At a glance.
- Canon faces lawsuit over ransomware attack.
- Privacy trends.
- Update on New Zealand central bank breach.
- TikTok upgrades privacy for child protection.
- CISA's advice on threats to privacy in the cloud.
Canon faces lawsuit over ransomware attack.
A class action lawsuit has been filed in the US District Court for the Eastern District of New York against American camera manufacturer Canon USA, Inc. over a recent ransomware attack, reports Data Privacy + Security Insider. The incident, disclosed in November, exposed the personal data (including Social Security numbers and financial information) of current and former employees, as well as their beneficiaries and dependents. The plaintiffs accuse Canon of negligence in its handling of the data and allege that the company did not inform the affected individuals of the breach in a timely fashion.
Okera’s 2021 privacy trends.
Secure data access provider Okera has published its predictions for the top five data privacy trends of 2021, reports PR Newswire. Understandably, the COVID-19 pandemic and the resulting reliance on electronic data will be the major factor driving the industry's direction in the coming year. Security became a top concern for many businesses in 2020, and in 2021 a company's privacy practices will likely determine where it stands among its competitors. Data catalogs and metadata management will be a focus, and integrated data platforms will help businesses connect across cloud applications. And with many companies hiring Chief Data Officers, leadership will adopt a top-down approach to ensuring that all employees take responsibility for proper data handling.
Update: Reserve Bank of New Zealand data breach.
ZDNet has released an update on the Reserve Bank of New Zealand (RBNZ) breach the CyberWire noted earlier this week. Though RBNZ initially declined to name the third party that was the source of the breach, it has now stated that the attack targeted US-based file-sharing provider Accellion, whose FTA (File Transfer Appliance) product the bank uses to exchange files. RBNZ was not singled out as a target; other Accellion customers have also been affected. The bank is receiving guidance from the GCSB's National Cyber Security Centre to ascertain the scope of the breach and determine exactly what data were compromised, and it is withholding some details from the public to avoid hindering the investigation.
TikTok says it's improved protections for the TinyTots.
Also not so tiny ones. Eric Han, head of US Safety at TikTok, announced yesterday that the popular social media app is modifying its privacy settings for users under eighteen. In an effort to better protect younger community members, the changes include making "private" the default setting for accounts belonging to users thirteen to fifteen years old, limiting comment and download options for videos posted by younger users, and partnering with media company Common Sense Networks to better support TikTok for Younger Users, a special app experience for those under thirteen. "We'll continue to evolve our policies, work closely with regulators and experts in minor safety, and invest in our technology and teams so that TikTok remains a safe place for everyone to express their creativity," Han stated.
CISA's advice on keeping emails private in the cloud.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about successful cyber operations directed against cloud services whose users practice poor cyber hygiene. CISA's Analysis Report singles out three classes of attack for particular attention. All of them are direct threats to privacy:
- Phishing. Phishing is, of course, common. The threat actors use phishing emails whose malicious links are designed to harvest credentials for cloud service accounts.
- Forwarding rules. Mailbox forwarding rules also figure prominently in the threat actors' behavior. In some cases they modified an existing email rule to redirect mail to an account they control. In other instances they modified existing rules to pick out messages containing certain keywords, typically finance-related terms, and forward them to the threat actor's account. The threat actors also created new mailbox rules that forwarded certain messages to the legitimate users' RSS Feeds or RSS Subscriptions folder, where the user was unlikely to notice them. This technique was intended to evade detection and the warning that would follow it.
- Authentication abuse. Finally, there were instances in which threat actors signed in to victims' accounts even though multi-factor authentication was in place. CISA believes that in some cases this may have involved defeating MFA with a pass-the-cookie attack, in which a stolen browser session cookie is replayed to reuse an already-authenticated session without a fresh MFA prompt. The threat actors also attempted, generally without success, to brute-force user logins.
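The mailbox-rule tradecraft in the second bullet above is the kind of thing a defender can hunt for in audit logs. The following Python script is an added example, not code from CISA's report or from the CyberWire. It runs over a handful of constructed New-InboxRule / Set-InboxRule events written in a simplified version of the Office 365 Unified Audit Log shape and flags rules that forward or redirect mail to addresses outside the tenant's domains (assumed here to be example.com), that key on finance-related words, or that file mail into folders such as RSS Feeds that users seldom open. The finance term list, the folder list and the minimal-rule-name heuristic are assumptions of this example, not taken from the report.

```python
"""Flag suspicious mailbox rules in Exchange Online audit records.

Added example, not code from CISA's report or the CyberWire. The record
layout is a constructed, simplified version of the Office 365 Unified Audit
Log entries for New-InboxRule / Set-InboxRule (Operation, UserId, and
Parameters as Name/Value pairs). All events, addresses and the tenant
domain below are made up.
"""
import json
import re

# Constructed sample: one JSON event per line, as an admin might export them.
SAMPLE_AUDIT_LOG = r'''
{"Operation": "New-InboxRule", "UserId": "a.user@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@evil-example.net"}]}
{"Operation": "Set-InboxRule", "UserId": "b.user@example.com", "Parameters": [{"Name": "Identity", "Value": "Invoices"}, {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire transfer;payment"}, {"Name": "ForwardAsAttachmentTo", "Value": "collector@evil-example.net"}]}
{"Operation": "New-InboxRule", "UserId": "c.user@example.com", "Parameters": [{"Name": "Name", "Value": "Cleanup"}, {"Name": "SubjectContainsWords", "Value": "password;mfa;verification code"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "d.user@example.com", "Parameters": [{"Name": "Name", "Value": "Team newsletter"}, {"Name": "From", "Value": "newsletter@example.com"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
'''

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Assumed watch-list; CISA observed keyword rules built around financial terms.
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "ach", "transfer", "swift", "remittance"}
# Folders users rarely open; CISA saw rules filing mail into RSS folders to avoid notice.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "conversation history"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_records(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a recipient parameter whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def analyze_rule(record):
    """Return a list of human-readable findings for one rule event (empty if benign)."""
    p = rule_params(record)
    findings = []

    # 1. Forward/redirect to an address outside the tenant.
    for name in sorted(FORWARD_PARAMS & set(p)):
        ext = external_addresses(p[name])
        if ext:
            findings.append(f"{name} sends mail to external address(es): {', '.join(ext)}")

    # 2. Keyword conditions built around finance-related words (whole-word match,
    #    so "attachments" does not trip on "ach").
    terms = {t.strip().lower()
             for k, v in p.items() if k.endswith("ContainsWords")
             for t in re.split(r"[;,]", v)}
    finance_hits = sorted(t for t in terms if set(re.findall(r"[a-z]+", t)) & FINANCE_TERMS)
    if finance_hits:
        findings.append(f"keyword filter on finance-related terms: {', '.join(finance_hits)}")

    # 3. Matching mail filed into a folder the user is unlikely to look at.
    folder = p.get("MoveToFolder", "")
    if folder.strip().lower() in HIDE_FOLDERS:
        findings.append(f"moves matching mail to '{folder}', a folder users rarely open")

    # 4. Heuristic (assumption, not from the report): attackers often give rules
    #    a minimal name such as "." or ",," so they are easy to overlook.
    name = p.get("Name", "")
    if name and not re.search(r"[A-Za-z0-9]", name):
        findings.append(f"rule name {name!r} contains no letters or digits")

    return findings


def scan(text):
    """Map each UserId with at least one finding to its findings."""
    results = {}
    for rec in parse_records(text):
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        hits = analyze_rule(rec)
        if hits:
            results.setdefault(rec["UserId"], []).extend(hits)
    return results


if __name__ == "__main__":
    for user, hits in scan(SAMPLE_AUDIT_LOG).items():
        print(user)
        for h in hits:
            print("  -", h)
```

In a real tenant the events come from Search-UnifiedAuditLog, whose AuditData field carries the JSON for each operation; the same checks belong on mailbox-level forwarding set through Set-Mailbox (ForwardingSmtpAddress), which this script does not cover, and a rule created from an IP address or client the user has never signed in from should raise the finding's priority.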
Roger Grimes, of KnowBe4, sent comments on CISA's advisory:
"Sadly, none of the things the CISA discussed today are new. In fact, they are the opposite of new. Most are things hackers have been successful at for decades. The attack that bypassed MFA uses something known as session token/cookie hijacking. It’s been around since the beginning of computers and dozens, if not hundreds, of hacking tools exist to help attackers do it. We even discussed this exact type of attack a few years ago with a live demonstration by KnowBe4’s chief hacking officer, Kevin Mitnick. When Kevin did this video, we were surprised by how many computer professionals thought Kevin had invented something new. They were wondering if we were going to report it as a new exploit method when the truth was that it was the oldest type of MFA bypass possible. It’s also the very first MFA bypass attack method I discuss in my book, Hacking Multifactor Authentication, out of the over 50 types that I cover. It is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it. If you think you’re far less likely to be hacked because of MFA (and that isn’t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you’re more likely to get a better, less risky outcome. The key is to realize that everything can be hacked. MFA doesn’t impart some special, magical defense that no hacker can penetrate. Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared and more at risk."