Facebook’s Role in Data Misuse Sets Off Storms on Two Continents*:
- Facebook faced a backlash about how it protects user data, as American and British lawmakers demanded that it explain how a political data firm with links to President Trump’s 2016 campaign was able to harvest private information from more than 50 million Facebook profiles without the social network alerting users.
- The call for greater scrutiny followed reports that a political data firm used Facebook data to develop methods that it claimed could identify the personalities of individual American voters and influence their behavior.
- The firm’s so-called psychographic modeling underpinned its work for the Trump campaign in 2016, though many have questioned the effectiveness of its techniques.
- Facebook did not inform users whose data had been harvested; the lack of disclosure could violate laws in Britain and in many American states.
- The fallout from the reports added to questions Facebook was already confronting over the use of its platform by those seeking to spread Russian propaganda and fake news.
- Top executives took to Twitter to argue that the company’s protections had not been breached, and that Facebook was thus not at fault.
- The data was obtained in 2014 when users were paid small sums to take a personality quiz and download an app built by an academic researcher; the app scraped some private information from their profiles and from those of their friends – activity that Facebook permitted at the time.
- The researcher told Facebook and his app’s users that he was collecting information for academic purposes, not for a political data firm.
- A former employee of the data firm described having recently seen hundreds of gigabytes of unencrypted data files on the firm’s servers.
- In both Britain and the United States, lawmakers said that in the light of the reports, they wanted fresh answers from both Facebook and the political data firm about how the data was obtained and what was done with it.
*Source: New York Times, March 18, 2018
Supply Chain Cyberattacks Surged 200% in 2017*:
- Major software update compromises occurred at least once a month last year, compared with roughly three such attacks per year previously, as attackers adopted this stealthier and more efficient way to reach their targets.
- That 200% increase in such supply chain attacks only accounts for breaches in 2017 that were reported publicly, so the actual rate could be even higher.
- These are attacks in which the attackers compromise a vendor’s software update process so that the update delivered to customers carries malicious code.
- The most high-profile of these incidents last year was NotPetya, where Russian hackers compromised a Ukrainian accounting vendor's software as a way to spread malware to its targets.
- It’s tough to defend against supply chain attacks because patching software with the latest releases is a best security practice; you can’t stop patching, but organizations should start scrutinizing their supply chain vendors and verifying that those vendors are protecting their build and update channels.
- The spike in supply chain attacks coincided last year with a drop in zero-day attacks detected by Symantec.
- It’s all part of the trend of sophisticated attackers employing legitimate tools and applications on their victims’ networks to stay camouflaged for the long haul.
- Targeted cyberattacks increased by 10% last year, with some 90% of the attacks purely for intelligence-gathering.
- The US unsurprisingly is the most attacked, with nearly 30% of all targeted attack incidents.
*Source: Dark Reading, March 22, 2018
Atlanta is Offline as Ransomware Attack Cripples City Computer Network*:
- Atlanta is the latest victim of a broad-scale ransomware attack that knocked out computer networks across the city.
- The mayor of Atlanta described the attack as “outages in various internal and external customer facing applications,” including payment systems and court-related systems.
- One local media outlet showed a screenshot of a ransomware message demanding a payment of $6,800 in bitcoin to unlock each computer, or $51,000 to provide all the keys for affected systems.
- A researcher noted that this attack is yet another wakeup call for enterprises to protect against all threats rather than focus on a single issue – a full vulnerability assessment covers a far larger share of the threat landscape.
- Ransomware attacks have taken a sophisticated turn in the last few years and organizations should deploy a multi-layered security program in order to prevent the intrusion of malware and allow for quick recovery in case an attack is not stopped.
- The key is that organizations need to keep testing their backup and recovery processes and to keep backup copies of data in multiple locations.
*Source: Silicon Angle, March 22, 2018
First Data Breach Publicised Under Australian Notice Scheme*:
- Shipping company Svitzer Australia has revealed a data breach that saw the personal information of half of its employees leaked outside the company.
- Up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts between May 27, 2017 and March 1, 2018.
- The emails contained information on employees including tax file numbers, next of kin details, and superannuation account information.
- It impacted more than 400 employees at the shipping company, which has a workforce of around 1000.
- The company is undertaking a review to determine the extent of the theft and the identity of the perpetrator.
- It notified the Office of the Australian Information Commissioner of the breach under the country's new Notifiable Data Breaches scheme, which came into effect in February.
- The OAIC said it has received 31 notifications in the first three weeks of the scheme being in operation; it will release information on the notices it receives each quarter.
- It noted that the primary point of the new mandatory breach notification scheme was to ensure affected individuals were notified of a breach of their personal information.
*Source: IT Times, March 16, 2018
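The breach above is the classic mailbox-forwarding exfiltration: a rule quietly copies everything to an outside address and nobody notices for nine months. The check below is an added example, not code from the article, from Svitzer or from the OAIC: it audits an export of inbox rules and flags any enabled rule that forwards or redirects mail to a domain the organisation does not own, raising the severity when the rule also deletes the original or carries a throwaway name. The rule records and the internal domain list are constructed for the example; the field names follow the shape of an Exchange Online inbox-rule export (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, Enabled), but nothing here talks to a live tenant.

```python
"""Audit mailbox inbox rules for forwarding to external domains (added example)."""
from typing import Dict, Iterable, List

# Domains owned by the organisation -- an assumption for this example.
INTERNAL_DOMAINS = {"example-shipping.com", "mail.example-shipping.com"}

# CONSTRUCTED inbox-rule export: one dict per rule, modelled on the fields an
# Exchange Online rule export exposes. None of these mailboxes are real.
SAMPLE_RULES: List[Dict] = [
    {"Mailbox": "payroll@example-shipping.com", "Name": "Copy to ops",
     "Enabled": True, "ForwardTo": ["ops@example-shipping.com"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "payroll@example-shipping.com", "Name": ".",
     "Enabled": True, "ForwardTo": ["payroll.backup@webmail-free.example"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "finance@example-shipping.com", "Name": "Archive invoices",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ["invoices@accounts-helper.example"],
     "DeleteMessage": False},
    {"Mailbox": "ops@example-shipping.com", "Name": "Old forward",
     "Enabled": False, "ForwardTo": ["someone@webmail-free.example"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an SMTP address ('' if it has no '@').

    Tolerates display-name forms such as 'Bob <bob@host>' by splitting on the
    last '@'.
    """
    addr = address.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_external(address: str, internal=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return domain_of(address) not in internal


def audit_rules(rules: Iterable[Dict], internal=INTERNAL_DOMAINS) -> List[Dict]:
    """Return one finding per enabled rule that sends mail outside the organisation.

    Severity is 'medium' for a plain external forward and 'high' when the rule
    also deletes the original (so the victim never sees the traffic) or has a
    blank/punctuation-only name, both common in mailbox-takeover persistence.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue  # a disabled rule cannot exfiltrate; report it separately if wanted
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = sorted({t for t in targets if is_external(t, internal)})
        if not external:
            continue
        reasons = ["forwards to external domain(s): " + ", ".join(external)]
        severity = "medium"
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original after forwarding")
            severity = "high"
        if not rule.get("Name", "").strip(". _-"):
            reasons.append("rule name is blank or punctuation only")
            severity = "high"
        findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule {f['rule']!r}: "
              + "; ".join(f["reasons"]))
```

Run against the sample export this reports two rules: the unnamed payroll rule that forwards to a free webmail domain and deletes the original (high), and the finance rule forwarding attachments to an outside address (medium); the disabled rule is skipped. In practice the same check should also cover mailbox-level forwarding settings, which live outside inbox rules, and should be run on a schedule rather than once.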
Cybersecurity: Employees Pose the Greatest Risk*:
- With almost daily reports of cyber-attacks resulting in the theft of data, operational disruption and financial loss, more businesses are implementing risk strategies.
- Most cyber-attacks are caused by mistakes made by employees as a result of ignorance or negligence.
- You can’t prevent cyber-attacks from ever occurring, but you can mitigate the impact following an incident by engaging everyone in the organization and taking these basic steps:
  - Engage senior management and the board.
  - Invest in regular employee training.
  - Have clear cyber reporting protocols.
  - Create a vendor of record list of cyber incident experts.
  - Ensure supply chains are secure, including third party contractors.
  - Stipulate security requirements in third-party contracts to coordinate effort internally and externally.
  - Carefully negotiate cloud agreements and assess security architecture, including the need to employ additional tools such as encryption and multifactor authentication.
- The standard for addressing cyber risks isn’t perfection, it’s diligence.
*Source: Plant, March 19, 2018
GitHub: Our Dependency Scan Has Found Four Million Security Flaws in Public Repos*:
- The four-million total was reached within a month of the initiative's launch, when GitHub began scanning public repositories for known vulnerabilities in popular Ruby and JavaScript dependencies and notifying project owners that they should move to a patched version.
- GitHub plans to expand its scan to Python dependencies later this year; private repositories, meanwhile, need to opt in to the security alerts.
- Equifax’s massive data breach demonstrated that vulnerable open-source software libraries can have serious security consequences.
- GitHub found over four million vulnerabilities in over half a million repositories, and surfaced security alerts to each project's admins in its dependency graph and on the repository home page.
- GitHub rescans public repositories every time it receives notice of a newly announced vulnerability in one of the dependencies it tracks, and then privately notifies the affected developers.
- The code-hosting site says by December 1 project owners had cleaned up 450,000 of the four million vulnerabilities found by its scan.
- That figure still leaves over three million unfixed vulnerabilities, but GitHub says that the alerts are prompting developers to resolve issues, with around 30 percent of vulnerabilities being resolved within seven days of the security alert.
*Source: ZDNet, March 22, 2018
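The mechanism behind these alerts is simple to state but worth seeing end to end: read the versions a project pins, compare each against a database of known-vulnerable version ranges, and raise one alert per match naming the fixed version. The block below is an added example, not GitHub's code and not from the ZDNet article: it implements that matcher over a requirements.txt-style manifest using only the standard library. The advisory records, identifiers (EX-2018-000x) and package names are constructed for the example and are not real CVEs or real libraries.

```python
"""Minimal dependency-vulnerability matcher (added example, stdlib only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.2.10' -> (1, 2, 10); short versions are padded so (1, 2) == (1, 2, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def in_range(version: Version, spec: str) -> bool:
    """True when every comma-separated clause of spec (e.g. '>=1.0,<1.4.2') holds."""
    for clause in spec.split(","):
        m = re.match(r"(>=|<=|==|>|<)\s*([\w.]+)$", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](version, parse_version(bound)):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE/GHSA
    package: str
    vulnerable: str    # version range in the clause syntax accepted by in_range
    fixed_in: str
    summary: str


# CONSTRUCTED advisory database; packages and issues are invented for the example.
ADVISORIES: List[Advisory] = [
    Advisory("EX-2018-0001", "fast-yaml", ">=1.0.0,<1.4.2", "1.4.2",
             "unsafe loader allows arbitrary object construction"),
    Advisory("EX-2018-0002", "http-client", "<2.3.1", "2.3.1",
             "header injection via unsanitised CRLF"),
    Advisory("EX-2018-0003", "http-client", ">=3.0.0,<3.0.4", "3.0.4",
             "TLS hostname check skipped"),
]


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse exact 'name==version' pins (requirements.txt style), ignoring comments."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)$", line)
        if not m:
            raise ValueError(f"only exact pins are supported: {line!r}")
        name, version = m.groups()
        pins[name.lower()] = version
    return pins


def scan(manifest: str, advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one alert per (pinned dependency, matching advisory), sorted by package."""
    pins = parse_manifest(manifest)
    alerts = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and in_range(parse_version(pinned), adv.vulnerable):
            alerts.append({"package": adv.package, "installed": pinned,
                           "advisory": adv.advisory_id, "fixed_in": adv.fixed_in,
                           "summary": adv.summary})
    return sorted(alerts, key=lambda a: (a["package"], a["advisory"]))


# CONSTRUCTED sample manifest: one vulnerable pin, one exactly at the fix, one unaffected.
SAMPLE_MANIFEST = """\
# constructed example project
fast-yaml==1.3.0        # inside the vulnerable range
http-client==2.3.1      # exactly the fixed version -> no alert
left-pad==1.0.0         # no advisory
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_MANIFEST):
        print(f"{a['advisory']}: {a['package']} {a['installed']} is vulnerable "
              f"({a['summary']}); upgrade to {a['fixed_in']}")
```

Two details matter in practice and are handled here: the boundary case where a pin sits exactly on the fixed version must not alert, and a package can carry several advisories with disjoint ranges, so every advisory is checked rather than the first match. A real scanner also has to resolve transitive dependencies and non-exact version specifiers, which this example deliberately rejects rather than guessing.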