Microsoft source code accessed by SolarWinds attackers

As part of its ongoing investigation into the SolarWinds supply chain attack, Microsoft discovered  its systems were infiltrated “beyond just the presence of malicious SolarWinds code,” with the attackers able to view source code in a number of repositories. While able to view the code, the attackers did not gain permission to modify any code or systems. The company said it did not see any production systems or customer data accessed, or found any indication its systems were used to attack other organizations. 

(ZDNet)

Slack suffers massive outage

Looks like Slack had a case of the Mondays, because the team messaging service was down for several hours on January 4th. Users began reporting issues around 10AM Eastern, with Slack acknowledging the issue on its support page at 10:14AM, saying there were issues connecting to the service and messaging, before classifying it as a full blown outage at 11:20AM. By 1PM Slack Support advised that users should be able to reconnect with degraded performance, but that calendar integrations and email notifications for DMs were still having issues. Slack did not specify the reason for the outage. 

(The Verge)

UK judge denies Assange extradition to US

The judge ruled that WikiLeaks founder Julian Assange cannot be extradited to the United States to face trial on charges of violating the Espionage Act. The judge ruled that extradition would be “unjust and oppressive,” citing Assange’s mental health would put him at extreme risk of suicide if extradited to the US. The judge rejected Assange’s defense that the charges were an attack on press freedom, saying that the US brought the case in “good faith.” In 2019, Assange was charged with 17 counts of violating the Espionage Act resulting from the publication of documents provided by former U.S. Army intelligence analyst Chelsea Manning. 

(New York Times)

Singapore police can use contact tracing data in criminal investigations

Singapore’s Minister of State for Home Affairs, Desmond Tan, confirmed that law enforcement can use data from the country’s TraceTogether contact tracing app and wearable token as part of the country’s Criminal Procedure Code. When the app and token were introduced, the government said data would never be accessed unless there was a positive test, insisted the token was not a tracking device, and that all data would be encrypted for 25 days before being automatically deleted. Tan also said that misuse of contact tracing data by unauthorized users was still subject to fines and up to two years in jail.

(ZDNet)

Thanks to our episode sponsor, Omada

Well-tested process frameworks are great starting points. No need to reinvent. Just tweak processes that have already proven effective such as automating identity management, access requests, cross-application segregation of duties, and least privilege access. Head over to omada.net to see how Omada can help you get two steps ahead with your identity management.

Apple’s privacy labels shows what metadata WhatsApp gathers

Zak Doffman at Forbes took a look at the new iOS privacy labels for the popular messaging services WhatsApp, Facebook Messenger, iMessage, and Signal to look at what metadata was collected by each app. In terms of data collected that’s linked back to a user, Signal collected none while iMessage gathered email, phone number and device ID. WhatsApp gathered considerably more, including Coarse Location, Contacts, Device Analytics, Product Interaction, and Advertising Data. Unsurprisingly Facebook Messenger gathers the most information including a suite of info for third-party advertising, Precise Location, Health and Fitness Data, Browsing History, Sensitive Info, and User Content. 

(Forbes)

Italian court rules against “discriminatory” algorithm

A Bologna court ruled that a reputational-ranking algorithm used by the food delivery platform Deliveroo violated local labor laws and discriminated against couriers. The algorithm was found in violation because it did not differentiate between legally protected reasons for withholding labor, like being sick or striking, from unprotected reasons when selecting couriers for gigs. The court ordered a fine of €50,000 for each impacted worker. Deliveroo said it no longer is using the algorithm and disputes the court’s ruling, as it presented no real world instances of discrimination, rather hypotheticals at trial.

(TechCrunch)

Netwrix and Stealthbits announce merger

Terms of the deal were not disclosed. The merged company will continue to operate under the Netwrix name, and maintain the same executive leadership. In the press release announcing the merger, Stealthbits said the new company would help its customers avoid fragmented cybersecurity deployments, combining Stealthbits credential and data security solutions with Netwrix’s security monitoring, prevention, and recovery portfolio. 

(InfoSecurity Magazine)

APTs getting in on ransomware now

Security researchers from Profero and Security Joes found evidence that APT27, which usually operates cyber espionage campaigns, was behind a recent set of ransomware incidents involving online gambling companies. The researchers found the attackers breached the targets through a third-party service provider, which in turn was compromised by another third-party service provider. These attacks showed malware samples linked back to the DRBControl campaign orchestrated by APT27 and another hacking group, Winnti. The researchers said both the malware and tactics used were hallmarks of APT27. This isn’t the first time the group has been linked to ransomware attacks seemingly for financial gain. Positive Technologies attributed a Polar ransomware attack to the group in April 2020.  

(Bleeping Computer)