- Hackers have breached the systems of 62 colleges and universities by exploiting a vulnerability in an enterprise resource planning (ERP) web app, the US Department of Education said in a security alert sent out this week.
- The vulnerability is in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP that lets universities customize their front-facing web applications.
- The vulnerability also impacts Ellucian Banner Enterprise Identity Services, a module for managing user accounts.
- Earlier this year, a security researcher named Joshua Mulliken discovered a vulnerability in the authentication mechanism used by the two modules that can allow remote attackers to hijack victims’ web sessions and gain access to their accounts.
- But in a security alert published on Wednesday, the Department of Education says hackers have started exploiting this vulnerability.
- One victim reported that the attackers created thousands of fake accounts over days, with around 600 accounts created during a 24-hour period.
- Officials are now urging colleges and universities that run vulnerable versions of the ERP modules to apply patches.
- “Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals,” Ellucian added.
- “Ellucian recommends adding reCAPTCHA capabilities to the admission process to reduce the likelihood of experiencing fraudulent applications for admissions, even if institutions are not currently experiencing this issue.”
- According to its website, the Ellucian Banner ERP is used by over 1,400 colleges, universities, and other institutions.
*Source: ZDNet, July 19, 2019
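The figure above (thousands of fake accounts, about 600 in one 24-hour period) is the kind of signal a signup log can surface on its own, well before a CAPTCHA is rolled out. The Python below is an added example, not code from Ellucian or from the ZDNet report: it builds a constructed signup log, counts account creations in a trailing 24-hour window, and groups them by /24 so a defender can alert on a burst. The log line format, the threshold of 50 signups per day and all IP addresses are assumptions.

```python
"""Detect a burst of account creation in a signup log.

Added example; the log format, threshold and all addresses are constructed
assumptions, not anything from Ellucian or the ZDNet report.
"""
from collections import Counter, deque
from datetime import datetime, timedelta
from ipaddress import ip_network


def build_sample_log():
    """Constructed signup log: three quiet days with 8 signups/day from
    scattered addresses, then 120 signups in two hours from one /24.
    Assumed line format: '<ISO timestamp> signup_created user=<id> ip=<addr>'."""
    lines = []
    base = datetime(2019, 7, 13)
    for day in range(3):
        for i in range(8):
            ts = base + timedelta(days=day, hours=3 * i)
            lines.append(f"{ts.isoformat()} signup_created "
                         f"user=u{day}{i} ip=198.51.100.{day * 8 + i + 1}")
    burst_start = base + timedelta(days=3, hours=2)
    for i in range(120):
        ts = burst_start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} signup_created "
                     f"user=bot{i} ip=203.0.113.{i % 250 + 1}")
    return "\n".join(lines)


def parse_signups(text):
    """Return a time-sorted list of (timestamp, user, ip); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "signup_created":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        user = parts[2].partition("=")[2]
        ip = parts[3].partition("=")[2]
        events.append((ts, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_bursts(events, window=timedelta(hours=24), threshold=50):
    """Sliding-window counter: emit one (timestamp, count) alert each time the
    number of signups in the trailing `window` rises above `threshold`."""
    alerts = []
    recent = deque()
    armed = True
    for ts, _user, _ip in events:
        recent.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            if armed:
                alerts.append((ts, len(recent)))
                armed = False
        else:
            armed = True
    return alerts


def signups_per_network(events, prefix_len=24):
    """Count signups per IPv4 network of the given prefix length."""
    counts = Counter()
    for _ts, _user, ip in events:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    evts = parse_signups(build_sample_log())
    for when, n in detect_bursts(evts):
        print(f"ALERT {when.isoformat()}: {n} signups in the trailing 24h")
    for net, n in signups_per_network(evts).most_common(3):
        print(f"{net}: {n} signups")
```

On the constructed log the window counter fires during the first hour of the burst, and the per-network tally points at the single /24 behind it; in practice the threshold should be set from the institution's own baseline signup rate, and a grouping by email domain or user agent can be added alongside the network grouping.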
- Israeli security company NSO is reportedly advertising to governments that its Pegasus software can crack encrypted cloud storage, including iCloud, OneDrive, and Google Drive.
- A report from The Financial Times says the company, known for its previous malware attack capabilities related to WhatsApp, is able to harvest both information on users’ devices as well as data stored in popular cloud services, though the company has denied that it markets any such technology.
- In a statement to Apple Insider, the company said, “We do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure.”
- NSO says that it only markets its technology to governments, which is, I guess, some consolation that at least it’s not likely to end up in the hands of criminal hackers.
- Companies like Google and Facebook make enormous profits by targeting you with ads they judge relevant based on the information they collect.
- Bad actors want very much to access sensitive information like banking and credit card credentials, or even medical records.
- What’s far scarier is the idea that the government is very much just as interested in making sure it can get your information if it wants.
*Source: inc, July 19, 2019
- Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service.
- The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world.
- A week ago, on July 13, a hacking group under the name 0v1ru$ that had reportedly breached SyTech, a major FSB contractor working on a range of live and exploratory internet projects, left a smiling Yoba Face on SyTech’s homepage alongside pictures purporting to showcase the breach.
- BBC Russia broke the news that 0v1ru$ had breached SyTech’s servers and shared details of contentious cyber projects, projects that included social media scraping (including Facebook and LinkedIn), targeted collection and the “de-anonymization of users of the Tor browser.”
- As well as defacing SyTech’s homepage with the Yoba Face, 0v1ru$ also detailed the project names exposed: “Arion”, “Relation”, “Hryvnia”, alongside the names of the SyTech project managers.
- The projects themselves appear to be a mix of social media scraping (Nautilus), targeted collection against internet users seeking to anonymize their activities (Nautilus-S), data collection targeting Russian enterprises (Mentor), and projects that seem to relate to Russia’s ongoing initiative to build an option to separate the internal internet from the world wide web (Hope and Tax-3).
- Contractors remain the weak link in the chain for intelligence agencies worldwide—to emphasize the point, just last week, a former NSA contractor was jailed in the U.S. for stealing secrets over two decades.
- Digital Revolution passed the information to journalists without anything being edited, removed or changed, they said. Little is known about 0v1ru$, and the group has not come forward with any comment.
*Source: Forbes, July 20, 2019
- One of the most well-known points of criticism of the cryptocurrency and blockchain industry is that it lacks the will to submit to regulation by competent authorities.
- This is hardly a surprise, considering one of the key premises on which cryptocurrencies were initially built: a disdain for government control and a utopian dream to move beyond fiat currencies and into a decentralized system.
- The EU’s General Data Protection Regulation, GDPR for short, passed into law in 2016 but came into effect on May 25, 2018, causing a frenzy among businesses rushing to become GDPR-ready at the last minute.
- In order to fall in line with the provisions of GDPR, businesses must set up and implement a range of technical and organizational measures aimed at increasing privacy and security.
- This includes data discovery and classification in order to properly identify and address the risks, as well as establishing safeguards such as pseudonymizing personal data through techniques like data masking.
- However, what is slightly trickier to grasp is the delicate balance between blockchain and the GDPR – as well as specific cryptocurrencies.
- According to research across 600 organizations, a whopping 27% of respondents stated that regulatory uncertainty is the biggest issue, and another 4% cited concerns over audit and compliance.
- Of course, this all makes sense in cases where the GDPR actually applies – but given that its scope covers any company providing products or services or even just monitoring the behavior of individuals that are based within the EU, it is extremely probable that every cryptocurrency will fall under its scope in that sense.
- As we move towards an increasingly regulated cryptocurrency industry, adhering to the GDPR rules will have a deep impact on the sector and trigger further developments with regard to how focused on privacy the industry is.
*Source: Kryptomoney, July 18, 2019
- In light of recent news that your webcam could potentially record you without you even knowing, it’s not surprising that people are worried about being spied on online.
- In fact, according to a new study from HP, as many as six in 10 people are so worried, they still physically cover their webcam with tape, post-it notes, or even Band-Aids.
- In reality, online security needs much more than a Band-Aid.
- Email phishing is still the most common online security issue, and despite the fact that the bad guys have grown more and more sophisticated, it is also the easiest to prevent.
- Don’t click on any links in emails from someone you don’t recognize, and even if you do, don’t click if anything seems even a little off.
- Many of the browser extensions people use collect your web browsing history and sell it off as marketing research.
- The most important precaution: don’t install third-party browser extensions that require permissions to collect your data.
- Having your personal banking, credit card, medical records, or other sensitive data leaked is still the worst-case scenario at this point.
- It’s also the one that’s hardest to protect against, since it’s mostly out of your control. You depend on service providers to keep your information secure, and the results can be catastrophic when they don’t.
- As a business, however, you can consider using services that offer end-to-end encryption when you store your data, which means that even if your data leaks, it’s extremely unlikely anyone will be able to make any sense of it.
- Attackers are certainly getting more sophisticated, but you can protect yourself by educating your employees on basic internet safety: don’t click on unfamiliar links, never download files from emails sent by suspicious senders, and never run or install applications that don’t come from a reputable source.
*Source: inc, July 19, 2019