Authorities in California’s Orange County have launched a new initiative to help the public identify and report cyber-threats.

SafeOC is a localized version of the national ‘If You See Something, Say Something’ anti-terrorism public awareness campaign that emphasizes the importance of reporting suspicious items and behaviors to law enforcement.

A website and a social media account have been created to support the campaign. The website provides examples of suspicious cyber-activity and online threats, including configuration changes to files, sharing of account access and changes in user permissions.

Through the website, users can report suspicious activity directly to the Orange County Intelligence Assessment Center (OCIAC)

“Cyber is by far the up-and-coming crime and risk domestically,” said Orange County sheriff Don Barnes. 

He added: “Crimes happening online are much more prevalent than they were just a decade ago and criminals are finding new ways to create new victims and ways to victimize people.” 

Cyber-investigator with the OCIAC, Lance Larson, said solving cybercrime cases is challenging as bad actors often operate from overseas, and encryption makes it difficult to “follow the money.” He added that early detection was crucial in the fight against cybercrime.

“It gives us that ability to go on and be able to start the disruption process of stopping the cyber-attack, potentially being able to freeze money as it’s moving through the financial system potentially trying to go overseas,” said Larson.

The SafeOC website also provides information about the dangers children face when gaming online such as cyber-bullying, malware, spying and data loss. Advice offered to parents includes ensuring webcams and microphones are defaulted to the ‘off’ setting and ensuring children don’t create usernames that reveal any personal information.

The site also warns parents about hidden fees in freemium games that provide some content for free but charge users to access the game’s full features and functions. 

“In 2018, these ‘free’ games generated $61bn in revenue,” states the site before warning users never to share their payment card details with a freemium game and to regularly check their credit card bills for unapproved purchases.

A Swiss secure storage company has launched a creative cybersecurity awareness campaign to show how hackers gather personal data from social media.

The campaign by pCloud uses a fake influencer account on Instagram (@thealiceadams) to highlight how users unintentionally give away pieces of sensitive data through their bios and the content they post. 

“Through what we share online, the pictures we post and the locations we tag, hackers and criminals can guess your password in seconds, putting your identity and your bank accounts at risk of being stolen,” said a pCloud spokesperson.

In one post from the mock account, the influencer reveals her date of birth by sharing an image of birthday balloons that spell out her age. Other seemingly harmless posts give away information commonly used in passwords and security questions, including her pet’s name, where she went to school and her favorite movie.

Additional posts emphasize the importance of checking photographs for sensitive data before sharing them. Captured in an image of the influencer at her desk is a post-it note upon which a password has been written. Another shot of the influencer dining at a restaurant features her credit card, revealing her bank details. 

“You may be posting a picture of your birthday balloons, a heartwarming picture of your newborn baby or snapping that ‘picture perfect’ bar you spent the weekend at. But those seemingly harmless posts could actually be giving away security information that gives hackers access to all your accounts,” said pCloud.

Research performed by pCloud found that the most common themes for passwords that hackers are aware of include the last name followed by a number, date of birth, child or grandchild’s name and date of birth, pet name, place of birth and current place of residence. 

Other popular password choices are Qwerty (the first letters on a keyboard), favorite films, foods and nicknames. 

The company advised users to leave personal information out of their passwords and make their passwords long and nonsensical, making them more challenging for hackers to guess. It also recommended using different passwords for different accounts so that cracking one password won’t enable a hacker to access all accounts

An association for online advertising companies has been fined hundreds of thousands of dollars for developing an ad-targeting tool that violated European Union data laws. 

The Belgian Data Protection Authority (BE DPA) said it was necessary to impose “harsh sanctions” on IAB Europe because the association’s Transparency and Consent Framework (TCF) “could, for a large group of citizens, lead to a loss of control over their personal data.”

The TCF tool allows online publishers and websites to obtain users’ consent to process their personal data for targeted advertising. It was designed to facilitate real-time bidding (RTB) – a means by which advertising inventory is bought and sold on a per-impression basis via instantaneous programmatic auction. 

In a statement released October 2020, IAB Europe said that the TCF is a voluntary standard whose purpose is to assist companies in the digital advertising ecosystem to comply with EU data protection law.

“It contains a minimal set of best practices seeking to ensure that when personal data is processed, users are provided with adequate transparency and choice,” said IAB Europe. 

“Its policies do not assist or seek to assist the processing of special categories of data. It does not intend to replace legal obligations nor enable practices prohibited under the law.”

The Belgian data watchdog imposed a fine of €250k ($282,690) on IAB Europe and ordered the advertising association to implement a “series of remedies” to ensure that it complied with the EU’s General Data Protection Regulation (GDPR).

“Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique transparency and consent (TC) string, which is linked to an identifiable user,” stated the BE DPA.

IAB Europe has been given six months to bring the framework into compliance with European law. 

David Stevens, a chairperson of the BE DPA, said: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online.”

The fact that misinformation is rampant online is not a new phenomenon. Perhaps less understood is the intersection between how often an individual sees a piece of misinformation and how likely they are to believe it.

In a session at the Enigma 2022 conference on February 1, Patrick Gage Kelley, trust and safety researcher at Google, outlined the results of a two-year study conducted by Google about online misinformation. The study was conducted throughout 2020 and 2021 and involved a series of regular surveys that included feedback from over 50,000 people from 16 countries worldwide.

Kelley explained that the researchers had two basic lines of questioning. The first focused on exposure. The researchers asked about a certain statement of information and whether the survey participant heard the information once, many times or not at all. The second line of questioning focussed on beliefs. Respondents could tell the researchers if they strongly believe a specific statement, if they kind of believe it or if they strongly don’t believe it.

Pandemic Conspiracy Misinformation and Beliefs

The Google-led research asked about a series of pandemic-specific conspiracies and found a shocking level of awareness and belief in them.

“We asked people if Bill Gates, George Soros or some other powerful person is behind COVID-19, and 16% globally had that belief,” Kelley said. “We asked people if injecting cleaning products or UV light into people is an effective treatment for COVID-19 – that had an 11% belief.”

Kelley noted that the research wasn’t conducted as just a single point-in-time study but conducted with researchers doing the survey and asking similar questions every few months.

“One of the effects that we find over and over again is that although the narratives move quickly, once these fringe beliefs take hold, they’re difficult to change,” he said.

The researchers also tested views about multiple conspiracies related to the COVID-19 vaccinations, including the falsehood that the COVID-19 vaccine has microchips and is used to track those who get vaccinated secretly. In 2020, 11% of global respondents believed that falsehood to be true, dropping to 10% in 2021.

Reasons for Optimism

While there is much to worry about in terms of online misinformation, there is also some cause for optimism, according to Kelley.

Kelley said that overall, there was a higher level of belief in several positive public health statements that the researchers tested than in the more clear-cut misinformation statements tested.

One such statement was that wearing a face-covering in public is an effective way for slowing the spread of COVID-19. 73% of people globally believed that statement in 2020. Another tested statement was that social distancing, by staying at least six feet from people not in your household, effectively slows the spread of COVID-19, which was believed by 70% of respondents globally. In 2021 however, the results dropped by 5% for face masks and 7% for social distancing.

“While this keeps both above the 60% belief range, it shows how much effort is required to maintain these extremely high levels of belief,” Kelley said. “We take this to show how important continued unified proactive health messaging is.”

Kelley concluded his presentation by noting that Google overall continues to see substantial populations in every country believing in various misinformation and low-quality information statements after widespread exposure to that information.

“People are going to believe a wide range of things and what we need to make sure is that we continue to get access to good information,” Kelley said. “There’s going to be misinformation, and one of the things we can do is measure and understand that so that we can best respond.”

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organizations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees’ motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

The research also found that 55% of workers are considering leaving their jobs in 2022, while two in five (39%) are currently working their notice or actively looking for a new job in the next six months, meaning organizations remain at high risk of data exfiltration.

Josh Yavor, chief information security officer at Tessian, commented: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The great resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is a key step before investing in preventative controls.”

A study last year found that over three-quarters (78%) of insider data breaches involved unintentional data exposure or loss rather than any malice.

A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned.

Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.

However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9, making it one of the most dangerous bugs discovered in recent years. Log4Shell was given only a slightly higher score of 10.0.

“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

Patches have been released, and Samba updates 4.13.17, 4.14.12 and 4.15.5 have been issued to fix the problem, with administrators being urged to upgrade to these releases or apply the patch as soon as possible. The vulnerability has not yet been exploited in the wild at the time of writing, but this is likely to change.

An additional workaround is possible if sysadmins remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.

The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.

Last year was another record-setter in terms of the number of CVEs published to the National Vulnerability Database (NVD), the fifth year in a row this has happened.