Security News
Dataguise announced a patent-pending method of projecting unique data counts that enables organizations to report the impact of a data breach faster and more accurately than ever before. This capability comes in the latest release of the company's Personal Data Discovery and Protection software, continuing its tradition of helping organizations manage risk and costs as they store and use personal data to drive business value.
Southern Water - British supplier of the liquid of life - botched its internal Sharepoint implementation so badly that a customer was able to view other people's account details. Reg reader Chris H discovered that the way Southern Water had set up Sharepoint to host customer information as a "Your account" style section of their website exposed URLs that could be tweaked to view other people's account information.
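The Southern Water flaw described above is an insecure direct object reference: the account record was selected purely by an identifier taken from the URL, with no check that the logged-in customer owned it. The following is an added example, not Southern Water's or SharePoint's code, showing a constructed account store, the unchecked lookup, and the hardened form that ties every record to its owner and logs denied attempts so that identifier-tweaking can be spotted in the audit trail. The account numbers, usernames and addresses are constructed sample values.

```python
# Added example: an insecure direct object reference (IDOR) lookup beside
# its hardened form. All data below is constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str      # username that is allowed to view this record
    address: str


# Constructed store keyed by a sequential, easily guessable account number.
ACCOUNTS = {
    1001: Account(1001, "alice", "1 Example Road"),
    1002: Account(1002, "bob", "2 Example Road"),
}

# Constructed audit trail of denied lookups (one line per refused request).
AUDIT_LOG: List[str] = []


def get_account_insecure(account_id: int, requesting_user: str) -> Optional[Account]:
    """Vulnerable form: the record is chosen by the number from the URL only.
    Any authenticated user can read any account by changing that number;
    requesting_user is never consulted."""
    return ACCOUNTS.get(account_id)


def get_account_secure(account_id: int, requesting_user: str) -> Optional[Account]:
    """Hardened form: the same lookup, but the record is released only when
    the logged-in user owns it. A miss and a mismatch return the identical
    result so the response does not reveal which account numbers exist, and
    each refusal is logged for detection of repeated id-tweaking."""
    record = ACCOUNTS.get(account_id)
    if record is None or record.owner != requesting_user:
        AUDIT_LOG.append(f"denied user={requesting_user} account_id={account_id}")
        return None
    return record


def denials_for(user: str) -> int:
    """Count of refused lookups attributed to one user; a rising count from a
    single session is the signal a detection rule would alert on."""
    return sum(1 for line in AUDIT_LOG if line.startswith(f"denied user={user} "))
```

The hardened lookup keeps the ownership test next to the data access rather than in the routing layer, so every code path that fetches an account passes through it; the audit line records the requesting user and the identifier tried, which is enough to rate-limit or alert on a session that walks through consecutive account numbers.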
Now the industry's biggest player, Carnival Corporation, has also come down with a case of ransomware. The company on Tuesday issued a regulatory filing [PDF] in which it admitted: "On August 15, 2020, Carnival Corporation and Carnival plc... detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files."
The flaws could also have helped attackers silently install skills and apps on a user's Alexa account, and obtain usernames, phone numbers, voice history, and the list of installed skills, says Check Point Research.
UPDATE. Vulnerabilities in Amazon's Alexa virtual assistant platform could allow attackers to access users' personal information, like home addresses - simply by persuading them to click on a malicious link. Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting flaw and cross-origin resource sharing misconfiguration.
iProov announced its partnership with self-sovereign identity specialists, Evernym. Evernym is the market leader in SSI, working with over 100 organizations in the technology, government, nonprofit, finance, insurance, communications, and healthcare sectors to issue, accept and verify portable digital identity credentials.
Video conference users should not post screen images of Zoom and other video conference sessions on social media, according to Ben-Gurion University of the Negev researchers, who easily identified people from public screenshots of video meetings on Zoom, Microsoft Teams and Google Meet. While there have been many privacy issues associated with video conferencing, the BGU researchers looked at what types of information they could extract from video collage images that were posted online or via social media.
Hackers infiltrated Collabera, siphoned off at least some employees' personal information, and infected the US-based IT consultancy giant's systems with ransomware. Collabera identified malware in its network system consistent with a ransomware attack.
Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too - allegedly more than 750GB in total including contracts, contact information and "personal correspondence". In other words, the financial extortion is no longer just a "kidnap ransom" to get your files back, but also a blackmail demand to stop the crooks leaking your data - or, worse still, your customers' data - to the world.
The Terbium team reckons that these guides, which help newbie crooks through the process of things like setting up bank fronts, crafting phishing emails and stealing money out of victim accounts, make up just under half of all data transactions on the store. "What they have in common is detailed information on how to export an organization's current policies," Terbium Labs said of the guides.