Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, June 23rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of New Brunswick’s Beauceron Security will be here to discuss recent cybersecurity news. But first a look back at headlines from the past seven days:
Several civil rights groups this week called on the Canadian government to tighten up its proposed cybersecurity law. It would force companies to do certain things to protect their IT networks, but the groups say the circumstances under which they could be forced to act are too vague. David and I will look at their complaints.
We’ll also talk about the proper way companies should notify victims of a data breach after UPS Canada began notifying some customers of a text scam. A different and complex email and phone scam aimed at stealing cryptocurrency is on our agenda, as is why cybercrooks like using the Telegram Messaging service, and whether reporters should be forbidden by the courts from publishing copies of stolen data posted by hackers.
Also in the news, owners and network managers of certain unpatched routers and network devices are at risk of being compromised by a variant of the Mirai botnet. That’s the word from researchers at Palo Alto Networks. Threat actors have recently been trying to infect vulnerable devices from D-Link, Arris, Telesquare, Tenda, Nortek, Netgear, TP-Link and others. Botnets of connected devices are used to spread malware. The report is another warning to IT administrators that password and patching security are vital to preventing this kind of intrusion.
Millions of GitHub repositories may be vulnerable to being hijacked. That’s according to researchers at AquaSec. The problem is in repositories that organizations or individual owners have chosen to re-name. A vulnerability allows an attacker to get around the limitation of accessing old repository names and therefore get into the newly-named repository. From there attackers could change code in the repository to add malware. If your organization changes a GitHub repository name make sure it still owns and protects the previous name.
Gen Digital, the parent company of Avast, Avira, Norton and LifeLock, has joined the list of organizations admitting they were victimized by the vulnerability in the MOVEit file transfer software. The company says some personal information of employees and contingent workers was copied.
Internet-exposed Linux-based devices are being targeted by hackers, according to Microsoft researchers. Their tool is a patched version of the OpenSSH utility, used to take control of devices and install cryptomining malware.
And VMware has patched high-severity security vulnerabilities in vCenter Server. These memory corruption bugs need to be addressed as soon as possible by applying security updates.
(The following is an edited transcript of one of the news stories discussed. To hear the full conversation play the podcast)
Howard: What’s the right way organizations should notify victims of a data breach? This week UPS Canada sent a letter to an unknown number of Canadians about a text smishing scam. The headline of the letter is “Re: Fighting Phishing and Smishing — an Update from UPS.” It goes on to say “At UPS, we are committed to fighting fraud. We want to let you know what phishing and smishing are and what you can do to protect yourself.” It goes on to define email and text-based scams where crooks message people that they owe money for delivery of a UPS package. A hundred and twenty-eight words or so later the meat of the letter becomes clear: UPS Canada has discovered that people have received fraudulent text messages demanding payment before a package can be delivered. They are getting this message after UPS Canada realized anyone searching its website for information about a package could get information about anyone’s delivery, including a recipient’s name, address, order number and phone number. With that phone number a crook could send a smishing message to a potential victim who is expecting a UPS package. The problem was available from February 1, 2022 to April 24, 2023. The letter doesn’t specifically say the recipient had their data accessed. But then again, why else would it be sent to a named person? Is this a proper format for a data breach notification letter?
David Shipley: This is 100 per cent the wrong way to do this. It’s disingenuous at best and manipulative at worst. Now I want to be really, really clear: I am not a lawyer. But I don’t know how this notification would pass the guidance given by Canada’s federal privacy commissioner on their website, which says breach notifications to end users must be “conspicuous” which, when I checked with our friends at Dictionary.com, means easy to be seen. So I don’t think 128 words in [to the letter] is easy to be seen.
Howard: I became aware of this letter because it was sent to Brett Callow, a Canadian-based threat analyst for the cybersecurity firm Emsisoft, who posted it on Twitter. He said this is not what a data breach notification should look like. He feels a data breach notification letter should immediately make it clear, within the first sentence or two, what the letter is about.
David: Absolutely, and I think the good guidance from the federal privacy commissioner on their website seems to support that view. When researching for this episode I looked for really good guidance for data breach notification letters, and I came across the International Association of Privacy Practitioners (IAPP) and a sample that Thomson Reuters had prepared of a data breach notification with detailed advice and guidance covering various scenarios, including the nuances of different U.S. state privacy legislation — which actually sometimes can have conflicting guidance about what level of detail you should or should not include in it. It’s a phenomenal resource. I want to encourage organizations: if you look at that letter, within the first sentence they’re letting somebody know your information has been impacted in a data breach. I think that is best practice. It gives a whole bunch of really helpful guidance. But I don’t think folks should be following the UPS example. I think, you know, that’s a trip to the doghouse for UPS on this one.
UPDATE: More than 24 hours after we asked UPS for comment, and after the podcast was recorded, it emailed this reply:
“Apologies for the delay. We did not have a spokesperson available for comments or an interview. Below is the statement that has been provided to other outlets:
“We are constantly vigilant when it comes to phishing and other attempts from bad actors. UPS is aware of reports relating to an SMS phishing (“Smishing”) scheme focused on certain shippers and some of their customers in Canada. UPS has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries.
“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted. We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”