The Importance of Encryption in Complying With Australia’s Privacy Amendment Act*:
- November 2017 saw one of Australia’s biggest ever data breaches, in which sensitive personal information regarding almost 50,000 consumers and 5,000 public servants was exposed online.
- One thing many cyber security incidents have in common is how accessible the leaked information was after the breaches themselves occurred – something that could have been avoided had the data been encrypted.
- Government regulations such as the EU General Data Protection Regulation (GDPR) are aimed at protecting the privacy of consumer information, and require businesses to ensure the data they hold isn’t breached or leaked.
- The Privacy Amendment Act 2017 was passed by the Australian Senate as an amendment to Australia’s Privacy Act from 1988, and says that a company should disclose any breach of individual data, or face fines of up to AU $1.8 million.
- Effective from February 2018, the Act also states that if the company has technology in place that will make the leaked data meaningless to people not authorised to have it, then it is protected and the breach notification is unnecessary.
- By enabling encryption, separation of duties, and the use of intelligence logs to identify where a leak may have occurred, you can become fit for compliance.
*Source: Security Boulevard, January 24, 2018
Nations Seek the Elusive Cure for Cyberattacks*:
- When the “Wannacry” ransomware attack spread across the world last May, private firms that looked at the code determined that the attack almost certainly came from North Korea.
- The North Koreans almost certainly used computer code that had leaked from the inner sanctum of the National Security Agency.
- It took until October for the British government to identify North Korea as the culprit in an attack that paralyzed its health care system for a few days, and until mid-December for the White House to reach the same conclusion.
- So what was the penalty for the government in Pyongyang for unleashing a devastating cyberattack? There was none.
- Securing the world against cyberattacks – from nations, criminal groups, vandals and teenagers – will be on the agenda when many of the world’s top leaders gather at the World Economic Forum.
- The major powers of the world have been unable to come up with a viable means of deterring the most damaging attacks; it still takes far too long to formally identify the culprits, and the responses are insufficient.
- The most talented state sponsors of attacks – mostly Russia, China, Iran and North Korea – have carefully calibrated their operations in cyberspace to achieve their strategic aims while avoiding a real shooting war.
- The explosion of state-sponsored, sophisticated cyberattacks over the past seven or eight years has been fueled, in large part, by the expansion of poorly protected targets.
- In the past five years, these attacks have become the cheapest way for nations to undercut one another in the name of bigger strategic goals.
- Yet the world has been unable to decide what constitutes fair game, and what should be off limits.
- There have been a few successes in setting norms of behavior, particularly when it comes to banning child pornography or cracking down on intellectual property theft, but those are the easiest issues on which to agree.
*Source: New York Times, January 21, 2018
Cybercrime: £130bn Stolen From Consumers in 2017*:
- Hackers stole a total of £130bn from consumers in 2017, including £4.6bn from British internet users.
- More than 17 million Brits were hit by cybercrime in the past year, meaning the nation, which accounts for less than 1% of the global population, makes up almost 2% of the 978 million global victims of cybercrime and almost 4% of the global losses.
- Each victim of cybercrime spent, on average, nearly two working days dealing with the aftermath of the attack.
- The most common crimes were generally low-tech, such as attempts to trick individuals into revealing their personal information through bogus emails, and generally carried low costs for victims.
- Other forms of cybercrime were more expensive: a technical support scam cost victims £44, a ransomware attack £111, and a fraudulent online purchase as much as £166.
- The report found that the victims are more than twice as likely as those who haven’t fallen prey to cybercrime to share passwords to online accounts with other people, and almost twice as likely to use the same password for all online accounts.
- A surprising number of cybercrime victims – more than a quarter – believe they are safe from future attacks, showing a dangerous disconnect that leads people to skip taking even basic precautions to protect themselves.
*Source: The Guardian, January 23, 2018
Lenovo’s Fingerprint Authentication App Had Bad Bugs That Made it Easy to Hack*:
- Lenovo has confirmed its in-house authentication software Fingerprint Manager Pro (version 8.01.86), which lets users unlock their devices using fingerprint recognition, was affected by a severe vulnerability which attackers could exploit to access any system equipped with the app.
- Fingerprint Manager contained a hard-coded password that made it accessible to all users with local non-administrative access.
- In addition to this, it stored sensitive information like Windows logon credentials and fingerprint data which were “encrypted using a weak algorithm.”
- For those unfamiliar, Fingerprint Manager allowed users with fingerprint-enabled Lenovo devices to log in using their fingers.
- The faulty software is available for Windows 7, 8, and 8.1.
- According to details posted on the company’s website, this is the full list of devices compatible with Fingerprint Manager:
  - ThinkPad L560
  - ThinkPad P40 Yoga, P50s
  - ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  - ThinkPad W540, W541, W550s
  - ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  - ThinkPad X240, X240s, X250, X260
  - ThinkPad Yoga 14 (20FY), Yoga 460
  - ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  - ThinkStation E32, P300, P500, P700, P900
- Users running an affected iteration of the authentication app are advised to immediately update to version 8.01.87 or later.
*Source: The NextWeb, January 26, 2018
Lyft Responds to Allegations of Employees Snooping on Riders*:
- Lyft said it is investigating new accusations that employees improperly accessed the private data of its riders.
- An anonymous poster claimed to have seen Lyft employees look up "exes," as well as data on Hollywood actresses, porn stars and Facebook CEO Mark Zuckerberg.
- The news immediately drew comparisons to Uber's "God view" mode, which an Uber employee reportedly used to track a journalist's real-time whereabouts.
- Uber settled the complaint with the FTC, agreeing to 20 years of privacy audits as part of the agreement.
- In a statement, Lyft said some employees have access to customer data, which may include details like pickup and drop-off locations.
- Its employees are required to take training and sign a confidentiality and responsible use agreement upon joining the company.
- The agreements also "bar them from accessing, using, or disclosing customer data outside the confines of their job responsibilities."
- Every query made in Lyft’s system to look up rider data is logged, so if the allegations are true, it shouldn’t be difficult to track which employees were accessing customer data.
*Source: CNN Tech, January 26, 2018
ICO Funded Projects Hit by 100 Cyber-Attacks a Month*:
- Projects which raise funds through “initial coin offerings” (ICOs) are attacked by cyber criminals 100 times a month on average.
- The research, published by Moscow-based cyber security firm Group-IB, was based on an analysis of 450 attacks on ICOs since the beginning of 2017.
- Attempts by hackers to steal money from ICO projects increased tenfold over the period.
- Group-IB also took part in a study published by Ernst & Young which showed that roughly $400 million of the $3.7 billion raised via ICOs to date had been stolen.
- The findings come amid a cryptocurrency investing craze, with young companies raising hundreds of millions of dollars online to fund projects, with often little more than a handful of employees and an outline business plan.
- There is also growing scrutiny from regulators and investors, some of whom say they have been misled or defrauded via ICO schemes.
- Group-IB said ICOs and cryptocurrency investors were particularly at risk from so-called phishing attacks.
- Hackers have also attacked and doctored ICO project websites, changing the information so would-be investors send their money to the wrong digital “wallets” used for storing cryptocurrencies.
*Source: Reuters, January 24, 2018
Major UK Cyber-Attack is 'When, Not If', Says Security Chief*:
- A major cyber attack on the UK is a case of “when, not if” according to the head of the National Cyber Security Centre.
- Martin mentioned that the country had been lucky to avoid a "category one" attack targeting infrastructure like energy companies and financial services.
- He also warned that whilst he had not seen any successful attempts to interfere with the UK's democratic process, there may have been intelligence-gathering taking place for possible future attacks.
- The most serious cyber-attack on the UK so far took place in May 2016 when WannaCry ransomware hit the NHS.
- The attack was classed as a category two incident as there was no risk to life.
- He also warned that there had been a "shift" towards more of these types of attacks being launched to try to get money, but that those who launched them did not always keep control of them.
*Source: BBC, January 23, 2018