Report on Canadian government data breaches, kill that recorder Android app and Web site woes for U.S. government
Welcome to Cyber Security Today. It’s Friday Sept. 28th.
Do Canadian federal employees take privacy problems seriously? Maybe not, if the latest annual report from the country’s privacy commissioner is any guide. The report notes that officially it received 286 data breach reports in the last fiscal year. However, the government told Parliament it had suffered many more. It is obvious that some material breaches go unreported and, more importantly, others likely go entirely unnoticed in many institutions, said the report filed Thursday. The privacy commissioner did a survey of a few departments. Many admitted that their employees don’t fully grasp what constitutes personal information and their obligations under federal law, said the report. Here’s an example: When asked if they would consider a lost valid passport to be a material privacy breach, some answered: “yes,” some said “no”, and some said “it depends”. The government said it will soon release new rules for employees to make sure they understand their obligations.
Do you have an Android app on your smart phone called QRecorder that allows you to record phone calls? If so, delete it, because it’s malware. Its real purpose is to give hackers the ability to get at your bank password if you do any banking with your phone. It worked even if you had two-factor SMS text authentication. This app has now been removed from the Google Play Store. Although it appeared to mainly target banks in Germany, Poland and the Czech Republic, it could have been used against other banks. It’s another reminder that the fewer apps you have on your smart phones the better.
Stealing personal information through phishing is one of the major ways attackers toy with victims. Playing around with web sites is another. This week it was learned that a site of the U.S. Department of Agriculture was hacked, allowing the posting of articles on marijuana, video games, and beauty products. Apparently the way the attacker got in was by compromising a web form on a page, which is how another group of hackers I reported on recently was skimming off credit card numbers as they were being entered for purchases. This month security vendor SiteLock issued a report reminding web site operators they have to follow basic security practices: Make sure all security updates and patches are installed as soon as possible, protect sites with a web application firewall and make it hard for attackers to take over administrators’ accounts by using strong passwords and two-factor authentication.
SiteLock analyzed 6 million web sites recently and found nine per cent had at least one vulnerability.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.