You can do it.

The IT Privacy and Security Weekly Update for the week ending September 12th 2023

9/12/2023

We’d like to start by letting you know that we are taking our first pod-break in over 3 years. We’ll be heading up to the highlands to ruminate before returning on the 3rd of October. It’s a perfect time to catch up on some of our previous pods. Thank you for joining in for the last 157 episodes and we look forward to serving up many more!

In this week’s IT Privacy and Security weekly update, episode 158, we have some really uncomfortable news about your new ride. You may want to sit down for this story, but... just not in the car.

We follow that with another related update... but this one is a little closer to home: running out of disk space, and how that cost one automobile company the loss in production of about 13,000 vehicles a day for at least a couple of days.

From there we move to details of our familiar friends at LastPass, what the backup breach might be costing former customers, and what you should do if you too used LastPass.

We have a new quota from the US Customs and Border Patrol that might have those leaving the US powdering their noses.

We finish with a couple of stories out of China that will have you doing a double take the next time you get a text on your phone and wondering why you ever complained about the “One” job you have.

And here is the best in IT Privacy and Security....

Global: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

In a startling revelation, Mozilla has exposed a concerning data collection practice by automakers, including industry giants like BMW, Ford, Toyota, Tesla, and Subaru.
These companies are amassing a broad range of personal information from drivers, including sensitive details such as race, facial expressions, weight, and even health information. Shockingly, some vehicles have been found to collect data about sexual activity, race, and immigration status.

Nissan, in particular, stands out as the worst offender, with its privacy policy indicating the collection of deeply personal data, such as sexual activity and genetic information, without clear disclosure of how that data is gathered. Nissan also reserves the right to share this information with data brokers, law enforcement, and third parties.

Volkswagen gathers data on driving behaviors, like seatbelt and braking habits, coupled with personal details like age and gender for targeted advertising. Kia's privacy policy allows the monitoring of a person's "sex life", and Mercedes-Benz ships vehicles with TikTok pre-installed on their infotainment systems, a privacy concern in its own right.

Furthermore, many automakers engage in "privacy washing", presenting misleading information that downplays privacy concerns. Consent issues are equally troubling, with some brands suggesting that being a passenger implies consent for data collection. Complex and fragmented privacy policies further compound these problems.

So what's the upshot for you? This alarming report underscores the urgent need for transparency, accountability, and stronger data protection regulations in the automotive industry.

JP: Toyota says filled disk storage halted Japan-based factories
https://www.bleepingcomputer.com/news/security/toyota-says-filled-disk-storage-halted-japan-based-factories/

Toyota recently faced a major production disruption in Japan as 12 out of 14 car assembly plants ceased operations due to a system malfunction on August 29th. The halt resulted in daily production losses of approximately 13,000 cars, jeopardizing exports to the global market.
The issue arose during planned IT systems maintenance on August 27th, where data organization and deletion of fragmented data were scheduled. However, storage reached capacity prematurely, causing a system shutdown. Toyota's main servers and backup systems operated on the same infrastructure, so both failed at once, leaving no switchover option and halting factory operations.

The situation was resolved on August 29th when a larger-capacity server was prepared to accept the partially transferred data, enabling the restoration of the production ordering system and plant operations. Toyota issued an apology, emphasizing that this malfunction was not due to a cyberattack.

So what's the upshot for you? The incident highlights the intricacies of IT challenges and the potential multimillion-dollar consequences when routine maintenance tasks are not meticulously planned.

Global: Experts Fear Crooks Are Cracking Keys Stolen In LastPass Breach
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is founder and CEO of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.
Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically precede a high-dollar crypto heist, such as the compromise of one's email and/or mobile phone accounts.

So what's the upshot for you? It certainly appears that the connection is LastPass. We were initially shocked by LastPass' handling of this situation, but what it boils down to is this: if you were a LastPass user, consider all your passwords and secrets compromised until you move your passwords to a different password manager and update them. Cryptocurrencies should be moved into new wallets, with seed phrases handled and stowed very, very carefully.

US: Leaked Email: CBP Tells Airports Its New Facial Recognition Target is 75% of Passengers Leaving the US
https://www.404media.co/leaked-email-cbp-facial-recognition-75-percent/

Customs and Border Protection (CBP) has told airports it plans to increase its targets for scanning passengers with facial recognition as they leave the U.S., according to an internal airport email obtained by 404 Media. The new goal will be to scan 75 percent of all passengers, the email adds. The news signals CBP's increasing focus on biometric, and in particular facial recognition, systems at airports.

Although it is unclear if related to the shift in goals, one traveler was also recently told by airline industry staff "CBP said everyone has to do it" when they asked to opt out of facial recognition while boarding an international flight last month.

So what's the upshot for you? “This is a national, not per airport, goal, and applies to flights departing the U.S.,” the spokesperson added. CBP’s ultimate Congress-mandated goal is 97 percent or greater biometric exit compliance.

CN/US: Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.
https://thehackernews.com/2023/09/chinese-speaking-cybercriminals-launch.html

A new wave of cyber attacks is happening in the U.S., typically classed as "smishing." This is when scammers send fake text messages pretending to be from well-known delivery companies. They use compromised Apple iCloud accounts to do this. Their goal is to steal personal information and credit card details.

The people behind this attack are offering their tools to other criminals for $200 a month (SmaaS, Smishing as a Service). These tools let them pretend to be delivery companies in many countries. The tricky part is that they use stolen iCloud accounts to send fake messages saying a package delivery failed. They ask you to click on a link to reschedule the delivery, but it's a trick to get your credit card information.

Resecurity's analysis of the smishing kit revealed an SQL injection vulnerability that it said allowed them to retrieve over 108,044 records of victims' data. They think the scammers might be secretly collecting this information to sell or use themselves.

The Telegram group associated with Smishing Triad includes graphic designers, web developers, and sales people, who oversee the development of high-quality phishing kits as well as their marketing on dark web cybercrime forums. They work with others, too. Besides package scams, they also infect online shopping websites to steal customer information.

So what's the upshot for you? Because users tend to trust SMS and iMessage communication channels more than e-mail, this attack has successfully compromised numerous victims. Be careful with text messages, even if they seem real. The scammers are getting better, and that means you need to be more cautious.
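The "delivery failed, reschedule here" lure described above is easy to triage mechanically once you know its shape. The following is an added example (not code from the podcast, The Hacker News, or Resecurity) of a small scoring heuristic a help desk or SOC could run over user-reported texts: it looks for delivery-failure wording, checks whether any link points at a known carrier domain, and notes when the sender is an e-mail address rather than a carrier short code, which is what a message sent through a compromised iCloud account looks like. The carrier allow-list, the scoring weights, the threshold and the three sample messages are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of carrier domains for this example; a real deployment
# would maintain its own list (the post names no domains).
KNOWN_CARRIER_DOMAINS = {"usps.com", "ups.com", "fedex.com", "dhl.com"}

# Wording typical of the package-redelivery pretext described in the story.
LURE_PATTERNS = [
    r"\bdelivery (?:failed|attempt)\b",
    r"\b(?:could not|couldn't|unable to) (?:be )?deliver",
    r"\breschedul",
    r"\b(?:package|parcel) (?:is )?(?:on hold|held|waiting)\b",
    r"\b(?:incorrect|incomplete|missing) address\b",
]
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
EMAIL_SENDER_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def registrable_domain(host):
    # Crude last-two-labels approximation (no public-suffix list), enough to
    # compare e.g. "track.usps.com" against the allow-list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(sender, body):
    """Return (score, reasons) for one SMS/iMessage; higher is more suspicious."""
    score, reasons = 0, []
    text = body.lower()
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if lure_hits:
        score += 2
        reasons.append("delivery-failure lure wording")
    urls = URL_RE.findall(body)
    for url in urls:
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in KNOWN_CARRIER_DOMAINS:
            score += 3
            reasons.append(f"link to non-carrier host {host}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            score += 2
            reasons.append("raw IP address in link")
    # Messages sent through a compromised iCloud account arrive from an e-mail
    # address, not from the short code a carrier would use.
    if EMAIL_SENDER_RE.match(sender.strip()):
        score += 1
        reasons.append("sender is an e-mail address, not a short code")
    if lure_hits and urls:
        score += 1
        reasons.append("lure wording combined with a link")
    return score, reasons


def classify(sender, body, threshold=5):
    """Return (verdict, score, reasons); threshold is an assumed tuning value."""
    score, reasons = score_message(sender, body)
    return ("suspicious" if score >= threshold else "ok", score, reasons)


# Constructed sample messages, not real captures.
SAMPLES = [
    ("random.user@icloud.com",
     "USPS: Your package delivery failed due to an incomplete address. "
     "Reschedule here: https://usps-redelivery-update.example/track"),
    ("28777",
     "UPS: Your parcel will arrive Tuesday. Track at https://www.ups.com/track?tracknum=1Z999"),
    ("someone@icloud.com",
     "Hi, are we still on for lunch tomorrow?"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        verdict, score, reasons = classify(sender, body)
        print(f"{verdict:10} score={score} from={sender!r}")
        for reason in reasons:
            print("   -", reason)
```

The weights are deliberately simple: a link off the carrier allow-list carries the most weight because the lure only works if the victim lands on the attacker's page, while an e-mail-style sender alone (the third sample) stays below the threshold so ordinary iMessage conversations are not flagged.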
CN: One Chinese woman held 16 jobs for 3 years and never showed up to work
https://www.businessinsider.com/chinese-woman-held-16-jobs-at-once-never-showed-fraud-2023-9?op=1

A Chinese woman engaged in a labor-fraud scheme held 16 corporate jobs over three years without ever actually working at any of them. The scheme was worth nearly US$7 million and involved multiple individuals. She kept track of her hirings on paper and shared fake interview photos on company channels to maintain the illusion of working. When overloaded, she passed job offers to friends and took a commission.

The woman and her husband used the earnings to purchase an apartment in Shanghai through multiple bank accounts. The scheme unraveled when a tech CEO, Liu Jian, discovered one of his employees was working for another company simultaneously and called in the police. This discovery resulted in the arrest of 53 individuals.

So what's the upshot for you? What do you think? Managing that many jobs at once, with up to 53 people sub-contracting through her and a turnover of US$7 million, sounds to us like she had some serious leadership skills!

This week's wrap-up:

We covered your new car, and its coverage of you. We followed with the “missing 26,000 cars”, or what can happen when you run out of disk space. We gave you an update on further repercussions from the LastPass backup thefts and why you should be changing your password manager, your passwords and your crypto wallets sooner rather than later. There was the new mandate for US Customs and Border Patrol that will have 97% of us leaving the US with our photographs in their system. We presented another reason to be extra careful with iMessages and text messages as smishing campaigns increase, and finally... the story about the woman who just couldn’t hold down a job, so she held down 16 of them.
Appropriately, our quote of the week comes from US Army officer and first African American Secretary of State, Colin Powell: “Leadership is the art of accomplishing more than the science of management says is possible.”

That’s it for this week. Stay safe, stay secure, work hard, do those jobs well and… we’ll see you in twenty one!
Karen
9/13/2023 08:19:29 am
Easy to listen to, easy to understand, this podcast is my secret source for staying current with privacy stories. This week's story on cars was a home run hit!!