Following the news that researcher Sam Jadali has uncovered “DataSpii”, a massive data leak exposing private information from 45 major companies and millions of individuals, Boris Cipot, Senior Security Engineer at Synopsys, offers the following commentary: Browser extensions, or any other add-ons that extend software functionality, are applications and must be regarded as such. Therefore, companies need to keep a close watch on what users can install, including add-ons. The best way to prevent the risk coming from browser extensions is to never allow installation of extensions by default, but rather to have a list of allowed extensions that users can…
ISBuzz Team
Internet service providers (ISPs) based in Kazakhstan are being instructed to force their users to install government-issued root certificates on their devices so that agencies can intercept web traffic. The Kazakh government has taken concrete steps towards bypassing the protection HTTPS provides by launching an encryption-busting Qaznet Trust Certificate in the nation’s capital Nur-Sultan, according to local media. Once a device trusts that root, the interceptor can issue a certificate for any site and decrypt the traffic; this is more commonly known in security circles as a man-in-the-middle (MITM) attack. https://twitter.com/TheHackersNews/status/1152151143411146752 Expert Comments: Paul Bischoff, Privacy Advocate at Comparitech.com: “The Kazakh government’s decision to intercept all HTTPS traffic is about surveillance, not security. This is a man-in-the-middle attack at…
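The check a client can make against exactly this kind of interception is public-key pinning: instead of asking "does the chain lead to a root my OS trusts?" (which an injected root passes), ask "does the chain contain a key I was told to expect?". The following is an added example, not code from the article, Comparitech or any vendor. It uses only the Python standard library, walks the DER structure of a certificate to find its SubjectPublicKeyInfo, computes the base64(SHA-256(SPKI)) pin that HPKP and Chromium use, and compares a presented chain against a pinned set. The certificates it runs on are constructed toy stand-ins (RFC 5280 field order, placeholder signature) so that it runs offline; in real use you would feed it the DER bytes of the peer certificate, for example from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
# Added example: SPKI pinning as a client-side check against TLS interception
# by an injected root CA. Standard library only; certificates are constructed.
import base64
import hashlib


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def der_seq(*elems):
    return der_tlv(0x30, b"".join(elems))


def _read_tlv(buf, pos):
    """Return (tag, value_start, tlv_end) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, tlv_start, value_start, tlv_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, _, cert_vs, cert_ve = next(_elements(cert_der, 0, len(cert_der)))
    _, _, tbs_vs, tbs_ve = next(_elements(cert_der, cert_vs, cert_ve))
    fields = list(_elements(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:               # skip explicit [0] version if present
        fields = fields[1:]
    tag, tlv_start, _, tlv_end = fields[5]  # sixth field is subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return cert_der[tlv_start:tlv_end]


def spki_pin(cert_der):
    """pin-sha256 as used by HPKP and Chromium: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_matches_pins(chain_der, expected_pins):
    """True when at least one certificate in the presented chain carries an expected pin.
    An interception CA re-issues every certificate under its own keys, so nothing in a
    forged chain matches, even though the OS trust store would accept the chain."""
    return any(spki_pin(cert) in expected_pins for cert in chain_der)


# ---- constructed test data: toy certificates, not real ones ----------------
def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; OID 2.5.4.3 = commonName
    atv = der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0C, cn.encode()))
    return der_seq(der_tlv(0x31, atv))


def make_toy_cert(subject_cn, issuer_cn, public_key):
    """Unsigned certificate in RFC 5280 field order, so extract_spki() walks it exactly
    as it would a real DER certificate. The signature value is a placeholder."""
    rsa_oid = der_seq(der_tlv(0x06, bytes.fromhex("2a864886f70d010101")), der_tlv(0x05, b""))
    spki = der_seq(rsa_oid, der_tlv(0x03, b"\x00" + public_key))
    validity = der_seq(der_tlv(0x17, b"190101000000Z"), der_tlv(0x17, b"290101000000Z"))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version: v3
        der_tlv(0x02, b"\x01"),                   # serialNumber
        rsa_oid,                                  # signature algorithm (placeholder)
        _name(issuer_cn), validity, _name(subject_cn), spki,
    )
    return der_seq(tbs, rsa_oid, der_tlv(0x03, b"\x00" * 9))


def _key(label):                                  # deterministic stand-in for a public key
    return hashlib.sha256(label.encode()).digest()


LEGIT_ROOT = make_toy_cert("Legit Root CA", "Legit Root CA", _key("legit root"))
GENUINE_CHAIN = [make_toy_cert("example.com", "Legit Root CA", _key("site")), LEGIT_ROOT]
# Same names, different keys: what a client sees behind an interception CA.
INTERCEPT_ROOT = make_toy_cert("Legit Root CA", "Legit Root CA", _key("intercept root"))
INTERCEPTED_CHAIN = [make_toy_cert("example.com", "Legit Root CA", _key("forged site")), INTERCEPT_ROOT]
# Pins the client ships with; in practice the real root's or intermediate's pin plus a backup.
EXPECTED_PINS = {spki_pin(LEGIT_ROOT)}

if __name__ == "__main__":
    print("genuine chain pinned:", chain_matches_pins(GENUINE_CHAIN, EXPECTED_PINS))          # True
    print("intercepted chain pinned:", chain_matches_pins(INTERCEPTED_CHAIN, EXPECTED_PINS))  # False
```

Two caveats a practitioner would add: pin an intermediate or root rather than the leaf and always ship a backup pin, or routine certificate rotation locks your own users out; and this check only protects applications that perform it themselves, since a browser that honours the OS trust store will accept the injected root unless the vendor blocks it.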
Reuters is reporting that credit-reporting company Equifax Inc will pay up to a record $650 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information, authorities said on Monday. The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all state attorneys general. https://twitter.com/AP/status/1153264957095665664
Insights gathered by Delphix reveal that companies are not masking sensitive data. Delphix, the data virtualisation platform, has found that companies in the UK are leading their CEOs to believe they are compliant with GDPR (General Data Protection Regulation) when they actually hold significant amounts of unprotected personal data. This was revealed when Delphix spoke to custodians of data about how they balance access to data with data security. Companies today are rushing to become more digital, and for many organisations that means innovating at breakneck speed. It becomes easier for things to fall through the cracks, and development / testing…
U.S. cybersecurity firm FireEye has warned of a malicious phishing campaign that it has attributed to the Iranian-linked APT34—whose activity has been reported elsewhere as OilRig and Greenbug. The campaign has been targeting LinkedIn users with plausible but bogus invitations to join a professional network and emailed attachments laced with malware that seeks to infect systems with a hidden backdoor and steal data and credentials. According to a FireEye blog post published on Thursday (July 18), the campaign targets specific industries that are clearly of interest to the regime in Teheran: “This threat group has conducted broad targeting across a variety of industries operating in the Middle…
No business is immune from the risk of insider fraud. The latest CIFAS Employee FraudScape report shows that 381 cases of fraud were committed by a company’s own staff in the UK in the last year alone – an alarming number. There’s no lack of examples, either. In 2018, healthcare leader Bupa was the victim of an employee breach. It has since been issued with significant fines by UK regulators for ‘systematic data protection failures’ after an employee attempted to sell around 500,000 client records on the dark web. Another strikingly similar example is a major broadband company which had to suspend a customer service…
Incidents of Mirai malware, which now has 60 known variants, targeting enterprises through IoT devices more than doubled between the first quarter of 2018 and the first quarter of 2019, according to IBM X-Force researchers. Expert Comments: Bob Noel, VP of Strategic Relationships at Plixer: “Without dynamic identification, classification and policy enforcement of enterprise IoT devices, they pose a serious security threat. To mitigate this threat, IoT devices must be deployed in a zero trust mode, with an enforcement policy of least privilege. Anything less leaves the business open to significant risk. IoT devices are purpose built which means that although…
Brian Krebs broke the story today that cloud hosting provider iNSYNQ is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident. Expert Comments: Jonathan Bensen, CISO at Balbix: “Ransomware attacks against cloud data hosting and SaaS companies can completely eliminate that business’ ability to serve customers. iNSYNQ promises customers that moving their QuickBooks into the cloud with iNSYNQ grants the ability to access and edit company…
According to research from analyst firm Frost & Sullivan, the overall video and web conferencing market is on a high growth trajectory and is forecast to grow from $8.5 billion in 2017 to $11.0 billion by 2023. This expansion is, in turn, fuelling growth in virtual meetings, which offer participants a wide range of advantages, from cost savings to a reduced environmental footprint, increased productivity and efficiency, and real-time information sharing. Virtual meetings, in short, offer a myriad of benefits to participating organisations, but they also bring with them challenges and risks. Company meetings often discuss sensitive and confidential information – so if this information…
Slack will reset the passwords of users it believes are affected by a data breach that hit the company more than four years ago. In 2015, the company said it was hit by hackers who gained access to its user profile database, including users’ hashed passwords. The hackers also inserted code that scraped users’ plaintext passwords as they were entered at the time. According to TechCrunch, Slack said it was recently contacted through its bug bounty programme about a list of allegedly compromised Slack account passwords. The company said the security incident does not apply to “the approximately 99%…
