Breast cancer website leaves data open, Internet Explorer warning, and Facebook privacy controls questioned.
Welcome to Cyber Security Today. Today is Friday, April 29, 2022. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com.
Another misconfigured dataset stored in the cloud has been found. This time it contained data and images of people held by Breastcancer.org, an American non-profit whose website offers free breast cancer research information to women and men, along with discussion forums that people can subscribe to. In a report published this week, researchers at SafetyDetectives said they found an unsecured Amazon S3 bucket last year containing 150 GB of data in more than 350,000 files. Some of the files were user avatars, the photos or drawn images that forum members display next to their real or assumed names. Others were images people had attached to their forum posts. The catch is that many digital images carry EXIF metadata, which can include GPS coordinates recording where the photo was taken. Combined with a name or a face, that could let someone trace a user's true identity, the researchers say. Some of the exposed files were medical test results. On top of the privacy problem, the researchers say Breastcancer.org did not respond to their warnings; they ultimately had to involve Amazon and the United States Computer Emergency Readiness Team (US-CERT) to get the data secured. Two lessons from this incident: organizations need IT policies and procedures that ensure the sensitive data employees work with is locked down, and they need a process for taking security complaints that arrive by email, phone or text seriously.
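The lesson about locking data down is easy to state and hard to verify. The check below is an added example, not code from SafetyDetectives or Breastcancer.org: it reads an S3 bucket policy (the JSON returned by `aws s3api get-bucket-policy`) and reports every Allow statement that grants object reads or bucket listing to an anonymous principal. The bucket names, account ID and policies are constructed for the example; the page does not say how the bucket in the story was exposed.

```python
"""Flag S3 bucket-policy statements that hand read access to anyone.

Added example, pure Python, no AWS calls. Bucket names, account IDs and the
three sample policies below are constructed for illustration.
"""
import fnmatch
import json

# Actions that expose object contents or the object listing.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _exposed_reads(actions):
    """Which READ_ACTIONS the statement's Action patterns (e.g. "s3:*") cover."""
    patterns = [a.lower() for a in _as_list(actions)]   # IAM actions are case-insensitive
    return [ra for ra in READ_ACTIONS
            if any(fnmatch.fnmatchcase(ra.lower(), p) for p in patterns)]


def find_public_read(policy):
    """Return one finding per Allow statement that lets an anonymous principal read.

    Statements with a Condition are still reported (marked "conditioned"),
    because conditions such as aws:Referer are trivially spoofed; review them
    by hand. Deny statements, NotPrincipal and NotAction are not evaluated here.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        exposed = _exposed_reads(stmt.get("Action", []))
        if exposed:
            findings.append({
                "sid": stmt.get("Sid"),
                "resources": _as_list(stmt.get("Resource", [])),
                "actions": exposed,
                "conditioned": bool(stmt.get("Condition")),
            })
    return findings


# --- constructed sample policies -------------------------------------------
PUBLIC_POLICY = {            # the classic mistake: world-readable and listable
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForForumUploads",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-forum-uploads",
                     "arn:aws:s3:::example-forum-uploads/*"],
    }],
}

LOCKED_POLICY = {            # only the application's role may touch the bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/forum-app"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-forum-uploads/*",
    }],
}

REFERER_POLICY = {           # "*" behind a Referer check: still public in practice
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HotlinkGuard",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::example-forum-uploads/*",
        "Condition": {"StringLike": {"aws:Referer": ["https://forum.example/*"]}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("locked", LOCKED_POLICY),
                      ("referer", REFERER_POLICY)):
        print(name, json.dumps(find_public_read(pol)))
```

A clean result from this check is necessary but not sufficient: bucket ACLs and the account or bucket level Block Public Access settings can open a bucket that has no policy at all, so audit those alongside the policy.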
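To see what the EXIF point means in practice, here is an added example (not code from the researchers or from Breastcancer.org) that walks a JPEG's header segments, pulls the latitude and longitude out of the EXIF GPS sub-IFD, and produces a copy of the file with the EXIF segment removed, which is what a forum should do to uploads before serving them. It is pure Python; the sample image is a constructed fixture (SOI, a JFIF APP0 segment, an Exif APP1 segment, EOI) rather than a real photo, and the coordinates in it are made up.

```python
"""Find and strip GPS coordinates in a JPEG's EXIF block (added example).

Pure Python, no Pillow or exiftool. build_sample_jpeg() constructs a minimal
fixture image with a GPS IFD; it is not a real photograph.
"""
import struct

GPS_IFD_POINTER = 0x8825                 # IFD0 tag pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

# Constructed JFIF APP0 segment: a non-Exif header that stripping must preserve.
JFIF_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def _segments(jpeg):
    """Yield (marker, start, end, payload) for each header segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: entropy-coded data follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg_end = pos + 2 + length
        yield marker, pos, seg_end, jpeg[pos + 4:seg_end]
        pos = seg_end


def _read_ifd(tiff, offset, end):
    """Parse one IFD into {tag: (type, count, raw_value_bytes)}."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                        # values of 4 bytes or less are inline
            raw = tiff[pos + 8:pos + 8 + size]
        else:                                # larger values sit at an offset
            (off,) = struct.unpack(end + "I", tiff[pos + 8:pos + 12])
            raw = tiff[off:off + size]
        if len(raw) != size:
            raise ValueError("truncated EXIF data")
        entries[tag] = (typ, count, raw)
    return entries


def _dms(entry, end):
    """Decode a 3-RATIONAL (degrees, minutes, seconds) field to decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    v = struct.unpack(end + "IIIIII", raw)
    if 0 in v[1::2]:
        raise ValueError("zero denominator in GPS rational")
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if there is no GPS data."""
    for marker, _, _, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        end = ">" if tiff[:2] == b"MM" else "<"          # byte order of the TIFF block
        (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, end)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, end)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        lat, lon = _dms(gps[TAG_LAT], end), _dms(gps[TAG_LON], end)
        if gps[TAG_LAT_REF][2].startswith(b"S"):
            lat = -lat
        if gps[TAG_LON_REF][2].startswith(b"W"):
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every Exif APP1 segment removed; pixel data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, seg_end, payload in _segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[start:seg_end]
        pos = seg_end
    out += jpeg[pos:]                         # SOS onward (and EOI) copied verbatim
    return bytes(out)


def build_sample_jpeg():
    """Constructed fixture: SOI + JFIF APP0 + Exif APP1 (big-endian, GPS IFD) + EOI."""
    end = ">"
    entry = lambda tag, typ, count, val: struct.pack(end + "HHI", tag, typ, count) + val
    rationals = lambda *pairs: b"".join(struct.pack(end + "II", n, d) for n, d in pairs)
    gps_off = 8 + 2 + 12 + 4                  # IFD0 has one entry -> GPS IFD at 26
    data_off = gps_off + 2 + 4 * 12 + 4       # four GPS entries -> rationals at 80
    lat = rationals((45, 1), (30, 1), (0, 1))           # 45 deg 30' 0"  N (made up)
    lon = rationals((73, 1), (34, 1), (125, 10))        # 73 deg 34' 12.5" W (made up)
    ifd0 = (struct.pack(end + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(end + "I", gps_off))
            + struct.pack(end + "I", 0))
    gps = (struct.pack(end + "H", 4)
           + entry(TAG_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(TAG_LAT, 5, 3, struct.pack(end + "I", data_off))
           + entry(TAG_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(TAG_LON, 5, 3, struct.pack(end + "I", data_off + len(lat)))
           + struct.pack(end + "I", 0))
    payload = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(end + "I", 8) + ifd0 + gps + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + JFIF_APP0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("before:", gps_coordinates(img))
    print("after: ", gps_coordinates(strip_exif(img)))
```

Stripping at upload time is the only reliable control: once an image has been served, every copy a visitor or a crawler saved still carries the coordinates. Note that the stripper also drops non-GPS EXIF fields (camera serial numbers, timestamps, embedded thumbnails), which is usually what you want for user-uploaded content.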
IT administrators who still allow employees to use Microsoft's Internet Explorer browser should be aware that hackers are hunting for installations that have not patched a year-old vulnerability. The warning comes from researchers at Bitdefender. Attackers exploit the vulnerability to install the RedLine Stealer Trojan, malware that steals passwords, credit card information and other sensitive data. Microsoft patched the vulnerability in March 2021, so any machine still exposed is more than a year behind on updates. There is no reason for businesses or individuals to keep running an outdated version of any browser, and Internet Explorer 11 itself is scheduled for retirement by Microsoft on June 15, 2022, one more reason to move users to a supported browser. Individuals should check at least once a week that their browser is running the latest version; administrators should confirm through their patch management reporting that the March 2021 update was actually installed rather than assuming it was.
Does Facebook have full control over its users' data? Can it make privacy promises to users and regulators? No, say some of its own employees, according to a document written last year and seen by Motherboard reporters. Written by Facebook privacy engineers on the Ad and Business Product team, it says the company cannot confidently make controlled policy changes or external commitments such as "we will not use X data for purpose Y". The problem, the document says, is that privacy regulators expect Facebook to make exactly such promises. A Facebook spokesperson responded that the company has extensive processes and controls in place to comply with privacy regulations. There is a link to the article in the text version of this podcast, so you can read it and judge for yourself.
To finish, later today, look for the Week in Review edition of the podcast. My guest is Terry Cutler, director of the Montreal Cyology Laboratories. We’ll discuss the tactics of the Lapsus$ extortion gang, ransomware attacks in Costa Rica, and a list of favorite vulnerabilities exploited by hackers over the past year.
Remember that links to podcast story details are in the text version on ITWorldCanada.com. This is where you will also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.