
Cyber Security Headlines – October 18, 2021

Missouri Governor vows to prosecute St. Louis Post-Dispatch for reporting security vulnerability

Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and disclosed a security vulnerability that left education staff’s social security numbers exposed and accessible. The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, Governor Parson says he’ll be getting the county prosecutor and investigators involved. In a press conference last week he said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

(KrebsOnSecurity)

NFTs now come with wallet-emptying malware

An investigation conducted by security firm Check Point has revealed that a number of cryptowallets belonging to customers of OpenSea, the world’s largest NFT exchange, got mysteriously emptied. The researchers found a nasty form of NFT in circulation, one that came with its own malware package. Victims were sent free NFTs from an unknown source, but when they accepted the gift the attackers got access to their wallet information in OpenSea’s storage systems. The code generated a pop-up that, if clicked, allowed wallets to be emptied. After disclosure of the issue, OpenSea fixed the vulnerability within an hour.

(The Register)

Experts hack a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest

This year’s edition of China’s most important hacking contest took place this past weekend in the city of Chengdu, and participants had three five-minute attempts to demonstrate their exploits. The achievement that received the most media attention is a zero-click remote code execution exploit against a fully patched iOS 15 running on the latest iPhone 13. This won the Chinese Pangu team $300,000 – the highest single bonus in the history of the competition.

(Security Affairs)

Canon sued for disabling scanner when printers run out of ink

David Leacraft, a customer, filed the class action lawsuit on Tuesday alleging deceptive marketing and unjust enrichment by the printer manufacturer. While using his Pixma MG6320 printer, he was surprised to discover that the “all-in-one” machine would refuse to scan or fax documents if the printer ran out of ink. “As opposed to the ‘single function’ printers it sells, Canon calls these multifunction devices a “3-in-1” or “4-in-1” for the fact they purportedly provide three or four functions,” reads the class action complaint against Canon USA. Canon, by contrast, says the printer needs all ink tanks installed, and that there is no workaround. The lawsuit seeks $5 million in damages.

(Bleeping Computer)

Thanks to our episode sponsor, Tessian and the Human Layer Security Summit

Calling all security trailblazers!
Want to get the latest security insights from Cisco, Forrester, Intercontinental Exchange and Knowbe4? At Tessian’s Human Layer Security Summit you’ll get fresh insights and actionable advice to help you build an effective, future-proof security strategy. Hear from top CISOs and InfoSec leaders who will speak on the HOTTEST topics in cyber today. Join thousands of your peers by registering now at tessian.com/summit

Ransomware attacks aren’t just becoming more frequent, they’re getting more expensive

Scammers demanded an average payment of $5.3 million from hacking victims through the first six months of 2021, according to a new report from the insurer Allianz. The $5.3 million average represents a 518% increase from the 2020 figure, driven in part by demands to pay up to $50 million after a data breach. The highest demand last year was for $30 million, according to the latest report, which did not identify affected organizations by name. Victims paid an average of $570,000 during the first six months, compared to $312,000 in 2020.

(Cyberscoop)

Ransomware hackers reportedly targeted 3 different US water facilities this year alone

A joint advisory, published Thursday by CISA, the FBI, the NSA, and the EPA, reveals three previously unknown incidents involving malware attacks on water systems throughout the country. Unbeknownst to the public, most of the incidents have taken place over the past several months, the advisory states. The attacks occurred in Nevada, Maine, and California, and in all cases targeted the facilities’ supervisory control and data acquisition system, or SCADA—the pivotal operational IT commonly used by large organizations to remotely monitor and manipulate industrial systems.

(Gizmodo)

Google gives away 10,000 free security keys to high-risk users

Google is providing 10,000 high-risk users with free hardware security keys, with the aim of better protecting their accounts from hackers. Google says it is sending out the free Titan two-factor authentication (2FA) security keys – which provide a phishing-resistant layer of protection – to groups such as politicians, journalists, and human rights activists, who are considered to be particularly at risk from state-sponsored attackers. Users who enable Google Advanced Protection (APP) and use a hardware security key will need both their password and the physical key to log into their account. Meanwhile, existing Google authentication services which are less secure than a hardware key will no longer work. Google’s announcement comes in the wake of the technology giant displaying alerts to approximately 14,000 users that their accounts had been targeted by Russia-backed hackers.

(BitDefender)

Bank manager tricked into handing $35m to scammers using fake ‘deep voice’ tech

Authorities in the United Arab Emirates have requested the help of the US Department of Justice in probing a case involving a bank manager who was swindled into transferring $35m to criminals by someone using a fake AI-generated “deep voice.” The employee received a call to move the company-owned funds by someone purporting to be a director from the business. He had previously received emails that showed the company was planning to use the money for an acquisition, and had hired a lawyer to coordinate the process. When the sham director instructed him to transfer the money, he did so thinking it was a legitimate request. The criminals used “deep voice technology to simulate the voice of the director,” it said. Investigators believe there are at least 17 people involved in the heist.

(The Register)
