MOVEit hacker tries to squeeze victims harder, an apology for a data leak from VirusTotal, and more.
Welcome to Cyber Security Today. It’s Monday, July 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
The ransomware gang behind the huge data thefts from the MOVEit file transfer application data has created a new way of pressuring victims to pay to get their data back. According to Bleeping Computer, the Clop ransomware gang is creating open websites for giving away data. Usually threat actors who steal data offer it for sale or to show evidence of theft to victims on a dark web site. The first publicly posted alleged stolen data were from consulting firms PwC, EY, Aon and financial firm TDAmeritrade. Soon after they were publicly posted the websites were unavailable. It isn’t clear why. They could have been taken down by court orders.
How respected are chief information and security officers? Not much, according to a survey of Fortune 100 companies. It was done by security reporter Brian Krebs, who looked at the executive pages published last year of leading companies. Only four — Best Buy, Cigna, Coca-Cola and Walmart — listed a CISO or CSO in the top management. By comparison about 66 firms listed a CTO, while 40 listed a CIO. One reason why: The CISO or the equivalent reports to more senior people. Another reason is that CISOs aren’t covered by directors’ and officers liability insurance. Of course, if they don’t report directly to the CEO they don’t get that protection.
Google’s VirusTotal service, which scans uploaded files so infosec pros can determine what’s dangerous, has apologized for an employee’s data leak mistake. On June 29th the staffer accidentally uploaded a database file to the platform with information on Premium account customers. That file, which was only available to partners and corporate clients, was open for about an hour. But it had names and addresses of subscribers. These would likely be IT employees. Configuration mistakes lead to a lot of leaked data, according to many research reports.
Last week Microsoft startled the security world by admitting a threat actor was able steal a private encryption key and forge access tokens for Outlook.com. Now it’s objecting to a report that the attack may have been worse than described. Researchers at Wiz say the comprised private key could have allowed the hacker to forge access tokens to multiple Microsoft apps including SharePoint, Teams, OneDrive and any application that supports the ‘login with Microsoft’ capability. Asked for comment, Microsoft told the security news site The Record that many of the claims are speculative and not evidence-based. For its part the Wiz says Microsoft’s Security Response Center team reviewed and validated its blog. Microsoft has revoked the stolen private key so it can’t be used again. It hasn’t said publicly how that key was stolen.
Administrators with employees using Adobe’s OpenMeetings web conferencing app are urged to install the latest version. That’s version 7.1.0. It closes three vulnerabilities discovered by researchers at SonarSource of Switzerland. All an attacker needs to do is register for an account and, with some knowledge, get administrator access. The problem is a logical flaw and a weak hash comparison.
Every website ought to have trackers like Meta’s Pixel and Google Analytics to help the organization understand what their visitors want, right? No, says the U.S. Federal Trade Commission and the U.S. Department of Health. They have jointly warned American hospitals and telehealth providers that website trackers have privacy risks. It’s not the first time the FTC has issued this warning. It comes after the journal HealthAffairs published a report in April finding that almost 99 per cent of hospital websites it looked at had third-party trackers. Why are they bad? Because they help marketers profile patients if they can access sensitive health information. Marketers should have those profiles. Or hackers who steal data from marketers.
Many administrators of Zyxel USG firewalls don’t seem to have installed a patch issued in April. That’s the implication of a report by researchers at Fortinet. They say last month activity was up by several denial of service botnets leveraging Zyxel devices that haven’t installed the latest firmware. Do you have one of these devices on your network? Is it patched? Why not?
Finally, in Britain, Apple has warned it will stop offering its encrypted iMessage and FaceTime services in the U.K. rather than weaken security if proposed amendments to the existing security law are passed. The law already gives the government the power to order security features of applications to be disabled after a closed-door review of the order. Under the amendments, application owners would have to immediately follow an order to disable or block a security feature. The government says the changes would protect the public from criminals, child sex abusers and terrorists. Before the proposals become law the U.K. government is conducting a public consultation.
UPDATE: After this podcast was recorded I came across an article with more news: Reacting to complaints the U.K. government has proposed an amendment that will require the telecommunications regulator, Ofcom, to conduct extra scrutiny before requiring technology companies to scan encrypted messages for illegal content.
Meanwhile, the Canadian government is expected to announce its proposed online safety legislation soon. It already held a consultation to hear what the public thinks of some proposals. There’s a link to a government summary of what it heard in the text version of this podcast. One proposal: A digital safety commissioner would be created to help enforce a new regime that requires social media companies to find and delete child pornography, terrorist content, hate speech and other harmful posts.
That’s it for now. You can find links to the stories mentioned here in the text version of this podcast at ITWorldCanada.com. That’s where you’ll find other stories of mine. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
