Cyber Security Today, Week in Review for Friday, January 20, 2023


Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 20th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsDay.com in the U.S.


In a few minutes David Shipley of New Brunswick’s Beauceron Security and I will discuss some recent cybersecurity news. But first a review of headlines from the past seven days:

CircleCI, a continuous integration platform used by application developers, published an explanation of how it was compromised in December. David and I will look at that. We’ll also look at recent comments made by an American government security leader who wondered why organizations still put up with buggy software. And with Data Privacy Week starting on Monday we’ll have thoughts on how businesses treat the personal information they collect.

Companies are still not doing enough to protect themselves from phishing attacks. The latest example is the compromise of email marketing service provider Mailchimp. This week it said the accounts of 133 customers were hacked. Mailchimp employees also fell for a phishing scam last August.

The cyberwar between Russia and Ukraine continues. Ukraine says its Computer Emergency Response team foiled an attack on the country’s national news agency. While some of the agency’s infrastructure was hit by a data wiper, news operations are still running.

Separately, BlackBerry issued a report on a Russian-state-sponsored cyber espionage group called Gamaredon that has been attacking targets in Ukraine since 2013. The gang’s latest tactic is using network infrastructure from Crimea, which Russia occupied in 2014.

The majority owner of the Bitzlato cryptocurrency exchange was arrested in Miami and charged with allegedly processing illicit funds. It is alleged the company marketed itself to crooks as a no-questions-asked cryptocurrency exchange. At the same time as the arrest, French authorities dismantled Bitzlato’s digital infrastructure.

Thousands of users of Norton Password Manager began receiving notices that their accounts were hacked. They were compromised following a brute force attack using credentials likely bought on the dark web.

PayPal has started sending data breach notifications to over 34,000 users. This comes after the discovery of an incident in December when a number of subscriber accounts were compromised. The attacker would have been able to copy users’ names, addresses, dates of birth, Social Security numbers, and government tax identification numbers.

Nissan North America is notifying some 18,000 buyers of its vehicles that some of their personal data is at risk. This is because a customer list Nissan gave to an outside software developer for testing was stolen.

A new piece of Android malware aimed at stealing the bank account passwords of people from their smartphones has been discovered. Researchers at ThreatFabric say the malware, called Hook, is a variant of the Ermac family of banking malware. It can capture banking information from financial institutions in the U.S., Canada and many other countries. Hook is being sold to hackers for incorporation in their schemes.

And GitLab told users of its Community and Enterprise editions to upgrade to the latest versions after the discovery of vulnerabilities. Separately, application developers using GitHub’s Codespaces feature were urged to lock down their projects after the discovery of a serious vulnerability.

(The following is a partial transcript of our discussion. To hear the full talk, with discussion on the CircleCI and Mailchimp hacks as well as on why we tolerate buggy software, play the podcast.)

Howard: Next week is Data Privacy Week. What should data protection, IT and cybersecurity leaders be thinking about this?

David Shipley: One of the things that I’ve preached for years is the easiest way to reduce your risk is to get rid of the data you don’t need to protect. Data retention is a really, really important part of this equation. So many different breaches I have seen have included data that was no longer valid, useful, or beneficial still being kept and available on databases. And when those databases get hit through some kind of security vulnerability, some kind of a lapse in a security control, the entire data set spills out — and then you’ve got to reach out to all of those affected users. Here’s an example: There was a recent story here in Atlantic Canada about a package delivery company that had an open Amazon S3 bucket of data where you could actually easily guess the tracking URL that had been sent. It would link you back to an image taken [by the delivery service] of the home to confirm you actually had delivery. In some cases the label might show the person’s name, address, etc. After a package has been delivered and after a certain period of time, they [the service] shouldn’t have that data still retained. The scope of that breach could have been reduced massively. We talk a lot about privacy in terms of the use of encryption and other things. But the first thing to do [by every organization] is to look hard at data retention and tackle the myth that all data could have future value so let’s keep it.

Howard: That package delivery service security problem is one we’ve seen before where the customer has a tracking number and when you go to the website to track the progress of the package that number is also reflected in the URL. All you have to do is change one digit and you can start seeing other people’s tracking information. I’ve heard of this before where there’s a string of digits in the URL that reflect the customer data and all I have to do is change one digit and boom, you have a privacy breach.

David: Security is never going to be 100 per cent, but privacy and security are two sides of the same coin. So have a good understanding of why are you collecting data. What are you using it for? Did you have the proper consent for it? And are you only keeping it for as long as it’s useful?

The other part of this privacy story is the increasingly large number of datasets that are being lost out there that are being combined in unique and problematic ways … AI (artificial intelligence) is going to have a field day developing the next generation of phishing attacks [with that stolen data].

Howard: Another example this week of a data privacy breach was car maker Nissan North America acknowledging there was a loss of customer data that had been sent to an outside software developer that was developing an application for Nissan. To test the application it needed data. So Nissan shipped a chunk of customer data to this external third-party software developer. Somebody there made a mistake; they uploaded it to a cloud storage site. But there was enough time that someone was able to steal that data. There’s a third-party hack. I think there are two issues here: One, should you be sending real data to an external company, and the second is how do you make sure that any data that you have to send to a company is properly protected?

David: There was absolutely no reason, other than just rushing, that a company can’t take real data, write a script and replace all the PII [personally identifiable information]. You can keep all the fields and all the information and depersonalize or anonymize it. You can easily create fake structured data to test applications. Take the hour to have someone on your team write the script and then you send the fake data [outside the company] … If there’s one message it’s, ‘Script it, fake it, that way you can test it.’ So even if they do screw up and put it in an Amazon S3 bucket it doesn’t hurt you.

The post Cyber Security Today, Week in Review for Friday, January 20, 2023 first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
