Tag Archive for: journal

Charities hit by major hack, internet security a bad joke as usual – Digital Journal



Those fun folks on the dark web are making themselves useful again with a serious hack of Australian charities. This is the usual story of getting information for fake IDs, phishing, etc. The information includes names and addresses.

One of the problems was that the hacked company, an intermediary called Pareto Phone, had a lot of old information dating back 9 years. In Australia, records are required to be kept for the statutory limit of 6 years. The charities seem to have been completely unaware that the information was still held by the company.

A few obvious technical matters also arise. Older storage systems would naturally be more vulnerable to hacking. The data was also apparently still accessible to hackers online. It’s a bit of a 101 for data archiving, but it’s pretty common.

Less impressive is the allegation that the data was stored in contravention of the Australian Privacy Principles. These are basic rules which govern the management of personal data by third parties. Pareto Phone is now working with investigators to analyze the issues.

This is a standard hack, perpetrated by the usual suspects with the usual outcomes so far. The distinguishing feature is the targeting of charitable donors. Maybe the little dears had nothing else to do that day.

This hack is representative of the hideously dysfunctional state of internet security. If you’ve ever been hacked or had your money laundered, it’s nice to know so little is being done to shut it down.

I’ve had both of those experiences, years ago, and I can’t pretend to be impressed. Hacking of everything, including AI, simply isn’t getting proper attention and oversight. Hacking AI could well be catastrophic given the mindless acceptance of it in the corporate world. Hacking human neural links could be fatal.

…Or maybe the incredibly lax state of global internet security is the problem? This has been going on for decades. It’s made money laundering a breeze. There’s not that much chance of getting caught.

In the Age of Deregulation, which has been a daily lottery win for every criminal on the planet, it’s to be expected….


Zero-Day Exploits Dominate Malware from Web Traffic in Q1 — THE Journal



In the first quarter of 2023, a massive 93% of detected malware from encrypted web traffic and 70% of malware from unencrypted web traffic came from zero day malware, according to a new report. And 51 new ransomware variants were detected.

According to WatchGuard Technologies’ Q1 Internet Security Report, part of an ongoing series of quarterly reports on data security across all sectors, “Zero day malware can infect IoT devices, misconfigured servers, and other devices that don’t use robust host-based defenses….”

Meanwhile, on the ransomware front, according to WatchGuard, “In Q1 2023, the Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to publish victims at an alarmingly high rate; some are well known organizations and companies in the Fortune 500.”

Other trends noted in the Q1 report included:

  • Malware droppers are targeting Linux systems, “a stark reminder that just because Windows is king in the enterprise space, this doesn’t mean organizations can afford to turn a blind eye to Linux and macOS,” according to WatchGuard;

  • Attackers are exploiting browser notifications more now that browsers have more protections in place against abuse of pop-ups;

  • Three-fourths of new attacks in Q1’s top-10 list originated in China and Russia;

  • Exploits targeting Microsoft Office and Microsoft’s end-of-life products persist; and

  • “Living-off-the-land” attacks — attacks that use a system’s built-in tools to accomplish their goals — continue to rise. “The continued appearance of Microsoft Office- and PowerShell-based malware in these reports quarter after quarter underscores the importance of endpoint protection that can differentiate legitimate and malicious use of popular tools like PowerShell,” according to the report.

The complete report and an executive summary can be accessed free of…


Trends in Privacy and Data Security | Practical Law The Journal


As the National Security Agency (NSA) noted in its 2022 cybersecurity yearly review, “[c]yberspace is dangerous” (NSA: NSA Cybersecurity Year in Review: 2022). Reports of sophisticated cyberattacks and ransomware threats were prevalent in 2022. The government, manufacturers, and others further developed standards for securing digital infrastructure like 5G, cloud services, cryptography, internet protocols, and internet of things (IoT) devices. Organizations deployed zero trust cybersecurity strategies more frequently to close operational technology gaps. On the data privacy side, businesses now face an increasing array of state laws in the absence of comprehensive federal data protection regulation.

Organizations must keep up with the dynamic and increasing legal obligations governing privacy and data security, understand how they apply, monitor cyber risks and attack trends, and manage their compliance to minimize exposure. This article reviews important privacy and data security developments in 2022 and highlights key issues as the year ahead takes shape. It addresses:

  • Federal and state guidance, regulations, and enforcement actions.
  • Private litigation.
  • Federal and state legislation.
  • International developments likely to affect US companies, including cross-border data transfer issues.
  • Trends likely to gain more attention in 2023.

(For the complete version of this article, which includes more on new federal and state regulations and legislation as well as private litigation and industry self-regulation and guidance, see Trends in Privacy and Data Security: 2022 on Practical Law.)

Several federal agencies issued guidance and took notable privacy and data security enforcement actions in 2022, including:

  • The Federal Trade Commission (FTC).
  • The Department of Health and Human Services (HHS).
  • The Department of Commerce and its National Institute of Standards and Technology (NIST).
  • The Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA).
  • The Federal Communications Commission (FCC).

(For information on guidance and enforcement activity by the Securities and Exchange Commission (SEC), various other federal agencies, and the White House, see Trends…


Avoid falling prey to employment scams – Rexburg Standard Journal


