Security Updates 9th May 2019
The latest news from the sector: HMRC falls foul of GDPR rules on biometric data, Dell and Sierra Wireless rush out patches for security flaws, farming businesses are now being targeted by cybercriminals, and HM Government is devising new rules for IoT hardware vendors …
HMRC Falls Foul of GDPR with Biometric Voice ID Data
HMRC unveiled a new customer verification process in January 2017, which resulted in nearly 6 million biometric data sets being collected from helpline users. Following a complaint by the right-wing Big Brother Watch pressure group, the ICO has found that HMRC customers were not given “sufficient information” and may not have given valid consent – a problem post-GDPR!
According to the ICO:
“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
Innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
Big Brother Watch similarly stated:
“This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database.
This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no Government department is above the law.”
The “My Voice is My ID” biometric system will continue, but will be tweaked to meet GDPR principles.
HSBC Issue Cyber Crime Warning To Farmers Before Major Subsidy Payment Deadline Period
According to HSBC, farming businesses fell victim to nearly £1.2 billion worth of cybercrime scams. The bank also noted that financial services providers had successfully stopped a further £1.66 billion in unauthorised fraud from occurring. However, the growing sophistication of online cybercrime and fraud exposes farm businesses to greater risk.
According to Farmers Weekly:
“HSBC’s head of agriculture Neil Wilson said the fraudsters often had some knowledge of farming and knew when to target businesses.
Attacks are usually timed when farm businesses are most likely to have money in their accounts, such as during the Basic Payment Scheme window.
This very real threat comes in many forms and can be devastating for those businesses and individuals that fall victim,” said Mr Wilson.
It might be easy to fall into the trap of thinking ‘it will never be me’, however, these fraudsters are professional. They just need to catch you at a busy moment, or when you are distracted, and they can achieve their goal very quickly.”
If you run a farm, agricultural business or farming-related organisation and want to know more about protecting your IT infrastructure from cybercrime, HSBC provides useful cybersecurity advice for small businesses through its Cyber Aware campaign – found here.
Sierra Wireless Patches AirLink Router Critical Flaw Problems
Sierra Wireless has issued urgent guidance on its popular AirLink ES450 LTE router and its ALEOS software (used by a further 11 hardware products manufactured by the company), which contain flaws that become problematic when the devices are used with Internet of Things products – like Alexa speakers.
The severity of these flaws led Sierra Wireless to rush out a series of patches to fix them.
According to Threat Post:
“Sierra Wireless’ LTE AirLink routers are targeted toward embedded applications like transmitting data for fleets of vehicles (for example, in law enforcement settings, the routers collect data on whether a police car has engaged its lights and siren) and industrial machines (tracking the location of heavy equipment and assets for instance). ALEOS is the software powering these in-field devices, which enables users to collect and view data in real time.
Overall, the company patched seven vulnerabilities – including two critical flaws, and five medium-severity vulnerabilities stemming from the ALEOS software on the AirLink routers:
“Successful exploitation of these vulnerabilities could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths,” according to a Thursday advisory.”
UK Government To Create New Laws for IoT Hardware Vendors
As more and more companies jump on the smart technology bandwagon created by the Internet of Things ecosystem, the associated risks are creating a policy headache for the UK Government. The lack of government-approved standards puts individuals’ security and privacy at risk, and as more companies, some with lax approaches to security, bring IoT technologies to market, those risks become even more prominent for society at large.
HM Government wants to create a new trusted labelling system that lets consumers know whether an IoT device ships with a unique default password, how long it will receive security updates, and whether the vendor offers a public point of contact for reporting cybersecurity vulnerabilities. The Digital Minister, Margot James, wants to roll out this voluntary code of conduct scheme, with a trusted standard label, to help improve accountability.
According to the Department for Digital, Culture, Media and Sport:
“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.
These new proposals will help to improve the safety of Internet-connected devices and are another milestone in our bid to be a global leader in online safety.”
Dell’s Latest Support Tools Have Big Security Flaws
Remote Code Execution (RCE) issues in Dell’s client support tool – SupportAssist Client – mean this pre-installed resource could pose a long-term security threat for those responsible for the IT estate. Dell has issued a security advisory for the latest RCE flaw, CVE-2019-3719.
According to Threat Post:
“The bug, which was discovered by John C. Hennessy-ReCar, could be exploited by an unauthenticated remote attacker who could launch CSRF attacks on users of the impacted systems. CSRF allows an attacker to send malicious commands from one site to another using the credentials of a user that the destination site trusts. Further details on the flaw were not made available.
The computer-maker has had its fair share of security concerns, including last November, when the company warned its Dell.com customers of unauthorized activity on its network. Adversaries attempted to access names, email addresses and hashed passwords — which prompted a reset of all Dell.com customer passwords.”
Dell has published a guidance note, available here, that outlines the affected products, the remedial steps required to fix this security issue and the download links for the fixes. If you are worried about keeping up with patches, why not develop your own organisational patch update plan? Computer World provides a live blog, updated every month with the latest Windows updates – available here.
WordPress Plug-in Flaw Puts More Than 60,000 UK Websites At Risk?
WordPress, the ubiquitous content management platform, used by hundreds of millions of business websites worldwide, has a long history of plug-in vulnerability risks. The latest confirmed vulnerability comes from the WooCommerce Checkout Manager extension.
The patch for the plug-in is available here – and website owners are advised to log in and update their WordPress plug-ins regularly.
The developers behind WooCommerce Checkout Manager released a statement:
“Earlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well-known WooCommerce plugin.”
The old plug-in has been removed, but the risk posed by the vulnerability can still impact 60,000 UK businesses. If you are unsure how this affects your SME’s website, why not get your web developer to help you update your WordPress platform? Alternatively, use WordPress.org’s helpful guides to learn more about patch updates.
Until next time.