Only six months remain until the end of Windows 7 support

Despite the awareness that in six months Microsoft will officially end its support for its nearly 10-year-old operating system, Windows 7, 18% of large enterprises have not yet migrated to Windows 10, according to new research from Kollective.

At the start of 2019, researchers found that 43% of companies were still running Windows 7. Of those, 17% didn’t even know about the end of support. In its most recent analysis of 200 US and UK IT decision makers, the report revealed that organizations have a long way to go to prepare for the much anticipated end of Windows 7 support.


Six months later, 96% of IT departments have started their migration, and 77% have completed the move. However, given that the migration from Windows XP to Windows 7 reportedly took some firms more than three years to complete, companies that have not started migration are at risk of missing the final deadline.

Read entire post Nearly 20% of organizations still run Windows 7 | Kacy Zurkus | InfoSecurity

UK firms hit by attacks every 50 seconds

The business ISP analyzed traffic for its customers during the period and found them to be on the receiving end of 146,491 attempted attacks each, on average. That’s 179% higher than the same period in 2018, when firms faced down 52,596 attacks on average.

IoT devices and file sharing services were most frequently targeted, hit by 17,737 and 10,192 attacks respectively during the quarter.


This chimes somewhat with a FireEye report from last month which revealed a dramatic increase in attacks exploiting file-sharing services to deliver malware via email. From hardly being used in any attacks in Q4 2018, OneDrive was seen in over 60% by Q1, it claimed.

Read entire post UK firms hit by attacks every 50 seconds | Phil Muncaster | InfoSecurity

Facebook staff had access to hundreds of millions of people’s passwords

This time, the company acknowledges that it mishandled sensitive passwords for hundreds of millions of its users, primarily those who use its Facebook Lite product. The disclosure casts doubt on the company’s abilities to protect its users’ information as it focuses more on privacy.

On Thursday, Facebook said it didn’t properly mask the passwords of hundreds of millions of its users and stored them as plain text in an internal database that could be accessed by its staff.

The company said it discovered the exposed passwords during a security review in January and launched an investigation. Facebook did not say how long it had been storing passwords in this way.
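The defect in the report above is that passwords were stored as the values users typed, so anyone with read access to the database had the credentials themselves. The usual mitigation is to store only a salted, slow hash and to recompute it at login. The following is an added example of that pattern, not Facebook's code or anything from the original post; the function names, the record format and the iteration count are assumptions chosen for illustration, and the audit helper simply flags stored values that do not follow the hashed-record format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 and salt size; constructed values for this example.
ITERATIONS = 310_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The record never contains the password; it holds only a per-user random
    salt plus the slow, salted hash derived from the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        # A malformed record (for instance a leftover plaintext value) must never verify.
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking where the two hashes first differ.
    return hmac.compare_digest(candidate, expected)


def looks_like_plaintext(record: str) -> bool:
    """Audit helper: True when a stored value does not follow the hashed-record format.

    Running this over a credential table is one cheap way to catch the kind of
    storage mistake described in the report.
    """
    parts = record.split("$")
    return not (len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit())


if __name__ == "__main__":
    # Constructed sample password; never log or print real credentials.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("hunter2", stored))
    print("plaintext value flagged:", looks_like_plaintext("hunter2"))
```

Two properties matter in a review of code like this: the stored record must not contain the password in any recoverable form, and the same password hashed twice must produce different records, which is what the random salt guarantees.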

Read entire post Facebook staff had access to hundreds of millions of people’s passwords | Donie O’Sullivan and Kevin Collier | CNN Business

Vendor compromises data of 808000 Singapore blood donors

Before the next WannaCry or NotPetya cyber-attack strikes, potentially resulting in widespread damage for which few are actually prepared, law enforcement in the EU have established an incident response protocol, according to a Europol press release.

“To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises,” Europol wrote.

“It serves as a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations.”

Read entire post Vendor exposes Singapore health blood donor data | Kacy Zurkus | InfoSecurity

A hacker in a restaurant

This article was originally published by Alexander Sverdlov on LinkedIn – https://www.linkedin.com/pulse/hacker-restaurant-alexander-sverdlov/

Day 1

A hacker comes into a restaurant and discovers that the salt shaker on the table can be unscrewed and one can pour anything into it. The hacker goes home and writes an angry letter to the manager of the restaurant: “I, meG@Duc, found a vulnerability in the salt shakers at your restaurant. An attacker can open them and pour poison inside! Take action immediately!”

Day 2

The manager, among other business letters, requests for food deliveries and courier receipts, finds the notification letter and shrugs: “Who could even come up with this nonsense?”

Day 5

The hacker comes into the restaurant and pours poison in all the salt shakers. Three hundred people die, and the manager is dragged through the courts for three months to prove the absence of a crime. The hacker writes a letter in the style of “Well, I told you!”.

Day 96

The manager orders his staff to buy specially designed salt shakers with a combination lock. Visitors of the restaurant feel like they are missing something very important in the meaning of life.

Day 97

The hacker discovers that the holes in the salt shakers pass salt in both directions. And not only salt, anything! He writes an angry letter to the manager after pissing in all the salt shakers. Three hundred people stop visiting the restaurant forever, thirty get admitted to the hospital with food poisoning.

The hacker sends an SMS to the restaurant manager: “How are you doing?” The manager is dragged through courts for three months and is released on probation.


Day 188

The manager vows to no longer work in any kind of food establishment, and to peacefully cut timber in Siberia. Engineers are working on a new one-way valve for a salt shaker. Waitresses in the meantime withdraw all the old salt shakers and distribute the salt by hand.

Day 190

The hacker steals a salt shaker from the restaurant and carefully studies the device at home. He writes an angry letter to the manager: “I, meG@Duc, stole the salt shaker and I find this fact outrageous! Anyone can steal your salt shakers!” The previously fully sober manager goes home and drinks a bottle of vodka.

Day 193

The hacker discovers that all the salt shakers in the restaurant are chained and nailed to the table. He arrives at a hacker conference and reports on his progress, getting a well-deserved reward for the protection of the interests of society and consumers.

Fortunately, the manager never hears anything about it and will not die of alcohol poisoning, for now.

Day 194

As part of a diabolical, genius, elaborate operation, BLACKHAT hackers break into the restaurant and pour all the salt from the salt shakers into their pockets. The hacker meG@Duc writes an indignant letter to the manager, alluding to the fact that there is no concern for the visitors in the restaurant, as any criminal can deprive honest people of salt in an instant. A salt dispenser with one-time authorisation is simply necessary!

Engineers work in sweat on a new salt shaker, while waitresses hand out salt manually, again. The manager goes on vacation to the Seychelles and has dinner only in his room, avoiding any canteens, restaurants and bars.

Day 200

Visitors of the restaurant find, to their horror, that in order to pour salt they must go to the waitress, show their passport and get a special 8-digit one-time code for the shaker. For pepper they must repeat the procedure.

Where are we with GDPR?

It’s months past when the EU’s General Data Privacy Regulations (GDPR) went into effect, and many are wondering, “Where are we now?”

Among the many aspects of the GDPR talked about at today’s Infosecurity North America conference, Nashira Layade, SVP, CISO at Realogy Holdings Corp., and Elena Elkina, partner at Aleada Consulting, spent a bit of time focusing on data-subject requests.

In particular, one of the three types of data-subject requests is the right to be forgotten, which in itself can be tricky, Layade said. “Understanding where the data is will help you with data-subject requests, but the right-to-be-forgotten request means that you also have to look at the requirements on how long you are supposed to hold onto that data. Always check with your legal team to make sure you are complying with all of the regulations.”

It’s also key to understand the 30-day-response requirement.

Read entire article #InfosecNA18: Where Are We with GDPR? | Kacy Zurkus | InfoSecurity

Researchers warn of hackable baby monitor

Security researchers have concluded that a Chinese-made baby monitor sold on Amazon is riddled with vulnerabilities, confirming a mother’s suspicion that her device had been hacked to spy on her infant.

SEC Consult said the FREDI-branded device, which is designed to look like a puppy, is most likely the work of an OEM called Shenzhen Gwelltimes Technology Co., Ltd.

The device has a P2P cloud feature which allows supported smartphone and desktop apps to connect to it via the cloud, making it easy for users to interact with it without needing to be on the same network. There are also no firewall rules, port forwarding rules or DDNS setup, SEC Consult claimed.

Read entire article Researchers warn of hackable baby monitor | Phil Muncaster | InfoSecurity

BMO and CIBC Simplii Financial reveal hacks of customer data

Two Canadian banks warned customers Monday that they have been the targets of hackers, and the personal information of tens of thousands of customers may have been stolen.

CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank’s customers.

The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.

Read entire article BMO and CIBC-owned Simplii Financial reveal hacks of customer data | Pete Evans | CBC

Data privacy by design: a new standard ensures consumer privacy at every step

The Internet-driven world shook when Facebook was recently exposed for having shared personal information about 87 million users to a private company, the aftershocks of which are still being felt as it becomes clear this is not a one-off event.

As new EU regulations come into force late this month that require companies to protect personal data, restricting the way it is collected and used, ISO is taking the consumer’s voice one step further. A team of privacy experts has been formed to develop the first set of preventative international guidelines for ensuring consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle.

The new ISO project committee, ISO/PC 317, Consumer protection: privacy by design for consumer goods and services, will develop guidelines that will not only enforce compliance with regulations, but generate greater consumer trust at a time when it is needed most.

Read entire article Data privacy by design: a new standard ensures consumer privacy at every step | ISO.org

Facebook Users Undeterred by Privacy Scandal

In the aftermath of the Facebook scandal, there have been some cries of outrage, with several users claiming that they will be deleting their accounts. Reuters recently polled users to see just how much impact the scandal has had on the social media giant.

The results show that Facebook has suffered little consequence. The Cambridge Analytica privacy scandal erupted on 16 March, prompting the hashtag #deletefacebook. Yet the number of monthly users continued to grow as the first quarter came to a close, with a recorded 241 million users in the United States and Canada as of 31 March.

Reuters found that 22% of the users polled confessed that they use Facebook more. Only 16% reported that they use the site less, while 43% said that they have not changed their frequency of use. That begs the question: how frequently are users accessing the Facebook site?

Read entire article Facebook Users Undeterred by Privacy Scandal | InfoSecurity | Kacy Zurkus

Irony of leaky app at RSA Conference not lost on attendees

Many members of the cybersecurity community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about a leaky RSA Conference app. Few, however, are really shocked by the reported breach.

Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app.

RSAC tweeted a confirmation of the breach confessing, “Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.”

Read entire article Irony of Leaky App at #RSAC Not Lost on Attendees

Grindr under fire for sharing HIV status of users

Same-sex dating app Grindr has said it will stop sharing users’ HIV status after it was revealed that the details were shared with third-party analytics companies.

Published on InfoSecurity | By Dan Raywood

According to initial research by Antoine Pultier, a researcher at SINTEF, and verified by Buzzfeed News, Grindr shared HIV status along with users’ GPS data, sexuality, relationship status, ethnicity, phone ID and email to Apptimize and Localytics, which help optimize apps. This information, unlike the HIV data, was sometimes shared via plain text.

Buzzfeed News reported that under the app’s “HIV status” category, users can choose from a variety of statuses, which include whether the user is positive, positive and on HIV treatment, negative, or negative and on PrEP, the once-daily pill shown to effectively prevent contracting HIV.

In a statement, Grindr CTO Scott Chen said that as a company that serves the LGBTQ community “we understand the sensitivities around HIV status disclosure” and clarified that Grindr “has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.”

Chen clarified that it does work with highly-regarded vendors to test and optimize how it rolls out the platform, and these vendors are under strict contractual terms that provide for the highest level of confidentiality, data security and user privacy.

Read entire article Grindr Under Fire for Sharing HIV Status of Users | InfoSecurity