Warnings to data collectors, an alert on remote access technologies and a caution to those using wireless device location systems.
Welcome to Cyber Security Today. It’s Wednesday, August 17th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Businesses love collecting data that tells them about customers. But I have two pieces of recent news about consumer data collection that serve as warnings to corporate data privacy officers.
First, researchers this week published a report that raises questions about data collected online by medical-related companies and shared with Facebook for advertising and product lead generation. The report appears in a data science journal called Patterns. It suggests that common marketing tools used by health or pharmaceutical companies may be sharing people’s sensitive health data with Facebook for advertising without their consent. This is important, researchers say, because Facebook groups are places where many people go for peer support and for health information. But, the report says, the browsing data of people who visit the websites of some health companies, sign up for digital health apps or fill in online surveys might identify those who thought they were anonymous. That raises worries about what happens if such data is stolen and scammers use it to target people with misleading health-related ads. Researchers also pointed out that three of the five cancer-related health companies they studied using cross-site browser tracking tools didn’t comply with their own privacy policies.
The second item is the announcement last week that the U.S. Federal Trade Commission is thinking about creating regulations to crack down on what it calls harmful online commercial surveillance of people and lax data security of companies that collect data. Firms collect personal data on a massive scale, said commission chair Lina Khan. Businesses that hoover up sensitive user data may unlawfully handle that data, she said. The FTC also worries about the processing of data through machine learning algorithms that could discriminate against consumers based on race, gender, religion and age. That could be used against them when they look for jobs or want to get loans. Americans interested in letting the FTC know if it should — or shouldn’t — get into this area have until mid-October to file a brief. There will also be an online public forum for Americans to discuss the issue on September 8th.
Privacy experts say businesses need to think carefully about what personal data they collect, whether they need to collect as much as they do, whether it should be anonymized, how personal data is stored, how long it should be held until it is destroyed, whether it will be sold to third parties — and, most importantly, how to be upfront to the public about all of this.
Attention IT, OT and security leaders: there are thousands of vulnerable internet-facing virtual network computing, or VNC, endpoints out there. They are vulnerable because they don’t require authentication to log in. According to researchers at Cyble, hackers are exploiting these remote access endpoints to get into organizations’ networks. Alarmingly, some of that access connects to industrial devices in water treatment plants, manufacturing plants and research facilities. VNC is a graphical desktop sharing system. Ideally, systems and applications using VNC shouldn’t be exposed to the internet. If they are, they should be secured with strong passwords, multifactor authentication and limited access. For best security, any critical asset like a server or machine should be behind a firewall.
Here’s another warning, this time to organizations using ultra-wideband real-time locating wireless systems. These systems use tags or other technologies to track the location of things such as devices in hospitals, factories and buildings, components on a factory assembly line, or smart cards carried by employees. Researchers at Nozomi Networks found vulnerabilities in products from two manufacturers that allow an attacker to access sensitive location data over the air. Organizations using real-time wireless locating systems should segregate those systems on their networks, put them behind firewalls and make sure their data is encrypted.
Finally, I’ve quoted experts before warning internet users of the dangers of installing untested extensions to their browsers. These utilities are supposed to help you by doing everything from checking spelling to blocking ads — but they’re helpful only if they aren’t malicious. In a report issued yesterday researchers at Kaspersky noted that bad extensions even get into legitimate places. For example, Google had to remove 106 bad extensions from its Chrome Web Store in 2020. Kaspersky estimates over 1.3 million of its subscribers tried to download malicious or unwanted extensions at least once in the first six months of this year. More than 4.3 million users were attacked by adware hiding in browser extensions. It helps — but not all the time — to only download extensions from trusted web stores. Whenever you do, check the access to resources an extension asks for. Be suspicious of extensions that want to access a device’s camera, contact list, microphone and data if they logically don’t need to. Why does an antivirus app need to access your microphone? The best defence is to limit the extensions you have and regularly review them to see if they are really needed.
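As an added illustration of the permission review described above (example code, not part of the podcast or Kaspersky’s report), the script below reads a browser extension’s manifest.json and flags the permissions that reach far beyond one tab. The permission names are real Chrome/WebExtension identifiers; the two manifests are constructed samples, and the risk list is this example’s own judgement, not a published standard.

```javascript
// Added example: audit an extension manifest for broad or sensitive permissions,
// a first pass at the "does it logically need this?" review the episode recommends.
// Constructed samples below; the permission names are real Chrome/WebExtension ones.

// API permissions that expose browsing data or control well beyond a single page.
const SENSITIVE_PERMISSIONS = new Set([
  "tabs", "history", "cookies", "webRequest", "webRequestBlocking",
  "clipboardRead", "nativeMessaging", "debugger", "proxy", "management", "scripting",
]);

// Host patterns that match every site are as broad as "<all_urls>".
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" ||
    /^\*:\/\/\*\/.*/.test(pattern) ||          // *://*/...
    /^https?:\/\/\*\/.*/.test(pattern);        // http://*/... or https://*/...
}

// Returns the sensitive API permissions and broad host patterns a manifest requests.
function auditExtensionManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),       // manifest v3 lists hosts separately
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  const sensitive = [...new Set(declared.filter(p => SENSITIVE_PERMISSIONS.has(p)))];
  const broadHosts = [...new Set(declared.filter(isBroadHostPattern))];
  return { name: manifest.name, sensitive, broadHosts,
           needsReview: sensitive.length + broadHosts.length > 0 };
}

// Constructed sample: a spell checker that only touches the active tab on demand.
const modestManifest = {
  name: "Spell Helper", manifest_version: 3,
  permissions: ["activeTab", "storage"],
};

// Constructed sample: a "spell checker" that wants every site plus browsing data.
const greedyManifest = {
  name: "Spell Helper Pro", manifest_version: 3,
  permissions: ["storage", "tabs", "history", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

console.log(auditExtensionManifest(modestManifest));   // needsReview: false
console.log(auditExtensionManifest(greedyManifest));   // needsReview: true
```

A flagged permission is not proof of malice; it is the prompt to ask, as the episode does, why a spell checker needs your browsing history.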
That’s it for now. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.