Cybersecurity News: 802.11 flaw, activists targeted in threat campaign, call for an AI “pause”

Flaw found in WiFi protocol

According to a technical paper published by researchers at Northeastern University, the IEEE 802.11 protocol contains a fundamental security flaw, opening the door to attackers tricking access points into leaking network frames in plaintext. This exploits a behavior in access points when they enter a power saving mode, where they queue frames to send on wakeup. Attackers can spoof a device on the network to send a power-saving frame to an AP, forcing it to start queuing frames, which can then be transmitted back to the device on a forced wakeup. With this data in a shifted authentication context, the attackers can inject data into the TCP connection. Cisco acknowledged the flaw but said any data obtained “would be of minimal value in a securely configured network.”

(Bleeping Computer)

Environmental activists targeted by threat actors

Court records reveal that Aviram Azari, an Israeli private detective, operated a years-long cyber campaign targeting environmental activists, both individuals and organizations like the Rockefeller Family Fund and Greenpeace. He hired out his operations, with court records showing him hiring threat actors based in India. Authorities arrested Azari in 2019 and he pled guilty to a hacking conspiracy, wire fraud, and identity theft last year. It’s unclear who hired Azari, and his attorney said he isn’t cooperating with the investigation.

(WSJ)

Open letter calls for AI “pause”

Over 1,000 people signed an open letter calling on “all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4.” Signees include Elon Musk, Steve Wozniak, Stability AI founder and CEO Emad Mostaque, and Tristan Harris of the Center for Humane Technology, as well as some engineers from Google and Meta. The letter argues a “level of planning and management” isn’t happening, with the industry instead “locked in an out-of-control race” to develop ever-more powerful models. No one from OpenAI or Anthropic signed the letter. 

(TechCrunch)

Debt servicing giant exposes financial data

The firm NCB Management Services sent out breach notification letters, disclosing a cyberattack it detected on February 4th. According to documents filed with Maine’s Attorney General, the attack exposed personal data on just under 495,000 people. This included names, addresses, phone numbers, driver’s license numbers, Social Security numbers, credit card numbers, and routing numbers. The company claims it “obtained assurances that the third party no longer has any of the information on its systems,” indicating it paid a ransom. This appeared to target closed credit cards originating with Bank of America. Bank of America will provide victims with two years of identity theft protection. 

(The Record)

Google warns about spyware zero-days

In a blog post by Google’s Threat Analysis Group, researchers disclosed that the group began tracking over thirty spyware vendors working with government actors. The post says these countries would otherwise not be able to develop similar spyware tools on their own. The post also details two targeted campaigns using zero-day attacks against Chrome, iOS, and Android. One used an iOS remote code execution flaw to send links over SMS that ultimately delivered a GPS location pingback to the attackers. Another targeted multiple flaws in Samsung’s Internet browsers to install a full spyware suite on the device. Google reported all vulnerabilities in the report to impacted vendors, who patched the issues.

(InfoSecurity Magazine)

Defender sending URL false positives

Microsoft confirmed on Twitter that Microsoft Defender began mistakenly flagging otherwise legitimate links as malicious. The company also said that some alerts in Defender do not show “content as expected.” Users can still access legitimate URLs despite the alerts, although anecdotally admins report being inundated with dozens of alerts since early on the morning of March 29th. As of this recording, Microsoft seems to still be investigating the issue. It says it began reviewing service telemetry “to isolate the root cause and develop a remediation plan.”

(Bleeping Computer)

API attacks up 400%

That finding comes from Salt Security’s State of API Security Q1 Report 2023, which found the increase over the last six months. Of these, 80% occurred over authenticated APIs. Digging into the report, 17% of survey respondents saw an API-related breach in the quarter, while 94% experienced security issues with APIs in production. This resulted in 59% of respondents saying they slowed new application rollout. Just under half of respondents said API security reached C-level discussions in their organization.  

(InfoSecurity Magazine)

Cybersecurity education bill passes in North Dakota

The US State of North Dakota has passed a law requiring schools to teach cybersecurity in classes from Kindergarten to grade 12. A plan for the classes must be approved by July 1st, 2024. It is the first US state to require cybersecurity classes. Work on the bill began back in 2015. In addition, the state will offer all residents of North Dakota online classes in cybersecurity, networking, and programming. 

(North Dakota Assembly)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.