Four members of China’s military were charged with hacking into credit reporting agency Equifax, and stealing trade secrets and the personal data of about 145 million Americans in 2017.
Read more about this topic at: https://www.nytimes.com/2020/02/10/us/politics/equifax-hack-china.html
The passwords of millions of Facebook users were accessible by up to 20,000 employees of the social network. Security researcher Brian Krebs broke the news about data protection failures, which saw up to 600 million passwords stored in plain text. Most of the people affected were users of Facebook Lite, which tends to be used in nations where net connections are sparse and slow.
Read more about this topic at: https://www.bbc.com/news/technology-47653656
AI enables computers to make intelligent decisions in order to perform diverse tasks, while learning by collecting, processing and linking huge amounts of data, a large part of which might be personal data. This principle, also called machine learning, simply means that the more data is available to be consumed, the better and more credible the AI becomes. On the other hand, the massive collection of data on which AI relies is problematic from a privacy perspective. That is why the EU has put these activities under a data protection microscope with the GDPR. Questions arise:
– How is data protected and processed?
– Is access to this information given to any other party?
– How should human intervention be organized?
– What about the rights of the data subject?
– How can consent be withdrawn?
– How can the requirements of the GDPR be implemented in AI?
Read more about this topic at: https://brusselstalking.blog/2019/03/07/ai-vs-gdpr-finding-the-balance-between-ethics-and-innovation/
Tech giant ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines. Half a million Windows machines received a malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems.
Hydro, with 35,000 employees and smelting plants, factories and offices in 40 countries, has been experiencing a ransomware attack since Monday and was forced to switch some systems to manual operation. The ransomware used might have been the relatively new and difficult-to-detect strain dubbed LockerGoga, which criminals use to quickly encrypt computer files before demanding payment to unlock them.
Read more about this topic at: https://www.wired.co.uk/article/norsk-hydro-cyber-attack
Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand’s website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages. “Cybercriminals might have injected malicious code by either exploiting a vulnerability of Magento CMS, used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking the password with brute-force methods.”
Publisher Elsevier has leaked the unencrypted passwords and e-mail addresses of users via an unsecured server. The data was accessible to everyone on the internet. How long the data was online and how many users were affected is still unclear.
Security researcher Mossab Hussein discovered Elsevier’s server. It contained unencrypted passwords of users and their e-mail addresses. Among those affected were reportedly students and teachers from universities and educational institutions, according to Hussein, based on the .edu e-mail addresses found.
The researcher shared his discovery with Vice Magazine, which informed Elsevier. The publisher has launched an investigation into the data breach. “It looks like a server was incorrectly set up because of a human error,” said a spokesperson.
The server is now secured. The publisher says it will inform the Dutch Data Protection Authority, as well as all affected users. It will also reset the passwords of all affected accounts.
Read more about this topic at: https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online
IMAP (Internet Message Access Protocol) is an email retrieval protocol that allows one account to be accessed from multiple devices. It is often used by desktop and mobile phone email clients to retrieve email from the email server.
Because IMAP authentication is legacy basic authentication, no additional layer of protection such as multi-factor authentication can be applied to it. IMAP support is “on” by default in Office 365 and G Suite, making them vulnerable to password-spraying attacks.
In a password-spraying attack, a single password is tried against a large number of usernames; each account sees only one failed attempt, so the activity looks like isolated failed logins rather than a brute-force attack on one account.
Read more about this topic at: https://www.helpnetsecurity.com/2019/03/20/imap-based-password-spraying/
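Because a spray produces one failure per account, per-user lockout rules never fire; the defensive pivot is to count distinct usernames failing from the same source address within a time window. The following detector is an added example written for this digest, not code from the cited article; it assumes a Dovecot-style IMAP log line format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot-style IMAP login-failure lines (assumed format); the samples below are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) imap-login: Disconnected "
    r"\(auth failed, \d+ attempts.*\): user=<(?P<user>[^>]*)>.*rip=(?P<rip>[\d.]+)"
)

SAMPLE_LOG = "\n".join(
    # Spray: one failure per account, seven accounts, one source, within seven minutes.
    [f"2019-03-20 09:0{i}:00 imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
     f"user=<{u}@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"])]
    # Benign noise: one user mistyping their password three times from their own address.
    + [f"2019-03-20 09:05:{s} imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
       f"user=<heidi@example.com>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5"
       for s in ("10", "20", "30")]
)

def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each parseable IMAP auth failure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"].lower(), m["rip"]

def per_user_failures(log_text):
    """What a per-account lockout rule sees: every sprayed account failed only once."""
    counts = defaultdict(int)
    for _, user, _ in parse_failures(log_text):
        counts[user] += 1
    return dict(counts)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Pivot on source IP: flag sources hitting >= min_users distinct accounts within a window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for start, (t0, _) in enumerate(events):
            users = {u for t, u in events[start:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

On the sample, `per_user_failures` reports each sprayed account once (heidi three times) while `detect_spray` flags only 203.0.113.7; thresholds and window are tunable per environment.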
ENISA launched a smartphone guidelines tool covering the following subjects:
– Ensure correct usage of biometric sensors and secure hardware;
– Secure data integration with third party code;
– Implement user authentication, authorization and session management correctly;
– Ensure sensitive data is protected in transit;
– Consent and privacy protection;
– Protect paid resources;
– Secure the backend services and the platform server and APIs;
– Identify and protect sensitive data on the mobile device;
– Protect the application from client side injections;
– Secure software distribution;
– Check device and application integrity;
– Handle runtime code interpretation correctly;
– Handle authentication and authorization factors securely on the device.
Read more about this topic at: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/smartphone-guidelines-tool
The security of IoT devices is becoming a growing concern. ETSI has therefore created a “security baseline” for these IoT devices. ETSI: “People entrust their personal data to a growing number of online devices and services. In addition, traditionally offline products and appliances are now connected and must be designed to withstand cyber threats.”
To meet the specification, IoT devices must adhere to 13 rules, including e.g.:
– Vulnerability management;
– Secure communication;
– Keep software up to date and guarantee software integrity;
– Prevent use of universal default passwords;
– Secure storage of sensitive personal data and credentials.
The standard is designed to suit a wide range of consumer-facing devices, such as:
– Children’s toys and baby monitors;
– Security systems;
– TVs and speakers;
– Wearable health trackers;
– Home automation systems.