Security News for the Week Ending January 13, 2023
What Could Possibly Go Wrong – Cali’s Digital License Plates Hacked
A team of security researchers managed to gain “super administrative access” into Reviver, the company behind California’s new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. Credit: Vice
The AICPA, Owner of the SOC 2 ‘Security’ Certification, Hacked
This is probably more embarrassing than anything else – maybe, depending on whether accountants follow strong security practices like not reusing passwords and using multi-factor authentication – both probably unlikely. Also important is that AICPA members certify other organizations' security practices with their SOC 2 assessment – and then got hacked themselves. Now 140,000 members of the American Institute of Certified Public Accountants have their credentials for sale on the dark web, and a sample of that data has already been released. Credit: Cybernews
Norton Lifelock Warns of Password Manager Account Compromise
Gen Digital, the new owner of the Lifelock brand, is sending data breach notifications to some customers. The hacker activity lasted about 10 days, and the investigation indicates that the problem was not a breach at Gen Digital, but rather a problem of users reusing passwords (called a password stuffing attack). Gen Digital says that if users used the same password for their account and for their vault, and/or used a weak password for their vault, their passwords may have been compromised. Password managers are under attack because that is where the cool data is. Use a very strong password for your vault. Do not reuse it anywhere. Use 2FA. Use the recommended vault parameters, like many, many rounds of PBKDF2, and you should be good even if the vault itself is compromised. Credit: Dark Reading
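To put numbers on the vault advice above, here is an added example (not from the article or from Gen Digital) that audits an account against those four recommendations and estimates how long offline guessing would take against a stolen vault. The iteration floor, the 60-bit threshold, the attacker speed and both sample accounts are assumptions chosen for illustration.

```python
import hashlib
import os

# Assumption: floor from OWASP's Password Storage Cheat Sheet for
# PBKDF2-HMAC-SHA256; the article only says "many, many rounds".
MIN_PBKDF2_ITERATIONS = 600_000
# Assumption: constructed attacker speed in PBKDF2 rounds per second.
ATTACKER_ROUNDS_PER_SEC = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password, salt, iterations):
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def years_to_crack(entropy_bits, iterations):
    """Expected years of offline guessing against a stolen vault: half the
    password space on average, each guess costing `iterations` rounds."""
    expected_guesses = 2 ** (entropy_bits - 1)
    guesses_per_sec = ATTACKER_ROUNDS_PER_SEC / iterations
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def audit_vault(settings):
    """Check one account against the four recommendations in the item."""
    findings = []
    if settings["kdf_iterations"] < MIN_PBKDF2_ITERATIONS:
        findings.append("kdf_iterations below minimum")
    if settings["master_password_entropy_bits"] < 60:  # assumed threshold
        findings.append("weak master password")
    if settings["master_password_reused"]:
        findings.append("master password reused elsewhere")
    if not settings["two_factor_enabled"]:
        findings.append("2FA disabled")
    return findings


# Constructed sample accounts, not real data. 77 bits is roughly a
# six-word random passphrase; 30 bits is a short, guessable password.
WEAK = {"kdf_iterations": 5_000, "master_password_entropy_bits": 30,
        "master_password_reused": True, "two_factor_enabled": False}
STRONG = {"kdf_iterations": 600_000, "master_password_entropy_bits": 77,
          "master_password_reused": False, "two_factor_enabled": True}

if __name__ == "__main__":
    key = derive_vault_key("constructed passphrase", os.urandom(16), 600_000)
    for name, acct in (("weak", WEAK), ("strong", STRONG)):
        years = years_to_crack(acct["master_password_entropy_bits"],
                               acct["kdf_iterations"])
        print(name, audit_vault(acct), f"{years:.3g} years, key {len(key)} bytes")
```

Under these assumptions the weak account falls in minutes while the strong one holds for billions of years, and raising the rounds from 5,000 to 600,000 alone multiplies the attacker's cost by 120.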
Germany’s Cartel Watchdog Not Happy With Google
The watchdog says that the choices offered by Google are not sufficiently transparent and too general. As a Google user and an expert in the field of security, many times even I can’t understand what they are doing, so how can the average person understand? From Google’s standpoint, if they can’t steal your data, they go out of business, so it is an interesting juggling act for them. This means full employment for a lot of lawyers. And, it is not good for Google that this is happening in Germany, where the anti-surveillance laws are probably the strongest in all of Europe. Credit: The Register
Asian eCommerce Hacking Group is Netting Billions in Fraud
Fraud is easier than honesty. A Southeast Asian-based hacking group has been using its tech skills to steal billions in laptops, phones, chips and gaming devices, convincing mules to cross-ship them to Asia, where they are sold at inflated prices. Just in November, they targeted more than $3 billion in merchandise. Merchants pay for that, and they in turn raise prices for you and me. Credit: Dark Reading