Sean Kelly
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, November 11, 2024. I'm Sean Kelly.

U.S. financial regulator calls for reduced cell phone use at work

A U.S. regulator, the Consumer Financial Protection Bureau, or CFPB, has issued a directive to employees to reduce the use of their phones at work due to the growing threat of the China-linked APT group Salt Typhoon. The threat actor is alleged to have recently breached several major telecom providers. Instead, the CFPB is asking its workforce to use Microsoft Teams and Cisco WebEx for meetings and conversations involving non-public data. The CFPB clarified that the directive is a risk mitigation measure and that there is no evidence that the agency has been impacted by the telecom incidents. The CFPB was created in 2011 to protect consumers in the financial sector, ensuring fair, transparent and competitive financial markets.

FBI warns of spike in hacked police emails and fake subpoenas

The FBI is urging police departments and governments worldwide to bolster email safeguards, citing a recent rash of hacked police email accounts being used to send unauthorized subpoenas and customer data requests to U.S.-based technology companies. Authorities make these requests, known as Emergency Data Requests or EDRs, to obtain an array of user account information such as email addresses and what sites users have visited. EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. The FBI says it's seen an uptick of government and law enforcement credentials, as well as EDR request process info, emerging on cybercrime forums. One cybercriminal who uses the nicknames Pwnestar and Ponipotent is selling fake EDR scam packages for between $1,000 and $3,000 per successful request. The hacker is even offering a full refund if the EDR requests are unsuccessful.

A startup called Codex is trying to tackle the fake EDR problem by working with data providers to pool information about EDR submitters to make it easier to spot an unauthorized EDR. Codex founder and former FBI agent Matt Donahue said far too many police departments in the U.S. and other countries often do not enforce basic account security precautions such as requiring phishing-resistant multi-factor authentication.

Cyber scoundrels target UK senior citizens with winter fuel payment texts

As the winter season kicks in, scammers are targeting senior British residents with bogus winter heating allowance and cost-of-living support scam texts. The scheme attempts to capitalize on the UK government's recent controversial stance on cutting winter fuel payments for approximately 10 million pensioners across Britain. The dubious texts prompt victims to visit illicit domains that collect personal and payment information. Researchers have identified 597 domains related to this campaign so far. UK citizens should refrain from clicking such links and forward suspected scam texts to 7726. Phishing emails can be forwarded to report@phishing.gov.uk.

New iPhone reboot feature may make it harder for police to unlock them

On Thursday, reports surfaced that law enforcement officials were warning one another that iPhones being stored for forensic examination seemed to be rebooting themselves. These reports were subsequently corroborated by security experts. The reboots appear to take place on iPhones running iOS 18.1 after their fourth day in a locked state. After the reboot, it's harder for phones to be unlocked using password-cracking tools. Some security experts are hailing the new feature as a huge security improvement, while authorities may find it to be a hindrance to their investigations.

And now we'd like to thank today's episode's sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their U.S.-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Malicious PyPI package steals AWS keys

According to the application security firm Socket, a malicious Python package named Fabrice, spelled F-A-B-R-I-C-E, has been present in the Python Package Index since 2021 and steals Amazon Web Services credentials from unsuspecting developers. The package has been downloaded more than 37,000 times and executes platform-specific scripts on both Windows and Linux. The large number of downloads is likely due to the package using typosquatting to mimic the legitimate SSH remote server management package Fabric, which has more than 200 million downloads. Typosquatting risks can be mitigated by performing both manual and automated checks of PyPI downloads and by limiting permissions to download resources through AWS Identity and Access Management.

Recent Windows 11 updates break SSH connections

Microsoft has confirmed that last month's Windows security updates are breaking SSH connections on some Windows 11 22H2 and 23H2 systems. The services are failing with no detailed logging and require manual intervention to run the sshd.exe process. Microsoft said just a limited number of devices are impacted, but they are still investigating whether Windows 11 Home or Pro editions are affected. Until a fix is available, Microsoft has provided customers a temporary fix that updates Access Control List permissions on affected directories.

Google says Chrome Enhanced Protection feature now uses AI

Google has quietly updated the description for its Enhanced Protection mode in Chrome's Safe Browsing feature to include AI-powered protection, previously referred to as proactive protection. The AI-powered protection could allow Google to detect and warn users about potentially harmful sites, even those that Google hasn't previously identified. With Enhanced Protection turned on, Chrome performs deeper scans on downloads and improves protection across Google's services when users are signed in. Google is currently retesting the AI feature in Chrome Canary with no known timeline for rollout to all Chrome users.

Mazda Connect flaw allows some Mazda vehicles to be hacked

Trend Micro's Zero Day Initiative warned of multiple vulnerabilities in the Mazda Connect infotainment system that could allow attackers to execute code with root privileges. This occurs due to improper input sanitization in the Mazda Connect CMU. The researchers clarified that a threat actor would need to be physically present to connect a specially crafted USB device, such as an iPod or mass storage device, to the target system. The vulnerabilities impact systems installed in multiple car models, including the Mazda 3 model year 2014 through 2021. These issues currently remain unpatched, and there are no publicly known vulnerabilities in the latest firmware version.

And that does it for today's Cybersecurity Headlines. But if you enjoy listening to our daily news show, you might also enjoy the CISO Series YouTube channel. You can watch our Week in Review video, live stream demo video, original content and clips from our other shows like Defense in Depth. Just head over to YouTube and search for the CISO Series. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines – Episode Summary
Podcast Information:
Host: Sean Kelly
Timestamp: [00:15]
The episode opens with Sean Kelly discussing a significant directive from the Consumer Financial Protection Bureau (CFPB). Due to the escalating threat from the China-linked Advanced Persistent Threat (APT) Group SALT Typhoon, the CFPB has instructed its employees to minimize cell phone usage during work hours. This move comes in response to SALT Typhoon's recent breaches of major telecom providers.
Instead of relying on personal cell phones, the CFPB is encouraging the use of secure platforms like Microsoft Teams and Cisco WebEx for meetings and any communications involving non-public data. Sean Kelly emphasizes, “The CFPB clarified that the directive is a risk mitigation measure and that there is no evidence that the agency has been impacted by the Telecom incidents” (00:45).
Established in 2011, the CFPB plays a crucial role in protecting consumers within the financial sector, ensuring fair, transparent, and competitive financial markets.
Timestamp: [02:10]
Sean Kelly highlights an urgent warning from the FBI regarding a surge in hacked police email accounts. These compromised accounts are being used to send unauthorized subpoenas and Emergency Data Requests (EDRs) to U.S.-based technology companies. EDRs aim to obtain various user account information, such as email addresses and browsing history, without requiring official review or court-approved documents.
The FBI has observed an increase in government and law enforcement credentials appearing on cybercrime forums, alongside information about the EDR request process. A notable cybercriminal, known by the aliases Pwnestar and Ponipotent, is reportedly selling fake EDR scam packages ranging from $1,000 to $3,000 per successful request. This hacker even offers a full refund if the EDR requests fail.
Addressing this issue, Matt Donahue, founder of the startup Codex and a former FBI agent, stated, “Far too many police departments in the US and other countries often do not enforce basic account security precautions such as requiring phishing-resistant multi-factor authentication” (05:30). Codex is actively working to combat fake EDRs by collaborating with data providers to aggregate information about EDR submitters, facilitating the identification of unauthorized requests.
Timestamp: [07:20]
As winter approaches, senior citizens in the UK are falling victim to sophisticated scam texts related to winter fuel payments and cost-of-living support. These fraudulent messages exploit the recent controversial decisions by the UK government to cut winter fuel payments for approximately 10 million pensioners.
Victims receiving these bogus texts are directed to malicious websites designed to harvest personal and payment information. To date, researchers have identified 597 domains associated with this campaign. Sean Kelly advises UK residents to refrain from clicking on such links and to forward any suspected scam texts to 7726. Additionally, phishing emails should be reported to report@phishing.gov.uk.
Timestamp: [09:50]
A notable development in mobile security was discussed, where Sean Kelly reports on a new feature in iOS 18.1 that causes iPhones stored for forensic examination to reboot themselves after four days in a locked state. Post-reboot, these iPhones become significantly harder to unlock using password-cracking tools.
Security experts have lauded this feature as a substantial enhancement in device security. However, law enforcement authorities may view it as a potential obstacle to their investigative processes. The balance between user security and law enforcement needs continues to be a topic of debate within the cybersecurity community.
Timestamp: [12:30]
Sean Kelly brings attention to a troubling issue within the Python development community. The application security firm Socket has identified a malicious Python package named Fabrice (F-A-B-R-I-C-E) that has been present in the Python Package Index (PyPI) since 2021. This package is designed to steal Amazon Web Services (AWS) credentials from unsuspecting developers.
With over 37,000 downloads, Fabrice leverages typosquatting, mimicking the legitimate and widely-used Fabric package, which boasts more than 200 million downloads. This tactic increases the likelihood of inadvertent installations by developers.
To mitigate the risks posed by typosquatting, Sean Kelly suggests implementing both manual and automated checks of PyPI downloads and restricting permissions through AWS Identity and Access Management (IAM).
Timestamp: [15:00]
Recent security updates released by Microsoft for Windows 11 have inadvertently caused disruptions in SSH (Secure Shell) connections. Users operating on Windows 11 versions 22H2 and 23H2 have reported that SSH services fail without generating detailed logs, necessitating manual intervention to restart the sshd.exe process.
Microsoft acknowledges that only a limited number of devices are affected and is actively investigating whether the issue impacts both Home and Pro editions of Windows 11. In the interim, a temporary fix has been provided, which involves updating the Access Control List (ACL) permissions on the affected directories to restore SSH functionality.
Timestamp: [17:45]
In an update to Google Chrome's Safe Browsing feature, the Enhanced Protection mode now incorporates AI-powered protection, previously referred to as proactive protection. Sean Kelly explains that this advancement allows Chrome to detect and alert users about potentially harmful websites, even those that have not been previously identified in Google's databases.
With Enhanced Protection enabled, Chrome conducts more thorough scans on downloads and strengthens protection across all of Google's services when users are signed in. Currently, Google is retesting this AI feature in Chrome Canary, with no official timeline announced for a broader rollout to all users.
Timestamp: [20:15]
The episode concludes with a report on vulnerabilities discovered in the Mazda Connect infotainment system. Trend Micro's Zero Day Initiative has identified multiple flaws that could permit attackers to execute code with root privileges. These vulnerabilities stem from improper input sanitization within the Mazda Connect CMU.
Exploiting these vulnerabilities requires physical access to the vehicle, where an attacker would need to connect a specially crafted USB device, such as an iPod or mass storage device, to the target system. The affected models include the Mazda 3 from 2014 through 2021. Currently, these issues remain unpatched, and there are no known vulnerabilities in the latest firmware versions.
Sean Kelly underscores the importance of addressing these vulnerabilities promptly to prevent potential exploitation and ensure the security of vehicle infotainment systems.
Conclusion
Sean Kelly wraps up the episode by reminding listeners that more in-depth stories behind these headlines are available at CISOseries.com. For those who enjoy the daily cybersecurity news, additional content, including the Week in Review and live stream demos, can be found on the CISO Series YouTube channel.
Notable Quotes:
Sean Kelly: “The CFPB clarified that the directive is a risk mitigation measure and that there is no evidence that the agency has been impacted by the Telecom incidents.” (00:45)
Matt Donahue (Codex Founder & Former FBI Agent): “Far too many police departments in the US and other countries often do not enforce basic account security precautions such as requiring phishing-resistant multi-factor authentication.” (05:30)
For More Information: Visit CISOseries.com to explore detailed stories and stay updated with the latest in cybersecurity news.