Treasury Department’s senior leaders were targeted by SolarWinds hack

The SolarWinds hack continues to reveal its reach. The email system used by the Treasury Department’s most senior leadership suffered what it describes as “a serious breach, beginning in July, the full depth of which isn’t known.” Senator Ron Wyden of Oregon, speaking on behalf of the Senate Finance Committee, said the hackers had gained access to the email system by manipulating internal software keys. He added that the department learned of the breach not from any of the government agencies whose job it is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software.

(New York Times)

Draft lawsuit alleges Google and Facebook agreed to team up against antitrust action

The Wall Street Journal reviewed an unredacted record of a lawsuit filed by 10 states against Google last week, alleging that Google and Facebook cut a deal in September 2018 in which Facebook agreed not to compete with Google’s online advertising tools in return for special treatment when it used them. The deal was codenamed Jedi Blue. The lawsuit itself said Google and Facebook were aware that their agreement could trigger antitrust investigations and discussed how to deal with them. Representatives from both companies dismiss allegations of misconduct.

(Wall Street Journal)

Three VPN providers with criminal ties taken down

Law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands seized web domains and server infrastructure of three VPN services that provided a safe haven for cybercriminals to attack their victims. The three services were active at insorg.org, safe-inet.com, and safe-inet.net. They had been active for more than a decade and are believed to be operated by the same individual/group. According to the US Department of Justice and Europol, their servers were often used to mask the real identities of ransomware gangs, web skimmer (Magecart) groups, online phishers, and hackers involved in account takeovers, allowing them to operate from behind a proxy network up to five layers deep.

(ZDNet)

Ripple faces SEC lawsuit over cryptocurrency as unlicensed securities

The lawsuit will name Ripple CEO Brad Garlinghouse and cofounder Chris Larsen as defendants, and if it goes ahead it will follow years of debate between Ripple and the SEC about whether XRP, a digital currency, is a security or a currency. XRP is currently the third most valuable cryptocurrency after Bitcoin and Ethereum, and currently has a market cap of $23 billion. Garlinghouse has suggested that because the incoming Biden administration is seen to be friendlier to the cryptocurrency industry, the action may have a current political component.

(Fortune)

Congress COVID-19 stimulus bill has harsh words for illegal streaming

The US Congress has passed a COVID-19 stimulus bill that includes an anti-piracy proposal that would punish for-profit, illegal streaming services with felony penalties of up to 10 years in jail. Passed by Congress on Monday (December 21), the US$900 billion stimulus package also includes unemployment benefits and $600 stimulus payments. The streaming component includes punishments “if the person knew or should have known that the work was being prepared for commercial public performance,” but will not apply to individuals who access pirated streams or “unwittingly” stream unauthorized copies of copyrighted work.

(NME)

Just 8% of UK firms offer regular security training

New research from cloud services company iomart surveyed 1167 UK workers at C-level, director, manager and employee level. It found that 28% of their employers offer no cybersecurity training for the distributed workforce, while a further 42% do but only to select employees. Of those who were offered training, 82% claimed that it was a short briefing rather than something more comprehensive. Less than a fifth (17%) said they had regular training sessions. 

(InfoSecurity Magazine)

Don’t delete Windows 10 root certificate expiring this month

The Microsoft Root Authority certificate in Microsoft’s Trusted Root Certification Authorities is expiring at the end of this month, and Microsoft warns that removing it could cause problems with the operating system. Microsoft also warns that expired certificates are still used by Windows for backward compatibility and should never be removed. “As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration,” Microsoft stated on a support page.

(Bleeping Computer)

Hey, Alexa, what did I just type?

Your voice assistant can figure out what you are typing on your keyboard or phone, even if the keyboard is virtual. This is according to researchers Almos Zarandy, Ilia Shumailov, and Ross Anderson, in a paper published on the website of the Cryptography and Security department at Cornell University. The paper suggests that the multiple, always-on microphones in voice assistants make it possible for them to identify keystrokes and PIN passwords through triangulation, which the researchers call directional localization.

(Cornell University)