Friday, May 20, 2022

Cyber Security Today, April 29, 2022 – Breast cancer website leaves data open, a warning on Microsoft Explorer and Facebook privacy controls questioned

Breast cancer website leaves data open, a warning on Microsoft Explorer and Facebook privacy controls questioned.

Welcome to Cyber Security Today. It’s Friday April 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

 

Another misconfigured bucket of data stored in the cloud has been found. This time it held data and images of people by Breastcancer.org. It’s an American non-profit with a website that offers free research to women and men on breast cancer. It also has discussion forums people can subscribe to. In a report released this week researchers at SafetyDetectives found said last year they found an open Amazon S3 bucket holding 150 GB of data with over 350,000 files. Some of the files were user avatars, which are real or sketched pictures forum users can put beside their real or assumed names. Others were images posted with their comments in the forums. However, some digital images have what’s called EXIF data that can include general location information, such as where an image was shot. That could lead to the real identities of people being tracked down, say the researchers. Some data also included results of medical tests. In addition to this being a privacy problem the researchers say Breastcancer.org didn’t reply to warning messages. Ultimately researchers had to Amazon as well as the U.S.Computer Emergency Response Team to get the data secured. Two lessons from this incident: Organizations must have a combination of policies and IT procedures to ensure sensitive data employees have access to is locked down. And they need procedures for taking seriously email, phone and text complaints about security-related problems.

IT administrators allowing employees to use Microsoft’s Internet Explorer browser need to know threat actors are hunting for versions that haven’t patched a year-old vulnerability. The warning comes from security researchers at Bitdefender. Attackers are using the vulnerability to install the RedLine Stealer trojan. This is malware that steals passwords, credit card information and other sensitive data. This vulnerability was patched in March, 2021. There is no reason why companies, or individuals, should still be using an old version of any browser. Individuals should check once a week to make sure their browser is running the latest version.

Does Facebook have full control over the data of its users? Can it make privacy promises to users and reguators? No, say some employees. That’s according to a document written last year and seen by reporters at Motherboard. Authored by Facebook privacy engineers on the Ad and Business Product team, it says Facebook can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ The problem, says the letter, is privacy regulators expect Facebook to make promises like that. A Facebook spokesperson replied the company has extensive processes and controls to comply with privacy regulations. There’s a link here to the article, so can you read it and judge yourself.

Finally, later today look for the Week in Review edition of the podcast. My guest is Terry Cutler, head of Montreal’s Cyology Labs. We’ll discuss the Lapsus$ extortion gang’s tactics, ransomware attacks on Costa Rica and a list of favourite vulnerabilities exploited last year by hackers.

Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Cyber Security Today Podcast