Hacker Puts Info of Over 6,000 Indian Businesses Up For Sale in Massive Data Breach*:
- In what could be the biggest breach affecting Indian organisations, Seqrite Cyber Intelligence Labs, together with its partner seQtree InfoServices, tracked a DarkNet advertisement offering access to the servers and a database dump of over 6,000 Indian businesses.
- Seqrite identified the affected organisation as India's National Internet Registry, IRINN, which operates under the National Internet Exchange of India.
- As a precautionary measure, Seqrite has reached out to Government authorities with a strong recommendation to alert all potentially affected organisations and urge them to change passwords and get their servers and systems patched with the latest updates.
- The hacker has priced the information at 15 Bitcoins (about 65,000 USD) and is offering network takedown of affected organizations for an unspecified amount.
- The seller claims to be able to tamper with the IP allocation pool, which could cause a serious outage or a Denial of Service (DoS)-like condition.
- If the hacker finds a buyer, an attack on the system could disrupt IP address allocation and affect Internet services across India.
- Seqrite said that on noticing the advertisement, its team realised that the seller's persona had been created only recently, a pattern also seen in other recent data breaches.
- They then contacted the actor, posing as an interested buyer, and eventually obtained a sample of the email list.
- The sample of about 6,000 email addresses led them to conclude that the compromised database was IRINN's.
*Source: The Economic Times, October 03, 2017
Social Security Number Has 'Outlived Its Usefulness'*:
- The Equifax breach of 145.5 million Americans’ personally identifiable information has brought cybersecurity to the national forefront and as experts grapple with protecting consumer privacy, the social security number could be on the chopping block.
- White House cybersecurity coordinator Rob Joyce said, “I feel very strongly that the Social Security number’s outlived its usefulness…every time we use the Social Security number [we] put it at risk.”
- A Social Security number is a personal identifier that links an individual to all sorts of information online, and it is a static secret that must be disclosed to every party that wants to verify it.
- These numbers were just one of many pieces of personal data compromised when unauthorized third parties accessed Equifax (EFX) systems earlier this year.
- Joyce recently proposed a system based on public-key cryptography, in which each person holds a pair of keys: one shared publicly and the other kept secret by its owner.
- The two keys are mathematically related, so data encrypted with the public key can only be turned back into its original form using the private key; unlike an SSN, the public half can be handed out freely, because knowing it does not let anyone impersonate the owner.
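The key-pair mechanism described above, as an added example that is not part of the original article and not Joyce's proposal in any concrete form: a Go program (standard library only, no third-party packages) that generates an RSA key pair, encrypts a message to the public key so that only the private key can recover it, and has the owner prove control of the private key by signing a verifier-chosen challenge. The `Identity` type, the message and challenge strings, and the `Prove`/`Verify` names are illustrative choices made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity holds one person's key pair (name chosen for this example).
// Only the public half is ever shared; the private half stays with its
// owner, unlike an SSN, which is handed to every bank and employer.
type Identity struct {
	PrivateKey *rsa.PrivateKey
}

// NewIdentity generates a fresh 2048-bit RSA key pair.
func NewIdentity() (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{PrivateKey: priv}, nil
}

// PublicKey returns the shareable half of the key pair.
func (id *Identity) PublicKey() *rsa.PublicKey { return &id.PrivateKey.PublicKey }

// EncryptFor encrypts msg with RSA-OAEP so that only the holder of the
// matching private key can read it.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers a message that was encrypted to this identity's public key.
// Decryption with any other private key fails the OAEP padding check.
func (id *Identity) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.PrivateKey, ct, nil)
}

// Prove signs a verifier-chosen challenge with the private key. The owner
// demonstrates control of the key without revealing it, and because the
// challenge is fresh each time the proof cannot be replayed.
func (id *Identity) Prove(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, id.PrivateKey, crypto.SHA256, h[:], nil)
}

// Verify checks a proof against the claimed public key.
func Verify(pub *rsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	mallory, _ := NewIdentity() // someone who knows Alice's public key

	// Constructed sample message: encrypted to Alice, readable only by Alice.
	ct, _ := EncryptFor(alice.PublicKey(), []byte("credit application"))
	pt, _ := alice.Decrypt(ct)
	_, wrongKeyErr := mallory.Decrypt(ct)
	fmt.Printf("alice decrypts: %q; mallory decrypts: error=%v\n", pt, wrongKeyErr != nil)

	// Constructed challenge: proof of identity without disclosing a secret.
	challenge := []byte("nonce-1234")
	sig, _ := alice.Prove(challenge)
	fmt.Println("proof verifies under alice's key:", Verify(alice.PublicKey(), challenge, sig))
	fmt.Println("proof verifies under mallory's key:", Verify(mallory.PublicKey(), challenge, sig))
	fmt.Println("proof replayed for a new challenge:", Verify(alice.PublicKey(), []byte("nonce-9999"), sig))
}
```

The contrast with an SSN is in the last three lines: the verifier learns nothing it could reuse to impersonate Alice, and a proof captured in transit is useless against a different challenge. A real deployment would also need key distribution, revocation and recovery from a lost private key, none of which the article addresses.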
*Source: Fox Business, October 03, 2017
Equifax Ex-CEO: Hacked Data Wasn't Encrypted*:
- Customer data compromised during the massive breach of Equifax's systems was not encrypted, according to the company's ex-CEO Richard Smith.
- During a three-hour hearing before the House Energy and Commerce Committee, Smith blamed the hack on a combination of failed technology and human error.
- The Department of Homeland Security warned the company on March 8 that it needed to patch a particular vulnerability in software used by Equifax and many other businesses.
- Equifax circulated that warning the following day and asked the responsible staff to install the update, but despite a company policy requiring patches within 48 hours, Smith said the update was not applied.
- The intrusion began as early as May 13, but it was not until July 28 that the company's security team noticed what Smith called "suspicious activity" in a part of the website used for customer complaints, separate from the financial data used for credit reports and credit scores.
- Smith said the stolen data was "not encrypted," although the company did use a mix of protections elsewhere, including encryption, tokenization and masking.
- That is common among large companies, most of which do not encrypt their databases at rest.
- Even if the data had been encrypted at rest, the application the attackers exploited would still have had access to it in usable form, so encryption alone would not have stopped the breach.
- The compromised information included names, addresses, phone numbers and Social Security numbers, plenty of fodder for a criminal to impersonate someone.
- The broader problem lies in Smith's description of different techniques in different environments: companies do some things and not others because there is no common standard.
*Source: CBS News, October 03, 2017
Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy*:
- The NSA suffered a serious breach in 2015, exposing the agency’s cyber-warfare strategy, including its own defenses and methods of attacking foreign networks.
- Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky Labs is suggested to have been the vector.
- The data in question is reported to have been taken home by an NSA contractor, who was then compromised, by a route not yet reported, through their use of Kaspersky's antivirus software.
- Kaspersky Labs has come under fire this year as fears of Russian interference in U.S. affairs were stoked by innumerable cybersecurity incidents and alleged links to the present administration.
- Kaspersky denies “inappropriate ties with any government” and maintains that the allegations are unfounded.
*Source: Tech Crunch, October 05, 2017
Rising Hacker Threat Will Trigger Boom in Cyber-Crime Insurance*:
- Insurer Tryg expects 90 percent of its corporate customers to buy cyber-crime insurance within five years as the threat from hackers and viruses to crucial data and IT systems grows.
- Tryg, Denmark’s biggest insurer, has sold 5,000 cyber-crime insurance policies since the turn of the year when it launched a new product providing assistance in restoring data and getting systems up and running if a firm is hit by a cyber attack.
- The initial rise in demand for cyber insurance was prompted by the "WannaCry" ransomware outbreak, which infected more than 300,000 computers worldwide.
- Tryg estimates that around 50 percent of its corporate clients will buy cyber insurance by 2020, possibly rising to 90 percent a few years later.
- While the firm has good insight into how often, on average, a house burns down or a bicycle is stolen, the frequency and extent of cyber crime is hard to predict.
- Tryg will also offer extensions to the basic policy covering consequential losses, data backup and a so-called DNS box, a DNS-filtering device that blocks access to web pages known to host viruses and malware.
*Source: Reuters, October 04, 2017
Irish Court Agrees That Facebook’s EU/US Data Sharing Might Be Illegal*:
- The Irish High Court released its judgement in a case against Facebook – the court agreed with the Irish Data Protection Commissioner’s concerns and found that channels that Facebook and other companies use for data transfer from the EU to the US might be illegal.
- The transfers might be illegal because the data privacy of EU citizens is threatened by mass digital surveillance by the US government.
- This includes the mass surveillance programs PRISM and Upstream that Edward Snowden famously uncovered.
- Facebook is split into two companies: Facebook Inc., the parent company, and Facebook Ireland Ltd., which operates the company's international business outside the US and Canada.
- Facebook Ireland Ltd. sends all its user data to its parent company in the US, which is why the case is being tried in Ireland.
- Transferring the data to the parent company means that personal data of EU citizens is stored where the US government could apply its questionable mass surveillance, possibly infringing EU citizens' right to privacy.
- EU law restricts transfers of personal data to countries outside the EEA that have not been deemed to offer adequate protection, but many companies rely on a mechanism called Standard Contractual Clauses (SCC) to make such transfers.
- The Irish High Court has decided to refer questions about the validity of SCC to the Court of Justice of the European Union (CJEU), Europe's highest court, to determine definitively whether the mechanism infringes EU citizens' privacy.
- The CJEU's ruling on SCC could have a massive impact on data transfers from Europe.
- No actual disruption (depending on the verdict) will occur until the CJEU rules on the validity of SCC, which can take up to a year and a half.
- Whatever the CJEU decides on SCC, the ruling will have major implications both inside and outside Europe.
*Source: The Next Web, October 03, 2017
Privacy Tech Vendor Report, V1.4, Expands as Quickly as the Marketplace*:
- The International Association of Privacy Professionals (IAPP) is releasing the newest update to its 2017 Privacy Tech Vendor Report, v1.4, a resource designed to help assess the many privacy technology vendors, new and old, big and small, emerging in the marketplace.
- Since the first release of the report back in January, the number of vendors in the report has nearly doubled: from 51 to 99.
- The EU General Data Protection Regulation has been a huge driver in the space, as companies ramp up and begin to operationalize their compliance strategies.
- Whether organizations need to discover what data they have, locate where it's stored, map data flows, manage customer consent, anonymize collected data, or protect internal communications, there are many solutions out there to help accomplish this.
- Many vendors are working hard to create and improve upon their technology to help the privacy office and the enterprise as a whole.
- Venture capitalists and investors are seeing value in privacy and compliance technology; serious funding is pouring into the marketplace right now.
- Last month a group of vendors announced the formation of the Alliance of Global Privacy Solution Providers, which includes a suite of privacy tech vendors that aim to help educate privacy professionals on making informed decisions in the market.
- Whether you’re ramping up for GDPR, trying to make your privacy office more efficient, or trying to bolster your compliance initiatives, there are vendors out there that can help.
*Source: IAPP, October 05, 2017