Cyber Security Headlines: UK warns of Chinese security threat, Toyota data leak, CISOs at risk of being overworked

UK warns of Chinese global security threat 

On Tuesday, Jeremy Fleming, the director of Britain’s Government Communications Headquarters, gave a rare speech in London, stating that Beijing aims to use an array of existing and emerging technology that could threaten global security and freedom. Fleming noted China’s potential to use tech such as digital currency and satellites to control markets and people, and also to extend surveillance and censorship worldwide. Fleming said, “Without the collective action of like-minded allies, the divergent values of the Chinese state will be exported through technology.” 

(WSJ)

Toyota data leak impacts 300,000 customers

Toyota has warned that nearly 300,000 customers may have had their personal data exposed on GitHub for almost five years. Toyota said that email addresses and customer control numbers were exposed for anyone who has used their T-Connect vehicle network service since July 2017. The leak was caused by a website development contractor who mistakenly uploaded part of T-Connect’s source code to GitHub. Toyota indicated they have found no evidence of the data being accessed by a third party and also confirmed that names, telephone numbers, and credit cards were not exposed.

(Infosecurity Magazine)

CISOs at risk of being overworked

New research from Tessian reveals that 18 percent of UK and US security leaders work over 25 hours extra per week. On average, security leaders are working 16.5 extra hours each week, up from 11 hours in 2021. Additionally, three-quarters of security leaders say they aren’t able to always switch off from work, while 16 percent say they can rarely or never switch off. Size of the organization is a key factor as leaders in orgs with 1,000+ employees are working an average of seven hours more per week than those working at companies with fewer than 100 employees. 

(betanews)

Android leaks traffic even when ‘Always-on VPN’ is enabled

Mullvad VPN has discovered that Android leaks some traffic every time the device connects to a WiFi network, even with “Always-on VPN” features enabled. Data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and also likely NTP traffic. The issue stems from a design choice in the Android operating system to allow special use cases such as identifying captive portals (like hotel WiFi) that must be checked before a user can log in or use split-tunnel features. Android users are likely unaware of the issue due to Android’s inaccurate documentation related to “VPN Lockdown” features. Mullvad has contacted Google, requesting them to add an option to disable connectivity checks.

(Bleeping Computer)

All Windows versions can now block admin brute-force attacks

Microsoft announced Tuesday that IT admins can now configure any Windows system still receiving security updates to automatically block brute force attacks targeting local administrator accounts. David Weston, Microsoft’s VP for Enterprise and OS Security, says that the control will help protect systems from RDP and other brute force password vectors which are commonly leveraged in ransomware attacks among others. Admins can enable this additional defense via the “Allow Administrator account lockout” policy. This policy will be enabled by default on all new machines running Windows 11 22H2.  

(Bleeping Computer)

Critical info being sent through Microsoft Teams 

New research from Hornetsecurity reveals that nearly half of users (45%) send confidential and critical information via Microsoft Teams. 51% of respondents said they often send business-critical documents and data while 48% admitted to sending messages on Teams they should not have. The research highlights the often-overlooked need for backup and security controls on the messaging platform. Hornetsecurity’s CEO Daniel Hofmann said, “Microsoft does not provide robust protection of data shared via Teams – so beyond the cybersecurity vulnerabilities, organizations must ensure information and files shared across the platform are backed up in a secure, responsible way.” 

(Infosecurity Magazine)

You should probably patch that (Patch Tuesday edition)

Yesterday was Microsoft’s October 2022 Patch Tuesday, which featured fixes for an actively exploited Windows zero-day vuln and a total of 84 flaws. Thirteen of the 84 vulnerabilities are classified as ‘Critical’ as they allow privilege elevation, spoofing, or remote code execution. The actively exploited zero-day bug allows for privilege elevation as a result of a flaw in Windows COM+ Event System Service. Unfortunately, Microsoft has not yet released security updates for two actively exploited Microsoft Exchange vulnerabilities dubbed ProxyNotShell, which were spotted in late September by the Vietnamese cybersecurity firm GTSC.

(Bleeping Computer)

iPhones are pocket-dialing 911 from roller coasters

Apple’s iPhone 14, as well as newer Apple Watches, includes a feature that detects the signs and vibrations of a serious car accident and automatically calls 911 if the owner does not respond to a prompt to cancel. The new devices are mistaking the bumps and jerks of roller coaster rides for car wrecks. Since the new model went on sale in September, the Warren County 911 Center in Ohio has received at least six calls from people on rides at Kings Island amusement park, which features a 91 mph thrill ride called Orion. Other alerts were triggered by the 12-storey Joker roller coaster at Six Flags Great America near Chicago, Illinois.

(The Guardian)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.