Data Breach Exposes Social Security Numbers, Birth Dates of Hundreds of Texas Students*:
- Personal information from students in 39 Texas school districts was likely exposed in a data breach involving a Texas Department of Agriculture employee's laptop.
- The state-issued laptop was attacked by ransomware, and the breach is said to have exposed Social Security numbers, home addresses, birth dates and personal phone numbers of students and their families.
- The department, which oversees the federal nutrition program that provides school breakfasts and lunches, has identified more than 700 students whose personal information was likely leaked as a result of the attack.
- The director of the TDA said all affected districts were notified, though some email notifications have gone into spam or trash folders.
- The TDA said releasing the security notification is “entirely precautionary,” and that there is no evidence that leaked information has been misused.
- The department recommends that affected students and their families contact three major credit bureaus, Equifax, TransUnion and Experian, and activate fraud alerts or security freezes to combat potential fraud.
*Source: Dallas News, December 08, 2017
Most Mainframe Users Lag in GDPR Readiness*:
- Only one in four IBM mainframe customers questioned in a UK survey are confident that their system security complies with the GDPR.
- Within the 75% that aren’t confident about it, 31% think they’re not compliant, while 40% aren’t sure. (Around 4% are unsure what the GDPR is in the first place.)
- That’s according to a poll of 55 mainframe users conducted by Macro 4 in November 2017.
- While IBM Z systems have long been respected for their security, most of the users surveyed recognize that mainframe security needs more attention, and only around 7% feel there is no need for improvement.
- Growing web and mobile access to the mainframe, combined with hackers getting smarter – and tougher rules and sanctions around data breaches – makes mainframe security a priority.
- Almost all respondents agreed that data encryption is an important way of securing the mainframe.
- IBM now supports multi-factor authentication as a more secure alternative to traditional password-only access.
- About 58% of the sample recognizes the importance of data minimization, which involves strictly limiting the personal data that is collected and stored to the minimum necessary to accomplish a specific purpose.
*Source: Info Security, December 01, 2017
Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online*:
- Online users’ habit of reusing the same password across multiple services gives hackers opportunity to use the credentials gathered from a data breach to break into their other online accounts.
- A new collective database was discovered on the dark web that contains a whopping 1.4 billion usernames and passwords in clear text.
- The aggregate database has been said to be the largest ever aggregation of various leaks found in the dark web to date.
- The archive had been last updated at the end of November and didn’t come from a new breach, but from a collection of 252 previous data breaches and credential lists.
- The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, RedBox, Minecraft, and several others.
- The database has been neatly organized and indexed alphabetically, too, so that would-be hackers with basic knowledge can quickly search for passwords.
- Although some of the breach incidents are quite old, the success ratio is still high for criminals due to users' lousy habit of re-using their passwords across different platforms and choosing simple, easy-to-guess passwords.
- To protect yourself, you are strongly advised to stop reusing passwords across multiple sites and always keep strong and complex passwords for your various online accounts.
*Source: The Hacker News, December 11, 2017
NatWest Bank Spat Prompts Web Security Changes*:
- NatWest bank has enhanced the security of its website following a spat with security experts who spotted a vulnerability.
- Several researchers had asked why some banks used encrypted HTTPS connections for online banking, but not on their main customer-facing websites.
- Attackers could redirect visitors trying to access NatWest's online banking service from the official address nwolb.com to something visually similar, such as nuuolb.com.
- A spokesman for the parent company told the BBC, “While we do not currently enforce HTTPS on some of our websites, we are working towards upgrading this in the next 48 hours.”
- Security researchers found several other major banks did not use HTTPS on their homepages.
- Online banking websites use HTTPS connections to help keep customer data private.
- When a website uses HTTPS, any information sent between your device and the website is encrypted, so it cannot be read if it is intercepted.
- NatWest originally tweeted that it did not use HTTPS on its homepage because it only contained "general information".
- The researchers suggested that without HTTPS an attacker could theoretically modify elements of a bank’s website and send victims to a fake online banking site and steal their information.
*Source: BBC, December 14, 2017
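The point the researchers made above is that a homepage served over plain HTTP gives an attacker a foothold even if the login pages themselves use HTTPS. The following is an added example (not code from the article or from any bank) of the check a defender would run against a site's own homepage: the http:// response must permanently redirect to https:// on the same host, and the https:// response must carry an HSTS header, since browsers ignore HSTS received over plain HTTP. The responses, the host name and the one-year max-age threshold are all constructed assumptions.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; assumed policy threshold for this check, not from the article

# Constructed responses (not captured from any real bank) to "GET /" over http:// and https://.
HTTP_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>general information</html>"
HTTP_GOOD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.bank.example/\r\n\r\n"
HTTPS_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
HTTPS_GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>login</html>")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])  # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_enforcement(http_raw, https_raw, host):
    """Return a list of weaknesses found; an empty list means HTTPS is enforced for the homepage."""
    findings = []
    status, headers = parse_response(http_raw)
    target = "https://" + host.lower() + "/"
    loc = headers.get("location", "").lower()
    if status not in (301, 308):
        findings.append("http:// homepage is served in clear rather than permanently redirected")
    elif loc != target.rstrip("/") and not loc.startswith(target):
        findings.append("http:// redirect does not land on " + target)
    # Browsers only honour Strict-Transport-Security received over HTTPS, so inspect that response.
    _, https_headers = parse_response(https_raw)
    hsts = https_headers.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
    if not m:
        findings.append("no Strict-Transport-Security header on the https:// response")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS max-age below the assumed one-year threshold")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains (e.g. the online-banking host)")
    return findings
```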
Password Stealing Apps With Over a Million Downloads Found on Google Play Store*:
- Even after so many efforts by Google – like launching a bug bounty program and preventing apps from using Android accessibility services – malicious applications somehow manage to get into the Play Store and infect people with malicious software.
- Security researchers discovered at least 85 applications in Google Play Store that were designed to steal credentials from users of Russian-based social network VK.com and were downloaded millions of times.
- Since these apps looked like they came from VK.com (for listening to music or monitoring user page visits), requiring a user to log in to their account did not look suspicious at all.
- The stolen credentials were then encrypted and uploaded to a remote server controlled by the attackers.
- The malicious apps were targeting Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Romanian, Belarusian, Kyrgyz, Tajik, and Uzbek users.
- Researchers also noted that they found several other apps on Google Play Store that were submitted by the same cybercriminals and published as unofficial clients for the popular messaging app Telegram.
- All of the apps have since been removed by Google from the Play Store.
- Those who have already installed one of the apps on their device should make sure their devices have Google Play Protect enabled.
- Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove malicious apps from users' Android smartphones to prevent further harm.
- Moreover, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block such malicious apps before they can infect your device.
*Source: The Hacker News, December 12, 2017
Masking Personal Data to Protect Privacy Crucial for India*:
- Using the concept of de-identification to protect an individual’s right to privacy, and creating laws that constantly re-evaluate the difference between harmful and good use of data, is crucial for India.
- That could mean developing a token system that lets the Unique Identification Authority of India (UIDAI) hold a master-list of data through Aadhaar, while generating token numbers for all other Know Your Customer (KYC) requirements.
- De-identification could include anything from deleting or masking personal identifiers, like names, to generalizing or suppressing others, like an individual’s pin code.
- Finding a way to protect privacy is critical for India, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail of various social and welfare benefits.
- One of the grounds for challenge is that the use of biometric information of an individual encroaches upon the individual’s privacy.
- Under one proposed method, an individual can use a smart card and a personal identification number (PIN), rather than biometrics, at a UIDAI-controlled booth and generate a token number.
- Another method could be shifting the emphasis to revoking consent rather than granting consent to collect and store data.
- This could be done using the same method that currently exists to filter unwanted calls and messages on phones via the do-not-disturb registry.
- The data protection law must balance the interests of all three stakeholders – the common citizens, data collectors and the state – and not focus on just one or two.
- There should also be methods in place to penalize companies or agencies in case of data breaches or misuses.
*Source: Live Mint, December 11, 2017
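To make the de-identification and token ideas in the item above concrete, here is an added example (not code from the article, UIDAI or any KYC system) in which one vault holds the master list mapping tokens to the original identifier, while everything passed downstream carries only a token, a generalized pin code and a masked phone number, with the name deleted. The records, field names and masking rules are constructed assumptions for illustration.

```python
import secrets

# Constructed sample records; the values below are made up, not real identities.
SAMPLE_RECORDS = [
    {"name": "Asha Verma", "id_number": "1234 5678 9012", "pin_code": "560034", "phone": "9876543210"},
    {"name": "Rohan Das", "id_number": "2345 6789 0123", "pin_code": "110001", "phone": "9123456780"},
]


class TokenVault:
    """Single holder of the master list (token <-> original identifier).

    Only this component ever sees the raw identifier; downstream consumers
    (the KYC checks in the article) receive tokens that cannot be reversed
    without access to the vault, so the vault itself needs the strictest access control."""

    def __init__(self):
        self._tokens_by_id = {}
        self._ids_by_token = {}

    def tokenize(self, id_number):
        # Same identifier -> same token, so records can still be joined without the raw ID.
        if id_number in self._tokens_by_id:
            return self._tokens_by_id[id_number]
        token = "TKN-" + secrets.token_hex(8)  # random, so the token reveals nothing about the ID
        self._tokens_by_id[id_number] = token
        self._ids_by_token[token] = id_number
        return token

    def detokenize(self, token):
        """Only the vault (e.g. the authority itself) is allowed to resolve a token."""
        return self._ids_by_token[token]


def generalize_pin(pin_code, keep=3):
    # Suppress the low-order digits: keeps the region, drops the exact locality.
    return pin_code[:keep] + "X" * (len(pin_code) - keep)


def mask_phone(phone, keep_last=4):
    return "X" * (len(phone) - keep_last) + phone[-keep_last:]


def deidentify(record, vault):
    """Return the downstream view of a record: name deleted, ID replaced by a token, others generalized."""
    return {
        "token": vault.tokenize(record["id_number"]),
        "pin_code": generalize_pin(record["pin_code"]),
        "phone": mask_phone(record["phone"]),
    }
```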
NIST Releases Updated Draft of Cybersecurity Framework*:
- The National Institute of Standards and Technology (NIST) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity.
- The second draft was explicitly designed to maintain compatibility with Version 1.0 so that current users of the Cybersecurity Framework are able to implement the Version 1.1 “with minimal or no disruption.”
- Notable changes between the versions include:
  - Increased emphasis that the Cybersecurity Framework is intended for broad application across all industry sectors and types of organizations.
  - An explicit acknowledgement of a broader range of cybersecurity threats.
  - Augmented focus on cybersecurity management of the supply chain.
  - Increased emphasis on cybersecurity measures and metrics.
- NIST is soliciting public comments on the draft Cybersecurity Framework and Roadmap no later than January 19, 2018, and NIST intends to publish a final Cybersecurity Framework Version 1.1 in early calendar year 2018.
*Source: National Law Forum, December 08, 2017