In today’s cybersecurity news…
Public Wi-Fi hacked at some of the UK’s busiest train stations
Train passengers connecting to free WiFi at many major rail stations in England were greeted by an Islamophobic message on their devices when they logged on and reached the WiFi network’s landing page. The incident is now being investigated by Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, along with the network’s operator, a UK-based company called Telent. Muhammad Yahya Patel, lead security engineer at Check Point Software, pointed out that public Wi-Fi is often unencrypted and easily accessible, and provides an ideal entry point for attackers. He added that “outdated hardware and software create exploitable vulnerabilities, which is a growing concern for systems as vital as public transport.”
Data privacy watchdog files complaint against Mozilla for ad tracking feature
The European data privacy advocacy group None of Your Business (noyb) made the announcement on Wednesday, saying that the developer of the Firefox browser had “quietly changed” its privacy features in order to track users’ website activities. This is the result of what Mozilla calls a “privacy preserving attribution” feature, which was automatically installed as part of a software update, according to a noyb press release. It allows advertisers to monitor their campaigns not by using cookies but by having websites ask Firefox to store information about people’s ad interactions.
NIST drops password complexity, mandatory reset rules
In the second public draft version of its password guidelines, the National Institute of Standards and Technology is making two changes. The first is that credential service providers stop requiring that users set passwords containing specific types of characters, and the second is to stop mandating periodic password changes (commonly every 60 or 90 days). The first suggestion paves the way for longer passwords, of between 15 and 64 characters, that may include ASCII and Unicode characters. The second supports the idea that password resets should only occur in the case of a credential breach. Making people change passwords frequently was resulting in people choosing weaker passwords.
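To make the two changes concrete, here is an added example (written for this summary, not code from NIST or from the page) of a password acceptance routine that follows the rules as the page describes them: a length window of 15 to 64 characters, no character-class rules, Unicode allowed, and a reset forced only by evidence of a breach. The length limits are taken from the page’s summary; the breach corpus is a constructed stand-in for a real compromised-password list.

```python
import hashlib
import unicodedata

# Policy constants as summarised on the page: 15 to 64 characters,
# no composition rules, no periodic expiry.
MIN_LEN = 15
MAX_LEN = 64

# Constructed stand-in for a breached-password corpus. Real corpora are
# usually distributed as SHA-1 digests of the plain text, so the demo
# stores the same shape. The three entries are made up for this example.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in (
        "correct horse battery staple",
        "Summer2024!Summer2024!",
        "passwordpasswordpassword",
    )
}


def normalize(password: str) -> str:
    """NFKC-normalise so that visually identical Unicode input compares
    (and is measured) the same way regardless of how the client composed it."""
    return unicodedata.normalize("NFKC", password)


def is_breached(password: str) -> bool:
    """Look the normalised password up in the breach corpus by SHA-1 digest."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest()
    return digest in _BREACHED_SHA1


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Length is counted in Unicode code points after normalisation, so a
    non-ASCII character counts as one character, and no character classes
    (digits, symbols, mixed case) are demanded.
    """
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters"
    if is_breached(pw):
        return False, "appears in a breach corpus"
    return True, "ok"


def needs_reset(days_since_change: int, known_breached: bool) -> bool:
    """Expiry decision under the draft rules.

    The age of the password (days_since_change) is accepted only to show
    that it plays no part: a reset is required solely when the credential
    is known to be compromised.
    """
    return known_breached


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "with spaces and no digits at all",
                      "correct horse battery staple", "\u00e9" * 15):
        print(repr(candidate), check_password(candidate))
    print("reset after 365 days, no breach:", needs_reset(365, False))
    print("reset after 1 day, breached:", needs_reset(1, True))
```

Two details worth noting: a short but “complex” password such as `Tr0ub4dor&3` is rejected purely on length, while a long passphrase of lowercase words and spaces is accepted; and because normalisation runs before counting, a decomposed accent sequence (`e` + combining acute) is measured as one character, matching what the user sees.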
CISA speaks out regarding Kansas water incident
Following up on a story we covered on Wednesday regarding the cybersecurity issue at the water treatment facility in Arkansas City, Kansas, CISA released a new advisory yesterday, Thursday, as a reminder that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.” The agency urged operators to apply its previously released recommendations to defend their systems.
Huge thanks to our sponsor, Vanta

With Vanta Questionnaire Automation, security & compliance teams can complete security reviews up to 5 times faster, giving you time back to focus on running your security & compliance programs.
Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews.
Visit vanta.com to learn more about Questionnaire Automation.
Cybercriminals deliver info-stealing malware to North American transportation companies
According to cybersecurity firm Proofpoint, a specific threat actor, which has not been named but appears to be financially motivated, is using compromised legitimate email accounts belonging to transportation and shipping companies to send malicious links and attachments within existing email conversations. The attachments deliver info stealer malware including Lumma Stealer, StealC, DanaBot and Arechclient2. Some attacks also impersonate legitimate software used exclusively in transport and fleet operations management, including Samsara, AMB Logistic and Astra TMS. Proofpoint adds that the language used in the lures and content suggests familiarity with the industry and with typical business workflows.
Study finds European car resellers failing to delete driver data
Industry watchdog Privacy4Cars has released a study showing that “four out of every five cars resold in Germany, the UK, and Italy are hitting the market with prior drivers’ personal data stored and easily accessible.” This includes location data and home addresses, and in at least half of the cases the data gave access to prior owners’ call logs and text messages. Such omissions are in strict contravention of privacy laws such as GDPR. A UK judge who reviewed the report wrote, in an opinion, “dealerships and other vendors cannot rely on individual employees to delete the personal data they find and must have structured programs in place to ensure data is erased.”
AutoCanada says employee data lifted in cyberattack
Following up on a story we covered on August 15, AutoCanada, a multi-location car dealership that sells multiple brands of cars through 66 locations in Canada as well as some in Illinois, now confirms that employee data was stolen during an August attack. The attack itself was carried out by the Hunters International group, who claim to have databases, NAS storage images, executives’ information, financial documents, and HR data, including information on salaries and bonuses, social insurance numbers and bank account numbers used for direct deposits. There is currently no indication that customer data was obtained.
DoNotPay has to pay for falsely promoting untested AI lawyer services
The Federal Trade Commission has announced that DoNotPay, which had been advertised as “the world’s first robot lawyer” with the ability to “sue anyone with the click of a button,” must pay $193,000 and must refrain from making false claims about its services. The FTC stated that the company “conducted no testing to determine whether its AI chatbot’s output was equal to the level of a human lawyer” and also did not “hire or retain any attorneys to help verify AI outputs or validate DoNotPay’s legal claims.” It must be noted that, according to a statement from the company, the complaint upon which this finding was based relates to the usage of a few hundred customers some years ago (out of millions of people), with services that have long been discontinued.