This week’s Cyber Security Headlines – Week in Review, March 27-31, is hosted by Rich Stroffolino with our guest, Brett Conlon, CISO, American Century Investments
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Supply-chain attack on business phone provider 3CX could impact thousands of companies
Hackers may have compromised the networks of thousands of businesses due to a supply-chain attack on the enterprise phone company 3CX, which confirmed on Thursday its desktop app had been bundled with malware. 3CX provides office phone systems to more than 12 million daily users at over 600,000 companies, as it claims on its website, including Mercedes-Benz, Coca-Cola, American Express and the United Kingdom’s National Health Service. The company’s chief information security officer, Pierre Jourdan, said the intrusion was the work of highly skilled hackers, stating, “this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored.”
Open letter calls for AI “pause”
Over 1,000 people signed an open letter calling on “all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4.” Signees include Elon Musk, Steve Wozniak, Stability AI founder and CEO Emad Mostaque, and Tristan Harris of the Center for Humane Technology, as well as some engineers from Google and Meta. The letter argues a “level of planning and management” isn’t happening, with the industry instead “locked in an out-of-control race” to develop ever-more powerful models. No one from OpenAI or Anthropic signed the letter.
Over 70% of employees keep work passwords on personal devices
Roughly four out of five employees store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work. This information comes from SlashNext’s latest mobile bring your own device (BYOD) security report, which also suggests 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. SlashNext CEO Patrick Harr suggests this is because threat actors know there are fewer security controls on personal mobile devices than on corporate ones. The report also highlights a mirrored trend with a majority (89%) of IT and security leaders acknowledging legal concerns about having access to employees’ private data.
17% of security leaders consider cybersecurity team fully staffed
Security leaders’ perception of their own cyber resilience was analyzed in a recent study by Immersive Labs. Despite high confidence in overall resilience, the study found that teams are insufficiently prepared for threats: 82% agree they could have mitigated some or all of the damage from their most significant cyber incident in the last year had they been better prepared, and more than 80% don’t think, or are unsure whether, their teams have the capabilities to respond to future attacks. Only seventeen percent of respondents consider their cybersecurity team to be fully staffed, and almost half admit they aren’t able to measure cyber capabilities, further eroding confidence in the organization’s preparedness.
Inaudible ultrasound attack can stealthily control your phone, smart speaker
American university researchers have developed a novel attack called “Near-Ultrasound Inaudible Trojan” (NUIT) that can launch silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoT devices. Professor Guenevere Chen of the University of Texas at San Antonio (UTSA), her doctoral student Qi Xia, and professor Shouhuai Xu of the University of Colorado Colorado Springs (UCCS) demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa, showing the ability to send malicious commands to those devices. The main principle that makes NUIT effective and dangerous is that microphones in smart devices respond to near-ultrasound waves that the human ear cannot hear, so the attack can be carried out with minimal risk of exposure while still using conventional speaker technology.
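The defensive corollary of that principle is that a device can measure how much of an incoming audio frame’s energy sits in the near-ultrasound band before handing it to speech recognition. The following is an added illustration of that check, not code from the NUIT researchers or from any voice-assistant vendor; the 44.1 kHz sample rate, the 100–8000 Hz “speech” band, the 16–20 kHz “near-ultrasound” band, the 50% threshold and the synthetic test tones are all assumptions chosen for the example.

```python
"""Near-ultrasound energy check for captured audio frames.

Added illustration (not the NUIT researchers' code): compute the share of a
frame's energy that lies in the near-ultrasound band and flag frames where that
share dominates, so they can be rejected before speech recognition runs.
All band edges, the sample rate and the threshold are assumptions.
"""
import cmath
import math

SAMPLE_RATE = 44100               # assumed capture rate (Hz); Nyquist is 22.05 kHz
FRAME = 2048                      # samples per analysed frame (must be a power of two)
SPEECH_BAND = (100.0, 8000.0)     # assumed band where spoken commands live
ULTRA_BAND = (16000.0, 20000.0)   # assumed near-ultrasound band, inaudible to most people


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def band_energy(spectrum, band, sample_rate=SAMPLE_RATE):
    """Sum of |X[k]|^2 over the FFT bins that fall inside `band` (Hz)."""
    n = len(spectrum)
    lo, hi = band
    k_lo = math.ceil(lo * n / sample_rate)
    k_hi = min(math.floor(hi * n / sample_rate), n // 2)
    return sum(abs(spectrum[k]) ** 2 for k in range(k_lo, k_hi + 1))


def ultrasound_share(samples, sample_rate=SAMPLE_RATE):
    """Fraction of (speech + near-ultrasound) energy that is near-ultrasound."""
    n = len(samples)
    if n & (n - 1):
        raise ValueError("frame length must be a power of two")
    spectrum = fft(samples)
    speech = band_energy(spectrum, SPEECH_BAND, sample_rate)
    ultra = band_energy(spectrum, ULTRA_BAND, sample_rate)
    total = speech + ultra
    return ultra / total if total > 0 else 0.0


def is_suspicious(samples, threshold=0.5):
    """True when near-ultrasound energy dominates the frame (assumed 50% cut-off)."""
    return ultrasound_share(samples) >= threshold


# --- constructed sample input (synthetic tones, not real recordings) ---------

def synth_tone(freq, n=FRAME, amplitude=1.0, sample_rate=SAMPLE_RATE):
    """A pure sine tone of `freq` Hz, used here only to build test frames."""
    return [amplitude * math.sin(2 * math.pi * freq * i / sample_rate) for i in range(n)]


def mix(*signals):
    """Sample-wise sum of equally long signals."""
    return [sum(vals) for vals in zip(*signals)]


AUDIBLE = mix(synth_tone(440.0), synth_tone(1200.0, amplitude=0.5))      # audible content
INAUDIBLE = mix(synth_tone(18500.0), synth_tone(19200.0, amplitude=0.8)) # near-ultrasound only


if __name__ == "__main__":
    for name, frame in (("audible", AUDIBLE), ("inaudible", INAUDIBLE)):
        print(f"{name}: ultrasound share={ultrasound_share(frame):.3f} "
              f"suspicious={is_suspicious(frame)}")
```

The check deliberately compares only the two bands of interest rather than the whole spectrum, so ordinary background noise does not dilute the ratio; a real deployment would run it on every frame at the microphone driver or assistant front end and would tune the bands to the device’s actual sample rate.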
Thanks to today’s episode sponsor, Trend Micro

Panera Bread will use palm-scanning technology for its loyalty program
Panera Bread is rolling out palm scanners that will link customers’ handprints to their loyalty accounts — a move the company paints as convenient but that privacy advocates have decried. The biometric-gathering technology, developed by Amazon, will hit stores in the next few months, Panera said on Wednesday. The gadgets will help suggest menu items based on customers’ order histories and allow employees to greet customers by their names and share customers’ available rewards, the company said. Panera Bread CEO Niren Chaudhary described the move as a “frictionless, personalized, and convenient” evolution of Panera’s loyalty program, which boasts 52 million members. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers.
(CBS News)
Debt servicing giant exposes financial data
The firm NCB Management Services sent out breach notification letters, disclosing a cyberattack it detected on February 4th. According to documents filed with Maine’s Attorney General, the attack exposed personal data on just under 495,000 people. This included names, addresses, phone numbers, driver’s license numbers, Social Security numbers, credit card numbers, and routing numbers. The company claims it “obtained assurances that the third party no longer has any of the information on its systems,” indicating it paid a ransom. This appeared to target closed credit cards originating with Bank of America. Bank of America will provide victims with two years of identity theft protection.
A million pen tests show companies’ security postures are getting worse
On Tuesday, analysis of 1 million pen tests revealed that data-exfiltration risk increased to an average score of 44 out of 100 in 2022, from an average risk score of 30 the prior year. This comes from a report by Cymulate, which said one key reason for the increased risk is attackers improving tactics to circumvent network and group policies. Additionally, the company found issues with patching hygiene, with four of the top 10 CVEs identified in customer environments being more than two years old. On a positive note, companies have improved malware detection across major platforms, with many attacks being blocked by web gateways.