Friday Five 9/16
Twitter’s security scandal going from bad to worse and malware spreading through YouTube made headlines this week. Read about these stories and more in this week’s Friday Five!
1. WHAT WE LEARNED WHEN TWITTER WHISTLEBLOWER MUDGE TESTIFIED TO CONGRESS BY ZACK WHITTAKER
Peiter Zatko, the former head of security at Twitter who recently turned whistleblower, testified in front of the Senate Judiciary Committee this past Tuesday. In his summary of the hearing on TechCrunch, Zack Whittaker outlines some of the key takeaways from Zatko’s statements, including how the FBI warned the company of a Chinese spy on its payroll, his claim that thousands attempted to hack the site on a weekly basis, and his claim that the company employs insufficient access controls over users’ information. According to Zatko, “[the] fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure, the engineering, and the engineers not being given the ability to put things in place to modernize.”
2. MARITIME CYBERSECURITY IS FRONT AND CENTER IN COAST GUARD REAUTHORIZATION BILL BY CHRIS RIOTTA
The Coast Guard Authorization Act of 2022, introduced by a bipartisan group of lawmakers this past week, seeks to address numerous gaps in federal laws surrounding maritime cybersecurity. Its provisions include directing the Comptroller General to study cyber threats impacting the U.S. Marine Transportation System, requiring the Coast Guard to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) and the Maritime Administration (MARAD) on cybersecurity efforts, and providing maritime operators with the tools needed to respond to cyber incidents. Read the full story from FCW to learn more about the newly introduced bill.
3. CONGRESSIONAL INQUIRY REVEALS SECRET CUSTOMS AND BORDER PROTECTION DATABASE OF U.S. PHONE RECORDS BY TONYA RILEY
According to a letter from Senator Ron Wyden’s office to Customs and Border Protection, the agency is conducting warrantless searches of the phones and other electronic devices of up to 10,000 Americans each year and uploading information from those devices to a massive government database, which is said to retain that data for up to 15 years. According to Lawrence Payne, a spokesperson for the agency, “CBP is currently reviewing whether additional information specific to border searches of electronic devices, may be made publicly available without negative impacts to law enforcement operations and national security.” Read the full story from CyberScoop for more information on what kinds of data are collected and how CBP is legally getting away with their operation.
4. IRANIANS HACKED US COMPANIES, SENT RANSOM DEMANDS TO PRINTERS, INDICTMENT SAYS BY JON BRODKIN
According to a recently unsealed indictment, three Iranian nationals, all of whom remain at large, were charged with hacking and sending ransoms through US-based networks. Victims included a US-based domestic violence shelter, which was forced to pay roughly $13,000 to regain access to its systems. Per the indictment, "a member of the conspiracy gained unauthorized access to the Domestic Violence Shelter's computer system and launched an encryption attack by activating BitLocker, thereby denying the Domestic Violence Shelter access to some of its systems and data." Read the full story from Ars Technica for more details on how the criminals carried out the attacks and who else was affected.
5. NEW MALWARE BUNDLE SELF-SPREADS THROUGH YOUTUBE GAMING VIDEOS BY BILL TOULAS
Those who turn to YouTube for FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man gameplay videos may want to keep a lookout for a new self-spreading malware bundle distributed through such videos. The bundle reportedly uploads malicious video tutorials, advertising fake cheats and cracks for popular video games, to compromised accounts; those videos in turn serve to spread the malicious package further. Read the full story from Bill Toulas at BleepingComputer to find out how the malware bundle works and why it may be challenging for YouTube to identify.