Cyber Security Headlines: Meta FTC troubles, CISA urges Covered List, malicious HTML attachments

FTC comes down on Meta monetizing minors

In a release from the US Federal Trade Commission, the agency alleges Meta “repeatedly violated” privacy rules put in place by a 2020 order it entered into with the FTC as part of a settlement. It also alleged violations of the Children’s Online Privacy Protection Act. That 2020 order put in place an independent third-party assessor to evaluate how Meta performed on privacy rules. In a recent report, the assessor found “that the breadth and significance of these deficiencies pose substantial risks to the public.” 

Violations include not cutting off a developer’s app access to a user if they hadn’t used the app in 90 days. The FTC also alleges that Meta misrepresented the controls available to parents in its Messenger Kids product. The FTC proposed completely prohibiting Meta from monetizing the data of anyone under 18 and preventing it from launching or modifying products without an independent privacy assessment. Meta must respond to these allegations within 30 days. 

(TechCrunch)

CISA urges adoption of Covered List

The US Federal Communications Commission maintains the Covered List. This list includes communications equipment and providers that the government believes could pose a risk to national security. It includes a “who’s who” of companies on the US government’s bad side, including Huawei, ZTE, Dahua, and China Unicom. CISA recently urged private companies to account for equipment from these named companies in their risk management plans. The agency also advised all critical infrastructure companies to use its free scanning tool to detect high-risk equipment included in the Covered List.

(InfoSecurity Magazine)

Almost half of HTML attachments found malicious

A new report from Barracuda Networks found that attackers increasingly use malicious HTML attachments in emails. In March 2023, it found 45.7% of scanned HTML files were malicious, compared to 21% in May 2022. Because HTML has plenty of legitimate uses, admins can’t blanket-block these attachments, yet a single HTML file can carry a number of attack methods. Researchers also found that spikes in malicious HTML traffic didn’t seem linked to large-scale campaigns, but rather reflected an increase in unique attacks across the board. 

(CSO Online, Barracuda Networks)
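Since HTML attachments cannot simply be blocked, a common defensive compromise is to triage them before delivery: pull each HTML attachment out of the message and flag the traits that rarely appear in legitimate invoices or reports, such as inline script that decodes a long base64 blob at runtime, or a form that collects a password. The following is an added example from this editor, not code from Barracuda Networks or CSO Online; the rule set, the weights, the review threshold and the three sample attachments are all constructed assumptions, and a real mail gateway would tune them against its own traffic.

```python
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Heuristic rules: (name, pattern, weight). These are the editor's assumptions
# about what deserves analyst review, not any vendor's detection logic.
RULES = [
    ("inline_script", re.compile(r"<script\b", re.I), 1),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    ("runtime_decoding", re.compile(r"\b(?:atob|unescape|String\.fromCharCode)\s*\(", re.I), 2),
    ("blob_download", re.compile(r"\b(?:new\s+Blob|createObjectURL|msSaveOrOpenBlob)\b"), 2),
    ("password_form", re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I), 3),
    ("meta_refresh", re.compile(r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh", re.I), 1),
]

REVIEW_THRESHOLD = 3  # assumed cut-off; a sum at or above this is held for review


@dataclass
class Verdict:
    score: int
    findings: list      # names of the rules that matched, in RULES order
    needs_review: bool


def triage_html(html: str) -> Verdict:
    """Score one HTML document against RULES and decide whether to hold it."""
    findings = [name for name, pattern, _ in RULES if pattern.search(html)]
    score = sum(weight for name, _, weight in RULES if name in findings)
    return Verdict(score, findings, score >= REVIEW_THRESHOLD)


def html_attachments(raw_eml: bytes):
    """Yield (filename, html_text) for every HTML attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            payload = part.get_payload(decode=True) or b""
            yield name, payload.decode("utf-8", errors="replace")


def triage_eml(raw_eml: bytes) -> dict:
    """Map each HTML attachment filename in a message to its Verdict."""
    return {name: triage_html(body) for name, body in html_attachments(raw_eml)}


def build_sample_eml(html: str, filename: str) -> bytes:
    """Construct a test message carrying one HTML attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("See attached.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return msg.as_bytes()


# Constructed samples. The "smuggling" one only decodes the string "ABC" repeated;
# it exists to exercise the rules, not to do anything.
SAMPLE_BENIGN = (
    "<html><body><h1>Invoice 1234</h1>"
    "<table><tr><td>Widget</td><td>$10.00</td></tr></table></body></html>"
)
SAMPLE_SMUGGLING = (
    "<html><body><script>var b='" + "QUJD" * 60 + "';"
    "var d=atob(b);var f=new Blob([d]);var u=URL.createObjectURL(f);"
    "</script></body></html>"
)
SAMPLE_CREDENTIAL_FORM = (
    "<html><head><meta http-equiv=\"refresh\" content=\"30;url=https://example.invalid\"></head>"
    "<body><form method=\"post\" action=\"https://example.invalid/login\">"
    "<input type=\"email\" name=\"u\"><input type=\"password\" name=\"p\"></form></body></html>"
)


if __name__ == "__main__":
    for label, html in [("benign", SAMPLE_BENIGN), ("smuggling", SAMPLE_SMUGGLING),
                        ("credential form", SAMPLE_CREDENTIAL_FORM)]:
        print(label, triage_html(html))
    print(triage_eml(build_sample_eml(SAMPLE_CREDENTIAL_FORM, "invoice.html")))
```

The scoring is deliberately additive rather than a single rule, because the report's point is that the attacks are varied rather than one campaign: a gateway that keys on one signature misses the long tail, while a weighted sum lets a plain invoice through at zero and holds anything that stacks several unusual traits.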

Meta sees a rise in AI scams

The social media company released a report finding that since March 2023 it has discovered ten malware families using themes around generative AI to compromise accounts. Generally these scams offer some sort of access to ChatGPT or another AI tool, but instead install software that steals credentials. Meta warns that personal account takeovers can then lead to compromised business accounts, which often contain credit card information. 

To combat this, Meta introduced new “Meta Work” accounts. Users can set these up without a linked personal account, but still access Facebook’s Business Manager tools. The company also announced a new tool to walk businesses through detecting and removing potential malware from their systems. 

(Engadget, Meta)

And now a word from our sponsor, TrendMicro

Cybersecurity is not just about protection, it’s about foresight, agility, and resilience. 

Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. Trend Micro, the global leader in cybersecurity is bringing the cyber risk conversation to more than 120 cities around the world in their latest “Risk to Resilience World Tour” — The largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to TrendMicro.com/cisoseries.

Google rolls out passkeys

The passwordless future is a little bit closer. Google rolled out support for switching to passkeys on Google accounts. Google will prompt users for a passkey when detecting suspicious activity, and users can request a one-time sign-in when using a different device. Passkeys can be revoked in Google account settings. Google accounts will also support existing password-based logins for the foreseeable future. 

In related news, while not an actual passkey, the password manager Dashlane plans to roll out a new device-based “Passwordless Login” using similar cryptographic keys. The company says it plans to open-source part of the tech for auditing and bug fixing. While Dashlane won’t use a proper passkey for logins, it will support storing passkeys in its vault. 

(Ars Technica, The Verge)

Microsoft plans to offer private ChatGPT servers

Earlier this week, Samsung banned employees from using ChatGPT on company devices, citing concerns about leaking data. This came after it accidentally leaked source code to the AI chatbot. It seems there are quite a few companies that want to use generative AI tech in a more constrained environment, because The Information’s sources say Microsoft plans to offer a version of ChatGPT that will run on private servers. This seems tailored for organizations concerned about data leaks or compliance issues. The report says the service “could cost as much as 10 times what customers currently pay to use the regular version of ChatGPT.” 

(Ars Technica)

Police take down Try2Check 

The dark web service Try2Check came online back in 2005, offering both a market for stolen credit cards and a way to check whether cards remained active. A joint operation with law enforcement in the US, Germany and Austria took down Try2Check this week. Authorities also issued an indictment against Russian citizen Denis Gennadievich Kulkov, suspected of operating the site. He’s suspected of making at least $18 million in cryptocurrency from Try2Check. The US Justice Department offered a $10 million reward for anyone who can provide information leading to Kulkov’s arrest. 

(Bleeping Computer)

Apple deploys Rapid Security Response

Last year at its Worldwide Developer Conference, Apple introduced Rapid Security Responses. The company designed these to offer quicker patching of urgent threats, particularly around WebKit, with much smaller downloads and faster installs than a full iOS or macOS update. Apple released its first such update this week, for iOS 16.4.1 and macOS 13.3.1. Security researchers note the complete lack of details in the release. The update includes no specifics on whether the flaw was under active exploitation, and no CVEs or descriptions. Apple’s press release accompanying the update only states in general terms that the company may release Rapid Security Responses for actively exploited flaws. 

(The Register)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.