
Cyber Security Headlines – January 26, 2021


Google’s cookie replacement performs well in tests

In tests, the Federated Learning of Cohorts or FLoC API, a proposed replacement for third-party cookies, showed that advertisers can expect to see at least 95% of the conversions per dollar spent on ads, compared to cookie-based advertising. FLoC is a Chrome browser extension right now, which uses machine learning to group people into cohorts of thousands of similar users that advertisers can target, rather than targeting individuals. Google’s “Privacy Sandbox” effort has other third-party cookie alternatives in development, so this may not be its ultimate third-party cookie replacement.

(Axios)

Twitter Birdwatch pilot launches

Birdwatch was previously confirmed by Twitter last year, and is a system that lets users flag and discuss tweets believed to be misleading or false. Birdwatch is a standalone section of Twitter, initially rolling out to a small group of users with accounts tied to real phone numbers and email addresses. Tweets get flagged in Twitter’s main interface, then notes can be added to the Birdwatch section for context. Users can also rate others’ notes to prevent bad-faith usage. Twitter says eventually it wants notes to appear on Tweets themselves for its global audience with Birdwatchers acting as moderators. A sample UI and waitlist are available at birdwatch.twitter.com.

(TechCrunch)

WhatsApp wormable malware found on Android

Security researchers at ESET discovered the malware, which looks like an adware campaign sending links to download a fake Huawei Mobile app. The link takes users to a lookalike Google Play Store to spur a further software download. Once completed, the malware asks users for notification access, which will allow it to spam a user’s WhatsApp contacts with similar links thanks to the app’s quick reply feature that allows replies directly from a notification. The ultimate aim is to have users fall for a subscription scam, but the researchers warn the app asks for permission to draw over other apps and to run in the background, opening the door to other types of exploits down the line. While currently limited to WhatsApp messages, the researchers warn updates could abuse quick reply access to spread to other apps as well.

(Hacker News)

Short sellers allege hacking after a subreddit squeezes a stock

Investors on the subreddit WallStreetBets had propped up the stock of GameStop from $20 on January 11 to $73 on the 15th. This came as more traditional investors, like Citron Research founder Andrew Left, established short positions, effectively betting that the stock would fall back below $20 in the near future, with plans to hold a Twitter livestream explaining why the stock would fall. Later in the week, Left established a second Twitter account, claiming people had tried to hack his primary account, with the same group harassing a minor, ordering pizzas to his home, and signing him up for Tinder in the past 48 hours. Moderators for the subreddit said they were not aware of these activities, “and if they did, it’s not something we condone or promoted.”

(Wired)

And now our sponsor Nucleus Security brings you “The Top 5 Antipatterns in Vulnerability Management”: Antipattern #2: “CVSS prioritization”: CVSS scores are useful, but you need much more than scores to determine what to fix and when to fix it. Business context and vulnerability intelligence are key to prioritizing vulnerabilities in large enterprises. Learn how Nucleus can help with intelligent vulnerability prioritization at nucleussec.com/demo

Scotland’s EPA won’t use public funds on ransomware

The agency has been dealing with the fallout of a ransomware attack that began on December 24th, 2020. Since the attack, the agency confirmed that about 1.2GB of data, roughly 4,000 files including staff and business records, was exfiltrated. SEPA confirmed it will not engage with the attackers, in addition to refusing to pay ransoms with public funds. The investigation is still ongoing, so no details about which ransomware operator was behind the attack have been revealed.

(Security Magazine)

Australian Securities and Investments Commission reports unauthorized server access

The financial services regulator ASIC became aware of the access on January 15th, and said it was “related to Accellion software used by ASIC to transfer files and attachments.” The accessed server contained documents related to Australian credit applications, with the regulator warning that limited information may have been viewed by the threat actor, although there is no current evidence that any files were opened or downloaded. As a precaution, ASIC has disabled the server and is working on an alternative system to submit credit application attachments. This is the second major state server managed by Accellion to be accessed this month, with the Reserve Bank of New Zealand reporting a breach in a third-party file sharing service on January 11th. Both incidents seem to be the result of an exploit in a twenty-year-old File Transfer Appliance, for which Accellion has already issued a patch.

(The Register)

ADT tech hacked customer cameras

A former technician for the home security company ADT admitted to accessing customer home security cameras more than 9,600 times over four years, particularly spying on women. As part of a guilty plea on charges of computer fraud, the technician said he often added his personal email address to customers’ “ADT Pulse” accounts, which provided real-time access to the video feeds from their homes. This was done either without a customer’s knowledge or disclosed to customers as a temporary short-term test of the system. The FBI agents investigating the case recommend that anyone with connected devices regularly check who is listed as an authorized user, and regularly change passwords.

(Security Magazine)

The case for standalone password managers

PCWorld Senior Editor Brad Chacos makes the case that while password managers integrated into modern browsers have come a long way, users would be better off, and more secure, using a discrete third-party solution. He notes that while additions like two-factor authentication and strong password generators have certainly made browser-based solutions a better password manager than nothing, they also lock you into just one browser. This results in either fragmented password vaults across multiple ecosystems, or cumbersome logins to different accounts to access passwords, which is especially kludgy on mobile. Third-party password managers usually have secure tools to share passwords, are built to work at the OS level rather than in one particular app, and are now broadly supported on iOS and Android.

(PCWorld)

Source: https://cisoseries.com/cyber-security-headlines-january-26-2021/

U.S. to work with Big Tech, finance sector on new cybersecurity guidelines

WASHINGTON, Aug 25 (Reuters) – The U.S. government on Wednesday said it would work with industry to hammer out new guidelines to improve the security of the technology supply chain, as President Joe Biden appealed to private sector executives to “raise the bar on cybersecurity.”

At White House meetings with Biden and members of his Cabinet, executives from Big Tech, the finance industry and infrastructure companies said they would do more about the growing threat of cyber attacks to the U.S. economy.

“The federal government can’t meet this challenge alone,” Biden told the masked executives in the East Room, telling them, “You have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”

After the meeting, the White House said the National Institute of Standards and Technology (NIST) would work with industry and other partners on new guidelines for building secure technology and assessing the security of technology, including open source software.

Microsoft (MSFT.O), Google (GOOGL.O), Travelers (TRV.N), and Coalition, a cyber insurance provider, among others, committed to participating in the new NIST-led initiative.

Cybersecurity has risen to the top of the agenda for the Biden administration after a series of high-profile attacks on network management company SolarWinds Corp (SWI.N), the Colonial Pipeline company, meat processing company JBS (JBSS3.SA) and software firm Kaseya. The attacks hurt the United States far beyond just the companies hacked, affecting fuel and food supplies.

“We have a lot of work to do,” Biden said, citing both ransomware attacks and his push to get Russian President Vladimir Putin to hold Russian-based cyber gangs responsible, and the need to fill nearly half a million public and private cybersecurity jobs.

The guest list included Amazon.com Inc (AMZN.O) CEO Andy Jassy, Apple Inc (AAPL.O) CEO Tim Cook, Microsoft CEO Satya Nadella, Google’s parent Alphabet Inc CEO Sundar Pichai and IBM (IBM.N) Chief Executive Arvind Krishna.

After the meeting, Amazon said it would make its cybersecurity training available to the public for free, and it would give multi-factor authentication devices to some cloud computing customers, starting in October.

Microsoft said it will invest $20 billion over five years, a four-fold increase from current rates, to speed up its cyber security work, and make available $150 million in technical services to help federal, state and local governments to help keep their security systems up to date.

IBM said it will train more than 150,000 people in cybersecurity skills over three years and will partner with historically black colleges and universities to create a more diverse cyber workforce.

Google said it was devoting $10 billion to cybersecurity over the next five years, but it was not immediately clear what if any of the figure represented new spending. It also said it would help 100,000 Americans earn industry-recognized digital skills certificates that could lead to high-paying jobs.

Vishaal Hariprasad, CEO of Resilience Cyber Insurance Solutions, told Reuters his company would work with the government on setting clear standards for cybersecurity, and would require policy holders to meet those standards.

“So, if a company is willing to adhere to the minimum standards, they’ll have insurance, and if not, they’ll have to identify those gaps so they can get to that baseline,” he said.

“It’s not just about getting our companies safer, but also ensuring that we’re doing something to address the bad guys.”

Congress is weighing legislation on data breach notification laws and cybersecurity insurance industry regulation, historically viewed as two of the most consequential policy areas within the field.

Executives for energy utility firm Southern Co (SO.N) and JPMorgan Chase & Co (JPM.N) also attended the event.

The event featured top cybersecurity officials from the Biden administration, including National Cybersecurity Director Chris Inglis and Secretary of Homeland Security Alejandro Mayorkas.

Reporting by Andrea Shalal and Christopher Bing; additional reporting by Jeffrey Dastin and Stephen Nellis in San Francisco; Editing by Lisa Shumaker and Grant McCool

Source: https://www.kitco.com/news/2021-08-26/U-S-to-work-with-Big-Tech-finance-sector-on-new-cybersecurity-guidelines.html

HIMSSCast: Cybersecurity, patient experience and public health dominate HIMSS conversation

HIMSS Media editors sat down in Las Vegas to discuss key takeaways from HIMSS21.

This week the HIMSS global conference was back in person after the COVID-19 pandemic sidelined last year’s event. After a week packed with hundreds of educational sessions, scores of vendor demonstrations and new meet and greets, the HIMSS Media editors sat down for a debrief.

Cybersecurity, patient experience and public health were some of the top themes running throughout the conference.

With data breaches and ransomware attacks on the rise, health systems are looking for ways to secure their data from the get-go.

“It needs to be baked in. It can’t be an afterthought, because the stakes are just too high. It’s not just an issue of data breaches anymore. It’s not just an issue of bad press. It is an issue of patient safety, truly,” said Mike Milliard, executive editor of Healthcare IT News.

Speakers also discussed the importance of listening to patients when it comes to innovating new tools.

“What I heard again and again is that healthcare wants to know what the patient wants,” Sue Morse, managing editor of Healthcare Finance News, said. “They don’t want to give them something they don’t want, and they are trying to find out what they want through technology, and reaching them how they want to be reached.”

Discussions of the COVID-19 pandemic ran throughout the show. There were several discussions about the role of digital in public health.

“The pandemic has shown us how hugely important social media, and texting and WhatsApp are to how governments communicate with people, how people communicate with each other,” said Jonah Comstock, editor-in-chief of HIMSS Media.

Talking points:

  • The mood and feel at HIMSS21.
  • New cyberattacks require innovations in cybersecurity.
  • More attention paid to the voice of the patient.
  • Public health infrastructure gaps exposed by the pandemic.
  • More work still needed on interoperability.
  • Incorporating health equity and clinical trial diversity into the conversation.
  • AI/ML in a low-key, but foundational role.
  • Star Trek and the Jetsons as models for healthcare.
  • Some keynote highlights.
  • COVID lessons, positive and negative.
  • The telehealth explosion and its aftermath.

Show notes:

ONC, CDC want to fix the fragmented public health system COVID-19 exposed

HIMSS21 tech news: cloud, analytics and interoperability developments

Updates and lessons learned from AstraZeneca, MGH’s AMAZE platform

Govs. Chris Christie and Terry McAuliffe trade jabs at HIMSS21

COVID-19 shined light on new opportunities for public health on social media

AI is the new paradigm in forecasting infectious disease risk

Former ONC head Rucker: APIs will ‘empower totally new business models’

Rainn Wilson makes us grateful for being number two

DHA director: Information and technology drive effective pandemic response

Source: https://www.healthcareitnews.com/news/himsscast-cybersecurity-patient-experience-and-public-health-dominate-himss-conversation

Cybersecurity CEO recovers stolen electric scooter thanks to Apple AirTags

Cybersecurity CEO Dan Guido, who’s located in Brooklyn, New York, hid two Apple AirTags inside his black electric scooter, concealed with black duct tape, just in case it was stolen. Smart idea!

Dan Guido shows where he hid an Apple AirTag in his electric scooter. (Photo: @dguido via Twitter)

Apple’s AirTag is a small and elegantly designed accessory that helps keep track of and find the items that matter most with Apple’s Find My app. Whether attached to a handbag, keys, backpack, or other items, AirTag taps into the vast, global Find My network and can help locate a lost item, all while keeping location data private and anonymous with end-to-end encryption.

Meara Isenberg for CNET:

Guido works at the New York City-based Trail of Bits, a cybersecurity research and consulting firm that serves clients in the defense, tech, finance and blockchain industries. He chronicled his hunt for the scooter in a series of tweets Monday, sharing both the challenges and successes of his wild journey.

“My scooter was stolen last week,” Guido tweeted. “Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today.”

At the end of his thread, Guido left tips for AirTag users, so they too can be prepared in case someone decides to snatch their Bluetooth-equipped belongings.

Here are a few lessons learned if you’re using Airtags for theft recovery:

1) Use an Airtag adhesive that blends in and muffles noise. It’s clear my thief was looking for them.

2) Do not turn on Lost Mode. It immediately alerts the thief they’re being tracked.

— Dan Guido (@dguido) August 10, 2021

3) Act quickly, before the anti-stalking feature kicks in. Damage done to my handlebars was likely in response to the regular noises from the Airtag.

4) Limit your in-person interactions and always involve the police. Don’t try to retrieve your stolen goods until you have backup.

— Dan Guido (@dguido) August 10, 2021

MacDailyNews Take: Finding a stolen electric scooter is yet another success story for Apple’s AirTags!

Source: https://macdailynews.com/2021/08/12/cybersecurity-ceo-recovers-stolen-electric-scooter-thanks-to-apple-airtags/
