This week’s Cyber Security Headlines – Week in Review, May 31- Jun 4, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Bryan Zimmer, Head of Security, Humu

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Lawsuit reveals Google made it nearly impossible for users to keep their locations private

Newly unredacted documents in a lawsuit against Google reveal that the company’s own executives and engineers knew just how difficult the company had made it for smartphone users to keep their location data private. Google continued collecting location data even when users turned off various location-sharing settings, and even pressured LG and other phone makers into hiding these settings. The documents are part of a lawsuit brought against Google by the Arizona Attorney General’s office last year.

(Business Insider)

US soldiers expose nuclear weapons secrets via flashcard apps

Flashcard learning apps used by US soldiers tasked with the custody of nuclear weapons in Europe have inadvertently revealed not just the bases, but even the exact shelters with “hot” vaults that likely contain nuclear weapons, as well as intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened, and the unique identifiers that a restricted-area badge needs to have. Some of these have been findable since 2013. All were taken down after the researchers at Bellingcat contacted NATO and the US military.

(Bellingcat)

Have I Been Pwned goes open source

Security researcher Troy Hunt announced that the popular breach database service is now open source, with code hosted on GitHub. Hunt initially announced his intention to make the service’s code open source in August 2020. The non-profit .NET Foundation assisted in moving the site to an open source model. Hunt also announced Have I Been Pwned will receive compromised passwords discovered during investigations from the US FBI.

(Troy Hunt)

Cyberattack forces meat producer to shut down operations in U.S., Australia – Russia suspected

Global food distributor JBS Foods suffered a cyberattack over the weekend that disrupted several servers supporting IT systems and could affect the supply chain for some time. Attackers targeted several servers supporting the North American and Australian IT systems of JBS Foods on Sunday, according to a statement by JBS USA. JBS is a global provider of beef, chicken, and pork with 245,000 employees operating on several continents and serving brands such as Country Pride, Swift, Certified Angus Beef, Clear River Farms and Pilgrim’s. JBS notified the White House that the ransom demand came from a criminal organization likely based in Russia. The White House is engaging directly with the Russian government on this matter.

(ThreatPost and The Guardian)

Thanks to our episode sponsor, ReversingLabs

Recent supply chain attacks and executive orders have left thousands scrambling for guidance. Join ReversingLabs as they take their exclusive supply chain roadshow to your local region virtually. Hear from app sec specialists and security execs as they discuss lessons learned and innovative approaches that will move your supply chain security and compliance program forward. For more information, visit reversinglabs.com.

LinkedIn data shows Austin is biggest winner in tech migration

The Texas capital captured a net inflow of 217 software and information technology company workers per 10,000 existing ones, according to data from May 2020 to April 2021 provided by LinkedIn. That’s the best net migration rate among 35 metropolitan areas with gross tech migration of at least 2,000 LinkedIn users in the past 12 months. There’s no telling whether this will last, with many tech companies eyeing large scale return to the office policies, but for now, Austin, Nashville, Charlotte, Jacksonville and Denver are proving the most attractive places to work.

(Bloomberg)

The back-to-work spearphishing campaigns have begun

Researchers from Cofense Phishing Defense Center (PDC) have uncovered a phishing campaign aimed at gathering login credentials from employees by posing as the Chief Information Officer (CIO). The messages pretend to provide information about changes the company is making to business operations in response to the COVID-19 pandemic. The emails were crafted to steal company and personal credentials: they include a link to a fake Microsoft SharePoint page with two documents that supposedly outline the new business operations. Upon clicking on the documents, victims are shown a login panel that prompts them to provide credentials to access the files. There will likely be many more stories like this in the coming weeks.

(Security Affairs)

DJI drones are good enough for government work

According to a Pentagon report summary seen by The Hill, two DJI drones built for government use have been cleared for use by the Pentagon, with an audit finding “no malicious code or intent.” In January 2020, the Interior Department grounded its fleet of over 500 DJI drones over security concerns that drones were sharing data with the Chinese government. A prior analysis by Booz Allen Hamilton last year found no evidence of data transfers.

(The Hill)

Norton 360 antivirus now lets you mine crypto because reasons

In a noble effort to somehow make its antivirus solution even more of a resource hog, Norton will roll out a Norton Crypto feature to Norton 360 users enrolled in its early adopter program. When activated, Norton Crypto will use the host machine’s GPU to mine Ethereum, which will be stored in a cloud-hosted Norton wallet. It’s not clear whether this mining will be done individually or as part of a larger Norton pool, although if it is part of a pool, Norton could potentially open a new revenue stream through management fees. Norton said that since cryptojacking software and other miners are often flagged by antivirus products, this feature will let users participate in the crypto economy without sacrificing security.

(Bleeping Computer)