Pete Recommends – Weekly highlights on cybersecurity issues – October 15, 2022

Subject: The Uber Data Breach Conviction Shows Security Execs What Not to Do
Source: WIRED
https://www.wired.com/story/uber-joe-sullivan-conviction/

Former Uber security chief Joe Sullivan’s conviction is a rare criminal consequence for an executive’s handling of a hack.

Uber’s Former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has reverberated through the security and tech worlds because it is seemingly the first time that an individual executive has faced criminal prosecution for charges related to a data breach against the executive’s company. As alarming as Sullivan’s conviction may be to some, gauging the fallout for security executives is anything but straightforward.

Chief security officers are sometimes wryly referred to as “chief scapegoat officers” or “chief sacrificial officers,” because the practical challenges of securing massive organizations are so great. It is all but inevitable that companies will suffer hacks and breaches, and CSOs preside over the aftermath. Many now worry that Sullivan’s conviction will make the already daunting role even less appealing to top talent. But the United States Department of Justice is positioning the case as an opportunity to set guardrails around what behavior is—and isn’t—acceptable in the fraught balancing act of corporate breach response.


Subject: Google Chrome Is the Least Secure Browser, Report Shows
Source: tech.co
https://tech.co/news/google-chrome-least-secure-browser

With a staggering 2.65 billion global users, Google Chrome is by far the most popular web browser. However, with the search engine amassing a total of 303 vulnerabilities in 2022, a recent report reveals that it might be the least secure, too.While details of these vulnerabilities have not been disclosed, Atlas VPN revealed that Chrome was found with 2.5 times more vulnerabilities than Mozilla Firefox, the second least secure browser. Here’s what we know about Google Chrome’s security issues, as well as some advice on how to surf the internet safely.

Notable vulnerabilities found in Chrome include CVE-2022-3318, CVE-2022-3314, and CVE-2022-3311, but according to the report, all bugs are capable of leading to memory corruption.

But what about other popular browsers? Well, AtlasVPN revealed that Mozilla Firefox is the second least secure search engine, with the site collecting a total of 177 vulnerabilities this year and 2,361 overall. This is closely followed by Microsoft Edge, which was found with 103 bugs in 2022, and 806 overall.


Subject: Flock’s License Plates Readers Are a Post-Roe Privacy Nightmare
Source: Gizmodo
https://gizmodo.com/flock-license-plates-readers-roe-wade-abortion-privacy-1849633583

Privacy advocates are raising alarms over another rapidly propagating police surveillance tool.There can be no silver lining to the gutting of women’s rights this year, but we also can’t escape the outcome. The consequences (foreseen by many but treated as urgent by few) have plenty to teach us; particularly those who, for whatever reason, couldn’t see it coming. For instance: Anyone who also doubts that surveillance technology deployed for public safety can be turned on people exercising their reproductive rights on a dime — welcome to that future you didn’t plan for.

A lot of work is still being done to try and preserve what little privacy Americans have left. This week, for example, advocates raised a red flag over the rapidly expanding use of license plate readers blanketing U.S. cities ostensibly to curb crime. The reality is that decisions which might have seemed trivial even a year ago, like informing someone about the miracle of birth control, or offering a friend a ride to a medical clinic, are now potentially those crimes, actions today that can scrutinized by thousand electronic eyes.v

The Guardian reported on Thursday that Flock Safety, a police contractor with over 1,200 law enforcement clients, has expanded its vehicle surveillance network to more than 2,000 neighborhoods in over 40 states. The company’s breakneck expansion — nary a week goes by without some local police force announcing a “partnership” — is giving rise to fears about the consequences in jurisdictions with oppressive reproductive policies.

License plate readers and the surveillance nets they cast over a city are but one of many police tools falling under loud scrutiny since Roe’s repeal. U.S. lawmakers, many of them explicitly citing the June decision, have begun openly pressuring the federal government to disclose long-rumored use of and support for new surveillance tools secretively used and effectively unregulated.

Filed: Privacy and Security


Subject: Security News abstracts
Source: WIRED
https://www.wired.com/story/binance-hackers-minted-569-million/

1st Headline + others w/ abstractsSecurity News This Week: Binance Hackers Minted $569M in Crypto—Then It Got Complicated


Subject: NSA, FBI warning: Beware these 20 software flaws most used by hackers
Source: ZDNET
https://www.zdnet.com/article/nsa-fbi-warning-beware-these-20-software-flaws-most-used-by-hackers/

China-backed hackers like to use these flaws, so you need to make sure they are patched, says FBI, NSA and CISA.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have listed the top 20 software flaws that China-funded hackers have been using to compromise networks since 2020.

The advisory emphasizes that China-backed hackers actively target not just the networks of the US government and its allies but also software and hardware companies in the supply chain to steal intellectual property and gain access to sensitive networks. These hackers are an active threat to the IT and telecoms sector, the defense industrial base, and critical infrastructure owners and operators.
“NSA, CISA, and FBI continue to assess [People’s Republic of China] PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks,” they note.

“These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access,” CISA notes.

The top flaws used since 2020 are listed in the table below.

Topics:


Subject: Complex Impersonation Story
Source: Schneier on Security
https://www.schneier.com/blog/archives/2022/10/complex-impersonation-story.html

Complex Impersonation StoryThis is a story of one piece of what is probably a complex employment scam. Basically, real programmers are having their resumes copied and co-opted by scammers, who apply for jobs (or, I suppose, get recruited from various job sites), then hire other people with Western looks and language skills are to impersonate those first people on Zoom job interviews. Presumably, sometimes the scammers get hired and…I suppose…collect paychecks for a while until they get found out and fired. But that requires a bunch of banking fraud as well, so I don’t know.

Tags: fraud, impersonation, scams


Subject: Mastercard moves to protect ‘risky and frisky’ transactions
Source: The Register
https://www.theregister.com/2022/10/10/mastercard_crypto_secure/

Supposedly ingenious schemes to revolutionize the finance industry with crypto are not hard to find – nor are their failures. And scarcely a day passes on which a cryptocurrency venture’s infosec is not found wanting. That sad situation is causing financial institutions sufficient pain that Mastercard thinks the time is ripe for a service that helps lenders to understand if their customers’ crypto purchases are dangerous.MasterCard has named its effort Crypto Secure and says it “allows [card issuers] to better assess the risk profile of crypto exchanges or other providers.”

Card issuers are nearly always banks, and laws around the world mean issuers are often on the hook for fraudulent transactions made with credit cards.


Subject: ‘BidenCash’ Hands Out 1.2 Million Stolen Credit Cards
Source: Gizmodo
https://gizmodo.com/bidencash-dark-web-hackers-1849637608

The dark web marketplace wrote over the weekend they were giving away 1.2 million credit card details, mostly from American Express users and those in the U.S.There’s a remaining question on how many payment card details from a latest leak were active or current, but the prevalence of such sites point to how effective simple tactics like web skimming have become.

Now, even hackers are taking a page out of big advertising’s playbook to promote their ill-gotten personal financial details. Over the weekend, the stolen credit card marketplace called BidenCash announced they were offering a free giveaway of 1,221,551 credit cards, promoting the leak on multiple other sites.

As the local dealers say, the first hit is free, though in this case such a leak could have meant free money for any user who managed to snag a card. Researchers are still looking into the leak, but early reports show many of the cards could have already been reported to the card issuers.

As detailed in a Saturday report from Bleeping Computer, BidenCash first came onto the scene in June this year when they leaked several thousand credit card details for free online. If the number of credit cards from this latest release are still active, it would point to the site blossoming over the course of just a few months, as well as just how prolific online credit card theft has become. This also isn’t even the first massive credit card leak of its kind. Last year, another hacker credit card shop All World Cards released over 1 million card details online.

Filed: Privacy and Security


Subject: BleepingComputer
Source: US airports taken down in DDoS attacks by pro-Russian hackers
https://www.bleepingcomputer.com/news/security/us-airports-taken-down-in-ddos-attacks-by-pro-russian-hackers/

The pro-Russian hacktivist group ‘KillNet’ is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them unaccessible.The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services. Notable examples of airport websites that are currently unavailable include the Hartsfield-Jackson Atlanta International Airport (ATL), one of the country’s larger air traffic hubs, and the Los Angeles International Airport (LAX), which is intermittently offline or very slow to respond….

Subject: Pro-Russian hackers take credit for cyberattacks on U.S. airport websites
Source: NPR
https://www.npr.org/2022/10/10/1127902795/airport-killnet-cyberattack-hacker-russia

A pro-Russian hacker group is taking credit for temporarily taking down several U.S. airport websites on Monday, though there appeared to be no impact on flight operations.The cyberattacks claimed by Killnet impacted the websites for Los Angeles International, Chicago O’Hare, and Hartsfield-Jackson International in Atlanta, among others.

The group posted a list of airports on Telegram, urging hackers to participate in what’s known as a DDoS attack — a distributed denial-of-service caused when a computer network is flooded by simultaneous data transmissions.

The group’s call to action included airports across the country, including Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, and Missouri.

It was not immediately clear how many of the airports were actually hit and whether all victims’ sites suffered any disruptions.

Tagged:


Subject: Protect your privacy and your phone number with Firefox Relay
Source: Mozilla Distilled via beSpacific
https://www.bespacific.com/protect-your-privacy-and-your-phone-number-with-firefox-relay/Mozilla Distilled: “When you share your personal phone number with anyone outside your circle of family and friends, it essentially gives them permission to call you anytime of the day. This can mean robocallers at lunch and dinner, not to mention spam text messages throughout the day. …The new Firefox Relay phone number masking feature is available to Firefox Relay subscribers and can be accessed via the Firefox Relay website. Once you upgrade your subscription to the phone number masking plan, we will generate a phone number for you to use. Each month you will receive up to 50 minutes for incoming calls and 75 text messages. All phone number masking plans will include unlimited email masking. The cost is $3.99 per month on an annual basis…”


Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.
Posted in: Blockchain, Cryptocurrency, Cybersecurity, Privacy, Search Engines, Telecommuting, Travel