{"id":27177,"date":"2022-08-19T15:24:50","date_gmt":"2022-08-19T19:24:50","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=498783"},"modified":"2022-08-22T11:29:25","modified_gmt":"2022-08-22T15:29:25","slug":"cyber-security-today-week-in-review-for-friday-august-19-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-august-19-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, August 19, 2022"},"content":{"rendered":"<p>Welcome to Cyber Security Today. From Toronto this is the Week in Review edition for the week ending Friday, August 19th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/24099300\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>In a few minutes I\u2019ll be joined by Terry Cutler, head of <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a> in Montreal to talk about some of what\u2019s been going on in cybersecurity. But first a look back at the headlines from the past seven days:<\/p>\n<p><strong>The Zero Day Initiative<\/strong>, which pays people to find vulnerabilities in software applications around the world, is tired of seeing bugs in security patches. Security patches are supposed to fix bugs, not introduce new ones. <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2022\/8\/11\/new-disclosure-timelines-for-bugs-from-faulty-patches\" rel=\"noopener\">So it has decided<\/a> bugs that result from faulty or incomplete patches will be publicly reported after 30 or 60 days of being discovered, instead of 120 days. One of its officials <a href=\"https:\/\/www.securityweek.com\/apple-patches-new-macos-ios-zero-days\" rel=\"noopener\">told Security Week<\/a> that as many as 20 per cent of all the vulnerabilities it buys come from bad patches. These can come from some of the biggest names in IT including Microsoft, Adobe, Google, Oracle, VMware, Cisco, Apple, HP and Dell. 
Terry and I will discuss this.<\/p>\n<p><strong>Speaking of patches,<\/strong> <a href=\"https:\/\/chromereleases.googleblog.com\/2022\/08\/stable-channel-update-for-desktop_16.html\" rel=\"noopener\">Google this week issued<\/a> a Chrome browser update that deals with one critical and six high severity vulnerabilities. In addition, Apple released emergency patches for iPhones, iPads and Macs.<\/p>\n<p><strong>Terry and I<\/strong> will also discuss whether companies are collecting too much data on their customers. <a href=\"https:\/\/www.cell.com\/patterns\/fulltext\/S2666-3899(22)00172-6#relatedArticles\" rel=\"noopener\">This comes after an academic publication published research<\/a> on the amount of data collected by medical-related companies and shared with Facebook for advertising and product lead generation.<\/p>\n<p><strong>And we\u2019ll also<\/strong> look at a report that a North Korean group is pushing out a fake job description infected with malware for Macs.<\/p>\n<p><strong>Attacks that wipe<\/strong> organizations\u2019 data completely are on the rise. That\u2019s according to researchers at Fortinet. A review of cyber attacks from the first six months of the year shows at least seven new wiper variants are circulating. Many were identified hitting Ukraine before and after the Russian invasion in February. However, Fortinet says disk-wiping malware has also been used by threat actors this year against organizations in 24 other countries. Fortinet told one service that typically wiper-ware isn\u2019t used by criminals. That suggests it\u2019s a tactic used by foreign governments or activists.<\/p>\n<p>Python application developers continue to be warned about malicious packages in the open source Python Package Index. The repository is more commonly known as PyPI. Researchers at Kaspersky found two malicious packages that could steal developers\u2019 passwords. 
These two packages pretended to be a legitimate tool called \u2018requests.\u2019 The report is another reason for developers to carefully check and scan anything downloaded from open source repositories.<\/p>\n<p>And the Android app that subscribers to Amazon\u2019s Ring home video security service can use recently had a serious vulnerability. That\u2019s according to researchers at Checkmarx who found it. The hole could have allowed an attacker to get the names, email addresses, phone numbers and video recordings of customers. After being warned of the problem Amazon issued a fix in May. Amazon doesn\u2019t believe the information of any customers was compromised.<\/p>\n<p><em>(The following transcript of my conversation with Terry Cutler has been edited for clarity. To hear the full discussion play the podcast.)<\/em><\/p>\n<p><strong>Howard:<\/strong> Let\u2019s start with the decision by the Zero Day Initiative to pressure companies to issue better security updates. For those who don\u2019t know, the ZDI is a program run by security company Trend Micro to buy vulnerabilities discovered by anyone in application code. The idea is that it\u2019s better a legitimate company buys the bugs than crooks. Trend Micro alerts companies that their software has a hole. The companies benefit by fixing the vulnerability and issuing a security patch. Trend Micro benefits by adding filters to its antivirus products that protect against the newly-discovered bugs. Trend Micro usually gives companies about 120 days to fix and quietly distribute a bug patch before it publicizes that there was a hole and that it\u2019s been fixed. And that period also gives time to IT departments and end users to install the patch. Sounds great. However, Trend Micro is seeing a disturbing trend: An increasing number of vulnerabilities that researchers find are in previously-released software updates. In other words, because of sloppy work companies aren\u2019t fixing everything in their fixes. 
So last week Trend Micro said the 120-day notice period is going to be shortened. Public notice is going to be released as soon as 30 days for critical bug reports that result from previously issued faulty or incomplete patches. If companies don\u2019t want to be embarrassed they\u2019d better do better work. Is this a valid tactic?<\/p>\n<p><strong>Terry Cutler:<\/strong> Let me give you my perspective from the days I used to work for a software vendor. Some of your listeners might know I used to work for Novell for 10 years as a primary premium support engineer. Whenever we released software a lot of times it got rushed out to keep up with the competition. But when code is not being done properly it really upsets customers and they start pissing on the vendor. Excuse my language. I\u2019ll give an example.<\/p>\n<p>Novell had what\u2019s called a single user interface which means you couldn\u2019t have multiple users logging into its console at the same time. But malicious hackers were able to find a way to bypass that functionality, which stunned the Novell developers. That was going to be revealed at a Black Hat conference, so we had about a day to try and reproduce this problem and find a fix or we\u2019d look really bad. So they came out with a band-aid fix. But what could happen is that when patches get rushed out it breaks functionality at the customer site, and if you\u2019re dealing with large environments it\u2019s going to cause a lot of problems. For example, printer functions that were working before might not work anymore. Band-aid fixes could lead to a code rewrite, which means a large patch will be released at some point which could break other stuff. You never know what you never know.<\/p>\n<p><strong>Howard:<\/strong> Trend Micro says that the problem is bad patches mean IT departments are losing their ability to accurately estimate the risk to their systems because IT and security teams have to choose a priority for installing patches. 
Bad patches also cost organizations money and resources as patches get re-released and re-applied.<\/p>\n<p><strong>Terry:<\/strong> I experienced that about five years ago with a Microsoft patch that was rushed out. One of the issues that really burned me was an intermittent problem where the Exchange Server would stop all email services exactly every 12 hours. We could actually time it to the second it was going to happen. It took weeks of troubleshooting to fix. We had to bring in other tech support guys from other IT vendors to try and help us. Later on we found out that it was a [bad] Microsoft patch. Microsoft released another patch days later which corrected the problem, but we had to go and find this issue for them.<\/p>\n<p><strong>Howard:<\/strong> This is a quality of code problem. Organizations are supposed to have extensive processes to ensure that all the software and the security fixes are thoroughly scrutinized before being released. So what should companies do to ensure the quality of their code before it is released?<\/p>\n<p><strong>Terry:<\/strong> Developers aren\u2019t coding with security in mind. What we\u2019re seeing is that code is being built for convenience and the developers are being rushed because of release dates. They have deadlines to reach and they\u2019re not properly testing the code. One thing that they can do is follow a methodology from OWASP [<a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" rel=\"noopener\">the Open Web Application Security Project<\/a>], where they can test the most common vulnerabilities in web applications against things like malicious injection, cross-site scripting or SQL injection before code is released. Unfortunately not all of them are going to do these tests before things are released \u2026. There has to be more testing on applications.<\/p>\n<p><strong>Howard:<\/strong> Right now ZDI is the group that\u2019s putting pressure on software companies to smarten up with their code. 
Are there other ways that IT departments can let their vendors know that they\u2019re unhappy with the quality of the security patches they\u2019re getting?<\/p>\n<p><strong>Terry:<\/strong> Usually we don\u2019t have access to the vendor source code, unless it\u2019s an open source project and we can see what\u2019s going on there. We\u2019re at the mercy of the vendor to do a good job. It\u2019s also very, very difficult for a vendor to release a patch that\u2019s going to fit every single environment \u2026<\/p>\n<p><strong>Howard:<\/strong> What about telling the vendor, \u2018We\u2019re tired of getting your buggy code. We\u2019re switching products unless you smarten up.\u2019<\/p>\n<p><strong>Terry:<\/strong> That\u2019s a valid point. But here\u2019s what goes on: Some of the code is written in India, other code is written in Russia \u2026 There\u2019s like maybe three locations where the code is being written. And when the code is passed on from group to group \u2014 because one group is working from 9 to 5, and when they go to bed Russia takes over \u2014 they try to fix each other\u2019s code all the time. And if you have a junior guy fixing up the code and releasing it, there might be problems.<\/p>\n<p><strong>Howard:<\/strong> Topic 2: Is your company\u2019s brand at risk for collecting too much customer data? The academic journal Patterns looked at the advertising tactics of five cancer-related health companies to see how much data they collect from things like trackers in browsers or from signing up for a health app. Why? Because some of this data gets sent to Facebook, where it gets used for targeted ads and product lead generation. Lots of people with medical conditions turn to Facebook groups for information on their conditions. This makes Facebook a good place for companies selling medical products and services to push targeted ads. 
There are two problems: One is all the browsing data collected by the companies studied, plus other information gathered from things like online surveys, pose risks if the data isn\u2019t stored properly. There\u2019s a risk that what\u2019s supposedly anonymous data can identify individuals and then the stolen data could be used to push fake remedies to specific people. Another problem is that Facebook, or another social media site where people are going, could push inappropriate ads to people. Doesn\u2019t this report suggest that many companies are collecting too much data?<\/p>\n<p><strong>Terry:<\/strong> It\u2019s been said if the app is free you are the product. If they\u2019re giving away free stuff [like health information] in their app they\u2019ve got to find a way to sell you services or upsell you something. The goal is to stay top of mind. But I agree if a company has too much data they can target you with fake ads, or somebody else can take advantage of that information and send you fake ads. Companies have to be more transparent.<\/p>\n<p>I\u2019ll give you an example. Folks use our Fraudster app. We have access to things like their location and email address, first name, last name. I can go on to Facebook and launch an ad campaign telling Fraudster members \u2018Be the 10th person to buy the book and receive a gift.\u2019 Companies need to be transparent about the data they collect and what it will be used for. Facebook is trying to fix that by creating a tab that explains why you are seeing an ad. But you may have gotten on someone\u2019s list and you don\u2019t know where an ad is coming from.<\/p>\n<p><strong>Howard:<\/strong> Consumers should realize you don\u2019t have to give your real name when you\u2019re signing up for an app or filling in an online survey. That\u2019s one way you\u2019re going to be protected.<\/p>\n<p><strong>Terry:<\/strong> But there are things called tracking pixels in browsers. 
It gets embedded the moment your device visits a survey or a specific website. You don\u2019t have to log in or even give away your email address or first name, last name. If your PC or your device has that pixel on it you\u2019ll see that ad.<\/p>\n<p><strong>Howard:<\/strong> What have you seen in your years in the IT industry of companies collecting and storing too much data on consumers?<\/p>\n<p><strong>Terry:<\/strong> The common thing I see is that once a data breach occurs there\u2019s a lot of sensitive information, especially medical. That\u2019s where a privacy commissioner is going to get involved. Usually fines or penalties will be given out, especially in the U.S. They take that much more seriously than we do. I don\u2019t know if the newer laws are going to clamp down but I don\u2019t see enough penalties here in Canada. Customers should be able to download their [personal] data so they\u2019re able to see what the vendor of the company has on them. Google is a perfect example. Even Facebook lets you download your data so you can see what you\u2019ve done [on its platform] and what they know about you.<\/p>\n<h4><a href=\"https:\/\/www.itworldcanada.com\/article\/breaking-news-government-files-latest-attempt-at-privacy-legislation-reform\/488771\" rel=\"noopener\">Related content: Canada\u2019s proposed new privacy law<\/a><\/h4>\n<p><strong>Howard:<\/strong> One problem for firms is that publicly-released studies can damage the brand of the companies. This one named which companies were studied. Two of them allegedly didn\u2019t even follow their own data privacy rules on what they collected. That\u2019s got to be bad for their brands \u2014 and a lesson to other companies to be careful about what they collect, how much they collect and how they store it.<\/p>\n<p><strong>Terry:<\/strong> This is a perfect example of how legal and IT are out of sync. 
There are a lot of new functions or features and capabilities that IT makes available, and companies want to be the first to leverage them. But they don\u2019t necessarily tell legal about them. Nor would legal even understand what IT did. There has to be better communication between these two departments.<\/p>\n<p><strong>Howard:<\/strong> It reminds me of a <a href=\"https:\/\/news.harvard.edu\/gazette\/story\/2019\/03\/harvard-professor-says-surveillance-capitalism-is-undermining-democracy\/\" rel=\"noopener\">book written recently by Shoshana Zuboff<\/a> in which she said companies are gathering and exchanging so much personal data that we\u2019re in an age of surveillance capitalism. Do you agree?<\/p>\n<p><strong>Terry:<\/strong> There\u2019s so much stuff being collected right now that it\u2019s very, very difficult to hide on this planet. The problem is when information falls into the wrong hands and is used against you.<\/p>\n<h4><a href=\"https:\/\/www.itworldcanada.com\/article\/balsillie-calls-for-tough-privacy-regulation-to-fight-surveillance-capitalism\/405083\" rel=\"noopener\">Related content: Balsillie calls for regulations to fight surveillance capitalism<\/a><\/h4>\n<p><strong>Howard:<\/strong> Topic 3: Security firm ESET says the infamous [North Korean-based] Lazarus group is trying to hack people by publishing fake job offers from the cryptocurrency exchange called Coinbase. Presumably the group is looking for people with cryptocurrency experience to snoop on victims with Mac computers who click on the job description. They get infected. We\u2019ve seen reports before about crooks and countries circulating fake job offers and fake resumes on LinkedIn. I recall a story about fake job offers in the aerospace industry where the goal was to infiltrate military contractors to get information about current and future products. 
So individuals have to be careful about online job offers they see on the internet or that get mailed to them.<\/p>\n<p><strong>Terry:<\/strong> Last year I saw a ton of these circulating. In fact, we had to do an investigation on one of them. A retailer was in the process of mass hiring new staff because the pandemic was coming to an end. They needed to bring back more staff, so they launched a campaign to hire staff. But scammers created a fake hiring campaign against the retailer. Next thing you know people are applying to the scammers for jobs. The scammers would say, \u2018We think you\u2019re a perfect candidate for this, but you\u2019re gonna have to get a computer,\u2019 and send them a fake quote from an IT reseller. The victim had to send money or bitcoin to buy the computer \u2014 but it was a scam. You mentioned also LinkedIn. I\u2019ve gotten a lot of job offers from random people saying, \u2018Terry, I think you\u2019d be a perfect fit for our board of directors.\u2019 Attached to the email was a zip file or a document. It would probably be malicious. That\u2019s where I think some of the Macs were getting hit, because when victims open up the file and enable scripts it downloads malware from the internet.<\/p>\n<p><strong>Howard:<\/strong> One message is individuals have to be careful about job offers that they see online or get sent to them. Companies have to watch job sites to detect and stop phony ads as well.<\/p>\n<p><strong>Terry:<\/strong> There are a couple of things companies can do. One is to set up Google alerts. Go to www.google.com\/alerts and type in keywords to search for, such as your company\u2019s name. The moment a new site or an article or something comes online that has those keywords you\u2019ll receive an email. 
A company can also set up domain name monitoring to look for any lookalike domains that might be created.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-august-19-2022\/498783\">Cyber Security Today, Week in Review for Friday, August 19, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This podcast includes a discussion on buggy security patches, companies collecting too much data and fake<\/p>\n","protected":false},"author":17,"featured_media":20709,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-27177","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=27177"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27177\/revisions"}],"predecessor-version":[{"id":27274,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27177\/revisions\/27274"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20709"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=27177"}],"wp:term":[{"taxonomy":"cate
gory","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=27177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=27177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}