Breast cancer website leaves data open, a warning on Microsoft Explorer and Facebook privacy controls questioned.
Welcome to Cyber Security Today. It’s Friday April 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Another misconfigured bucket of data stored in the cloud has been found. This time it held data and images of people by Breastcancer.org. It’s an American non-profit with a website that offers free research to women and men on breast cancer. It also has discussion forums people can subscribe to. In a report released this week researchers at SafetyDetectives found said last year they found an open Amazon S3 bucket holding 150 GB of data with over 350,000 files. Some of the files were user avatars, which are real or sketched pictures forum users can put beside their real or assumed names. Others were images posted with their comments in the forums. However, some digital images have what’s called EXIF data that can include general location information, such as where an image was shot. That could lead to the real identities of people being tracked down, say the researchers. Some data also included results of medical tests. In addition to this being a privacy problem the researchers say Breastcancer.org didn’t reply to warning messages. Ultimately researchers had to Amazon as well as the U.S.Computer Emergency Response Team to get the data secured. Two lessons from this incident: Organizations must have a combination of policies and IT procedures to ensure sensitive data employees have access to is locked down. And they need procedures for taking seriously email, phone and text complaints about security-related problems.
IT administrators allowing employees to use Microsoft’s Internet Explorer browser need to know threat actors are hunting for versions that haven’t patched a year-old vulnerability. The warning comes from security researchers at Bitdefender. Attackers are using the vulnerability to install the RedLine Stealer trojan. This is malware that steals passwords, credit card information and other sensitive data. This vulnerability was patched in March, 2021. There is no reason why companies, or individuals, should still be using an old version of any browser. Individuals should check once a week to make sure their browser is running the latest version.
Does Facebook have full control over the data of its users? Can it make privacy promises to users and reguators? No, say some employees. That’s according to a document written last year and seen by reporters at Motherboard. Authored by Facebook privacy engineers on the Ad and Business Product team, it says Facebook can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ The problem, says the letter, is privacy regulators expect Facebook to make promises like that. A Facebook spokesperson replied the company has extensive processes and controls to comply with privacy regulations. There’s a link here to the article, so can you read it and judge yourself.
Finally, later today look for the Week in Review edition of the podcast. My guest is Terry Cutler, head of Montreal’s Cyology Labs. We’ll discuss the Lapsus$ extortion gang’s tactics, ransomware attacks on Costa Rica and a list of favourite vulnerabilities exploited last year by hackers.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.