Cyber Security Headlines – June 17, 2021

Biden gives Putin a no-hacking list

During a meeting between the two leaders in Geneva, US President Joe Biden said he gave his Russian counterpart a list of 16 critical infrastructure sectors that should not be subject to malicious cyber activity. It’s not clear if these sectors are the same as CISA’s recently published 16 critical infrastructure sectors, which include communications, dams, energy, emergency services, and financial services. Biden also reiterated that Russia had a responsibility to curb malicious cyber activity in the country. The two also agreed to create a task force of cyber security experts to each “work on specific understandings about what’s off limits.”

(CyberScoop)

Facebook’s Oversight Board accepts policy opinion

Facebook’s Oversight Board received and accepted its first policy advisory opinion from Facebook, asking the board for guidance on what should render private information “publicly available,” and therefore shareable by users. Facebook’s current policy forbids sharing “personally identifiable information about yourself or others.” According to the board’s post on the advisory, Facebook “requested the Board’s opinion on sources that are ‘not easily accessible or trustworthy,’ and if and why it should exclude any sources to determine if information has become public.” The board will take public feedback on the policy advisory through July 9th.

(Yahoo News)

Researchers reverse engineer deepfakes

AI researchers from Facebook and Michigan State University created a method to effectively reverse engineer AI-generated imagery, often called deepfakes when applied to existing footage of someone’s face. The method can determine the characteristics of the machine learning model that created an image. Previous research has been able to identify specific known AI models used to generate images, but this new research can identify characteristics of previously unknown models. Since deepfake software is easily customized, this can potentially help Facebook and other social networks identify AI imagery across networks coming from the same source. The reverse engineering is still in the research phase and not production ready.

(The Verge)

Taobao scraped for user data

A Chinese software developer began scraping data from Alibaba’s popular shopping site Taobao in November 2019. Over the course of eight months, the developer collected over 1.1 billion pieces of user information, including user IDs, mobile-phone numbers and customer comments, although it’s unclear how many actual users this impacted. No encrypted data was collected, but phone numbers and usernames were not publicly visible on the site. The developer used the information to target Taobao sellers with promotions. Alibaba informed Chinese police when the incident was discovered, and in a recently published court decision, a Henan district court sentenced the developer and his employer to three years in prison. It’s unclear if Alibaba would face administrative penalties under China’s 2017 cybersecurity law.

(WSJ)

Thanks to our episode sponsor, Keyavi

Worried about being the next ransomware victim, like Colonial Pipeline? Cyber criminals stole gigabytes of data before their first extortion attempt, demanding payment to decrypt Colonial’s information. Despite a multi-million-dollar ransom payment, the pipeline’s stolen data is in the hands of these attackers forever. Head to www.keyavi.com/sessions to learn more about protecting data from extortion attempts.

Peloton flaw opens the door to cyber attacks

McAfee’s Advanced Threat Research discovered a flaw in Peloton bikes and tread devices that would allow an attacker to gain root access to the “tablet” that controls the machine. This could give the attacker access to the device’s mic and camera, let them install malicious apps, intercept data, and more. The bug requires physical access to the USB port on the Peloton, which critically does not verify that the device’s bootloader was unlocked before attempting to boot a custom image. Peloton has released a patch to resolve the issue, and McAfee warns that Peloton equipment in gyms and other public places is most at risk.

(ThreatPost)

Ransomware victims hit again after paying

We’ve seen a number of high-profile ransomware attacks recently where organizations opt to pay a ransom in the hopes of avoiding business and service disruptions. But according to a new study from Cybereason, paying doesn’t guarantee any protection from future attacks. The study found that 80% of organizations that pay ransoms experienced another cyberattack, with 46% of respondents saying they believed the same organization they paid was behind the subsequent attack. The study also found that 46% of the time, data received back after payment was partially or entirely corrupted. Ransomware also led to existential business crises, with about a quarter of organizations having to eliminate jobs or close entirely in the wake of an attack.

(InfoSecurity Magazine)

Android Messages gets end-to-end encryption, mostly

Google updated Messages on Android to now use end-to-end encryption on all one-on-one RCS chats, a feature previously available in beta. Group RCS messages are still not end-to-end encrypted, and messages sent to devices that don’t support RCS will also not be encrypted. If this sounds as confusing as every other Google messaging product, just look for a lock icon on the send button in Android Messages: if you see it, the message is encrypted.

(The Verge)

The cost of ransomware recovery

According to a spreadsheet obtained by a Baltimore TV station, the Baltimore County Public Schools system has spent over $8.1 million recovering from a Ryuk ransomware attack over the past seven months. The line items show that ransomware insurance covered $2 million of these costs, $2 million was spent on “ERP cloud transition and recovery”, and ransomware negotiation services cost $11,500. According to a Sophos report from April, the average cost of recovering from a ransomware attack sits at around $2 million, which has more than doubled over the last year.

(The Register)
Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.