Cyber Security Headlines Week in Review: CoPilot Recall disaster, Ticketmaster hack fallout, ChangeHealthcare notification change

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Andrew Wilder, CISO, Community Veterinary Partners, also cybersecurityintheboardroom.com.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.

Experts say new Windows AI feature could be a security ‘disaster’

Microsoft is about to launch a new AI-powered Recall feature that screenshots everything a user does on their PC and allows them to search and retrieve anything in seconds. Recall is part of the new Copilot Plus PCs, which debut on June 18. Security researcher Kevin Beaumont, who helped test the feature, discovered that it stores its data locally in plain text, which could allow an attacker to use malware to easily extract the database and its contents. Further, Recall doesn’t hide sensitive information like passwords or financial account numbers in its screenshots. Microsoft points out that stored Recall information is encrypted with BitLocker while at rest on the device, but that only protects the data if the device itself is physically stolen; it does nothing against malware running on the unlocked machine. Beaumont said he’s withholding technical details to give Microsoft time to take action. The UK’s Information Commissioner’s Office has also stepped in to make inquiries with Microsoft over its use of the AI-powered feature.

(The Verge)

Ticketmaster hack affects 560 million customers, third-party denies liability

The attack, which occurred on May 20, has been confirmed by Ticketmaster’s parent company, Live Nation, as having been the result of “unauthorized activity within a third-party cloud database environment containing company data.” A week later the threat actor ShinyHunters put the data, alleged to contain PII and partial payment details of up to 560 million customers, up for sale unless a ransom payment of over $500,000 is made. This is the same threat actor group that breached the Spanish bank Santander around the same time.

Meanwhile, the third-party vendor in question, cloud storage provider Snowflake, has denied that its products were to blame for the Ticketmaster breach, or for the Santander Bank breach, for that matter. According to a since-removed post on the website of security firm Hudson Rock, “the intruders were able to sign into a Snowflake employee’s ServiceNow account using stolen credentials, and from there were able to generate session tokens.” However, Snowflake, while acknowledging that a former employee’s demo account was accessed through stolen credentials, said it did not contain sensitive data, and that there was “no pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”

(The Guardian and The Record)

HHS changes tack, allows Change Healthcare to file breach notifications for others

This reversal from the Department of Health and Human Services is an update to an April 19 FAQ page that stated every organization affected by the Change Healthcare hack would have to file its own breach notices with federal and state regulators. This had apparently angered the staff of thousands of hospitals, clinics and doctor’s offices who are still working through the damage caused by the attack. The new statement, sent by Melanie Fontes Rainer, director of HHS’s Office for Civil Rights, says, “affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare.”

(The Record)

FBI says it has 7,000 LockBit ransomware decryption keys

Speaking at the 2024 Boston Conference on Cyber Security, Bryan Vorndran, assistant director of the FBI’s Cyber Division, said the agency is offering help to victims whose data was encrypted by the LockBit ransomware. Victims are encouraged to contact the FBI’s Internet Crime Complaint Center. There have been more than 1,800 LockBit encryption attacks in the United States.

(Security Week)

Thanks to today’s episode sponsor, Conveyor

Why did the AI cross the road? To complete your security questionnaires for you. Conveyor, the company using market-leading AI to automate the entire security review, wants you to check them out and book a call so they can stop writing these cheesy podcast ads. If you’re ready for AI to instantly complete security questionnaires for you, visit www.conveyor.com to try a free proof of concept. Mention this podcast for 5 free questionnaire credits when you purchase a Pro plan.

Utah student floods hackers with false info to thwart phishing

A Davis County high school junior, Charles Mortensen, developed a program dubbed VEGA (Victims’ Empowerment Guard against Attacks), which aims to take down phishing sites by flooding them with fake usernames and passwords. Mortensen said the program can send about half a million requests to a phishing site within a night, typically taking the site offline by the morning. Mortensen was motivated to create VEGA when a friend living in foster care fell victim to an Instagram phishing attempt, jeopardizing her only means of contacting her mom. Mortensen said VEGA has enabled him to take down thirty phishing sites within a month. He is seeking a sponsor to help him scale the operation so it can potentially dismantle much larger numbers of phishing sites.

(The Cyber Express)

US research using psychology against threat actors

The Intelligence Advanced Research Projects Activity, IARPA, picked five research teams to look into threat actor behavior, hoping to improve cybersecurity measures by better understanding attackers’ motives and possibly predicting their future actions. Roughly 150 people will work on the research, with teams from Raytheon, Peraton Labs, Charles River Analytics, SRI International, and GrammaTech. The teams will take different approaches, such as monitoring security researchers for cognitive biases that could also apply to threat actors and designing fake networks to waste threat actors’ time. Program manager Kimberly Ferguson-Walter said threat actors routinely take advantage of known human biases, and defenders should attempt to do the same.

(Bloomberg)

EU Probes Microsoft 365 Education Over Privacy Concerns

The European Union is investigating Microsoft’s education-focused suite after a non-profit privacy rights group filed two complaints over concerns about how data from the Microsoft 365 Education platform is being used. The privacy campaign group, noyb, alleges that minors’ data is being processed unlawfully and that the company is being “consistently vague” about how the children’s information is used. Noyb also claims Microsoft installs cookies without consent to track user behavior, affecting thousands of EU and EEA students. Noyb argues schools are not in a position to comply with EU law’s transparency requirements or data access rights. In a statement to TechCrunch, Microsoft said, “M365 for Education complies with GDPR and other applicable privacy laws.”

(TechCrunch and The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.