Cyber Security, Data Privacy Critical for Growth of Digital India*:
- One of the major challenges that India is currently facing is related to data security and addressing the privacy issues.
- The need of the hour is to ensure growth of the digital economy while keeping personal data of citizens secure and protected.
- Data is being considered as the new oil and in the current economic climate all organisations are looking to exploit the information it holds as much as possible.
- With data breaches multiplying in frequency and scale, the importance of addressing cyber-security at the highest levels of corporate leadership cannot be understated.
- As the data breaches increase in scale and frequency, business today must prepare to ensure an effective, swift and well-orchestrated response.
- India’s cyber security market size is about $4 billion, and is expected to grow to $35 billion by 2025.
- GDPR has given more power to the consumers, and it has also brought an open kind of environment for the lawmakers to investigate.
- There is a need to relook into the cyber security strategy.
- Another challenge on the security front is phishing.
- Phishing attacks are becoming very common and as a nation we will have to do something in a very comprehensive way to tackle this issue such as public awareness campaigns.
- The only remedies that the consumer today have are under the Information Technology Act, but there is a need for a stronger law as the IT Act on its own is not sufficient.
- Cybercrimes are the new normal and all users should do their own due diligence.
*Source: DNA India, June 23, 2018
Ukraine Says Russian Hackers Preparing Massive Malware Strike*:
- Hackers from Russia are infecting Ukrainian companies with malicious software to create "back doors" for a large, coordinated attack according to Ukraine’s cyber police chief.
- The hackers are targeting companies, including banks and energy infrastructure firms, in a roll out that suggests they are preparing to activate the malware in one massive strike.
- Law enforcement and corporate security teams around the world pay close attention to cyber threats in Ukraine, where some of the most destructive hacks in history have originated.
- Malware dubbed "NotPetya" hit Ukraine in June 2017, taking down government agencies and businesses before spreading to corporate networks around the globe, causing companies billions of dollars in losses.
- It is difficult to contain the impact of a cyberattack within one nation, so it is possible this new threat could spread around the globe.
- Since the start of the year, Ukraine police have identified viruses in phishing emails sent from legitimate domains of state institutions whose systems were hacked and fake webpages mimicking that of a real state body.
- Hackers have sought to evade detection by breaking malware into separate files, which are put onto targeted networks before they activate them.
- Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day.
- One expert believes this is support on a government level - very expensive and much synchronized. Without the help of government bodies, it would not be possible.
- Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies including the United States, Britain and NATO.
- There are some Ukrainian companies that have not cleaned their computers after NotPetya struck, which means they are still infected by that virus and vulnerable to being used for another attack.
*Source: Computer World, June 27, 2018
Hackers Weaponised Secure USB Drives to Target Air-Gagged Networks*:
- A cyber-espionage group is targeting a specific type of secure USB drive created by a South Korean defence company in a bid to gain access to its air-gapped networks.
- This attack was carried out by a group called Tick which carries out cyber-espionage activities targeting organisations in Japan and Korea.
- Researchers said that weaponisation of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, these networks are normally not connected to the internet.
- The malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003.
- This is despite the fact that the malware appears to have been created when newer versions of Windows software were available.
- The USB stick installs a program called "SymonLoader" as a trojanised version of a Japanese language GO game.
- It then extracts a hidden executable file from a specific type of secure USB drive and executes it on the compromised system.
- While the identity of the file SymonLoader writes to the USB is unknown, they added that they know enough about it to know it is malicious.
- In contrast to HomamLoader, which requires an Internet connection to reach its C2 server to download additional payloads, SymonLoader attempts to extract and install an unknown hidden payload from a specific type of secure USB drive when it's plugged into a compromised system. This technique is uncommon and hardly reported among other attacks in the wild.
- Employees that work in sensitive organisations that have air-gapped networks should be particularly vigilant against plugging in devices.
- In some cases, even approved USB drives should be tested in a separate environment prior to being loaded in secure areas.
- Prevention aside, critical systems should have threat detection controls that can alert where an infected drive has been plugged into an endpoint and take remedial steps beyond raising an alarm, such as isolating an infected machine from the rest of the network.
- Integrating regular and up to date security training to educate employees will ensure they are aware of the most recent tactics used to target systems and what can be done to prevent these.
- In addition, implementing solutions to ensure that employees only have access to areas of the network and devices that their role requires can mitigate these types of attacks.
*Source: SC Magazine UK, June 27, 2018
Marketing Firm Exactis Leaked a Personal Info Database with 340 Million Records*:
- Marketing and data firm Exactis exposed a database that contained close to 340 million individual records on a publicly accessible server.
- The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.
- The precise number of individuals included in the data isn’t clear – and the leak doesn’t seem to contain credit card information or Social Security numbers – but it goes into minute detail for each individual listed.
- It seems like this is a database with pretty much every US citizen in it.
- It is not clear whether any criminal or malicious hackers have accessed the database, but it would have been easy enough for them to find.
- After being notified, Exactis protected the data so it is no longer accessible.
- Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.
- An independent researcher verified the data’s authenticity, though in some cases the information is outdated or inaccurate.
- While the lack of financial information or Social Security numbers means the database isn't a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering.
- Without confirmation from Exactis, the precise number of people affected by the data leak remains tough to count.
- If the Exactis leak does in fact include 230 million people's information, that would make it one of the largest in years, bigger even than 2017's Equifax breach of 145.5 million people's data, though smaller than the Yahoo hack that affected 3 billion accounts, revealed last October.
- The timing of the breach, just after the implementation of Europe's General Data Protection Regulation, highlights the persistent lack of regulation around privacy and data collection in the US.
- A GDPR-like law in the US, might not have prevented Exactis from collecting the data it later leaked, but it might have required the company to at least disclose to individuals what sort of data it collects about them and allow them to limit how that data is stored or used.
*Source: The Wired, June 28, 2018
California Passes Sweeping Law to Protect Online Privacy*:
- California has passed a digital privacy law granting consumers more control over and insight into the spread of their personal information online, creating one of the most significant regulations overseeing the data-collection practices of technology companies in the United States.
- The new law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it.
- It gives consumers the right to tell companies to delete their information as well as to not sell or share their data.
- Businesses must still give consumers who opt out the same quality of service.
- The legislation, which goes into effect in January 2020, makes it easier for consumers to sue companies after a data breach.
- It gives the state’s attorney general more authority to fine companies that don’t adhere to the new regulations.
- The California law is not as expansive as Europe’s General Data Protection Regulation, a new set of laws restricting how tech companies collect, store and use personal data.
- California’s privacy measure was one of the most comprehensive in the United States, since most existing laws do little to limit what companies can do with consumer information.
*Source: NY Times, June 29, 2018