This week’s Cyber Security Headlines – Week in Review, June 21-25, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Ira Winkler, CISO, Skyline Technology Solutions and author of You Can Stop Stupid, (available at Amazon and other retailers)

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Antivirus pioneer John McAfee found dead in Spanish prison

John McAfee, the creator of McAfee antivirus software, was found dead in his jail cell near Barcelona in an apparent suicide Wednesday, hours after a Spanish court approved his extradition to the United States to face tax charges punishable by decades in prison, authorities said. The eccentric cryptocurrency promoter and tax opponent whose history of legal troubles spanned from Tennessee to Central America to the Caribbean was discovered at the Brians 2 penitentiary in northeastern Spain. Security personnel tried to revive him, but the jail’s medical team finally certified his death, a statement from the regional Catalan government said.

(AP)

Chris Inglis confirmed as first national cyber director

Inglis will be tasked with making sure all the federal agencies operate from a coherent cyber policy. Introducing Inglis at his confirmation hearing last week, Maine Senator Angus King called the national cyber director and the head of the CISA “the equivalent of the Secretary of Defense and the head of the Joint Chiefs of Staff.” One key challenge for Inglis will be defining the role of his office in practice. There are a growing number of agencies with offensive and defensive interests in cyberspace.

(SCMagazine)

New iPhone bug can permanently break WiFi simply by connecting to a rogue hotspot

Researcher Carl Schou discovered the vulnerability when connecting to his own personal WiFi whose ID included a percent sign (%) as every second character. On connecting, his iPhone’s WiFi would then be disabled, and only a full reset of its network settings allowed restoration. Schou and other Independent security researchers speculate that the flaw could be caused by a parsing issue in the Wi-Fi settings in which Apple iOS misinterprets the letters following the percent sign as string-format specifiers instead of considering it as part of the name of the specific hotspot. This kind of bug, he says, could have a severe impact in a real attack scenario that sees a threat actor setting up an open rogue WiFi hotspot in a crowded area such as a hotel hall or a station.

(Security Affairs)

Thanks to our episode sponsor, RevCult

On average, 18% of all your Salesforce data fields are highly sensitive and 89% of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment at RevCult.com to understand your Salesforce security weaknesses.

Bay Area water treatment plant targeted in cyber attack

In February, a malicious actor attempted to raise the levels of lye allowed at a Oldsmar, Florida water plant to toxic levels. Now NBC News reports that earlier in the year, on January 15th, another threat actor attempted to impact the water being processed at a San Francisco Bay Area water treatment plant. The system was accessed through a former employee’s TeamViewer account credentials, and used to delete a program used to treat drinking water. The access was detected the next day, with the program restored. No one reported being sick from the incident and according to the Northern California Regional Intelligence Center, tampering with the program would not have resulted in poisoning the water. 

(Silicon Angle)

Ransomware payments might be tax deductible 

According to tax experts interviewed by the Associated Press, ransomware payments made directly by an organization could be tax deductible, as funds lost through more traditional crimes of robbery and embezzlement meet the criteria of being “ordinary and necessary” to be deductible. Payments made by ransomware insurance would not be deductible. The IRS has issued no formal guidance on ransomware payments, although the US FBI and other law enforcement agencies have issued guidance urging organizations not to meet ransomware demands.

(AP News)

Six Flags to pay $36m over collection of fingerprints

The theme park operator has agreed to settle a class-action lawsuit over its acquisition of the fingerprint data of visitors to its theme parks. The Illinois Supreme Court ruled in a recent case that collecting biometric data at premises’ gates by scanning fingerprints of people who enter the company’s theme park violates Illinois Biometric Information Privacy Act (BIPA). The court’s decision sets a precedent for how the BIPA can be used legally in the future, clearly setting limits on companies’ collection of biometric data and seeming to side in favor of private citizens’ rights.

(ThreatPost)

SASE: 64% of businesses are adopting or plan to adopt in the next year

Global research commissioned by Versa Networks examining the adoption of Secure Access Service Edge (SASE) by businesses during the lockdown revealed that the adoption of SASE has skyrocketed during the pandemic. The technology, which involves the convergence of networking and security services like CASB, (Cloud access security broker), FWaaS (Firewall as-a-service) and Zero Trust into a single cloud-native service model is being used increasingly to improve the security of devices and applications used by remote users.

(Security Magazine)

(WIRED)