This week:
3 – Surveillance for One is Surveillance for All
2 – IT Service Providers are becoming regulated entities
1 – Browser Extensions are convenient. And dangerous.
3 – Surveillance for One is Surveillance for All
“Employee monitoring app leaks 21 million screenshots in real time”
Source: cybernews
What’s the story?
The employee monitoring application WorkComposer is designed to track employee productivity by logging activity and snapping regular screenshots of employees’ screens. Unfortunately, it has inadvertently leaked over 21 million of these screenshots due to a misconfigured cloud environment. The screenshots included images of internal business documents, login credentials, and personal information, posing significant privacy and security risks to organisations using the WorkComposer app.
So what?
As the author says:
“Your boss watching your screen isn’t the end of the story. Everyone else might be watching, too.”
When any surveillance tool is in use, there is always a risk that this surveillance could become accessible to unauthorised individuals.
2 – IT Service Providers are becoming regulated entities
“Expanding the scope of the regulations to include [IT] managed services [providers] will enhance the security of IT infrastructure and reduce the risks of cyber attack. [..] While we expect this measure to have associated costs related to security improvements and compliance, these investments will position MSPs as trusted and reliable partners in the cyber security landscape.”
Source: UK Government Press Release
What’s the story?
The UK’s proposed Cyber Security and Resilience Bill (the UK’s counterpart to the EU’s NIS2 directive) aims to enhance national cyber security by expanding the scope of existing regulations. Key measures include bringing Managed Service Providers (MSPs) into scope for the regulation.
So what?
Your security depends on the security of your IT service provider(s). After all, they probably have more access to your data and systems than you do, and attackers know that a successful attack on one IT service provider enables further attacks on all of the IT service provider’s clients.
That’s why it’s no surprise that the UK has followed the EU’s lead by bringing IT service providers into regulatory scope.
If you haven’t asked your IT service provider about what they are doing to comply with the requirements of regulations such as NIS2 in Europe, or the Cyber Security and Resilience Bill in the UK, now’s a good time to ask them.
And if they ask you ‘What is the NIS2 Directive?’, it may be time to find a new IT service provider.
1 – Browser Extensions are convenient. And dangerous.
“The Cookie-Bite [browser extension] proves what we already knew: browser extensions can be very dangerous to your security and privacy.”
Source: Intego
What’s the story?
When we log into a website through a browser, a small text file (called a session cookie) is stored on our device. This session cookie ensures we are not asked to log in again every time we move from one page to another. It’s like a temporary access card that remains valid for a pre-defined period of time.
If an attacker can get a copy of your session cookie, they may be able to use this to gain access to your account from their computer.
The ‘Cookie-Bite’ browser extension was recently developed by security researchers to demonstrate how browser extensions can be used by attackers to get their hands on your session cookies. The researchers focused on their victim’s Microsoft 365 / Azure account, but a similar approach could be used for any website.
So what?
As the author states:
“Though popular, Web browser extensions are not necessarily safe. Just like any software you might install on your computer, they can contain malicious code designed to do evil things.”
We all know that we need to manage and restrict the applications in use within the organisation.
As this story demonstrates, keeping tabs* on all of the browser extension apps is a key part of this activity.
* Pun intended!
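One way to keep tabs on extensions in practice, as an added example that is not from the original article or from the Cookie-Bite researchers: a small Python audit that reads each installed extension’s manifest.json and flags any that request the ‘cookies’ permission together with access to every site, the combination that makes session-cookie theft possible, then compares the result against an approved list. The Chrome profile layout and the sample manifests are assumptions constructed for the example.

```python
import json
from pathlib import Path

# Real Chrome manifest values: 'cookies' plus a broad host pattern lets an
# extension read the session cookies of every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Host patterns live in 'permissions' (MV2) or 'host_permissions' (MV3)."""
    return {e for key in ("permissions", "host_permissions")
            for e in manifest.get(key, []) if e == "<all_urls>" or "://" in e}

def assess(manifest):
    """Rate one manifest: 'high' = cookies + all sites, 'medium' = one of them."""
    reasons = []
    if "cookies" in manifest.get("permissions", []):
        reasons.append("requests the 'cookies' permission")
    if host_patterns(manifest) & BROAD_HOSTS:
        reasons.append("can run against every site")
    return {0: "low", 1: "medium", 2: "high"}[len(reasons)], reasons

def audit(manifests, allowlist):
    """Return (id, name, risk, approved, reasons) for every extension that is
    not on the allowlist, or is allowed but still rated above 'low'."""
    rows = []
    for ext_id, manifest in manifests.items():
        risk, reasons = assess(manifest)
        approved = ext_id in allowlist
        if not approved or risk != "low":
            rows.append((ext_id, manifest.get("name", "?"), risk, approved, reasons))
    return rows

def load_chrome_manifests(profile_dir):
    """Assumed Chrome layout: <profile>/Extensions/<id>/<version>/manifest.json."""
    return {p.parent.parent.name: json.loads(p.read_text("utf-8"))
            for p in Path(profile_dir, "Extensions").glob("*/*/manifest.json")}

# Constructed sample manifests standing in for a real profile directory.
SAMPLE = {
    "aaaa": {"name": "Tab Tidy", "permissions": ["tabs"]},
    "bbbb": {"name": "Cookie Helper", "permissions": ["cookies"],
             "host_permissions": ["<all_urls>"]},
    "cccc": {"name": "Site Notes", "permissions": ["cookies", "https://notes.example/*"]},
}

if __name__ == "__main__":
    for row in audit(SAMPLE, allowlist={"aaaa", "cccc"}):
        print(row)
```

Swap `SAMPLE` for `load_chrome_manifests("<path to a Chrome profile>")` to run it against a real profile; an allowed extension that still rates ‘high’ is the one to review first.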