As we wrap up August and jump into September, school is back in session for most students. Probably not coincidentally, we saw an uptick in the number of news stories regarding student and staff data related to school districts and schools. As incidents in education become more prevalent, the importance of our own education increases with it. The more we educate ourselves about common attack strategies, tools, and tactics, the better equipped we are to handle and avoid incidents. Here are some news stories (education and otherwise) that made an impact this month.
Attackers Schooling Communities
- Another school paid a ransomware ransom this month. Rockville Centre in New York is the latest in a long line of cities that have recently paid off attackers to get their systems and data back. It’s starting to feel like local governments and cities have set the precedent, and we’ll be seeing a lot more city- and school-aimed attacks. Something is going to have to change.
- Two large districts in Illinois were hit with attacks this month. The result? The data of 8,700 students and faculty members leaked. It’s possible that we see an update including more districts and an increased victim count as more information comes out. The leaked data was part of a nationwide incident stemming from Pearson’s AIMSWeb—a student monitoring and assessment platform.
- Millions of students were saved by the bell this month when a teen found flaws in Blackboard’s Community Engagement software and Follett’s Student Information System. 18-year-old Bill Demirkapi presented his findings at DEFCON this year, outlining a three-year project in which he found 5 million exposed grades, immunization records, cafeteria balances, schedules, cryptographically hashed passwords, and photos across the two systems. Thankfully, these flaws weren’t found by someone with ill intent.
Fixing the Broken Industry
- The information security industry has a lot of room for improvement. Thankfully businesses and organizations all over the world are striving to make it better. And what better way to entice people to help than a cool $1M? Apple has offered a $1M bounty to those who can hack iOS’s core, ultimately garnering data they can use to decrease the number of exploits.
- Data privacy is an increasingly discussed topic all over the globe. Unfortunately, it often takes some type of law or regulation to convince companies to do a better job of protecting the data entrusted to them. But, forced or not, any step in getting people to protect information more effectively feels like a good one. The Senate Judiciary Committee’s new tech task force leader, Marsha Blackburn, aims to take one of those steps by passing data privacy legislation—particularly to hold Silicon Valley tech giants accountable.
- New Hampshire joins Ohio, South Carolina, and Michigan in enacting a new data security law directed at insurers. As part of creating a written information security program, licensees are mandated to conduct risk assessments. Getting a baseline risk assessment is a critical starting point for all organizations, so this law will hopefully push more organizations into understanding and improving their security posture.
Technology and Machinery
- The Department of Homeland Security issued a security alert for operators of small planes at the beginning of August. Flight systems are vulnerable to hacking if someone gains unauthorized physical access to their planes—all it takes is adding a small device to plane wiring to manipulate electrical messages.
- Russian probing doesn’t stop at elections. Microsoft warned that Russia-linked attackers are gaining access to networks through poorly configured devices, such as office printers and VoIP phones.
- No one is immune to security incidents, but that doesn’t mean we should welcome them with open arms. The Pentagon knowingly purchased thousands of computers, printers, security cameras, and networking equipment that contained confirmed cybersecurity vulnerabilities.
- With the increasing number of vehicles being internet-connected, the chances of vulnerabilities and incidents increase. This is causing some extreme concern among a group of security advocates who are suggesting a September 11-like attack could be on the horizon.
- On the good side of consumer news, Apple announced this month that they will no longer allow contractors to listen to Siri conversations—a QA practice the company used to employ.
- It can be hard to stay safe from incidents when there are internal forces at work. An AT&T employee was bribed by an attacker to unlock and gain access to mobile devices. While this incident only impacted AT&T employee devices, a similar event at another telecommunications provider could spell disaster for any mobile device users.
- This industry can be scary as it is. Behind every piece of stolen information is a person that it impacts. When that person happens to be a child, we start to enter pretty uncomfortable territory. A flaw in LeapFrog tablets was revealed in August, which made tablet locations visible and allowed for strangers to send communication—both things that could be devastating under the wrong circumstances.
- If State Farm is your insurance provider, you may have been part of a large compromise this month. The insurer (which serves 83 million US households) experienced a credential-stuffing attack in July that was uncovered in early August. While the insurance giant has since reset user passwords, credential stuffing can snowball. It’s important to change the credentials of any accounts that use the same login and password combination.
- A popular Android app was pulled from the Google Play store after it started delivering malware to devices. CamScanner, which had been downloaded over 100 million times, says it has removed the malicious code placed in the app and has begun adding the app back to the store.
Following information security news and trends is important. It gives you an idea of what’s going on in the industry so you can continue to protect yourself and your business. Follow FRSecure on Twitter and LinkedIn for consistent updates on information security news like this, and visit our site to learn how your organization can continue to make improvements to its security measures.