this post was submitted on 05 Oct 2024
The original post: /r/cybersecurity by /u/CISO_Series_Producer on 2024-10-04 14:48:50.

Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.

If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Jonathan Waldrop, CISO, The Weather Company.

To get involved you can watch live and participate in the discussion on YouTube Live https://youtube.com/live/A2vRb64UPxU?feature=share or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.

Here are the stories we plan to cover:

T-Mobile data breaches cost company $31.5 million

In a settlement with the Federal Communications Commission (FCC), T-Mobile has agreed to pay a total of $31.5 million following a series of data breaches over the last few years. The settlement includes $15.75 million in civil fines, and the other half of the money is to be spent on bolstering the company's cybersecurity measures, including adopting zero trust architectures and multi-factor authentication. The breaches, which started in 2021 and involved millions of current, former, and prospective customers, exposed personal details like Social Security numbers, driver's license numbers, and other personal information.

(The Record)

Deepfake scam hits U.S. senate

U.S. Senator Ben Cardin says he was the victim of an elaborate deepfake operation that impersonated a former Ukrainian Foreign Minister. The operation, which nearly duped the high-ranking government official, involved a fake Zoom call with what appeared to be a live audio-video connection, which seemed normal based on previous conversations the senator's office had had with this Ukrainian official. It wasn't until the imposter started asking specific questions, such as demanding an answer on the senator's stance on long-range missiles into Russian territory, that Cardin's staff ended the call, at which point staff confirmed the call was indeed fake. There is currently an open investigation into the situation.

(Dark Reading)

Public records systems riddled with security flaws

Security researcher Jason Parker disclosed dozens of critical vulnerabilities found across 19 commercial platforms for US public records used by courts, government agencies, and law enforcement. Some we’ve already covered on this show, like the Georgia voter registration database with a voter cancellation vulnerability. Other systems allow attackers to elevate user status to administrators, reset passwords, or access admin dashboards. Many required no advanced access, which could be done by anyone registering an account. Parker began researching these systems last year, eventually working with the Electronic Frontier Foundation to contact vendors. All disclosed issues have been fixed, and no signs of active exploitation exist.

(Ars Technica, Medium)

Rackspace breach sparks vendor blame game

Following up on the story we brought to you yesterday on Cyber Security Headlines, after the enterprise cloud host Rackspace was hacked on September 24, a vendor blame game has kicked off. Initially, the Rackspace incident was attributed to a zero-day flaw in ScienceLogic's SL1 monitoring app. However, ScienceLogic is now shifting the blame to an undocumented vulnerability in a different bundled third-party utility. While ScienceLogic declined to identify the responsible third party, the company indicated that, upon identifying the flaw, they "rapidly developed a patch to remediate the incident and have made it available to all customers globally." Attackers were able to pivot from the monitoring software to other internal Rackspace servers to compromise sensitive data of users who have now received breach notices.

(SecurityWeek)

California privacy legislation now includes neural data

The law passed last Saturday, and part of it focuses on human neural data, which is now in danger of being sold and traded by data brokers. The backstory here is about neurobiologist Rafael Yuste, who discovered he could take over the minds of mice by turning on certain neurons in their brains with a laser. This led to an awareness that human neural data could be manipulated and sold in similar ways. As Yuste stated, "If you can decode your mental activity, then you can decode everything that you are — your thoughts, your memories, your imagination, your personality, your emotions, your consciousness, even your unconsciousness." This new law allows people to "request, erase, correct, and limit what neural data companies collect from them."

(The Record)

Sellafield nuclear site fined £330,000 for cybersecurity failings

Updating a story we covered in June, the company managing the Sellafield site, the largest nuclear site in the UK, with the world's largest store of plutonium, pled guilty to three criminal charges over cybersecurity failings and "alleged information technology security offenses" during a four-year period between 2019 and early 2023. "Sector-wide difficulties recruiting suitably qualified staff" led to the failure to carry out annual security checks, despite assuring Britain's Office of Nuclear Regulation it had done so. Sellafield and the British government continue to deny claims by The Guardian newspaper that the site may have been compromised by hacking groups linked to both China and Russia.

(The Record)

Recall redesign: reinforced and removable

Responding to customer reaction to the release of its new AI-powered feature, Microsoft has now announced improvements to Recall, including stronger default protection, the ability for it to be removed, and that it will be an opt-in feature by default. Microsoft's vice president for Enterprise and OS Security, David Weston, revealed on Friday that the revised release will also automatically filter sensitive content and will allow users to exclude specific apps, websites, or private browsing sessions.

(BleepingComputer)

NordVPN begins post-quantum support rollout

The popular VPN provider joined the smattering of companies getting ready for the advent of quantum computing. NordVPN rolled out upgraded protocols that comply with the new NIST standards for post-quantum encryption. This isn’t a full rollout; the post-quantum encryption is only available on its Linux client. The company said it will use data from its Linux rollout “as a stepping stone” to a broader transition but only committed that it will “strive” to bring it to all of its applications. Nord said this feature came in response to an uptick of “harvest now, decrypt later” attacks, even if practical quantum computing isn’t on the horizon yet.

(ZDNet)
