InfoSec News 20230705

  • Published: Wed, 05/07/2023 - 14:28

Top News


  • Google Analytics data transfer to U.S. brings $1 million fine to Swedish firms

"The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY) has fined two companies 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice.
In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics the firms were breaching the European Union's General Data Protection Regulation (GDPR).
Specifically, the companies were in violation of GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.
The United States has been deemed a risky location for the storage of data of European users, as per the July 2020 "Schrems II" judgment, where the Court of Justice of the European Union (CJEU) ruled that any data transfers to the U.S. in the context of the then-existing mechanism, "Privacy Shield," were illegal."

Link

TLP¹: Green

  • UK’s top universities agree on AI principles in education

"The Russell Group, an association of leading universities in the UK, agrees on a new set of principles to ensure that students and staff are “AI literate.”
The new policy was backed by all 24 research-intensive universities belonging to the Russell Group, including world-famous institutions like Cambridge and Oxford.
It was signed by the universities’ vice chancellors and developed in partnership with AI and educational experts."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • EU Court Deals Blow to Meta in German Data Case

"Facebook, Instagram and WhatsApp may need to overhaul how they collect the data of users in Europe after the top EU court ruled against parent company Meta on Tuesday.
The European Court of Justice (ECJ) ruled in favour of Germany’s anti-cartel watchdog, which had argued that it could take data privacy issues into account when considering antitrust cases.
One of the key issues in the case was Meta’s ability to link data across platforms, which allows it to closely target adverts at users, the principal way it makes money."

Link

TLP¹: Green

  • Japan’s largest port stops operations after ransomware attack

"The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that currently impacts the operation of container terminals.
The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths. It handles over two million containers and cargo tonnage of 165 million every year.
The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars."

Link

TLP¹: Green

  • Class-Action Lawsuit for Scraping Data without Permission

"I have mixed feelings about this class-action lawsuit against OpenAI and Microsoft, claiming that it “scraped 300 billion words from the internet” without either registering as a data broker or obtaining consent. On the one hand, I want this to be a protected fair use of public data. On the other hand, I want us all to be compensated for our uniquely human ability to generate language."

Link

TLP¹: Green

  • Instagram's Twitter Alternative 'Threads' Launch Halted in Europe Over Privacy Concerns

"Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC).
The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point."
Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow.""

Link

TLP¹: Green

  • Manufacturing exposed: over half of IT managers tackling costly ransomware attacks

"Ransomware attacks in manufacturing and production have crept up to a level where 56% of IT and cybersecurity managers must address ransomware attacks within a year, the newest Sophos 2023 Threat Report shows. The report also highlights adversaries’ appetite for ransom payments, which have more than quadrupled.
The number of affected manufacturing organizations continues the growth trend — it’s slightly higher than the previous year when 55% of respondents reported their organization was hit by ransomware.
More attacks now end up successfully encrypting organizations’ data. 68% of affected respondents reported that their data was encrypted during an attack, an 11 percentage point increase from the previous year or a 19 PPT increase across two years."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • MOVEit attack on Aon exposed data of the staff at the Dublin Airport

"Data of about 3000 employees of Dublin Airport (DDA) were compromised after professional service provider Aon fell victim to a MOVEit Transfer attack. Dublin Airport notified local authorities and Ireland’s Data Protection Commission.
Aon is the last victim of the attacks exploiting the flaw CVE-2023-34362 affecting the Progress Software’s MOVEit file transfer platform.
MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads."

Link

TLP¹: Green

  • US healthcare firm breach, child patient data at risk

"ARx Patient Solutions says it suffered a cyberattack in 2022 that may have exposed personal details relating to more than 40,000 people, many of them child patients. Why it took it so long to make the disclosure is unclear.
The Kansas-based healthcare provider made the disclosure on its website and notified the Attorney General’s Office of Maine, which imposes strict reporting requirements on any data breaches involving its residents, on July 3rd."

Link

TLP¹: Green

  • Selfies and passports of Philippine police exposed in data leak

"A misconfiguration in the systems of the Philippine National Police caused a significant data leak and put its officers at risk.
The Philippine National Police (PNP) leaked more than 1.6 million files, including passports, national ID photos, marriage and death certificates, and selfies with the IDs of their officers.
The leak was caused by a misconfiguration of police systems that left its storage publicly accessible to anyone.
The exposed data is very concerning as it reveals officers' identities. It’s also a gold mine for fraudsters who might exploit victims with various scams.
Cybernews contacted the PNP, and access to the bucket was secured."

Link

TLP¹: Green

  • Indiana University breach exposed nearly 250K user records

"Attackers posted an Indiana University (IU) database containing hundreds of thousands of records, including user emails and full names.
The database was posted on a leak forum, a website that cybercrooks use to share stolen data. The Cybernews research team has confirmed the database contains nearly 250K records.
“On Tuesday 4th July, the Indiana University [iu.edu] suffered a data breach that exposed over 248,300 records. The exposed data includes email addresses and full names,” the post’s author said."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities

"Mozilla on Tuesday announced the release of Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.
Tracked as CVE-2023-37201, the first of the high-severity issues is described as a use-after-free flaw in WebRTC certificate generation.
An open source project, WebRTC enables real-time communication in web browsers and mobile applications, via application programming interfaces (APIs).
“An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS,” Mozilla explains in an advisory."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • AI singularity: waking nightmare, fool’s dream, or an answer to prayers?

"The singularity, or more specifically the technological singularity, is often thought of as a point in future history when artificial intelligence overtakes that of its human creators — essentially rendering homo sapiens obsolete and therefore ending our dominance of the planet.
More specifically and less apocalyptically, it can be defined as the time when growth in machine intelligence attains such a rate that it becomes unstoppable and irreversible, leading to a radical transformation of human life."

Link

TLP¹: Green

  • Secrets, Secrets Are No Fun. Secrets, Secrets (Stored in Plain Text Files) Hurt Someone

"Secrets are meant to be hidden or, at the very least, only known to a specific and limited set of individuals (or systems). Otherwise, they aren't really secrets. In personal life, a secret revealed can damage relationships, lead to social stigma, or, at the very least, be embarrassing. In a developer's or application security engineer's professional life, the consequences of exposing secrets can lead to breaches of security, data leaks, and, well, also be embarrassing. And while there are tools available for detecting source code and code repositories, there are few options for identifying secrets in plain text, documents, emails, chat logs, content management systems, and more."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Rock Tsai, Taiwan Mobile: “the most significant cyberthreat that organizations face today is social engineering attacks”

"Cybercriminals have found ways to exploit social engineering techniques, infiltrating systems that directly impact the supply chain and financial industry. Disruptions in telecommunications, including mobile phones, make such breaches possible.
Failure to take the right measures to protect personal data places companies at risk of exposure, leaks, financial losses, and regulatory violations. Experts have weighed in and recommend individuals and organizations use every security tool at their disposal. From finding the best VPN and leading antivirus software to “robust security measures like encryption, biometric locks, or remote wipe capabilities.”
To gain a deeper understanding of how cyberattacks can impact the communications industry, we spoke with Rock Tsai, Chief Information Officer at Taiwan Mobile – a forerunner in digital innovation, providing mobile, fixed-line, cable TV, and broadband services to over 7.5 million users."

Link

TLP¹: Green

  • Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware

"The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation.
"A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents."
"The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added."

Link

TLP¹: Green

  • Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks

"The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.
“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep."

Link

TLP1 : Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp