{"id":32133,"date":"2022-12-02T15:06:06","date_gmt":"2022-12-02T20:06:06","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=516535"},"modified":"2022-12-05T09:04:06","modified_gmt":"2022-12-05T14:04:06","slug":"cyber-secuity-today-week-in-review-for-friday-december-2-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-secuity-today-week-in-review-for-friday-december-2-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, December 2, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, December 2nd, 2022. From Toronto, I\u2019m Howard Solomon, contributing reporter on cybersecurity for <em>ITWorldCanada.com.<\/em><\/p>\n<p data-ar-index=\"2\">In a few minutes David Shipley of <a href=\"https:\/\/www.beauceronsecurity.com\/\" rel=\"noopener\">Beauceron Security<\/a> will join me to discuss recent cybersecurity news. But first a look back at some of what happened in the last seven days:<\/p>\n<p data-ar-index=\"3\"><strong>A member of the Alberta legislature<\/strong> <a href=\"https:\/\/edmonton.ctvnews.ca\/mla-dang-ordered-to-pay-7-200-for-breaching-alberta-vaccine-portal-1.6173255\" rel=\"noopener\">was fined $7,200<\/a> for an unauthorized penetration test of a provincial vaccine portal. Did he do anything different from what security researchers and reporters do? David will have some thoughts.<\/p>\n<p data-ar-index=\"4\"><strong>Speaking of fines<\/strong>, Facebook\u2019s parent company Meta Platforms was fined the equivalent of US$227 million by Ireland\u2019s privacy commissioner for not adequately protecting personal information last year, allowing hackers to scrape the profile data of over 500 million people. And France\u2019s data protection regulator <a href=\"https:\/\/thehackernews.com\/2022\/11\/french-electricity-provider-fined-for.html\" rel=\"noopener\">fined an electricity provider<\/a> the Canadian equivalent of $840,000 for storing customers\u2019 passwords with a weak algorithm. A question David and I will discuss: Do fines work? 
And if so, under what circumstances?<\/p>\n<p data-ar-index=\"5\"><strong>Finally,<\/strong> we\u2019ll take a look at a <a href=\"https:\/\/www.dell.com\/en-us\/dt\/data-protection\/gdpi\/index.htm#scroll=off\" rel=\"noopener\">Dell survey<\/a> of IT professionals on data protection issues. One finding: 40 per cent of respondents said they couldn\u2019t recover data from their current method of backup.<\/p>\n<p data-ar-index=\"6\"><strong>In other news,<\/strong> <a href=\"https:\/\/www.medibank.com.au\/health-insurance\/info\/cyber-security\/timeline\/\" rel=\"noopener\">hackers released another batch of data stolen<\/a> from Australia\u2019s private health provider, Medibank. Data of about 9.7 million current and former customers was copied in October. Medibank says the personal data stolen isn\u2019t sufficient to enable identification or financial fraud. Some stolen health claims data, for example, isn\u2019t joined with people\u2019s names.<\/p>\n<p data-ar-index=\"7\"><strong>Security researchers have found<\/strong> vulnerabilities in the mobile apps of several major car manufacturers that could have allowed hackers to control the locks, engine, and trunks of some vehicles. Their work is <a href=\"https:\/\/therecord.media\/researchers-find-bugs-allowing-access-remote-control-of-cars\/\" rel=\"noopener\">reported by the cyber news site The Record<\/a>. Compromising the apps may in some cases start with an attacker scanning the vehicle\u2019s VIN, which can be seen on a dashboard. Hyundai has patched its app. Sirius, a wireless broadcasting service offered to car owners, has also updated its mobile app.<\/p>\n<p data-ar-index=\"8\"><strong>More troublesome Android apps<\/strong> have been discovered in the Google Play store. These apps pretend to be education-related applications in several languages. 
But <a href=\"https:\/\/www.zimperium.com\/blog\/schoolyard-bully-trojan-facebook-credential-stealer\/\" rel=\"noopener\">according to researchers at Zimperium,<\/a> their goal is to steal Facebook passwords. The apps have been downloaded some 300,000 times in 71 countries, including Canada and the U.S.<\/p>\n<p data-ar-index=\"9\"><strong>Separately,<\/strong> the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-android-app-found-powering-account-creation-service\/\" rel=\"noopener\">Bleeping Computer news site reported<\/a> that Google has removed a suspicious app called Symoo from the Play store. It\u2019s supposed to be an SMS text app, but many user reviews complain it hijacks their smartphones and generates multiple one time passcodes. Its real purpose appears to be creating accounts on other services.<\/p>\n<p data-ar-index=\"10\"><strong>And researchers at Synopsys<\/strong> <a href=\"https:\/\/www.synopsys.com\/blogs\/software-security\/cyrc-advisory-remote-code-execution-vulnerabilities-mouse-keyboard-apps\/\" rel=\"noopener\">found several vulnerabilities<\/a> in three applications that allow an Android device to be used as a remote keyboard and mouse for desktop or laptop computers. The apps are called Lazy Mouse, Telepad and PC Keyboard.<\/p>\n<p data-ar-index=\"11\">(<i>The following transcript has been edited for clarity)<\/i><\/p>\n<p data-ar-index=\"12\"><strong>Howard<\/strong>: Joining now from Toronto is David Shipley.<\/p>\n<p data-ar-index=\"13\">Let\u2019s start first with the member of the Alberta legislature who wanted to prove the provincial health department\u2019s COVID vaccine website wasn\u2019t secure. According to a news story the MLA, Thomas Dang, claims he was contacted last year by a constituent with concerns about Alberta\u2019s online vaccine verification portal. 
To do a test Dang needed to enter a person\u2019s birth date, so without approval he used the birth date of the Premier of Alberta at that time, which was publicly known. He also used the Premier\u2019s vaccination status, which was also publicly known. Hiding his IP address, Dang ran a computer script for four days to see what he could access. What he got was the vaccination records of a woman who had the same birth date as he was searching for. Dang pleaded guilty to violating the provincial Health Information Act. In sentencing, the judge said Dang didn\u2019t need to access a stranger\u2019s records to prove the concern. David, was this foolish or justified to gain evidence?<\/p>\n<p data-ar-index=\"14\"><strong>David Shipley:<\/strong> This was extremely foolish. I think it\u2019s important to set the context: Dang had the skills to write this script. He has a computer science background. He knew there was a problem right off the bat. What he should have done as the MLA was go to the Health Department and say, \u2018This is a problem and here\u2019s why,\u2019 and just show the structure and nature of the web page and the relationship to the data. He could have asked, \u2018Are you going to do something about it? You could do a captcha [as an extra login step], you could do other things.\u2019 But he wanted to make a point. And in doing so he accessed someone\u2019s personal information, which is against the Alberta health records legislation. He didn\u2019t need to prove this. If the department had said, \u2018No, we don\u2019t think this is serious,\u2019 he could have held a press conference, brought in other computer science experts and really raised attention to the issue. The key thing here is consent.<\/p>\n<p data-ar-index=\"15\"><strong>Howard:<\/strong> So if he had the consent of a third party to use their birth date for the purpose of a test that would have been better?<\/p>\n<p data-ar-index=\"16\"><strong>David:<\/strong> Partly. 
I definitely think having the consent of someone who you want to use to access the record might have been a really good defense for inappropriately accessing the information. But the other part is you still need the consent of the system provider. In cases where people do not have a security disclosure process, or a bug bounty process or an ethical reporting process in place, you don\u2019t have their consent to do a penetration test. Essentially, what he tried to do \u2014 and you can get yourself into a lot of hot water. This is a really important lesson for a lot of young aspiring cybersecurity researchers and those passionate about security issues. They genuinely want to fix these problems. But if you don\u2019t have consent you can\u2019t.<\/p>\n<p data-ar-index=\"17\"><strong>Howard:<\/strong> Don\u2019t some security researchers do the same thing as this Alberta politician did? Off the top of my head, I\u2019m thinking of some reports where a researcher tried to see if a web address or URL at a company is secure and it has a number that corresponds to a customer\u2019s account. So after legitimately logging into the site, by changing one digit in the URL the researcher can see another customer\u2019s profile. Then they publicize that they found that the company has bad security.<\/p>\n<p data-ar-index=\"18\"><strong>David:<\/strong> There are a couple of different things that perhaps some people will see as semantic arguments. But I\u2019ll structure it this way: This [the Alberta incident] wasn\u2019t the case of a URL kind of situation. It was a case of input variables on a web form. It was a brute-force attack in the truest sense of the word. He literally had a script run for four days to try and break into an account. We can all acknowledge that the elements needed to prove identity for access to the vaccination portal were an example of inappropriate identity access management control, but you don\u2019t need to test that to make that argument. 
As for trying to find if URLs reveal customer data, there are a couple of breakdowns of security as well. But I would argue that, yes, absent consent to go and do that test you may, in fact, be breaking laws. So you have to be very careful in testing. If you already have an account, say with an airline or a service, you\u2019re far better off raising this issue with them than pulling the data to make your point. It\u2019s also different from finding publicly available data, like data left in open Amazon S3 buckets, because there\u2019s no authentication mechanism to access that data. The moment you start working around authentication mechanisms you\u2019re hacking. In order to ethically hack you need consent.<\/p>\n<p data-ar-index=\"19\"><strong>Howard:<\/strong> What questionable activity have you seen by security researchers or reporters \u2014 or politicians for that matter?<\/p>\n<p data-ar-index=\"20\"><strong>David:<\/strong> The most egregious breach that I\u2019ve ever seen was the old phone voicemail hacking that plagued the U.K.<\/p>\n<p data-ar-index=\"21\"><strong>Howard:<\/strong> The reporter who was doing the hacking was betting that the victims had not changed their default PINs. That\u2019s how they were able to get into their phone answering systems.<\/p>\n<p data-ar-index=\"22\"><strong>David:<\/strong> But that was still hacking. And so it\u2019s not ethical hacking. If you\u2019re trying to stay within the confines of the law there are ways of making your point without accessing somebody else\u2019s data. Companies have a duty of care to protect personal data, but proving they\u2019re not living up to that duty of care does not give you permission to see my records.<\/p>\n<p data-ar-index=\"23\"><strong>Howard:<\/strong> So there\u2019s a difference between taking apart software and finding vulnerabilities and hacking a company to show that there\u2019s a vulnerability.<\/p>\n<p data-ar-index=\"24\"><strong>David:<\/strong> Exactly. 
Dang could have copied the source code from the Alberta Health webpage and shown people the flaw and that it\u2019s a common example of inappropriate authentication controls, and someone could easily do the following. You don\u2019t need smoking gun evidence every single time, particularly when that smoking gun comes as a result of the bullet hitting somebody and causing a privacy violation. There\u2019s a \u2018Do no harm\u2019 aspect that we need to make sure exists with security research. You can\u2019t say, \u2018I did limited harm, I saw only a couple of people\u2019s records to make my point.\u2019 There\u2019s also a distinction if, after a data breach, data is leaked on the dark web and journalists pick a couple of records and call people. The reporters didn\u2019t defeat an authentication controller or a system. Someone else did. The reporter is trying to figure out if there actually was a hack.<\/p>\n<p data-ar-index=\"25\"><strong>Howard:<\/strong> Is there a need for legislation to protect legitimate researchers as long as they don\u2019t keep personal data that they found and they immediately report a vulnerability to an organization? Or does that create problems with defining who can do what would normally be a criminal offence?<\/p>\n<p data-ar-index=\"26\"><strong>David:<\/strong> It\u2019s an interesting conundrum. I wish I was smart enough to say I had a definitive answer. But as I think about it, what are the potential ways this legislation could go wrong? Could a criminal say, \u2018I was just joshing, I just wanted to find a vulnerability. I only looked at one record.\u2019 \u2026 There might be a middle ground here with respect to saying, \u2018You are protected if you are doing security research on a company that has agreed to be the subject of that research to improve their security, and if you find something you do report that as quickly as possible.\u2019 Within that framework, I\u2019m okay with legislation that protects that person. 
I\u2019m not okay with, \u2018Anybody can hack anything, go see if it\u2019s broken.\u2019<\/p>\n<p data-ar-index=\"27\"><strong>Howard:<\/strong> News item number two: As I said in the podcast intro, fines were a big part of this week\u2019s news. Meta was hit with the equivalent of US$227 million in fines by Ireland\u2019s data protection commission for not adequately protecting personal information last year. That\u2019s when hackers scraped the profile data of over 500 million people. This was a violation of the EU\u2019s General Data Protection Regulation (GDPR). It\u2019s another example of the toughest privacy legislation in the world being used. Also, France\u2019s data protection regulator fined an electricity provider under the GDPR the Canadian equivalent of $840,000 for storing customers\u2019 passwords with a weak algorithm. Let\u2019s start with the Meta fine. What struck you about this?<\/p>\n<p data-ar-index=\"28\"><strong>David:<\/strong> It is meaningful. In Canada [under the Personal Information Protection and Electronic Documents Act, PIPEDA] if you don\u2019t report a data breach where there is a real risk of significant harm to persons you might get a $150,000 fine. Who cares about that at a publicly traded company? Shareholders and boards care when the fines are in the millions. Are fines perfect? No. Do they send signals that can change behavior? Yes, but you\u2019ve got to exercise them and they\u2019ve got to be meaningful to actually do anything.<\/p>\n<p data-ar-index=\"29\"><strong>Howard:<\/strong> The Reuters news agency noted that this was the fourth fine against a Meta company \u2014 Meta is the parent company of Facebook, Instagram, and WhatsApp \u2014 by the Irish regulator. For those who don\u2019t know, the data protection regulator in Ireland essentially is the lead privacy regulator for the entire European Union and its rulings basically stand for all EU members. 
What\u2019s going on here with Meta?<\/p>\n<p data-ar-index=\"30\"><strong>David:<\/strong> This is a company clearly not afraid to burn a lot of money. Look at the billions of dollars that have been sunk into the Metaverse project. Right now Mark Zuckerberg still has the broad support of shareholders and his board, and they\u2019re okay with these business practices. This is a cost of doing business. However, as you point out, it\u2019s the fourth one. Sooner or later this starts to get material. I think these are warning shots across the bow. I think regulators may need to ramp it up if they don\u2019t see behavior actually change. I think what\u2019s going to be really interesting is what do they do with [new Twitter owner] Elon Musk. He was warned last week [by French regulators] about the gutting of Twitter\u2019s content moderation and other things. It will be interesting to see if regulators throw a bigger book at Musk.<\/p>\n<p data-ar-index=\"31\"><strong>Howard:<\/strong> The fine against the French electricity company is interesting. Its offense was not only using a weak algorithm for hashing passwords, it also didn\u2019t hash and salt passwords for the best protection. Which raises the question: What do governments have to do to get organizations to follow best [privacy and cybersecurity] practices? Do they have to have better definitions in the legislation, or raise fines?<\/p>\n<p data-ar-index=\"32\"><strong>David:<\/strong> This is the interesting challenge between business, risk-based models with industry experts setting the tempo of what risk appetite and appropriate controls could look like, and governments\u2019 extremely prescriptive and specific controls that say, \u2018You must do this.\u2019 That\u2019s great for the point in time when the regulations come out, but god help you if they don\u2019t update it for five years and the security ball moves. 
It\u2019s the tension between having no rules and letting businesses handle it themselves, and very specific rules that a regulator can nail you for not following \u2026 There\u2019s also the question of how IT gets the budget to maintain what is mandatory. Maybe there have to be regulations that say you have to have a process for the secure development and lifecycle of the IT services that you offer. If you want to avoid getting a big fine you better show some due diligence in that you kept up to date with the life of this product and you kept up to date with industry best practices \u2026 That really gets into cybersecurity policy and legislation in Canada, when Bill C-26 [which includes the Critical Cyber Systems Protection Act (CCSPA)] emerges back from Ottawa slumber sometime this spring. [<a href=\"https:\/\/www.itworldcanada.com\/article\/designated-canadian-firms-would-have-to-report-cyber-breaches-under-proposed-law\/488372\" rel=\"noopener\">C-26 puts cybersecurity and data breach reporting obligations on four critical infrastructure sectors<\/a>]<\/p>\n<p class=\"western\" data-ar-index=\"33\"><strong>Howard:<\/strong> News item three: Dell released its Annual Data Protection Index, a survey of about 1,000 IT decision-makers around the world in organizations with over 250 employees. I\u2019m going to cherry-pick some of the responses: Forty per cent of respondents said they couldn\u2019t recover data from their current data protection system. That compares to about 26 per cent who said they couldn\u2019t do that in each of the previous three years. So for some reason in the last 12 months there\u2019s been a great increase in data recovery problems. What does this mean? 
Was there something this year that caused data recovery problems, or is this a question that doesn\u2019t really give any useful information to IT pros?<\/p>\n<p class=\"western\" data-ar-index=\"34\"><strong>David:<\/strong> I don\u2019t have any evidence to back up what I\u2019m going to say, but data recovery is not just about having a system in place. It\u2019s also the skilled personnel who know how to do it, because some of these things can be a lot more finicky than expected. Skill matters, and guess what? We\u2019re in a talent shortage. So maybe processes were missed in the care and feeding and maintenance of the things that keep the backups recoverable. Maybe we\u2019ve lost some very important institutional knowledge on how to successfully recover from existing systems, or maybe we\u2019ve moved to the Brand New Cloud Thing because everyone\u2019s riding the Cloud Train and we didn\u2019t do it right. So I think it\u2019s worth talking about. This is about more than just buying an IT solution. It\u2019s the care, feeding and practicing of using that solution.<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Howard:<\/strong> Here\u2019s another question pulled out from that survey: Sixty-four per cent of respondents believe that if their organization suffers a ransomware attack they\u2019re going to get all their data back if a ransom is paid. And 54 per cent of the respondents believe that if their organization pays a ransom they\u2019re not going to be attacked again.<\/p>\n<p class=\"western\" data-ar-index=\"36\"><strong>David:<\/strong> I like to save my beliefs for the holiday season as part of the kindness and goodness of humanity. But criminals do what criminals do, and there\u2019s a track record of it. They come back. And if you\u2019ve got one gang playing around in your IT environment, odds are a second gang is, too. Maybe, altruistically, the first gang doesn\u2019t come back. But there\u2019s data that argues against that. 
By the way, if you\u2019ve got one gang in, you might have more than one coming; they just might stagger. So these survey responses are stunning. To be honest, it\u2019s fascinating. We\u2019ve seen so many news stories where ransomware data recovery tools provided by ransomware actors don\u2019t work. These are bad beliefs. These are not beliefs that you should take to the bank in terms of the ease of ransomware recovery. The example that comes to mind is some of the difficulties that the Irish healthcare system had using the decryption tools the [ransomware] criminals gave them. It was not a fun time. So you can see why ransomware is still a good business to be in for criminals because of the beliefs of prospective \u201ccustomers.\u201d<\/p>\n<p data-ar-index=\"38\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-secuity-today-week-in-review-for-friday-december-2-2022\/516535\">Cyber Security Today, Week in Review for Friday, December 2, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on ethical hacking, fines for privacy offences and unusual results from a 
poll<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-32133","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=32133"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32133\/revisions"}],"predecessor-version":[{"id":32225,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32133\/revisions\/32225"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=32133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=32133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=32133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}