Security News for the Week Ending Feb. 11, 2022

Google Decreased Account Takeovers by 50% by Mandating 2FA

Late last year Google forced about a hundred fifty million users to start using multi-factor authentication. What results did they see? Account takeovers in that group were reduced by 50%. Google has previously said that only 10% of their users were using MFA. Now they are forcing the issue. Credit: Cybernews

Attacks on Crypto Continue – $320 Million in Ethereum Stolen

The Wormhole token bridge that allows users to send and receive cryptocurrency between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without a centralized exchange experienced a security exploit resulting in the loss of 120,000 wETH tokens worth $321 million from the platform. Again, the hackers found a bug in the software that allowed them to hack the company. This is the root problem with decentralized finance – it is counting on software being bug free and that just does not exist. In their case, they are very lucky because the Jump Trading Group, which is an investor in Wormhole ponied up the $320 mil to make their customers whole. That doesn’t happen often. Credit: Metacurity and Decrypt.co

Apple Says It Won’t Do Biz With Companies that Use Conflict Minerals

According to a report that Apple filed with the SEC, they have terminated relationships with 163 smelters and refiners since 2009 for failing to pass human rights and mineral standards. This is the seventh year of requiring these firms to pass a third party audit. This year 12 companies got axed from the vendor list. Good for Apple. Credit: Vice

French Data Protection Authority Says Google Analytics Violates GDPR

The problem, the French privacy folks say, is that Google transfers your data to the U.S. and, after Shrems II, in which the EU high court struck down the US-EU Privacy agreement called Privacy Shield, the US was deemed to not have equivalent privacy protections. They would like you to forget that they are playing with a stacked deck because the European intelligence agencies do the same stuff the US does, but they don’t have to comply. They suggest anonymizing the data, which is okay for stats but not targeted ads or kicking Google to the curb, which was kind of the EU’s goal in the first place. I think Google could choose to leave EU data in the EU, which simplifies the privacy stuff, but it makes life more complicated for Google because the probably could not do a number of things with your data that they would like to. Credit: The Record

Senators Say CIA is Collecting Bulk Data on US Citizens

Executive Order 12333, issued by Reagan in 1981, covers, among many activities, the data collection practices of the intelligence agencies who operate outside the rules of the FISA court. There is a group that is supposed to watch over the CIA called the PCLOB, but many people think it has a pretty cozy relationship with the CIA and doesn’t have the same level of (very limited) transparency that the FISA Court does. Unlike the Patriot Act and USA Freedom Act, which have to be reauthorized, EO 12333 lives forever with no public discussion. Senators Wyden and Heinrich wrote the Director of National Intelligence asking for more transparency. Credit: Data Breach Today

Schools (And Others) Will Pay More for Cyber Insurance

As a result of the massive increase in cyberattacks against schools (and others), cyber insurance premiums will likely face major premium hikes this year, assuming that you can even get coverage. Hikes of from 100% to 300% are likely if you don’t have the best security controls. One California insurance executive said her school clients were declined for insurance 37 times, saw deductibles climb from $25,000 to a million dollars and premiums increase by up to ten times. This will force some organizations to become self insured, making cybersecurity practices even more important. Credit: The Journal

by