TikTok plans to sue Trump administration over U.S. ban

TikTok has confirmed plans to sue the Trump administration as early as this week over the executive order that bans U.S. transactions with the app and its owner, ByteDance. The executive order states that transactions with ByteDance in U.S. jurisdictions will be prohibited in 45 days, although the full extent of the ban is unclear. TikTok, which has 100 million monthly users in the U.S., is still in talks with Microsoft and Oracle regarding a partnership or sale.

(CNBC)

Former Uber security chief faces criminal charges for hiding 2016 breach

Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for hiding a 2016 data breach from Federal Trade Commission investigators. The criminal complaint suggests that Uber’s then-CEO Travis Kalanick, as well as the company’s legal counsel, were aware of the breach and of Sullivan’s efforts to cover it up. The 2016 breach, the second major breach for Uber, involved code found on GitHub containing around 600,000 names and drivers’ license numbers. Uber is alleged to have paid off the hackers under its bug bounty program, a payment that included having the hackers sign a strict non-disclosure agreement.

(ArsTechnica)

Major wave of vishing attacks targets teleworkers

Employees who work from home are being warned by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to watch out for sophisticated vishing campaigns. Vishing is a form of social engineering in which cybercriminals call workers by phone, usually impersonating a member of their company’s IT department, and seek login credentials. These callers direct victims to spoofed web pages that resemble the company’s internal VPN login page and that are also capable of capturing two-factor authentication and one-time password data. CISA recommends that employees verify these types of requests independently and note all details about the caller and the web pages used.

(ZDNet)

Delays in the GDPR-Twitter breach inquiry highlight clash between technology, cybercrime, and data protection

A data breach suffered by Twitter in 2018 has become the focal point of a logistical challenge for regulators enforcing data protection legislation like GDPR. An investigation of the breach was completed, and recommendations were submitted to Europe’s numerous data protection bodies, in May of this year. Since then, disagreements between Ireland’s Data Protection Commission (DPC) and other regional watchdogs over due process have created a significant backlog, with cases looming for all major social media platforms, including Facebook, LinkedIn and WhatsApp, and the threat of multi-year delays.

(TechCrunch)

Thanks to our sponsor Trend Micro

Automate security and compliance checks with Trend Micro’s Cloud One Conformity. Run reports on an endless combination of filters to exhaustively audit your entire multi-cloud infrastructure. Through hundreds of automated checks against industry compliance standards and cloud security best practice rules, you can continuously improve your security and compliance posture. Leverage detailed resolution steps to quickly rectify security vulnerabilities and reliability risks.

The cybersecurity skills shortage is getting worse

New research from analyst group ESG, along with the Information Systems Security Association, illustrates a lack of progress in bridging the cybersecurity skills gap. The research points out that 70% of cybersecurity professionals say their organization is impacted by the cybersecurity skills shortage, with shortages most acute among application security specialists, cloud security specialists, and security analysts, and no discernible improvement over the past four years. This is leading to increasing workloads, long-standing open jobs, and an inability to learn how to use security technologies to their full potential.

(CISOOnline)

GandCrab ransomware hacker arrested in Belarus

Police in Belarus have arrested a 31-year-old man they allege to be behind the GandCrab ransomware attacks of 2017 and 2018. His victims, reached through phishing emails, were in India, the U.S., Europe, and Russia. This individual neither created the malware himself nor collected the bitcoin ransoms but acted as a distributor in the ransomware-as-a-service market. As an affiliate network, GandCrab raked in hundreds of millions for the senior partners, who then folded the operation and allegedly re-emerged with REvil ransomware, which was responsible for attacks on Carnival Cruise Lines and the makers of Jack Daniel’s whiskey in just the past few weeks.

(Naked Security)

Feds warn election officials of potentially malicious typosquatting websites

In the lead-up to the November U.S. election, the Department of Homeland Security has told election officials to be wary of suspicious websites that impersonate federal and state election sites by using a domain that closely mimics the original. The Aug. 11 bulletin, distributed by DHS’s Office of Intelligence and Analysis, listed roughly 50 suspicious domains purporting to offer information related to voting and elections.

(CyberScoop)

Researchers find a way to copy keys using the sounds they make inside a lock

Researchers at the National University of Singapore have found a way to create a working duplicate of a physical door key by recording, with just a smartphone, the sound it makes in a lock. The technique listens for the sound of the key’s unique ridge pattern passing over the lock’s pin tumblers as the key is inserted, infers the key’s cut from that sound, and allows a duplicate key to be created with a 3D printer.

Although this form of attack has limitations, namely that the smartphone must be physically very close to the lock and background noise must be low for a successful recording, the researchers suggest that malware installed on the victim’s own smartphone, or a hacked smart doorbell, could be used to record the sounds of the lock being opened.

(Gizmodo)