
PC PORTAL


InfoSec

August 20, 2019 By PC Portal

Cybersecurity in Schools: What Families Need to Know


Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure. 


Unsecured School WiFi

Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.

Weak Cybersecurity Practices

A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessed through a simple change to a numeric ID in a URL. While the scope of the vulnerability was being explored, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.

Targeted Cybersecurity Attacks

Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks. 

Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attacker who targets a school so that they won’t have to take a test may not be as costly as one that targets student data, it still can grind a school system to a halt.

How to Protect Your Student’s Cybersecurity

How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.

Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect to and disconnect from their VPN at will.

Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car; they should also know how to stay safe online, whether at home, school, or a friend’s house.

The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.

The post Cybersecurity in Schools: What Families Need to Know appeared first on Webroot Blog.

Filed Under: Featured Posts, Home + Mobile, IT Security Tagged With: InfoSec, Privacy, syndicated

August 16, 2019 By PC Portal

Cyber News Rundown: Hookup App Exposes Users


Hookup App Leaks User Locations

Geo-locating and other sensitive data has been leaked from the hookup app 3fun, exposing the information for more than 1.5 million users. While some dating apps use trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of its clients’ activities.

Ransomware Attacks on DSLR Cameras

Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.


Google Drive Exploit Allows Phishing Campaign to Flourish

A new phishing campaign has been discovered that uses a legitimate Google Drive account to impersonate the CEO, asking the victim to open a Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention and the email itself appears to be a hastily compiled template.

British Airways Data Leak

British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.

Android Trojan Adds New Functionality

Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking if the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.

The post Cyber News Rundown: Hookup App Exposes Users appeared first on Webroot Blog.

Filed Under: data breach, Industry Intel, IT Security Tagged With: InfoSec, Malware, ransomware, syndicated

August 9, 2019 By PC Portal

Cyber News Rundown: Children’s Tablets Show Vulnerabilities


Children’s Tablets Leave Users Vulnerable

At least one LeapPad tablet designed specifically for children has been found to harbor critical vulnerabilities in the app Pet Chat that could allow unauthorized access to online traffic. The vulnerabilities could be used to locate the tablet’s owner by creating a temporary WiFi network to help the user connect with other devices in the area. In addition to the remote access, local attackers would be able to send messages to children through non-HTTPS communications.

UK Universities Lacking Security

A recent study found that nearly 65% of the UK’s top universities are currently operating with sub-standard cybersecurity, especially during the time that students would be sitting for final exams. Among the remaining 35% of universities that did have some domain authentication, only 5% of those were using settings that would fully block phishing emails. If UK university students are requesting any login changes, they should be cautious when opening anything they receive, as the message may be compromised.

Intel CPU Patch Issued by Microsoft

Microsoft just released a patch for an Intel CPU vulnerability that was brought to light in 2012. The flaw could have been used to breach memory data from the device. The researchers who discovered it found they could easily leak sensitive kernel memory data into the normal user operations, even though a system normally doesn’t allow this. Additionally, this vulnerability would allow for speculative execution, which is when the system begins executing certain operations pre-emptively and simply deletes those that don’t occur.

AT&T Employees Bribed to Unlock Phones

Employees of AT&T were found to be illicitly installing hardware onto corporate systems that would allow an attacker to unlock phones that were prevented from being used on other mobile providers. Even though some of the conspirators were eventually fired, many continued to work from within and from outside the company to further compromise nearly 2 million individual devices until the scam, which had been ongoing for more than five years, was discovered.

Mobile Bank Customers’ PINs Exposed

Customers of Monzo, a mobile-only bank in the UK, are being warned to change their PINs after many customers’ PINs were leaked into internal log files. Fortunately, the data wasn’t made available outside of the company and the problem of PINs being stored in an alternate location has been resolved. Even after the company fixed the data leak, though, many customers were still suspicious when receiving an email informing them of the PIN reset issue.

The post Cyber News Rundown: Children’s Tablets Show Vulnerabilities appeared first on Webroot Blog.

Filed Under: Industry Intel, IT Security Tagged With: InfoSec, Malware, Privacy, syndicated

August 6, 2019 By PC Portal

Security roundup: August 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: pwning an entire country, data protection developments, and why anonymised data could still add up to your identity.

Bulgarian rhapsody

As data breaches go, four million records barely registers on the scale these days but this one was different. Attackers breached Bulgaria’s National Revenue Agency and extracted personal information about 70 per cent of the country’s citizens. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.” The BBC was quoting Vesselin Bontchev, a cybersecurity researcher and assistant professor at the Bulgarian Academy of Sciences.

The haul included people’s names, addresses, social security numbers and, in some cases, income levels. It also contained information from other government agencies that shared data with each other. Some of the data has since turned up online in hacker trading forums. Many Bulgarians reportedly live in fear of falling victim to scammers, although the NRA has denied this is a risk.

The breach became public after someone claiming to be responsible emailed local media with a link to the leaked data. The message, which apparently originated from a Russian email address, also labelled Bulgaria’s cybersecurity “a parody”. The tax agency claimed in a statement that the information amounts to around 3 per cent of its databases. Bulgarian authorities arrested three men who work for, ironically enough, a cybersecurity consultancy. The charges are for a form of terrorism.

More details were still emerging as we were writing this newsletter, but one thing seems clear. The story gives fresh ammunition to privacy campaigners who warn against trusting governments to protect citizens’ personal data.

Data protection developments: the latest

This month’s GDPRoundup (we’re copyrighting that) takes a trip between the sublime and the ridiculous. First, the EU Data Protection Board, which oversees consistent application of the General Data Protection Regulation across Europe, recently published its annual report for 2018. It includes the practical application of guidelines; the group’s recommendations and best practice; binding decisions; and the levels of data protection of natural persons in the EU.

Points of interest in the report include the EDPB’s plans near term and longer term. Over this year and next, it will consider issues like data subjects’ rights, the concepts of controller and processor, and legitimate interests. Looking further ahead, it plans to evaluate emerging technologies and related developments, including connected vehicles, blockchain, AI and digital assistants, video surveillance, search engine delisting, and data protection by design and by default. The report is free to download here.

Meanwhile, the UK Information Commission has published its draft data sharing code of practice. It’s a practical guide for organisations about how to share personal data while staying compliant with data protection legislation.

Some organisations could clearly do with advice about lots of aspects of GDPR, especially a tendency towards over-enforcing the rules. “In my experience, some organisations are hiding behind the GDPR,” BH Consulting COO Valerie Lyons told the Irish Independent. Poor understanding of the regulation, and inadequate staff training as a result, is to blame. “They are missing out on opportunities where they could be helping their customers because it’s easier to say no,” Valerie said.

Taking GDPR interpretation to extremes

We promised ridiculous, so try this: you won’t find visitor books at Ireland’s most popular heritage sites this summer. Tourists can no longer scrawl signatures or messages at locations like Kilmainham Gaol, Dublin Castle, the Hill of Tara or the Rock of Cashel. The Office of Public Works ordered the books’ removal because of, wait for it, data protection concerns.

The OPW took the view that visitors were recording personal data in the books, which were out of view of staff. Conversely, one privacy expert took the view that this was “insanity” and an “overly literal” interpretation of the regulations.

We can de-anonymise it for you wholesale

Staying with our privacy-themed roundup, here’s a worrying development. Researchers have discovered a way to identify people by reassembling pieces of information that should have rendered them anonymous.

The GDPR’s Article 28 expressly refers to anonymisation as a way to reduce the risk to sensitive personal information. For example, data controllers might use this de-identification approach when sharing large data sets as part of medical research. But a team of scientists from Imperial College London and Université Catholique de Louvain developed a machine learning program that proved wildly successful at beating this technique. As The New York Times reported, the algorithm could identify 99.98 per cent of Americans from almost any available data set with as few as 15 attributes, such as gender, ZIP code or marital status.

The researchers noted in the journal Nature Communications: “Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.” Helpfully, the researchers also developed a free online tool that lets people check whether their individual characteristics could identify them.

Links we liked

Sound the trumpets: BH Consulting features in top 50 recommended infosec blogs.

They grow up so fast: NoMoreRansom.org turns three, with 108m reasons to celebrate.

Send this up the chain of command. Feds say CEO fraud nets scammers $8.7m a day.

It must be true if the boss says so. Cybersecurity is the ‘biggest threat’ to global economy.

A roadmap for improving security awareness programmes, courtesy of SANS.

Here’s a look behind the UK NCSC’s efforts to ward off attacks.

The Irish Government and National Cyber Security Centre join Have I Been Pwned.

The kill switch that saved the internet from WannaCry: an in-depth report.

Chaos engineering: the next evolution of pen testing.

The Law Enforcement Directive (‘LED’) is a parallel piece of EU legislation to GDPR.

 

The post Security roundup: August 2019 appeared first on BH Consulting.

Filed Under: BH Consulting News, Data Protection and Privacy, GDPR, Information Security News, IT Security Tagged With: InfoSec, syndicated

July 26, 2019 By PC Portal

Cyber News Rundown: Hackers Expose US Colleges


Vulnerability Exposes Dozens of U.S. Colleges

At least 62 U.S. colleges have been compromised after an authentication vulnerability was discovered by hackers, allowing them to easily access user accounts. At several of the compromised colleges, officials were tipped off after hundreds of fraudulent user accounts were created within a 24-hour period. The vulnerability that was exploited stemmed from a Banner software program that is very widely used by educational institutions; however, many colleges had already patched the flawed software versions and so were unaffected.

Data Breach Affects Lancaster University Applicants

Officials recently announced that a data breach compromised the personal records of all 2019 and 2020 applicants of Lancaster University. Additionally, some applicants have been receiving fraudulent tuition invoices, which the University recommends recipients delete immediately. The breach occurred sometime on Friday, and University officials quickly began contacting the affected parties and securing their IT systems.

Facebook to Pay $5 Billion in FTC Fines

Nearly a year after the Cambridge Analytica discovery, the FTC has issued a record fine of $5 billion to be paid by Facebook in recompense for their deceitful use of the private information from hundreds of millions of their users. The staggering sum Facebook must pay sets a strong incentive for all industries to handle their customers’ sensitive data with the appropriate security and care, and also to address follow-up actions in the wake of a breach more adequately than Facebook did.

Remote Android Trojan Targets Specific Victims

A new remote-access Trojan, dubbed Monokle, has been spotted working through the Android™ community with a laundry list of dangerous capabilities, most of which are designed to steal information from the infected devices. To make Monokle even more dangerous, it can also install trusted certificates that grant it root level access and near total control over the device.

Fake Browser Update Distributes TrickBot

As TrickBot continues its multi-year streak of mayhem for computer systems and sensitive information, criminals created a new set of fake updates for the Google™ Chrome and Mozilla™ Firefox browsers that would push a TrickBot download. The updates appear to have originated at a phony Office365 site that does give users a legitimate link to a browser download, though it quickly prompts the user to install an update which installs the TrickBot executable.

The post Cyber News Rundown: Hackers Expose US Colleges appeared first on Webroot Blog.

Filed Under: data breach, Industry Intel, IT Security Tagged With: InfoSec, Privacy, syndicated


Copyright © 2021 · PC PORTAL