Virginia Passes New Data Protection Law

Virginia governor Ralph Northam has signed a new state data protection act into law.

The Virginia Consumer Data Protection Act (CDPA) requires people conducting business in the Commonwealth of Virginia to comply with a novel set of data security and privacy requirements.

The CDPA, which mirrors some of the provisions laid out in the EU’s General Data Protection Regulation (GDPR), comes into effect on January 1, 2023.

Businesses found to have violated the CDPA will be given 30 days to correct their behavior before they are fined up to $7,500 per violation by the Virginia attorney general.

While similarities exist between the CDPA and the GDPR, and also between the CDPA and the California Consumer Privacy Act (CCPA) that took effect on January 1, 2020, the laws differ enough that compliance with one does not equal compliance with another.

Under the CDPA, Virginia residents have the right to view and obtain the personal data held by a covered entity, to correct errors in it, and to delete it.

Other consumer rights granted to Virginians under the new law allow them to opt out of the processing of their personal data for targeted advertising purposes, and to appeal a business’s refusal to act on a request within a 45-day time frame.

Consumers cannot take legal action against a business if they believe their CDPA rights have been violated, because the new law contains no private right of action.

The CDPA applies to any person or business that controls or processes the personal data of 100,000 or more Virginia residents in a calendar year. It also applies to any person or business that controls or processes the personal data of 25,000 or more Virginia residents in a calendar year and derives 50% or more of its gross revenue from the sale of personal data.

Under the law, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Nonprofit organizations, higher education institutions, and any body, authority, board, bureau, commission, district, agency, or political subdivision of Virginia are exempt from CDPA compliance.

Source: Infosecurity

Hackers Target Texas University

An ongoing network outage at a university in Texas is believed to have been caused by a malicious hack.

The computer network of the University of Texas at El Paso was turned off out of caution after a “potentially malicious intrusion” was detected in the early hours of Friday morning.

Email and the server hosting the university’s website were affected by the incident, forcing faculty and students to communicate via Blackboard. The cyber-attack has also led to the closure of the university’s walk-up COVID-19 testing sites.

IT staff have been working through the weekend to test each campus system and bring them back online one by one.

Priority has been given to recovering the university’s online teaching and learning systems. Faculty have been asked to extend deadlines for students who were impacted by the security incident.

In a statement posted on social media on March 7, the university said that it did not think any personal information had been compromised in the attack.

“Early Friday morning, UTEP detected an unauthorized and potentially malicious intrusion in our on-campus network,” said the university.

“Following our standard procedures, we immediately turned off all of our campus systems and have been working throughout the weekend to test and bring each system back online after checking it thoroughly.

“We have been checking diligently and we are not aware of any personal information that has been compromised. Of course, we will continue to look for this in the coming days.”

Until the network is restored, all students, staff, and non-essential faculty have been asked to work from home.

“We are trying to have Blackboard up and running beginning Monday morning so that all online classes can resume. Faculty should work with students and adjust deadlines and coursework accordingly. Because faculty and staff email continues to be down, faculty and students should communicate via Blackboard regarding any questions about in-person classes,” said a UTEP spokesperson.

“We are also continuing to work to safely bring all of our other systems online. This is a time-consuming process because every machine on campus must be checked. We will accomplish this as quickly and safely as possible.”

Source: Infosecurity

CVE-2020-5014

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side request forgery attack. IBM X-Force ID: 193247.
Source: NIST

CVE-2020-4903

IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105.
Source: NIST

CVE-2020-4695

IBM API Connect V10 is impacted by insecure communications during database replication. As the data replication happens over insecure communication channels, an attacker can view unencrypted data leading to a loss of confidentiality.
Source: NIST

CVE-2021-21329

RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events. In affected versions of RATCF, users with multi-factor authentication enabled are able to log in without a valid token. This is fixed in commit cebb67b.
Source: NIST

TiG Acquires ThirdSpace

British tech company TiG Data Intelligence has successfully completed the acquisition of identity and security company ThirdSpace.

ThirdSpace began life in 2002 as Oxford Computer Group UK. The company’s first-ever client, University West of England, is still working with them today.

Operating as a specialist arm of TiG, ThirdSpace will retain its independent capability and expertise and its current management structure.

“We are delighted to be realising one of ThirdSpace’s strategic goals in expanding our security capabilities with a full Managed Service Cloud offering,” said Neil Coughlan, CEO at ThirdSpace.

“With Microsoft as our combined platform of choice, and with our joint security and management proposition, ThirdSpace and TiG are uniquely positioned to give our clients the peace of mind that they remain in control.”

Coughlan will join the TiG board as chief strategy officer. ThirdSpace’s sales director, Nick Lamidey, will join the TiG board as chief sales officer.

Established in 2001, TiG is a multi-award-winning managed service provider and the largest UK-based specialist provider to the financial services sector.

“We have a long-established and strong relationship with TiG,” stated ThirdSpace on March 4. “As a team, we know and trust them implicitly, and as an organization they share the same culture of supporting and developing great people to enable client success.”

By joining forces, TiG and ThirdSpace now have over 210 employees tasked with the mission of delivering security, data, and identity solutions. The group said its ambition is to become the UK’s leading advanced digital MSP.

Des Lekerman, CEO at TiG, said: “Over the years and with a number of strategic acquisitions, we have built a business that we are extremely proud of. This acquisition is transformational as we can now provide a deeper and broader set of services to our clients. There is huge demand in the market for an advanced digital MSP with a customer-centric flexible approach. The combined suite of services is a key differentiator in the market and a fantastic opportunity for all our people.”

The acquisition was completed with the financial backing of minority investor BGF.

Source: Infosecurity

The Edge Pro Tip: Proceed With Caution

Security pros offer up their post-SolarWinds patch-management advice.
Source: DarkReading

CVE-2021-21327

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.4, a non-authenticated user can remotely instantiate an object of any class existing in the GLPI environment, which can be used to carry out malicious attacks or to start a “POP chain”. As an example of direct impact, this vulnerability affects the integrity of the GLPI core platform and of third-party plugins at runtime by misusing classes that implement sensitive operations in their constructors or destructors. This is fixed in version 9.5.4.
Source: NIST

CVE-2021-21326

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.4, it is possible to create tickets for another user via the self-service interface without delegatee systems enabled. This is fixed in version 9.5.4.
Source: NIST