Security and privacy news, 3/28/2021

Security


While no new revelations about Solarwinds emerged last week, the Hafnium hack seems to be reverberating. Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company, including two types of ransomware: The Peculiar Ransomware Piggybacking Off of China’s and Ransomware operators are piling on already hacked Exchange servers. Trying to leave the hack behind, Microsoft shares intelligence on post-compromise activities and says 92% of vulnerable Exchange servers are now patched, mitigated.


As usual, there was news about ransomware attacks: Ransomwared Bank Tells Customers It Lost Their SSNs. While Ransomware attack halts production at IoT maker Sierra Wireless, they managed to partially restore network following ransomware attack. And here’s a good news story: This company was hit by ransomware. Here's what they did next, and why they didn't pay up.


In international news, Facebook says Chinese hackers used its platform in targeted campaign to infect, surveil user devices and Facebook caught a Chinese hacker group targeting Uyghur activists


New vulnerabilities are being discovered: A newly-wormable Windows botnet is ballooning in size and Purple Fox malware evolves to propagate across Windows machines


The phishing season never seems to end: Four out of five companies say they've spotted this cyberattack. Plenty still fall victim to it, and Three billion phishing emails are sent every day. But one change could make life much harder for scammers.


There are also several notable data exposures: Hobby Lobby Exposed 138GB of Data, Oil Giant Shell Hacked Thanks to Flaw-Ridden Accellion System, and Debt-chasing UK councils potentially expose private resident data. Trying to avoid embarrassment, FatFace tells customers to keep its data breach ‘strictly private’


The crypto technology of crypto-currencies appears less than perfect: Roll still doesn’t know how its hot wallet was hacked and Ahead of IPO, Coinbase users speak out about locked accounts and lost money


Systemic insecurity


Reviewing the breadth of the security problems in our infrastructure, there appears to be a systemic problem that is impossible to address. First, the unchecked networking of functions created The ‘Frankencloud’ model that is our biggest security risk. One aspect is that API security becomes a ‘top’ priority for enterprise players, which is now getting some attention: Cloudflare goes deep on API abuse detection. And for consumers, New Android Malware Poses as Security Update to Take Control of Devices. Some people claim that The United States has a major hole in its cyberdefense. Here’s how to fix it. The real issue is that not enough is done for prevention, namely much more careful software development! The emphasis on hoarding vulnerabilities can have interesting side effects: Google’s top security teams unilaterally shut down a counterterrorism operation.


Chasing the never-ending discovery of zero-days, the update frequency appears to accelerate:

Apple releases iPhone, iPad, and Watch security patches for zero-day bug under active attack


Privacy


While Musicians and Sex Workers Beat Facial Recognition in New Orleans, Amazon delivery drivers have to consent to AI surveillance in their vans or lose their jobs. This kind of pressure is one reason Civil Rights Groups Want Tech Sites to Stop Reviewing Amazon's Ring Cameras.


After all the noise about Apple’s new IDFA posture, Zuckerberg: Facebook could be in “stronger position” after Apple tracking change


Regulation


With Facebook under pressure in the US (Facebook didn't do enough to stop election misinformation, report says) and overseas (Facebook is being sued in France for alleged 'deceptive' safety claims), Mark Zuckerberg proposes limited 230 reforms ahead of congressional hearing.

In interesting moves, China to ban apps from collecting excessive user data starting May 1 and Chinese Government Questions Voice Tech Companies About Security Measures. This probably does not apply to government data collection, though.


US privacy, consumer, competition and civil rights groups urge ban on ‘surveillance advertising’ and the EU Publishes Privacy Guidelines for Voice Assistants for Comment


To address the monopolistic practices of big tech, President Biden will nominate antitrust scholar Lina Khan to the FTC


In good news, New York’s Department of Financial Services says Apple Card program didn’t violate fair lending laws