MENTIS news

Week of September 30, 2016

Germany Orders Facebook to Stop Collecting Data on Whatsapp Users*:

  • A German privacy regulator issued an order this week prohibiting Facebook from collecting user data on German WhatsApp users, calling the company’s actions misleading and in violation of the nation’s data protection law.
  • The move comes a few weeks after a recent WhatsApp policy change that said the company would begin sharing users’ data with its parent company, Facebook.
  • Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, said that sharing customer data is permissible only if the companies have established a legal basis for doing so, adding that Facebook has not obtained the consent of users.
  • In a prepared statement, a Facebook spokesperson said the company will work with Hamburg’s Data Protection Agency to sort through lingering issues.
  • WhatsApp, which was acquired by Facebook for $19 billion in 2014, announced in August that it would transfer some of its customers’ data, including phone numbers, to Facebook’s systems in order to offer better friend suggestions and more relevant ads.
  • India’s Delhi High Court weighed in on the move five days ago, ordering WhatsApp to delete data of users who opted out before September 25 – when the policy came into effect.

*Source: Threat Post, September 28, 2016

You Might be Surprised to Learn Who’s Collecting Your Data*:

  • Every company is a digital company, from the biggest tech companies to the neighbourhood corner store.
  • A large ecosystem of partners and suppliers enables those companies to provide the services they do.
  • Most people understand that in order for digital services to work properly or stay free they may need to allow the services to track some of their data.
  • There are also partners and third-parties that operate behind the scenes – typically ISPs, cloud services, or content-delivery networks (CDNs) – through which 45% of the internet’s traffic passes.
  • What many people don’t realize is that these third-parties could also be tracking and selling their online behaviors as data.
  • The FCC is cracking down on ISPs for selling user data without consent, but now some CDNs are also getting in on the game.
  • More than 90% of adults agree that consumers have lost control of how their data is collected and shared online; it will soon be imperative that companies disclose to their users who has access to their data.

*Source: Tech Crunch, October 1, 2016

Millions of Canadians Don’t Have to be Told if Health Information Breached*:

  • The personal health information of hundreds of patients is breached every year, but most Canadians live in provinces where health-care providers don't have to tell victims.
  • A CBC News investigation found that six provinces, with a combined population of about 20 million, have no legislation in place requiring hospitals, doctors and other health-care providers to notify patients of a breach of their medical files.
  • A breach can be anything from someone accidentally sending records to the wrong destination to someone stealing health information and selling it.
  • In the jurisdictions that do have some form of notification requirement, the legislation has a minimum harm threshold – for example “risk of significant harm as a result of the security breach.”

*Source: CBC, September 28, 2016

Yahoo is Sued for Gross Negligence Over Huge Hacking*:

  • Yahoo was sued by a user who accused it of gross negligence over a massive 2014 hacking in which information was stolen from at least 500 million accounts.
  • The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a “state-sponsored actor.”
  • The lawsuit seeks class-action status and unspecified damages.
  • The attack could complicate chief executive Marissa Mayer’s effort to shore up the website’s flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo’s Internet business to Verizon.
  • User information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.

*Source: Fortune, September 23, 2016

Hacker Faces 20 Years in Prison for Helping ISIS*:

  • The US just broke new ground in its bid to fight pro-terrorist hackers.
  • A judge has sentenced Kosovo citizen Ardit Ferizi to 20 years in prison for hacking a US company in order to collect information about 1,300 government and military personnel and help ISIS create a hit list.
  • It's the country's first conviction for terrorism-related hacking, according to Assistant Attorney General John Carlin.
  • The 20-year term isn't as tough as it could have been (Ferizi was facing a maximum of 35 years), but American officials still see it as a warning.
  • This isn't going to deter the most committed ISIS hackers (at least not those operating from ISIS-occupied territories), but it may give pause to others who are still considering cyber-attacks.

*Source: Engadget, September 25, 2016

An Employee Just Admitted to Selling Private Phone Records*:

  • A former Verizon Wireless employee has pleaded guilty to illegally selling customer phone records and location data to a private investigator.
  • Daniel Eugene Traeger, who worked in Alabama, was accused of selling the confidential records from 2009 to 2014 after he was contacted by a private investigator who offered to pay him for the breach.
  • Consumerist reports that Traeger originally sold the records for as little as $50 a month, but increased the price to $750 a month in 2013; over the five years, he reportedly made about $10,000.
  • Traeger would log into the Verizon computer system to access customers’ call records.
  • Security breaches have become a massive problem in the U.S. in recent years; news of Traeger’s case came just days after Yahoo announced that over 500 million user accounts had been hacked.
  • Traeger currently faces up to five years in prison, but since he accepted responsibility, prosecutors are recommending a lesser sentence.

*Source: Fortune, September 27, 2016

Did Russia Hack the NSA?*:

  • Lately Russia has been taking the blame for hacking everyone from the Democratic National Committee to former Secretary of State Colin Powell to the National Security Agency.
  • When it emerged last month that the world's most elite hackers might themselves have been hacked, all eyes turned to Russia.
  • But as the investigation proceeds, the facts of what happened may turn out to be more complicated.
  • NSA deputy director Chris Inglis was the Agency's number two at the time when Edward Snowden copied top-secret files and disclosed them to the world, and the prospect of another possible inside job is not lost on him.
  • Of the various explanations that have been floated for the NSA breach, cyber security experts say that while Russia may have been responsible for making the files public, Russia likely got them from an NSA insider.

*Source: NPR, September 23, 2016

Official: No ‘Manipulation’ of Data Seen in Election Hacks*:

  • Hackers have made their way into state election systems "in a few cases," but the federal government hasn't found "any manipulation" so far of voting information.
  • Twenty-one states have contacted the Department of Homeland Security for help in safeguarding their election systems, and Homeland Security Secretary Jeh Johnson is urging additional requests for cybersecurity assistance.
  • A department official told The Associated Press on Friday that hackers have targeted the voter registration systems of more than 20 states in recent months.
  • Federal officials and many cybersecurity experts have said it would be nearly impossible for hackers to alter an election's outcome because election systems are decentralized and generally not connected to the internet.
  • FBI Director James Comey told lawmakers this past week that the FBI is looking "very, very hard" at Russian hackers who may try to disrupt the U.S. election.

*Source: AP News Archive, October 1, 2016

Swiss Voters Back Controversial Surveillance Law*:

  • Swiss voters have approved a new surveillance law granting their national intelligence service greater powers to spy on "terrorist" suspects and cyber criminals.
  • The legislation, which will let security agents tap phones and computer networks under certain conditions, won the support of more than 65 percent of the five million voters.
  • Left-wing groups warned that the law would violate citizens' privacy and undermine Switzerland's neutrality as the secret service would also be allowed to cooperate with foreign intelligence agencies.
  • But the government insisted it was not aiming to set up a vast data-gathering apparatus, similar to the one developed by the US National Security Agency (NSA) that came into the public eye in part through former contractor Edward Snowden's revelations.
  • Rights group Amnesty International said it regretted Sunday's result, arguing the new law will allow "disproportionate" levels of surveillance, adding it posed "a threat to freedom of expression."
  • The law was approved by parliament in 2015, but an alliance of opponents, including members of the Socialist and Green parties, gathered enough signatures to force Sunday’s referendum.
  • The poll was part of Switzerland's direct democracy system, in which votes are held on a wide range of national issues four times a year, and even more frequently at regional and municipal levels.

*Source: Al Jazeera, September 25, 2016

Cisco Warns of Critical Flaw in Email Security Appliances*:

  • Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances.
  • Cisco first issued a security bulletin last week for IronPort AsyncOS, but has since updated that alert with more information, including a software update that addresses the security flaw.
  • Cisco also released software updates for each of the denial-of-service (DoS) vulnerabilities it disclosed.
  • Cisco also released software that patches two security bulletins rated medium and tied to its Firepower Management Center.
  • Earlier this month, Cisco warned of 12 security vulnerabilities, one critical relating to its WebEx Meeting Server.

*Source: Threat Post, September 29, 2016

Hackers Trawl User Data in Hopes a Small Target Will Lead to a Big One*:

  • In disclosing that at least 500 million of its user accounts had been hacked, Yahoo blamed an unnamed “state-sponsored actor” for the intrusion. While Yahoo customers were caught by surprise, officials in Washington were not.
  • For more than a year, they had been getting warnings from threat researchers that hackers were targeting their personal Yahoo email.
  • This expanded hacking strategy presents a new challenge: While top-secret material is usually kept in more secure computer systems, it is hard if not impossible to predict what information people are exchanging in personal email accounts.
  • In 2014, Yahoo also investigated attacks by Russian hackers that targeted dozens of private Yahoo accounts, one person with knowledge of Yahoo’s investigation said, but it is not yet clear whether the same hackers were behind the larger hack.
  • Hackers working on behalf of governments can match stolen Yahoo account data with their own material or information available on the criminal underground and published on the website WikiLeaks for a variety of purposes.
  • In the two years since Yahoo believes the hackers first penetrated its network, state-sponsored hackers have stolen tens of millions of records from the insurance companies Anthem and Premera Blue Cross, including Social Security numbers, health records, birth dates, addresses, emails, passwords and employment information — basically, everything you’d need to know about a person.
  • It may sound like a crazy collection of unrelated information, but it’s not very difficult to make connections among seemingly random bits of information using data-sifting technology.
  • Intelligence officials and private security researchers say it’s not just prominent US officials being targeted; it’s also their spouses, staff members, lawyers, and business partners who may not have the same level of security on their data and communications.

*Source: New York Times, September 23, 2016
