This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Howard Holton, COO and industry analyst, GigaOm
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Beware the SMS 2FA middleman
An anonymous whistleblower provided Bloomberg Businessweek and Lighthouse Reports with records of roughly 1 million SMS messages carrying autogenerated two-factor authentication login codes, all sent in June 2023. Every one of these messages passed through the Swiss company Fink Telecom Services, which cybersecurity researchers have previously found worked on government and private surveillance contracts to track user locations and spy on phones. Fink Telecom is one of many intermediaries that relay SMS authentication codes on behalf of other platforms. Fink CEO Andreas Fink told Bloomberg that legal restrictions prevent the company from seeing message content and that it no longer works in surveillance. Fink generally operates as a subcontractor for other SMS processors, so the platforms sending the codes have no direct business relationship with, or oversight of, the company handling their messages.
NIST publishes new ZTA guidance
This new guidance is meant to serve as a foundational starting point for organizations building their own zero-trust architecture, although it cautions that every such architecture needs to be custom-built for its context. NIST includes 19 examples of zero-trust architectures built by organizations using commercial, off-the-shelf tools and technologies. The guidance is meant to augment NIST’s previous conceptual-level ZTA documentation, released in 2020. It emphasizes a phased deployment that starts by identifying and cataloging assets, then builds out access policies, and eventually reaches continuous monitoring and improvement.
Washington Post investigates hacking incident on journalists’ emails
A source speaking with Reuters has stated that there has been a “possible unauthorized targeted intrusion affecting a few journalists,” which The Wall Street Journal has said was “potentially the work of a foreign government.” Specifically, the reporters whose emails were targeted included “members of the national security and economic policy teams, including some who write about China,” the report added. Staffers at The Washington Post have been told “the intrusions compromised journalists’ Microsoft accounts and could have granted the intruder access to work emails.” Graham Cluley, posting on LinkedIn, stated that “in recent years, reporters at the Post have reportedly stopped using email for their most sensitive conversations and use encrypted messaging apps like Signal instead. Nonetheless, the Wash Post has wisely decided to force all employees to reset their login credentials.”
(Reuters and Graham Cluley via LinkedIn)
Huge thanks to our sponsor, Adaptive Security

Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats.
Learn more at adaptivesecurity.com.
State healthcare exchanges share data with Big Tech
An investigation by The Markup and CalMatters found that four state-run insurance marketplace sites share sensitive information through embedded advertising trackers. The investigation looked at exchanges operated by 20 states. Nevada’s exchange shared prescription and dosage information with LinkedIn and Snapchat; Maine’s and Rhode Island’s exchanges shared the same information, as well as doctors visited, with Google. Massachusetts shared some disability and pregnancy information with Google. Part of the issue is that some exchanges used a separate site to connect users with insurance plans, and those services use embedded trackers. All exchanges removed the trackers when alerted by the investigators, maintaining that they do not store any personally identifiable information.
Community organizations need more cybersecurity help says report
More needs to be done to protect “target-rich but resource poor community organizations like hospitals, schools, utilities and municipal governments,” according to a new report from the Cyber Resilience Corps. The authors of the report, Sarah Powazek and Grace Menna, state, “community organizations as a whole are falling through the cracks, and current efforts are not enough to help them protect themselves online.” As Derek Johnson writes in Cyberscoop, “experts have long identified these types of [community] organizations as the soft underbelly of America’s cybersecurity problem: important enough that their disruption could cause real world harms, making them attractive targets for profit-minded hackers or foreign intelligence services, but too small and under-resourced to do anything meaningful about it.”
(Cyberscoop and Berkeley Center for Long-Term Cybersecurity)
North Korea’s tricky ClickFake deepfake scam
A cautionary tale from the crypto world, but equally applicable to regular businesses and organizations. Security firm Huntress reports on a deepfake/social engineering scam in which an employee of a cryptocurrency foundation was invited to talk with a collection of executives of an external company, via Zoom. The short version of this story: upon accepting the Calendly invite, the employee “joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.” The employee found that his microphone was not being heard on the call, at which point the deepfake personas sent him a Zoom extension which had been altered to stealthily download a next-stage payload from a remote server. This is now being referred to as a ClickFake interview since it has a similar “I can fix it” vibe as the better-known ClickFix campaigns. The longer version of this story is available through the show notes to this episode.
Krispy Kreme discusses November breach impact
The donut company has now released information on the cyberattack it suffered last November. Its filing with Maine’s Attorney General shows that cybercriminals accessed data belonging to more than 160,000 people. Along with standard PII, the haul also included financial account information (credit or debit card details together with the associated access information), as well as email addresses and passwords, biometric data, USCIS or Alien Registration Numbers, U.S. military ID numbers, medical or health information, and health insurance information. Some experts question the company’s need to collect this much data, as well as the quality of its pre-breach security.