
Disclosure of proof-of-concept exploit code for security bugs in Cisco routers for small businesses prompted hackers to scan for vulnerable devices in an attempt to take full control of them. Cisco this week announced updates for router models RV320 and RV325 that fix a command injection (CVE-2019-1652) and an information disclosure (CVE-2019-1653) vulnerability; both of them are in the routers' web management interface. Exploiting the former requires authentication with admin privileges and allows a remote attacker to execute arbitrary commands on the system. The latter security issue is also remotely exploitable, but it does not need authentication to obtain sensitive information from the router. A hacker chaining the two bugs could target RV320 and RV325 routers reachable online to obtain hashed access credentials for a privileged account and thus be able to run arbitrary commands as root. The German company RedTeam Pentesting found the issues in the Cisco RV320 and reported them privately to Cisco. The researchers also found that the RV320 exposes diagnostic data. A superficial search on Shodan shows that there are about 20,000 Cisco RV320/RV325 routers reachable over the internet. Not all of them may be vulnerable, though. According to information today from Troy Mursch, chief research officer at Bad Packets, more than 9,500 of them were found to be affected by the information disclosure flaw, most of them in the United States. Learn more on OUR FORUM.

A European Commission statement says that Data Protection Authorities across Europe received 95,180 complaints regarding the mishandling of personal data, and that companies reported a record number of 41,502 data breaches, since the General Data Protection Regulation (GDPR) was enacted on 25 May 2018. Under the GDPR provisions, businesses are obliged to report data breaches to their national DPA within 72 hours if personal data of European citizens is unlawfully or accidentally disclosed. Following the 95,180 complaints, lodged both by individuals and by organizations mandated by individuals since the enactment of the GDPR, national Data Protection Authorities initiated 255 investigations. It is important to mention, though, that a couple of dozen of those GDPR investigations were initiated outside the scope of the complaints advanced by individuals. Moreover, the European Commission's statistics say that the most common types of GDPR complaints were related to telemarketing, promotional e-mails, and video surveillance/CCTV, which were found to violate multiple provisions. Further details are posted on OUR FORUM.

As reported by Cisco in its Data Privacy Benchmark Study, companies that follow the requirements of the General Data Protection Regulation (GDPR) experience benefits such as a lower frequency and impact of data breaches, fewer records being affected in attacks, shorter downtimes and lower overall costs. GDPR is a user and data privacy regulation which came into effect in the European Union on May 25, addressing data protection of EU residents and the export of personal data outside the EU and EEA areas. The report used data collected via a double-blind survey answered by over 3,200 security professionals from 18 countries around the world and from all major industries. "Organizations have a long way to go to maximize the value of their private investments. Our research shows that the market is set and ready for those willing to invest in data assets and privacy may be the path forward to get there," according to Michelle Dennedy, Cisco's Chief Privacy Officer. When it comes to the level of GDPR readiness among the respondents, 59% of them said that they are meeting either all or most of GDPR’s provisions, while 29% of them stated that GDPR readiness is one year away and another 9% indicated that they would need more than a year to be ready. Learn more by visiting OUR FORUM.

The abstract world of coding is well suited to people who are blind or have low vision, but there is a high barrier to entry to getting started; students first need to learn to touch type, for example. Today at the BETT education show, Microsoft announced Code Jumper, a tethered hardware device designed to teach children who are blind or have otherwise impaired vision how to code. Instead of poking at tablet screens or typing into laptops, students take out brightly colored plastic pods, connect them together with thick white wires and then adjust the pods’ buttons and knobs. These physical components are used to create computer programs that can tell stories, make music and even crack jokes. “There really isn’t an equivalent to this physical way of programming,” said Jonathan Fogg, head of computing and IT at New College Worcester. Early access to basic coding skills is important, Fogg said, because many kids who are blind or have low vision are drawn to careers in computer science. He thinks that’s partly because many of the skills kids with low vision develop to navigate the world make them good at the kind of computational thinking that’s helpful for a computer science career. And, he said, traditionally it has been a career that is more accessible to people who are blind or have low vision, because of tools such as screen readers. There's more posted on OUR FORUM.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10,000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes. The CNIL immediately started investigating the complaints. On 1 June 2018, in accordance with the provisions on European cooperation defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess whether it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization established in the European Union shall have only one interlocutor, namely the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must, therefore, coordinate the cooperation between the other Data Protection Authorities before taking any decision about cross-border processing carried out by the company. In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow them to conclude that GOOGLE had a main establishment in the European Union. More details can be found on OUR FORUM.

Cybercriminals are increasingly recognizing that smaller businesses can be lucrative targets because they are able to devote fewer resources to security. Phishing defense specialist Cofense is launching a new Managed Security Service Provider (MSSP) program aimed at providing SMBs with human-driven solutions designed to stop an active phishing attack. Cofense has partnered with a targeted group of service providers to give their customers the dedicated resources required to strengthen defenses, build attack resiliency and ultimately stop real attacks in progress. "Phishing remains the top cause of security breaches, and when it comes to leveraging humans to help stop those threats in their tracks, SMBs can face a significant disadvantage compared to enterprises with more resources," says Robert Iannicello, VP of global channel sales at Cofense. "Our MSSP program will arm more small and mid-sized organizations with the necessary tools to build attack resiliency and most importantly, report, respond to and stop active phishing threats. Also, our programs will offer key incentives and pricing designed exclusively for our MSSP partners to ensure their go-to-market success. We look forward to enabling more partners and their customer organizations with the resources needed to thwart phishing attacks across the globe, regardless of company size and scope." Learn more by visiting OUR FORUM.
