Friday Five 5/27
Learn why Twitter owes the Federal Trade Commission $150 million, how spyware is taking advantage of zero-day vulnerabilities, and more in this week's Friday Five!
1. FTC fines Twitter $150M for using 2FA info for targeted advertising by Sergiu Gatlan
After directly violating both the FTC Act and a 2011 Commission administrative order, Twitter has been fined $150 million for using the phone numbers and email addresses users supplied for two-factor authentication to target ads without their consent. Twitter has since agreed to the $150 million settlement along with additional compliance measures and provisions laid out in the FTC’s proposed order, which would:
- Prohibit Twitter from profiting from deceptively collected data
- Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers
- Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls
- Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products
- Limit employee access to users’ personal data
- Notify the FTC if the company experiences a data breach
2. The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand by Roman Kesler
The Food and Drug Administration recently issued a 2022 version of their premarket cybersecurity draft guidance, marking the first update to their guidance since 2018. The newly-released guidance, which is over five times the length of its predecessor, establishes new cybersecurity requirements that medical device manufacturers must meet in order to gain FDA premarket approval. Here, you can read more about what prompted the FDA to update these requirements and what some of the biggest changes entail.
3. US, Australia, India and Japan announce cybersecurity initiatives on software, supply chains by Jonathan Grieg
President Joe Biden, along with representatives from Australia, India, and Japan, met this past week at the Quad Leaders’ Tokyo Summit 2022, where they announced a partnership on several cybersecurity initiatives. Read about what was discussed among the political leaders, what was agreed upon between the nations, and more in the official White House statement.
4. Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware by Pieter Arntz
According to the Google Threat Analysis Group (TAG), five of the nine reported zero-day vulnerabilities affecting Chrome, Android, Apple, and Microsoft products in 2021 are being used by a commercial surveillance company known as Cytrox. Read this investigative piece from Malwarebytes Labs to learn more about Cytrox, what its spyware is capable of, and which vulnerabilities it is exploiting.
5. Senate report criticizes feds' approach to ransomware investigations by Suzanne Smalley
A recent report by Senate Democrats on the Senate Homeland Security and Governmental Affairs Committee asserted that federal efforts against ransomware are not enough to keep up with the growing problem. Specifically, in the wake of a recent case study investigation on ransomware attacks, the group claims that ransomware incident response firms “question the effectiveness of [communication channels like the Department of Homeland Security’s Cybersecurity and Infrastructure Agency StopRansomware.gov website and the FBI’s IC3.gov website and their] impact on assisting victims of an attack." Read more here to learn about the Committee’s recommendations moving forward.