Tag Archive for: poor

Poor risk assessment jeopardizing Manitoba government’s computer systems: report


The province is not doing a good enough job identifying and managing the risks associated with the aging computer systems it uses to carry out its business, says the latest report from the office of the auditor general. 

The audit looked into the various hardware such as servers, routers and firewalls, as well as the software the provincial government uses to collect, process, store, and share information.

It found that a significant number of business applications and their supporting technologies are old and should be replaced.

Further, the report says, the province’s methods of identifying when its aging hardware and software should be replaced or upgraded are insufficient, and its inventory is incomplete.

This could leave the province open to system outages, decreased system reliability, and increased security risks, the report says. 

That in turn could impact a wide range of services the province provides to Manitobans, including online registrations, provincial program applications and fee payments. 

The auditor general’s office recommends that the provincial government improve the practices it uses to monitor its computer systems to make sure they are replaced or upgraded as needed. 

It also recommends that the province’s business transformation and technology department prepare a risk assessment report on these aging computer systems.

Reg Helwer, the minister responsible for government services, will comment on the report once he has read it, a spokesperson for the province said Thursday. 


Florida Water Plant Hackers Exploited Old Software And Poor Password Habits


The world took notice when a cyber attacker breached a Florida city’s water treatment plant and tried to poison the water supply. New details about the incident reveal serious cyber security shortcomings at the plant.

As reported by Ars Technica, a Private Industry Notification (PIN) from the FBI noted two major issues. One was that the compromised computer at the Oldsmar water treatment facility was running an “outdated Windows 7 operating system.”

That statement applies to pretty much any computer running Windows 7 at this point. As of January 14 last year, Microsoft had stopped offering software updates, security updates or fixes, and technical support for Windows 7. Ahead of that date Microsoft had warned that “While you could continue to use your PC running Windows 7, without continued software and security updates, it will be at greater risk for viruses and malware.”

Microsoft had already extended support for Windows 7 on a couple of occasions and the company provides plenty of notice when it’s ending support. Nevertheless it’s not uncommon for organizations to continue using an operating system beyond its end-of-support date.

Specialized applications — like those that control the water treatment system at the Florida plant — may not be compatible with a newer OS. Faced with the possibility of a broken piece of critical software, many organizations choose to continue running the outdated OS. This incident once again underscored just how risky that practice can be.

Another failing revealed in the Bureau’s notification is that staff all used the same password for remote access via the TeamViewer application. That same password was used on all of the plant’s computers, and it’s believed that the attacker(s) used that password to break in.

That’s two very big cyber security strikes already. The third? The plant’s computers “appeared to be connected directly to the Internet without any type of firewall protection installed.”

Firewalls provide a first line of defense against unauthorized access. They’re an important part of network security in any situation. In a case where the…


Poor Password Security Led to Recent Water Treatment Facility Hack


New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments.

The breach involved an unsuccessful attempt on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system’s plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact.


Now, according to an advisory published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant’s several computers that were connected to the control system.

Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.

It’s worth noting that Microsoft Windows 7 reached end-of-life as of last year, on January 14, 2020.

Adding to the woes, more often than not, many small public utilities are saddled with aging infrastructure, and the IT departments tend to be under-resourced, lacking in budget and expertise to upgrade their security posture and address vulnerabilities in a timely fashion.

“Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” Massachusetts state officials said. “One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.”

“Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date,” the alert cautioned, adding “use two-factor authentication with strong passwords.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a separate alert published today, warned of “cybercriminals targeting and exploiting desktop sharing software and computer networks running operating systems…


Privacy survey: Consumers have poor understanding of data privacy yet think they are taking proactive steps


The vast majority of consumers have a poor understanding of data privacy issues yet think they are proactive in protecting themselves, according to a survey of US and UK residents.

More than 83% of the 1,000 people surveyed said they were proactive in maintaining their data privacy; however, they did not take basic precautions to protect their data — showing a lack of education without a corresponding drop in confidence.

The survey from Entrust, a US identity management and data privacy company, also found that 64% are willing to share personal data if it makes it easier to access key services.

And a whopping 83% say they are comfortable storing their biometric data with apps or third-party identity verification systems such as those at airports.

Consumers exhibited a split personality: they had high confidence in their ability to protect their personal data, but 79% also said they were somewhat or highly concerned about their data.

About one third (34%) of consumers were very pessimistic, saying they believed they had little control over their data; nearly one-quarter said the issues were too complex to understand, and 30% did not know where to begin.

A key difference between countries: UK consumers had a significantly higher trust in their employers, banks and government agencies to hold their personal data secure. 

Major Internet platforms have come under fire for their use and misuse of consumer personal data. In 2021, US and UK lawmakers are looking at potential regulations to control the use of personal data. This will have huge consequences for multi-billion dollar online advertising markets and data sellers.

The Entrust survey shows that voters will need to become better educated to be able to understand and support upcoming data privacy regulations. 

More survey findings are here.
