Huawei failed to address network security flaws
This comes from the UK’s National Cyber Security Centre (NCSC), which believes Huawei has failed to tackle security flaws in equipment used in the UK’s telecoms networks, despite previous complaints. It also said a vulnerability “of national significance” had happened in 2019 but had been fixed before it could be exploited. The agency said that while some improvements had been made by Huawei, it didn’t have confidence they were sustainable, and the board could only provide “limited assurance that all risks to UK national security” could be mitigated in the long-term.
US Treasury Department warns about fines for ransomware payments
In a new advisory from the department’s Office of Foreign Assets Control, the government warns that victims of ransomware and their representatives could be subject to fines if they transact with organizations currently under sanctions from the US. The government has imposed sanctions on several cyber criminal groups, including the North Korean Lazarus Group, the developers of Cryptolocker, and the Evil Corp Russian criminal syndicate. The FBI has warned ransomware victims not to pay ransoms as they only encourage further attacks. Violation of OFAC regulations and sanctions can result in fines up to $20 million.
H&M fined for GDPR violations
A fine of over 35 million Euros was handed down by the Hamburg Data Protection Authority, regarding excessive use of employee data. The regulator launched an investigation after a 2019 data breach showed how much data the company was collecting on employees. Since 2014, H&M collected data on employees’ holiday experiences, family issues, religious beliefs, and symptoms of illness and diagnoses, with the data accessible by dozens of managers. The investigation found this to be an “intensive encroachment on employees’ civil rights.” This is believed to be the largest GDPR fine levied for how companies handle employee data.
Cryptojacking is a heavily underreported threat in security
Matt Honea makes the case for this in an op-ed at Dark Reading, arguing that while reported cryptomining malware infection rates closely mirror the rise and fall of cryptocurrency prices, the actual scale of the problem is underestimated. He notes that mining malware is incredibly lightweight, elegant, and easily changed, tasked with calculating numbers on a CPU that’s inherently hard to identify by malware scanners. With IoT devices doubling since 2017, the practice can be lucrative for malicious actors by using automation to find exploitable software. And since cryptojacking doesn’t steal data, organizations don’t face regulatory pressure to identify infections. He suggests DNS/IP alerting for known mining pools, temperature baseline monitoring for devices, and identifying mining algorithms at runtime as part of a multipronged approach to detect the malware.
Thanks to this week’s sponsor, ReversingLabs
Small businesses don’t realize the threats of cyberattacks
This comes from a new study by Nationwide, which found that while small businesses account for just under half of cyberattacks, only 37% believe they are at risk, with 33% saying they were not confident they could recover if attacked. Overall 53% of small businesses asked did not offer cybersecurity training to employees. In comparison 70% of middle market companies listed cyberattacks as a concern, with 80% reporting confident that they could recover from an attack.
A new service checks if your email is part of Emotet
The service comes from the Italian cybersecurity company TG Soft and is called Have I Been Emotet. The firm checks emails against a database of outgoing Emotet emails collected between August and September 23rd, 2020, with over 2.1 million email addresses. The tool will break out if your email address was the actual sender of Emotet spam, if it was used as a spoofed address, or if the address was the recipient of malicious emails.
LastPass survey looks at the hurdles of passwordless authentication
The survey received answers from 705 security professionals, and found that 85% said organizations should reduce the number of passwords used on a daily basis, with 95% saying using passwords contributes to threats against an organization. Overall, 72% said end users prefer using passwords due to familiarity, with implementation of passwordless authentication impeded by cost, data storage, and migration time as the top three challenges. 69% of respondents said a better security posture was the main benefit of passwordless authentication.
Malware group defrauds Facebook users for $4 million
The group had been dubbed SilentFade by Facebook’s internal security team. The group primarily operated by infecting users with a Windows trojan, hijacking the users’ browsers, and stealing passwords and browser cookies to access Facebook accounts. The group would then look for any payment method linked to the account, and use it to buy Facebook ads for shady products, while also disabling a users notifications so they wouldn’t be notified when the ads ran. SilentFade was active from late 2018 to February 2019, but Facebook’s investigation traced the group back to 2016, when they operated a malware strain called SuperCPA that targeted Chinese users. SilentFade spread its malware by linking its trojan within legitimate software downloads. Facebook patched a bug that allowed SilentFade to operate and refunded all defrauded users.
Section 230 scrutiny unites the US Senate
The US Senate Commerce Committee voted unanimously to subpoena the CEOs of Facebook, Google and Twitter to answer questions about Section 230 of the US Communications Decency Act, AKA Safe Harbor. It wasn’t without some political wrangling. Ranking Senate Democrat Maria Cantwell of Washington opposed the subpoenas until language about “media domination” and privacy was added to the agenda.