOT an attack on the encryption but rather an attack using a flaw in the software.

Electrum is a light wallet: it does not keep its own copy of the blockchain but asks public Electrum servers for balances and to broadcast transactions, and anyone can run such a server.  The hackers added their own servers to that pool.  When a wallet connected to one of them and tried to send a transaction, the server answered with an error message containing a link to a fake update.  The “update”, of course, is malicious: it asks for the wallet’s password and seed and then empties the wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers changed the wallet so that error messages from servers are no longer rendered as rich text, so the link was no longer clickable.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution; Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers had posted the cables online; once they were found, copies were sent to the media.

The company that found them said that likely tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just snippets it records while listening to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data it is storing about them.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Echo Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that it had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.

 


News Bites for the Week Ending October 19, 2018

Austria Issues First GDPR Fine; Has 115 Fine Proceedings in the Queue

Austria has issued its first GDPR fine: 4,800 Euros for having a security camera that covers the sidewalk (a no-no) without warning people that they are under surveillance.  Welcome to GDPR.  In the first 100 days of GDPR, they have 115 fine proceedings in the works.  They also have 58 investigations in process.  Austria’s data protection authority has been notified of 252 breaches and has 721 complaints from data subjects.  Consider also that Austria is a small country.  This is all likely to ramp up over time.  Source: Lexology.

Voter Records for 19 States Sold On Hacker Forum

It is a good thing that the Russians and Chinese and everyone else are not interfering with our elections.  It is probably, then, just a vanilla crook who is selling this voter data.  The data, including name, address, phone number, voting history and other information is public in some states and sold by the states themselves in some others. Other states do not release this data.

Being an entrepreneur, the hacker is selling the data for different states for different prices.  Georgia, for example, is $250 while New Mexico is $4,000.  Why?  I have no clue.

The estimate is that the aggregate data is around 35 million records.  Source: ZDNet.

Google: Don’t Get Mad, Get Even

Google got hit with a $5 billion fine for forcing EU phone makers to bundle Google apps with Android phones they sell.  Google said that this was an exchange for giving away Android for free.

Since they can no longer do that, they are now going to CHARGE phone makers a licensing fee if they choose to bundle Google apps like the Play Store and Chrome on phones sold in the EU.  Phone makers will have to pay another fee if they want to include apps like Google Maps and YouTube.

This fee is independent of where the phone is made; rather it is tied to where the phone is sold.  It is unclear if users can download those apps themselves if their phone maker chooses not to include those apps.  Of course, if the phone maker does not include the Google Play Store app, it is not clear, exactly, how a user would download those other apps.   Source: Bleeping Computer.

Is Open Source Software More Secure?

One of the ongoing conversations in IT circles is the question about whether open source software is more secure than commercial software.

The theory that it is more secure is based on the fact that anyone can look at the software.  It doesn’t mean that anyone has looked or if they have looked that they have found bugs or security holes, but it is technically possible to look.

This week we had 3 separate announcements of very popular open source software with security holes.  While it is a good thing that patches were developed, it means that you as a user are responsible for watching to see if any software that you are using has a patch and deploying it.

In addition, you are also responsible for, somehow, figuring out whether any software that you use incorporates that buggy software under the covers.  If that other software is also open source, you are on the hook for that too: you have to find out whether anyone has rebuilt it against the patched version of the underlying library.

The three buggy products are:

  • A four year old bug in libssh, a library (separate from OpenSSH) that provides SSH logins to servers, was patched.  The bug, rated severe, let a client bypass authentication on servers built with the library.  See details here.
  • A critical flaw was patched in Live555, the streaming library used by the open source video player VLC and other open source software to stream audio and video.  The bug allows an attacker to execute arbitrary code on your computer.
  • Lastly, 13 bugs were patched in Amazon FreeRTOS, Amazon’s free IoT operating system, that allowed both arbitrary code execution and denial of service attacks.  See details here.

So, based on that, my opinion is that open source software is no more secure than commercial software, but the onus is on you to watch out for patches and hope that developers that used that buggy software under the covers patched their software too.
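The “under the covers” problem is a graph walk: which of the things you actually run pull in the buggy library, directly or through something else?  As an added example (my own code, not from any of the sources above), here is a small script that walks a dependency graph of the kind you would get from an SBOM or a package manager’s lock file and reports every path from your application to a component that is still below the version carrying the fix.  The component names, versions and the advisory table are constructed for the example and are not real advisories; the libssh, Live555 and FreeRTOS fixes above are the kind of entries you would put in the table.

```python
"""
Added example: find every path from the software you run to a component
still below the version that carries a fix. Component names, versions and
the advisory table below are constructed for the example, not real data.
"""


def parse_version(v):
    """'2018.10.17' -> (2018, 10, 17); dotted numeric versions only."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, fixed_in):
    """True if `version` is older than the first release that carries the fix."""
    return parse_version(version) < parse_version(fixed_in)


# Constructed advisory table: component -> first version with the fix
ADVISORIES = {
    "streamlib": "2018.10.17",
    "sshlib": "0.8.4",
    "rtos-kernel": "1.3.2",
}

# Constructed dependency graph: "name version" -> direct dependencies.
# In practice this comes from an SBOM or your package manager's lock file.
GRAPH = {
    "myapp 2.1": ["player 3.0.4", "deploytool 1.2", "sensor-fw 0.9"],
    "player 3.0.4": ["streamlib 2018.08.28"],
    "deploytool 1.2": ["sshlib 0.8.2", "ui-kit 4.0"],
    "ui-kit 4.0": ["streamlib 2018.10.17"],          # already rebuilt on the fixed version
    "sensor-fw 0.9": ["rtos-kernel 1.3.1", "sshlib 0.8.4"],
}


def split_component(node):
    name, version = node.rsplit(" ", 1)
    return name, version


def find_vulnerable_paths(graph, advisories, root):
    """
    Depth-first walk from `root`. Returns one entry per path that ends in an
    affected component: (path, name, version, fixed_in). A component reached
    two different ways is reported twice, because each path is a separate
    supplier you have to chase for a rebuild.
    """
    hits = []

    def walk(node, path):
        name, version = split_component(node)
        if name in advisories and is_affected(version, advisories[name]):
            hits.append((path, name, version, advisories[name]))
        for dep in graph.get(node, []):
            if dep in path:              # cycle guard
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return hits


def tier(path):
    """A direct dependency is third party; anything deeper is 'fourth party'."""
    depth = len(path) - 1
    if depth == 0:
        return "first party"
    return "third party" if depth == 1 else "fourth party"


def report(graph, advisories, root):
    """One human-readable line per vulnerable path."""
    return [
        f"{name} {version} (fixed in {fixed_in}), {tier(path)}: " + " -> ".join(path)
        for path, name, version, fixed_in in find_vulnerable_paths(graph, advisories, root)
    ]


if __name__ == "__main__":
    for line in report(GRAPH, ADVISORIES, "myapp 2.1"):
        print(line)
```

Note that ui-kit is clean even though it embeds the same library as player: it was rebuilt on the fixed release, which is exactly the question the walk answers for you, per path, rather than per library.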


Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers stole the access “tokens” that Facebook issues to keep users logged in (by chaining bugs in the “View As” feature), not the passwords themselves.  Facebook revoked those users’ tokens, which forces a fresh login and stops the stolen tokens from continuing to be used.

Later in the day Facebook said that it revoked another 40 million users’ tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack after the effective date of GDPR.  Sure, British Airways lost 380,000 credit cards, but this is 50-90 million users on Facebook alone.  We DO NOT KNOW whether other sites that share Facebook logins were affected, but if they were, this could affect dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course, Facebook’s license agreement with other sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer, if such a disclaimer even exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW, my token was apparently hacked as my login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia. 

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two factor authentication.  Facebook’s two factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.

Information for this post came from Business Insider.
