Cybersecurity News – Follina update, Tension inside Google, IBM pays $1.6 billion

Follina vulnerability under active exploitation

Following up on a story we brought to you yesterday on Cyber Security Headlines, Chinese-linked threat actors, known as TA413, are now actively exploiting a Microsoft Office zero-day (known as ‘Follina’) to remotely execute malicious code on Windows systems. Proofpoint researchers observed TA413 launching its exploits via the MSDT protocol when victims open or preview Word documents delivered in ZIP archives. The bug, tracked as CVE-2022-30190, impacts all installs later than Windows 7 client and Windows Server 2008. Though a patch is not yet available, admins and users are urged to disable the MSDT protocol.

(Bleeping Computer)

Tension inside Google over conduct of fired researcher

Back in 2018, Google AI researchers Anna Goldie and Azalia Mirhoseini garnered media attention for their work on project Morpheus, which tested whether an AI technique called reinforcement learning could improve upon Google’s new powerful TPU computer chips. According to reports from current and former Google employees, a senior researcher, Satrajit Chatterjee, used the cover of scientific debate to undermine the two women’s research. Despite multiple employee complaints about his treatment of women and a written warning from HR, Chatterjee continued his criticism. In March of this year, a committee of senior Google executives denied Chatterjee’s request to publish a public rebuttal to the research, shortly after which Chatterjee was fired. While Google continues to leverage the algorithms from project Morpheus in their chips, it is unclear whether Chatterjee’s paper will be formally published or peer reviewed outside Google.

(Wired)

IBM to pay $1.6 billion for poaching customer account

On Monday, a US District Judge in Houston ordered IBM to pay $1.6 billion to BMC Software for swapping in its own software while servicing their mutual client, AT&T. After a seven-day non-jury trial, the judge rejected IBM’s claim that it fairly acquired the business from AT&T, which was one of BMC’s core customers. The judge noted that IBM’s role in AT&T’s choice to dump BMC “smacked of intentional wrongdoing.”

(Bloomberg)

Clearview AI fined millions for data privacy violation

The UK Information Commissioner’s Office (ICO) has fined Clearview AI Inc. $8 million for violating the country’s data protection laws. According to the ICO, Clearview AI collected over 20 billion facial images and data of its citizens from publicly available internet sources and social media platforms without their consent. Clearview, whose facial recognition database has been used by law enforcement and commercial organizations for investigative purposes, has also been ordered to purge the data of UK residents from its systems. The ICO’s fine adds to the list of similar fines and bans by several other countries and organizations.

(Security Magazine)

Hackers can steal WhatsApp accounts using call forwarding 

Rahul Sasi, founder and CEO of CloudSEK, has posted details of a trick that allows attackers to hijack a victim’s WhatsApp account. First, the attacker tricks the victim into calling a number that starts with a Man Machine Interface (MMI) code, which can be easily found on the Internet. This prompts the carrier to forward the victim’s calls to the attacker’s number, and the attacker can then begin the WhatsApp registration process. After choosing to receive the one-time password (OTP) via voice call, the attacker can enable two-factor authentication (2FA) and lock the legitimate owner out of the account. The attack can be easily thwarted by enabling 2FA, which would prompt a would-be attacker for a PIN upon their attempt to register the account.

(Bleeping Computer)

Turkish airline exposes flight and crew info

Back in February, researchers from SafetyDetectives discovered an unsecured AWS bucket containing sensitive data belonging to low-cost Turkish airline, Pegasus Airlines. Nearly 23 million files totalling around 6.5 TB were found on the leaky bucket including crew photos and signatures, flight charts, insurance documents, details of issues found during pre-flight checks, crew shift information, as well as plaintext passwords and secret keys. Some of the leaked information was traced back to the Electronic Flight Bag (EFB) software developed by the airline. 

(Infosecurity Magazine)

Access control may help address climate risk management efforts

Under a new rule proposed by the SEC, public companies would be required to disclose their greenhouse gas emissions annually to protect investors from negative earnings impacts caused by emissions issues. Modern security and building access systems are commonly used to inform smart building features that regulate energy use. As electricity accounts for the second-largest share of greenhouse gas emissions in the US (according to the EPA), access control data is expected to become a pivotal asset for proving compliance with the new rule. 

(Security Magazine)

Singapore to pilot digital asset trading with blockchain and tokenisation

On Tuesday, the Monetary Authority of Singapore (MAS) announced plans to pilot use cases of asset tokenisation and autonomous trading powered by blockchain technology. Called Project Guardian, the initiative will include an evaluation of regulations needed to safeguard against potential risks. Singapore’s financial authorities have noted a number of potential benefits of this model including greater liquidity, better price discovery, access to illiquid assets, and cost savings associated with removing the need for intermediaries.

(ZDNet)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.