Cyber Security Headlines: Iowa schools closed by cyberattack, TikTok CEO questioned by EU, OIG cracks fed agency passwords

Iowa school district cancels classes due to cyberattack

On Monday, Des Moines Public Schools, which serves 30,000 students, said its operations were affected by “unusual activity on the network.” IT staff, along with outside cybersecurity consultants, investigated the issue as the district cut off access to WiFi and various networked systems. The district was forced to cancel classes Tuesday, and now Wednesday, due to its reliance on technology to support classroom learning and district operations.

(The Record)

TikTok CEO questioned by EU about its data practices

On Tuesday, TikTok’s chief executive Shou Zi Chew was questioned by the European Union’s top antitrust official about recent reports in the US about the company’s aggressive data harvesting and surveillance practices. The meeting focused on how TikTok plans to comply with new obligations introduced by the EU’s Digital Services Act (DSA) and Digital Markets Act (DMA), as well as by GDPR. Chew is scheduled to meet with several other EU officials in the coming days, and TikTok claims the meetings are routine and showcase its cooperation with policymakers.

(The Record)

Government watchdog cracks federal agency’s passwords

The Office of the Inspector General (OIG) has published a scathing rebuke of security practices employed by the Department of the Interior, which manages the country’s federal land, national parks and multi-billion dollar budget. After the department claimed that it would require more than 100 years to recover its passwords using off-the-shelf password cracking software, the OIG used a rig costing just under $15,000 to crack nearly 14,000 employee passwords (16%) within 90 minutes. The OIG also found that some critical systems and user accounts failed to comply with the government’s own two-factor authentication mandate. The report concluded that poor password practices put the department at risk of a breach that could pose a “high probability” of massive disruption to its operations. The Department of the Interior agreed with most of the OIG’s findings and said it’s “committed” to improving its cybersecurity defenses.

(TechCrunch)

GitHub adds features to automate vulnerability code scanning

Hosting service GitHub has added a new feature that automates code scanning of repositories using Python, JavaScript and Ruby. The new feature is now available in the ‘Code security and analysis’ section under the ‘Security’ heading in the ‘Settings’ tab of repositories. The company says, “Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow.” The company also clarified that manual, customized scanning is still possible as an ‘Advanced’ option.

(Infosecurity Magazine)

And now a word from our sponsor, AppOmni 

Can you name all the third-party apps connected to your major SaaS platforms like Salesforce and Microsoft? What about the data these apps can access? After all, one compromised third-party app could put your entire SaaS ecosystem at risk.
With AppOmni, you get visibility to all third party apps and SaaS-to-SaaS connections — including which end users have enabled them, and the level of data access they’ve been granted. Visit AppOmni.com to request a free risk assessment.

‘Trojan Puzzle’ trains AI assistants to suggest malicious code

Researchers have devised a new poisoning attack, dubbed ‘Trojan Puzzle,’ that trains AI models to learn how to reproduce dangerous payloads. The researchers poisoned an AI training data set of nearly 6 GB of Python code, which mimics the datasets that AI models pull right from the Internet. Trojan Puzzle avoids detection by actively hiding part of its malicious payload during the training process. The attack relies on the ML model to substitute random words until it finally suggests the entire attacker-chosen payload code. After running three training epochs on the AI model, researchers were able to obtain a 21% insecure suggestion rate. Given the rise of coding assistants like GitHub’s Copilot and OpenAI’s ChatGPT, AI training exploits could potentially lead to large-scale supply-chain attacks.

(Bleeping Computer)

You should probably patch that (January 2023 Patch Tuesday edition)

Microsoft’s first Patch Tuesday of 2023 includes 97 software fixes, including a zero-day under active exploit. The zero-day flaw (CVE-2023-21674) relates to the Windows Advanced Local Procedure Call (ALPC) component and is being exploited to elevate privileges and escape a browser’s sandbox. While Microsoft fixed the issue, it did not release any info to help defenders hunt for signs of compromise. Microsoft’s January patches also address code execution, denial-of-service and other elevation of privilege flaws in a range of Windows OS and system components.

Tuesday also saw Adobe roll out fixes for 29 security vulnerabilities in a range of products. Most notably, Adobe fixed critical flaws in Adobe Acrobat and Reader that expose Windows and macOS users to code execution attacks.

Video messaging giant Zoom also released patches for vulns in Zoom Rooms that expose Windows and macOS users to privilege escalation attacks.

And finally, researchers warned that a vulnerability in the JsonWebToken open source JavaScript package could be exploited to achieve remote code execution (RCE). JsonWebToken is used in many applications for authentication and authorization, and has more than 9 million weekly downloads. The issue has been addressed with the release of JsonWebToken version 9.0.0.

(SecurityWeek [1][2][3] and Bleeping Computer)
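The practical follow-up to the JsonWebToken item is checking whether any copy of the package in a project, including transitive copies nested under other dependencies, is still below the 9.0.0 release the report names as the fix. The script below is an added example written for this digest, not code from the package maintainers or from SecurityWeek; it reads the `packages` map of a lockfile v2/v3 `package-lock.json` (or the nested `dependencies` tree of a v1 lockfile) and reports every installed path whose version is older than the fixed one. The sample lockfile and the `some-auth-lib` package name are constructed for the demo.

```javascript
// Added example (not from the original digest): flag installed copies of
// jsonwebtoken that are older than the release the report names as the fix.
// Handles lockfile v2/v3 ("packages" keyed by "node_modules/<name>") and
// lockfile v1 (nested "dependencies" tree). Sample data is constructed.

const PACKAGE = 'jsonwebtoken';
const FIXED_VERSION = '9.0.0'; // version that addressed the issue, per the report

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing a to b by major, then minor, then patch.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Return every installed path of `name` whose version is below `fixed`.
// Nested copies (node_modules/x/node_modules/<name>) are reported too: a
// transitive copy is just as reachable at runtime as a direct dependency.
function findVulnerable(lockfile, name, fixed) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, info] of Object.entries(lockfile.packages)) {
      const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (isTarget && compareSemver(info.version, fixed) < 0) {
        hits.push({ path, version: info.version });
      }
    }
    return hits;
  }
  // Lockfile v1: walk the nested dependency tree instead.
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name && compareSemver(info.version, fixed) < 0) {
        hits.push({ path, version: info.version });
      }
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return hits;
}

// Constructed sample lockfile: the direct dependency is already on the fixed
// release, but a transitive copy pulled in by another package is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jsonwebtoken': { version: '9.0.0' },
    'node_modules/some-auth-lib': { version: '2.1.0' },
    'node_modules/some-auth-lib/node_modules/jsonwebtoken': { version: '8.5.1' },
  },
};

// To run against a real project, replace sampleLock with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const findings = findVulnerable(sampleLock, PACKAGE, FIXED_VERSION);
for (const f of findings) {
  console.log(`${f.path} is ${f.version}, below fixed ${FIXED_VERSION}`);
}
```

The nested-copy case is the one that a quick `npm ls jsonwebtoken` glance tends to miss: the top-level entry can already be patched while an older copy remains reachable through another dependency.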

Digital license platemaker exploited to track equipped cars

Researchers have figured out a way to reverse engineer California’s new digital E Ink license plates. The E Ink plates, produced by Reviver, were designed to help owners track down stolen vehicles. However, the researchers discovered an editable JSON object that allowed them to add sub-users to accounts. Further, they were able to leverage flaws in Reviver’s password reset site to administer vehicles, fleets, and user accounts and eventually gain admin privileges. Reviver plates are also currently street legal in Arizona, Michigan, and Texas with several other states conducting a pilot.

(The Register)
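The Reviver finding, a client-editable JSON object through which sub-users could be added to accounts, is the classic shape of a server trusting whatever fields arrive in an update request. As an added example that is not Reviver's code (the account shape, field names and roles are all assumptions made for illustration), the handler below merges only an allowlist of fields from a client-supplied patch, drops everything else rather than merging it, and requires the owner role before the sub-user list can change. Sample data is constructed.

```javascript
// Added example (not Reviver's code; account shape, field names and roles are
// assumptions for illustration): apply a client-supplied JSON patch to an
// account using an allowlist and server-side authorization checks.

const EDITABLE_BY_ANY_MEMBER = new Set(['displayName', 'notificationEmail']);
const EDITABLE_BY_OWNER = new Set(['subUsers']);

class AuthorizationError extends Error {}

// Sub-user entries are rebuilt server-side; the client cannot choose roles.
function validateSubUsers(list) {
  if (!Array.isArray(list)) throw new TypeError('subUsers must be an array');
  return list.map((u) => {
    if (!u || typeof u.email !== 'string' || !u.email.includes('@')) {
      throw new TypeError('invalid sub-user email');
    }
    return { email: u.email, role: 'member' };
  });
}

// Returns a new account object plus the list of fields that were ignored.
// The original account is never mutated.
function applyAccountPatch(account, actor, patch) {
  if (!patch || typeof patch !== 'object' || Array.isArray(patch)) {
    throw new TypeError('patch must be a JSON object');
  }
  const isMember = actor.accountId === account.id;
  const isOwner = isMember && actor.role === 'owner';
  if (!isMember) throw new AuthorizationError('actor does not belong to this account');

  const updated = { ...account, subUsers: [...account.subUsers] };
  const rejected = [];
  for (const [field, value] of Object.entries(patch)) {
    if (EDITABLE_BY_ANY_MEMBER.has(field)) {
      updated[field] = String(value);
    } else if (EDITABLE_BY_OWNER.has(field)) {
      if (!isOwner) throw new AuthorizationError(`only the owner may change ${field}`);
      updated.subUsers = validateSubUsers(value);
    } else {
      // Unknown or privileged fields (id, role, fleet membership, ...) are
      // dropped, never merged, so naming them in the request changes nothing.
      rejected.push(field);
    }
  }
  return { account: updated, rejected };
}

// Constructed sample data.
const sampleAccount = {
  id: 'acct-1',
  displayName: 'Fleet A',
  notificationEmail: 'ops@example.com',
  subUsers: [],
};
const memberActor = { accountId: 'acct-1', role: 'member' };
const ownerActor = { accountId: 'acct-1', role: 'owner' };

// A member trying to add sub-users is refused; an owner succeeds, and any
// role the client supplied for the new sub-user is replaced server-side.
try {
  applyAccountPatch(sampleAccount, memberActor, { subUsers: [{ email: 'new@example.com' }] });
} catch (e) {
  console.log('member rejected:', e.message);
}
const result = applyAccountPatch(sampleAccount, ownerActor, {
  displayName: 'Fleet B',
  id: 'acct-2',
  subUsers: [{ email: 'new@example.com', role: 'owner' }],
});
console.log(result.account.subUsers, 'ignored fields:', result.rejected);
```

The two decisions that matter are that authorization is evaluated against the server's own record of the actor's role, not anything in the request body, and that the merge is an allowlist: a field the server did not anticipate is reported and discarded instead of landing on the stored object.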

Dating apps to offer in-app tips on avoiding romance scams

Match Group, the parent company to dating apps Tinder, Hinge, Match, Plenty of Fish, Meetic and OurTime, announced Tuesday that it will introduce in-app messages and email notifications to give users tips on how to prevent being scammed online. Suggestions include how to verify profile pictures, video chatting with matches before meeting in person and learning how to recognize other scammer red flags. The awareness campaign will run through the end of January in more than 15 countries. Match Group plans to continue pushing reminders to users periodically. In 2021, the FTC reported that consumers lost a staggering $547 million due to romance scams.

(TechCrunch)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.