Concerned citizens call the European Parliament on Article 13

In the past two weeks, more than 1200 citizens have called Members of the European Parliament to convince them to vote against the proposed new copyright rules. They did this via the campaign website Pledge2019.eu.

With less than two weeks to go until the final vote, only the European Parliament can still stop the upload filter. More than 100 Members of the European Parliament have pledged through Pledge2019 to vote against Article 13 of the proposed copyright directive.

Read more about this topic at: https://pledge2019.eu/en

Aluminium maker defends itself against ransomware with manual plan

Hydro, which has 35,000 employees and smelting plants, factories and offices in 40 countries, has been dealing with a ransomware attack since Monday and was forced to switch some systems to manual operation. The ransomware used might have been the relatively new and difficult-to-detect strain dubbed LockerGoga, which criminals use to quickly encrypt computer files before demanding payment to unlock them.

Read more about this topic at: https://www.wired.co.uk/article/norsk-hydro-cyber-attack

Dataleak: Fila UK formjacked with malicious code in payment process

Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand’s website for the past four months, and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages. “Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS, used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking the password with brute-force methods.”

According to a Symantec report, threat actors compromised more than 4,800 websites every month during 2018, using injected JavaScript code to steal payment information such as debit and credit card details from customers of e-commerce sites. The most high-profile formjacking attacks were against British Airways and Ticketmaster, but according to Symantec the cyber criminals who used this technique also earned a large share of their illicit income from smaller online retailers that accept payments from their customers via online portals.
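The formjacking technique described above relies on a script that the site owner never deployed running on the checkout page. A cheap defensive check is to inventory every script on that page and compare it against the origins you expect. The following Python is an added example written for this digest, not code from Group-IB, Symantec or the affected retailer; the allowed origins and the sample checkout HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script origins the checkout page is allowed to load from (constructed for this example).
ALLOWED_ORIGINS = {"shop.example", "static.shop.example"}

# Constructed checkout page: two legitimate scripts, one relative (same-origin) script,
# one script from an origin the shop never approved, and one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="payment"><input name="card_number"></form>
<script src="https://static.shop.example/checkout.js"></script>
<script src="/js/app.js"></script>
<script src="https://cdn.not-our-vendor.example/stats.js"></script>
<script>document.getElementById('payment').addEventListener('submit', function(){});</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # bodies of <script> tags without src=
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser hands us the raw script body while inside a <script> element.
        if self._in_script and data.strip():
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_checkout_scripts(html, allowed_origins=ALLOWED_ORIGINS):
    """Return a list of (kind, detail) findings for scripts that do not belong on the page.

    kind is "unexpected_origin" for an external script served from a host outside
    the allowlist, or "inline_script" for any inline script (a checkout page that
    enforces a strict Content-Security-Policy should have none).
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # Relative URLs have no hostname and are served by the shop itself.
        if host and host not in allowed_origins:
            findings.append(("unexpected_origin", host))
    for body in parser.inline:
        findings.append(("inline_script", body.strip()[:40]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run this against a periodically fetched copy of the live checkout page and alert on any new finding; a skimmer injected through a compromised CMS or admin account shows up as an origin or inline script that was not there at the last baseline. Pair it with a Content-Security-Policy on the page so that the browser itself refuses scripts from unlisted origins.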

Read more about this topic at: https://vmvirtualmachine.com/hackers-cop-a-fila-thousands-of-uk-card-deets-after-slinking-onto-clothing-brands-servers-%E2%80%A2-the-register/

Dataleak: Elsevier Left Users’ Passwords Exposed Online

Publisher Elsevier has leaked the unencrypted passwords and e-mail addresses of users via an unsecured server. The data was accessible to everyone on the internet. How long the data was online and how many users were affected is still unclear.

Security researcher Mossab Hussein discovered the exposed Elsevier server. It contained unencrypted passwords of users and their e-mail addresses. The affected users appear to include students and teachers from universities and educational institutions, according to Hussein, based on the .edu e-mail addresses found.

The researcher shared his discovery with Vice Magazine, which informed Elsevier. The publisher has launched an investigation into the data breach. “It looks like a server was incorrectly set up because of a human error,” said a spokesperson.

The server is now secured. The publisher says it will inform the Dutch Data Protection Authority, as well as all affected users. It will also reset the passwords of all affected accounts.

Read more about this topic at: https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

IMAP email accounts vulnerable to password-spraying attacks

IMAP (Internet Message Access Protocol) is a mail access protocol that allows an account to be accessed from multiple devices. It is commonly used by desktop and mobile phone email clients to retrieve email from the email server.

IMAP logins cannot be protected by multi-factor authentication, so MFA adds no additional layer of protection for them. IMAP support is on by default in Office 365 and G Suite, making these accounts vulnerable to password-spraying attacks.

In a password-spraying attack, the attacker takes a large number of usernames and tries a single password against each of them. Because every account sees only one failed attempt, the activity looks like isolated failed logins rather than an attack.
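Because spraying produces at most one failure per account, per-account lockout counters never trip; the signal is instead one source failing against many different accounts. The following Python is an added example for this digest, not code from the cited article or from any mail-server vendor; the log line format and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample IMAP login log lines (not real data). Source 203.0.113.7 tries one
# password against five accounts and gets into one; 198.51.100.9 is a single user who
# mistypes their own password twice and then logs in.
SAMPLE_LOG = """\
2019-03-20T08:01:12Z imap-login: auth failed user=alice src=203.0.113.7
2019-03-20T08:01:13Z imap-login: auth failed user=bob src=203.0.113.7
2019-03-20T08:01:15Z imap-login: auth failed user=carol src=203.0.113.7
2019-03-20T08:01:16Z imap-login: auth ok user=dave src=203.0.113.7
2019-03-20T08:01:18Z imap-login: auth failed user=erin src=203.0.113.7
2019-03-20T08:05:00Z imap-login: auth failed user=alice src=198.51.100.9
2019-03-20T08:05:30Z imap-login: auth failed user=alice src=198.51.100.9
2019-03-20T08:06:00Z imap-login: auth ok user=alice src=198.51.100.9
"""

# Pattern for the constructed log format above (adjust for a real server's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Turn log lines into dicts with ts, result, user and src; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_user_failures(events):
    """Count failed logins per (source, user); this is what a lockout policy sees."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "failed":
            counts[e["src"]][e["user"]] += 1
    return {src: dict(users) for src, users in counts.items()}


def detect_spraying(events, min_distinct_users=3):
    """Flag sources whose failed logins span at least min_distinct_users accounts.

    Returns {src: {"distinct_failed_users": n, "succeeded_users": [...]}} so that an
    analyst sees both the spray and any account the sprayed password actually opened.
    """
    failed_users = defaultdict(set)
    succeeded_users = defaultdict(set)
    for e in events:
        if e["result"] == "failed":
            failed_users[e["src"]].add(e["user"])
        else:
            succeeded_users[e["src"]].add(e["user"])
    alerts = {}
    for src, users in failed_users.items():
        if len(users) >= min_distinct_users:
            alerts[src] = {
                "distinct_failed_users": len(users),
                "succeeded_users": sorted(succeeded_users[src]),
            }
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("per-user failure counts:", per_user_failures(evts))
    print("spray alerts:", detect_spraying(evts))
```

In the sample, no account from 203.0.113.7 fails more than once, so a lockout threshold of three or five attempts per account never fires, while grouping by source shows four distinct accounts failing within seconds and one account succeeding. The practical mitigations the article points at follow from this: disable IMAP where it is not needed, and alert on many-accounts-per-source failures rather than relying on per-account counters alone.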

Read more about this topic at: https://www.helpnetsecurity.com/2019/03/20/imap-based-password-spraying/

Online safety education for 4-7 year olds

Children aged four to seven are now being targeted in a new online video campaign from the National Crime Agency (NCA). In 2018, 25% of their parents said they were worried about children giving out details to inappropriate people online, a rise from 18% the previous year. The series of videos, called Jessie & Friends, is intended to teach children how to keep themselves safe online, with a view to protecting them from sexual abuse and other threats.

Episode 1 – Watching Videos
Episode 2 – Sharing Pictures
Episode 3 – Playing Games

Do you think this will help create awareness and keep children safe online?

Read more about this topic at: https://www.bbc.com/news/technology-47553456

ENISA launches Smartphone Secure Development Guidelines

ENISA launched a smartphone guidelines tool covering the following subjects:

– Ensure correct usage of biometric sensors and secure hardware;
– Secure data integration with third-party code;
– Implement user authentication, authorization and session management correctly;
– Ensure sensitive data is protected in transit;
– Consent and privacy protection;
– Protect paid resources;
– Secure the backend services and the platform server and APIs;
– Identify and protect sensitive data on the mobile device;
– Protect the application from client side injections;
– Secure software distribution;
– Check device and application integrity;
– Handle runtime code interpretation correctly;
– Handle authentication and authorization factors securely on the device.

Read more about this topic at: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/smartphone-guidelines-tool

Is it possible to escape from face detection while shopping in Australia?

Digital billboards in shopping areas in Australia record customers’ reactions to advertisements tailored to them, which is not in accordance with the GDPR. Who is safeguarding the Australians’ privacy? Face detection makes it possible to distinguish, for example, age, gender and mood. The French manufacturer emphasizes that all data collected remains anonymous and that it is using facial detection, not facial recognition technology: it is not identifying who the person is, only the characteristics of that person.

The global facial recognition technology (FRT) market is worth approximately US$3bn (A$4.1bn) and is expected to grow to US$6bn by 2021. But there are major concerns about how to protect the privacy of those whose data is collected. In January a coalition of 85 civil rights groups wrote to Microsoft, Amazon and Google demanding that the companies commit not to sell face surveillance technology to governments. According to Microsoft, there are three main problems governments need to address: the risk of bias and discrimination, new intrusions into privacy, and the potential for mass surveillance to “encroach on democratic freedoms”.

Read more about this topic at: https://www.theguardian.com/technology/2019/feb/24/are-you-being-scanned-how-facial-recognition-technology-follows-you-even-as-you-shop

ETSI launches first security baseline for consumer IoT devices

The security of IoT devices is a growing concern. ETSI has therefore created a “security baseline” for these devices. ETSI: “People entrust their personal data to a growing number of online devices and services. In addition, traditionally offline products and appliances are now connected and must be designed to withstand cyber threats.”

To meet the specification, IoT devices must adhere to 13 rules, including, for example:

– Vulnerability management;
– Secure communication;
– Keep software up to date and guarantee software integrity;
– Prevent use of universal default passwords;
– Secure sensitive personal data and credential storage.

The standard is designed to suit a wide range of consumer-facing devices.

These include:
– Children’s toys and baby monitors;
– Security systems;
– TV and speakers;
– Wearable sanitary fittings;
– Home automation systems.

Read more about this topic at: https://www.etsi.org/newsroom/press-releases/1549-2019-02-etsi-releases-first-globally-applicable-standard-for-consumer-iot-security

Data breaches in 2018: An overview

Risk Based Security came out with their annual data breach report. Some highlights:

– Compared to 2017, the number of reported breaches was down 3.2% and the number of exposed records was down approximately 35.9% from 7.9 billion.
– The Business sector accounted for 65.8% of the records exposed followed by Unclassified at 31.8% and Government at 2.2%. The Medical and Education sectors combined accounted for 9.9 million records exposed, or less than 0.02% of the total records exposed in the year.
– Web regained the top spot for the breach type exposing the most records, accounting for 3% of compromised records, while Hacking remained the top breach type by number of incidents, accounting for 57.1% of reported breaches.
– 5% of breached organizations were unwilling or unable to disclose the number of records exposed.
– 6,515 breaches were reported through December 31, 2018, exposing approximately 5 billion records.
– The average number of days between discovery and disclosure went up from 48.6 days in 2017 to 49.6 days in 2018.

Read more about this topic at: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breaches-what-do-the-numbers-mean.html