Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Suspected Russian hack extends far beyond SolarWinds software
Investigators say they have found concrete evidence that almost one third of the attack victims had no direct connection to SolarWinds software. The incident demonstrated how attackers could leapfrog from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the ways that software authenticates itself on the Microsoft service. Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in an interview that some victims were compromised before SolarWinds deployed the corrupted Orion software about a year ago. He stated the attackers “gained access to their targets in a variety of ways…it is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
Section 230 emerges as Robinhood’s shield from lawsuits
Robinhood, the online brokerage that raised the ire of amateur investors by restricting trading of GameStop during last week’s market frenzy, is already protected from pending class action lawsuits by its user agreement, but will also find protection in Section 230 of the Communications Decency Act, the same one that became the centerpiece of President Trump’s veto of the 2021 defense spending bill as well as debate over COVID-19 relief payments. Under the act, social media companies are generally not liable for user activity.
Deloitte’s CDC vaccine system comes up short
The US vaccine distribution effort is being severely curtailed by inefficiencies in vaccine distribution and administration software, with the most prominent example being the Centers for Disease Control's new $44 million website called VAMS, the Vaccine Administration Management System. A report published in MIT Technology Review says VAMS has become a curse word in the healthcare sector, due to faulty design, browser incompatibility, randomly canceled appointments, unreliable registration, and problems that lock staff out of the dashboard they're supposed to use to log records. VAMS was built by the consulting firm Deloitte, which obtained a no-bid contract; according to watchdogs, this is because government bidders must demonstrate a long history of federal contracts, which blocks smaller or newer companies that might be a better fit for the task.
Social media oversharing is a security problem
According to a survey by the email security company Tessian, over half of British and American office workers share names and photos of their children on public accounts, with 72% sharing birthdays and 81% sharing employment details. Fewer than half had restricted Facebook profiles, and 32% said they used private Instagram profiles. 42% of respondents said they post content daily. While oversharing might seemingly only annoy your friends, it also provides ample fodder for social engineering attacks: birthdays are commonly used in passwords and other authentication, and employment changes open the door to phishing attacks. (InfoSecurity Magazine)
Thanks to our episode sponsor HID Global
Paying a ransom is not enough
The UK's National Cyber Security Centre published a cautionary tale of how not to handle a ransomware attack. The post details an organization that agreed to pay millions in bitcoin to decrypt its data, but failed to analyse how the cyber criminals had infiltrated the network in the first place. To no one's surprise, the ransomware operators re-deployed their attack using the exact same mechanisms. The NCSC points out that "the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer." It's unclear how many resume-generating events this second attack caused in the organization.
Bad patching leads to more zero-days
"Patch all the things" is a pretty common security credo. But new research from Google's Project Zero team finds that the devil is in the details. The team found that one in four of the zero-day exploits it tracked throughout 2020 could have been avoided "if a more thorough investigation and patching effort were explored." Many of the patches Project Zero looked at didn't address the root cause of the problem, often just blocking the proof-of-concept code provided by security researchers, so attackers were able to change just a line or two of code to create a new exploit.
Canada calls Clearview AI’s facial recognition ‘mass surveillance’
Canada’s privacy commissioners have told Clearview AI to stop offering its facial recognition services in the country, to stop scraping Canadians’ faces off social networking and other public sites, and to trash the images it’s already used to fatten its database. Clearview has already scraped more than three billion photos. Its app is used by over 2,400 law enforcement agencies in the US and by Canadian law enforcement agencies including the national Royal Canadian Mounted Police. Clearview stopped offering the app in Canada last July and says it’s eager to fight the Canadian orders in court.
Amazon pulls Big-Brother move, puts AI cameras in delivery vans
Amazon has begun rolling out always-on, AI-enabled surveillance cameras in its delivery vehicles. The cameras will flag safety infractions, including failure to stop at stop signs, speeding and distracted driving. The cameras, which are from Netradyne, will help the company improve safety in its delivery network, Amazon says. Prior investigations have, in fact, uncovered safety issues and poor working conditions reported by some drivers and former Amazon employees. But drivers are leery about the heightened employee surveillance and a lack of privacy, describing the cameras as “unnerving,” “Big Brother” and “a punishment system.”
Attackers use fake password expiration alerts to phish C-Suite executives
In a separate Office 365 story, security experts from Trend Micro have uncovered an ongoing phishing campaign spreading fake Office 365 password expiration reports to compromise the email accounts of C-Suite executives. Emails carrying the fake Office 365 password expiration reports prompt users to click a "Keep Password" option if they want to continue using the same password. Once clicked, the option leads the user to a phishing page that asks for their login credentials. The campaign has been active since 2019, and ads selling account credentials of CEOs, CFOs, and other C-suite executives are already prevalent in multiple English- and Russian-speaking darknet forums.