Cyber Security Headlines: LockBit hits Italy, Quantum bill heads to Senate, Windows adds brute force defense

LockBit hits Italy 

ANSA reports that authorities are investigating the theft of 78 gigabytes of data from Italy’s tax agency. The LockBit 3.0 ransomware group took credit for the attack on its leak site, saying it obtained 100 gigabytes of documents, scans, and financial reports from the agency, showing screenshots as evidence. According to Palo Alto Networks, LockBit accounted for 46% of all ransomware-related breaches in 2022 through May. 

(CyberScoop)

Quantum cybersecurity bill heads to the Senate

Earlier this month, the bipartisan Quantum Computing Cybersecurity Preparedness Act passed the US House. The bill mandates that the Office of Management and Budget supervise the migration of federal agencies to post-quantum cryptography. OMB would work from NIST’s recommended post-quantum cryptography standards and keep Congress informed of progress, as well as of any new risks and the need for additional funding. The bill now heads to the Senate. It received support from Google, IBM, and other tech companies working in the nascent quantum computing field. 

(Security Week)

Windows adds brute force defense

Microsoft updated the defaults on Windows 11 Insider Preview builds to lock accounts for 10 minutes after 10 failed sign-in attempts. Vice president for OS security David Weston said this is meant to mitigate Remote Desktop Protocol and other brute-force password vectors. Microsoft does warn that this change may result in denial-of-service attacks on open RDP ports. If this setting sounds great to you, you can already use it in Windows 10, it’s just not on by default. 

(The Hacker News)
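The lockout the item describes is the local "account lockout" policy, which Windows 10 already supports. The script below is an added example, not Microsoft's code or anything from the article: it reads the effective policy from `net accounts`, applies the threshold and duration the article quotes (the observation window value is an assumption, chosen to match them), and checks the Remote Desktop enable flag so an administrator sees the RDP denial-of-service trade-off the article mentions before turning lockout on. Run it from an elevated prompt.

```powershell
# Added example (not from the article or from Microsoft): audit and apply the
# local account lockout policy that Windows 11 Insider builds now enable by
# default (10 failed sign-ins -> 10 minute lockout). Requires an elevated shell.

function Get-LocalLockoutPolicy {
    # `net accounts` prints the effective local policy; pull the three lockout lines.
    $policy = [ordered]@{ Threshold = $null; DurationMinutes = $null; WindowMinutes = $null }
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(.+)$') {
            $policy.Threshold = $Matches[1].Trim()            # "Never" means lockout is off
        } elseif ($line -match '^Lockout duration \(minutes\):\s+(.+)$') {
            $policy.DurationMinutes = $Matches[1].Trim()
        } elseif ($line -match '^Lockout observation window \(minutes\):\s+(.+)$') {
            $policy.WindowMinutes = $Matches[1].Trim()
        }
    }
    return [pscustomobject]$policy
}

function Test-RemoteDesktopEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($null -ne $value -and $value -eq 0)
}

function Set-LocalLockoutPolicy {
    param(
        [int]$Threshold = 10,        # failed attempts before lockout (article value)
        [int]$DurationMinutes = 10,  # how long the account stays locked (article value)
        [int]$WindowMinutes = 10     # assumed: counter reset window, must not exceed duration
    )
    # Windows rejects an observation window longer than the lockout duration.
    if ($WindowMinutes -gt $DurationMinutes) {
        throw "Observation window ($WindowMinutes) must be <= lockout duration ($DurationMinutes)."
    }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

# --- usage -------------------------------------------------------------------
Write-Host "Current policy:"; Get-LocalLockoutPolicy | Format-List

if (Test-RemoteDesktopEnabled) {
    # Same trade-off the article quotes from Microsoft: with RDP reachable, an
    # attacker who can send failed logons can lock legitimate accounts out.
    Write-Warning "Remote Desktop is enabled; lockout adds a denial-of-service risk on exposed RDP."
}

Set-LocalLockoutPolicy -Threshold 10 -DurationMinutes 10 -WindowMinutes 10
Write-Host "Policy after change:"; Get-LocalLockoutPolicy | Format-List
```

The same three values are what the Local Security Policy console exposes under Account Lockout Policy; on a domain-joined host the domain Group Policy overrides whatever `net accounts` sets locally.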

Google working on Chrome’s GDPR compliance 

The Dutch Ministry of Education imposed restrictions on the use of Chrome OS and the Chrome browser in schools, over concerns that the way Google stores and processes student data violates GDPR. Schools can still use Chrome, but must implement additional measures to protect student data. In a letter to the Dutch Parliament, the Minister of Education said Google promised a new version of Chrome next year that would resolve GDPR concerns in education. This also comes after the Danish privacy watchdog banned the use of Google Workspace and Chromebooks in the municipality of Elsinore over concerns about data transfer rules. 

(Bleeping Computer)

Thanks to today’s episode sponsor, Snyk

Developers want to code fast and security wants to ship securely. And that’s why they both choose Snyk.
Backed by industry-leading security intelligence, Snyk provides real-time scanning with automated fixes and remediation advice right from the tools and workflows developers use.

Code, dependencies, containers, cloud infrastructure… all of it.

And while developers are building securely, Snyk gives security teams a bird’s eye view of all of their projects, so they can prioritize and focus their efforts in the right places.

Developer tested. Security approved. Start your free Snyk account at snyk.co/cybersecurity.

Google gets closer to acquiring Mandiant

According to a new regulatory filing Mandiant made with the Securities and Exchange Commission, the Department of Justice approved its acquisition by Google and waived the mandatory merger waiting period. This waiver was apparently a condition of the sale. Google announced plans for the acquisition back in March and will put Mandiant under its Google Cloud business unit. At $5.4 billion, the deal marks Google’s second-largest acquisition, behind only its 2011 purchase of Motorola Mobility for $12.5 billion. Mandiant expects the deal to close by the end of 2022. It may be blocked by a shareholder lawsuit filed in April. 

(The Register)

Instant loan scams plague Mexico 

In Mexico, more than a hundred instant loan applications have emerged that exfiltrate data from victims, which is then used by montadeudas, a form of organized crime, for extortion. After the victim requests a loan, the montadeudas demand advance payments. They then use networks like Facebook, Twitter, or WhatsApp to dox the person who requested the loan, as well as their relatives and contacts, publishing media exfiltrated from the victim or even sending edited pornographic photos with the victim’s face. 35 of these applications are available in the Google Play store. The congress of Mexico City has asked local investigators to look into these applications.

(Rest of World)

Uber reaches final settlement on 2016 breach

Uber reached a settlement on a 2016 data breach that impacted 57 million passengers and drivers. As part of the settlement, Uber will not be prosecuted for the incident, and it admits it failed to report the incident to the Federal Trade Commission. Uber will also cooperate with the prosecution of its former security chief, Joseph Sullivan. In September 2018, the company paid $148 million to settle claims with all 50 US states over the incident, and agreed to maintain a comprehensive privacy program for 20 years. We’ll hear more as Sullivan’s case gets underway. 

(Reuters)

T-Mobile looks to settle 2021 data breach

T-Mobile agreed to make $350 million available as a class-action settlement for its 2021 data breach, which leaked data on over 75 million people. According to documents seen by Reuters, 30% of this will go to attorneys’ fees. Impacted individuals will receive about $25. T-Mobile also committed to spending an additional $150 million to upgrade data security. As part of the settlement, T-Mobile does not admit guilt. The settlement still needs court approval, which is expected by the end of the year. 

(Naked Security)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.