Cyber Security Headlines: FTC anonymization crackdown, TikTok privacy change, gov’t contractor pays $9 million

FTC is cracking down on false claims of anonymizing data

On Tuesday, the FTC warned tech companies against making deceptive data-anonymization claims. The FTC is especially focused on companies collecting user location information and passing it off to third parties. Acting associate director for the commission’s privacy division, Kristin Cohen, said, “Significant research has shown that ‘anonymized’ data can often be re-identified, especially in the context of location data.” The FTC’s warning follows President Biden’s executive order, which urges the FTC to protect the privacy of consumers seeking out reproductive health services. The FTC is prepared to sue offenders, which could result in a US court imposing civil penalties.

(PC Mag)

TikTok halts privacy policy change in Europe

TikTok has paused a controversial privacy policy update in Europe, which was due to be rolled out today, and would have stopped asking for user consent to be tracked for targeted advertising purposes. The Irish Data Protection Commission (DPC) induced TikTok to pause roll-out of the new feature so it could perform further analysis. The move follows Italian regulators raising concerns this week that the planned switch potentially breaches their ePrivacy Directive in addition to GDPR. TikTok said, “We believe that personalised advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.”

(TechCrunch)

Government contractor pays $9 million over whistleblower allegations

Aerojet Rocketdyne, which is a rocket contractor for the likes of the DoD and NASA, has paid a $9 million settlement for misrepresenting its compliance with US government security requirements. Brian Markus, former senior director of cybersecurity at Aerojet, alleged the company lied about its cybersecurity policies to win more contracts, adding that the company experienced data breaches in 2014 and 2015. Markus filed the claim under the DoJ’s False Claims Act Civil Cyber Defense Initiative, launched in October last year. This was the first case in which a former employee attempted to bring action on the government’s behalf for alleged cybersecurity fraud. Under the False Claims Act’s whistleblower provisions, Markus will receive $2.1 million of the settlement.

(Infosecurity Magazine)

Cloud-based crypto mining attacks abuse GitHub and Azure services

Researchers from Trend Micro have detailed how attackers are leveraging GitHub Actions (GHAs) and Azure virtual machines (VMs) to mine cryptocurrency. The researchers highlighted the significant resource consumption costs, which they demonstrated using the Monero miner XMRig: it spiked average system CPU utilization from 13% to 100%. In addition to slowing infrastructure performance, the spike increased electricity costs from $20 up to $130 per month (+600%) for a single cloud instance. These costs quickly multiply for the many organizations that run multiple cloud instances.

(Security Affairs)

Thanks to today’s episode sponsor, Edgescan

Edgescan combines full-stack coverage with integrated reporting and business-level prioritization to deliver a single source of truth for your entire vulnerability management program with zero false positives.

Cyber insurers are seeking new risk assessment models

The 2022 Cyber Insurance Market Trends Report from Panaseer found that cyber insurers lack confidence in their underwriting processes. With respect to their cyber risk evaluation processes, only 44% of insurers said they were very confident, while 46.5% said they were somewhat confident and nearly 10% admitted that they were ‘not that confident.’ Nearly 90% of insurers called for a consistent industry approach to evaluating client cyber risk. US-based insurers indicated that they plan to request more detailed evidence of a client’s security posture over the next two years and that they are also likely to reduce their number of customers.

(Infosecurity Magazine)

You should probably patch that (Wednesday edition)

AWS fixed three long-standing authentication bugs in its IAM Authenticator for Kubernetes that could allow an attacker to escalate privileges within a Kubernetes cluster. AWS issued a fix on June 28th for the bugs, which had been present since October 2017. Customers who do not use the AccessKeyID parameter are not affected.

Meanwhile, Microsoft’s July 2022 Patch Tuesday included fixes for 84 CVEs in various Microsoft products, including an actively exploited zero-day, CVE-2022-22047, an elevation of privilege bug in Windows’ Client/Server Runtime Subsystem (CSRSS).

(The Register and Help Net Security)

Hackers claim they caused a fire at an Iranian factory

A hacking group called Predatory Sparrow said it is behind a cyber attack on an Iranian steel maker two weeks ago that caused a serious fire. To back up its claim, the group released a video that appears to be CCTV footage of the incident, showing factory workers fleeing the plant before a machine starts spewing molten steel and fire. The video ends with people pouring water on the fire with hoses. Predatory Sparrow says this was one of three attacks it carried out against Iranian steel makers on June 27, in response to acts of “aggression” carried out by the Islamic Republic. The group has also started leaking data, including confidential emails, that it claims to have stolen from the companies.

(BBC)

Flaws in ExpressLRS allow drone takeover

Researchers found that an attacker can leverage the high-performance open-source radio control link, called ExpressLRS, to hijack drone receivers. Using only a standard compatible transmitter, an attacker can use a combination of analysis and a brute force attack to discover the identifier. This is due to a security flaw in the ‘binding phrase,’ which is built into the firmware at compile time to bind a transmitter to a receiver. To help counter the weakness, the researchers recommend not sending the UID over the control link, not transmitting sequence-generation data over the air, and upgrading the built-in MD5 hash to a more secure algorithm.

(Security Affairs)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.