The SecuriTea News - Issue #9
Every Friday The Weekly SecuriTea Report brings you the week's trending Information Security News. Here's what is new this week:
No Security Training, No Email Access. This happened to a city leader in Memphis, Tennessee, who was banned from using his corporate email for refusing to complete a 45-minute security awareness training. Alderman Dean Massey is one of the city leaders and told a publication he doesn't "think it's appropriate for a city employee to tell what they have to do to access their email". As a result, the IT director cut off Massey's email access, which in turn created another problem: circumvention by the user. Massey created a new personal email account to conduct city business. That account is accessible to the user at all times and is no longer under the management of the city's IT department, so none of the city's controls (logging, retention, filtering, access revocation) apply to it. Everyone with a corporate email was asked to complete a 45-minute online cybersecurity training, which is common for most corporations, as security awareness is key to a proper enterprise security program. The city leader's refusal of this request leads one to question whether it is reckless and deserves consequences such as the access restriction imposed by the director. Having leadership approval and support is crucial when implementing security programs, and his refusal could lead others to refuse as well, at a time when humans remain the weakest link in the security threat chain.
California Bill Sets The Tone For Facial Recognition. The California Senate has passed a bill, in a 22-15 vote, that would ban the use of facial recognition by law enforcement via body cams. The bill states that officers are "prohibited from installing, activating or using any biometric surveillance system in connection with an officer camera or data collected by an officer camera." Additionally, it provides for seeking damages in the event the law is violated: "The bill would authorize a person to bring an action for equitable or declaratory relief against a law enforcement agency or officer who violates that prohibition." The move is unprecedented and, if signed by the Governor, would go into effect this upcoming New Year's. This comes on the heels of another measure: companies such as AT&T, Dell and IBM have written to the federal government asking federal lawmakers to create an overarching data privacy regulation, in response to the measures being set forth at the state level in California and New York. The United States trails other nations when it comes to consumer privacy law at the national level and has nothing to rival the GDPR set forth by the European Union.
Mobile Users At Risk Because Of SIM Card Flaw. A vulnerability has been found in mobile SIM cards that can allow an attacker to track phone owners' locations, intercept calls, and more by simply sending an SMS message to victims, according to AdaptiveMobile Security researchers. The vulnerability is reported to have been exploited for the past two years by a "specific private company that works with governments to monitor individuals", and it is known to affect several mobile operators, putting the number of devices at risk in the billions. The attack starts with a text message to the victim to determine whether their phone uses a specific SIM card with a particular embedded technology. If so, the text message triggers commands that capture data, such as location and device-specific information, which is sent back to the attacker via a triggered text message. All of this happens unbeknownst to the user and can open the door to personal safety risk. Though the flaw affects billions of users, its realized impact is said to be minor. Nevertheless, users can check whether they are vulnerable by investigating, either themselves or with their carrier, whether their SIM card is susceptible to this type of attack.
Another Day, Another Email Blunder Leaking Personal Information. This time it was the charity organization UNICEF, which accidentally sent the names, email addresses, gender, and professional information of its portal users to 20,000 inboxes. According to a published report, the incident took place on August 26 and included the information of approximately 8,300 users. The leak was the result of human error: an internal user ran a report that included more information than necessary. After realizing the error 24 hours later, UNICEF disabled the portal functionality that allowed reports of this type, as well as email attachments, to be sent out. While the information leaked is categorized as basic information for users in the United States, the stakes are higher for those covered by the GDPR protections that went into effect last May. The GDPR, or General Data Protection Regulation, imposes strict requirements on how organizations process data and allows record fines against organizations that are not careful with this data (as seen with Facebook and Google recently). While this has created an incentive for companies to become more vigilant in protecting confidential data, leaks continue to occur, especially at organizations with limited security resources, as in this example. US organizations, both small and large, will need to seriously rethink their methods and understand the consequences of human error with regard to data privacy and leaks.
And that's a wrap for your Weekly SecuriTea Report. Be sure to check back every week for the latest in Information Security News.