Welcome to Cyber Security Today. It’s Monday, December 12th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Just shy of US$1 million in prize money was awarded to security researchers at the end of the four-day Pwn2Own hacking contest in Toronto. In this edition of the event, sponsored by Trend Micro, participants demonstrated 63 unique zero-day exploits by breaking into home and small office routers and printers. The biggest bundle of cash went to a team from Devcore Security Consulting of Taiwan, which won US$142,500. As a result it was named the event’s Master of Pwn. The total amount awarded to all participants was $989,750. The biggest payout of the series was at the 2021 event in Vancouver, where participants won US$1.2 million. The next competition will be in Miami in February.
A week after suffering a ransomware attack, Rackspace Technology is facing a legal attack. A California law firm is proposing a class action lawsuit against the hosting provider over the incident. The suit still has to be certified by a state court. On Friday Rackspace said it is still investigating the cause of the attack. It says the attack was contained to its hosted Microsoft Exchange service. Rackspace is also still helping customers recover their data. It hasn’t said how much, if any, data was encrypted or copied by the hackers.
After a few days of reflection, experts have had an opportunity to size up the security and privacy announcements made last week by Apple. It’s expanding the range of data users can protect with end-to-end encryption in iCloud. Currently, health information, passwords and payment card data can be protected this way. Soon photos, notes and iCloud backups can also get extra protection. In a commentary William Murray, a member of the SANS Institute’s editorial board, noted this is device-to-device encryption, not true end-to-end encryption. Another SANS commentator predicts it won’t be long before U.S. intelligence agencies and police forces protest that Apple’s latest move will impair investigations.
Texas and Maryland have joined South Dakota, South Carolina and Nebraska in forbidding state employees from using the Chinese-owned TikTok app on government-issued computing devices. This comes after the FBI called the video-sharing app a U.S. national security concern. Earlier this year TikTok’s chief operating officer told the U.S. Senate that the company complies with U.S. laws and has strict company rules over what data employees can access.
Air-gapped computers are isolated from the internet for the best IT security. However, an Israeli university researcher argues that if compromised in the right way a hacker can transmit supposedly protected data from an air-gapped computer to a very nearby smartphone. How? Over the electromagnetic signals emitted from a PC’s power supply. However, first, an attacker would have to physically plant malware on the computer. But that’s been done before, by someone in 2008 to a U.S. military classified computer. So it’s not Mission Impossible. Government, banking and research organizations depending on air-gapped computers have to continue to limit access to areas with these machines — and be suspicious of anyone hanging around them.
Software supply chain security is one of the most critical risks to any organization, says Google. That is why it has launched a new research report detailing how developers should make open-source software more secure. One way is by using a framework called Supply-chain Levels for Software Artifacts, or SLSA. It includes a checklist of controls and practices to prevent tampering with code.
Australian police are now publicizing the arrest there of four Chinese nationals who are charged with being part of a $100 million investment scam. Most of the victims were people in the U.S. It is alleged the operation found victims on dating, employment and messaging sites, where, after gaining the confidence of people, investment opportunities in things like cryptocurrency were raised. The U.S. Secret Service tipped off the Australians about the link to their country. Two men were arrested in October. The other two were arrested last month just before trying to board planes to Hong Kong. Police allege the gang behind the scam used the four accused to register Australian companies and to open bank accounts so money could be laundered.
Finally, a month ago I told listeners that this is the time of year when crooks try to trick employees in many ways, including with email-delivered gift card scams. The crook impersonates a corporate executive and asks a staff member to buy gift cards — with their own money — to reward employees for work well done during the year. The scam involves asking the victim to send the so-called executive the numbers on the back of the cards. Then the crook can cash them in. A new report from Trustwave warns employees that crooks are increasingly trying this type of scam in text messages. Again, the sender pretends to be a corporate executive who comes up with some excuse why they can’t do the card-buying themselves. Sometimes the request starts with an email, then the crook asks to switch the conversation to text messages. So, be aware of text and email messages like this.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.