FTC warns of potential penalties for firms that fail to fix Log4j software flaws

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit. The warning shot from the top consumer protection agency comes […]

The post FTC warns of potential penalties for firms that fail to fix Log4j software flaws appeared first on CyberScoop.

Chinese hackers use Log4j exploit to go after academic institution

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday. Threat analysts observed the group attempting to install malware after gaining access using a modified version of a Log4j exploit for VMware Horizon, a virtual workspace technology. CrowdStrike also observed the Chinese hackers trying to harvest credentials for further exploitation. CrowdStrike analysts believe that the group behind the attack, which it is calling “Aquatic Panda,” has likely been active since at least May 2020. Its operations have primarily focused on targets in the telecommunications, technology and government sectors. “Because OverWatch disrupted the attack before AQUATIC PANDA could take action on their objectives, their exact intent is unknown,” Param Singh, vice president of CrowdStrike OverWatch, wrote to CyberScoop in an email. “This adversary, however, is known to use tools to maintain persistence in environments […]

The post Chinese hackers use Log4j exploit to go after academic institution appeared first on CyberScoop.

Photography site Shutterfly is dealing with a ransomware attack

American photography company Shutterfly has experienced a ransomware attack on parts of its networks, the company confirmed in a statement late Sunday night. “We engaged third-party cybersecurity experts, informed law enforcement, and have been working around the clock to address the incident,” the company said in a statement shared with CyberScoop. The incident interrupted portions of the company’s Lifetouch and BorrowLenses business, Groovebook, manufacturing and some internal corporate systems. The Daily Beast first confirmed the attack. The company declined to comment on whether it was actively negotiating with the cybercriminals behind the ransomware attack. The company says that credit card, financial account information and Social Security numbers were not affected. “However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing,” the company said. The attack appears to be the work of the Conti ransomware group, according to screenshots of […]

The post Photography site Shutterfly is dealing with a ransomware attack appeared first on CyberScoop.

‘Abundance of caution’ pushes RSA Conference to June

The RSA Conference has been delayed until June out of “an abundance of caution,” given the recent surge in COVID-19 cases across the country caused by the omicron variant, organizers say. The annual cybersecurity industry gathering, usually held in February, will begin June 6 in San Francisco. “The health and safety of our community remains our highest priority,” said Linda Gray Martin, vice president, RSA Conference. “With the surge in cases of the Omicron variant in the U.S. and around the world, we believe the best decision we can make is to delay the event until later in the year when we can bring the industry safely together in-person.” RSAC was last held in person in 2020. Despite rising concerns about the coronavirus and several vendors pulling out, 36,000 participants attended in person that year. The organization reported afterward that two Exabeam employees who attended tested positive for the coronavirus. […]

The post ‘Abundance of caution’ pushes RSA Conference to June appeared first on CyberScoop.

CISA, Five Eyes issue guidance meant to slow Log4Shell attacks

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Wednesday released an advisory offering vendors and affected organizations a detailed guide on how to deal with the potential risks to IT and cloud services posed by the vulnerabilities in Apache Log4j’s software library. “This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities,” the advisory states. The warning was issued alongside the FBI and National Security Agency and the security agencies of the Five Eyes intelligence partners Australia, Canada, New Zealand and the United Kingdom. “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” CISA Director Jen Easterly said in a statement. The alert follows previous guidance […]

The post CISA, Five Eyes issue guidance meant to slow Log4Shell attacks appeared first on CyberScoop.

Report: Research ties Pegasus spyware on phone of Jamal Khashoggi’s wife to UAE agents

United Arab Emirates agents loaded Pegasus spyware on the phone of journalist Jamal Khashoggi’s wife months before his death, the Washington Post first reported Tuesday. The software was discovered by Citizen Lab, which examined the device at the request of the newspaper and Khashoggi’s wife, Hanan Elatr. Agents placed the spyware on her phone after seizing her from the Dubai airport in April 2018 and interrogating her, the researchers said. During the interrogations, they seized her two Android phones. Agents typed in a web address that researchers have tied to a network used to spread the spyware. The Post first reported in July that Elatr was targeted by Pegasus spyware via text messages, but researchers couldn’t tell if the hack was successful. It’s unclear if the spyware launched by UAE agents finished installing on the phone, Citizen Lab researcher Bill Marczak told the Post. However, the new findings are the […]

The post Report: Research ties Pegasus spyware on phone of Jamal Khashoggi’s wife to UAE agents appeared first on CyberScoop.

Advertisers are sucking up student data, even after legal action, researchers say

Hundreds of advertisers are collecting valuable student data from a service that allows schools to add sports data to their informational app for students, researchers at the Me2Be Alliance found. The new findings build on previous research from the nonprofit that found the majority of sampled school apps were sharing data with advertising software kits. This time researchers examined web traffic originating from links embedded directly into the customized school apps using a utility called WebView. “These are taxpayer-funded school utility apps that have integrated some of the most aggressive advertising chains you can think of,” said Zach Edwards, one of the report’s researchers. The WebView software gives developers a way to allow users to open links within an app, instead of a separate web browser. The process makes it easier for developers to include content in their apps but harder for users to control privacy settings. WebView itself doesn’t expose […]

The post Advertisers are sucking up student data, even after legal action, researchers say appeared first on CyberScoop.

Intruders leverage Log4j flaw to breach Belgian Defense Department

Parts of the Belgian Defense Ministry’s computer networks have been down since Thursday after a cyber incident in which attackers exploited the Apache Log4j vulnerability, government officials said. “All weekend our teams have been mobilized to control the problem, continue our activities and warn our partners,” spokesperson Olivier Séverin told news publication VRT. “The priority is to keep the network operational. We will continue to monitor the situation.” Log4j is widely used logging software present in hundreds of millions of devices. Hackers associated with the governments of China, Iran, North Korea and Turkey have all raced to take advantage of the vulnerability, according to Microsoft and Mandiant researchers. Ransomware groups have also sought to exploit it. The Belgian Defense Ministry is the first reported high-profile government victim of the vulnerability, but unlikely to be the last given the ubiquity of Log4j in a host of enterprise software popular […]

The post Intruders leverage Log4j flaw to breach Belgian Defense Department appeared first on CyberScoop.

Meta takes down 7 hacking-for-hire operations that targeted 50,000 users

Meta removed seven “surveillance-for-hire” organizations that used Facebook to target at least 50,000 individuals across 100 countries for surveillance operations, some of which included the deployment of spyware, the company announced in a report Thursday. The operation marked a major step in efforts by the social media company against a sprawling surveillance industry that Facebook security experts warn is becoming more “democratized” and easily accessible for spying on not just high-profile targets, but ordinary users. The company removed hundreds of accounts belonging to the Israel-based firms Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI, India-based BellTroX, Macedonia-based Cytrox, and an unknown entity in China. Of the seven firms, only Cobwebs and Cognyte did not engage in what Meta called “exploitation” phase activities, that is, actually delivering malware to hack victims. Facebook sent cease and desist letters to the six named companies. Facebook has clashed with the growing spyware market for years. […]

The post Meta takes down 7 hacking-for-hire operations that targeted 50,000 users appeared first on CyberScoop.

FTC settles with OpenX Technologies for $2 million for allegedly violating children’s privacy law

Advertising platform OpenX Technologies will pay the Federal Trade Commission $2 million over allegations that it failed to comply with a federal rule requiring online services to obtain parents’ consent before collecting data about children under the age of 13. OpenX offers automated ad buying that allows companies to reach a precise audience in real-time. The settlement effectively serves as a warning to digital advertising platforms, which funnel massive amounts of data through real-time advertising bids, often with little transparency. “OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.” A complaint from the Department of Justice filed on behalf of the FTC alleges that the company knowingly collected information from hundreds of apps that […]

The post FTC settles with OpenX Technologies for $2 million for allegedly violating children’s privacy law appeared first on CyberScoop.