At a glance.
- A warning about commercial surveillance tools.
- Panasonic confirms data breach.
- Europol directed to purge data.
- How to minimize your online trail.
- Observations about the Finalsite ransomware incident.
US NCSC issues alert about commercial spyware.
On Friday, the US State Department and the National Counterintelligence and Security Center issued a warning regarding commercial surveillance tools, stating that governments and other entities have purchased spyware capable of recording audio, tracking a device’s location, and essentially giving the user access to all of the content on a target’s device. Security Week notes that, although the alert does not directly name any particular spyware, the warning is clearly the US government’s direct acknowledgment of the abuse of surveillance software like NSO’s Pegasus, recently discovered to be used by a number of world governments to track the devices of journalists, dissidents, and other undesirables. The warning also includes mitigation recommendations before ultimately advising that “it’s always safest to behave as if the device is compromised.”
Panasonic confirms data breach.
Consumer electronics giant Panasonic disclosed that in November an intruder gained unauthorized access to a file server located in Japan via the server of an overseas subsidiary. The exposed data includes personal information pertaining to candidates who applied for positions at the company, as well as data belonging to business partners. Although files on the server did contain information about business partner personnel, the information was primarily standard business contact details. With the assistance of an external security advisor, the investigation revealed that no customer data had been compromised, and none of the data that were compromised appears to have been leaked.
EDPS orders Europol to delete its “big data ark.”
Europol has been ordered to delete a massive cache of personal data that the European Data Protection Supervisor (EDPS) has determined was gathered illegally, the Guardian reports. The “big data ark,” as privacy experts are calling it, is comparable in size to a fifth of the US Library of Congress and contains billions of points of information gathered from crime reports, hacked from encrypted phone services, and collected from asylum seekers with no connection to a crime over the past six years. Privacy advocates say the data store includes sensitive data on upwards of 250,000 individuals currently or formerly suspected of terrorism or other serious crimes.
EDPS has ordered Europol to immediately delete any data gathered more than six months ago, and the police agency has one year to sift through the rest and determine what else must be expunged. The ruling underlines the ongoing conflict between EDPS and Europol, which last year led the EU Home Affairs Commission to propose major changes to Europol’s powers that, if passed, would make the police agency’s data collection legal as part of a testing program for machine learning tools. EU home affairs commissioner Ylva Johansson commented, “Law enforcement authorities need the tools, resources and the time to analyse data that is lawfully transmitted to them.”
Delete that old Hotmail account, already.
With tech giants like Apple, Facebook, and Google constantly vacuuming up user data, and data brokers like Acxiom, Equifax, and Experian buying and selling third-party personal information, the old adage “the internet never forgets” seems more valid than ever. While it’s nearly impossible for anyone to completely wipe their internet presence, Wired offers tips for minimizing your online trail. Advice includes using the Privacy Rights Clearinghouse database to figure out how to opt out of data brokers. Users can also ask Google to update search results to exclude out-of-date hits or remove harmful content. Deleting old accounts and removing unnecessary data from current accounts are also easy steps to take, and in general, experts recommend avoiding Big Tech for online activities when possible, and educating yourself about what data platforms are collecting and how they’re using it.
Observations about the Finalsite ransomware attack.
Ric Longenecker, CISO of Open Systems, wrote to point out that schools and the third-party applications they use will remain attractive targets for ransomware gangs:
“Schools continue to be ransomware attack targets, as illustrated by the recent Finalsite attack. With so many educational institutions continuing to rely on remote learning, these organizations – which have a wealth of data, including addresses, banking and credit card details, medical information and Social Security numbers – are particularly attractive to bad actors.
“Although it seems that Finalsite and the thousands of schools that use its software escaped the attack without their data being compromised, this event highlights the need for schools to increase their cybersecurity efforts and decrease their attack surfaces. Schools can take these important steps by working with a managed detection and response (MDR) solution provider.
“An experienced MDR provider combines AI technology and human know-how to assess threats and speed up effective mitigation of attacks before they spread and impact students, faculty and parents. A better MDR provider goes beyond detection and response to actual reduction of the attack surface and increase of the school’s security maturity, to prevent future breaches.”
Simon Jelley, a ransomware expert at Veritas Technologies, shared five points on ransomware that may help place the threat in context:
“Ransomware is a legitimate illegitimate business. The rate at which ransomware matured as a business model over the course of 2021 is astonishing. Today, ransomware has all the earmarks of a successful, albeit unlawful, industry: growth, profits and innovation.
“Ransomware gangs are awfully good at what they do. Cybercriminals behind ransomware are smarter and more innovative than ever, now using two-stage extortion schemes and leveraging the latest developments in artificial intelligence and machine learning.
“Ransomware is no minor crisis. Governments are beginning to take the ransomware threat extremely seriously, and companies are following suit as they look for ways to protect themselves from attack.
“Ransomware protection is conspicuously absent from cloud service providers’ terms and conditions. Far too many companies think their cloud service provider is responsible for the protection of their cloud-based data against threats like ransomware, and don’t learn the truth until it’s too late.
“Ransomware resiliency capabilities are clear as mud. Ransomware is the marketing soup du jour, which is making knowing how to actually defend against it and which partners are the right partners to help you do that more confusing than ever.”