MENTIS

Week of November 16, 2018


Black Friday Brings Out Hackers Looking To Rip You Off*:

With shoppers on the lookout for Black Friday and Cyber Monday deals, thieves are creating malicious apps to steal from eager buyers, as well as targeting online retailers with malware, according to researchers.

Black Friday and Cyber Monday, which come right after Thanksgiving Day, are two of the most popular days for shopping online, with retailers offering big discounts and deals to capitalize on the holiday season.

Last November, Cyber Monday was the largest online sales day ever, with people spending $6.59 billion, and Black Friday brought in more than $5 billion in sales.

With all that money comes hackers looking for a quick payday from unsuspecting shoppers, whether it's through attacking retailers or tricking people directly.

Hackers are fully aware of how much money they could steal from eager shoppers online looking for low prices.

Researchers looked up "Black Friday" in app stores, and found that 237 of 4,324 results were malicious, and 44 out of 959 "Cyber Monday" apps were also malicious.

Coming into the busiest online shopping season of the year, consumers are urged to be extra vigilant about their security and double check the integrity of websites before entering or downloading any data.

*Source: CNet, November 16, 2018

 


Firefox To Display Warning If You Visit A Site That’s Been Breached*:

The Firefox browser will soon issue a warning if you visit a site that recently suffered a data breach.

The warnings will appear on Firefox's desktop browser as pop-up notifications that tell you how many accounts were compromised in the breach.

The same pop-up will show you a link to Firefox Monitor, a free service that lets you check whether any of your internet accounts were ensnared in a data breach.

The new function will roll out to Firefox in the coming weeks, at a time when users are demanding more security and privacy features, Mozilla said.

When a breach occurs, you should change the password on the affected account and enable two-factor authentication if available.

Mozilla built its notification system using data from security researcher Troy Hunt, who maintains an active library of all the latest data breaches at Haveibeenpwned.

This alert will appear at most once per site and only for data breaches reported in the previous twelve months.

You'll see an additional alert if the website you visit experienced another reported breach within the last two months.
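As an added illustration of the alert policy described above (example code written here, not Mozilla's own implementation), the decision logic in Python; it assumes the twelve-month and two-month windows are measured as 365 and 60 days and that each breach's publicly reported date is known:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

BREACH_WINDOW = timedelta(days=365)  # only breaches reported in the previous twelve months
REPEAT_WINDOW = timedelta(days=60)   # a further alert only for a newer breach this recent


@dataclass(frozen=True)
class Breach:
    site: str
    reported: date  # date the breach was publicly reported
    accounts: int   # number of compromised accounts, shown in the pop-up


@dataclass
class BreachNotifier:
    """Decides whether a breach warning is shown when a site is visited."""
    breaches: list
    last_alerted: dict = field(default_factory=dict)  # site -> reported date of the last alert

    def alert_for(self, site, today):
        """Return the Breach to warn about on this visit, or None for no pop-up."""
        eligible = [b for b in self.breaches
                    if b.site == site and timedelta(0) <= today - b.reported <= BREACH_WINDOW]
        if not eligible:
            return None  # no breach reported in the last twelve months
        newest = max(eligible, key=lambda b: b.reported)
        prev = self.last_alerted.get(site)
        if prev is None:
            # first alert for this site: shown once, for the most recent breach
            self.last_alerted[site] = newest.reported
            return newest
        # already warned: repeat only for a newer breach reported within the last two months
        if newest.reported > prev and today - newest.reported <= REPEAT_WINDOW:
            self.last_alerted[site] = newest.reported
            return newest
        return None


# Constructed sample data (hypothetical sites and dates, not real breach records).
TODAY = date(2018, 11, 17)
SAMPLE = [
    Breach("shop.example", date(2018, 6, 1), 100_000),
    Breach("stale.example", date(2017, 5, 1), 5_000),   # older than twelve months
]


def demo():
    """Walk through visits to the sample sites; returns the accounts figure shown or None."""
    n = BreachNotifier(list(SAMPLE))
    shown = []
    shown.append(n.alert_for("shop.example", TODAY))   # first visit: alert
    shown.append(n.alert_for("shop.example", TODAY))   # second visit: nothing
    n.breaches.append(Breach("shop.example", date(2018, 10, 20), 2_500))  # new breach reported
    shown.append(n.alert_for("shop.example", TODAY))   # newer breach within two months: alert
    shown.append(n.alert_for("stale.example", TODAY))  # breach too old: nothing
    return [b.accounts if b else None for b in shown]
```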

*Source: PC Mag, November 17, 2018

 


Quebec Region Pays $30,000 Bitcoin Ransom After Servers Hacked*:

On Sept. 10, municipal employees in a region between Montreal and Quebec City arrived at work to discover a threatening message on their computers notifying them they were locked out of all their files.

In order to regain access to its data, the regional municipality of Mekinac was told to deposit eight units of the digital currency Bitcoin into a bank account – roughly equivalent to $65,000.

Mekinac's IT department eventually negotiated the cyber extortionists down and paid $30,000 in Bitcoin, but not before the region's servers were disabled for about two weeks.

The attack highlights the inability of many small municipalities to adequately protect their data, but also the lack of guidance on cybersecurity provided to them by the Quebec government.

Bernard Thompson, reeve for the Mekinac regional municipality, said the ransom demand presented a real dilemma for his small organization.

Mekinac groups together 10 municipalities with a population of roughly 13,000 people.

Mekinac's attackers used malicious software – known as malware or ransomware – to demand money in return for keys to unlock the data.

Mekinac's servers were compromised after an employee opened and clicked on a link in a fraudulent email sent by the hackers.

Once opened, the malware was downloaded onto the computer, giving the hackers access to the entire network.

The hackers then encrypted all the data and held it hostage until they received their bitcoins.

Once a system's data is encrypted, it's virtually impossible to crack the code without a key – and there is nothing police can do about it.

The identity and location of Mekinac's hackers were never discovered.

Thompson said police seized some of his computers for analysis and told his office not to negotiate or pay the criminals.

But Thompson said his region couldn't heed that advice, because it would have meant months of data re-entry, costing significantly more than $30,000.

So they paid, got their data back and learned a valuable lesson.

*Source: CTV News, November 18, 2018

 


Singapore To Collaborate With Canada, US On Cybersecurity*:

The Cyber Security Agency of Singapore (CSA) said it signed a two-year Memorandum of Understanding (MoU) with Canada's Department of Foreign Affairs, Trade, and Development, which would include collaboration in various areas such as information exchange on cyber threats and cyberattacks and best practices on human resource development.

The partnership also would comprise the provision of technical and certification services, development of cybersecurity standards, and regional cybersecurity capacity building.

These initiatives aimed to boost Singapore's operational cybersecurity capabilities, including in critical infrastructure protection, domestic cybersecurity ecosystem development, and the development of "a secure and trusted regional cyberspace in Asean", said CSA.

Separately, the cybersecurity agency also inked a Declaration of Intent (DOI) to collaborate with the US government to develop a technical assistance programme for Asean member states.

This partnership would include elements of Singapore's Asean Cyber Capacity Programme (ACCP) and the US' Digital Connectivity and Cybersecurity Partnership initiative, according to CSA.

The Singapore agency added that the partnership aimed to facilitate three cybersecurity training workshops covering various aspects of technical cybersecurity capacity building and involving technology industry partners.

These workshops would be held in Singapore and other regional venues alongside participating Asean member states.

The two agreements were signed this week on the sidelines of the 33rd Asean Summit held in Singapore, which was attended by Canadian Prime Minister Justin Trudeau and US Vice President Mike Pence.

The Singapore government also has existing cybersecurity partnership agreements with various nations including Australia, France, and India.

*Source: ZD Net, November 18, 2018

 


26 Million Texts Exposed In Poorly Secured Vovox Database*:

A poorly secured database exposed at least 26 million text messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.

The leaky database, owned by communications firm Vovox, was found on Shodan by Sébastien Kaul, a security researcher based in Berlin.

Kaul discovered the database lacked password protection and left names, phone numbers, and text messages easily searchable.

Vovox took down the database after it was contacted with an inquiry from TechCrunch.

However, while the server was still running, anyone could have obtained two-factor codes sent by people attempting account logins.

This level of accessibility could have let someone easily take over an account protected with two-factor authentication and an SMS verification code.

While the codes and links exposed are only useful for a finite period of time, there is a risk that attackers were able to compromise users.

Security experts have long been wary of SMS verification, saying it's insufficient to properly protect users' data – a lesson learned in the August Reddit breach, which engineers said was rooted in SMS-based two-factor authentication.

*Source: Dark Reading, November 16, 2018

 


Six Month Sentence Handed For Data Abuse In Landmark ICO Prosecution*:

A motor industry employee has been given a six-month prison sentence for accessing customer records without permission in a landmark prosecution led by the Information Commissioner's Office (ICO).

Mustafa Kasim pleaded guilty on one charge of securing unauthorised access to personal data between January and October 2016, and was sentenced to six months under the Computer Misuse Act (CMA) 1990.

Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed the personal data of thousands of customers on the Audatex IT platform using his colleagues' login details.

This is the first time in the 28 years since the Act came into force that the ICO has led a prosecution under it, and the choice was motivated by a desire to secure a tougher punishment for Mustafa Kasim than is conventionally handed down for data misuse.

Kasim continued to access customers' personal data when he left NARS and started a new job at a different car repair organisation which used the same software.

These details included customers' names, phone numbers, as well as vehicle and accident information.

NARS approached the ICO upon receiving increased complaints from customers about receiving nuisance calls.

Cases such as this, concerning data abuse, are normally prosecuted under the Data Protection Act (DPA) 1998, or the EU's General Data Protection Regulation (GDPR), which came into force earlier this year.

However, with the timing of the case rendering GDPR inapplicable, and punishment under the DPA 1998 not deemed severe enough, the ICO opted to prosecute Kasim under different legislation.

In this case, the ICO chose section one of the CMA 1990, which prohibits intentionally using a computer to gain unauthorised access to programs or data held in it. This offence carries a maximum prison sentence of two years.

The data regulator said, "in appropriate cases" it had the remit to prosecute cases via alternative legislation "to reflect the nature and extent" of offences, and so that the court has "a wider range of penalties available".

*Source: IT Pro, November 13, 2018

 


CarsBlues Vehicle Hack Exploits Vehicle Infotainment Systems Allowing Access To Call Logs, Text Messages And More*:

Privacy4Cars, the first and only mobile app designed to help erase Personally Identifiable Information (PII) from modern vehicles, publicly disclosed today the existence of a concerning vehicle hack, titled CarsBlues, that exploits infotainment systems of several makes via the Bluetooth protocol.

The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.

As a result of these findings, it is believed that users across the globe who have synced a phone to a modern vehicle may have had their privacy threatened.

It is estimated that tens of millions of vehicles in circulation are affected worldwide, with that number continuing to rise into the millions as more vehicles are evaluated.

The hack was discovered by Privacy4Cars founder Andrea Amico during development of the namesake Privacy4Cars app in February 2018.

Upon discovery, Amico, a vehicle privacy and cybersecurity advocate, immediately notified the Automotive Information Sharing and Analysis Center (Auto-ISAC), the organization established by the automotive industry to share and analyse intelligence about emerging cybersecurity risks among its members.

Amico worked for months with Auto-ISAC to help its affected members understand how an attacker might access stored contacts, call logs, text logs, and in some cases even full text messages without the vehicle's owner/user being aware - and without the user's mobile device being connected to the system.

Amico recently noticed that at least two manufacturers have made systematic updates to their new 2019 models, making those new models immune to CarsBlues.

Those most at risk of having their personal information exposed include people who have synced their phones in vehicles that are no longer under their direct oversight, including but not limited to vehicles that have been rented, shared through a fleet or subscription service, loaned, sold, returned at the end of a lease, repossessed, or deemed a total loss.

Additionally, people who have synced their phones and given others temporary access to their personal vehicle, such as at dealerships' service centers, repair shops, peer-to-peer exchanges, and valets may also be at risk for CarsBlues.

Vehicle users should consider deleting personal data from any and all vehicle infotainment systems before allowing anyone access to their vehicle.

Industry players should consider instituting a policy to protect consumer data, either by helping customers delete their personal information or by performing the operation themselves – similarly to how telecom carriers handle returned smartphones.

*Source: PR Newswire, November 15, 2018

 


Carmakers Are Collecting Data And Cashing In – And Most Drivers Have No Clue*:

Vehicles are increasingly coming connected with Wi-Fi and may know more about you than you think – where you've been, what you're listening to and what kind of coffee you like.

Under the hood of one car, Ford's former head of tech John Ellis found four computers.

Inside the car, he hooked up his smart phone to show the data streaming in real time.

With enough data, one can discern patterns that seem to be almost non-existent to the human eye.

From the brakes to the windshield wipers, with as many as 100 points that generate data, today's cars pack the power of 20 personal computers and can process up to 25 gigs of data every hour – some of it beamed back.

Now, carmakers are rushing to turn your car's data into a revenue stream, reselling blocks of location information and, one day, information from cars' on-board cameras and sensors could be bought by mapping companies or apps that monitor traffic conditions.

Seventy-two percent of car owners said they had no idea this was happening.

Soon, a car's data may be worth more than the vehicle itself, according to one car data company.

Driver data could add up to three-quarters of a trillion dollars industry-wide by 2030.

GM uses that data – with drivers' consent – to put popular brands at their fingertips.

GM calls it marketplace, an attempt to cash in on the 46 minutes per day the average American spends in a car.

If you’re low on gas or looking for food, the car can point you to the nearest gas station or restaurant based on your current location.

*Source: CBS News, November 13, 2018

 


70 Percent Of SMBs Suffer Cyberattacks*:

Cyberattacks are often thought of as being a problem just for large organizations.

But a new study by the Ponemon Institute shows that small businesses increasingly face the same cybersecurity risks as larger ones.

The number of attacks is on the rise -- with 67 percent experiencing a cyberattack and 58 percent experiencing a data breach in the last 12 months.

Yet nearly half of respondents (47 percent) say they have no understanding of how to protect their companies against cyberattacks.

As SMBs become more vulnerable, the risk of employees and contractors causing a data breach or ransomware attack is simultaneously increasing -- 60 percent of those surveyed cited a negligent employee or contractor as being the root cause for a breach, compared to 37 percent pointing to an external hacker.

More worrying, 32 percent of respondents assert that their companies could not determine the root cause of a data breach they have experienced in the past 12 months.

40 percent say their companies experienced an attack involving the compromise of employees' passwords in the past year, with the average cost of each attack being $383,365.

Accordingly, 19 percent more IT and security professionals consider password protection and management to be increasingly critical this year compared to last.

The results of the 2018 State of Cybersecurity in Small and Medium Size Businesses study underscore the critical importance of implementing a secure password management solution to protect not only SMBs' sensitive digital assets, but also their reputation and the longevity of their business operation.

Among other findings, SMBs continue to struggle with a lack of personnel and budget: 74 percent of respondents say they don't have the appropriate personnel, and 55 percent lack sufficient budget to effectively mitigate cyber risks.

The respondents who believe they are 'highly effective' at mitigating risks, vulnerabilities and attacks have bigger budgets and more in-house expertise.

These companies also dedicate a higher percentage of their IT budget to cybersecurity.

*Source: Beta News, November 16, 2018

 


2018 On Track To Be One Of The Worst Ever For Data Breaches*:

The number of reported data breaches this year between Jan. 1 and Sept. 30 was down 8% compared with the same point last year.

In addition, the number of exposed records for the first nine months of this year was lower by a substantial 49%.

Yet at the same time, the numbers still translated to 3,676 breaches and a staggering 3.6 billion records compromised.

That puts 2018 on track for having the second-most number of reported breaches in a year and the third-highest number of records exposed overall since 2005, according to Risk Based Security, which analysed data pertaining to breaches gathered from public sources, through automated and proprietary processes, and other means.

Seven of the breaches this year exposed 100 million or more records, and the 10 largest accounted for more than eight in 10 of all records compromised.

Among those suffering major data breaches this year were Facebook, Under Armour, Ticketfly, and Hudson's Bay Company.

That there were fewer data breaches and records compromised in the first nine months of 2018 compared with the same period last year could be that attackers were more engaged in crypto-currency mining activities in the early part of this year.

There were also no catastrophic events like the WannaCry and Petya/NotPetya outbreaks as in 2017, at least through the end of September.

Despite mounting regulatory pressures, this year saw little improvement in the interval between when organizations first discover a breach and when they publicly disclose the event.

In 2017, organizations took an average 47 days to publicly disclose an event; this year the number stood at 47.5 days.

For all the investments that organizations are making in breach detection and response, most discover a breach only after being informed of it by an external party.

Just 483 (13%) of the 3,676 publicly reported data breaches were discovered internally, according to Risk Based Security.

In well more than half the reported breaches the breached entity did not know about the intrusion until being informed by a third party.

As has been the case for several years, insiders posed the biggest threat to data.

Fraud, a term that Risk Based Security uses to describe any sort of malicious insider activity or non-technical method of illegally accessing data, accounted for nearly 36% of the records compromised.

More than 30 of 51 data breaches involving intellectual property in the first nine months of 2018 stemmed from inside the organization.

In addition to malicious activity, many organizations suffered data compromises because of employees and others with insider access mishandling assets.

Email addresses, passwords, names, and addresses were the most commonly exposed data types. But 18% of the breaches exposed Social Security numbers, 15% involved credit card data, and 11% compromised birth dates.

While insiders were responsible for the largest number of records compromised, hacking by external parties continued to be the primary cause of security incidents at most organizations.

Somewhat surprisingly given current regulatory pressures, about 35% of organizations that suffered a breach this year did not or were not able to disclose the number of records impacted in the incident.

*Source: Dark Reading, November 12, 2018

 
