This week’s Cyber Security Headlines – Week in Review, May 29-June 2, is hosted by Sean Kelly with our guest, Howard Holton, CTO, GigaOm
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Amazon Ring, Alexa accused of privacy violations by FTC
America’s Federal Trade Commission on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus. The Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections.” The FTC also took on Amazon over its Alexa devices’ data-retention policies, stating, “Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted,” adding “even when a parent sought to delete that information, Amazon failed to delete transcripts of what kids said from all its databases.”
Gigabyte firmware update system insecure
Researchers at the security firm Eclypsium published findings that 271 motherboard models from the computer OEM Gigabyte include UEFI firmware that launches an update utility on bootup. The utility can go online and download updates without any user notification or authorization, and the researchers say it doesn't properly authenticate the code it downloads, often fetching it over an unencrypted HTTP connection, which lets an attacker on the network path easily spoof an update. It also looks for updates on network-attached storage, which an attacker on the same network could easily impersonate. Eclypsium said it notified Gigabyte and the company plans to fix the issues.
(Wired)
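The two failures Eclypsium describes, no code authentication and plaintext transport, are separate checks, and an updater needs both. The Go program below is an added illustration, not Gigabyte's or Eclypsium's code: it places the insecure pattern (run whatever the fetch returns) beside a hardened one that refuses anything not fetched over TLS from the vendor origin and not signed by a key pinned at build time. The vendor host name, the payload bytes and the NAS share path are constructed for the example, and Ed25519 stands in for whatever signing scheme a real vendor uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// vendorHost is the only origin the hardened updater accepts (assumed name).
const vendorHost = "updates.vendor.example"

// Update is what an updater gets back from a fetch.
type Update struct {
	Source    string // URL or share path the payload came from
	Payload   []byte // updater/firmware bytes
	Signature []byte // detached Ed25519 signature over sha256(Payload); unused by the insecure design
}

var (
	ErrPlaintextTransport = errors.New("update fetched over plaintext transport")
	ErrUntrustedSource    = errors.New("update did not come from the vendor origin")
	ErrBadSignature       = errors.New("signature does not verify against the pinned vendor key")
)

// insecureAccept models the updater described above: whatever the fetch
// returns is treated as genuine and run.
func insecureAccept(u Update) []byte { return u.Payload }

// HardenedUpdater carries the vendor public key pinned at build time.
type HardenedUpdater struct{ VendorPub ed25519.PublicKey }

// Accept returns the payload only if it arrived over TLS from the vendor host
// and its signature verifies; transport alone is not enough, since a mirror
// or CDN could still serve a modified file.
func (h HardenedUpdater) Accept(u Update) ([]byte, error) {
	parsed, err := url.Parse(u.Source)
	if err != nil {
		return nil, err
	}
	if parsed.Scheme != "https" {
		return nil, ErrPlaintextTransport // rejects http:// and smb:// NAS paths alike
	}
	if parsed.Host != vendorHost {
		return nil, ErrUntrustedSource
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(h.VendorPub, digest[:], u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// signUpdate is the vendor's release step; the private key stays offline.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// Outcome records what each updater did with the constructed scenarios.
type Outcome struct {
	InsecureRanAttackerPayload bool
	HardenedAcceptedGenuine    bool
	ErrPlaintextHTTP           error
	ErrNASShare                error
	ErrTampered                error
}

// RunScenario plays out a genuine release, an on-path attacker answering the
// plaintext fetch, a spoofed NAS share, and a tampered file served over TLS.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("vendor updater build 1.2.3")  // constructed
	malicious := []byte("attacker-supplied binary") // constructed
	sig := signUpdate(priv, genuine)
	h := HardenedUpdater{VendorPub: pub}
	httpURL, httpsURL := "http://"+vendorHost+"/update.bin", "https://"+vendorHost+"/update.bin"

	var o Outcome
	spoofed := Update{Source: httpURL, Payload: malicious} // what an on-path attacker returns
	o.InsecureRanAttackerPayload = string(insecureAccept(spoofed)) == string(malicious)
	_, o.ErrPlaintextHTTP = h.Accept(spoofed)
	_, o.ErrNASShare = h.Accept(Update{Source: "smb://nas.local/updates/update.bin", Payload: malicious})
	_, o.ErrTampered = h.Accept(Update{Source: httpsURL, Payload: malicious, Signature: sig})
	got, err := h.Accept(Update{Source: httpsURL, Payload: genuine, Signature: sig})
	o.HardenedAcceptedGenuine = err == nil && string(got) == string(genuine)
	return o
}

func main() {
	o := RunScenario()
	fmt.Printf("insecure updater ran attacker payload: %v\n", o.InsecureRanAttackerPayload)
	fmt.Printf("hardened: genuine=%v http=%v nas=%v tampered=%v\n",
		o.HardenedAcceptedGenuine, o.ErrPlaintextHTTP, o.ErrNASShare, o.ErrTampered)
}
```

The order of the checks matters: the transport and origin checks are cheap and fail fast, but the signature check is the one that actually anchors trust, because a vendor's own server or CDN can be compromised. For a real updater the public key must live in the firmware image itself, not in a file the updater downloads.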
Leading experts warn of a risk of extinction from AI
On Tuesday, AI experts issued a dire warning saying, “Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.” Sam Altman, CEO of OpenAI, and Geoffrey Hinton, also known as the godfather of AI, who recently left Google, were among the hundreds who signed the statement posted on the Center for AI Safety’s website. The call for AI guardrails has intensified as companies have rushed to adopt new tech. This point was underscored Tuesday when chipmaker Nvidia briefly became worth over $1 trillion after share prices surged due to its AI advances.
Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks
Researchers at Trustwave have observed threat actors using encrypted RPMSG attachments sent from compromised Microsoft 365 accounts in a phishing campaign aimed at stealing Microsoft credentials. RPMSG files are used to deliver emails with Rights-Managed Email Object Protocol enabled, which controls e-mail access and usage permissions. Instead of plain text, the e-mail content is encrypted and stored as an encrypted file attachment, and recipients can read it only after authenticating with their Microsoft account or obtaining a one-time passcode. The message tries to trick recipients into clicking the “Read the message” button to decrypt the protected message. Upon clicking the link, recipients are redirected to a genuine Office 365 webpage asking them to sign into their Microsoft account. Once authenticated with the Microsoft service, they are redirected to a page displaying the attackers’ phishing content, which contains a “Click here to continue” button pointing to a fake SharePoint document hosted on Adobe’s InDesign service.
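The detection problem this campaign poses is that the gateway cannot inspect the encrypted wrapper, and the first link is a genuine Microsoft sign-in page, so URL reputation will not fire. What a gateway can still see is the wrapper itself and who sent it. The Go program below is an added example, not Trustwave's code or a product rule: it runs a simple rule over constructed mail-gateway log lines, flagging .rpmsg attachments from senders that are neither the organization's own tenant nor an allowlisted partner, and noting wide recipient fan-out, which fits a compromised account spraying a campaign. The tenant domain, partner allowlist, log format and fan-out threshold are all assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// tenantDomain is our own Microsoft 365 domain (assumed name).
const tenantDomain = "ourtenant.example"

// partnerAllowlist holds external domains that legitimately send us
// rights-managed mail (assumed); an .rpmsg wrapper from anyone else is suspect.
var partnerAllowlist = map[string]bool{"trusted-partner.example": true}

// fanOutThreshold is the recipient count from which one sender looks like a
// compromised account spraying a campaign (assumed tuning value).
const fanOutThreshold = 10

// GatewayEvent is one parsed mail-gateway log line.
type GatewayEvent struct {
	ID          string
	From        string
	Recipients  int
	Attachments []string
}

// parseEvent reads the constructed key=value format used by sampleLog, e.g.
// "id=m1 from=a@b.example rcpt=3 attach=message.rpmsg,notes.txt".
func parseEvent(line string) GatewayEvent {
	var ev GatewayEvent
	for _, field := range strings.Fields(line) {
		key, val, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch key {
		case "id":
			ev.ID = val
		case "from":
			ev.From = strings.ToLower(val)
		case "rcpt":
			ev.Recipients, _ = strconv.Atoi(val)
		case "attach":
			if val != "" {
				ev.Attachments = strings.Split(val, ",")
			}
		}
	}
	return ev
}

func senderDomain(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return addr[i+1:]
	}
	return ""
}

func hasRPMSG(names []string) bool {
	for _, n := range names {
		if strings.HasSuffix(strings.ToLower(strings.TrimSpace(n)), ".rpmsg") {
			return true
		}
	}
	return false
}

// Finding is a flagged message with the reason it tripped the rule.
type Finding struct {
	ID     string
	Reason string
}

// FlagRPMSG applies the rule: the gateway cannot see inside the encrypted
// wrapper, so the wrapper itself, arriving from a sender that is neither our
// tenant nor an allowlisted partner, is the signal. Wide fan-out from such a
// sender is appended to the reason because it fits a compromised account.
func FlagRPMSG(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		ev := parseEvent(line)
		if !hasRPMSG(ev.Attachments) {
			continue
		}
		dom := senderDomain(ev.From)
		if dom == tenantDomain || partnerAllowlist[dom] {
			continue
		}
		reason := "rpmsg wrapper from non-allowlisted external sender " + dom
		if ev.Recipients >= fanOutThreshold {
			reason += fmt.Sprintf(", fan-out to %d recipients", ev.Recipients)
		}
		out = append(out, Finding{ID: ev.ID, Reason: reason})
	}
	return out
}

// sampleLog is constructed for this example, not real gateway output.
var sampleLog = []string{
	"id=m1 from=cfo@ourtenant.example rcpt=1 attach=message.rpmsg",
	"id=m2 from=ap@trusted-partner.example rcpt=2 attach=Message.rpmsg",
	"id=m3 from=accounts@compromised-corp.example rcpt=40 attach=message.rpmsg",
	"id=m4 from=news@compromised-corp.example rcpt=40 attach=brochure.pdf",
	"id=m5 from=hr@another-corp.example rcpt=1 attach=message.rpmsg,invoice.pdf",
}

func main() {
	for _, f := range FlagRPMSG(sampleLog) {
		fmt.Printf("%s: %s\n", f.ID, f.Reason)
	}
}
```

Because the sending account is a real, compromised tenant, the message will pass SPF, DKIM and DMARC, so this rule should route to review or user warning rather than hard block, and the allowlist needs to be maintained or it will generate noise from every partner that uses rights management.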
Thanks to today’s episode sponsor, Barricade Cyber

Lender OneMain fined $4.25 million for cybersecurity lapses
OneMain Financial Group, which specializes in issuing loans to people with “non-prime” credit histories, will pay a $4.25 million penalty in New York state for cybersecurity lapses found during a government investigation. The DFS investigation found, for example, that the company allowed local administrative users to share accounts and permitted those accounts to keep using the default password issued at onboarding. The department also noted that OneMain used a non-formalized project administration framework developed in-house that failed to address certain key software development life cycle phases, did not assess third-party vendors properly despite having a risk policy in place, and failed to appropriately adjust several vendors’ risk scores even after multiple cybersecurity events. OneMain has responded by saying it has “long since addressed” problems found in the investigation, which examined its policies from 2017 to early 2020.
The human factor fuels industrial APT attacks
Kaspersky has issued a report identifying the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first is the absence of isolation in operational technology (OT) networks, which can allow attackers to better manage malware traffic. The report also highlights disgruntled employees and contractors, as well as those accessing OT networks without adequate attention to information security measures, as a significant driver of cyber-criminal activity in industrial settings. Finally, the report asserts that outdated, misconfigured and unpatched systems exacerbate the spread of security threats. (Pair with Kaspersky iOT APT discovery)
The dangers of Salesforce “ghost sites”
Researchers at Varonis sounded the alarm on these so-called “ghost sites.” They can occur when an organization sets up a Salesforce “Communities” site, where customers, vendors, and other partners can collaborate within the organization’s Salesforce environment. If the organization migrates away from Salesforce, these Communities often remain online. This typically happens when an organization pointed a short, convenient DNS name at the Community and later repointed that name to a new service, leaving the Community itself running. Since Salesforce also supports automated dataflows into Communities, the abandoned sites can continue to receive fresh data, potentially exposed to anyone who knows the site’s underlying Salesforce URL. Varonis warns that organizations should deactivate and delete these sites entirely rather than merely removing the URL redirects that point to them.
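The mechanism matters for how you hunt for these: because the vanity DNS name was repointed, scanning your DNS zone for Salesforce targets will not find a ghost site, since nothing in DNS leads to it any more. The check has to start from Salesforce's own list of sites and ask, for each one still active, whether the name the business advertised still resolves to it. The Go program below is an added example, not Varonis's tooling or anything Salesforce ships: it reconciles a constructed site export against constructed zone lines and reports active sites whose vanity name was deleted or repointed elsewhere. The export columns, host names and zone records are all assumptions for the example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// SiteRecord is one row of an export of the tenant's Communities / Experience
// Cloud sites. The columns (name, salesforce_host, custom_host, status) are
// assumed for this example; build them from whatever your admins can export.
type SiteRecord struct {
	Name           string
	SalesforceHost string // host Salesforce itself serves the site on
	CustomHost     string // vanity name the business advertised, empty if none
	Active         bool
}

func parseSites(csvText string) ([]SiteRecord, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []SiteRecord
	for i, row := range rows {
		if i == 0 || len(row) < 4 {
			continue // header or malformed row
		}
		out = append(out, SiteRecord{
			Name:           row[0],
			SalesforceHost: strings.ToLower(strings.TrimSpace(row[1])),
			CustomHost:     strings.ToLower(strings.TrimSpace(row[2])),
			Active:         strings.EqualFold(strings.TrimSpace(row[3]), "active"),
		})
	}
	return out, nil
}

// parseCNAMEs maps alias -> target from BIND-style zone lines
// ("name [ttl] IN CNAME target."), ignoring comments and other record types.
func parseCNAMEs(zone []string) map[string]string {
	m := map[string]string{}
	for _, line := range zone {
		if i := strings.Index(line, ";"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) < 4 || !strings.EqualFold(f[len(f)-2], "CNAME") {
			continue
		}
		alias := strings.TrimSuffix(strings.ToLower(f[0]), ".")
		m[alias] = strings.TrimSuffix(strings.ToLower(f[len(f)-1]), ".")
	}
	return m
}

// Ghost is a site still active in Salesforce although the name the business
// advertised no longer leads to it, so it lives on, forgotten, at its
// Salesforce host.
type Ghost struct {
	Site   SiteRecord
	Reason string
}

// FindGhosts reconciles the site export against public DNS. Inactive sites are
// skipped, as are sites with no vanity name, for lack of evidence either way.
func FindGhosts(sites []SiteRecord, zone []string) []Ghost {
	cnames := parseCNAMEs(zone)
	var out []Ghost
	for _, s := range sites {
		if !s.Active || s.CustomHost == "" {
			continue
		}
		target, present := cnames[s.CustomHost]
		var reason string
		switch {
		case !present:
			reason = "vanity name removed from DNS but site still active at " + s.SalesforceHost
		case target != s.SalesforceHost:
			reason = "vanity name repointed to " + target + " but site still active at " + s.SalesforceHost
		default:
			continue // DNS still leads here; the site is in use, not a ghost
		}
		out = append(out, Ghost{Site: s, Reason: reason})
	}
	return out
}

// Constructed sample inputs; not real Salesforce or zone data.
const sampleSites = `name,salesforce_host,custom_host,status
Partner Portal,acme-partners.force.com,partners.example.com,Active
Customer Support,acme-support.my.site.com,support.example.com,Active
Vendor Onboarding,acme-vendors.force.com,vendors.example.com,Active
Legacy Events,acme-events.force.com,events.example.com,Inactive
`

var sampleZone = []string{
	"partners.example.com. 300 IN CNAME acme-partners.force.com.",
	"support.example.com.  300 IN CNAME acme.zendesk.example. ; support moved off Salesforce",
	"www.example.com.      300 IN A     203.0.113.10",
}

func main() {
	sites, err := parseSites(sampleSites)
	if err != nil {
		panic(err)
	}
	for _, g := range FindGhosts(sites, sampleZone) {
		fmt.Printf("%s: %s\n", g.Site.Name, g.Reason)
	}
}
```

Each hit is a site to deactivate and delete on the Salesforce side, and to check for dataflows still feeding it. A clean result only means DNS and the site list agree today; the inventory has to be re-run after every migration, because that is exactly when names get repointed.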