ADPPA and Data Security

The American Data Privacy and Protection Act (ADPPA) is working its way through the House and Senate with bipartisan support. The bill would provide comprehensive regulation of consumer data at the federal level. It still has hurdles to overcome, but experts believe a version of its strong consumer protections will pass in the near future. The bill focuses on companies collecting only the data they need, and it comes down hard on the third-party collection and sharing that feeds targeted advertising. Have you ever searched for a product and then had that product follow you around the web for weeks, advertised on every site you visit? One part of ADPPA would largely limit the data sharing that currently makes that kind of third-party advertising possible.

“The reason I really like this bill is, it takes a data-minimization approach first,” says Sara Collins, senior policy counsel at Public Knowledge, a consumer advocacy group in DC. “The bill at the outset is like, ‘One, you don’t collect any more data than you reasonably need, and two, here’s a list of reasons you might need this data.'”

The landmark bill is strong on consumer protection, but what will it mean for your business, and how should you start preparing for comparable legislation?

In the current version of the bill, businesses with more than 15 employees would be affected and would be limited in the types of data they are allowed to collect. Companies would also be restricted to collecting and processing data only as needed for one of 17 permitted purposes. Start preparing for the new legislation now by limiting the data your business collects. A company can only lose, and is only responsible for protecting, the data it actually holds, so don’t ask for it if it isn’t needed.

Next, add layered security to protect the data you do need in order to do business. Part of the bill requires companies to identify and mitigate privacy risks in how they protect data, and to be able to defend the decisions made when designing that infrastructure. The Quanexus Q-Stack is an example of a layered security infrastructure designed to protect data.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn, and stay up to date by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

Uber Breach

Uber suffered a data breach Thursday that reached many internal systems. The company did not know it had been breached until the attacker announced himself in the company’s internal Slack workspace. “I announce I am a hacker and Uber has suffered a data breach,” the message said, along with a list of compromised tools. Uber shut down many internal tools, including Slack and developer access, but kept the public ride-share and food-delivery apps online.

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”

The 18-year-old hacker posted screenshots of internal systems, Uber source code, and email systems on the web. On Monday, Uber said it believed the hacker group LAPSUS$ was behind the attack; the group is thought to be composed mainly of teenagers.

The attacker used social engineering to gain access to internal systems, convincing an employee that he worked for Uber’s internal IT department. The compromised employee apparently also passed along two-factor authentication credentials. Critics point to the attack as another case where an attacker got past MFA. The incident joins a recent string of attacks, including those on Twilio, Cloudflare, Cisco, and LastPass. The weakness is not the second factor itself but the form it takes: a one-time code can be read out to someone posing as IT, and a push prompt can be approved under pressure. Security professionals cite these incidents as incentives to move more quickly toward FIDO2 hardware security keys, which sign a challenge bound to the real site’s origin, so there is no code for the user to hand over and a look-alike site gets nothing it can reuse. Read our blog post on the FIDO Alliance and Apple passkeys here.

Uber previously suffered a breach that exposed the names, email addresses, and phone numbers of 57 million people in 2016. That breach also exposed the driver’s license information of 600,000 US drivers. Uber kept the breach secret for more than a year.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Virtualization

Apple Passkey

With the release of iOS 16 on Monday, Apple took a significant step toward killing the password as we know it. The new technology, known as passkeys, lets users log into apps and websites without a password. In the future, supported platforms will allow account creation without a username and password at all. Passkeys sync through iCloud Keychain, so they are backed up in the event of a lost or broken device.

Passkeys are not proprietary to Apple; they are a part of open standards from the FIDO Alliance that Google, Microsoft, and Apple are using to eliminate the need for traditional passwords.

“Now is the time to adopt them,” Garrett Davidson, an authentication technology engineer at Apple, said in a WWDC talk about passkeys. “With passkeys, not only is the user experience better than with passwords, but entire categories of security — like weak and reused credentials, credential leaks, and phishing — are just not possible anymore.”

The open standard works on a pair of mathematically related keys. The public key is stored by the website or app and is not secret. The private key is stored on the user’s device and never leaves it. When the user signs in, the site sends a random challenge to the device on file. The device unlocks the private key with Face ID or Touch ID, signs the challenge together with the origin of the page that requested it, and sends the signature back. The site checks the signature with the stored public key; the private key itself is never shared.

With a traditional username and password, the website or app is responsible for the lock: it holds a copy of the secret and must keep it safe. Passkeys put the lock in the hands of the user: the only secret is the private key on the device, and the site holds nothing but a public key. Because the device signs a challenge tied to the site that requested it, the result is a technology that is much more difficult to phish and does not rely on user-created passwords, which are notoriously terrible.

Apple is the first to add the technology to smartphones, but Microsoft already offers passwordless login with its Authenticator app and Windows Hello, and Google has announced that passkey support on Android will be available to developers by the end of the year. Read more in our blog post A Future Without Passwords.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

Phishing as a Service with MFA

A hacking group is getting attention for combining two of the attack vectors we have covered recently on the blog. EvilProxy is in the news for offering phishing-as-a-service (PhaaS) together with the ability to bypass multi-factor authentication (MFA). We explored adversary-in-the-middle (AiTM) attacks just a couple of weeks ago; now the method is being sold for a fee to compromise accounts associated with Apple, Facebook, Google, Microsoft, Twitter, and Instagram.

EvilProxy uses a process similar to the one we described in the previous post. The attack starts with a phishing campaign. When the user clicks the link, they land on a page that looks like the Microsoft or Google login page being spoofed. In fact the phishing server sits between the user and the real site: it forwards everything the user types to the actual Microsoft or Google login and relays the real site’s responses back. This is the first place the attack differs from a typical phishing page. By passing the credentials on to the actual site, the proxy learns immediately whether the username and password are correct and whether the account has MFA enabled. If the username and password check out, the real site’s MFA prompt is relayed back to the user, who approves the push or enters the code as they normally would.
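The passkey exchange from the Apple Passkey post above, and why the proxy described here cannot relay it, as an added Go example that is not part of the original posts or of any vendor's code. It models a simplified WebAuthn login: the relying party name accounts.example.com, the phishing host accounts-example.evil, and the function names are assumptions for illustration, and the authenticator data is reduced to the rpID hash plus a flags byte. The point it shows is that the browser, not the web page, writes the true origin into the signed client data and only offers a credential whose rpID matches the page's host, so a proxy on another domain gets no assertion at all, and a replayed or origin-forged assertion fails the server's own checks.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData carries the fields of WebAuthn's CollectedClientData that matter here.
// The browser, not the page, fills in Origin; that is what a phishing proxy cannot fake.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the device hands back to the site.
type assertion struct {
	AuthData       []byte // simplified here to SHA-256(rpID) || flags byte (assumption)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256, DER, over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

// newCredential plays registration: the device makes a P-256 key pair; the site keeps only the public half.
func newCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newChallenge is the fresh random value the site issues for every login.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedDigest is what both sides hash before signing or verifying.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorAssert models browser and platform authenticator together: a credential is only
// usable when the page host is the rpID or a subdomain of it, and the real origin goes into clientData.
func authenticatorAssert(priv *ecdsa.PrivateKey, rpID, challenge, origin string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	if u.Scheme != "https" || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, fmt.Errorf("no credential for rpID %q usable from origin %q", rpID, origin)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present (Face ID / Touch ID passed)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// relyingPartyVerify is the server side: challenge it issued (no replay), origin it trusts
// (no proxy), rpID hash, and only then the signature against the stored public key.
func relyingPartyVerify(pub *ecdsa.PublicKey, rpID, expectedChallenge string, allowedOrigins map[string]bool, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case !allowedOrigins[cd.Origin]:
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 33 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpID hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	priv, _ := newCredential()
	rpID := "accounts.example.com" // hypothetical relying party
	origins := map[string]bool{"https://accounts.example.com": true}
	ch := newChallenge()
	a, _ := authenticatorAssert(priv, rpID, ch, "https://accounts.example.com")
	fmt.Println("genuine login:", relyingPartyVerify(&priv.PublicKey, rpID, ch, origins, a))
	fmt.Println("replayed assertion:", relyingPartyVerify(&priv.PublicKey, rpID, newChallenge(), origins, a))
	_, err := authenticatorAssert(priv, rpID, ch, "https://accounts-example.evil") // the proxy's domain
	fmt.Println("AiTM proxy relaying the real challenge:", err)
}
```

Run it with go run: the three printed lines show a genuine login verifying (nil error), a replayed assertion rejected for a stale challenge, and the proxy's origin refused before anything is signed. Contrast that with a one-time code or a push approval, which carries no information about which site asked for it.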

The second difference from a typical phishing attack is what happens after MFA succeeds: the real site issues a session cookie, and because the traffic passes through the proxy, the attacker captures it. This lets the attacker use the account without authenticating again, because the cookie is the proof that authentication already happened. They can keep accessing the email, Facebook page, or Twitter account for as long as the session stays valid, without triggering another MFA request.
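Detection logic for the stolen-session case above, as an added Go example that is not code from the original post or from any vendor. The log lines are constructed, the field names and the sampleKnownIPs history are assumptions, and the session field stands for an identifier of the cookie, never its value. The proxy leaves two traces that an identity-provider or mail-server log can show: the sign-in itself completes from the proxy's address, which the user has never used, and the cookie is then presented from a client that differs from the one it was issued to.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// event is one log record. Session is an identifier for the cookie or token (a hash, say).
type event struct {
	TS      time.Time `json:"ts"`
	User    string    `json:"user"`
	Event   string    `json:"event"` // "mfa_ok" marks the moment a session cookie was issued
	Session string    `json:"session"`
	IP      string    `json:"ip"`
	UA      string    `json:"ua"`
}

type alert struct{ User, Session, Reason string }

// Constructed sample log, not real traffic. alice's sign-in completes from 203.0.113.10 (the
// proxy's server); the cookie is then presented from the attacker's own machine at 198.51.100.7.
const sampleLog = `
{"ts":"2022-09-15T13:02:11Z","user":"alice","event":"mfa_ok","session":"s1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/105"}
{"ts":"2022-09-15T13:05:03Z","user":"alice","event":"mailbox_read","session":"s1","ip":"198.51.100.7","ua":"python-requests/2.28"}
{"ts":"2022-09-15T13:09:30Z","user":"alice","event":"inbox_rule_created","session":"s1","ip":"198.51.100.7","ua":"python-requests/2.28"}
{"ts":"2022-09-15T13:10:00Z","user":"bob","event":"mfa_ok","session":"s2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/16"}
{"ts":"2022-09-15T13:12:00Z","user":"bob","event":"mailbox_read","session":"s2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/16"}
`

// sampleKnownIPs stands in for a per-user history of addresses seen on earlier sign-ins (assumed).
var sampleKnownIPs = map[string][]string{"alice": {"192.0.2.77"}, "bob": {"192.0.2.44"}}

// parseEvents reads newline-delimited JSON records; timestamps are RFC 3339.
func parseEvents(raw string) ([]event, error) {
	var out []event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// detectStolenSessions flags MFA completing from a network the user has never used (the proxy)
// and a cookie later presented by a different client than the one it was issued to. Reuse is
// reported once per new (IP, UA) pair per session so a scripted attacker does not flood the queue.
func detectStolenSessions(events []event, knownIPs map[string][]string) []alert {
	type issuance struct {
		ip, ua string
		at     time.Time
	}
	issued := map[string]issuance{}
	seen := map[string]bool{}
	var alerts []alert
	for _, e := range events {
		if e.Event == "mfa_ok" {
			issued[e.Session] = issuance{e.IP, e.UA, e.TS}
			if !contains(knownIPs[e.User], e.IP) {
				alerts = append(alerts, alert{e.User, e.Session, "MFA completed from " + e.IP + ", never seen for this user"})
			}
			continue
		}
		orig, ok := issued[e.Session]
		if !ok {
			continue // session issued before this log window; nothing to compare against
		}
		key := e.Session + "|" + e.IP + "|" + e.UA
		if (orig.ip != e.IP || orig.ua != e.UA) && !seen[key] {
			seen[key] = true
			alerts = append(alerts, alert{e.User, e.Session, fmt.Sprintf(
				"cookie issued to %s (%s) used from %s (%s) %s later during %s",
				orig.ip, orig.ua, e.IP, e.UA, e.TS.Sub(orig.at).Round(time.Second), e.Event)})
		}
	}
	return alerts
}

func main() {
	events, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detectStolenSessions(events, sampleKnownIPs) {
		fmt.Printf("ALERT user=%s session=%s: %s\n", a.User, a.Session, a.Reason)
	}
}
```

On its own an IP change is noisy for mobile users; the user-agent change and the inbox-rule creation in the sample are what turn it into an alert worth a call to the user, and a real deployment would compare ASN or country rather than the bare address. Revoking the session, not just resetting the password, is the response that actually ends the attacker's access.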

EvilProxy is selling the technique for as little as $400 per month. Research also suggests the group is targeting software developers and IT engineers, whose accounts open the way to more services and widen the list of companies that can be attacked.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business