Prepare for upcoming privacy legislation
Welcome to Cyber Security Today. It’s Wednesday Janaury 3rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
Happy New Year. And welcome to the first show of 2024.
This will be a busy year for privacy legislation in Canada and the U.S. In Canada committee hearings will resume this month on the proposed Consumer Privacy Protection Act and the accompanying Artificial Intelligence and Data Act. In the U.S., 10 states have consumer privacy legislation in various stages before their legislatures. In Massachusetts, legislators are dealing with three proposed bills. Here’s a link to the status of privacy legislation in all American states. Not all the proposed bills will pass and be signed into law this year. Remember, this is an election year in the U.S. Meanwhile privacy laws in Texas and Oregon will come into effect on July 1st, and in Montana on October 1st.
Cybercrooks marked the holiday week by celebrating “Leaksmas.” Researchers at Resecurity say on Christmas Eve several threat actors on the dark web dumped tens of millions of pieces of stolen data that could be used in phishing scams and fraud. The biggest chunk of data was 22 million records stolen from a telecommunications provider in Peru. The second biggest chunk involved data stolen from the U.S.
First American Title Insurance, which provides real estate title protection in the U.S., is recovering from a cyber attack last month. In its most recent post the company said several tools for title agents are back online. On December 20th the company disconnected all IT systems from the internet because of the attack. Although it doesn’t use the term ‘ransomware,’ the company says data on some non-production servers was stolen and encrypted.
Speaking of ransomware, researchers at Security Research Labs say they created a decryptor that may help victims hit by the BlackBasta strain of ransomware. However, according to the news site Bleeping Computer, the gang has fixed the bug that allowed the solution to be created so the decryptor may not work with newer attacks.
Researchers at a Singapore cybersecurity company called CloudSEK have figured out how threat actors are exploiting persistent cookies on Google’s platform. The problem is in an undocumented Google OAuth endpoint called MultiLogin. The exploit enables continuous access to Google services even after a user’s has reset their password. Word of the exploit spread after a developer publicly reported it in October and now several threat actors have included it in their information-stealing malware.
Here’s another warning to application developers looking for code to use from the NPM registry: Beware of a package named “everything” posted by a user named gdi2290. They also go by the name PatrickJS. Installing this package will create a mess of your code. Researchers at Checkmarx call this either a prank or digital mischief. Whatever the name, PatrickJS has apologized but so far the package can’t be uninstalled. Nor it be deleted from NPM.
Researchers at McAfee have identified 10 Android apps stuffed with malware. They include a so-called calorie counter, a numerology app and several games. As I’ve said before, just because an app is in the Google Play store or a well-known app store doesn’t mean its safe to download. Be suspicious of an app you take that demands access to Android’s accessibility services unless it’s really needed — and a game won’t need it. Accessibility services are for helping people with disabilities to use smartphones.
Finally, big-name digital camera manufacturers are trying to fight the risk of images being altered by mischief-makers or threat actors using artificial intelligence. PC Magazine reports that Nikon plans to start offering mirrorless cameras with digital authentication technology for professional photographers. Nikon and other camera makers are also backing a tool called Verify people can use to check the authenticity of an image with a digital signature that will show the real creation date, location and other credentials of the image.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
