I’m sure the release of the GDPR on 25th May hasn’t escaped anyone’s attention. After years of warnings about the EU parliament’s intended tough stance on enforcing the human right to privacy in the digital realm, a real ‘game changer’ of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data.
The GDPR’s potential hefty financial penalties for breaching its requirements is firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all have received in recent weeks, on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant as obtaining “explicit consent” from the data subject. So there is a long way to go for many organisations before they become truly GDPR compliant state based on what I’ve seen so far in my mailbox.
Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
- NatWest Customers targeted by Scammers
- Phishing campaign targeting Airbnb customers
- Phishing campaign targeting Apple.
- GDPR Fraudster con people with wave of Phishing Emails
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.
Developing GDPR Compliant Applications Guidance
- Part 1: A Developer’s Guide to the GDPR
- Part 2: Application Privacy by Design
- Part 3: Minimizing Application Privacy Risk
Overshadowed by the GDPR coming in force, was the release of new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.
Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches, otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced with month, after a DNS flaw in over 800,000 Draytek Routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities has been reported in TP-Link EAP controllers.
IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. As quite frankly any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn’t need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.
As my @securityexpert twitter account crossed the 10,000 follower threshold Twitter advised 300 million users to reset their passwords after internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their “plain text” value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage and use the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.
Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.
As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.
Analysis of DDoS Attacks at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacksSome interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.
Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.
- IBM Release Application Developers Guidance to the GDPR (written by me)
- NHS gets new Data Security and Protection Toolkit
- European Directive NIS Comes into Force
- Twitter Advises 330 Million Users to Change Passwords after Internal Leak
- IBM Workers Banned from using USB Sticks
- T-Mobile Website bug Exposed Personal Customer Data
- UK Colleges Hit by 12 Cyber Attacks A Week
- Coca-Cola Hit with Insider Breach, 8,000 Affected
- London Cyber Crime pair Jailed for £1m Phishing Scam
- A Year after WannaCry, is NHS better prepared?
- The Welsh Cyber Security Revolution
- UK begins to Formalise its Legal approach to Cyber War
- BMW Cars found to contain more than a Dozen Flaws
- Scammers are using GDPR email alerts to Conduct Phishing Attacks
- Microsoft Patches 70 Vulnerabilities for Windows IE/Edge, Exchange, Hyper-V & Chakra
- Adobe Releases Critical Fixes for Flash Player
- PHP Programming Languages updated to Fix Multiple Bugs
- Critical Vulnerabilities found in PGP/GPG, S/MIME
- DNS Flaw allows Hackers to change DNS settings in 800,000 Draytek Routers
- Multiple Flaws in TP-Link EAP Controller
- Google Fixes 24 bugs in Chrome OS, Security Pass Flaw in reCAPTCHA Feature
- Six Security Flaws discovered in Dell EMC RecoverPoint Devices
- Flaw in Git could result in Remote Code Execution
- ‘Roaming Mantis’ Malware is now ‘Spreading across the Globe’
- VPNFilter Malware Infects 500,000 Routers
- Cyber-Criminals Switching to Layer 7 based DDoS Attacks
- SilverTerrier uses Malware to drive BEC Attacks
- BackSwap Banking Malware bypasses Browser Protections with Clever Technique
*** This is a Security Bloggers Network syndicated blog from IT Security Expert Blog authored by Dave Whitelegg. Read the original post at: http://feedproxy.google.com/~r/securityexpert/~3/JI2xDCCBVAE/cyber-security-roundup-for-may-2018.html