Customer contact info stolen from MongoDB, more stringent American cyber attack reporting rules start today.
Welcome to Cyber Security Today. It’s Monday, December 18th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
This is a notable day if you’re a publicly traded company in the U.S. Most companies now have to file a notice of a data breach to the Securities and Exchange Commission within four business days of determining the attack may have a material impact on the company. Smaller companies have to start filing next June 15th. Firms can ask the FBI for a delay in filing if disclosure poses a substantial risk to national security or public safety.
Companies that operate in Utah should note that the state’s new data privacy law comes into effect on December 31st. The law requires businesses to implement data security practices to protect users’ confidentiality. It gives consumers the right to tell firms to stop using their data in advertising. It’s also the first U.S. state to give social media privacy rights to children. Utah is the fourth state to enact a comprehensive consumer data protection law.
Meanwhile, in California, browser makers like Google, Microsoft and Apple, and firms that do business online, may see their personal data collection limited. The California Privacy Protection Agency has voted to ask the legislature for a new law. It would require browser vendors to give California residents the ability to forbid any business from selling or sharing the personal data they collect. That’s right: instead of having to find an option on every website a user goes to, every browser would have a button or setting to check that limits personal data collection by anyone. Any firm the user connects to by a browser would have to obey the opt-out preference. That opt-out data collection option for firms came into effect under California’s new Consumer Privacy Act. However, so far only a limited number of browsers, including Firefox, DuckDuckGo and Brave, have a browser opt-out preference. The proposed new law would broaden that.
Administrators who oversee a MongoDB database are being warned to watch for signs of attack. This comes after the developer last week spotted unauthorized access to MongoDB’s corporate IT systems. What the hacker might have seen is customer account metadata and related contact information. The access had been going on for some time. So far there’s no evidence that any customer data stored in the Atlas developer platform has been copied. However, to be on the safe side, users and administrators should watch for social engineering and phishing attacks that may appear to come from MongoDB. If they haven’t done so by now, administrators should activate phishing-resistant multifactor authentication.
The PyPI website for publishing open-source Python projects continues to be abused by threat actors. The latest example comes from security researchers at ESET, who recently discovered 116 malicious packages with malware aimed at Windows and Linux systems. The final payload is data-stealing malware. I’ve said this several times before: Developers have to be careful before downloading anything from open-source project repositories like PyPI, NPM, GitHub and others. Often malicious projects have similar names to legitimate packages to fool victims.
The U.S. Cybersecurity and Infrastructure Security Agency has again urged hardware and software manufacturers to stop putting default passwords in their products. This comes after recent warnings that an Iranian-backed group is compromising critical infrastructure providers by learning of devices with default passwords on IT networks. Any default password that can be found in an instruction manual is gold for a threat actor. Stupid default passwords like ‘1234’, ‘default’ and ‘password’ are the first thing attackers will try even if they haven’t seen a manual. What makes things worse is if the product is used in operational technology networks in utilities or manufacturing plants. Hoping IT or OT administrators will change default passwords when a new product is installed isn’t working. Only action by product manufacturers will solve this problem.
Including a software bill of materials in applications is a smart way of helping IT managers understand what’s in their software and whether components — particularly open-source modules — need to be updated. Components like, for example, Apache Log4j. As I reported last week, North Korea’s Lazarus group is hunting for and finding applications whose Log4j components haven’t been patched. But how do you create a software bill of materials? Well, last week guidance on how to do that was released by the U.S. National Security Agency. It’s not only developers that need to create a list of what’s inside their applications. Software buyers should pressure their vendors to do it. Knowing what’s in the applications you use helps mitigate cyber risk.
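As an added example, not code from the podcast or from the NSA guidance, here is how an IT manager could act on a software bill of materials once they have one: a Python script that walks a constructed CycloneDX JSON SBOM, including nested components, and flags Log4j components below a minimum version. The CycloneDX field names are real; the sample SBOM and the 2.17.1 version floor are assumptions for the example.

```python
import json

# Constructed sample CycloneDX 1.5 SBOM (not from the page or any real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2"},
        {"type": "application", "name": "nested-app", "version": "1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.12.0"}]},
    ],
})

# Assumed minimum acceptable version for the component we care about; the page
# names Log4j but no version, so this floor is a policy input, not a stated fact.
MIN_VERSIONS = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric pieces sort as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def walk_components(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))

def find_outdated(sbom_json, min_versions=MIN_VERSIONS):
    """Return (group, name, version, required) for each tracked component below its floor."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in walk_components(bom.get("components", [])):
        key = (comp.get("group", ""), comp.get("name", ""))
        required = min_versions.get(key)
        if required and parse_version(comp.get("version", "0")) < parse_version(required):
            findings.append((key[0], key[1], comp["version"], required))
    return findings

if __name__ == "__main__":
    for group, name, version, required in find_outdated(SAMPLE_SBOM):
        print(f"{group}:{name} {version} is below {required}")
```

The nested component is the case that matters in practice: a vendor's SBOM often lists an embedded application whose own libraries only show up one level down.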
Finally, someone is stocking YouTube with pro-China and anti-U.S. propaganda videos. That’s according to the Australian Strategic Policy Institute. In a paper the institute says the videos have attracted an unusually large audience with themes such as how China is trying to win what video narrators say is the ‘U.S.-China technology war.’ Those narrators are voice-overs generated by artificial intelligence. The institute calls this campaign Shadow Play, and says it started in the middle of last year. The campaign includes a network of at least 30 YouTube channels that have produced more than 4,500 videos. So far they have had 120 million views. The report says that since being advised, Google has taken down 19 of the YouTube channels because they were either created by phony people or were spam.
Follow Cybersecurity Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.