Security and privacy news, 3/7/2021
Security
Hacks
The big news last week: Move over, SolarWinds: 30,000 orgs’ email hacked via Microsoft Exchange Server flaws, with Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China; in particular, Microsoft Exchange zero-day vulnerabilities exploited in attacks against US local governments. This has led CISA to issue emergency directive to agencies: Deal with Microsoft Exchange zero-days now, with the suggestion to Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool, as Microsoft patches Exchange software flaws targeted by Chinese hackers.
And SolarWinds is still making news: SolarWinds security fiasco may have started with simple password blunders and Breached software firm SolarWinds faces SEC inquiry after insider stock sales.
All of this leads experts to tell us that China’s and Russia’s Spying Sprees Will Take Years to Unpack.
In another development, Gab blames reported hack of 40 million posts on ‘demon hackers’, while Trump’s is one of 15,000 Gab accounts that just got hacked; and to top it off, Gab's CTO Introduced a Critical Vulnerability to the Site.
Illustrating the dismal state of software security, the good guys get hacked: Accellion zero-day claims a new victim in cybersecurity company Qualys, as well as the bad guys: Maza Russian cybercriminal forum suffers data breach.
Technology
In the security arms race, while some are improving security:
Google patches actively exploited Chrome browser zero-day vulnerability
Microsoft account hijack vulnerability earns bug bounty hunter $50,000
Samsung and Mastercard are working on a fingerprint payment card
others keep undermining it:
Hackers release a new jailbreak tool for almost every iPhone
These two unusual versions of ransomware tell us a lot about how attacks are evolving
Security environment
It’s not just security technology, but the continuous changes in how it is used, that create never-ending risks:
There are business model changes: Ransomware as a service is the new big problem for business
government support: Why some governments are getting cybercrime gangs to do their hacking for them
changes in the work environment: Trend Micro: Remote work drove high-risk email threats up 32% in 2020
and use of standard marketing techniques: Hackers exploit websites to give them excellent SEO before deploying malware.
What hacking attacks can teach us about defending networks
Data losses
If Data is the world’s most valuable (and vulnerable) resource, why is it so poorly protected?
Russian, Chinese hackers may have stolen European vaccine data
Russia is using online disinformation to trash rival COVID-19 vaccines
Singapore Airlines’ frequent flyer members hit in third-party data security breach
Hackers Just Looted Passenger Data From Some of the World's Biggest Airlines
Privacy
Google plans to stop targeting ads based on your browsing history and promises: Google says it won’t adopt new tracking tech after phasing out cookies. A common reaction appears to be that Google is policing itself on privacy because it knows it has to, and not everyone is convinced: Stop Letting Google Get Away With It.
To counter one form of privacy invasion, Brave Is Building a Privacy-Focused Search Engine to Counter Google, but there are still other ways that are hard to avoid:
In happy developments: New Apple iOS 14.5 Beta Feature Notifies Users if They're Being Tracked and LinkedIn stops collecting tracking data ahead of iOS 14 changes.
And finally to deter a completely different type of privacy invasion: A hip-fired electromagnetic anti-drone rifle!
Regulation
FTC Shuts Down Massive Robocall Charity Scam, and senators are proposing a set of additional actions:
Senators: Broadband Speed Minimum Should Be 100Mbps for Downloads and Uploads
Proposed law could force ISPs to stop hiding true size of monthly bills
Senators ask FTC to fight stalkers exploiting people search sites
Finally, we should expect more regulatory moves from the new administration.