Pitiful password enabled recent water treatment facility hack
The Florida water treatment facility that threat actors tried to poison a week ago had what you might call sewer-level security. According to an advisory published on Wednesday by the state of Massachusetts, unidentified hackers got into the facility’s industrial SCADA system via TeamViewer software installed on one of the plant’s control system computers. Those computers all shared the same password for remote access, were exposed directly to the internet with no firewall in place, and were running Microsoft Windows 7, which reached end of life 13 months ago.
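The three weaknesses in the advisory (one shared remote-access password, remote-access software on internet-facing hosts with no firewall, and an end-of-life OS) are all things an asset inventory can flag before an intruder does. Here is an added example of such a check, written for this page and not taken from the advisory or the plant; the host names, ports, passwords and the mapping of ports to remote-access tools are constructed assumptions, and the Windows 7 end-of-support date is Microsoft's published one.

```python
"""Audit a host inventory for the weaknesses in the water-plant story:
a remote-access password shared across machines, remote-access software on
internet-facing hosts with no firewall, and an end-of-life operating system.
Added example with a constructed inventory; nothing here is real plant data."""
import hashlib
from collections import defaultdict
from datetime import date

# End of extended support (Microsoft lifecycle dates). None = still supported.
OS_END_OF_LIFE = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": None,
}

# Listening ports treated as remote access (assumed mapping for this example).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}


def cred_fingerprint(password: str) -> str:
    """Compare credentials by digest so the audit never needs plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def host(name, os_name, internet_facing, firewall_enabled, open_ports, password):
    return {
        "name": name,
        "os": os_name,
        "internet_facing": internet_facing,
        "firewall_enabled": firewall_enabled,
        "open_ports": set(open_ports),
        "cred": cred_fingerprint(password),
    }


# Constructed inventory modelled on the advisory's description, not real data.
HOSTS = [
    host("scada-hmi-1", "Windows 7", True, False, [5938], "plant2021"),
    host("scada-hmi-2", "Windows 7", True, False, [5938, 3389], "plant2021"),
    host("eng-ws-1", "Windows 10", False, True, [3389], "Wq7!mZ2p"),
]


def months_since(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def audit_hosts(hosts, as_of: str):
    """Return findings as tuples; an empty list means nothing was flagged."""
    today = date.fromisoformat(as_of)
    findings = []

    # 1. The same remote-access credential on more than one host.
    by_cred = defaultdict(list)
    for h in hosts:
        by_cred[h["cred"]].append(h["name"])
    for names in by_cred.values():
        if len(names) > 1:
            findings.append(("shared-credential", tuple(sorted(names))))

    for h in hosts:
        # 2. Remote-access service on an internet-facing host without a firewall.
        if h["internet_facing"] and not h["firewall_enabled"]:
            for port in sorted(h["open_ports"] & set(REMOTE_ACCESS_PORTS)):
                findings.append(
                    ("exposed-remote-access", h["name"], REMOTE_ACCESS_PORTS[port])
                )
        # 3. Operating system past its end-of-support date.
        eol = OS_END_OF_LIFE.get(h["os"])
        if eol is not None and eol <= today:
            findings.append(("eol-os", h["name"], h["os"], months_since(eol, today)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(HOSTS, "2021-02-12"):
        print(finding)
```

Run as of 12 February 2021, the constructed inventory yields six findings: the two HMI hosts share a credential, both expose TeamViewer (and one also RDP) with no firewall, and both run Windows 7, 13 months past end of support. The engineering workstation, which is behind a firewall, not internet-facing and on a supported OS, is not flagged. Real inventories come from your asset database or EDR export rather than a hard-coded list, but the checks are the same.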
Border patrol scans millions of faces, catches 0 imposters at airports
Last year, U.S. Customs and Border Protection (CBP) scanned the faces of more than 23 million people in public places. According to a recent report from the agency, it caught zero imposters traveling through airports. The facial recognition technology, which has been shown to be less accurate at identifying Black people and women, also identified fewer than 100 imposters attempting to cross at land border points. This is in keeping with the program’s history: in late 2020, the Government Accountability Office (GAO) lambasted CBP over lackluster accuracy audits, meager signage about the technology being in use, and telling the public little about how the surveillance program works.
India using a glitchy app to inoculate 300 million people by August
A doctor in Hyderabad got a text telling him to show up for a vaccination … but it had somebody else’s name on it. Other doctors never received the messages telling them to get their vaccine. “Just get in line,” the hospital said: if we have a shot and you’re registered, you’ll get it. Because of these malfunctions, India is turning to a new system linked to biometrics: namely, the country’s controversial 12-digit national ID, which is tied to people’s fingerprints and iris scans. Privacy experts point out that the Co-WIN vaccination app lacks a proper privacy policy, and the country lacks a data protection law that would appropriately cover the data it collects.
RFK Jr. kicked off Instagram over anti-vaxxer fictions
Robert F. Kennedy Jr., the son of former senator and US Attorney General Robert F. Kennedy, was kicked off Instagram for repeatedly posting debunked claims about the coronavirus and the COVID vaccine. The prominent anti-vaxxer and political scion had 800,000 followers before Instagram’s parent company, Facebook, yanked the rug out from under him on Wednesday. Although Kennedy has claimed he’s not opposed to safe vaccines, he also regularly endorses discredited links between vaccines and autism and has argued that it’s safer to contract the coronavirus than to be inoculated against it.
Thanks to our episode sponsor Altitude Networks
Virginia on the brink of passing brawny data privacy act
Once the governor signs the proposed bill, hefty data privacy legislation will finally arrive on the East Coast of the US. Similar to privacy laws in California, the law will allow Virginians to opt out of targeted advertising and the sale of their data. And similar to the EU’s GDPR, state residents will also be able to obtain the data that companies collect about them and have it corrected or deleted. Privacy advocates aren’t completely thrilled with it, given that the bill lacks a private right of action, so individuals can’t sue companies that violate it. The bill also underscores the growing patchwork of state data privacy laws in the absence of federal action from Congress.
Source code for ‘Cyberpunk’ & ‘Witcher’ games up for auction
Ransomware attackers who stole source code from video game developer CD Projekt Red (CDPR) are auctioning it on an underground digital market. When the breach was first reported, CDPR said it wouldn’t pay the extortion, even if that led to the stolen material being shared or sold online. Unfortunately, that’s happening now. Security firm KELA says the code appears legitimate. The starting price is $1 million, with bidding to rise in increments of $500,000 and a buy-it-now price of $7 million. The breach involved critical code for high-profile releases such as The Witcher 3 and Cyberpunk 2077.
KeepChange thwarted theft of Bitcoin, but not exchange’s user data
KeepChange, a Bitcoin exchange, said it was hacked over the weekend but that its security safeguards stopped the intruders from stealing user funds. “Bitcoin withdrawal requests were initiated from customer accounts to an address belonging to attackers,” the exchange said in a blog post this week. But although its controls blocked the fraudulent withdrawal requests, the attackers did get away with some of the exchange’s customer data. That included names, email addresses, trade counts, total traded amounts, and hashed passwords.
(ZDNet)
Microsoft patches 12-year-old bug that gives hackers admin rights
Microsoft has fixed a privilege escalation vulnerability in Microsoft Defender Antivirus that went undetected for over a decade. The bug lets attackers gain admin rights on unpatched Windows systems. It affects Defender versions going back as far as 2009, on client and server releases from Windows 7 onward. Threat actors with basic user privileges could exploit it locally, in low-complexity attacks that don’t require user interaction. The bug also affects Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.