Pitiful password enabled recent water treatment facility hack

The Florida water treatment facility that threat actors tried to poison a week ago had what you might call sewer-level security. According to an advisory published on Wednesday by the state of Massachusetts, unidentified hackers got at the facility’s industrial SCADA system via TeamViewer software installed on one of the plant’s control system computers. Those computers shared the same password for remote access, were exposed to the internet directly with no firewall in place, and were running Microsoft Windows 7, which reached end-of-life as of 13 months ago. 

(The Hacker News, Advisory)

Border patrol scans millions of faces, catches 0 imposters at airports

Last year, the U.S. Customs and Border Protection (CBP) scanned the faces of more than 23 million people in public places. According to a recent report from the CBP, it caught zero imposters traveling through airports. The facial recognition technology, which has been shown to be less accurate in identifying Black people and women, also identified fewer than 100 imposters attempting to cross at land-based border points. This is in keeping with the program’s history: in late 2020, the Government Accountability Office (GAO) lambasted CBP over lackluster accuracy audits, meager signage about the technology being in use, and not telling the public much about how the surveillance program works. 

(Medium: OneZero, CBP report)

India using a glitchy app to inoculate 300 million people by August

A doctor in Hyderabad got a text telling him to show up for a vaccination … but it had somebody else’s name on it. Other doctors were missing messages to get their vaccine. “Just get in line,” the hospital said: if we have a shot and you’re registered, you’ll get it. Because of these malfunctions, India Is turning to a new system linked to biometrics: namely, the country’s controversial 12-digit national ID, which is linked to people’s fingerprints and iris scans. Privacy experts point out that the Co-WIN app lacks a proper privacy policy, and the country lacks a data protection law that would appropriately cover the data it collects.

(MIT Technology Review)

RFK Jr. kicked off Instagram over anti-vaxxer fictions

Robert F. Kennedy Jr., the son of former senator and US Attorney General Robert F. Kennedy, got kicked off of Instagram for repeatedly posting debunked information related to the coronavirus and the COVID vaccine. The prominent anti-vaxxer and political scion had 800,000 followers before Instagram’s parent company, Facebook, yanked the rug out from under him on Wednesday. Although Kennedy has claimed he’s not opposed to safe vaccines, he also regularly endorses discredited links between vaccines and autism and has argued that it’s safer to contract the coronavirus than to be inoculated against it.

(New York Times)

Thanks to our episode sponsor Altitude Networks

Wouldn’t it be great if you could INSTANTLY KNOW if a file containing sensitive information was shared in the wrong way, anywhere in your company AND security had a real time slack notification with a magic “undo button”?! Altitude Networks solves these challenges and protects you from all data leak risks on G Suite and Office 365! Check it out at AltitudeNetworks.com and be sure your sensitive data isn’t shared with the wrong people!

Virginia on the brink of passing brawny data privacy act

Once the governor signs a proposed bill, hefty data privacy legislation will finally arrive on the East Coast of the US. Similar to privacy laws in California, the proposed law will allow Virginians to opt out of data targeting and data sale. And similar to the  EU’s GDPR, state residents will also be able to obtain the data that companies collect about them and have it corrected or deleted. Privacy advocates aren’t completely thrilled with it, given that the bill lacks provisions for suing companies. The bill also underscores an increasing patchwork of data privacy laws in the absense of Federal action from Congress.

(Washington Post)

Source code for ‘Cyberpunk’ & ‘Witcher’ games up for auction

Ransomware attackers who seized source code after attacking video game developer CD Projekt Red (CDPR) are auctioning it on an underground digital market. When the breach was first reported, CDPR said it wouldn’t pay the extortion, even if it led to stolen material being shared, or sold, online. Unfortunately, that’s happening now. Security firm KELA says the code appears legitimate. The starting price is $1 million, with bidding to rise in increments of $500,000 and a buy-it-now price of $7 million. The breach involved critical code related to high-profile game releases like The Witcher 3 and Cyberpunk 2077. 

(The Verge)

KeepChange thwarted theft of Bitcoin, but not exchange’s user data

KeepChange, a Bitcoin exchange portal, said it was hacked over the weekend but that security safeguards stopped the intruders from stealing user funds. “Bitcoin withdrawal requests were initiated from customer accounts to an address belonging to attackers,” the marketplace said in a blog post this week. But although control subsystems stopped fraudulent withdrawal requests of user funds, the attackers did get away with some of the exchange customers’ personal data. That included  names, email addresses, trade counts, total traded amounts, and hashed passwords.

(ZDNet)

Microsoft patches 12-year-old bug that gives hackers admin rights

Microsoft has fixed a privilege escalation vulnerability in Microsoft Defender Antivirus that’s gone undetected for over a decade. The bug enables attackers to gain admin rights on unpatched Windows systems. It affects Defender versions going back as far as 2009, and it affects client and server releases starting with Windows 7 and up. Threat actors with basic user privileges could exploit it locally, as part of low-complexity attacks that don’t require user interaction. The bug also affects Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.

(Bleeping Computer)