Fortnite login security problem discovered, new U.S. data privacy laws proposed and more personal data found accidentally exposed on the Internet.
Welcome to Cyber Security Today. It’s Friday January 19th.
The popular online game Fortnite has been the target of hackers, who either tried to convince users to install a phony Android version or get them to log into fake websites to get game currency. Security vendor Check Point Software this week said it discovered a new problem: The game’s website had a vulnerability that could have allowed a hacker to take over a user’s account. It would work if the player tried to log in using their third-party username and password, like Facebook or Google. However, the login page that would show up on their screens would be fake, allowing the hacker to steal the credentials. This is why organizations have to regularly check their entire IT infrastructure to make sure logins are properly verified. Check Point and Fortnite’s creator, Epic Games, also encourage game users to enable two-factor authentication to safeguard their accounts. That’s good advice for anything you have to log into.
Should the United States have a national data privacy law? Many states have privacy protection laws, but should there be a country-wide standard companies have to follow? According to the Associated Press, a number of privacy groups say yes. This week they proposed creating a new federal data protection agency that would set limits on what data companies can collect, and prevent them from giving customer data to the government unless it’s to help a criminal investigation. Meanwhile last week a tech industry group called the Information Technology and Innovation Foundation called for a “grand bargain” that establishes a clear set of federal data privacy rights for consumers based on the sensitivity of the data and the context in which it is collected. The group suggests this new law would override state laws. And on Wednesday U.S. Senator Marco Rubio introduced a bill to get the Federal Trade Commission to create privacy rules. 2019 could be a year of data privacy law fights in Congress.
Finally, two more examples of organizations not being careful about how employees store and protect data. Researchers at security vendor UpGuard this week revealed they discovered three terabytes of data on a server open to be copied by anyone on the Internet. The server belonged to the Oklahoma Department of Securities. There were decades of data available for theft including email backups and a database with social security numbers of 10,000 securities brokers. There was also a list of usernames and passwords for some department applications. It’s thought the data was exposed only for a week. The hole is now closed, but it was likely created by an employee who misconfigured the server to give public access. In a similar incident also revealed this week, a U.S. communications provider called VOIPO accidentally left a huge amount of customer data exposed, including text messages. VOIPO said someone had left a development server open to the public.
IT security teams have to do a better job of monitoring what their firms are leaving open on the Internet.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.