This week’s Cyber Security Headlines – Week in Review, Mar 14-18, is hosted by David Spark with our guest, Eric Hussey, CISO, Aptiv
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Cyber Command chief tells Congress chip shortage has national security implications
China’s increasing progress toward producing enough semiconductor chips domestically to avoid relying on foreign trade is “an issue of great concern for us in terms of broader impacts,” U.S. Cyber Command and National Security Agency head Gen. Paul Nakasone told House Intelligence Committee members this week. He added that China’s progress toward chip independence would give the Chinese more leverage to act as they please without fear of sanctions. He also said the United States is lagging in domestic semiconductor chip production, and noted that Ukraine and Russia produce 90% of America’s neon gas, which is critical for the lasers used to make chips.
Zero-click flaws in widely used UPS devices threaten critical infrastructure
Three critical security vulnerabilities in widely used smart uninterruptible power supply (UPS) devices could allow for remote takeover, meaning that malicious actors could cause business disruptions, data loss and even physical harm to critical infrastructure, researchers at Armis have found. The flaws, which Armis has dubbed TLStorm, are in APC Smart-UPS devices, which number about 20 million in deployment worldwide. APC is a subsidiary of Schneider Electric. “Being controlled through a cloud connection means a bad actor could remotely take over devices without the user ever knowing about it,” the researchers warned. Furthermore, an attacker could gain code execution on a device, forcing it to physically damage itself or other assets connected to it, they said.
Biden set to sign bill with cyber disclosure provision
Last week both the US House and Senate passed a bill which includes a provision that critical infrastructure operators must report cyberattacks within 72 hours. It now goes to President Biden’s desk to sign into law. Disclosure would be required for “substantial” cybersecurity incidents. Any ransomware payment would also have to be disclosed within 24 hours. The law also gives CISA the authority to subpoena for failure to disclose within those timelines.
Mobile endpoints see a lot of malicious apps
A new report by the security firm Zimperium found that in 2021, 25% of mobile endpoints encountered a malicious app. The report also found a 466% increase in exploited zero-day vulnerabilities on mobile endpoints in the year, with iOS devices accounting for 60% of victims. With phishing on the rise, it’s unsurprising that 75% of phishing websites seen in the study were specifically targeting mobile devices. Overall, 42% of enterprises reported that either mobile devices or web apps led to security incidents in 2021.
FTC to fine CafePress for cover up of massive data breach
The U.S. Federal Trade Commission (FTC) announced plans to slap CafePress, a custom t-shirt and merchandise site, with a $500,000 fine for a breach that affected over 23 million of its users. Instead of responsibly informing customers about the breach, CafePress closed the users’ accounts and charged them each a $25 account closure fee. The FTC explained that CafePress stored customer Social Security numbers and password reset answers in plain text, and retained user data for longer than necessary. As part of the proposed settlement, CafePress will be required to implement multi-factor authentication, minimize data collection and retention, and encrypt Social Security numbers stored on its servers.
Thanks to our episode sponsor, Varonis

Report uncovers alarming level of alert fatigue in Cloud environments
Orca Security commissioned a global, cross-industry study among IT decision makers to examine the current state of cloud security alert fatigue. The report revealed that security teams are inundated with cloud security alerts, with 59% of respondents receiving more than 500 cloud security alerts per day. The survey showed that monitoring alerts is causing burnout, with roughly 60% of respondents indicating that alert fatigue has contributed to staff turnover and has also created internal friction. The report also shows a false sense of confidence: more than 95% of respondents said they feel confident or very confident in their tooling, despite 43% indicating that more than 40% of their alerts are false positives, roughly half saying more than 40% of alerts are low priority, and more than half indicating that critical alerts are being missed.
Phony Instagram ‘support staff’ emails hit insurance company
A phishing campaign disguised as originating from Instagram technical support was used to steal login credentials from employees of a prominent U.S. life insurance company headquartered in New York. According to a report published by Armorblox on Wednesday, the attack bypassed Google’s email security by using a valid domain name. The email had grammar, spelling and capitalization errors, including spelling “Instagram Support” with a capital “L,” and it came from membershipform@outlook.com.tr, a domain based in Turkey. The researchers said that despite these misspellings, the attack’s success clearly demonstrates that people are not seeing anything more than the word ‘membershipform’ before clicking on the link.
Hacker breaches key Russian ministry using VNC
The hacker, who goes by the handle Spielerkid89, did not intend to harm the organization and left its systems intact. However, his experiment is a perfect example of how poor cyber hygiene can leave organizations vulnerable. Using Shodan, he was investigating whether he could find Russian IPs with disabled authentication. He soon discovered an open virtual network computing (VNC) port with authentication disabled. This connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. He did not need any password or authentication, and stated he was able to access people’s names, other IP addresses pointing to other computers on the network, and financial documents. The hack was independently confirmed by Cybernews.com.
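The “disabled authentication” in this story is visible on the wire: during the RFB (VNC) handshake the server lists the security types it will accept, and type 1 (“None”) means anyone who connects gets a desktop. The parser below is an added example, not code from the story or from any VNC project, for auditing the greeting your own exposed VNC services send back; the sample handshakes are constructed, not captured from any real host.

```python
import struct

# Security types from the RFB protocol (RFC 6143 section 7.1.2, plus
# common vendor extensions). Type 1 ("None") means no authentication.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_rfb_handshake(data: bytes) -> dict:
    """Parse the server side of the RFB version + security handshake.

    `data` is what a VNC server sends before the client picks a security
    type. Returns the version, the offered types, and whether the server
    would accept an unauthenticated session.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB server greeting")
    version = data[:12].decode("ascii").rstrip("\n")  # e.g. "RFB 003.008"
    major, minor = (int(x) for x in version[4:].split("."))
    body = data[12:]
    if not body:
        raise ValueError("handshake truncated before security types")
    if (major, minor) <= (3, 3):
        # RFB 3.3: the server dictates one type as a 4-byte big-endian word.
        (sec,) = struct.unpack("!I", body[:4])
        types = [sec]
    else:
        # RFB 3.7/3.8: a one-byte count followed by that many one-byte types.
        count = body[0]
        if count == 0:
            # Zero types signals a refusal; a length-prefixed reason follows.
            (rlen,) = struct.unpack("!I", body[1:5])
            reason = body[5:5 + rlen].decode("utf-8", "replace")
            return {"version": version, "types": [], "auth_disabled": False, "reason": reason}
        types = list(body[1:1 + count])
    return {
        "version": version,
        "types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "auth_disabled": 1 in types,  # "None" offered: no password needed
    }


# Constructed sample handshakes (not captured from any real host).
OPEN_SERVER = b"RFB 003.008\n" + bytes([1, 1])           # offers only "None"
PASSWORD_SERVER = b"RFB 003.008\n" + bytes([2, 2, 19])   # VNC auth or VeNCrypt
LEGACY_OPEN = b"RFB 003.003\n" + struct.pack("!I", 1)     # 3.3 server, no auth
```

Feeding the first few bytes read from a socket to `parse_rfb_handshake` and alerting on `auth_disabled` is the check an exposure scan over your own address space should perform; a server whose only offered type is “None” is the configuration this story describes.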
Russia faces IT crisis with just two months of data storage left
Russia faces a critical IT storage crisis after Western cloud providers pulled out of the country, leaving Russia with only two more months before it runs out of data storage. The Russian government is exploring various solutions to resolve this IT storage problem, ranging from leasing all available domestic data storage to seizing IT resources left behind by businesses that pulled out of the country. Last week, the Ministry of Digital Development amended the 2016 Yarovaya Law to suspend a yearly requirement for telecom operators to increase storage capacity allocations by 15% for anti-terrorist surveillance purposes. Another move that could free up space would be to demand that ISPs abandon media streaming services and other online entertainment platforms that eat up precious resources.