In today’s cybersecurity news…
Australian Parliament introduces standalone cybersecurity law
If passed, the Cyber Security Bill 2024 would represent the first standalone cybersecurity law for the country. The bill includes setting minimum cybersecurity standards for IoT, setting out ransomware payment reporting requirements for critical infrastructure, and establishing a Cyber Incident Review Board to review significant cybersecurity incidents. The bill would also revise Australia’s Security of Critical Infrastructure Act 2018 to simplify the information-sharing process between industry and government. Minister for Home Affairs of Australia Tony Burke said the bill would provide a clear framework to address whole-of-economy cybersecurity issues.
Qualcomm zero-day used to target Android devices
The high-volume chipmaker announced that a zero-day impacting 64 mobile chipsets “may be under limited, targeted exploitation.” The company received “indications” of exploitation from Google’s Threat Analysis Group, and Amnesty International’s Security Lab confirmed those findings. Qualcomm released a fix for the flaw in September 2024 to Android OEMs, which will need to distribute it to individual device models. We don’t know any details about who is targeted by the attack or the threat group behind it.
Russia and Turkey ban Discord
Russia’s internet regulator, Roskomnadzor, announced it blocked access to the popular communication platform Discord. The regulator justified the ban by saying extremist organizations used Discord for drug sales and that users posted illegal information on it. The Washington Post reports that many Russian military bloggers also commonly see army commanders using it in the field, which is notable since Discord servers aren’t end-to-end encrypted. This is in line with other Roskomnadzor bans designed to discourage use of Western platforms in favor of a “sovereign internet” approach. Parliament member Vladislav Davankov said he would appeal the ban, saying there is no domestic alternative.
Turkey’s Information Technologies and Communication Authority also announced it began blocking access to Discord. The move was motivated by non-compliance with a court order requiring the platform to share information with Turkish authorities.
iPhone mirroring flaw puts privacy at risk
Researchers at Sevco discovered that using Apple’s iPhone mirroring feature on work computers can cause personal apps to be listed on a company’s software inventory. While the feature doesn’t transfer app data, it does expose app metadata. This could give organizations insights into protected employee information, like health-related services, dating apps, use of VPNs, or other personal details. Sevco recommended companies disable iPhone mirroring on work devices to avoid violating privacy laws. It reported the issue to Apple, which confirmed it began working on a fix.
Thanks to today’s episode sponsor, Vanta

European Commission gives US agencies a passing data grade
Various data-sharing frameworks between the US and EU have been struck down in court due to concerns about US intelligence agencies’ ability to access data held on EU citizens. The latest attempt was the EU-U.S. Data Privacy Framework, effective in July 2023. So it is somewhat of a surprise that the European Commission announced that US authorities “put in place all the constitutive elements of the framework,” including “the implementation of safeguards to limit access to personal data by U.S. intelligence authorities.” The next step is for EU and US authorities to develop “common guidance” on requirements for the framework over the next few months.
Police arrest dark web market admins
An international law enforcement operation arrested two of the three suspected admins of the “Bohemia/Cannabia” dark web market. This market was known to host ads for narcotics and hacking services like DDoS attacks before its shutdown at the end of 2023 as part of an exit scam. Police used the funds obtained by the admins to track them down. One was arrested in Amsterdam in June, leading to another admin arrest in Ireland. Law enforcement agents seized over $8 million in crypto assets between the two. Police expect the seizure of the Bohemia infrastructure to lead to more arrests.
A new approach to QR code phishing
QR code phishing, or quishing, as the kids call it, isn’t new. But researchers at Barracuda discovered a new approach to circumventing defenses. Attackers sometimes try to get QR codes pointing to malicious sites into an email, but OCR detection can find them as images. The researchers found that threat actors responded by building QR codes from text-based ASCII characters instead of images, rendering the code as a 49×49 matrix of “full block” characters.
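One defensive angle on the technique above is to stop relying on image OCR alone and look for the text grid itself. The following is an added example (not Barracuda’s tooling or code from this page): it strips HTML, decodes entities, and flags runs of lines made only of block characters that form a roughly square grid at least as large as the smallest QR symbol. The half-block characters and the size thresholds are assumptions of this example; the page only mentions “full block” figures.

```python
import html
import re

# Block-drawing characters that can be used to "draw" a QR code as text.
# The page mentions "full block" (U+2588); the half blocks are an assumption
# added here because they pack two module rows into one text line.
BLOCK_CHARS = {"\u2588", "\u2580", "\u2584"}
MIN_MODULES = 21  # the smallest QR symbol (version 1) is 21x21 modules


def _is_grid_line(line: str) -> bool:
    """True if the line consists only of block characters and spaces."""
    stripped = line.strip()
    return bool(stripped) and all(ch in BLOCK_CHARS or ch == " " for ch in stripped)


def find_text_qr_grids(body: str) -> list[tuple[int, int, int]]:
    """Return (start_line, rows, cols) for each block-character grid that
    is large and square enough to be a text-rendered QR code."""
    text = html.unescape(re.sub(r"<[^>]+>", "\n", body))  # tags -> line breaks
    lines = text.splitlines()
    hits = []
    i = 0
    while i < len(lines):
        if not _is_grid_line(lines[i]):
            i += 1
            continue
        j = i
        while j < len(lines) and _is_grid_line(lines[j]):
            j += 1
        rows, cols = j - i, max(len(l.strip()) for l in lines[i:j])
        # Half blocks halve the line count and double-width modules ("██")
        # double the column count, so accept a loose aspect-ratio window.
        if rows * 2 >= MIN_MODULES and cols >= MIN_MODULES and 0.4 <= rows / cols <= 2.0:
            hits.append((i, rows, cols))
        i = j
    return hits


def constructed_sample_email() -> str:
    """Constructed sample: an HTML email carrying a 49x49 grid of U+2588
    entities separated by <br>, mimicking the reported technique."""
    rows = ["".join("&#9608;" if (r * 7 + c * 3) % 5 else " " for c in range(49))
            for r in range(49)]
    return ("<html><body><p>Scan to view your document:</p>"
            + "<br>".join(rows) + "</body></html>")
```

A short block-character divider in a normal email does not trigger the heuristic, because it never reaches the 21-module minimum in both dimensions.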
A look at consumer security behaviors
Consumer Reports published its “Consumer Cyber Readiness Report.” It found that 46% of respondents had personally experienced a cyberattack or digital scam, with 19% losing money. 75% of these scams and attacks came over email, social media, or messaging apps, with phishing being the most common method. On the plus side, 80% of respondents said they use some form of MFA on online accounts. 53% of respondents were confident that their data would not be distributed without their knowledge.
(Dark Reading, CR)