Cyber Security Headlines Week in Review: T-Mobile breach cost, Senate’s deepfake scam, Public records flaws

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jonathan Waldrop, CISO, The Weather Company. Here’s a link to CISA’s Cybersecurity Awareness Month announcement, sent to us by Jonathan.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com


T-Mobile data breaches cost company $31.5 million

In a settlement with the Federal Communications Commission (FCC), T-Mobile has agreed to pay a total of $31.5 million following a series of data breaches over the last few years. The settlement includes $15.75 million in civil fines; the other half of the money is to be spent on bolstering the company's cybersecurity measures, including adopting zero trust architectures and multi-factor authentication. The breaches, which started in 2021 and involved millions of current, former, and prospective customers, exposed personal details such as Social Security numbers, driver's license numbers, and other personal information.

(The Record)

Deepfake scam hits U.S. Senate

U.S. Senator Ben Cardin says he was the victim of an elaborate deepfake operation that impersonated a former Ukrainian Foreign Minister. The operation, which nearly duped the high-ranking government official, involved a fake Zoom call with what appeared to be a live audio-video connection, which seemed normal based on previous conversations the senator's office had had with this Ukrainian official. It wasn't until the imposter started asking specific questions, such as demanding an answer on the senator's stance on long-range missiles into Russian territory, that Cardin's staff ended the call, at which point staff confirmed the call was indeed fake. There is currently an open investigation into the situation.

(Dark Reading)

Public records systems riddled with security flaws

Security researcher Jason Parker disclosed dozens of critical vulnerabilities found across 19 commercial platforms for US public records used by courts, government agencies, and law enforcement. Some we've already covered on this show, like the Georgia voter registration database with a voter cancellation vulnerability. Other systems allowed attackers to elevate user status to administrator, reset passwords, or access admin dashboards. Many required no privileged access; anyone who registered an account could take advantage of them. Parker began researching these systems last year, eventually working with the Electronic Frontier Foundation to contact vendors. All disclosed issues have been fixed, and there are no signs of active exploitation.

(Ars Technica, Medium)

Huge thanks to our sponsor, SpyCloud

SpyCloud disrupts cybercrime by telling you what criminals know about your business, so you can take action on exposed identity data to prevent cyber attacks like ransomware. To learn more about how to level the playing field against bad actors and combat cyber attacks, visit spycloud.com/headlines.

Rackspace breach sparks vendor blame game

Following up on the story we brought to you yesterday on Cyber Security Headlines: after the enterprise cloud host Rackspace was hacked on September 24, a vendor blame game has kicked off. Initially the Rackspace incident was attributed to a zero-day flaw in ScienceLogic's SL1 monitoring app. However, ScienceLogic is now shifting the blame to an undocumented vulnerability in a different bundled third-party utility. While ScienceLogic declined to identify the responsible third party, the company indicated that, upon identifying the flaw, it "rapidly developed a patch to remediate the incident and have made it available to all customers globally." Attackers were able to pivot from the monitoring software to other internal Rackspace servers and compromise sensitive data of users, who have now received breach notices.

(SecurityWeek)

FCC offering $200 million to protect schools and libraries from hackers

The Federal Communications Commission is offering up to $200 million through the Schools and Libraries Cybersecurity Pilot Program. K-12 schools and libraries will be able to seek reimbursement for things like advanced firewalls, identity protection and authentication services, malware protection, and VPNs. The FCC says it expects to open the application process this fall and will select a mix of schools, with added emphasis placed on funding projects from low-income and Tribal applicants. The pilot program will be used to evaluate whether to fund this kind of program on a more permanent basis.

(The Verge)

NordVPN begins post-quantum support rollout

The popular VPN provider has joined the smattering of companies getting ready for the advent of quantum computing. NordVPN rolled out upgraded protocols that comply with the new NIST standards for post-quantum encryption. This isn't a full rollout; the post-quantum encryption is only available on its Linux client. The company said it will use data from its Linux rollout "as a stepping stone" to a broader transition, but only committed that it will "strive" to bring it to all of its applications. Nord said this feature came in response to an uptick in "harvest now, decrypt later" attacks, even though practical quantum computing isn't on the horizon yet.

(ZDNet)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.