Securing VPNs. Threats to privacy on campus. Evasive spyware. Private vaccine passport application exposed user data.
At a glance.
- NSA and CISA publish fact sheet on secure use of VPNs.
- Edtech software can expose student data.
- The evil twin of Campus Wi-Fi.
- FinSpy becomes more evasive.
- The private vaccination passport application exposes user data.
Security agencies warn of VPN challenges.
The United States National Security Agency and the Cybersecurity and Infrastructure Security Agency have joined forces to offer advice on securing virtual private networks, or VPNs, against attacks. VPNs are often targeted by nation-state threat actors who exploit network vulnerabilities in order to steal data or hijack corporate networks. To protect against such threats, the fact sheet recommends choosing VPN devices from the National Information Assurance Partnership's (NIAP) list of well-tested, compliant products. The tips also include using multi-factor authentication, updating regularly to ensure all security patches have been applied, and disabling non-VPN-related features.
Educational software exposes student data.
At the height of the pandemic, many schools became dependent on virtual education software to enable distance learning, and The 74 Million reports that one software offering of this type has potentially exposed the data of millions of students. After examining Netop Vision Pro Education's monitoring software, used by 9,000 school systems and designed to allow teachers to keep tabs on student-supplied devices, McAfee researchers found four critical vulnerabilities that left teacher-student communications unencrypted and could inadvertently allow hackers to hijack student devices. McAfee explains, "The hacker could activate webcams and microphones on the target system, allowing them to physically observe your child and their surroundings." Netop has been made aware of the issues, most of which were fixed earlier this year, but the incident highlights recent security issues faced by education monitoring technology companies like ProctorU and Gaggle.
Evil Twin Wi-Fi steals college degrees.
Still in the world of education, WizCase researchers discovered a bug in the software of the Wi-Fi company eduroam, a free Wi-Fi provider for universities and other higher education establishments. A simple misconfiguration could allow hackers to create a malicious eduroam network, an "evil twin" that could trick users' devices into exposing user credentials. It should be noted that the error is not strictly the fault of eduroam, but rather an issue of incorrect configuration instructions being disseminated by administrators. When informed, eduroam replied: "We are indeed sometimes informed of eduroam identity providers who do not comply with eduroam policy requirements and leave their own users unprotected. We totally agree with your opinion that this is unacceptable behavior on their part."
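A defensive check for the kind of misconfiguration described above, added here as an example that is not from WizCase, eduroam or the original article. It assumes the usual cause of an eduroam evil twin, a device profile that never validates the identity provider's RADIUS server certificate, and runs over two constructed wpa_supplicant-style profiles rather than any real institution's instructions.

```python
import re

# Constructed wpa_supplicant-style profiles (not from the page). The first omits
# server-certificate validation, so the device would hand its credentials to any
# access point that merely advertises the SSID "eduroam".
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="student@example.edu"
}
"""

HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/example-edu-idp-ca.pem"
    domain_match="radius.example.edu"
}
"""

NAME_PINS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")  # pin the server, not just its CA


def parse_network_block(profile: str) -> dict:
    """Return key/value pairs from the first network={...} block."""
    body = re.search(r"network=\{(.*?)\}", profile, re.S)
    if body is None:
        raise ValueError("no network block found")
    settings = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def evil_twin_findings(profile: str) -> list:
    """List missing settings that would let a rogue 'eduroam' AP harvest credentials."""
    s = parse_network_block(profile)
    if s.get("key_mgmt") != "WPA-EAP":
        return []  # not an enterprise (802.1X) profile; this check does not apply
    findings = []
    if "ca_cert" not in s:
        findings.append("ca_cert missing: any server certificate is trusted")
    if not any(k in s for k in NAME_PINS):
        findings.append("no server name match: any certificate from the CA is trusted")
    return findings
```

Running `evil_twin_findings` over both profiles reports two gaps for the weak one and none for the hardened one; the same two settings are what institutional configuration instructions need to include.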
The FinSpy stealth attack dodges detection.
Kaspersky researchers have discovered that FinSpy spyware has the ability to replace a machine's Windows UEFI boot loader in order to infect target devices. The legality of "lawful interception" spyware has already been questioned, and now Security Week reports that FinSpy's software was able to bypass firmware security checks to replace the Windows boot loader with a malicious one, a bootkit. Additionally, updates made since 2018 allow the spyware to hide behind four levels of obfuscation in order to evade security scanning. "The amount of work that goes into making FinFisher inaccessible to security researchers is particularly disturbing and somewhat impressive ... It seems that developers are putting at least as much work into obfuscation and anti-scanning measures as they are into the Trojan horse itself," said Kaspersky's Igor Kuznetsov.
The vaccine passport suffers a data exposure incident.
Radio-Canada News reports that the Portpass app, a private vaccination passport widely used in Canada, experienced a data exposure incident. The CBC says data at risk of compromise includes “email addresses, names, blood groups, phone numbers, birthdays, as well as identity photos like driver’s licenses and passports.” Trevor Morgan, product manager at comforte AG, sees this kind of data neglect as its own unfortunate contribution to vaccine skepticism:
"According to the report, sensitive data, including driver's license information, was not encrypted and could be easily viewed in plain text. Aside from political views, this type of exposure is one of the main reasons why many members of the general public are wary of mandatory digital and mobile - unless the app provider goes to great lengths to enforce data-centric security, such as encryption that preserves format or tokenization to protect sensitive data by obscuring sensitive pieces of data, situations like this will happen again and again, and people will be reluctant to adopt such tools. Whenever an organization collects and processes information on human health, it has the ultimate responsibility to protect this data and to ensure that it is never presented in a readable format to unauthorized users. Situations like this are certainly not acceptable!"