An alarming increase in cyber vulnerabilities for small and medium-sized businesses in the US and Canada, the US government says it's okay to launch cyber attacks at Russia, some old attack methods using PDFs may be back, and Canadian chain Tim Hortons is admonished for breach of Canadian privacy laws.
I’m Jim Love, CIO of IT World Canada, sitting in for the vacationing Howard Solomon, and this is Cyber Security Today for Friday, June 3rd.
Alarming Increase in Cyber Vulnerabilities for Small and Medium-Sized Businesses in US and Canada
Cybersecurity firm CyberCatch announced the publication of its quarterly Small and Medium-Sized Businesses Vulnerabilities Report (SMBVR) for Q1 2022.
The report noted “an alarming rise in vulnerabilities detected in Internet-facing websites, servers and applications.”
“82% of U.S. and 78% of Canadian SMBs have spoofing vulnerabilities that attackers can easily exploit.”
Of greatest concern, CyberCatch’s SMBVR has detected – for the first time in the report’s history – substantial levels of vulnerability among both U.S. and Canadian SMBs to “session riding” attacks, an insidious tactic that forces authenticated users to unknowingly submit malicious requests that can have drastic consequences.
The report notes that given their size, knowledge and resources, many SMBs may not be able to recover from cyber attacks launched by sophisticated attackers who view them as the “weakest link” in the chain and a way to get access to larger targets for whom these SMBs may be suppliers.
Earlier in May of this year, the “5 eyes” group, representing the US, Canada, New Zealand, Australia and the UK, warned of expected increased attacks targeting Managed Service Providers (MSPs), focusing on their customers (downstream risk).
This SMB report warns of weaknesses in a wider range of additional companies, including – frighteningly – defence contractors, but also manufacturers, technology companies, colleges and universities, legal and accounting firms and medical practices all of which have significantly higher rates of vulnerabilities both in the U.S. and Canada.
US Government has declared that attacks against Russia are not against US policy
The vulnerabilities of businesses are even more disturbing in the light of a potential escalation of cyber conflict resulting from the war in Ukraine.
In a short but troubling announcement by the US government this week, a Reuters report noted that the “White House said on Wednesday that any offensive cyber activity against Russia would not be a violation of U.S. policy of avoiding direct military conflict with Russia over its invasion of Ukraine.”
Not only would such attacks be permitted, but White House press secretary Karine Jean-Pierre was commenting on statements from U.S. Cyber Command chief General Paul Nakasone, who told Sky News on Wednesday that the United States has actually conducted a series of digital operations in support of Ukraine.
PDF malware is not dead
Crossfire in the cyber war is not the only issue for vulnerable companies. Some old reliable attacks are still proving their usefulness.
For years, cyber crooks have been packaging malware in Microsoft Office file formats, particularly Word and Excel. In fact, security firm HP Wolf Security reported that in Q1 2022 nearly half (45%) of malware stopped by their software used Office formats. They note in a recent blog that “the reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures.”
Not surprisingly, more and more endpoint security is aimed at trying to detect and prevent these attacks.
To circumvent this, attackers are using a clever twist: embedding a Word (docx) file in a PDF document and tricking Adobe Reader into prompting the user to open a file that has the phrase “has been verified” in its file name, which makes the phrase “has been verified” appear to be part of a prompt from Adobe.
For users where Protected View is disabled, Word downloads a rich text format (.rtf) file from a web server and opens it. In a complex sequence outlined in the blog, a malicious executable file is then downloaded.
This attack is not new and has been around for almost 4 years according to the blog, which also notes that this resurgence would indicate that this attack is still very effective.
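For defenders triaging PDF attachments, the traits described above (an embedded Office document whose file name contains the phrase “has been verified”) can be checked with a simple heuristic. This is an added example, not code from HP Wolf Security or the blog; the extension list and the sample bytes are assumptions constructed for illustration, and the scan only sees uncompressed objects with literal-string file names.

```python
import re

# Office extensions treated as risky when carried inside a PDF (assumed list).
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")
# Phrase the page says is placed in the file name to imitate a reader prompt.
LURE_PHRASES = ("has been verified",)
# /F (...) or /UF (...) entries of a file specification, literal strings only.
FILENAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\()])*)\)", re.S)


def _unescape(raw: bytes) -> str:
    """Drop the backslash from simple PDF literal-string escapes."""
    return re.sub(rb"\\(.)", rb"\1", raw, flags=re.S).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage of raw PDF bytes; compressed object streams are not decoded."""
    has_embedded = b"/EmbeddedFile" in data
    names = [_unescape(m) for m in FILENAME_RE.findall(data)]
    reasons = []
    for name in names:
        lower = name.lower()
        if has_embedded and lower.endswith(OFFICE_EXT):
            reasons.append(f"embedded Office document: {name!r}")
        if any(phrase in lower for phrase in LURE_PHRASES):
            reasons.append(f"file name imitates a prompt: {name!r}")
    return {"embedded": has_embedded, "names": names,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples: minimal PDF-like byte strings, not real documents.
SAMPLE_LURE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (invoice has been verified.docx)"
    b" /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("plain", SAMPLE_PLAIN)):
        result = scan_pdf(sample)
        print(label, result["suspicious"], result["reasons"])
```

A hit is a reason to route the attachment to sandboxing or manual review, not a verdict, since a clean result does not cover compressed or hex-encoded objects.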
Iconic Canadian coffee chain found to violate privacy laws
According to a report in IT World Canada, a joint investigation launched in June 2020 by the Office of the Privacy Commissioner of Canada (OPC) and Canada’s three provincial private sector privacy authorities in Alberta, British Columbia, and Quebec has found that iconic Canadian coffee franchise Tim Hortons and its parent company Restaurant Brands International (RBI) violated federal and provincial privacy laws with its app’s location tracking.
The investigation was launched after a reporter for the Financial Post published a story detailing how the app was tracking his movements even when it did not have permission. The author set the permissions to only allow tracking when it was open, but the app continued to track him when it was supposedly closed. He reported that it tracked him 2,700 times in less than five months to his home, his work, when he was travelling and even when he was visiting a competitor.
The IT World Canada report notes the investigation not only found that the app potentially violated the law, but concluded that Tim Hortons’ continual and vast collection of location information was “not proportional to the benefits it may have hoped to gain from better targeted promotion of its coffee and other products.” It also found that even after the company shelved plans to use the data for targeted advertising, it continued to collect it until after the investigation was launched.
Despite the finding and because Canadian privacy laws don’t have the teeth of some other jurisdictions, Tim Hortons got away with expressing remorse, agreeing to delete some of this data and of course, being double double sorry.
That’s Cyber Security Today for Friday, June 3rd, 2022.
Follow Cyber Security Today wherever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and creators of the ITWC podcasting network. Howard will be back on Monday.