Turnabout: It looks like phone-cracking company Cellebrite had its own vulnerabilities exposed

“Snoop onto them… as they’d snoop onto us.” Moxie Marlinspike, founder of the encrypted messaging app Signal, revealed on Wednesday what he said were vulnerabilities in software that the company Cellebrite uses to break into encrypted phones. To accompany a blog post on what Marlinspike and his team of researchers learned, Signal produced a demonstration video featuring the above line of dialogue from the movie “Hackers.” In a blog post evidently dripping with sarcasm, Marlinspike detailed how he obtained the latest version of the company’s software, named UFED and Physical Analyzer, when he saw a small package fall off the back of a truck, prompting some digital probing. The vulnerabilities would amount to an ironic turn for Cellebrite, which makes its money hacking into smartphones. Its customer base includes the U.S. government and some authoritarian regimes, although the Israeli company recently announced it would stop doing business with Russia or […]

The post Turnabout: It looks like phone-cracking company Cellebrite had its own vulnerabilities exposed appeared first on CyberScoop.

Continue reading Turnabout: It looks like phone-cracking company Cellebrite had its own vulnerabilities exposed

Geico data breach opens door to unemployment scams

Over the course of six weeks earlier this year, fraudsters repeatedly stole driver’s license numbers from a database maintained by Geico. Now, the motor vehicle insurer is warning customers that the scammers could apply for unemployment benefits using the pilfered data. “If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed,” Sheila King, a manager for data privacy at Geico, wrote in a breach notice letter posted to the website of California’s attorney general on April 15. The perpetrators of the breach used personal information on Geico customers that they acquired elsewhere to access Geico’s sales system and steal the driver’s license numbers, according to King. Geico has taken “additional security enhancements” to guard against fraud on its website in light of the incident, King added. It was unclear how many people were […]

The post Geico data breach opens door to unemployment scams appeared first on CyberScoop.

Continue reading Geico data breach opens door to unemployment scams

A push for cybersecurity philanthropic giving launches

Over nearly a decade, cybersecurity-related philanthropic giving has constituted a fraction of one percent of the billions of dollars devoted to peace and security causes. An open letter Friday signed by trade associations, non-profits, charitable foundations, think tanks and well-known cybersecurity professionals aims to change that trend as part of what could be a series of future steps. “We believe that private philanthropy is ideally suited to support the development of an emerging field of theorists and practitioners across cybersecurity domains,” reads the letter. “Anyone who cares about national security, innovation, economic development, personal privacy, or civil liberties should care about cybersecurity. Private philanthropy is a critical missing piece to meet this urgent need.” The William Flora and Hewlett Foundation, Craig Newmark Philanthropies, and Gula Tech Foundation led the effort to organize the letter, signed by 30 different organizations and individuals. They include former White House cyber coordinator and current […]

The post A push for cybersecurity philanthropic giving launches appeared first on CyberScoop.

Continue reading A push for cybersecurity philanthropic giving launches

Banking organizations dub proposed US cyber notification regulation ‘burdensome’

Banking groups have objected to elements of a proposed U.S. cyber incident notification rule, saying that its threshold for mandatory disclosure of such events to regulators is overly broad and would lead to over-reporting of incidents. Under the proposed regulation from the Treasury Department and other regulators, banks would have to notify their regulators within 36 hours of certain kinds of attacks, and bank service providers would have to notify their customers of particularly damaging incidents as well. “While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents,” wrote the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association. “As a result, the proposed rule would lead to significant and burdensome over-reporting to the Agencies, contrary to its […]

The post Banking organizations dub proposed US cyber notification regulation ‘burdensome’ appeared first on CyberScoop.

Continue reading Banking organizations dub proposed US cyber notification regulation ‘burdensome’

Banking organizations dub proposed US cyber notification regulation ‘burdensome’

Banking groups have objected to elements of a proposed U.S. cyber incident notification rule, saying that its threshold for mandatory disclosure of such events to regulators is overly broad and would lead to over-reporting of incidents. Under the proposed regulation from the Treasury Department and other regulators, banks would have to notify their regulators within 36 hours of certain kinds of attacks, and bank service providers would have to notify their customers of particularly damaging incidents as well. “While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents,” wrote the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association. “As a result, the proposed rule would lead to significant and burdensome over-reporting to the Agencies, contrary to its […]

The post Banking organizations dub proposed US cyber notification regulation ‘burdensome’ appeared first on CyberScoop.

Continue reading Banking organizations dub proposed US cyber notification regulation ‘burdensome’

Fed chair deems cyber threat top risk to financial sector

Federal Reserve Chairman Jerome Powell said he is on alert for cyberattacks against U.S. financial systems and companies, above and beyond any other risks to the economy. “The world evolves. And the risks change as well,” Powell said during an interview aired Sunday on CBS 60 Minutes, noting he is far more concerned about a cyber incident than he is about encountering a collapse akin to the global financial crisis of 2008. “And I would say that the risk that we keep our eyes on the most now is cyber risk.” Other government agencies and major companies — in particular financial companies — are also on alert, Powell said. Particularly of concern to Powell are scenarios in which cyberattacks cripple financial institutions to the point that they can’t track payments or to the point that payment systems don’t function. “There are scenarios in which a large payment utility, for example, breaks […]

The post Fed chair deems cyber threat top risk to financial sector appeared first on CyberScoop.

Continue reading Fed chair deems cyber threat top risk to financial sector

Financial industry preps for proposal that would require 36-hour breach notification

A milestone date for an ambitious federal banking industry cybersecurity regulation that debuted at the tail end of the Trump administration has nearly arrived. Monday, April 12 marks the deadline for comments on an initial proposal that would mandate how a wide range of financial firms would need to report more kinds of cyber incidents to regulators within 36 hours. That’s a more stringent timeline that many comparable regulations; Europe’s General Data Protection Regulation notification window is twice as long, at 72 hours. The relatively quick notification requirement generated most of the attention when the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Treasury’s Office of the Comptroller of the Currency announced the rule in December. It’s expected to receive significant blowback from the financial services industry as an overly aggressive demand. Some analysts, though, cite the types of incident reports that need to be […]

The post Financial industry preps for proposal that would require 36-hour breach notification appeared first on CyberScoop.

Continue reading Financial industry preps for proposal that would require 36-hour breach notification

Wine scams spiked during COVID-19 lockdown

Absolute monsters. Wine-themed domain registrations rose once COVID-19 lockdowns took hold, some of them malicious and used in phishing campaigns, Recorded Future and Area 1 Security said in a joint report out Wednesday. “As the interest in virtual happy hours and get-togethers increased so did the increase in wine-themed domain registrations,” the report states. Amid the COVID outbreak, alcohol has proven itself a target for hackers — but it hasn’t been clear before that scammers were trying to exploit people who were staying home and imbibing more. Alcohol delivery service Drizly, for instance, suffered a breach in July, while ransomware hit liquor and wine maker Brown-Forman around the same time. Recorded Future observed a mild jump in wine domain registrations in March of 2020, from the usual 3,000 to 4,000 per month up to nearly 5,500. April saw a bigger leap, to almost 7,200, and the numbers took off in […]

The post Wine scams spiked during COVID-19 lockdown appeared first on CyberScoop.

Continue reading Wine scams spiked during COVID-19 lockdown

Crooks are getting smarter about exploiting SAP software, study finds

Security researchers on Tuesday warned of the unrelenting interest that cybercriminals have in exploiting applications made by software giant SAP to defraud or disrupt big businesses that rely on SAP products. A months-long study by Boston-based security firm Onapsis found that malicious hackers are growing more knowledgeable of SAP software and the potential impact that compromises could have on customers. In one case, an unidentified attacker managed to chain together multiple software exploits to target an SAP “credential store,” which stores login details for an organization’s high-value SAP users. Access to the credential store could give a hacker the ability to exploit other applications that interact with those credentials. SAP has 400,000 customers worldwide, including more than half of NATO members. A big swath of the world’ largest public companies use the software to manage their business processes. A critical bug in SAP software could be a ticket for a […]

The post Crooks are getting smarter about exploiting SAP software, study finds appeared first on CyberScoop.

Continue reading Crooks are getting smarter about exploiting SAP software, study finds

CNA shares details about ransomware attack, recovery effort

Major U.S. insurer CNA confirmed this week that it was the victim of a ransomware attack and that it has taken several steps on the road to recovery. The company, one of the biggest players in cybersecurity insurance specifically, had previously acknowledged an attack, but stopped short of specifying exactly what kind. In an update on Thursday, the company said it had restored normal email operations after a ransomware attack, adding that it instituted multi-factor authentication and a security platform for detecting and blocking threats. “Our team deployed additional endpoint detection and monitoring tools for an added layer of security and visibility across our network,” the update reads. “We expect that there will be a number of other remediation and infrastructure enhancements.” The attack has proven a source of misery for the company since hackers hit on March 21. Like other insurers, CNA would represent a tempting target for hackers […]

The post CNA shares details about ransomware attack, recovery effort appeared first on CyberScoop.

Continue reading CNA shares details about ransomware attack, recovery effort