29 April 2019

News round-up 29 April 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up: 

In our latest roundup, Australia’s privacy regulator receives promises of additional funding to support its workload responding to a growing number of privacy complaints and breach notifications. The compromises of an Indian outsourcing company and a Microsoft customer support account also remind us of the hops and jumps an attacker will make to ultimately reach sensitive data.

Key articles: 

Extra roles take new OAIC funding

Summary: A funding boost for the Office of the Australian Information Commissioner (OAIC) will be used to facilitate more timely responses to privacy complaints and support strengthened enforcement actions in relation to social media and other online platforms that breach privacy regulations.

Key risk takeaway: Regulators across the globe are adopting a stronger disposition to act against privacy infringements, and this funding boost will undoubtedly assist the OAIC to do so in Australia. With approximately a full year having passed since both the Notifiable Data Breaches (NDB) Scheme and General Data Protection Regulation (GDPR) have taken effect, regulators will now expect organisations to fully understand and implement processes to comply with these privacy regulations. The public also continues to become more aware and more expressive of its expectations of how consumer data is handled.

Tags: #privacy #regulation #trust

Microsoft: Hackers compromised support agent’s credentials to access customer email accounts

Summary: Microsoft has experienced a data breach of its web-based email services, with attackers gaining access to “a limited number” of customers’ email information after compromising a customer support account.

Key risk takeaway: While enterprise accounts were reportedly not affected, the breach is a reminder that cybercriminals often target email accounts to get to protected data. Gaining unauthorised access to an email account not only provides an attacker access to the sensitive and potentially lucrative data within the email account, it also enables the attacker to send convincing phishing or spam emails from that account, and to access online services where email account details are used as login credentials. In addition to user education, organisations should consider protecting email accounts by implementing measures such as multi-factor authentication. The breach of a customer support account in this instance also reflects the need for higher levels of protection for privileged accounts, or accounts with greater access to data.

Tags: #emailsecurity #multifactorauthentication #securityawarenesss

Facebook agrees to clearer T&Cs in Europe

Summary: Under pressure from the European Commission, Facebook  has agreed to amend its terms and conditions, making it clearer that free access to its service is contingent on users’ data being used to target with advertisements.

Key risk takeaway: Greater transparency is evidently a guiding principle for regulators across the globe in their mission to enhance privacy protections for consumers. We see this in examples like this story, but it’s also evident in the emphasis and celebration by authorities of transparency in relation to how data breaches are managed. Both transparency and accountability are fundamental principles that should inform an organisation’s approach to data protection processes and strategies, and are key ingredients to building trust. Meanwhile, Facebook has reportedly set aside US$3bn for an impending Federal Trade Commission fine relating to the Cambridge Analytica data scandal.

Tags: #privacy #transparency #trust

Experts: Breach at IT Outsourcing Giant Wipro

Summary: Indian technology outsourcing company Wipro has come in for criticism over how it handled enquiries about an apparent compromise of its systems as a result of phishing.

Key risk takeaway: Data breaches happen, but a poorly managed public response will accelerate loss of trust in an organisation by customers and partners. Wipro’s response, which has been characterised as “tone-deaf” and evasive, appears to have led to such an outcome. Attempting to dead-bat a story, or issue limited information in an attempt to downplay a breach, often leads to adverse consequences. Despite an organisation’s reluctance to issue information, journalists often still find data about a breach through public sources (eg. if the breached data is published by attackers) or via insiders. The resulting imbalance between what the organisation says and what is in public reports often leads to an impression that the organisation doesn’t understand the extent of the breach let alone that it has strategies in place to contain it and protect affected customers. The journalist who first broke the Wipro story, Brian Krebs, has chronicled in detail what he believes to have been Wipro’s failings in its response to this issue.

Tags: #breachresponse #transparency #trust

Millions using 123456 as password, security study finds

Summary: Breach analysis finds 23.2 million victim accounts worldwide used 123456 as password.

Key risk takeaway: The weaknesses represented by poor password practices by users is brought to life in this survey by the UK’s National Cyber Security Centre. The use of weak passwords combined with password re-use across multiple accounts are key contributing factors to data breaches and account compromises. The NCSC recommends combining three random but memorable words to create hard-to-guess passwords. Password managers can help users manage unique passwords across a large number of online services.

Tags: #securityawareness #passwords

Researcher who slowed ‘WannaCry’ attack pleads guilty to malware charges

Summary: A 24-year-old British security researcher who was hailed as a hero for neutralising the global WannaCry ransomware attack in 2017 has pleaded guilty to charges of writing malware in 2014-15.

Key risk takeaway: The underlying reality of this story is that certain skillsets valuable to modern information security teams – particularly offensive security or ethical hacking functions like red teaming and penetration testing – are sometimes learned in unofficial and less-conventional environments, such as online forums, hacking communities and university coding clubs. In this particular case, security researcher Marcus Hutchins, whose present work seeks to improve security for online users, first learned his skills carrying out less favourable activities such as creating and selling malware that steals banking details. When hiring security personnel, particularly into offensive security teams, organisations should ensure that background checks and thorough screening are a core part of recruitment processes. Clear ground rules and appropriate monitoring should also guide these teams’ ongoing activities. Journalist Brian Krebs has published a detail account of Marcus Hutchins’ activities here.

Tags: #employees #offensive security

Digital groups in election fundraising

Summary: A coalition of digital rights groups has launched a fundraising campaign to lobby during and after the upcoming federal election.

Key risk takeaway: Digital issues have not featured prominently in the current federal election campaign, other than this pledge by the Morrison Government to boost Australia’s cyber security capabilities. However our previous news roundups identified the imperative for businesses to be proactive in providing a perspective on government policy proposals that impact digital rights and the operation of cyberspace. The lack of coordination of industry voices in the lead up to passing of recent legislation, such as the encryption-related Assistance and Access Bill, has driven the formation of this coalition, which includes digital rights organisations and technology companies.

Tags: #policy #governmentoutreach

Click here to see past editions of the elevenM News Roundup