GDPR from a Data Privacy Officer’s Perspective: 4 Keys to Know
GDPR will persist for many years to come, but questions will arise about how it is applied as technology evolves, for example following the explosion of large language models like ChatGPT.
But with the novelty and ease of profiling comes uncertainty. A huge conversation has taken place around this from a data compliance perspective, leaving professionals wondering whether GDPR is encompassing enough or whether separate legislation is needed.
@Cyber_Security_Channel
University of Minnesota Confirms Data Breach, Says Ransomware Not Involved
The university also said that scans it has performed revealed no ongoing activity related to the incident and there were no system disruptions.
“Our investigation is continuing, but our security professionals have not detected any system malware (including ‘ransomware’), encrypted files or fraudulent emails related to the incident.
There have been no known disruptions to current University operations as a result of this data security incident,” the university said.
@Cyber_Security_Channel
3 Data Privacy Principles to Adopt Now, Even While Governments Still Debate
The good news is brands don’t have to be in a bad position. Yes, these issues are extremely complex and legislation will take time.
But it’s more important than ever to design your own systems to protect individuals and – as a result – to protect your own brand’s future.
Three low-risk, high-reward practices around data privacy and security:
1. Build a foundation of fairness
2. Maximize data transparency
3. Stop hoarding data.
@Cyber_Security_Channel
Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist
Adobe recommends that customers apply the security configuration settings "as outlined on the ColdFusion Security page as well as review the respective Lockdown guides".
It also recommends "updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11."
This is because applying the ColdFusion update without a corresponding JDK update will not result in a secure server.
@Cyber_Security_Channel
US Government Publishes Guidance on Migrating to Post-Quantum Cryptography
According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.
CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).
@Cyber_Security_Channel
Smart Light Bulbs Could Give Away Your Password Secrets
For better or for worse (the authors of the paper don’t say whether any disclosure dates were agreed with TP-Link, so we don’t know how long the company has been working on its patches), the researchers have now revealed how their attacks work, albeit without providing any copy-and-pastable attack code for wannabe home-hackers to exploit at will.
@Cyber_Security_Channel
Tesla Data Breach Investigation Reveals Inside Job
In a subsequent investigation of the breach, Tesla found that two former employees "misappropriated the information in violation of Tesla's IT security and data protection policies and shared it with the media outlet."
Handelsblatt has informed Tesla that it does not intend to publish the compromised information, nor would it legally be allowed to.
@Cyber_Security_Channel
Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability
The vulnerability, tagged as CVE-2023-38035, affects Ivanti Sentry versions 9.18 and prior, and could be exploited by malicious hackers to change configuration, run system commands, or write files onto the system, Ivanti said in an advisory.
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS),” the company said.
While the issue carries a 9.8/10 CVSS severity score, Ivanti notes there is a low risk of exploitation for enterprises that do not expose port 8443 to the internet.
@Cyber_Security_Channel
Ad Firm Plans to Use People’s Data in a Maneuver to Sink Data Privacy Bill
SB 362, known as the Delete Act, would require companies to delete all data on individuals upon request — including data purchased or acquired from third parties.
This would shrink the trove of personal information they hold, such as browsing history, birthdates and past purchases.
Data brokers compile this information to build profiles of people, which can be used to craft advertisements tailored to an individual’s preferences.
But that also grants them access to some of people’s most sensitive details, such as whether they are pregnant or suffering from mental illness.
@Cyber_Security_Channel
Metabase Q Bags $3m Funding to Bolster Cybersecurity in Latin America
Metabase Q, through the recently raised funds, aims to strengthen and expand its capital-efficient operations.
Their objective is to redefine the methodologies modern enterprises adopt to manage, gauge, and advance their cybersecurity endeavours.
The company’s traction is evident, with an impressive 403% quarter-over-quarter surge in new bookings, underscoring Metabase Q’s innovative approach as the cybersecurity industry’s future trajectory.
@Cyber_Security_Channel
Experts Believe AI Could Help Prevent Some Cybersecurity Attacks in Schools
“One of the benefits of AI is that they can be that set of virtual eyes on the school networks when the IT staff are not able to do that,” he said.
He explains that some vendors are incorporating AI into tools that schools are already using.
“Not only can [AI] keep their eyes on the network, they can actually take proactive steps to help defend those networks from cyber criminals who are trying to penetrate their systems and steal valuable data about students and teachers,” said Levin.
But he warns some of these high-tech upgrades may come at a major cost. “In some ways, it’s going to save schools for having to invest maybe in more IT professionals dedicated to security,” he said.
“At another level, I wouldn’t be surprised to see the prices for these solutions to continue to rise.”
@Cyber_Security_Channel
Paperclip SAFE® Adds Data Masking to its Breakthrough Searchable Encryption Solution
Data masking, also referred to as de-identification or anonymization, is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.
The addition of data masking to SAFE was driven by user feedback and changing compliance requirements.
Data masking is required by many compliance frameworks such as GDPR, CCPA, HIPAA and ISO 27002:2022 (Control 8.11) and is recognized by Gartner as a growing category within data security technology.
@Cyber_Security_Channel
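To make the definition above concrete, here is a small added example (written for this digest, not code from Paperclip or the SAFE product) of format-preserving data masking: sensitive fields in a record are replaced so that a reader of the masked copy learns little, while a downstream process that only needs, say, the last four card digits or the e-mail domain still works. The record, field names and masking policy are constructed assumptions for illustration.

```python
import re
from typing import Callable, Dict

# Constructed sample record for the example; none of these values are real.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Alice Example",
    "email": "alice.example@mail.test",
    "phone": "+1-555-010-2345",
    "card_number": "4111111111111111",
    "order_total": "42.50",  # not sensitive: left usable for reporting
}


def mask_name(value: str) -> str:
    """Reduce a personal name to initials ("Alice Example" -> "A. E.")."""
    return " ".join(part[0] + "." for part in value.split() if part)


def mask_email(value: str) -> str:
    """Keep the first character and the domain so routing/analytics still work."""
    local, _, domain = value.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_digits_keep_last(value: str, keep: int = 4) -> str:
    """Star out every digit except the last `keep`, preserving separators.

    The layout ("+1-555-...") survives, so format validators and display code
    keep working, but the masked value no longer identifies the number.
    """
    total = sum(c.isdigit() for c in value)
    seen = 0
    out = []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


# Masking policy: field name -> masking function. Fields absent here pass through.
# This mapping is an assumption of the example, not a standard of any framework.
MASKING_POLICY: Dict[str, Callable[[str], str]] = {
    "name": mask_name,
    "email": mask_email,
    "phone": mask_digits_keep_last,
    "card_number": mask_digits_keep_last,
}


def mask_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a masked copy of `record`; the original is left untouched."""
    return {k: MASKING_POLICY.get(k, lambda v: v)(v) for k, v in record.items()}


# A run of 13-19 digits not adjacent to other digits is the shape of a card number.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_unmasked_pan(text: str) -> bool:
    """Defensive check a pipeline can run before data leaves a trusted zone."""
    return _PAN_RE.search(text) is not None


if __name__ == "__main__":
    masked = mask_record(SAMPLE_RECORD)
    for key, value in masked.items():
        print(f"{key:12s} {value}")
    print("unmasked PAN present:", contains_unmasked_pan(" ".join(masked.values())))
```

One caveat worth keeping in mind: the text treats masking, de-identification and anonymization as synonyms, but a mask that retains the last four digits or the e-mail domain still allows records to be linked, so the output is pseudonymised rather than anonymous. The `contains_unmasked_pan` check is the kind of guard a practitioner adds at the boundary where masked data is exported, to catch a field the policy forgot.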
Why Ransomware Gangs Opt for Encryption-Less Attacks
Attackers have shifted their strategies in the face of increased law enforcement attention and the desire to encourage ransom payments.
This strategy to minimize business disruption helps keep the victim's business functional while pressuring them to pay the ransom discreetly.
They also want to increase the chance of a victim paying ransom because in many of the cases - and this is not in large numbers - the victim will not even report it.
They will pay it off and keep it under wraps. It's a win-win situation if you think about it from their perspective.
@Cyber_Security_Channel
CISA Posts Remote Monitoring & Management Systems Cyber Defense Plan
The Cybersecurity and Infrastructure Security Agency (CISA) published the Cyber Defense Plan for Remote Monitoring and Management (RMM), the first proactive plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of their 2023 Planning Agenda.
The RMM Cyber Defense Plan provides a roadmap to advance the security and resilience of this critical ecosystem, including RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium-sized businesses (SMBs) and critical infrastructure operators.
@Cyber_Security_Channel
DEF CON's AI Village Pits Hackers Against LLMs to Find Flaws
"We will be going through the anonymized data and finding patterns of vulnerabilities that participants discovered during the challenge and produce a report that will hopefully help ML and security researchers gain better insights into LLMs and policymakers make more informed regulations about AI," Ghosh says.
While he won't answer questions directly about any of the winning LLM hacks, Ghosh says he was able to use the LLMs to generate discriminatory code, credit card numbers, misinformation, and more.
@Cyber_Security_Channel
Speaking Up About Data Privacy in Ed Tech
A large majority of those vendors actually want to hear from education users who find something in those policies they don't like, or need clarification on part of a vendor's privacy policy.
We did truly amazing things with that data privacy program. We got kids involved, we got them excited.
We partnered with external organizations like the Future of Privacy Forum to provide different incentives for kids, as well as educational and awareness videos called Think Privacy, to really embrace a culture of privacy, safety, and security.
@Cyber_Security_Channel
The 7 Best Encryption Apps for Windows, According to MUO
To cut down your search time, we went through a host of options and have listed the best encryption tools for Windows.
1. 7-Zip
2. VeraCrypt
3. Age
4. Gpg4win
5. BitLocker
6. Cryptomator
7. AxCrypt
Encryption, and cybersecurity in general, is no longer just a passion for a select few hobbyists.
With almost everything going digital, it’s of utmost importance to keep up with the best cybersecurity practices; using an encryption app is one such practice.
@Cyber_Security_Channel
Case from one week ago: Telegram Ban in Iraq Due to “National Security Concerns” Lifted
The national security ban of Telegram appeared to be touched off by the discovery of channels that shared the names, addresses and family relationships of residents of Iraq.
The Ministry of Communications reportedly asked the messaging app to remove these channels, but received no response.
The ban was in place for a little over a week, lifted on August 14 with a post from the Ministry indicating that Telegram had responded to its requests.
@Cyber_Security_Channel
Newer, Better XLoader Signals a Dangerous Shift in macOS Malware
The new XLoader has no such flaw — it's written natively in C and Objective-C.
It's packaged in an application file with the legitimate-sounding name "Office Note," the macOS Microsoft Word logo, and an Apple developer signature. Apple has since revoked the signature, but "it won't make much difference," Stokes says.
"All it means is that the developers will have to pivot to another signature. Developers' signatures are bought and sold on the Dark Net, or they're fakes.
They can even ad hoc sign, which means it doesn't actually have a developer signature, but it will still get past Apple's Gatekeeper detection."
@Cyber_Security_Channel
FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Previously, the hackers stole crypto assets in attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge.
“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses,” the FBI says.
@Cyber_Security_Channel
'Cuba' Ransomware Group Uses Every Trick in the Book
Once inside the network, Cuba deployed BUGHATCH, its own custom downloader.
BUGHATCH establishes a connection to a command-and-control (C2) server, then downloads attacker payloads (it can also execute files and commands).
One of BUGHATCH's downloads this time, for example, was Metasploit, which it used to cement its foothold in the target environment.
@Cyber_Security_Channel
Energy One Investigates Cyberattack
The company said it took immediate steps to limit the impact of the incident, engaged specialists CyberCX, and alerted the Australian Cyber Security Centre and UK authorities.
As part of the investigation, Energy One has disabled links between its corporate and customer-facing systems as a precaution.
@Cyber_Security_Channel
AI’s Personalization Paradox: Tailored Experiences vs Data Privacy
The power of AI-driven personalization is alluring - but first, we need to solve how it clashes with data privacy.
Balancing tailored experiences with ethical considerations is going to be closely watched in the years to come.
Prioritizing privacy while empowering users - these are the challenges to navigate for a responsible AI landscape.
AI-powered personalization employs AI and machine learning to create customized customer experiences by analyzing extensive data such as browsing history, purchases, interactions, and demographics.
@Cyber_Security_Channel
Motherboard Mishaps Undermine Trust, Security
As of Aug. 28, neither Microsoft nor MSI has uncovered the cause of the issue, and neither company returned a request for comment.
"Both MSI and Microsoft are aware of the 'UNSUPPORTED_PROCESSOR' error and have begun investigating the root cause," MSI wrote in its statement.
"While the investigation is underway, we recommend that all users temporarily refrain from installing the KB5029351 Preview update in Windows."
@Cyber_Security_Channel
Privacy, Data and Cybersecurity Quick Clicks
The Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.
The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
@Cyber_Security_Channel
Why Browser Security Is Crucial
Tall identified two approaches to ensure secure browser adoption: the complete "rip and replace" of existing browsers, which could warrant changes in customer behavior, and the extension of security to current browsers.
But in the realm of cybersecurity tools, secure browsing is still nascent.
Barriers to the adoption of secure browsing, Tall said, stem from the fact that these security tools are often influenced by distribution players, and "it's just a little bit of inertia."
@Cyber_Security_Channel
How to Hire Cybersecurity Professionals
"Hiring and retaining talent can often feel like an uphill battle, but there are a number of things that leaders can be doing to make more strides in this area," said Rob Rashotte, vice president of global training & technical field enablement at Fortinet.
Cybersecurity professionals "should also be offered a little space to experiment," Brown said. "Like many tech people, cyber professionals like to learn by doing and to continually optimize solutions.
Give them room to do this, even just a little, in terms of time and resources." Rashotte and other experts outline four things that employers can do to build their cybersecurity workforces.
@Cyber_Security_Channel
Why Online Choice Architecture is a Data Protection Priority
Online Choice Architecture (OCA) is defined as the way that companies present information and choices to users of websites and other online services.
It can include the way prices are displayed on a website, personal recommendations presented to consumers and the options available to consumers.
OCA practices can also be used to exploit behavioural biases of consumers and lead them to make riskier decisions.
OCA has an impact on individuals' privacy rights, on how businesses compete and on how consumers are treated.
@Cyber_Security_Channel
“Snakes In Airplane Mode” – What If Your Phone Says it’s Offline But isn’t?
The bad news, however, is that the software shenanigans used aren’t the typical tricks associated with malware or data exfiltration code.
That’s because “fake airplane” mode doesn’t itself snoop on or try to steal private data belonging to other apps, but works simply by showing you what you hope to see, namely visual clues that imply that your device is offline even when it isn’t.
@Cyber_Security_Channel
📩 Our partners at Hacklido released a new version of their newsletter: Cyber Security Round Up - August 15th, 2023
It includes materials on the following topics:
• XXE attack
• Blockchain
• API security
• IOT Hacking
• OpenredireX
• SQL injection
• DNS Takeover
• C2 server Hacking
• Web race conditions
And more...
You can find the full version of the newsletter here.
——
✨ If your company / project / community is willing to become a partner of Cyber Security News, feel free to contact us: @cybersecadmin
——
@Cyber_Security_Channel