Newsletter:

Technology Updates - June-July 2021 Issue

25 August 2021



Innovation and technology are drivers for organisation growth and the key to enhance competitiveness of different industries. Just as technology rapidly evolves, so does the sector. In every monthly issue of our ‘Technology Updates’, it will include the latest updates from cybersecurity, emerging technology & data privacy.


Cyberattack shuts major US fuel pipeline

The Colonial Pipeline is the largest pipeline system for refined oil products in the US. The pipeline - consisting of two tubes - is 5,500 miles (8,850 km) and can carry 3 million barrels of fuel per day between Texas and New York.

On 7 May 2021, Colonial Pipeline said that a cyberattack forced the company to proactively close down operations and freeze IT systems after becoming the victim of a cyberattack.

Colonial Pipeline was hit with a ransomware attack. Bloomberg reported the hackers began their hack on 6 May 2021 by stealing about 100 gigabytes of data in a double extortion scheme that holds the data hostage and threatens to leak it. The company shut some of its operations after discovering malicious software in order to prevent it from spreading and thereafter led to temporary fuel shortages along the East Coast of US.

Meanwhile, the CEO of Colonial Pipeline paid the requested ransom US$4.4 million within several hours after the attack and the hacker group sent Colonial Pipeline a software to restore their network and IT infrastructure.

So, how can security analysts spot hackers early in the network intrusion cycle and before they reach the ransom demand stage? It requires continuous managed security services eg round-the-clock security monitoring over your IT infrastructure and critical servers and computers.

What is managed security services?

The managed security services (MSS) are network security services that managing an organisation's security needs by systematic approach. The services may be conducted in-house or outsourced to a service provider that oversees other companies' network and information system security. It typically provides real-time security monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies.

The longer that a cyber security exploit is not fixed, the greater the potential damage and expense to your organisation will occur. Therefore, contact our consultant today and understand how our cybersecurity consultancy services help your business enhance your IT security.

Read more:
Bloomberg, https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown


Cloud services misconfiguration exposes PII, real-time and payment data and on popular Android apps

Despite the obvious benefits of contemporary cloud-based, mobile application development solutions—such as cloud storage, notification management, real-time databases, and analytics—many developers of these solutions fail to properly take into account the potential security risks involved when these apps are misconfigured.

According to Check Point Research (CPR), it recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third party cloud-services into their applications. Check Point researchers discovered that many developers failed to follow proper security practices when configuring and integrating cloud services. “By not following best practices when configuring and integrating third-party cloud services into applications, millions of users’ private data was exposed,” researchers said.

As a result, many Android app cloud databases were unsecured, allowing anybody to access sensitive user information of over 100 million users. Personal data includes emails, chat messages, location, passwords and photos, which, in the hands of malicious actors, could lead to fraud, identity theft and service swipes. This misconfiguration of real-time databases is not new and continues to be widely common, affecting millions of users, the report said.

What is security penetration test?

A penetration test, also called ethical hacking, is a simulated cyber attack and security assessment that test against your IT system to identify any exploitable vulnerabilities. It can involve the attempted breaching of any number of application systems, (eg application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitised inputs that are susceptible to code injection attacks.

The more importance of your IT infrastructure and application, the sooner you should conduct security test such as penetration test and reduce potential and great damage caused by cyber-attack. Therefore, contact our consultant today and understand how our cybersecurity consultancy services help your business improve cybersecurity.

Read more:
Check Point, https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/


Marshall Islands launches national cryptocurrency

The Marshall Islands, a country of around 50,000 people spread across more than 1,000 islands, plans to issue a national currency on the basis of the blockchain, replacing the United States dollar as the primary currency.

The Marshall Islands had passed a Sovereign Currency Act in 2018, declaring its intent to release its new national digital currency. The nation has until now been using the United States dollar as the official currency for all payments, debts, public charges, taxes and dues.

"Many of our citizens send or receive money using remittance services, paying fees of up to 10% per transaction. Even simple things like acquiring and installing ATMs become complicated when you're in the middle of the Pacific Ocean!" Minister Paul said.

The new currency will be based on blockchain technology developed by Silvio Micali, the Ford Professor of Engineering in MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), and commercialised by Micali’s startup, Algorand.

What is blockchain?

Blockchain can be used as solution to improve data integrity to the highest standards. A blockchain is essentially a distributed database of records, or public ledger of all transactions or digital events that have been executed and shared among participating parties. By design, blockchains are inherently resistent to change of data. Blockchain ledgers are indisputable such that if data addition or transaction has been made.

In addition, blockchains are not only a data storage but a timekeeping data structure that it can provide proof of the history of data eg transportation records, sales records are easily reportable and maintained. Organisations facing different challenges from audit, regulatory compliance requirements, or legal can use blockchain technology to improve data integrity.

We have seen different business face varies challenges from traditional business operation flows, outdated system design, lack of technology driven processes and so on. The longer your organisation waits, the more difficult to catch up industries. Don’t wait and do gap analysis assessment as well as proof-of-concept works on emerging solution to meet new business needs.

Read more:
Massachusetts Institute of Technology, https://news.mit.edu/2021/unlocking-potential-blockchain-0616


Hackers hit Microsoft customer service system, make off with data

On 25 June 2021, Microsoft Corp. said hackers compromised a computer used by a Microsoft customer support employee that could have provided access to different types of information, including ‘metadata’ of accounts and billing contact information for the organisation.

The pilfered data included billing contact information and what services the customers pay for, the news outlet said. Hackers can use such basic data in bogus emails and phone calls as part of phishing attacks that can help them gain access to more-sensitive information.

The incident was part of a broader campaign—which involved other hacking techniques beyond leveraging the information taken from its support system—that primarily targeted technology companies and government agencies in 36 countries.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said. “We responded quickly, removed the access and secured the device.”

What is data protection and its principles?

Personal and critical data must put in place appropriate technical and organisational measures to implement the data protection. Business processes and/or IT system that handle those data must be designed and built with consideration of principles of data protection and provide safeguards to protect data.

Read more:
Microsoft, https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/


How can BDO help?

The BDO Risk Advisory Services (RAS) team is formed by a group of dedicated IT professionals. We are well equipped, qualified, experienced and well prepared to assist your board or management to perform IT security assessments, vulnerability assessments, gap analysis and proof of concept (PoC) for new technology application to business operation or any other IT matters relating to regulatory requirements. Please do not hesitate to contact us and talk to our consultants. We are pleased to provide further insight or assistance if needed.