LinkedIn Fixes User Data Leak Bug*:
- LinkedIn has quietly patched a vulnerability which could have allowed malicious third parties to steal members' personal data.
- The flaw revolves around the business networking platform's AutoFill button, which lets third-party sites fill in a member's LinkedIn profile details on their own forms with a single click.
- A malicious site could embed the AutoFill widget invisibly across its whole page, so that a click anywhere on the page is interpreted by LinkedIn as the AutoFill button being pressed, and the member's data is sent to the malicious webmaster.
- LinkedIn fixed the feature a day after being informed, restricting it to whitelisted sites paying to host ads.
- The incident comes at a sensitive time for online firms which collect and share data on users with third parties.
- It follows the Cambridge Analytica scandal, which unearthed serious deficiencies in Facebook's terms of service agreements with app developers.
*Source: Info Security, April 20, 2018
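The fix described above restricts the widget to whitelisted sites, which is only as good as the allowlist check behind it. The following is an added illustration, not LinkedIn's code: the allowlisted hostnames, the request shape and the `handle_autofill_request` handler are constructed for the example. It puts the common weak check (a substring match on the allowlisted name) beside a hardened one that parses the `Origin` header and compares the host exactly.

```python
"""Added example: origin allowlisting for an embeddable data-filling widget.

Not LinkedIn's code. ALLOWED_EMBEDDERS, the headers and the profile data are
constructed so the checks can run offline.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of exact hostnames permitted to embed the widget.
ALLOWED_EMBEDDERS = frozenset({"partner.example.com", "ads.example.net"})


def naive_is_allowed(origin: str) -> bool:
    """The weak check: substring match on an allowlisted name.

    "https://partner.example.com.evil.test" contains "partner.example.com",
    so an attacker-controlled host passes this test.
    """
    return any(host in origin for host in ALLOWED_EMBEDDERS)


def is_allowed_origin(origin: Optional[str]) -> bool:
    """Hardened check: parse the Origin header and compare the host exactly.

    Rejects a missing or opaque ("null") origin, requires https, refuses any
    path/query/fragment an Origin value should never carry, and matches the
    parsed hostname (lowercased, without port or userinfo) exactly.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    host = parts.hostname  # already lowercased; port and userinfo stripped
    if not host:
        return False
    return host in ALLOWED_EMBEDDERS


def handle_autofill_request(headers: Dict[str, str],
                            profile: Dict[str, str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Return (status, body): profile data only for allowlisted embedders."""
    if not is_allowed_origin(headers.get("Origin")):
        return 403, None
    return 200, profile


if __name__ == "__main__":
    evil = "https://partner.example.com.evil.test"
    print("naive check lets the lookalike through:", naive_is_allowed(evil))
    print("hardened check result for the same origin:", is_allowed_origin(evil))
    print(handle_autofill_request({"Origin": "https://ads.example.net"},
                                  {"name": "A. Member", "email": "member@example.org"}))
```

The lookalike host, the `http://` downgrade and the `null` origin sent by sandboxed or opaque iframes are the cases that matter; all three are refused by the hardened check and the first is accepted by the naive one.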
iOS Sync Glitch Lets Attackers Control Devices*:
- Researchers have described a new iOS attack called "trustjacking," which abuses a feature called iTunes Wi-Fi Sync to give attackers persistent control over a victim's device.
- The researchers disclosed the issue to Apple, which has released a mechanism intended to safeguard devices against it.
- All a victim needs to do is approve their device's connection to a malicious computer when syncing with iTunes.
- The attack abuses iTunes Wi-Fi Sync, which lets users manage their iOS device from a computer without physically connecting the two.
- Enabling the feature requires the device to be synced with iTunes once over a cable; after that, the trusted computer can reach the device over Wi-Fi.
- Once Wi-Fi Sync has been enabled, the attacker can view the victim's screen by installing, over Wi-Fi, the developer image that matches the victim's iOS version.
- The attacker can use that access to install malicious apps, or to replace existing apps with modified versions that look like the original but spy on the user.
- According to the researchers, the attack can then be leveraged at any time, without the attacker needing to be near the device or on the same network.
- Users can also go to Settings > General > Reset > Reset Location & Privacy, which revokes trust for all previously connected computers; each computer then has to be re-authorized the next time the device is connected to it.
*Source: Threat Post, April 18, 2018
Atlanta City Splurges $2.7m in Ransomware Aftermath*:
- Atlanta City has been forced to spend $2.7m in the aftermath of a major ransomware attack in another sign of the ongoing threat posed by this class of malware.
- Hackers demanded the equivalent of over $50,000 in Bitcoin when they struck a couple of months ago.
- The costs are said to include a $650,000 contract with SecureWorks to investigate and mitigate the initial damage caused by the attack.
- The city's law department also signed a $600,000 contract with business consultants Ernst & Young, and Edelman PR's expertise was also sought for a hefty fee.
- The revelations highlight the need for organizations to have effective and regularly tested incident response plans in place.
- Most experts will advise against paying up, especially as it only emboldens the black hats and may still not result in being able to regain access to corporate data.
*Source: Info Security, April 20, 2018
Exclusive: Facebook to Put 1.5 Billion Users Out of Reach of New EU Privacy Law*:
- The social network is making changes that ensure the number of its users protected by the new law will be far smaller than it would otherwise be.
- Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company's international headquarters in Ireland.
- Facebook plans to make that the case only for European users, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the European Union's General Data Protection Regulation (GDPR).
- The GDPR allows European regulators to fine companies for collecting or using personal data without users' consent.
- That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions.
- Facebook had 239 million users in the United States and Canada, 370 million in Europe and 1.52 billion users elsewhere.
- Facebook played down the importance of the terms of service change; plans to make the privacy controls and settings that Europe will get under GDPR available to the rest of the world.
- The change means the 1.5 billion affected users will not be able to file complaints with Ireland's Data Protection Commissioner or in Irish courts.
- Facebook released a revised terms of service in draft form two weeks ago, and they are scheduled to take effect next month.
- The new terms, which take effect May 8, move non-European users to contracts with U.S.-based Facebook Inc.
*Source: US news, April 18, 2018
Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank*:
- Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units.
- The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.
- There are a lot of internet-of-things devices in offices: everything from thermostats, refrigeration systems and HVAC systems to the Alexa devices that people bring in themselves.
- The CEO of Darktrace gave one memorable anecdote about a case Darktrace worked on, in which a casino was hacked via a thermometer in an aquarium in the lobby; the attackers used the device as their foothold in the network and stole the high-roller database through it.
- The former head of Britain's Government Communications Headquarters (GCHQ), who ran the agency from 2014 to 2017, appeared alongside the Darktrace CEO on the panel and agreed that hackers' targeting of internet-of-things devices was a growing problem for companies.
*Source: Business Insider, April 15, 2018
Former Airline Employee Sentenced For Hacking PenAir's Ticketing And Reservations System*:
- U.S. Attorney Bryan Schroder announced today that a former airline employee has been sentenced in federal court for hacking PenAir's ticketing and reservation system.
- Suzette Kugler of Desert Hot Springs, California, was sentenced today by U.S. District Judge Sharon L. Gleason, to serve five years of probation, and 250 hours of community service.
- As part of the plea agreement, Kugler agreed to pay $5,616 in restitution to PenAir, paid in full by the time of sentencing.
- According to court documents, Kugler was a long-time employee of PenAir, who parted ways with the company in February 2017, dissatisfied with the circumstances surrounding her departure.
- The investigation revealed that, after her departure, Kugler used her specialized knowledge of the Sabre database to create, without authorization, fake employee accounts with high-level privileges.
- She then used those accounts to destroy critical information in a series of network intrusions.
- Kugler's unauthorized network intrusions were intended to prevent employees at any of the eight airports serviced by PenAir from being able to book, ticket, modify, or board any flight until the stations were re-added to the system.
- The Court at sentencing commended PenAir for remediating the damage caused by Kugler before it resulted in significant disruption for air travelers in Alaska and other states.
*Source: Justice, April 12, 2018
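The case is a leaver-process failure: an account that should have been revoked created new privileged accounts for people who did not exist. The following is an added example, not PenAir's or Sabre's code; the HR roster, role names and audit events are constructed (the usernames and dates are invented and do not refer to any real account). It correlates a user-management audit log with the HR roster to surface both signals.

```python
"""Added example: auditing privileged-account creation against the HR roster.

Not code from PenAir or Sabre. HR_ROSTER, PRIVILEGED_ROLES and AUDIT_EVENTS
are constructed; names and dates are invented for the example.
"""
from datetime import date
from typing import Dict, List

# Constructed HR roster: username -> (status, termination date or None).
HR_ROSTER = {
    "jsmith": ("active", None),
    "leaver01": ("terminated", date(2017, 2, 28)),
    "svc_backup": ("service", None),
}

PRIVILEGED_ROLES = {"sysadmin", "station_admin"}

# Constructed events from the reservation system's user-management audit log.
AUDIT_EVENTS = [
    {"ts": date(2017, 3, 6), "actor": "leaver01", "action": "create_user",
     "target": "ops_admin2", "role": "station_admin"},
    {"ts": date(2017, 3, 6), "actor": "ops_admin2", "action": "delete_station",
     "target": "ANC", "role": None},
    {"ts": date(2017, 3, 7), "actor": "jsmith", "action": "create_user",
     "target": "rdoe", "role": "agent"},
]


def actor_is_leaver(actor: str, ts: date, roster=HR_ROSTER) -> bool:
    """True if the acting account belongs to someone HR recorded as terminated before ts."""
    status, left = roster.get(actor, ("unknown", None))
    return status == "terminated" and left is not None and ts >= left


def find_leaver_activity(events, roster=HR_ROSTER) -> List[Dict]:
    """Any action performed by an account whose owner has left: the account should be gone."""
    return [e for e in events if actor_is_leaver(e["actor"], e["ts"], roster)]


def find_orphan_privileged_accounts(events, roster=HR_ROSTER) -> List[Dict]:
    """Privileged accounts created for a username that matches nobody in HR."""
    return [e for e in events
            if e["action"] == "create_user"
            and e["role"] in PRIVILEGED_ROLES
            and e["target"] not in roster]


def chase_orphans(events, roster=HR_ROSTER) -> List[Dict]:
    """Follow-on: everything the orphan privileged accounts went on to do."""
    orphans = {e["target"] for e in find_orphan_privileged_accounts(events, roster)}
    return [e for e in events if e["actor"] in orphans]


if __name__ == "__main__":
    for e in find_leaver_activity(AUDIT_EVENTS):
        print(f"{e['ts']}: terminated user {e['actor']} performed {e['action']} on {e['target']}")
    for e in find_orphan_privileged_accounts(AUDIT_EVENTS):
        print(f"{e['ts']}: privileged account {e['target']} created with no HR record")
    for e in chase_orphans(AUDIT_EVENTS):
        print(f"{e['ts']}: orphan account {e['actor']} performed {e['action']} on {e['target']}")
```

The first query should return nothing on a healthy system, because termination in HR should drive deprovisioning in the application; the second catches the same abuse even when the original actor's account was correctly disabled and the attacker came in through a different path.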
7 Non-Financial Data Types to Secure*:
- Credit card and social security numbers aren't the only sensitive information that requires protection.
- Here are the seven non-financial data types to secure:
- Medical Information: Companies are collecting data on everything from weight loss and smoking cessation to DNA tests and exercise patterns on their employees and, in some cases, on their customers.
- Browser History: The browser history that lives on a personal computer is one thing, and we know that spyware often looks at local browser history as part of its data-gathering duties.
- Survey Data: Once a company has data from a survey, whether the immediate point of the survey is entertainment or political action, it should treat that data as PII and take steps to protect it accordingly.
- Comments: Reputation is one of those factors that enterprise IT security rarely talks about, but in the consumer/individual world it is incredibly important because an individual's reputation has a currency of its own.
- Employment Details: When we protect employee data, we tend to focus on those pieces that connect directly to a bank account or other financial factor.
- Passwords: Humans tend to re-use passwords because, well, they're human. And that means that a criminal who knows the password for a user's account on one system has a better-than-even chance of knowing their passwords on multiple systems.
- Synthesized Data: When your company is gathering data and doing that Big Data voodoo on it, the results should be protected just as more traditionally sensitive data is shielded.
- When modern business runs on diverse data types, modern IT security must protect diverse data types.
*Source: Dark Reading, April 14, 2018
Cloud data privacy for businesses unclear after Supreme Court drops Microsoft case*:
- The US Supreme Court dropped the Microsoft vs. Department of Justice case over data privacy after new legislation on law enforcement access to cloud provider data rendered it moot.
- The dispute began when federal law enforcement agents served Microsoft with a warrant requiring it to disclose emails and other information from one of its users, based on probable cause that the account was being used for drug trafficking.
- Microsoft determined that the emails were stored in a data center in Dublin, Ireland, and challenged the warrant.
- The case led to the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018, which now renders the debate moot under law.
- After the passage of the CLOUD Act, the federal government obtained a new warrant, which replaced the original warrant served on Microsoft in 2013.
- It remains unclear how much personal privacy individuals can expect when US litigations require documents to be produced.
- The company actually backed the CLOUD Act, as it creates a legal framework regulating how law enforcement can access data across borders.
*Source: Tech Republic, April 18, 2018