Friday Five 9/3
How not to get hacked, a $9 million ransomware attack, and the FTC cracks down on a spyware app - catch up on the infosec news of the week with the Friday Five!
1. 6 Things You Need to Do to Prevent Getting Hacked by Matt Burgess
Not a prescriptive list or a silver bullet - what is these days - but Wired has a helpful guide here for the everyday person on how to prevent getting hacked. It's a lot of the same tips you've no doubt heard before: use multi-factor (or two-factor) authentication, use a password manager, encrypt all the things, etc. While you may use Signal, have a recurring annual 1Password plan and a VPN at the ready, not everyone does. Wired's list is a fine primer for anyone who may just be familiarizing themselves with cybersecurity or who simply wants to use the internet more safely.
2. FBI warns of ransomware gangs targeting food, agriculture orgs by Sergiu Gatlan
Another fairly straightforward alert here via the FBI, this one warning that companies in the food and agriculture sector should be wary of ransomware attacks; but there's more than meets the eye here. Lost in the warning is news that earlier this year a ransomware attack at one US-based farm cost them a whopping $9 million. While the loss wasn't tied to the farm paying a ransom - it stemmed from the farm having to temporarily shut down its farming operations - it's still a pretty penny to pay. According to the FBI's warning, attackers were able to infiltrate the farm's servers by gaining admin-level access using compromised credentials. We're constantly reminded to change our passwords; unfortunately, it cost these victims $9 million.
3. FTC bans spyware app SpyFone, orders it to delete illegally harvested data by Kim Lyons
The Federal Trade Commission took a big step towards cracking down on spyware this week when it made an example of SpyFone, a company that billed itself as an app created to monitor children, employees, or other consenting adults. In reality, SpyFone was spyware - software designed to carry out surveillance on unsuspecting users, including their movements, phone use, and online activity. The FTC banned the company and its CEO from doing business on Wednesday, ordered it to delete any illegally harvested data it may have in its possession, and ordered it to notify device owners who may have had the app installed without knowing it. Many privacy experts, who have been beating the drum against stalkerware and spyware like this for years, applauded the move. Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, who warned of the threat years ago, was pleased by the FTC's move but said there are "so many companies left."
4. SEC fines three companies over hacked employee email accounts by Catalin Cimpanu
The Record recaps fines handed down by the US Securities and Exchange Commission to three different brokerage firms earlier this week for failing to adequately secure employee accounts, a lack of action that apparently led to multiple incidents involving data loss. The SEC said the three companies - KMS, Cambridge, and Cetera - broke Rule 30(a) of Regulation S-P, also known as the Safeguards Rule. If the hacks and the data loss weren't bad enough, the companies also either hid or downplayed the hacks, or took too long to improve their security.
5. Bangkok Airways Admits Attackers Stole Passenger Data by Phil Muncaster
Another day, another data breach, this one impacting anyone who may have flown on Bangkok Airways lately. The company came clean about the breach in a notice to customers on its site, clarifying that the issue affected customers' personally identifiable information, or PII. Siobhán Robbins, a journalist with Sky News, said earlier this week that the breached data could include passenger name, family name, nationality, gender, phone number, email, address, contact info, passport, historical travel information, and partial credit card information. Details on the breach are scant, although many signs point to the LockBit 2.0 ransomware as the culprit. Victims will want to exercise caution opening any suspicious emails that may ultimately use the stolen data as lures.