A browser that’s vulnerable even if you don’t use it?
Internet Explorer flaw leaves Windows users vulnerable to hackers -- even those who don't use the browser
A zero-day exploit found in Internet Explorer means hackers could steal files from Windows users. What's particularly interesting about this security flaw is that you don't even need to be an Internet Explorer user to be vulnerable.
A security researcher has revealed details of an unpatched exploit in the way IE handles MHT files, and the problem affects Windows 7, Windows 10 and Windows Server 2012 R2. It leaves users vulnerable not only to having their files stolen by hackers, but also means they could be spied upon.
Details of the vulnerability were exposed by security researcher John Page after Microsoft refused to issue a patch.
Not the best news for Marketing.
Catalin Cimpanu reports:
Microsoft Office products are today’s top target for hackers, according to attack and exploitation data gathered by Kaspersky Lab.
In a presentation at its security conference – the Security Analyst Summit – the company said that around 70 percent of the attacks its products have detected in Q4 2018 are trying to abuse a Microsoft Office vulnerability.
Read more on ZDNet.
Who gets to declare war? Is Cyberwar different?
Big US companies discover insurance may not cover a cyberattack
… Mondelez, owner of dozens of well-known food brands such as Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the NotPetya cyberstrike in 2017.
… Mondelez's insurer, Zurich Insurance, said it would not be sending a reimbursement cheque. It cited a common, but rarely used, clause in insurance contracts: the "war exclusion", which protects insurers from being saddled with costs related to damage from war.
Mondelez was deemed collateral damage in a cyberwar.
Would they do this for anyone else? Did the police ask them to keep the post up? The article does not make that clear.
Twitter Left Up Ilhan Omar Death Threats So Law Enforcement Could Investigate
… Twitter would’ve typically taken down the threatening tweets once they were reported, but the company left them up to enable potential law enforcement collaboration, a source close to the company told BuzzFeed News. The Capitol Hill police are working on the issue, the source said.
The incident highlights Twitter’s flawed approach to dealing with death threats on its platform. Instead of reporting death threats to law enforcement as a policy, Twitter simply deletes them. This means its users can make these threats with little fear of retribution, since the tweets usually disappear before police can review them.
Is the FBI trying to keep this quiet?
Alex Johnson reports:
A nonprofit organization affiliated with the FBI confirmed that hackers breached the web servers of multiple chapters and published the names and addresses of hundreds of law enforcement personnel and thousands of other people online.
The hacked materials, which were released late last week and obtained Sunday by NBC News, include names, job descriptions, email addresses and, in some cases, street addresses of more than 23,000 people in multiple databases. More than 1,000 of the email addresses belong to the FBI.gov domain and the domains of other federal, state and local law enforcement agencies.
Read more on NBC News.
There’s a lot that’s creating buzz about this group of threat actors and their leaks, not the least of which is the reluctance of major media outlets to name the group or provide details on the leaked data. DataBreaches.net has obtained the freely offered data dumps, and I assume that many other news outlets and non-news parties have also obtained the data by now.
So what are these threat actors really up to? Their claim over the weekend that “We demand freedom for Peter Levashov,” a convicted Russian spammer, may not appear to be credible at first blush, but Levashov is also a virus creator, and this group have also offered ransomware on their site — ransomware that others have declared not to be recognizable as the work of previously known ransomware creators.
As of this morning, Twitter appears to have suspended the group’s twitter account, but their web site is still online, with links to the data dumps that have concerned many. Their most recent dump, which they described as “A list of people being watched by the FBI,” contains more than 22,000 rows or entries with people’s first and last names, company, work area, and email address, appears to contain a lot of media people, but not nationally prominent people for the most part. So what does it mean that the FBI is “watching” them? Is the FBI merely watching a lot of reporters as part of its usual activities, or are these people “special” somehow? This database doesn’t quite make sense as described – at least, not yet.
Of course, the data of greatest concern (so far) have been the contact details (phone, work email) of those in agencies such as DHS, TSA, the Secret Service, Capitol Police, etc. Anything that might increase the effectiveness of a phishing attack is necessarily concerning.
So what will today bring or this week? It’s hard to predict. It seems that the attackers wish to market data and have been creating interest in what they have to offer. But what price will they ask for it, and what will the quality of their offering be? I guess we’ll just have to wait and see.
Do I believe it? (Podcast)
The Doctor Is in: What HIPAA Compliance Means for Amazon
Drexel's Robert Field and Wharton's Arnold "Skip" Rosoff discuss Amazon's announcement that its Alexa device is now HIPAA compliant.
(Related)
Smart speakers’ installed base to top 200 million by year end
Smart speakers’ global installed base is on track to top 200 million by the end of this year, according to a report out today from analysts at Canalys. Specifically, the firm forecasts the installed base will grow by 82.4 percent, from 114 million units in 2018 to 207.9 million in 2019.
Sue em all, sue em all, the long and the short and the tall
Efforts to Expand CCPA’s Private Right of Action Remain in Question
… Recent developments in the California Assembly and Senate may preview whether California businesses and consumers should expect an expanded private right of action:
Continued clarification?
European Commission Issues Updated Q&A on Interplay between the GDPR and the Clinical Trials Regulation
Is this an anti-GDPR? Can anyone comply with both?
The U.S. Is Losing a Major Front to China in the New Cold War
A swathe of the world is adopting China’s vision for a tightly controlled internet over the unfettered American approach, a stunning ideological coup for Beijing that would have been unthinkable less than a decade ago.
Vietnam and Thailand are among the Southeast Asian nations warming to a governance model that twins sweeping content curbs with uncompromising data controls – because it helps preserve the regime in power.
The eSting? Aren’t the police being ‘invited’ in?
Four Steps Facebook Should Take to Counter Police Sock Puppets
EFF: “Despite Facebook’s repeated warnings that law enforcement is required to use “authentic identities” on the social media platform, cops continue to create fake and impersonator accounts to secretly spy on users. By pretending to be someone else, cops are able to sneak past the privacy walls users put up and bypass legal requirements that might require a warrant to obtain that same information. The most recent examples—and one of the most egregious—was revealed by The Guardian this week. The U.S. Department of Homeland Security executed a complex network of dummy Facebook profiles and pages to trick immigrants into registering with a fake college, The University of Farmington. The operation netted more than 170 arrests. Meanwhile, Customs and Border Protection issued a privacy impact assessment that encourages investigators to conceal their social media accounts…”
Looking North! (Long)
Canadian Internet Law Update - 2018*
This paper summarizes selected developments in Canadian Internet law during 2018. Internet law is a vast area that continues to develop rapidly. Reference to current legislation, regulatory policies, guidelines and case law is essential for anyone addressing these issues in practice.