This week in the world of infosec, a survey finds that as many as 185,000 Irish office workers may have fallen victim to a phishing scam.
One of the major pieces of news in the infosec area last week was IDA Ireland and Cork Institute of Technology joining forces on an initiative to establish Cyber Ireland, a national cybersecurity cluster.
Cyber Ireland will provide a collective voice to represent the needs of the cybersecurity sector across the country and will address key challenges including skills needs, research, and the development of a national community that connects industry, academia and government.
Up to 185,000 Irish office workers on the receiving end of phishing scams
Our work emails seem to be forever bombarded with obvious – and not so obvious – attempts by scammers to get into our accounts. Now, a new survey released by Datapac and Sophos has found that as many as 185,000 office workers may have been fooled by at least one phishing scam.
Broken down by generation, millennials claim to be the most resistant to phishing scams, with just 14pc saying they are not confident they could recognise a suspect email.
Among Generation X office workers this rises to 17pc, and more than one-quarter of baby boomer office workers also put themselves in that bracket.
Despite this, more than twice as many millennials (17pc) report having fallen victim to a phishing scam as members of Generation X (6pc) or baby boomers (7pc), which suggests self-reported confidence is a poor predictor of who actually gets caught.
Facebook facing multibillion-dollar fine for breaches
The Data Protection Commission (DPC) in Ireland is set to investigate Facebook’s latest data breach and whether the social network infringed GDPR. Under GDPR, Facebook and any other company processing EU residents’ personal data must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected.
On Friday (14 December), Facebook announced that it had discovered a bug potentially affecting almost 7m users. Between 13 and 25 September, the bug allowed third-party apps that had been granted access to a user’s photos to reach photos the user had never shared with them, without the users’ permission.
“We’re sorry this happened. Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” Facebook said in its announcement.
This latest investigation will be separate from, and in addition to, the DPC’s existing investigation into the major Facebook breach announced in September.
Facebook delays its ‘clear browsing history’ feature
In the wake of the Cambridge Analytica scandal, Facebook promised in May that users would soon be able to clear their browsing history, meaning the sites and apps they visited off Facebook would no longer be tied to their account and used to target them with ads and services.
When asked for a timeline for the feature, called ‘Clear History’, the company said it would be released in a few months. Now, according to Recode, after months of silence on the topic, that timeline has changed: David Baser, head of Facebook’s privacy product team, says it will be available for testing in spring 2019.
The delay is down to the technical challenge of implementing the system, specifically how the data is stored on Facebook’s servers. And since Facebook’s main revenue stream is advertising built on that data, Baser admitted the feature will be somewhat limited.
“We can’t actually stop data collection,” he said. “But what we can do is strip away the identifier that would let us know whose it was.”
Iranian phishing campaign bypasses common 2FA protections
Ars Technica has reported that attackers working on behalf of the Iranian government targeted US government officials, activists and journalists, gaining access to Gmail and Yahoo Mail accounts by bypassing their two-factor authentication (2FA) protections.
According to Certfa Lab, which uncovered the campaign, the attackers first collected large amounts of information on their targets and sent phishing emails designed to test their level of operational security. When a target followed a link to a fake Gmail or Yahoo security page and entered a password, the attackers would, almost simultaneously, enter those credentials on the real login page.
If 2FA was enabled, the real login would then demand a one-time code, so the attackers prompted the target with a second fake page asking for the one-time password and used it to complete the login on the real site. Because such codes are only valid for a short window, the relay has to happen in near real time, which is exactly what the attackers’ infrastructure was built to do.
“In other words, they check victims’ usernames and passwords in real time on their own servers, and, even if 2FA such as text message, authenticator app or one-tap login are enabled, they can trick targets and steal that information, too,” Certfa Lab said.
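The relay Certfa Lab describes, as an added simulation that is not part of the original article or of Certfa’s report: a fake login page forwards the victim’s password and then the one-time code to the real service while the code is still valid. The mail service, the account, the TOTP secret and the phishing origin are all constructed for this example. It also goes one step beyond the article to show why a one-time code (SMS, authenticator app or one-tap prompt) is relayable but an origin-bound second factor is not: the simplified stand-in for a WebAuthn assertion here uses HMAC in place of a public-key signature, and because the browser, not the user, supplies the origin being signed, a relay through the phishing page produces an assertion for the wrong origin and the real service rejects it.

```python
"""Constructed simulation of a real-time 2FA relay through a phishing page.
Nothing here is Certfa Lab's or the attackers' code; all names are made up."""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s time counter, truncated to 6 digits."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MailService:
    """Stand-in for the real login endpoint (constructed, not Gmail or Yahoo)."""
    ORIGIN = "https://mail.example"

    def __init__(self):
        # constructed account; the TOTP secret is the one the victim's
        # authenticator app shares with the service
        self.accounts = {"alice": {"password": "correct horse",
                                   "totp_secret": b"0123456789abcdef0123"}}
        self.awaiting_otp = set()

    def check_password(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"].encode(), password.encode()):
            return "denied"
        self.awaiting_otp.add(user)
        return "otp_required"

    def check_otp(self, user: str, code: str, now: float):
        """Accept the current and the previous 30 s window, as many verifiers do."""
        if user not in self.awaiting_otp:
            return None
        secret = self.accounts[user]["totp_secret"]
        if code in {totp(secret, now - d) for d in (0, 30)}:
            self.awaiting_otp.discard(user)
            return f"session-for-{user}"
        return None


class PhishingProxy:
    """Attacker's fake login pages; every submission is relayed to the real service."""
    ORIGIN = "https://mail-example-security.invalid"  # constructed lookalike domain

    def __init__(self, service: MailService):
        self.service = service
        self.captured = {}
        self.session = None

    def victim_submits_password(self, user: str, password: str) -> str:
        self.captured = {"user": user, "password": password}
        # relayed to the real service as soon as it is typed; if the account has
        # 2FA the real service asks for a code, so the proxy shows a fake OTP page
        relayed = self.service.check_password(user, password)
        return "show_otp_page" if relayed == "otp_required" else "show_error"

    def victim_submits_otp(self, code: str, now: float) -> bool:
        self.session = self.service.check_otp(self.captured["user"], code, now)
        return self.session is not None


def relay_attack(relay_delay: float = 0.0) -> bool:
    """Victim types password then OTP into the fake pages; the attacker relays the
    OTP `relay_delay` seconds later. Returns whether the attacker obtained a session."""
    service, now = MailService(), 1_545_000_000.0  # fixed clock so runs are reproducible
    proxy = PhishingProxy(service)
    if proxy.victim_submits_password("alice", "correct horse") != "show_otp_page":
        return False
    code = totp(service.accounts["alice"]["totp_secret"], now)  # read from victim's app
    return proxy.victim_submits_otp(code, now + relay_delay)


def origin_bound_assertion(device_key: bytes, challenge: bytes, origin: str) -> str:
    """Simplified stand-in for a WebAuthn assertion: the browser, not the user,
    supplies the origin it is on and the authenticator signs challenge + origin.
    HMAC replaces the public-key signature to keep the example self-contained."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).hexdigest()


def relay_attack_against_origin_bound() -> bool:
    """Same relay, but the second factor is origin-bound. The victim's browser is on
    the phishing origin, so that is what gets signed and the real service rejects it."""
    key, challenge = b"constructed-device-key", b"challenge-from-real-service"
    assertion = origin_bound_assertion(key, challenge, PhishingProxy.ORIGIN)
    expected = origin_bound_assertion(key, challenge, MailService.ORIGIN)
    return hmac.compare_digest(expected, assertion)


if __name__ == "__main__":
    print("immediate relay of TOTP succeeds:", relay_attack())
    print("relay two minutes late succeeds:", relay_attack(120))
    print("relay against origin-bound factor succeeds:", relay_attack_against_origin_bound())
```

The relayed TOTP is accepted as long as the attacker forwards it within the service’s validity window, so the defence is not a shorter window but a factor whose value depends on the origin the browser is actually talking to.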