Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 20th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsDay.com in the U.S.
In a few minutes David Shipley of New Brunswick’s Beauceron Security and I will discuss some recent cybersecurity news. But first a review of headlines from the past seven days:
CircleCI, a continuous integration platform used by application developers, published an explanation of how it was compromised in December. David and I will look at that. We’ll also look at recent comments made by an American government security leader who wondered why organizations still put up with buggy software. And with Data Privacy Week starting on Monday we’ll have thoughts on how businesses treat the personal information they collect.
Companies are still not doing enough to protect themselves from phishing attacks. The latest example is the compromise of email marketing service provider Mailchimp. This week it said the accounts of 133 customers were hacked. Mailchimp employees also fell for a phishing scam last August.
The cyberwar between Russia and Ukraine continues. Ukraine says its Computer Emergency Response team foiled an attack on the country’s national news agency. While some of the agency’s infrastructure was hit by a data wiper, news operations are still running.
Separately, BlackBerry issued a report on a Russian-state-sponsored cyber espionage group called Gamaredon that has been attacking targets in Ukraine since 2013. The gang’s latest tactic is using network infrastructure from Crimea, which Russia occupied in 2014.
The majority owner of the Bitzlato cryptocurrency exchange was arrested in Miami and charged with allegedly processing illicit funds. It is alleged the company marketed itself to crooks as a no-questions-asked cryptocurrency exchange. At the same time as the arrest, French authorities dismantled Bitzlato’s digital infrastructure.
Thousands of users of Norton Password Manager began receiving notices that their accounts were hacked. They were compromised following a brute force attack using credentials likely bought on the dark web.
PayPal has started sending data breach notifications to over 34,000 users. This comes after the discovery of an incident in December when a number of subscriber accounts were compromised. The attacker would have been able to copy users’ names, addresses, dates of birth, Social Security numbers, and government tax identification numbers.
Nissan North America is notifying some 18,000 buyers of its vehicles that some of their personal data is at risk. This is because a customer list Nissan gave to an outside software developer for testing was stolen.
A new piece of Android malware aimed at stealing the bank account passwords of people from their smartphones has been discovered. Researchers at ThreatFabric say the malware, called Hook, is a variant of the Ermac family of banking malware. It can capture banking information from financial institutions in the U.S., Canada and many other countries. Hook is being sold to hackers for incorporation in their schemes.
And GitLab told users of its Community and Enterprise editions to upgrade to the latest versions after the discovery of vulnerabilities. Separately, application developers using GitHub’s Codespaces feature were urged to lock down their projects after the discovery of a serious vulnerability.
(The following is a partial transcript of our discussion. To hear the full talk, with discussion on the CircleCI and Mailchimp hacks as well as on why we tolerate buggy software, play the podcast)
Howard: Next week is Data Privacy Week. What should data protection, IT and cybersecurity leaders be thinking about this?
David Shipley: One of the things that I’ve preached for years is the easiest way to reduce your risk is to get rid of the data you don’t need to protect. Data retention is a really, really important part of this equation. So many different breaches I have seen have included data that was no longer valid, useful, or beneficial still being kept and available on databases. And when those databases get hit through some kind of security vulnerability, some kind of a lapse in a security control, the entire data set spills out — and then you’ve got to reach out to all of those affected users. Here’s an example: There was a recent story here in Atlantic Canada about a package delivery company that had an open Amazon S3 bucket of data where you could actually easily guess the tracking URL that had been sent. It would link you back to an image taken [by the delivery service] of the home to confirm you actually had delivery. In some cases the label might show the person’s name, address, etc. After a package has been delivered, and after a certain period of time, they [the service] shouldn’t have that data still retained. The scope of that breach could have been reduced massively. We talk a lot about privacy in terms of the use of encryption and other things. But the first thing to do [by every organization] is to look hard at data retention and tackle the myth that all data could have future value, so let’s keep it.
Howard: That package delivery service security problem is one we’ve seen before where the customer has a tracking number and when you go to the website to track the progress of the package that number is also reflected in the URL. All you have to do is change one digit and you can start seeing other people’s tracking information. I’ve heard of this before where there’s a string of digits in the URL that reflect the customer data and all I have to do is change one digit and boom, you have a privacy breach.
David: Security is never going to be 100 per cent, but privacy and security are two sides of the same coin. So have a good understanding of why you are collecting data. What are you using it for? Did you have the proper consent for it? And are you only keeping it for as long as it’s useful?
The other part of this privacy story is the increasingly large number of datasets that are being lost out there that are being combined in unique and problematic ways …AI (artificial intelligence) is going to have a field day developing the next generation of phishing attacks [with that stolen data].
Howard: Another example this week of a data privacy breach was car maker Nissan North America acknowledging there was a loss of customer data that had been sent to an outside software developer that was developing an application for Nissan. To test the application it needed data. So Nissan shipped a chunk of customer data to this external third-party software developer. Somebody there made a mistake; they uploaded it to a cloud storage site. But there was enough time that someone was able to steal that data. There’s a third-party hack. I think there are two issues here: One, should you be sending real data to an external company, and the second is how do you make sure that any data that you have to send to a company is properly protected?
David: There was absolutely no reason other than just rushing that a company can’t take real data, write a script and replace all the PII [personally identifiable information]. You can keep all the fields and all the information and depersonalize or anonymize it. You can easily create fake structured data to test applications. Take the hour to have someone on your team write the script and then you send the fake data [outside the company] … If there’s one message it’s, ‘Script it, fake it, that way you can test it.’ So even if they do screw up and put it in an Amazon S3 bucket it doesn’t hurt you.
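An added example, written for this page rather than taken from the podcast or from any of the companies discussed, of the “script it, fake it” approach David describes: a stdlib-only Python script that takes a customer export, replaces the direct identifiers with keyed pseudonyms (so duplicate records for the same person still line up for testing, and the replacement IDs are not the guessable sequential numbers Howard describes in the tracking-URL case), keeps the non-identifying columns the application needs, and refuses to produce the file if any original identifier survives scrubbing. The column names and the three sample records are constructed for the example; nothing here describes Nissan’s actual data or process.

```python
"""Produce a depersonalized copy of a customer export before handing it to an
outside developer. Example code written for this page, not any company's real
process. Column names and sample records are constructed."""
import csv
import hashlib
import hmac
import io
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed sample export: the shape a team might be tempted to ship as-is.
SAMPLE_CSV = """customer_id,full_name,email,date_of_birth,vin,model,city
100001,Alice Example,alice@example.org,1985-04-12,1N4AL3AP8JC123456,Altima,Nashville
100002,Bob Sample,bob.sample@example.net,1979-11-30,5N1AT2MV5JC654321,Rogue,Austin
100003,Alice Example,alice@example.org,1985-04-12,JN8AZ2NF0J9111111,Pathfinder,Nashville
"""

# Columns that identify a person directly. Everything else (model, city) is
# kept so the application under test still sees realistic structure.
DIRECT_IDENTIFIERS = ("customer_id", "full_name", "email", "date_of_birth", "vin")


def _tag(key: bytes, column: str, value: str, length: int = 12) -> str:
    """Keyed pseudonym: same input -> same output, so joins and duplicates
    behave as in production, but without the key an outsider can neither
    recover nor confirm the original value (unlike a plain hash of an email)."""
    mac = hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def pseudonymize_row(row: dict, key: bytes) -> dict:
    out = dict(row)
    # Non-sequential ID: changing one digit no longer lands on a neighbour.
    out["customer_id"] = "T" + _tag(key, "customer_id", row["customer_id"])
    out["full_name"] = "Customer " + _tag(key, "full_name", row["full_name"], 8).upper()
    out["email"] = _tag(key, "email", row["email"]) + "@example.invalid"
    # Plausible adult date of birth in the same format, derived from the tag.
    days = int(_tag(key, "date_of_birth", row["date_of_birth"]), 16) % (60 * 365)
    out["date_of_birth"] = (date(1945, 1, 1) + timedelta(days=days)).isoformat()
    # Keep the 3-character manufacturer prefix so VIN-format checks still run;
    # uppercase hex is within the VIN alphabet (no I, O or Q).
    out["vin"] = row["vin"][:3] + _tag(key, "vin", row["vin"], 14).upper()
    return out


def rows_of(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def pseudonymize_csv(text: str, key: bytes) -> str:
    reader = csv.DictReader(io.StringIO(text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(pseudonymize_row(row, key))
    return buf.getvalue()


def leaked_values(original: str, scrubbed: str) -> list:
    """Release gate: every direct-identifier value from the original that still
    appears anywhere in the scrubbed output. Must be empty before hand-off."""
    return sorted({row[c] for row in rows_of(original)
                   for c in DIRECT_IDENTIFIERS if row[c] in scrubbed})


def build_test_dataset(text: str = SAMPLE_CSV, key: Optional[bytes] = None) -> str:
    # Fresh key per export; it stays inside the company, the file goes out.
    key = key or secrets.token_bytes(32)
    scrubbed = pseudonymize_csv(text, key)
    leaks = leaked_values(text, scrubbed)
    if leaks:
        raise ValueError(f"refusing to export: identifiers survived scrubbing: {leaks}")
    return scrubbed


if __name__ == "__main__":
    print(build_test_dataset())
```

The keyed HMAC is what makes the output safe to lose: a plain SHA-256 of an email address can be confirmed by anyone who guesses the address, whereas the keyed tag cannot be checked without a key that never leaves the company. Keeping the manufacturer prefix on the VIN and the model and city columns is the trade-off David describes, realistic enough to exercise the application, but with nothing in the file that maps back to a customer.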
The post Cyber Security Today, Week in Review for Friday, January 20, 2023 first appeared on IT World Canada.