Category Archives: News Bites

Short news items

Cybersecurity News for the Week Ending March 25, 2022

FCC Publishes Notice of Inquiry on Digital Redlining

The recently passed jobs act gave the FCC two years to adopt rules that will “facilitate equal access to broadband internet access service.” Congress says that these rules should prevent “digital discrimination … based on income level, race, ethnicity, color, religion, or national origin”. The FCC is asking, publicly, an awful lot of questions. Stay tuned for what happens next. Comments are due by May 16th. Credit: Wiley Law

EU and US Sign New Data Transfer Deal

The EU and US signed a deal to replace Privacy Shield today in Brussels. We have not seen the details of the deal, and Max Schrems, who killed the last two versions of the deal in court, says his group will review it in detail for compliance with EU law, so this is not over yet. Still, it is a good sign for US businesses looking for some certainty when it comes to data transfers. Credit: Security Week

Hackers Unlock and Remote Start Honda Civics for $300 in Parts

Nobody told Honda that sending security information from the fob to the car unencrypted, or sending the same information each and every time to unlock or start the car, is a problem. If you are worried about your Honda being stolen, the only thing you can do is, well, not much. The article says you can put your key fob in a Faraday bag, but the reality is that doesn’t help at all. Credit: The Register
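The item above describes the two design weaknesses together: no encryption and no freshness, so a frame captured once opens the car forever, which is also why a Faraday bag bought afterwards changes nothing. The constructed example below is an added illustration and is not Honda’s protocol or any real fob firmware: it shows a static-code receiver that accepts a replayed frame next to a rolling-code receiver that binds each frame to a one-time counter under a shared key and rejects the same frame the second time. All keys, codes and window sizes are invented for the demonstration.

```python
"""Constructed illustration: static unlock code (replayable) versus a
rolling-code receiver (replay rejected). Not Honda's design; every key,
code and constant here is made up for the example."""
import hashlib
import hmac

SECRET = b"fob-secret-constructed"  # shared fob/car key, constructed
FRAME_LEN = 4 + 8                    # 4-byte counter + 8-byte truncated HMAC tag


class StaticCodeReceiver:
    """Weak design from the post: the same bytes are accepted every time."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Each press carries a fresh counter; the car never accepts a counter it
    has already seen, so a recorded frame is useless once it has been used."""

    WINDOW = 16  # tolerate presses made out of range of the car (constructed)

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    @staticmethod
    def build_frame(key: bytes, counter: int) -> bytes:
        ctr = counter.to_bytes(4, "big")
        tag = hmac.new(key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag

    def unlock(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN:
            return False
        counter = int.from_bytes(frame[:4], "big")
        # Authenticity: only a holder of the key can produce a valid tag.
        if not hmac.compare_digest(frame, self.build_frame(self.key, counter)):
            return False
        # Freshness: reject anything at or below the last accepted counter,
        # and anything absurdly far ahead (lost-sync guard).
        if counter <= self.last_counter or counter > self.last_counter + self.WINDOW:
            return False
        self.last_counter = counter
        return True


class Fob:
    """Transmitter side of the rolling-code scheme."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return RollingCodeReceiver.build_frame(self.key, self.counter)


def replay_demo() -> tuple:
    """Capture one unlock frame from each scheme and send it twice.
    Returns (static_first, static_replay, rolling_first, rolling_replay)."""
    static_car = StaticCodeReceiver(b"UNLOCK-1234")     # constructed code
    captured = b"UNLOCK-1234"
    static_first = static_car.unlock(captured)
    static_replay = static_car.unlock(captured)         # still accepted

    fob, car = Fob(SECRET), RollingCodeReceiver(SECRET)
    captured = fob.press()                              # "eavesdropped" frame
    rolling_first = car.unlock(captured)
    rolling_replay = car.unlock(captured)               # rejected: counter reused
    return static_first, static_replay, rolling_first, rolling_replay


if __name__ == "__main__":
    print(replay_demo())
```

A rolling counter is the minimum a remote-entry design should have; a challenge-response exchange, where the car sends a random nonce that the fob must sign, removes the counter window as well and is the stronger choice when the fob can receive.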

Google Trains Employees to CC: Attorneys to Claim Privilege

In the face of the massive antitrust lawsuit between the feds, 14 attorneys general and Google, the government is asking the judge to sanction Google for arbitrarily CC:ing lawyers on sketchy emails and asking for an opinion. Google’s attorneys understand this is a scam and don’t respond. Google even trains its employees to do this. We shall see what the judge decides. Credit: Ars Technica

Security News for the Week Ending March 11, 2022

Trump is Not Happy About Launch of Twitter-Like Truth Social

Apparently “not happy” is a bit of an understatement. He has a lot to lose if this is not successful. As part of the SPAC deal with Digital World, he has a lot of shares. If the stock, which is still going up slowly, tanks, he stands to lose a bunch of dough. Many people who downloaded the app said that they could not create accounts or were waitlisted. The reality is that people use social media to stay connected, and if you have a choice between Twitter’s billions of users and Truth Social’s thousands of users, the choice is pretty clear. Analysis suggests that it is doing about the same as or worse than Gab and Gettr, which is also a problem. Twitter won because it was the only player. Now you have 3 players all going after the same highly targeted slice of the market. At least it has not been hacked (publicly) since its launch, which is more than Gab and Gettr can say. Credit: MSN

Hackers Targeted US LNG Producers in Run-Up to Ukraine Invasion

In February hackers penetrated computers belonging to current and former employees at nearly two dozen major natural gas suppliers, including Chevron and Kinder Morgan.

Security firm Resecurity discovered a small group of hackers, including one linked to Strontium, the nickname for a hacking group inside Russia’s GRU military intelligence.

They wanted to gain and maintain access into the U.S. energy supply so that they could destabilize the world energy market when Russia invaded Ukraine. Unfortunately for Putin, while these early attacks were successful, they were discovered before they could do any significant damage. Credit: Bloomberg Quint

Google Acquires Mandiant for $5 Billion in Cash

It is nice to be able to write a check for $5 billion. Mandiant, best known for its breach response and threat intelligence services, is being acquired by Google. Depending on what Google does with it, that could be good news for Google cloud services users. Mandiant does have its own cloud security products and together, if Google doesn’t do anything stupid, it will give Mandiant access to a lot of capital. Credit: CSO Online

Alexa, Go Hack Yourself

The good news is that Amazon patched this feature after researchers demonstrated that they could get an Alexa to unlock your door, set your microwave to run with nothing in it (possibly causing a fire), and other cute stuff. The attack is very simple, so it is good that it has been patched now. Aren’t you glad that you don’t have any smart devices in your house? Credit: Ars Technica

Chinese Use Herd Management App to Hack State Networks

Mandiant says that the Chinese hackers APT41 AKA Barium used a bug in an app that many state governments use to track animal diseases in livestock herds called USAHERDS. Mandiant warned the developer of the high severity bug and they have patched it. In the meantime, Mandiant thinks the Chinese have successfully hacked at least 6 state government networks. Maybe as many as 18 states. Think about that before you install that next app. Credit: Wired

Security News for the Week Ending March 4, 2022

Apple Scrambles to Try and Figure Out How to Stop Stalkers From Using AirTags

Their newest idea is that when you initialize a new AirTag, it will tell you that stalking may be illegal in your country. I really, really doubt that will have any effect. They are also shortening the time window for notifying you that you are being stalked. Users of newer Apple devices will be able to find out how far away Apple thinks that rogue AirTag is. They are trying, but there is no simple fix. Credit: Yahoo

China Outs NSA Hacking Tool

Just like the U.S. outs foreign hacking tools when it suits our purposes, China is now doing the same thing. Likely this is for internal consumption, but it does give us a little bit of insight into their thinking and for sure, that certain hacking tools are no longer secret. Credit: Vice

Anonymous Hacks High Profile Russian Leaning Websites

First Anonymous hacked the Russian Ministry of Defense and posted the stolen data online for free. The data includes officials’ passwords, phone numbers and emails (Credit: Cyber News). Then they claim to have broken into Belarusian weapons maker Tetraedr and stolen a couple hundred gigabytes. The data stolen included emails, and they even, conveniently, indexed all of them and handed the data to DDoS Secrets. They call this Operation Cyber Bully Putin (Credit: Cyber News). It sounds like there will be more web sites hacked. Stay tuned.

Apple Responds to Russian Invasion of Ukraine

Each company is doing its own thing. In Apple’s case, they have paused all product sales in Russia. Apple Pay and other services have been limited. Apple Maps has stopped live updates, and Russian propaganda apps have been taken off the App Store (why were they there in the first place?). Credit: ZDNet

FCC to Review Border Gateway Protocol Security

In 1989 an engineer from Cisco and one from IBM wrote down an idea on two napkins (which have been preserved). That was the basis of the Border Gateway Protocol, or BGP. Needless to say, they did not think about security. BGP has been hacked by China and North Korea, among many others, so many times that we have all lost count. But BGP is a critical part of the Internet’s routing system. Finally, twenty-five years too late, the FCC is “looking into” BGP security. We shall see what happens. Change on the Internet goes slowly. IPv6 was approved 10 years ago and still it is the minority of traffic on the Internet (it is used a LOT on the backbone, just not at the edge). Credit: Data Breach Today

Security News for the Week Ending Feb. 18, 2022

Missouri Prosecutor Wisely Decides Governor is not Tech Smart

Remember when the governor got his feelings hurt after a St. Louis newspaper revealed that the education department’s website was publishing the PII of tens of thousands of teachers, and asked the Highway Patrol to prosecute the reporter who embarrassed him? The PII was, as a reminder, just sitting there in the HTML code for anyone to find. The prosecutor has, wisely, decided to deal with the governor’s wrath rather than getting laughed out of court. I suspect he figures that the wrath is temporary while the court’s verdict is permanent. Don’t be surprised if there is a countersuit filed. Credit: Portswigger

New Tool Renders Pixelating Useless

Most of us have seen a picture where they rearrange the pixels of part of an image, like a license plate or someone’s name, to make it more “secure”. Now a tool is available on GitHub that allows anyone to undo this for free. The tool, called UNREDACTOR, needs a little bit of information to do its magic, but once it has that, it is game over. Credit: Hackread

Five Canadian Banks Online Systems go Down at Once

Users could not access online systems for hours, stranding them at stores and stopping them from making transfers. The banks – Royal Bank of Canada, Bank of Montreal, Scotiabank, and Canadian Imperial Bank of Commerce – started having trouble around 5 PM Eastern time. This happened right after the government invoked the Emergencies Act amid the truckers’ protest. Are these related? Is it Russia? We don’t know yet. Credit: Bleeping Computer

Dad Takes Down Town’s Internet to Stop His Kids From Using Their Phones

Turns out dad’s strategy was super effective. Possibly a little too effective. Dad wanted his kids to go to sleep at night instead of playing on their phones. So, dad went out and bought a signal jammer. Apparently, it was a pretty good one. Turns out this French father took out the cellular network in the neighboring town. The French authorities traced the jammer to dad, and now the jammer-er may go to the slammer – err, bad pun. The French prosecutors are investigating. Penalties could be as much as €30,000 and 6 months in jail. It is a similar crime here. Credit: Bleeping Computer

Russia Continues to Make Token Effort to Reduce Cyberattacks

Russia continues to make modest efforts to cut down cyberattacks against other countries. They have arrested a third hacking group; this one specializes in fraudulent credit cards. While the Russians have not provided any details, three carding websites have mysteriously gone away (they actually show a banner that says they were seized) – likely the work of the nice folks of the Russian police. This is only a spit in the ocean, so we should not get our hopes up too high; still, any help is good. Credit: Bleeping Computer

Security News for the Week Ending Feb. 11, 2022

Google Decreased Account Takeovers by 50% by Mandating 2FA

Late last year Google forced about a hundred fifty million users to start using multi-factor authentication. What results did they see? Account takeovers in that group were reduced by 50%. Google has previously said that only 10% of their users were using MFA. Now they are forcing the issue. Credit: Cybernews

Attacks on Crypto Continue – $320 Million in Ethereum Stolen

The Wormhole token bridge, which allows users to send and receive cryptocurrency between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without a centralized exchange, experienced a security exploit resulting in the loss of 120,000 wETH tokens worth $321 million from the platform. Again, the hackers found a bug in the software that allowed them to hack the company. This is the root problem with decentralized finance – it is counting on software being bug free, and that just does not exist. In their case, they are very lucky because the Jump Trading Group, which is an investor in Wormhole, ponied up the $320 mil to make their customers whole. That doesn’t happen often. Credit: Metacurity and

Apple Says It Won’t Do Biz With Companies that Use Conflict Minerals

According to a report that Apple filed with the SEC, they have terminated relationships with 163 smelters and refiners since 2009 for failing to pass human rights and mineral standards. This is the seventh year of requiring these firms to pass a third party audit. This year 12 companies got axed from the vendor list. Good for Apple. Credit: Vice

French Data Protection Authority Says Google Analytics Violates GDPR

The problem, the French privacy folks say, is that Google transfers your data to the U.S. and, after Schrems II, in which the EU high court struck down the US-EU privacy agreement called Privacy Shield, the US was deemed not to have equivalent privacy protections. They would like you to forget that they are playing with a stacked deck, because the European intelligence agencies do the same stuff the US does, but they don’t have to comply. They suggest either anonymizing the data, which is okay for stats but not for targeted ads, or kicking Google to the curb, which was kind of the EU’s goal in the first place. I think Google could choose to leave EU data in the EU, which simplifies the privacy stuff, but it makes life more complicated for Google because they probably could not do a number of things with your data that they would like to. Credit: The Record

Senators Say CIA is Collecting Bulk Data on US Citizens

Executive Order 12333, issued by Reagan in 1981, covers, among many activities, the data collection practices of the intelligence agencies who operate outside the rules of the FISA court. There is a group that is supposed to watch over the CIA called the PCLOB, but many people think it has a pretty cozy relationship with the CIA and doesn’t have the same level of (very limited) transparency that the FISA Court does. Unlike the Patriot Act and USA Freedom Act, which have to be reauthorized, EO 12333 lives forever with no public discussion. Senators Wyden and Heinrich wrote the Director of National Intelligence asking for more transparency. Credit: Data Breach Today

Schools (And Others) Will Pay More for Cyber Insurance

As a result of the massive increase in cyberattacks against schools (and others), cyber insurance premiums will likely face major hikes this year, assuming that you can even get coverage. Hikes of 100% to 300% are likely if you don’t have the best security controls. One California insurance executive said her school clients were declined for insurance 37 times, saw deductibles climb from $25,000 to a million dollars, and saw premiums increase by up to ten times. This will force some organizations to become self insured, making cybersecurity practices even more important. Credit: The Journal

Security News for the Week Ending February 4, 2022

Who is Interested in Attacking My Little Website?

I have written about this before but it is worth repeating. I have a simple firewall on my blog sites. There is nothing terribly sensitive there; it is not connected to my company’s network, but still I continue to be amazed. Yesterday there were 1,175 attacks from Lithuania alone on one of my sites last week. This included a sustained attempted SQL injection attack. These are mass, indiscriminate attacks. Imagine what the attack drumbeat looks like if you are targeted. Are you protected? Do you care if your website goes down due to an attack? Or is defaced? Or is made unavailable?
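The kind of count the paragraph describes (so many requests from one place, a sustained SQL injection attempt) is easy to pull out of an ordinary web server access log, which is worth doing even on a site with nothing sensitive on it. The script below is an added example, not the blog’s firewall or any product: it parses constructed Apache-style log lines, URL-decodes the request path, flags the request when it matches a few common injection shapes, and tallies suspicious requests per source address. The log lines, the addresses (documentation ranges) and the pattern list are all constructed for the demonstration; a real deployment would extend the patterns and add a GeoIP lookup to get the per-country view the post mentions.

```python
"""Constructed example: count SQL-injection-looking requests per source IP
in Apache-style access log lines. Not the blog's firewall; the log lines,
addresses and patterns below are invented for the demonstration."""
import re
from collections import Counter
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed sample log lines (documentation IP ranges, no real hosts).
LOG_LINES = [
    '203.0.113.5 - - [01/Feb/2022:10:00:01 +0000] "GET /?s=how+to+select+a+union+rep HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/Feb/2022:10:00:02 +0000] "GET /?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Feb/2022:10:00:03 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0',
    '198.51.100.9 - - [01/Feb/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3300',
    '203.0.113.7 - - [01/Feb/2022:10:00:05 +0000] "GET /?q=1;%20SELECT%20SLEEP(5)-- HTTP/1.1" 200 512',
    'this line is not a valid access log entry',
]

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately small pattern list; each alternative is one well-known shape.
SQLI_RE = re.compile(
    r"(?i)("
    r"\bunion\b.+\bselect\b"             # UNION ... SELECT column exfil shape
    r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"      # ' OR '1'='1 tautology shape
    r"|\bsleep\s*\("                      # time-based probe
    r"|information_schema"                # schema enumeration
    r"|--\s*$"                            # trailing SQL comment to swallow the rest
    r")"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Decode %xx escapes so patterns see what the database would have seen.
    fields["decoded_path"] = unquote(fields["path"])
    return fields


def is_suspicious(decoded_path: str) -> bool:
    """True when the decoded request path matches an injection shape."""
    return SQLI_RE.search(decoded_path) is not None


def suspicious_by_source(lines) -> Dict[str, int]:
    """Tally suspicious requests per source IP; unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_suspicious(rec["decoded_path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(suspicious_by_source(LOG_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} suspicious request(s)")
```

The first line is the usual false-positive trap: a search for “select a union rep” contains both keywords, but not in the UNION-then-SELECT order, so it is not flagged. Decoding before matching matters because the injection in the second line is entirely percent-encoded on the wire.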

CISA is Getting Aggressive on Patching Flaws

CISA has produced a list of bugs that are being actively exploited and is requiring that executive branch agencies actually install the patches (imagine that). This requirement came out of a Binding Operational Directive. While no one is going to jail if they do not follow a BOD, it is not likely to make the boss happy, which could affect both your budget and job security. This list is now over 350 bugs (compare that to the number of CVEs (bugs) publicly indexed in 2021, which is over 10,000, and was over 18,000 in 2020), so this is a tiny fraction of the total bugs. And, it seems, they add new bugs every week. While this is mandatory for agencies, it is just smart for everyone else. If you are not watching this list, you should. Source: CISA’s Known Exploited Vulnerabilities List
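“Watching this list” is most useful when it is automated: the catalog is published as JSON, so the vulnerabilities your scanner already reports can be cross-referenced against it and sorted by the due date CISA attached. The example below is added here and is not CISA’s tooling; the JSON field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow the published feed, but the catalog entries, the CVE identifiers (`CVE-0000-000x` placeholders), the hosts and the findings are all constructed so that it runs offline. Swap the constructed catalog for the downloaded feed and the findings for your scanner’s export.

```python
"""Constructed example: cross-reference scanner findings against a
KEV-style catalog and flag entries past their due date. Not CISA's code.
Field names follow the published feed; every value below is a placeholder."""
import json
from datetime import date
from typing import Dict, List

# The live feed is published at
#   https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# This constructed snippet only mirrors its shape; the CVE ids are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleServer",
         "dateAdded": "2022-01-27", "dueDate": "2022-02-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMailer",
         "dateAdded": "2022-02-01", "dueDate": "2022-03-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "ExampleDB",
         "dateAdded": "2022-02-04", "dueDate": "2022-02-20"},
    ],
})

# Constructed scanner output: one row per (host, unpatched CVE).
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001"},
    {"host": "web-01", "cve": "CVE-0000-0009"},   # not in the catalog: informational only
    {"host": "db-01", "cve": "CVE-0000-0003"},
]


def load_catalog(raw_json: str) -> Dict[str, dict]:
    """Index the catalog by CVE id for O(1) lookups."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def match_kev(catalog: Dict[str, dict], findings: List[dict], today: date) -> List[dict]:
    """Return findings that appear in the catalog, oldest due date first,
    each tagged with whether the due date has already passed."""
    hits = []
    for f in findings:
        entry = catalog.get(f["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": due.isoformat(),
            "overdue": due < today,
        })
    hits.sort(key=lambda h: (h["due"], h["host"]))
    return hits


def overdue_hosts(hits: List[dict]) -> List[str]:
    """Distinct hosts with at least one KEV entry past due, sorted."""
    return sorted({h["host"] for h in hits if h["overdue"]})


if __name__ == "__main__":
    catalog = load_catalog(KEV_SAMPLE)
    for hit in match_kev(catalog, FINDINGS, date(2022, 2, 15)):   # constructed "today"
        flag = "OVERDUE" if hit["overdue"] else "due"
        print(f"{hit['host']:8} {hit['cve']:14} {hit['product']:28} {flag} {hit['due']}")
```

Keying the join on the CVE id is deliberate: vendor and product strings in the catalog are free text and do not line up reliably with scanner output, while the CVE id is the one field both sides agree on.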

NSO Group Has an Evil Twin

While everyone has been focused on NSO and its ability to hack iPhones, lurking in the darkness is another Israeli security company, QuaDream. A competitor, they seem, up until now, to have stayed under the radar, even though they used the same iPhone vulnerability, called ForcedEntry. When Apple patched it last year, it broke both NSO’s and QuaDream’s hacking software. QuaDream’s software, like NSO’s, can take over the iPhone camera and microphone, record phone calls and other fun stuff. Just to point out that the problem is bigger than NSO. Credit: Metacurity

DoJ Charges 6 Indian Call Centers With Scamming U.S. Citizens

You know all those calls you get pretending to be Microsoft or the IRS or Social Security? A lot of them come from India and now the feds have gone after them. The feds have indicted 6 companies and their owners personally. It is much more likely that they will be extradited to the U.S. since we are on reasonably friendly terms with India. Credit: The Hacker News

Stalkers Are Silencing Apple AirTags Used to Stalk Victims

AirTags were, ostensibly, designed to help people find their keys, but stalkers have figured out that they are a great way to find out where victims, typically young and female, live, work and go. In theory, an AirTag makes a quiet beep after it has been separated from its owner for 8-24 hours. The idea is that if it is being used to stalk someone, they might hear the quiet beep. But stalkers didn’t like that, so they have figured out how to physically disable the speaker without damaging its tracking ability. There is no software fix for this, and likely even if the design is changed, that won’t stop the stalkers either. Since these things are so tiny, it is unlikely that a hidden one would be detected. Credit: Gizmodo