{"id":34358,"date":"2023-01-20T15:10:05","date_gmt":"2023-01-20T20:10:05","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=522863"},"modified":"2023-01-23T10:03:27","modified_gmt":"2023-01-23T15:03:27","slug":"cyber-security-today-week-in-review-for-friday-january-20-2023","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-january-20-2023\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, January 20, 2023"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 20th, 2023. From Toronto, I\u2019m Howard Solomon, contributing reporter on cybersecurity for <em>ITWorldCanada.com<\/em> and <em>TechNewsDay.com<\/em> in the U.S.<\/p>\n<p data-ar-index=\"2\">In a few minutes David Shipley of New Brunswick\u2019s <a href=\"https:\/\/www.beauceronsecurity.com\/\" rel=\"noopener\">Beauceron Security<\/a> and I will discuss some recent cybersecurity news. But first a review of headlines from the past seven days:<\/p>\n<p data-ar-index=\"3\"><strong>CircleCI,<\/strong> a continuous integration platform used by application developers, <a href=\"https:\/\/circleci.com\/blog\/jan-4-2023-incident-report\/\" rel=\"noopener\">published an explanation<\/a> of how it was compromised in December. David and I will look at that. We\u2019ll also look at recent comments made by an American government security leader who wondered why organizations still put up with buggy software. And with Data Privacy Week starting on Monday we\u2019ll have thoughts on how businesses treat the personal information they collect.<\/p>\n<p data-ar-index=\"4\"><strong>Companies are still not<\/strong> doing enough to protect themselves from phishing attacks. The latest example is the c<a href=\"https:\/\/www.itworldcanada.com\/article\/nunavut-power-utilitys-servers-hit-by-cyber-attack\/522899\" rel=\"noopener\">ompromise of email marketing service provider Mailchimp<\/a>. This week it said the accounts of 133 customers were hacked. Mailchimp employees also fell for a phishing scam last August.<\/p>\n<p data-ar-index=\"5\"><strong>The cyberwar<\/strong> between Russia and Ukraine continues. 
<a href=\"https:\/\/cip.gov.ua\/ua\/news\/ukrinform-mogli-atakuvati-khakeri-z-ugrupuvannya-sandworm-pov-yazanogo-z-rosiiskim-gru-poperedni-dani-doslidzhennya-cert-ua\" rel=\"noopener\">Ukraine says its Computer Emergency Response team foiled an attack<\/a> on the country\u2019s national news agency. While some of the agency\u2019s infrastructure was hit by a data wiper, news operations are still running.<\/p>\n<p data-ar-index=\"6\"><strong>Separately,<\/strong> <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/01\/gamaredon-abuses-telegram-to-target-ukrainian-organizations\" rel=\"noopener\">BlackBerry issued a report<\/a> on a Russian-state-sponsored cyber espionage group called Gamaredon that has been attacking targets in Ukraine since 2013. The gang\u2019s latest tactic is using network infrastructure from Crimea, which Russia occupied in 2014.<\/p>\n<p data-ar-index=\"7\"><strong>The majority owner<\/strong> of the Bitzlato cryptocurrency exchange <a href=\"https:\/\/www.justice.gov\/opa\/pr\/founder-and-majority-owner-cryptocurrency-exchange-charged-processing-over-700-million\" rel=\"noopener\">was arrested in Miami<\/a> and charged with allegedly processing illicit funds. It is alleged the company marketed itself to crooks as a no-questions-asked cryptocurrency exchange. At the same time as the arrest, French authorities dismantled Bitzlato\u2019s digital infrastructure.<\/p>\n<p data-ar-index=\"8\"><strong>Thousands of users<\/strong> of Norton Password Manager began receiving notices that their accounts were hacked. They were compromised following a brute force attack using credentials likely bought on the dark web.<\/p>\n<p data-ar-index=\"9\"><a href=\"https:\/\/www.databreaches.net\/34942-paypal-users-notified-of-data-security-incident-in-december\/\" rel=\"noopener\">PayPal has started sending data breach notifications<\/a> to over 34,000 users. 
This comes after the discovery of an incident in December when a number of subscriber accounts were compromised. The attacker would have been able to copy users\u2019 names, addresses, dates of birth, Social Security numbers, and government tax identification numbers.<\/p>\n<p data-ar-index=\"10\"><strong>Nissan North America<\/strong> <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-jan-18-2023-data-hacked-of-nissan-owners-a-github-vulnerability-alert-holes-in-gitlab-found-and-more\/522553\" rel=\"noopener\">is notifying some 18,000 buyers<\/a> of its vehicles that some of their personal data is at risk. This is because a customer list Nissan gave to an outside software developer for testing was stolen.<\/p>\n<p data-ar-index=\"11\"><strong>A new piece of Android malware<\/strong> aimed at stealing people\u2019s bank account passwords from their smartphones has been discovered. <a href=\"https:\/\/www.threatfabric.com\/blogs\/hook-a-new-ermac-fork-with-rat-capabilities.html\" rel=\"noopener\">Researchers at ThreatFabric say<\/a> the malware, called Hook, is a variant of the Ermac family of banking malware. It can capture banking information from financial institutions in the U.S., Canada and many other countries. Hook is being sold to hackers for incorporation in their schemes.<\/p>\n<p data-ar-index=\"12\"><strong>And GitLab told users<\/strong> of its Community and Enterprise editions to upgrade to the latest versions after the discovery of vulnerabilities. Separately, application developers using GitHub\u2019s Codespaces feature were urged to lock down their projects after the discovery of a serious vulnerability.<\/p>\n<p data-ar-index=\"13\"><em>(The following is a partial transcript of our discussion. To hear the full talk, with discussion on the CircleCI and Mailchimp hacks as well as on why we tolerate buggy software, play the podcast.)<\/em><\/p>\n<p data-ar-index=\"14\"><strong>Howard:<\/strong> Next week is Data Privacy Week. 
What should data protection, IT and cybersecurity leaders be thinking about this?<\/p>\n<p data-ar-index=\"15\"><strong>David Shipley:<\/strong> One of the things that I\u2019ve preached for years is the easiest way to reduce your risk is to get rid of the data you don\u2019t need to protect. Data retention is a really, really important part of this equation. So many different breaches I have seen have included data that was no longer valid, useful, or beneficial still being kept and available on databases. And when those databases get hit through some kind of security vulnerability, some kind of a lapse in a security control, the entire data set spills out \u2014 and then you\u2019ve got to reach out to all of those affected users. Here\u2019s an example: There was a recent story here in Atlantic Canada about a package delivery company that had an open Amazon S3 bucket of data where you could actually easily guess the tracking URL that had been sent. It would link you back to an image taken [by the delivery service] of the home to confirm you actually had delivery. In some cases the label might show the person\u2019s name, address, etc. After a package has been delivered and after a certain period of time they [the service] shouldn\u2019t have that data still retained. The scope of that breach could have been reduced massively. We talk a lot about privacy in terms of the use of encryption and other things. But the first thing to do [by every organization] is to look hard at data retention and tackle the myth that all data could have future value so let\u2019s keep it.<\/p>\n<p data-ar-index=\"16\"><strong>Howard:<\/strong> That package delivery service security problem is one we\u2019ve seen before where the customer has a tracking number and when you go to the website to track the progress of the package that number is also reflected in the URL. All you have to do is change one digit and you can start seeing other people\u2019s tracking information. 
I\u2019ve heard of this before where there\u2019s a string of digits in the URL that reflect the customer data and all I have to do is change one digit and boom, you have a privacy breach.<\/p>\n<p data-ar-index=\"17\"><strong>David:<\/strong> Security is never going to be 100 per cent, but privacy and security are two sides of the same coin. So have a good understanding of why you are collecting data. What are you using it for? Did you have the proper consent for it? And are you only keeping it for as long as it\u2019s useful?<\/p>\n<p data-ar-index=\"18\">The other part of this privacy story is the increasingly large number of datasets that are being lost out there that are being combined in unique and problematic ways \u2026 AI (artificial intelligence) is going to have a field day developing the next generation of phishing attacks [with that stolen data].<\/p>\n<p data-ar-index=\"19\"><strong>Howard:<\/strong> Another example this week of a data privacy breach was car maker Nissan North America acknowledging there was a loss of customer data that had been sent to an outside software developer that was developing an application for Nissan. To test the application it needed data. So Nissan shipped a chunk of customer data to this external third-party software developer. Somebody there made a mistake; they uploaded it to a cloud storage site. But there was enough time that someone was able to steal that data. There\u2019s a third-party hack. I think there are two issues here: One, should you be sending real data to an external company, and the second is how do you make sure that any data that you have to send to a company is properly protected?<\/p>\n<p data-ar-index=\"20\"><strong>David:<\/strong> There was absolutely no reason other than just rushing that a company can\u2019t take real data, write a script and replace all the PII [personally identifiable information]. You can keep all the fields and all the information and depersonalize or anonymize it. 
You can easily create fake structured data to test applications. Take the hour to have someone on your team write the script and then you send the fake data [outside the company] \u2026 If there\u2019s one message it\u2019s, \u2018Script it, fake it, that way you can test it.\u2019 So even if they do screw up and put it in an Amazon S3 bucket it doesn\u2019t hurt you.<\/p>\n<p data-ar-index=\"21\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-january-20-2023\/522863\">Cyber Security Today, Week in Review for Friday, January 20, 2023<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on hacks at Mailchimp and CircleCI, a Nissan stolen databas<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-34358","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=34358"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34358\/revisions"}],"predecessor-version":[{"id":34436,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/34358\/revisions\/34
436"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=34358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=34358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=34358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}