In all the months we’ve been doing these, few months have shocked the way this one has. Sure, we’ve seen information security news headlines like the Target and Marriott breaches, Russians meddling in elections, and people hacking airplanes from the ground. But it wasn’t the magnitude of information security news stories that was so shocking in September—it was the volume. On one hand, it’ great to see information security and its importance gaining steam in mainstream media, but it also means we’re finding more and more attacks to write about. The combination of these produced a one-of-a-kind information security news roundup. Here are just a few of the many stories that broke this month.
- We say all the time that no one can avoid all compromise and information security incidents. They’re inevitable. In yet another example of this, Twitter CEO Jack Dorsey’s Twitter account was compromised at the beginning of the month. Attackers used the account access to tweet racial slurs after gaining access through SIM swapping.
- Cities and schools are still being compromised at an alarming rate. Recently, a ransomware attack in Flagstaff, AZ, caused the school district to shut down for two days. While it doesn’t seem as though student or staff data was stolen, canceling classes for two days is far from ideal.
- The city of New Bedford, MA, was hit with ransomware this month, too, but refused to pay the $5.3M requested by the attackers. The city would have been willing to pay the $400,000 that their insurance would have covered, but thankfully decided to stop negotiations and restore from backups.
- A first-of-its-kind attack on the U.S. power grid serves a stark reminder that as our utilities become more internet-connected, they also become more vulnerable to attacks. Thankfully, this attack did not seem targeted and was likely a bot scanning a high volume of internet-facing devices for weaknesses. It is a concerning discovery, though.
Fixing the Broken Industry
- Facebook and Microsoft are planning to spend $10M on a contest to stop widespread “deepfakes.” The contest is meant to entice people to create an algorithm that can detect deepfakes so that they can be pulled from the hosting sites. This could have its drawbacks though, as algorithms bring the possibility of improving the deepfakes’ ability to avoid detection.
- As we connect more and more devices to the internet, people are hoping we can get ahead of the curve with their security. Recently, a former FCC chairman called for an increased effort in protecting 5G networks. While no companies were specifically called out, much of this push seems to stem from the increase in internet-connected devices as well as an involvement with companies tied to the Chinese government.
- QR codes are extremely useful tools, but they can also be easily manipulated. The state of Colorado has recognized this and will no longer count ballots using printed QR codes. Particularly given concerns with Russian meddling of elections, the difficulty for voters to prove validity of the codes could pose security threats.
Social engineering and fraud
- Lost in the glamour of movie-like hacking is the element of human trust that can impact your bottom line. Social engineers are “hackers of human trust” and can cause just as much damage to your business. This month, a New York Payroll company’s CEO abruptly closed doors of the business, taking $35M of employee money and tax payments with him. Employees can either be your biggest security strength or weakness.
- A Toyota subsidiary lost $37M this month in a business email compromise (BEC) scam. Attacks like this are made possible through social engineering techniques—convincing the victim that a bank transfer is required for an important business reason.
- The DOJ reportedly arrested nearly 300 BEC scammers this month. To date, this is the biggest effort against this type of digital scammer, and it shows law enforcement’s sense of urgency in trying to contain the rapidly growing threat.
- Why is social engineering still so effective? Many employees simply don’t know or don’t care about protecting their company’s data. A recent report shows that nearly 70% of financial companies have experienced a compromise—and employees are the biggest reason.
- The California Consumer Privacy Act (CCPA) goes into effect on January 1, but it’s getting pushback from local tech giants. The act, which gives web users the right to see the personal information that companies collect about them and stop it from being sold, is likely to face a final push from tech lobbyists to weaken the law.
- Chances are good your phone number was stored in a server that was somehow not even password protected. An exposed server contained more than 419 million Facebook users’ phone number records over several databases on users across geographies, including 133 million records from U.S. users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.
- Would it even surprise you if we told you that your sensitive data is sitting online somewhere? That’s unfortunately the state of information security right now. ProPublica released study results this month, showing that nearly 5 million patients’ medical records could be accessed on the web using a simple coding strategy.
- “I’m sorry, Dave. I’m afraid I can’t do that.” Once a distant warning on technology, the premise of 2001: A Space Odyssey seems pretty familiar these days. Yeah, your smart TVs are watching you. A recent study shows that these devices have access to microphone input, viewing history, and personal information. Until required disclosure, privacy, and opt-out requirements are mandated, there aren’t many options for avoiding this, either.
- DoorDash announced a massive breach at the end of September that affected nearly 5 million people. Users’ names, emails, delivery addresses, and passwords were all revealed, and some customers had the last four digits of their credit card numbers revealed. Some employees had the last four digits of their bank account numbers revealed as well as their license plate numbers.
Following information security news and trends is important. It gives you an idea of what’s going on in the industry so you can continue to protect yourself and your business. Follow FRSecure on Twitter and LinkedIn for consistent updates on information security news like this, and visit our site to learn how your organization can continue to make improvements to its security measures.