Virginia’s Consumer Data Protection Act signed into law
Virginia governor Ralph Northam signed the act into law, set to take effect Jan. 1, 2023. Companies that hold data on 100,000 Virginia consumers, or that make at least 50% of their income from the sale of data on 25,000 Virginians, are required to let consumers receive copies of, amend, or delete their personal data, as well as let consumers opt out of the use of their data for marketing purposes. The law follows California’s CCPA as the second consumer data protection law among US states, with Utah expected to pass an identical law later this week.
Exchange Server zero-days exploited in the wild
Microsoft warned that a group it calls Hafnium is exploiting four previously undisclosed security flaws in Exchange Server in order to steal information from US-based organizations such as infectious disease researchers, defense contractors and law firms. The vulnerabilities can be exploited to access email accounts and address books. Microsoft said a limited number of successful attacks have been executed, and patches are available now, a week ahead of the usual Patch Tuesday.
Facebook to lift political ad ban
The company announced it would end the ban as of March 4th. The ban was originally put in place following the closing of polls for the US Presidential election on November 3rd, although it did provide an exemption for ads targeting Georgia voters for the state’s runoff election. Going forward, Facebook said it will require authorization and transparency for political and social issue ads, and that new and existing ads will include a “Paid for by” disclaimer even after completing that process.
China crowdsources surveillance with Sharp Eyes program
Medium’s OneZero publication details China’s Sharp Eyes program, one of a series of overlapping surveillance programs that have driven the deployment of more than 200 million public and private security cameras across the country. The program was started in 2015 and targeted remote and rural towns: each town is divided into a grid, and residents in each grid cell are provided with a special TV box to watch security footage, along with a button to summon police. Sharp Eyes has been used to report crime, but also to report infrastructure issues and public nuisances. A 2016 state plan set a goal of 100% coverage of public spaces using Sharp Eyes by 2020, although it’s unclear whether China has reached this goal.
Thanks to our episode sponsor, TrustMAPP
Gab’s CTO introduced critical vulnerability to site
We reported earlier this week on the 70GB of user data from the social network Gab leaked by the group Distributed Denial of Secrets, evidently obtained through a SQL injection vulnerability. It now appears that Gab’s CTO was responsible for introducing this vulnerability. A git commit by CTO Fosco Marotto in February stripped code from the site around the “reject” and “filter” API functions that ordinarily protect against SQL injection. Gab subsequently removed its list of git commits from its website, replacing it with a ZIP file download of its source code, which may violate an open source license used for its backend infrastructure.
US government expects recovery from SolarWinds attack by 2022
Acting CISA director Brandon Wales said it may take up to 18 months for the US government to recover from the SolarWinds Orion supply chain attack. Wales said there are two phases of response to the incident: short-term remediation efforts to remove the software and eliminate access points, followed by strategic recovery to rebuild secure systems. Wales made the case that CISA needs more resources to deploy and manage endpoint detection systems on computers throughout the federal government, and will need further tools to extend visibility into cloud environments to prevent future attacks.
Flock security cameras used by over 500 US police departments
Internal police emails obtained by Motherboard show that the security company Flock provides camera access to 500 police departments in more than 1,000 cities, through a program called TALON that can track vehicles by license plate. Flock offers up to 500 million vehicle scans a month through TALON. The company’s cameras are sold to law enforcement, but also to homeowners associations and businesses, with systems that automatically detect a “non-resident” vehicle and alert police to any vehicle on a hotlist. Flock actively contacts local police departments to alert them when communities install its cameras, advising them to seek access to the footage. Flock itself holds onto camera data for 30 days, but third parties can download the data and keep it indefinitely.
Work from home photos are a security risk
Jason Nurse, Associate Professor in Cyber Security at the University of Kent, published a post on the topic on Sophos’ Naked Security blog. He argues that as phishing attacks get increasingly sophisticated and personal, sharing photos of work-from-home setups, including the backgrounds visible in video conferencing calls, opens the door to more convincing scams. Such photos can reveal details like birthdays, number of family members, pet names, and even home addresses via delivered packages. And of course, taking pictures that include a computer screen potentially leaks company data directly. He recommends using virtual or blurred backgrounds, and avoiding popular work-from-home hashtags that are easily indexed. (Naked Security)