Transcript
Steve Prentice (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, January 20, 2025. I'm Steve Prentice.

TikTok is back, but with strings attached. After shutting down in the US late Saturday night, TikTok appears to be back up and running after President-elect Trump announced on Sunday that he would offer a 90-day deadline for the company to find a US purchaser. This would come in an executive order today. The app now works again for its existing users, although it is still unavailable on the Google and Apple app stores. In a post sent to Truth Social on Sunday morning, Trump suggested that the US take 50% ownership of the company. Meanwhile, over the weekend, millions of TikTok users headed over to RedNote, declaring themselves "TikTok refugees." Some sent messages saying they were doing so to spite the US government for blocking TikTok in the first place. According to Dark Reading, RedNote is based in Shanghai and is one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans seemingly much easier. RedNote's servers are primarily located in China, meaning that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. Prior to TikTok's 90-day lifeline, numerous experts had been stating that this resulting exodus to RedNote had made US national security over TikTok even more problematic.

Noem promises to curtail CISA. As quoted in CyberScoop, Department of Homeland Security Secretary nominee Kristi Noem stated in testimony before the Homeland Security and Governmental Affairs Committee on Friday that, if confirmed, she would keep the department out of efforts to combat disinformation and misinformation and pledged to make CISA "smaller and more nimble," end quote. She added that CISA has "gone far off mission, which is to hunt and to help harden our nation's critical infrastructure," end quote.

Label company Avery announces data breach. The company, well known for its line of adhesive labels, printing services and other office products, stated that the attack was discovered on December 9th of last year, but the attack itself was the installation of a card skimmer on avery.com, the company's online shop domain. This installation occurred on July 18, 2024, and as a result, sensitive payment information that customers inputted on Avery's website between July 18 and December 9, 2024, was exfiltrated to the threat actors. This includes PII, of course, but also payment card numbers with CVV codes and expiration dates. The company estimates that more than 61,000 customers may have been affected.

Thanks to today's episode sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? CISOs know that real-time visibility is critical for security, but when it comes to GRC programs, they rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V-A-N-T-A dot com slash headlines.

Surveillance pricing costs consumers, according to FTC report. The preliminary report, which was released on Friday, alleges that businesses charge customers more for products based on insights gleaned from their consumer data and behaviors, "including geolocation, demographics, shopping habits and even how an individual moves their mouse on a webpage," end quote. This data was pulled from companies including MasterCard, Accenture and McKinsey, who allegedly sell the tools that other businesses use to tweak pricing. This report uses only hypothetical examples to avoid revealing company trade secrets. An example of this would be a consumer profiled as a new parent being shown higher prices for baby products. The companies involved have denied that they sell or develop surveillance pricing software. The report itself is at the staff perspective stage, meaning that it is not yet final. Incoming FTC Chair Andrew Ferguson and fellow Republican Melissa Holyoak objected to its publication, saying that it "should not have been released before the agency's investigation had concluded," end quote.

Costa Rica refinery cyberattack was first deployment for new US response program. Following up on a story we covered on December 3, a ransomware attack on Costa Rica's largest oil refinery was the first real-world test of the U.S. State Department's new rapid response tool for cybersecurity incidents. This is according to Nate Fick, the US Ambassador at Large for Cyberspace and Digital Policy. The response program is a product of the State Department's Cyber Bureau and is called the Foreign Assistance Leveraged for Cybersecurity Operational Needs, or FALCON, a bit of a stretch in the acronym department there. It is described as one of several US initiatives developed to "bolster allies and infuse global digital norms with American values," end quote. Fick emphasized that the program is meant to use best-in-breed private sector incident response capabilities across a number of vendors, ideally within 48 hours of the initial request. In this inaugural case, it was around 36 hours.

OpenText added to Moscow's list of undesirable organizations. The company, headquartered near Toronto in Canada, specializes in enterprise information management software. It is now only the second company to have been named undesirable, after Recorded Future. Russia's official line says the OpenText Corporation collaborates closely with US law enforcement and contributes to the West's anti-Russia propaganda efforts. But it is also worth noting that in 2023, OpenText acquired UK-based Micro Focus, which Russia says provided Ukrainian law enforcement agencies with "cybersecurity software and services needed for data collection to strike Russian troops and infrastructure," end quote.

86% of default router passwords have never been changed, says survey. This survey was conducted by the British company Broadband Genie, an independent UK comparison service for home broadband, T landline and mobile home broadband service. This was the third on this topic conducted by the company, the first two done in 2018 and 2022. Of the more than 3,000 residential customers who responded, 52% say they have never adjusted any of their router factory settings, 86% said they have never changed the router administrator password, and 72% said they have never changed their Wi-Fi password. These and similar numbers have shown very little change, up or down, over six years. A link to the report is available in the show notes to this episode.

Just one quick announcement. The CISO Series is hiring. We are looking for a production assistant to help out our team. If that sounds like something for you or for someone you know, please head on over to cisoseries.com for more details.

I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
