The Budapest Convention on fighting cybercrime is improved, and some websites secretly capture personal data.
Welcome to Cyber Security Today. It’s Friday May 13th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A number of countries including the U.S. began signing an addition to the 2004 Budapest Convention on Cybercrime yesterday. The update will improve co-operation in gathering digital evidence for prosecutions. It will do it by allowing law enforcement agencies to more easily get domain registration, internet subscriber information and traffic data held by service providers outside their home nations. Some of this information can’t be handed over now without the use of time-consuming mutual legal assistance treaties. The additional protocol will speed up access to this data by allowing direct requests to be made to domain registrars and service providers. The addition includes a provision for speedy access to information in emergencies such as terrorist or hostage situations. There are also provisions for the protection of personal data transferred to other countries. The addition still needs to be ratified by those countries that sign on.
Canada participated in the negotiations on the addition, and a member of the Canadian team was a member of an international panel yesterday explaining the addition to the press. However, a spokesperson for the Justice department couldn’t say when or if Canada will sign.
Among the countries that aren’t parties to the Budapest Convention are Russia, China, North Korea, India and Pakistan.
Meanwhile the U.S. is seeking the extradition of a British citizen who has been charged with being part of a gang that hacked into computers of American financial institutions and stealing millions from online bank and brokerage accounts.
Separately a judge in Florida this week sentenced a Ukrainian man to four years in a federal prison for conspiring to traffic in stolen computer passwords. He controlled a botnet that broke passwords with brute-force attacks. He was extradited from Poland last year.
Many websites have marketing add-ons that may be secretly capturing email address and passwords as you type into a digital form. That’s according to a story on Wired.com on work done by European university researchers. Imagine, for example, filling in a form on a website to subscribe to a newsletter or get a brochure, or to log into the site. You change your mind and erase what you typed before hitting the ‘Submit’ button. Too bad. These sites have already captured what you typed before deleting it. Or, more accurately, the third-party marketing and analytics services the websites use capture things as you type. After that, who knows what the data is used for. Meta Pixel and TikTok Pixel trackers were found grabbing hashed passwords this way, say the researchers. The companies have been notified.
Network administrators using certain models of Zyxel firewalls are urged to make sure the devices have the latest patches. Models affected are the APT, VPN and USG Flex series. Zyxel quietly issued security updates two weeks ago to close a serious vulnerability.
Finally, if you use the Chrome browser make sure it has the latest security update. It plugs 13 vulnerabilities. The newest version starts with 101 and ends with .64
That’s it for now. But later today the Week in Review podcast will be out with a discussion on ransomware and insider attacks.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.