Cyber Security Headlines Week in Review: CrowdStrike exec apologizes, NIST changes password rules, corporate hack-for-hire practices

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jason Elrod, CISO, Multicare Health System

Missed the live show? Watch it on YouTube. And make sure to check out Jason’s book (coming soon) at CyberCISOmarksmanship.com, as well as his newsletter at LimitlessCyber.com.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.

CrowdStrike exec apologizes in Congress for global IT outage

In testimony before the House Subcommittee on Cybersecurity, CrowdStrike vice president Adam Meyers issued an apology for the faulty sensor update that caused a widespread Windows meltdown in July. Meyers said, “We let our customers down. On behalf of everyone at CrowdStrike I want to apologize. We are deeply sorry and we are determined to prevent this from ever happening again.” Meyers outlined measures the company is taking to avoid a repeat incident, including carefully controlled rollouts of software updates, improved code input validation, and testing procedures that cover a broader array of problematic scenarios. CrowdStrike has also provided customers more control over the deployment of system configuration updates. Microsoft also plans to help by providing “new platform capabilities” in Windows 11 to allow security vendors to operate “outside of kernel mode.” 

(SecurityWeek and CyberScoop)

NIST drops password complexity, mandatory reset rules

In the second public draft of its password guidelines, the National Institute of Standards and Technology is making two changes. The first is that credential service providers stop requiring users to set passwords containing specific types of characters, and the second is to stop mandating periodic password changes (commonly every 60 or 90 days). The first change paves the way for longer passwords of between 15 and 64 characters that may include ASCII and Unicode characters. The second supports the idea that password resets should only occur in the case of a credential breach, since making people change passwords frequently resulted in people choosing weaker passwords.

(Dark Reading)
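To show what the two draft changes look like as verifier logic, here is an added example (not from the article or from NIST): the legacy composition-plus-rotation policy beside a checker that only enforces the 15 to 64 character length the blurb describes, counts Unicode code points rather than bytes, and resets only on a compromise signal. The NFKC normalization step and the `compromised` flag are this example's own assumptions.

```python
import unicodedata
from dataclasses import dataclass

# Length bounds as summarized in the article for the draft guidance.
MIN_LEN = 15
MAX_LEN = 64
LEGACY_ROTATION_DAYS = 90  # the periodic reset the draft drops


@dataclass
class PolicyResult:
    ok: bool
    reason: str


def legacy_check(password: str) -> PolicyResult:
    """Composition rule of the kind the draft drops: 8+ chars with an
    upper-case letter, a digit and a symbol. It accepts short, predictable
    strings and rejects a long passphrase."""
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if len(password) >= 8 and has_upper and has_digit and has_symbol:
        return PolicyResult(True, "accepted")
    return PolicyResult(False, "missing required character classes")


def legacy_reset_required(days_since_change: int, compromised: bool) -> bool:
    # Age alone forces a reset under the old rule.
    return compromised or days_since_change >= LEGACY_ROTATION_DAYS


def draft_check(password: str) -> PolicyResult:
    """Length-only rule: any ASCII or Unicode characters are allowed."""
    # Assumption: normalize so composed/decomposed forms of the same text
    # compare equal before the length check and before hashing.
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)  # code points, not UTF-8 bytes: "ü" * 15 is 15, not 30
    if n < MIN_LEN:
        return PolicyResult(False, f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        return PolicyResult(False, f"too long: {n} > {MAX_LEN}")
    return PolicyResult(True, "accepted")


def draft_reset_required(days_since_change: int, compromised: bool) -> bool:
    # Only evidence of compromise triggers a reset; age is ignored.
    return compromised
```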

Airline executive’s lawsuit exposes hack-for-hire practice

According to The Record, aviation executive Farhad Azima “settled litigation this week against the law firm Dechert and two of its former attorneys who he alleged were involved in the hacking of his personal accounts in order to smear his reputation.” This case is drawing attention to a practice conducted by some law firms, private investigators, and mercenary companies to steal information through cyberattacks. Azima is based in Missouri. The law firm Dechert practices globally, with a head office in Philadelphia. The Record states that on behalf of their United Arab Emirates-based client, the firm allegedly hired a private investigator in North Carolina, who then hired India-based hacking firms. Dechert representatives told Reuters the case had been settled “without admission of liability.”

(The Record)

Huge thanks to our sponsor, Vanta

As third-party breaches continue to rise, companies are increasingly vigilant, which means more time spent on manual security reviews.

With Vanta Questionnaire Automation, security & compliance teams can complete security reviews up to 5 times faster, giving you time back to focus on running your security & compliance programs.

Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews.

Visit vanta.com to learn more about Questionnaire Automation.

Dismissed German cyber chief falsely accused of associating with Russian spies

Arne Schönbohm was the head of Germany’s federal cybersecurity office until he was dismissed two years ago, following a scandal that suggested he had connections to Russian spies. The allegations were made on a late-night satirical program, ZDF Magazin Royale. The Munich Regional Court has now made a preliminary assessment against the program. Schönbohm is suing ZDF as well as pursuing a separate case against his former employer, the Federal Office for Information Security (BSI) for unfair dismissal.

(The Record)

Public Wi-Fi hacked at some of the UK’s busiest train stations

Train passengers connecting to free Wi-Fi at many major rail stations in England were greeted by an Islamophobic message on their devices when logging on and reaching the Wi-Fi network’s landing page. The incident is now being investigated by Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, along with the network’s operator, a UK-based company called Telent. Muhammad Yahya Patel, lead security engineer at Check Point Software, pointed out that public Wi-Fi is often unencrypted and easily accessible, and provides an ideal entry point for attackers. He further noted that “outdated hardware and software create exploitable vulnerabilities, which is a growing concern for systems as vital as public transport.”

(The Register)

Critical ATG bugs threaten critical infrastructure

Automatic tank gauge (ATG) systems are commonly found at gas stations and airports, but also at other critical facilities (such as hospitals and military installations) that require large backup generators. Researchers have discovered 11 new vulnerabilities across six ATG systems from five different vendors. The vulnerabilities could allow an attacker to gain full control of an ATG to make fuel unavailable or wreak environmental havoc. The bugs were discovered six months ago, with Bitsight and the US Cybersecurity and Infrastructure Security Agency (CISA) working with some of the affected vendors to mitigate the problems. However, two vendors (Proteus and Alisonic) have yet to engage with CISA in remediation efforts. Experts recommend disconnecting ATGs from the public Internet, even if they’ve been patched.

(Dark Reading and SecurityWeek)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.