US government calls for better information sharing in wake of SolarWinds, Exchange attacks
The Biden administration is seeking new methods for earlier detection of sophisticated intrusions such as SolarWinds and the exploitation of the Microsoft Exchange server vulnerabilities. Both were uncovered by private firms, specifically FireEye and Microsoft. Both attacks were staged from servers within the US, placing them out of reach of the National Security Agency’s (NSA’s) powerful detection capabilities, which US law restricts to foreign activity. The proposed initiative is likely to meet substantial opposition, especially among private sector firms, which fear reputational damage and potential data loss from working closely with the government.
Hospitals hide pricing data from search results
Hospitals that have published their previously confidential prices to comply with a new federal rule have also blocked that information from web searches with special code embedded on their websites, according to a Wall Street Journal examination. The information must be disclosed under a federal rule aimed at making the $1 trillion sector more consumer friendly. But hundreds of hospitals have embedded code in their websites to prevent Google and other search engines from displaying pages with the price lists, according to the Journal’s examination of more than 3,100 sites. When confronted, some hospitals claimed the code was a legacy issue and quickly removed it.
New Android zero-day vulnerability is under active attack
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an “improper input validation” issue in Qualcomm’s Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device’s memory. The access vector for the vulnerability is “local,” meaning that exploitation requires local access to the device to deliver malicious code and set off the attack chain.
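The advisory text above describes the flaw only as “improper input validation” that leads to memory corruption when an app requests a huge amount of memory. The following is an added illustration of that vulnerability class, written for this summary; it is not Qualcomm’s driver code and the structures, sizes and function names are made up. It shows the unchecked size arithmetic that such a request can trigger beside a validated version that rejects the request before any allocation is made.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical request an untrusted app hands to a kernel driver.
 * Both fields are attacker-controlled input (constructed for this example). */
struct buf_request {
    uint32_t count;     /* number of elements requested */
    uint32_t elem_size; /* bytes per element requested */
};

/* Illustrative absolute cap on what one request may allocate. */
#define MAX_BUF_BYTES (64u * 1024u * 1024u) /* 64 MiB */

/* Vulnerable pattern: the caller's numbers are trusted as-is.
 * count * elem_size is computed in 32 bits and can wrap, so a "huge"
 * request silently turns into a small allocation that later code, still
 * believing the large size, writes past (memory corruption). */
void *alloc_unchecked(const struct buf_request *req, size_t *out_len)
{
    uint32_t len = req->count * req->elem_size; /* may wrap around */
    *out_len = len;
    return malloc(len);
}

/* Hardened pattern: validate every untrusted value before relying on it.
 * Returns 0 and sets *out_len on success, -1 if the request is rejected. */
int validate_request(const struct buf_request *req, size_t *out_len)
{
    if (req->count == 0 || req->elem_size == 0)
        return -1;                       /* nonsensical request */

    /* Multiply in 64 bits so the product cannot wrap, then apply the cap. */
    uint64_t total = (uint64_t)req->count * (uint64_t)req->elem_size;
    if (total > MAX_BUF_BYTES)
        return -1;                       /* too large: refuse, don't clamp */

    *out_len = (size_t)total;
    return 0;
}

void *alloc_checked(const struct buf_request *req, size_t *out_len)
{
    if (validate_request(req, out_len) != 0)
        return NULL;
    return calloc(1, *out_len);          /* zeroed, exactly the validated size */
}

int main(void)
{
    /* Constructed "huge" request: 0x10001 * 0x10000 = 0x100010000 bytes,
     * which wraps to 0x10000 (64 KiB) in 32-bit arithmetic. */
    struct buf_request huge = { 0x10001u, 0x10000u };
    size_t len = 0;

    void *p = alloc_unchecked(&huge, &len);
    printf("unchecked: allocated %zu bytes for a multi-GiB request\n", len);
    free(p);

    if (alloc_checked(&huge, &len) == NULL)
        printf("checked: request rejected\n");
    return 0;
}
```

The important design point is that the validated version refuses the request outright rather than clamping it: a caller that asked for more than the cap is either buggy or hostile, and clamping would leave the caller and the driver disagreeing about the buffer’s true size, which is exactly the mismatch that produces the out-of-bounds write.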
Ransomwared bank tells customers it lost their SSNs
Flagstar, a bank based in Michigan that was hacked in January of this year, has now revealed that customers, as well as people who never had an account with the bank, had their social security numbers and other personal information stolen. This corrects its initial statement, which said only employees’ information had been stolen. One victim of the breach said he has never been a Flagstar customer, but had taken out a mortgage with a different bank, which then sold it to Flagstar without his consent in 2019.
Thanks to our episode sponsor, Trend Micro
Federal Reserve’s push for digital dollar worries Wall Street
Banks, credit card companies and digital payments processors are nervously watching the Fed’s push to create an electronic alternative to the paper bills Americans carry in their wallets, which some call a digital dollar and others call a Fedcoin. Officials at the Federal Reserve Bank of Boston and the Massachusetts Institute of Technology, which have been developing prototypes for a digital dollar platform, plan to unveil their research in July. This has led financial firms to lobby the Fed and Congress to slow its creation — or at least ensure they’re not cut out.
Critical flaws affecting GE’s Universal Relay pose threat to electric utilities
CISA has warned of critical security shortcomings in GE’s Universal Relay (UR) family of power management devices. These relays provide integrated monitoring and metering, high-speed communications, and simplified power management for the protection of critical assets, from power management devices used by consumers and organizations to the electrical grid itself. “Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition,” the agency said in an advisory published on March 16.
Disgruntled IT admin sent to prison for wiping Microsoft user accounts
Deepanshu Kher was sentenced to two years in prison for breaking into the network of a Carlsbad, California-based consulting firm that had hired him to help with a migration to a Microsoft Office 365 environment. The client was not pleased with Kher’s work, which resulted in him being fired. Three months afterwards, in June 2018, the 32-year-old infiltrated the firm’s servers from outside the US and deleted over 80% of employee Microsoft Office 365 accounts, with over 1,200 out of 1,500 wiped in total. Kher will serve two years behind bars and three years of supervised release, and must also pay $567,084 in damages.
Twitch star develops AI solution to battle phone scammers
Twitch streamer and YouTube star Kitboga has teamed up with software developers to produce an artificial-intelligence-driven app that can interact directly with phone scammers. The tool responds to the scammers’ spoken questions or statements with further questions or comments designed to waste the scammers’ time by keeping them on the line. The tool currently works for periods of up to 30 minutes before the scammers catch on and hang up, but observers suggest this might be a way to finally put an end to the phone scamming practice.