
Weekly Threat Report 25th May 2018

Created:  25 May 2018
Updated:  25 May 2018
NCSC Threat Report
This report is drawn from recent open source reporting

GDPR and what it means for cyber security

The General Data Protection Regulation (GDPR) comes into force today, 25th May, setting clear instructions about the appropriate technical and organisational measures that must be in place to securely process personal data.

While there has been a lot of messaging around GDPR, what you may not know is that the NCSC has been working closely with the Information Commissioner’s Office (ICO) to develop a set of security outcomes. The guidance provides an overview of what GDPR says about security and describes a set of related outcomes which all organisations that process personal data should seek to achieve.

The NCSC has produced some overarching information about GDPR, which serves as a good starting point before tackling the GDPR security outcomes. The ICO, which is the UK’s supervisory authority for GDPR, has also published plenty of useful guidance on its own website.

The NCSC’s Principal Technical Director for Risk Management Capability, Ian M, has also blogged about GDPR, which may be a good starting point for those looking for more information about the impact upon cyber security.

Children’s details leaked in monitoring app breach

Media reports detail an Amazon S3 bucket misconfiguration that has led to a serious data breach. According to ZDNet, a UK-based security researcher found two public S3 buckets belonging to TeenSafe, a mobile app for iOS and Android that allows parents to monitor the texts, calls, locations and social media exchanges of their children. The buckets were reportedly left unsecured and accessible to anyone without a password. This breach exposed at least 10,200 records covering the preceding three months, including children’s Apple IDs and plaintext passwords, device names and their device’s unique identifier.

This latest incident is another instance of an Amazon S3 bucket being misconfigured, making it publicly accessible. This breach is particularly serious due to the potential for online predators to access the personal details of minors. It may also leave the affected children (and their parents) more vulnerable to identity theft in the future.

By default, all new Amazon S3 resources including buckets are private, and since November they have also been encrypted. For a bucket and its contents to be made public, it must be configured to be so. Permissions inheritance can be complicated, so AWS provides a free tool for their customers to identify any buckets that are publicly accessible.

If you are using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.

‘Sharenting’: increasing the risk of identity fraud?

Research by Barclays Bank has indicated that the sharing of family life on social media by parents, known as ‘sharenting’, could leave their children exposed to online identity fraud when they grow up.

For example, a photo celebrating a child’s birthday reveals a date of birth; a reference to their first pet could be used as an answer to a bank security question; or the child’s favourite football team may be a useful clue to a password. If this information is obtained by fraudsters, it gives them a head start in breaking into the children’s future online lives. Given that many adults use this kind of information when choosing passwords, it can also expose the parent to online fraud.

It is advisable for users to check the privacy settings on social media accounts.

The NCSC has also provided guidance on choosing good passwords, and CPNI has produced some useful material on minimising your digital footprint.

For those building services, it is advisable not to use easily discoverable information for password resets.

Up to 800,000 DrayTek routers at risk due to zero-day exploit

Network equipment vendor DrayTek has said several of its wireless routers (details here) are vulnerable to a suspected ‘zero-day’ exploit allowing hackers to remotely change the device's settings. This could allow attackers to re-direct traffic or conduct man-in-the-middle attacks in order to steal information and credentials from users.

Researchers suggest up to 800,000 routers are at risk. Reports from victim IT departments suggest the exploit is bypassing password-based security and even access control lists (which restrict connections to trusted devices only). UK-based technical online forums indicate there are multiple UK victims. DrayTek has issued a security advisory, encouraging users to manually update firmware.

Users should also ensure regular patching is undertaken across all device types. Where possible, users should set devices to automatically apply all security updates as they become available. The NCSC's approach to patch management can be found here.
