Global Cyber News Digest

Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • Rail Firm Staff Fail ‘Bonus’ Phishing Test, Chaos Ensues

    • “Click here to claim your bonus pay,” said an email from a British train company, signed by the firm’s chief. Hundreds of West Midlands Trains employees did exactly that. Because of course they did.
    • But it was a phishing test—designed by IT. And now the staff are hopping mad. Not only will they not get the bonus they’d been expecting, but the email itself was in poor taste (according to the union, at least).
    - Richi Jennings | May 12, 2021
    hak-iq.us20.list-manage.com, May 12, 2021
  • University Cancels Exams After Cyber-Attack

    • Final examinations at the oldest technological research university in America have been canceled following a cyber-attack.
    • Much of the computer network of Rensselaer Polytechnic Institute (RPI) was forced to shut down after unauthorized access was detected on Friday. Student assessments, research, and other academic activities have been impacted.
    • RPI did not share any further details of the incident such as what information may have been accessed.
    • Rensselaer Polytechnic Institute, which has around 7,900 students, is a private university sited in the city of Troy, New York. Information Technology and Web Science are among the academic disciplines taught at the Institute.
    - Sarah Coble | May 10, 2021
  • Peloton's Data Breach Is a Reminder to Lie Whenever You Can

    • Peloton has suffered a data breach.
    • A handful of APIs the company uses could previously be queried by anyone, authenticated and unauthenticated users alike.
    • As for what an attacker could scoop up, the available data included:
      • User IDs
      • Instructor IDs
      • Group Membership
      • Location
      • Workout stats
      • Gender and age
      • If a person was in the studio or not
    • There’s not much an attacker can do if they know how much you work out. But it is possible that they could use this information (standalone or in combination with other information provided by other data breaches) to send you a clever phishing attempt.
    • While Peloton claims that it was taking action ever since the initial vulnerability submission, it’s just oddly coincidental that the vulnerabilities remained exploitable—scrapeable, really—until one of the biggest publications in tech exposed the problem.
    - David Murphy | May 10, 2021
  • Ransomware gangs get more aggressive against law enforcement

    • Police Chief Will Cunningham came to work four years ago to find that his six-officer department was the victim of a crime.
    • Hackers had taken advantage of a weak password to break in and encrypt the files of the department in Roxana, a small town in Illinois near St. Louis, and were demanding $6,000 in bitcoin.
    • In Washington, D.C., a Russian-speaking ransomware syndicate called Babuk hacked into the network of the city's police department and threatened to leak the identities of confidential informants unless an unspecified ransom was paid.
    • A day after the initial threat was posted in late April, the gang tried to spur payment by leaking personal information of some police officers taken from background checks, including details of officers' past drug use, finances and — in at least one incident — of past sexual abuse.
    • The police chief said he didn't have to pay the hackers because the files were backed up and the department bought new computer equipment for roughly the same amount as the ransom demand.
    - Alan Suderman | May 9, 2021
  • Major US pipeline halts operations after ransomware attack

    • The operator of a major pipeline system that transports fuel across the East Coast said Saturday it had been victimized by a ransomware attack and had halted all pipeline operations to deal with the threat. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown of the pipeline, experts said.
    • The attack on the company, which says it delivers roughly 45% of fuel consumed on the East Coast, underscores again the vulnerabilities of critical infrastructure to damaging cyberattacks that threaten to impede operations.
    • The White House said President Joe Biden was briefed Saturday morning and the federal government was working with the company to assess the implications of the attack, restore operations and avoid disruptions to the supply.
    • An outage of one or two days would have minimal effect, he said, but an outage of five or six days could cause shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, D.C., region.
    • Average ransoms paid in the United States jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.
    - ALAN SUDERMAN and ERIC TUCKER | May 8, 2021
  • How to Delete Old AOL and Yahoo Accounts

    • With AOL and Yahoo changing owners for the second time in a half-dozen years, now is a good time to delete any old and unused accounts. 
    • Verizon has agreed to sell AOL and Yahoo to the private-equity firm Apollo Global Management for $5 billion, significantly less than the combined purchase price of $9 billion for the two media companies in 2015 and 2017.
    • One of the most significant assets being sold to Apollo is the mountain of consumer data compiled by AOL and Yahoo over the decades. Yahoo still has about 900 million monthly users, and there are probably millions of additional people who set up AOL or Yahoo accounts years ago and then let them languish.
    • Apollo is likely to go to work trying to make more money off that data.
    • If your accounts have been idle, you're letting corporations trade your data and make money from it with no benefit to you. And if there's ever a data breach—such as a Yahoo data breach that began in 2013 and affected 500 million users—it just means hackers will get more of your information, which could be used for scams or identity theft.
    • It's easy to transfer old emails to most other email services. For instance, if you want to move Yahoo emails to a Gmail account, open your Gmail settings, then click on the Accounts & Import tab, and follow the directions.
    - Allen St. John | May 6, 2021
  • The Feds Can Access The Private Data On Your Phone Through Your Car

    • One of the largest law enforcement agencies in the U.S., Customs and Border Protection (CBP), has found a convenient back door for siphoning much of the information out of the fortress that is your smartphone: your car.
    • All the CBP needed was a few hardware kits from a Swedish IT firm called MSAB:
    • MSAB marketing materials promise cops access to a vast array of sensitive personal information quietly stored in the infotainment consoles and various other computers used by modern vehicles — a tapestry of personal details akin to what CBP might get when cracking into one’s personal phone.
    • Using MSAB’s hardware, the CBP can access data as broad as the following, as The Intercept details:
    • MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.”
    - José Rodríguez Jr. | May 5, 2021
  • Peloton’s leaky API let anyone grab riders’ private account data

    • My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
    • As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it.
      • An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.
    • The exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
    • Peloton had a bit of a fail in responding to a vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.
    - Zack Whittaker | May 5, 2021
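    Both Peloton items in this digest describe the same class of bug: an API that handed back profile fields without checking who was asking, first to anyone at all and then (after the initial fix) to any logged-in member. The code below is an added illustration, not Peloton's code or the researcher's. The endpoint, the data model, the field names and the simulation of "authenticated" as "requester_id is not None" are all assumptions made for the example. It contrasts the reported behaviour (v1), the insufficient fix of merely requiring a login (v2), and a per-object authorization check that enforces the privacy flag on the server (v3).

```python
"""Added example (not Peloton's code): three versions of a profile-lookup
handler modelled on the access-control failure described in the digest.
Data, field names and the friend model are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    username: str
    private: bool            # "profile set to private" in the reporter's words
    age: int
    gender: str
    city: str
    weight_kg: int
    birthday: str
    friends: set = field(default_factory=set)


# Constructed sample data; schema is an assumption, not Peloton's.
PROFILES = {
    1: Profile(1, "rider_one", private=True, age=41, gender="m", city="Troy",
               weight_kg=80, birthday="05-05", friends={2}),
    2: Profile(2, "rider_two", private=False, age=29, gender="f", city="Austin",
               weight_kg=60, birthday="01-01"),
}


class Unauthorized(Exception):
    """No valid session at all (the caller never logged in)."""


class Forbidden(Exception):
    """Valid session, but this caller may not see this object."""


def _serialize(p: Profile) -> dict:
    return {"user_id": p.user_id, "username": p.username, "age": p.age,
            "gender": p.gender, "city": p.city, "weight_kg": p.weight_kg,
            "birthday": p.birthday}


def get_profile_v1(requester_id, target_id):
    """What the report describes: no check on the caller. Anyone on the
    internet can walk the user-ID space and pull every field."""
    return _serialize(PROFILES[target_id])


def get_profile_v2(requester_id, target_id):
    """Require a login but ignore *which* account is asking. Every member
    can still scrape every other member's private data (BOLA/IDOR)."""
    if requester_id is None:
        raise Unauthorized("login required")
    return _serialize(PROFILES[target_id])


def get_profile_v3(requester_id, target_id):
    """Authenticate, then authorize per object. The privacy flag is
    enforced here for every request, not only when rendering the page."""
    if requester_id is None:
        raise Unauthorized("login required")
    target = PROFILES.get(target_id)
    # Unknown ID and denied ID get the same refusal so the endpoint is
    # not an oracle for which user IDs exist.
    if target is None:
        raise Forbidden("not allowed")
    owner = requester_id == target_id
    friend = requester_id in target.friends
    if target.private and not (owner or friend):
        raise Forbidden("not allowed")
    return _serialize(target)


def attempt(handler, requester_id, target_id):
    """Run a handler and report either the sorted field names it returned
    or the name of the refusal it raised."""
    try:
        return sorted(handler(requester_id, target_id))
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Requester 3 is an arbitrary logged-in member who is nobody's friend.
    for name, handler in (("v1", get_profile_v1), ("v2", get_profile_v2),
                          ("v3", get_profile_v3)):
        print(name, "anonymous ->", attempt(handler, None, 1))
        print(name, "stranger  ->", attempt(handler, 3, 1))
        print(name, "friend    ->", attempt(handler, 2, 1))
```

    The point of the three-way comparison is the middle step: moving an endpoint from "open" to "members only" closes the unauthenticated scraping the reporter demonstrated but leaves the object-level hole, which is exactly the kind of partial fix that looks like progress in a status update and changes nothing for a motivated scraper with one free account.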
  • Cybersecurity can reassure consumers in an era of data anxiety

    • Although increasingly stringent consumer privacy and security laws are becoming the norm, companies should always be ahead of these changes when it comes to cybersecurity. They need to be transparent about how they collect and use consumer data, clear about their cybersecurity policies and protocols in the event of an attack, and most importantly, committed to educating employees on how to keep themselves, the company, and customers safe.
    • According to a 2021 PwC survey, 55 percent of companies say they’re planning to increase their cybersecurity budget and 72 percent say they’re capable of strengthening their cybersecurity platform while containing costs. One of the most cost-effective ways companies can become more secure is through employee education.
    • Cybersecurity (or a lack thereof) has drastic implications for consumer behavior – 85 percent of consumers say they won’t do business with a company if they have concerns about its security practices, while 81 percent will stop engaging with a brand online after a data breach.
    • An educated workforce is the most powerful element of any successful cybersecurity platform. The vast majority of cyberattacks rely on the manipulation of human beings – from phishing emails that convince employees to click on a malicious link or download malware to business email compromise (BEC) schemes in which threat actors impersonate company leaders to coerce people into disclosing sensitive information.
    - Zack Shuler | May 4, 2021
  • 3 Ways to Find If Your Phone Number and Email Have Leaked in a Data Breach

    • Earlier this month, Facebook faced a huge data breach in which the data of more than 533 million users from 106 countries was leaked online. This data included phone numbers, Facebook IDs, birthdates, etc. So, if you are worried about this data breach or any other, you may want to check whether your data is exposed.
    • Have I Been Pwned?
      • Go to ‘https://haveibeenpwned.com/’ on any device.
      • Once the page loads, enter your email address or phone number (in international format, e.g. with the country code) and click the ‘pwned?’ button next to it.
      • The page then lists the known breaches in which that address or number appeared.
    • Avast Hack Check
      • Visit Avast’s Hack Check tool page and enter your email address in the given box.
      • Click on ‘Check Now’ and it will show whether your data has been leaked.
    • The News Each Day
      • Another tool for checking if your phone number was leaked in the Facebook data breach is a website called The News Each Day. Here, you can input your phone number to find if it was part of the breach.
    - Satyendra Pal Singh | May 4, 2021