Cyber Security Headlines Week in Review: GenAI BEC explodes, NIST updates framework, vending machine gaffe

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Russ Ayres, SVP of Cyber & Deputy CISO, Equifax

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

GenAI Drives 1,760% Surge in Business Email Compromise Attacks

This number comes from a report published yesterday by PerceptionPoint, its 2024 Annual Report: Cybersecurity Trends & Insights. GenAI has fueled this growth in BEC attacks by helping create well-crafted, targeted social-engineering attacks that are difficult to detect. The report states that whereas BEC attacks accounted for only 1% of all cyberattacks in 2022, their proportion of the total rose to 18.6% of all attacks in 2023. Additional points in the report include an increase in evasive tactics such as quishing (QR code phishing), two-step phishing that bypasses traditional security systems, account takeover attacks, and impersonation attacks. A link to the report is available in the show notes to this episode.

(PerceptionPoint)

Vending machine crash reveals face recognition tech

Students at the University of Waterloo in Ontario, Canada are demanding answers after discovering that an M&M's-branded smart vending machine had apparently been collecting facial recognition data. The discovery was made when the vending machine crashed and an error message on its screen stated that “Invenda.Vending.FacialRecognitionApp.exe” had failed to launch. According to Wired, one student noted that “Invenda sales brochures promised [that] the machines are capable of sending estimated ages and genders of every person who used the machines—without ever requesting consent.” The company responsible for installing and maintaining the vending machines on campus stated that the machines do not store photos, are not capable of facial recognition, and are GDPR compliant. They add that the technology “acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface.”

(Wired)

NIST releases cybersecurity framework 2.0

A decade in the making, the updated framework from the National Institute of Standards and Technology (NIST) is the first new release since 2014. The agency says the framework now aims to help all organizations—not just those in critical infrastructure—manage and reduce risk. There is a large emphasis on the guidance helping all organizations meet their cybersecurity goals, with additional resources. Those familiar with the original five core functions of the framework—identify, protect, detect, respond, and recover—will notice the new addition of ‘govern’ to the group, with the purpose of extending the security framework throughout the entire organization.

(The Register), (NIST)

SolarWinds attackers changing tactics

Britain’s National Cyber Security Centre (NCSC) and other Five Eyes alliance members published an alert detailing new attack methods from this Russian SVR-linked group. The group is now focusing on stealing system-issued access tokens from compromised personal devices. These devices often connect to corporate resources, opening the door to further cloud-based platforms. Once inside a cloud platform, the attackers register their own devices as legitimate to gain persistence. The NCSC also published mitigations for this approach, urging all organizations to familiarize themselves with them.

(The Record)

Thanks to today’s episode sponsor, Egress

People are the biggest risk to your organization’s security, and they are most vulnerable when using email. With more advanced threats getting through secure email gateway detection every day, Egress provides AI-powered email security that eliminates both inbound phishing attacks and outbound data breaches. What’s more, Egress’ adaptive security architecture personalizes security for each user based on their real-time risk score. Visit egress.com to learn more about Egress’ Intelligent Cloud Email Security suite and start detecting email threats your secure email gateway is missing today.

OpenAI vs. the New York Times

The New York Times copyright lawsuit against OpenAI is being contested, as the artificial-intelligence company says the newspaper “hacked” ChatGPT to create misleading evidence. According to Reuters, the Times first sued OpenAI in December, accusing it of using millions of articles and near-verbatim excerpts without the newspaper’s permission. In its recent filing, OpenAI claims the Times paid someone to hack OpenAI’s products, using deceptive prompts to cause the chatbot to reproduce copyrighted work. Pointing the finger back, a representative from the Times responded that this so-called hacking was simply the organization looking for evidence.

(Reuters)

Biden signs order limiting the sale of personal data

This executive order limits mass-scale sales of American citizens’ data by data brokers to “countries of concern,” such as China, Iran, Cuba, Venezuela, and Russia. Data covered by the order includes geolocation, genomic, financial, biometric, health, and PII. A Biden administration spokesperson framed the order as a matter of national security. The order does not address sales of American PII to other countries. The Justice Department said the executive order requires due diligence by data brokers to vet their customers, operating similarly to sanctions.

(Engadget)

German applied sciences university suffers cyberattack

In another of a series of cyberattacks on German and Swiss schools, Hochschule Kempten, a university of applied sciences in the city of Kempten in Germany, has had to take down its IT infrastructure, despite what it calls very high security precautions. The school cannot be reached via email, and its other online portals, including student portals, have been shuttered. Classes remain ongoing and communication is being done via telephone. Representatives of the school do not have a current estimated time for restoration, nor has any group yet claimed responsibility.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.