Hackers waltzed past MFA used by CISA on cloud accounts
Multifactor authentication is one of the strongest security controls we have, but it’s not infallible. On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) revealed that malicious actors bypassed its MFA to get into its cloud service accounts. CISA said that the threat actors had tried multiple times to breach its systems by various tactics, including phishing, brute-force login attempts, and possibly a “pass-the-cookie” attack, which involves the theft of authentication cookies from browsers and related processes. That’s how the attackers were able to hijack an already authenticated session: by presenting stolen session cookies to CISA’s online services, they never had to satisfy the MFA prompt at all.
Social media convulses after Capitol attack
A widespread shakeup is underway: Facebook’s yanking posts of fliers promoting events leading up to Biden’s inauguration, as terrorism and cyber experts help the platform to ferret out images calling for harm. The walkie-talkie app Zello, which hasn’t proactively moderated content, has deleted over 2,000 militia-related channels after finding it was used by insurrectionists. And Parler, the social media app favored by Trump supporters, may never come back after having been scraped off the app stores, kicked out by Slack and cut by Amazon, CEO John Matze told Reuters. Parler filed charges on Wednesday, asking for Amazon to be forced to restore its service.
(Reuters, Bloomberg, The Guardian)
Google fixes bug that delayed COVID contact-tracing apps
The API bug affected contact-tracing apps worldwide, delaying notifications sent to Android users. The apps are built on top of the Exposure Notifications System, an API that Google released jointly with Apple to help health services develop contact-tracing apps. It looks like the problem only manifested on Android devices, not on iOS. The API lets developers create contact-tracing tools that protect privacy by relying on Bluetooth to exchange anonymous keys between smartphones: an easy way to warn users if they’ve been in contact with someone who later tested positive.
(ZDNet)
Apple yanks feature that let apps bypass macOS firewalls and VPNs
Apple has removed the ContentFilterExclusionList from macOS 11.2 beta 2 of Big Sur. The controversial feature had allowed 53 of Apple’s own apps to bypass third-party firewalls, security tools, and VPN apps that users themselves had installed for their own protection. The list included some of Apple’s biggest apps, such as the App Store, Maps, and iCloud. Security researchers had discovered the problem this past October and had called it a security nightmare waiting to happen.
(ZDNet)
Thanks to our episode sponsor, IT Asset Management Group

Google finishes digestion of Fitbit, says deal isn’t about sucking up data
Google has finally finished its year-long acquisition of Fitbit. In announcing the news, it emphasized that the deal is about “devices, not data,” and vowed to protect user privacy. Google won’t use Fitbit users’ health and wellness data for advertising, it promised, and will instead separate it from other Google ads data. This commitment, which it says is binding, suggests that Fitbit may help Google expand its wearable hardware offerings as opposed to feeding into any kind of market for people’s personal health information.
Jersey City still reeling 3 months after ransomware attack on water, sewer
Three months after a ransomware attack that blocked access to Jersey City’s water and sewer system data, threatening what the Jersey City Municipal Utilities Authority (MUA) said could have been a “public health crisis,” systems still aren’t fully restored. Officials haven’t disclosed many details. Documents do show, however, that nearly half a million dollars has been spent on remediation so far. “Despite repeated efforts … problems continued to be encountered with restoring all of the JCMUA’s internet technology network to full operation,” according to a resolution filed last month that also called out a need for “advanced technical assistance.”
(NJ.com)
Windows 10 zero-day corrupts hard drives just by seeing a file icon
The zero-day allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. That one line can be tucked inside a Windows shortcut file, a ZIP archive, or batch files, among other means, to trigger hard drive errors that corrupt the filesystem index “instantly.” The bug was first discovered by infosec researcher Jonas L in August, and as of this week, it’s still there. The researcher found that a Windows shortcut file with an icon location set in a particular way will trigger the vulnerability, even if the user has only viewed the folder it’s in but never actually opened the file.
How to tweak Signal to boost your security and privacy
In spite of WhatsApp’s recent clarifications about what it shares with Facebook, users have been flocking to Signal for more secure, more private messaging. ZDNet’s Adrian Kingsley-Hughes has published some tips on a few settings to tweak in order to boost Signal security even more. For example, the Enable Screen Security setting on the iOS version, which is called Screen Security on the Android version, enables you to prevent data previews from being shown in the app switcher on iPhones, while on Android it prevents recipients from taking screenshots.
(ZDNet)