
Friday Five: 10/25 Edition

by Chris Brook on Tuesday September 15, 2020


The FBI warns about e-skimming, a VPN is hacked, and the best and worst states for online privacy. Catch up on the news of the week with the Friday Five!

1. Justice official: U.S. private and public sectors face the same Chinese spying tactics by Sean Lyngaas

Cyberscoop checks in from DC CyberTalks, a conference it runs with speakers from all walks: the NSA, DHS, CISA, and the FBI, along with a handful of private sector companies. In a talk on Thursday, John Demers, the Assistant Attorney General for National Security, suggested that when it comes to harvesting intellectual property, Chinese spies are using the same techniques in both the U.S. private and public sectors. "Chinese intelligence officers have looked to recruit employees at U.S. companies and use that foothold to steal trade secrets in sophisticated operations," Sean Lyngaas writes. The U.S. has been resolute of late in its stance against hackers who steal IP. The Pentagon, the U.S. Air Force and the Department of Justice have all ramped up efforts to combat Chinese espionage over the last two years.


2. FBI Issues Payment Card Skimming Warning by Akshaya Asokan

In case you missed the memo, it’s October, cybersecurity month in the U.S., and the FBI did its part this week by sharing a warning about electronic skimming, or e-skimming, for small and medium-sized businesses and government agencies that take credit card payments online. It's unclear if the FBI has seen an uptick in this style of attack, which relies on attackers inserting malicious code into the checkout pages of online retail sites, but it's valuable advice nonetheless, especially the "update and patch all systems" tip, something that may seem obvious to some but is not regularly followed in retail environments.


3. ID card scandal deepens: Irish government vows to defy Data Protection Commission’s ruling against Public Services Card by Glyn Moody

Last week, in an article about Ireland's data protection commission, we briefly glossed over a story that's been making headlines in the country all summer. The DPC said earlier this year that it was unlawful for the State to keep data on more than three million people who have a public services card. Now it seems like the Irish government is preparing to not comply with, if not outright defy, the Data Protection Commissioner's report. Since the DPC’s report, Ireland’s Minister for Employment Affairs and Social Protection Regina Doherty has gone on the record saying that her department isn't planning to comply with the DPC's directions, meaning the two parties will likely have to fight it out in the courts. The DPC's main complaint is that the card is essentially an identity card and that Irish citizens can't reasonably exercise control over their information; also at issue are “whether safeguards and controls had been built into the system” and whether the PSC is “consistent with applicable provisions of data protection law.”


4. Popular VPN service NordVPN confirms data center breach by Oscar Gonzalez and Rae Hodge

We learned this week that not even virtual private networks (VPNs) are immune to breaches, as NordVPN, one of the more heavily marketed VPNs, disclosed a breach. The incident, which occurred in 2018, stems from what CNET refers to as an unauthorized user accessing a server the VPN was renting from a provider in Finland. It doesn't sound like any usernames or passwords were implicated in the incident, but the company is changing how it does business with data centers going forward, including discontinuing its contract with the unnamed company. In a statement the company released on Monday, it revealed that while the attacker didn't take user data, a TLS key from the server was taken, something that could have let the attacker decrypt sessions with the Finnish server. “The only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access,” the company said, downplaying the issue.


5. The best and worst states for online privacy by Margaret Harding McGill

A quick recap here, via Axios, of research by Comparitech, a UK-based company that regularly researches, compares, and rates technology, on the states that best protect users' privacy in 2019. Emerging victorious were California, Delaware, and Utah. That California was in the top spot should come as little surprise; the state is readying its sweeping new data privacy legislation, the California Consumer Privacy Act, set to go into effect in January. The state ranked the worst at protecting users' privacy was Wyoming, largely because of its lack of a law protecting journalists from exposing sources, and also because companies there don't have to eliminate users' personal data after a set amount of time. Readers interested in a more visual representation of how state laws protect users should review our United States data breach heatmap infographic if they haven't done so already.


Tags:  Privacy Government
