Biden orders review of supply chain security
The president’s executive order has a few goals: to address shortages of critical imported components such as batteries and pharmaceuticals, to wean the country off semiconductors manufactured overseas, and to review the security of the information and communications sector. After signing the order, Biden said that “we need to make sure these supply chains are secure and reliable.” It’s an issue of national security, he said. The SolarWinds hack is one example of cyber-espionage targeting important supply chains, and the attempted hack of the vaccination supply chain is another.
China uses malicious Firefox Extension to spy on Tibetans
Chinese hackers are using a malicious Firefox extension named “Flash update components” to spy on Tibetan communities globally, security researchers have found. Enterprise security firm Proofpoint says that the rogue extension is based on an open-source tool named “Gmail Notifier (restartless)” that’s been altered to include malicious capabilities. The extension lets the hackers hijack their targets’ Gmail accounts. The infection chain starts with a phishing email impersonating the “Tibetan Women’s Association”. It comes from a Gmail account that’s been known to masquerade as the Bureau of His Holiness the Dalai Lama in India.
Attackers scan for unpatched VMware servers after PoC exploit release
Just one day after VMware patched a critical remote code execution (RCE) server vulnerability, threat intelligence company Bad Packets detected attackers scanning for unpatched systems. Positive Technologies, which discovered the vulnerability, had delayed its release of vulnerability details in order to give companies time to patch vCenter servers or to block public access. In spite of that delay, however, there are still thousands of vulnerable servers that can be accessed over the Internet: BinaryEdge says it found over 14,000, while the Shodan search engine reveals over 6,700. Positive Technologies decided to publish details on Wednesday after hackers started mass scanning for unpatched servers.
Millions of COVID test results leaked
Over 8 million COVID-19 test reports have been leaked online due to a flawed online system implementation. The spill includes the name, age, gender, partial home address, test result, test date, report identifier, and lab location of patients handled by the Health and Welfare Department of West Bengal, India. This isn’t the first time: last month, BleepingComputer reported that multiple Indian government websites were leaking COVID test reports. The latest spill was discovered by security researcher Sourajeet Majumder, who says that poor system implementation led to the leaking of test reports “of EVERYONE who took a COVID-19 test in a particular state.”
Thanks to our episode sponsor, PlexTrac

Holes found in security for ‘Skills’ code in Amazon Alexa
Researchers have analyzed the security measures protecting Amazon’s Alexa voice assistant ecosystem and found them lacking. In research presented at the Network and Distributed System Security Symposium (NDSS) conference, they described flaws in the process Amazon uses to review third-party Alexa applications known as Skills. The researchers found that they can swap malware for Amazon code and bypass security measures to do things like publish Skills that use the names of well-known companies, making it easier to concoct convincing phishing attacks. They also found they could make backend code changes even after code had been approved, in order to coax users into revealing unwanted information.
Facebook bans Myanmar military
Weeks after the military coup in Myanmar, Facebook has come down squarely on the side of the pro-democracy movement. On Wednesday, it banned Myanmar’s military from the platform. The ban will also block military-owned businesses from advertising. The move comes after years of the military using the site to incite hatred against the country’s Muslims. Since seizing power, the military has repeatedly shut off the internet and cut access to major social media sites. But that information throttle hasn’t kept the country’s generals from using Facebook to distribute propaganda, including immediately posting about the takeover on the military’s official Facebook page.
VC giant Sequoia Capital ties breach to BEC attack
Sequoia Capital, the venture-capital giant that’s invested in the likes of cybersecurity companies SentinelOne, FireEye and Palo Alto Networks, says a recently disclosed data breach was apparently caused by a business email compromise (BEC) attack. The company suspects the breach was part of a wire diversion scam, where hackers pose as an executive or a trusted vendor and try to trick an employee into wiring money to a bank account they control. Sequoia says that it has been monitoring the dark web, but so far it hasn’t seen evidence of data being sold or traded or otherwise exploited.
Facebook, Twitter, WhatsApp face tough new takedown rules
It’s going to be a lot tougher for Internet powerhouses such as Facebook, Twitter, Google and Netflix to make money in India, the third-largest economy in Asia. On Thursday, the country imposed tough, sweeping new rules on social media and digital news outlets. Ravi Shankar Prasad, India’s IT, Law, and Justice minister, said that from hereon in, social media companies will be required to acknowledge takedown requests of misinformation and unlawful or violent content within 24 hours and to deliver a complete redressal within 15 days. In sensitive cases such as those surrounding explicit sexual content, firms will be required to take down the content within 24 hours.