Google Chrome: Beware These Malicious Extensions That Record Everything You Do*:
- Google has removed 89 malicious extensions from the Chrome Web Store that have been installed on over 420,000 browsers, turning them into Monero-mining slaves and loading a tool to record and replay what their owners do on every website they visit.
- Researchers dubbed the family of malicious extensions Droidclub.
- The scripts allow a site owner to essentially shoulder-surf their visitors by recording and replaying their "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit."
- The 98 malicious extensions are an odd collection of home cooking and home decoration themed tools.
- The attackers likely used a blend of malicious ads and social engineering to trick victims into installing the extensions.
- The extension, combined with the library, allows the attacker to steal data entered into forms, including names, credit card numbers, CVV numbers, email addresses, and phone numbers.
- And although Google encourages users to report malicious extensions, Droidclub extensions have been designed to thwart that process too.
- If users try to report an extension via the Chrome Web Store, they end up being redirected to the introduction page of the affected extension.
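The capabilities described above (injecting a recording script into every site the user visits and loading it from a remote server) show up in an extension's manifest as broad host access, content scripts matched against all URLs, and a content security policy that permits remote script origins. The following manifest audit is an added example for administrators who vet extensions before allowlisting them; it is not code from the original article, the researchers, or any of the Droidclub extensions, and both manifests it checks are constructed samples rather than real extension files.

```python
import json

# Host patterns that grant access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or alter browsing broadly.
SENSITIVE = {"tabs", "webRequest", "webRequestBlocking", "cookies",
             "history", "webNavigation", "clipboardRead"}


def remote_script_origins(csp):
    """Return the http(s) origins allowed by the script-src directive of a CSP string."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return [p for p in parts[1:] if p.startswith("http")]
    return []


def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest (empty list = nothing flagged)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & ALL_SITES:
        findings.append("host access to every site")
    for p in sorted(perms & SENSITIVE):
        findings.append(f"sensitive API: {p}")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & ALL_SITES:
            findings.append("content script runs on every site: " + ",".join(cs.get("js", [])))
    # Manifest v2 stores the CSP as a string; v3 stores a dict keyed by context.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    for origin in remote_script_origins(csp):
        findings.append(f"remote script origin allowed: {origin}")
    return findings


def audit_manifest_json(text):
    """Convenience wrapper for auditing the raw text of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed sample: a narrowly scoped extension that only touches one site.
BENIGN = {
    "manifest_version": 2,
    "name": "Recipe Timer",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://recipes.example/*"], "js": ["timer.js"]}],
}

# Constructed sample shaped like a session-recording extension: all sites,
# browsing APIs, an injected script everywhere, and a remote script origin.
SUSPICIOUS = {
    "manifest_version": 2,
    "name": "Home Decor Ideas",
    "permissions": ["tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["replay.js"]}],
    "content_security_policy": "script-src 'self' https://cdn.example; object-src 'self'",
}

if __name__ == "__main__":
    for m in (BENIGN, SUSPICIOUS):
        print(m["name"], "->", audit_manifest(m) or "no findings")
```

The audit flags shape, not intent: a legitimate password manager also needs access to every site, so a finding is a prompt for manual review of what the injected scripts do, not a verdict. The names `cdn.example` and the two extension titles are invented for the sample.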
*Source: ZDnet, February 02, 2018
FBI Warns Hackers Impersonating Federal Portal for Reporting Fraudsters*:
- The FBI says that hackers are sending fake emails impersonating a federal hub for filing internet crime complaints to lure victims into handing over sensitive personal information or open malicious documents.
- The Internet Crime Complaint Center (IC3) is a virtual complaint desk that allows individuals to report online fraud.
- The FBI also published a copy of the template used by the scammers to bait would-be victims into handing over their personal data or opening the malware-laden attachment.
- The bureau said it has identified at least three other versions of the scam, one of which involved a fake social media page for IC3.
- The Department of Homeland Security also issued an advisory on the scam.
*Source: The Hill, February 21, 2018
Think GDPR Doesn’t Apply to Asia Pacific Businesses? Think Again.*:
- Sweeping changes to the General Data Protection Regulation (GDPR) taking effect on May 25, 2018 mean businesses in the Asia Pacific region will have to meet strict requirements to protect the data of EU citizens or face steep penalties.
- Regulators have pledged to enforce the law beyond European borders, and violating the GDPR could result in hefty fines – as much as 20 million Euro or 4 percent of your business’ annual global revenue.
- The results of one study showed that while 76 percent of Asia-Pacific respondents were concerned about GDPR compliance, most lacked awareness of what was required for their organization to stay in compliance.
- To protect EU citizens, the GDPR sets out specific requirements for data management, storage, usage and security.
- Organizations must follow six key data privacy principles: Lawfulness and transparency, purpose limitations, data minimisation, accuracy, storage limitations, and integrity and confidentiality.
- Another fundamental change with the GDPR is that if a loss, theft, or breach to data occurs, the incident must be reported “without undue delay” and within 72 hours, if possible.
- To build a strong foundation of trust with customers and set yourself apart from your competitors, it is essential to align your IT and compliance resources to establish a thorough risk-assessment process and solid compliance framework.
- It’s important to extend this effort to everyone in your information supply and storage chain, regardless of whether they are based in Asia.
*Source: LinkedIn, February 05, 2018
12,000 Social Media Influencers, Mostly Women, Exposed by Marketing Firm Data Breach*:
- More than 12,000 prominent social media influencers from YouTube, Instagram, Twitter, and the gaming platform Twitch were exposed last month by a data breach at a marketing firm that pairs online stars with top brands seeking product reviews and endorsements.
- Many of the online stars have massive followings and are known for offering beauty tips, primarily on Instagram, or video game reviews and commentary on YouTube.
- The breach, which was tied last month to the influencer marketing firm Octoly, exposed not only the stars’ true identities, but their street addresses, apartment numbers, phone numbers, email addresses, and more.
- The exposed database also contained a massive list of the brands that partner with these influencers.
- Octoly’s Amazon server was publicly accessible, but compared to most companies whose sensitive data has been unearthed in this way, Octoly was strikingly slow to respond.
- Octoly’s inability to secure the data for weeks after being notified, despite repeated follow-up communication and instruction on how to do so, is an unfortunate illustration of how not to respond to news of a data exposure.
- While many of the corporate records disappeared shortly thereafter, the client database containing a wealth of personally identifiable information remained accessible online for almost a month following the initial notification.
- Locating unprotected Amazon cloud servers has become a hobby of data breach hunters over the past two years.
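The digest says only that Octoly's "Amazon server" was publicly accessible; the usual form of this exposure is a storage bucket whose policy or ACL grants access to everyone. The check below is an added example, not code from the article or from Octoly, and it assumes the S3 bucket case: it takes a bucket policy and a bucket ACL in the JSON shapes that AWS's GetBucketPolicy and GetBucketAcl calls return and reports any grant to anonymous or all authenticated AWS users. Bucket names, the account id and the role name in the samples are constructed placeholders.

```python
import json

# Canned group URIs that make an ACL grant public (any AWS user, or anyone at all).
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_principal(principal):
    """True when a policy statement's Principal means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """List Allow statements addressed to everyone, noting whether a Condition narrows them."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        hits.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            # A conditional grant (e.g. source-IP restricted) still deserves review,
            # so it is reported rather than silently dropped.
            "conditional": bool(st.get("Condition")),
        })
    return hits


def public_acl_grants(acl):
    """Permissions the ACL hands to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]


def public_policy_from_json(text):
    """GetBucketPolicy returns the policy document as a JSON string; parse then check."""
    return public_policy_statements(json.loads(text))


# Constructed sample: the exposed state, anyone can list and read the bucket.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-client-db", "arn:aws:s3:::example-client-db/*"],
    }],
}

# Constructed sample: the fixed state, access limited to one IAM role (placeholder ids).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ClientDbReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-client-db/*",
    }],
}

EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
                           "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("exposed policy:", public_policy_statements(EXPOSED_POLICY))
    print("fixed policy:  ", public_policy_statements(FIXED_POLICY))
    print("exposed ACL:   ", public_acl_grants(EXPOSED_ACL))
    print("private ACL:   ", public_acl_grants(PRIVATE_ACL))
```

Run against every bucket in an account on a schedule, this is the owner-side equivalent of the external scanning mentioned above: it finds the exposure before a breach hunter does, and the `conditional` flag keeps partially restricted public grants visible for review instead of hiding them.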
*Source: Gizmodo, February 05, 2018
New OCR Checklist Outlines How Health Care Facilities Can Fight Cyber Extortion*:
- Cyber extortion can take many forms, but it typically involves cybercriminals demanding money to stop or delay their malicious activities, which include stealing sensitive data or disrupting computer services.
- Health care and public health sector organizations that maintain sensitive data are often targets for cyber extortion attacks.
- Ransomware is a form of cyber extortion where attackers deploy malware targeting an organization’s data, rendering it inaccessible, typically by encryption.
- Other forms of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, in which affected computers cannot respond and are otherwise inaccessible to legitimate users.
- Cyber extortion can occur when an attacker gains access to an organization’s computer system, steals sensitive data from the organization, and threatens to publish that data.
- The HHS Office for Civil Rights (OCR) published a checklist to assist HIPAA covered entities and business associates on how to respond to a cyber-extortion attack.
- Organizations can reduce the chances of a cyber extortion attack by implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically throughout the entire organization.
- Click on the link below to view other suggestions on how to keep organizations safe and steps that should be taken in the event of a cyber attack.
*Source: The National Law Forum, February 12, 2018
Grammarly's Flawed Chrome Extension Exposed Users' Private Documents*:
- Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account – including their private documents and data.
- The security researcher at Google's Project Zero who found the "high severity" vulnerability noted that the browser extension exposed authentication tokens to all websites.
- That means any website can access a user's documents, history, logs, and other data.
- More than 22 million users have installed the grammar-checking extension.
- Grammarly issued an automatic update following the bug report.
*Source: ZDNet, February 05, 2018
Upcoming Deadlines for Covered Entities Subject to NYS DFS Cybersecurity Regulations*:
- The New York State Department of Financial Services (DFS) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations.
- By February 15, 2018 all covered entities must submit a statement to DFS certifying compliance with the first-in-the-nation regulations.
- The certification must be submitted through DFS’ online cybersecurity portal.
- The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS.
- Another deadline is approaching – by March 1, 2018 covered entities should submit their annual written report to their boards, governing bodies, or other appropriate committees.
- Also by this deadline, covered entities should have in place:
  - Regular cybersecurity awareness training;
  - Continuous monitoring or periodic penetration testing and vulnerability assessments;
  - Multi-factor authentication controls; and
  - A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.
*Source: National Law Review, February 02, 2018