Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
SuperMicro supply chain hack used for counterintelligence for a decade
The California-based computer hardware manufacturer finds itself embroiled in a controversy over alleged Chinese infiltration of its products, which, according to a report by Bloomberg, resulted in Department of Defense data being sent to China, a malware-driven breach at Intel, and numerous other instances of backdoors and malicious startup code reaching US companies. Rather than stop the operation, the FBI reportedly chose to let the manipulated products keep running in order to learn more about China’s capabilities in this area. Neither Supermicro nor any of its employees have been accused of wrongdoing, and China denies the allegations. But the FBI and cybersecurity experts point out how much this story amplifies the penetration risk that exists within global technology supply chains.
Jack Dorsey and Jay Z invest 500 BTC to make Bitcoin ‘internet’s currency’
The duo is putting 500 bitcoin, currently worth about $23.6 million, into an endowment called ₿trust to fund bitcoin development, initially in Africa and India. The mission of the fund is to “make bitcoin the internet’s currency.” Twitter CEO Jack Dorsey has long supported the adoption of cryptocurrency. Square already supports bitcoin and last year acquired about $50 million worth of bitcoin for its corporate treasury, and Twitter is studying the potential use of bitcoin to pay its employees and vendors.
Microsoft estimates thousands of developers touched SolarWinds malware
This comes from Microsoft president Brad Smith, citing the company’s initial analysis of the malware, which put the level of effort needed for the attack at more than 1,000 developers. Smith further said the malware was “the largest and most sophisticated attack the world has ever seen,” comparing the approach and scale to the tactics the Russian government used against Ukraine. (The Register)
Thanks to our episode sponsor, Kenna Security
LastPass will restrict free users to only one type of device starting next month
Starting on March 16, 2021, the popular password manager will restrict its free tier to a single device type, meaning free users will be required to choose between computers and mobile devices. For current free users, the first device type they log in from after March 16 becomes their active type; they will have three chances to switch device types before the choice is locked in. After that, they, and everyone else, will need to sign up for LastPass Premium to use the service on any additional platform. (9to5Google)
Privacy problems with Azure and Canonical
Security analyst Luca Bongiorni found that soon after he spun up an Ubuntu Linux instance on Azure for sandbox testing, he received a LinkedIn message from a Canonical sales rep. Microsoft said it does not share Azure data with third parties, but it does share customer information with Azure Marketplace publishers when customers deploy their products, for technical support rather than marketing. Microsoft further clarified that it shares contact information and transaction specifics with publishers, but not “customer data,” without permission. Canonical says the employee who contacted Luca used a poor choice of words in framing the contact as a sales approach. (ZDNet)
Misconfigured baby monitors allow unauthorized viewing
Potentially hundreds of thousands of live devices are affected by a misconfiguration of the Real-Time Streaming Protocol (RTSP) in which no authentication is required to connect, allowing images of children in their own bedrooms or in daycare centers to be streamed to the internet. According to the SafetyDetectives cybersecurity team, many of the exposed devices are generic IP webcams repackaged as baby monitors. It is vital, they said, to ensure that any video baby monitor or other RTSP device is password protected.