Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security. We’re starting off with some good news for a change! California’s landmark Consumer Privacy Act (CCPA) is now in effect — although it won’t actually kick in for another six months. CCPA is somewhat similar to the General Data Protection Regulation (GDPR) in the EU. What the law effectively means is that anyone in California can now ask that companies don’t sell their data, and also request a copy of the data that companies have on them and hopefully even have it deleted. Sounds good, right?

But nothing is simple when it comes to the current exceedingly complex online data economy. What’s more, it raises some interesting questions about who exactly owns the data and whether we can ever have our data deleted completely. It’s not just that. Protecting data when it’s at rest, in transit, and in use is becoming increasingly crucial for companies to whom we entrust our personal information. What that means is honoring the principles of CCPA won’t be that easy. Companies readying to comply with CCPA in the state of California alone, never mind deciding to expand compliance nationally like Microsoft did, must now be able to detect phishing attacks quickly and work towards preventing data breaches.

This doesn’t consider another aspect of these regulations, as The New York Times’ Kashmir Hill wrote yesterday: “To get your personal data, you may have to give up more personal data.” All of this only goes to show that regulations need to carefully assess the unintended consequences of giving individuals more control over their data.


Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

Windows 7 reached its end of life, card skimmer malware hit an Australian bushfire donation website, the United Nations and Ukrainian oil firm Burisma were the targets of a phishing attack, and the baddies behind Sodinokibi ransomware followed in Maze’s footsteps by publishing data stolen from Artech Information Systems for not choosing to pay ransom. In other news, North Korean state-backed hacker group Lazarus is using Telegram to steal cryptocurrency, Google tackled Joker malware by booting 1,700 apps from the Play Store, while a new Android “Shopper” Trojan camouflages itself as a system app to disable the Google Play Protect service, generate fake reviews, install malicious apps, and show ads.

Fleeceware continues to be a major problem on Android. [Sophos]

You can now use an iPhone as a security key for Google accounts. [Google]

Microsoft fixed a bug in various versions of Windows after the National Security Agency (NSA) found that it could allow malicious code to masquerade as legitimate software. [Microsoft]

Israeli forensics firm Cellebrite, which offers tools to help law-enforcement unlock and extract data from mobile devices, has acquired BlackBag Technologies for $33 million to expand its capabilities to computer forensics. [Reuters]

SIM-swappers are escalating their attacks by targeting telecom companies run through remote software that grants them direct access to internal systems of telcos like AT&T, T-Mobile, and Sprint to take over customer cell phone numbers. [Motherboard]

We all knew that SMS-based authentication is not secure. Here’s more proof: telcos use insecure authentication challenges that can easily be defeated by attackers. [Is SMS 2FA Secure?]

Iranian state-backed hackers dubbed “Magnallium” are carrying out password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms. [WIRED / Dragos]

200 million cable modems from Broadcom are impacted by a “Cable Haunt” flaw that allows hackers to trick users into accessing a malicious page via their browser and execute malicious commands on the device. [ZDNet]

The controversial Emirati messaging app ToTok made a quiet return to Google Play Store after being pulled for claims that it was being used for government espionage. [Threatpost]

Citrix is racing to release a patch for a severe flaw disclosed in its Gateway products that could allow hackers to execute malicious code. The Cybersecurity and Infrastructure Security Agency (CISA) has now released a test to check for the vulnerability. [Positive Technologies / CERT]

The UK’s top intelligence agency, GCHQ, is investigating the possibility that the London Stock Exchange outage in August may have been a cyberattack. [The Wall Street Journal]

A cybercriminal group dubbed “SideWinder” is actively exploiting three Android apps, Camero, FileCrypt Manager, and callCam, to steal sensitive data stored on the device. [Trend Micro]

London-based international foreign currency exchange Travelex is recovering from a ransomware attack last month that exploited a bug in Pulse Secure corporate VPN software. The bug allowed remote hackers not only to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. [TNW / CyberScoop]

Data Point

The Society for Information Management’s (SIM) recently released IT Issues and Trends Study for 2019 — which polled 1,033 IT executives who hail from 618 organizations — showed that only 45.5% of organizations have a Chief Information Security Officer (CISO). But in a positive development, 89% of them with revenue greater than $5 billion have a CISO in place. But having a CISO in place alone isn’t enough — the average readiness of companies hovered around the 3.06 mark on a 0-5 scale, 1 being “Not Ready at All” and 5 for “Extremely Ready”.

Takeaway: Irrespective of a CISO, the stats are a depressing sign that there’s still room for improvement in the average organization’s readiness to handle the risks and threats associated with cybersecurity. If the recent wave of ransomware attacks is any indication, the sooner a company is equipped to recover from security incidents, the better.

Tweet of the week

Another showdown — Apple has reignited the encryption debate after it refused to help break into two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Florida.

— Donald J. Trump (@realDonaldTrump) January 14, 2020

That’s it. See you all in 2 weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)
