Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.
If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Jason Shockey, CISO, Cenlar FSB.
To get involved you can watch live and participate in the discussion on YouTube Live https://youtube.com/live/--QBs5C8qIs?feature=share or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.
Here are the stories we plan to cover:
Insurers should stop funding ransomware payments, says Neuberger
An opinion piece written by U.S. deputy national security adviser for cyber and emerging technologies, Anne Neuberger and published in the Financial Times called for the practice to end, stating that “some insurance company policies, for example covering reimbursement of ransomware payments, incentivize payment of ransoms that fuel cybercrime ecosystems.” She added that the insurance industry “could play a constructive role by “requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance.” Her message followed the fourth annual International Counter Ransomware Initiative (CRI) summit that was held in in Washington D.C. this past week.
(The Record)
Harvard students create Meta Ray-Ban mod that IDs people in seconds
The creation, built by two students at the school, AnhPhu Nguyen and Caine Ardayfio, potentially allows a wearer of Meta’s new smart glasses to identify anyone they see. Their tool, which they have named I-Xray, uses the glasses to stream video images to Instagram. Faces captured in the images are then sent to a facial recognition app such as PimEyes, which matches images to its publicly available database of faces, names and PII. This provides enough information to cross-reference the data using people-search sites to find addresses and more details – potentially even partial Social Security numbers. All in about a minute. To make this even more intriguing, all the data that I-XRAY pulls itself becomes publicly available, thus creating a potential privacy nightmare for pretty much everyone.
(The Register)
Salt Typhoon attack potentially exposes wiretap data
The Chinese state-sponsored hacking group known as Salt Typhoon has reportedly compromised U.S. broadband providers, including AT&T, Verizon, and Lumen Technologies, through systems used for court-authorized wiretapping. According to sources, the hackers gained access not only to these wiretapping systems but also to general internet traffic flowing through the networks, raising significant national security concerns. The breach is believed to be part of a larger intelligence-gathering campaign by China, potentially compromising sensitive data. The FBI, along with private security analysts are currently investigating the extent of the intrusion and data theft.
(The Wall Street Journal),(Security Week),(The Register),(Dark Reading)
Salt Typhoon and the dangers of backdoors
Yesterday, we covered the compromise of wiretap systems across several US telcos by the China-linked threat actors Salt Typhoon. TechCrunch’s Zack Whittaker published a piece illustrating this as the consequence of including legally required backdoors in communication channels. The 1994 Communications Assistance for Law Enforcement Act, or CALEA requires “communications providers” to provide all necessary assistance to lawful government requests for customer information. In the piece, Georgetown Law professor Matt Blaze described this kind of attack as “inevitable” and said “CALEA should be regarded as a cautionary tale, not a success story, for backdoors.”
(TechCrunch)
White House prioritizes secure internet routing, using memory safe languages
Speaking at a Recorded Future event Wednesday in Washington, D.C., National Cyber Director Harry Coker said that “the White House is focused on securing two foundational aspects of the tech landscape: how information packets are routed across the internet and computer programming languages that can be susceptible to memory-related errors. Specifically he pointed out how the White House is looking at “next steps to secure Border Gateway Protocol, including the adoption of security mechanisms known as Resource Public Key Infrastructure (RPKI), which it plans to have in place in more than 60% of the federal government’s advertised IP space by the end of the year. Coker also spoke of “shifting from languages, like C or C++ to memory-safe ones like Go or Rust.” He identified this as a key priority of the Biden administration and a way to avoid known bugs. This correlates to a Microsoft report from July 2019 that found that more than 70% of the vulnerabilities that are assigned a CVE in any given year are related to memory safety.
(Cyberscoop andMicrosoft)
Cyberattack hits major U.S. water utility
American Water Works, which serves over 14 million people, disclosed a cyberattack that impacted its billing systems, though the company says water and wastewater services remain unaffected. The attack was first detected on October 3, and the company has assured customers that there will be no late fees or service interruptions as they work to restore normal operations. In response to the growing number of threats aimed at the water sector, the EPA announced plans to ramp up security inspections and require the government to provide yearly risk mitigation updates.
(Cyber Scoop),(Bleeping Computer),(American Water Statement)
A look at consumer security behaviors
Consumer Reports published its "Consumer Cyber Readiness Report.” It found that 46% of respondents had personally experienced a cyberattack or digital scam, with 19% losing money. 75% of these scams and attacks came over email, social media, or messaging apps, with phishing being the most common method. On the plus side, 80% of respondents said they use some form of MFA on online accounts. 53% of respondents were confident that their data would not be distributed without their knowledge.
(Dark Reading, CR )