Deadline looms for Women In Cyber Day petition, data theft from insurance quote websites and advice from Canada’s top cyber agency
Welcome to Cyber Security Today. It’s Monday, May 10. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Attention Canadian listeners: You have only one more day to electronically sign a petition asking the government of Canada to declare September 1st International Women in Cyber Day. This would recognize the achievements of women in the industry, and support the retention of women in this workforce. The petition also asks the government to support programs raising awareness and removing barriers for women and marginalized groups who want to enter and stay in the profession. There’s a link to the petition here. Or you can go to the House of Commons website and look under Petitions. It’s number e-3092. Or go to womencybersecurity.org. The deadline to sign the petition is tomorrow, Tuesday, May 11th at 2 pm Eastern.
Attention software developers: If you use the Composer PHP language package manager make sure you’re running the latest version. It closes a major vulnerability.
Attention WordPress administrators: If you run the CleanTalk antispam plugin make sure you’ve got the latest version. It closes a major vulnerability.
Attention users of the Foxit PDF reader: Make sure you have the latest version. Security patches fix serious vulnerabilities.
I’ve talked before about third party or supply chain attacks, where one organization is victimized by an internet attack through a partner or supplier. Here are the latest examples, both of which involve American insurance companies, and both of which are very similar: This year hackers got personal information on people that was held by a third-party service provider, and they got it by going through insurance companies’ online quote services. It worked like this: The attacker applies online for an insurance quote using names and other information of people they’ve already compiled – probably through data thefts. The insurance companies have an automatic link to a service provider that fills in information in the online application, such as the applicant’s driver’s licence or birth date. Then the attacker copies that added information, which they didn’t already have. With information like name, address and driver’s licence number, the attacker could apply for state unemployment benefits, or create fraudulent ID. One insurance company is notifying over 280,000 victims. Another is notifying over 97,000 people.
If your organization offers free quotes and uses a third party to help fill in an application, make sure it isn’t open to data-stealing attacks like this.
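One way to close the gap described above, shown as an added example that is not part of the original podcast text: keep the service provider's prefill values on the server and send the browser only masked versions. The provider lookup, field names, session store and sample record are all hypothetical and constructed for illustration.

```python
# Constructed sample record standing in for the third-party provider's data.
PROVIDER_RECORDS = {
    ("jane doe", "12 elm st"): {
        "drivers_licence": "D1234567",
        "birth_date": "1985-04-12",
    },
}

# Hypothetical server-side store; a real application would use its session backend.
SERVER_SIDE_STORE = {}


def provider_lookup(name, address):
    """Hypothetical stand-in for the service provider's prefill API."""
    return PROVIDER_RECORDS.get((name.lower(), address.lower()))


def prefill_exposed(name, address):
    """The weak pattern: enriched fields go back to the browser in full."""
    record = provider_lookup(name, address) or {}
    return {"name": name, "address": address, **record}


def mask(value, keep=2):
    """Hide all but the last `keep` characters of a value."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def prefill_masked(session_id, name, address):
    """The corrected pattern: full values stay server-side for rating the
    quote, and the applicant only sees masked versions to confirm."""
    record = provider_lookup(name, address) or {}
    SERVER_SIDE_STORE[session_id] = record
    masked = {field: mask(value) for field, value in record.items()}
    return {"name": name, "address": address, **masked}


def unmasked_additions(submitted, response):
    """Check for a quote form: list fields the response added in clear text
    that the applicant never typed in. An empty list is the goal."""
    return sorted(
        field for field, value in response.items()
        if field not in submitted and "*" not in value
    )
```

Running `unmasked_additions` against a form's response in testing shows which prefilled fields reach the browser in clear text.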
Fermilab is an advanced physics laboratory and accelerator near Chicago that does things like smash particles together to see what matter is made of. But according to a group of researchers, its cybersecurity isn’t very advanced. Doing some sleuthing on the internet they were able to find open servers with names, user passwords, project descriptions and file attachments with sensitive scientific information. One of the researchers told a news site that Fermilab fixed the problems fast after being told. No one knows if a nation-state or criminals also were able to see the data.
Finally, I covered an online cybersecurity conference from Vancouver last week. One of the speakers was Scott Jones, the head of the government of Canada’s Cyber Security Centre. He had a couple of things to say that were noteworthy. One was aimed at the general public: You have a lot of control over the personal data you give out to websites and social media platforms. You don’t have to tell a website everything when you register. Does that site really need your birthday? Do you take advantage of the privacy controls websites and social media platforms offer? His point was the less personal information you give out the less will be available for crooks to steal.
As for organizations, Jones had this to say: Think about every piece of personal information you collect from customers or clients. Do you really need it? If so, do you need it enough to take responsibility for fully protecting the data from theft?
That’s it for now. Remember links to details about podcast stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.