Friday Five 5/27

by Robbie Araiza on Friday May 27, 2022

Learn why Twitter owes the Federal Trade Commission $150 million, how spyware is taking advantage of zero-day vulnerabilities, and more in this week's Friday Five!

1. FTC fines Twitter $150M for using 2FA info for targeted advertising by Sergiu Gatlan

After directly violating both the FTC Act and a 2011 Commission administrative order, Twitter has been fined $150 million for using users’ two-factor authentication information for targeted ads without their consent. Twitter has since agreed to the $150 million settlement along with additional compliance measures and provisions laid out in the FTC’s proposed order, which would:

  • Prohibit Twitter from profiting from deceptively collected data
  • Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers
  • Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls
  • Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products
  • Limit employee access to users’ personal data
  • Notify the FTC if the company experiences a data breach

2. The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand by Roman Kesler

The Food and Drug Administration recently issued a 2022 version of its premarket cybersecurity draft guidance, marking the first update to that guidance since 2018. The newly released guidance, which is over five times the length of its predecessor, establishes new cybersecurity requirements that medical device manufacturers must meet in order to gain FDA premarket approval. Here, you can read more about what prompted the FDA to update these requirements and what some of the biggest changes entail.

3. US, Australia, India and Japan announce cybersecurity initiatives on software, supply chains by Jonathan Greig

President Joe Biden along with representatives from Australia, India, and Japan met this past week at the Quad Leaders’ Tokyo Summit 2022 where they announced a partnership on several cybersecurity initiatives. Read about what was discussed among the political leaders, what was agreed upon between the nations, and more in the official White House statement.

4. Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware by Pieter Arntz

According to the Google Threat Analysis Group (TAG), five of the nine reported zero-day vulnerabilities affecting Chrome, Android, Apple, and Microsoft in 2021 are being used by a commercial surveillance company known as Cytrox. Read this investigative piece from Malwarebytes Labs to learn more about Cytrox, what their spyware is capable of, and which vulnerabilities they’re exploiting.

5. Senate report criticizes feds' approach to ransomware investigations by Suzanne Smalley

A recent report by Senate Democrats on the Senate Homeland Security and Governmental Affairs Committee asserted that federal efforts against ransomware are not enough to keep up with the growing problem. Specifically, in the wake of a recent case study investigation on ransomware attacks, the group claims that ransomware incident response firms “question the effectiveness of [communication channels like the Department of Homeland Security’s Cybersecurity and Infrastructure Agency StopRansomware.gov website and the FBI’s IC3.gov website and their] impact on assisting victims of an attack.” Read more here to learn about the Committee’s recommendations moving forward.
