Security News Update for Week Ending July 19, 2024
AT&T is First Company To Evade SEC’s 4 Day Breach Disclosure
No, they are not badasses, they asked for permission. The SEC rules that went into effect last year have a carve-out from the disclosure rule – actually it is not an exception, just a delay. It is not clear who asked whom, but AT&T did not disclose the breach until now and the FBI has arrested at least one suspect in the case. They actually delayed the breach announcement twice and now that the FBI has a suspect in custody, AT&T had to file the breach notice. Credit: CSO Online
There is a Silver Lining in Everything – to Some People
Gee whiz. This has got a little bit of everything in it. Criminals are using the attempted assassination of Trump to lure victims into a crypto doubling scam using deepfake Elon Musk videos on hijacked YouTube channels. The channels are broadcasting deepfake videos of Musk promising to reveal insights into the attack. The channels boast subscriber counts in the millions and were renamed to include references to Elon and Junior. The videos have a QR code (what could go wrong) pointing to fake Tesla and Trump domains promising a $100 million crypto giveaway. Wow. Credit: Hackread
Britain’s New Gov to Introduce Watered-Down Mandatory Breach Reporting
Reports are that the brand, shiny, new British government wants to enact a new breach law. This law may only apply to ‘regulated entities’. It is reported that those regulated entities will include IT service providers and may also include regulated entities’ other supply chain partners. It would empower sector-specific regulators to ensure cyber safety measures are in place, require mandatory reporting and, apparently, give these regulators investigatory and “cost recovery” mechanisms (i.e. fines). Credit: The Record
FBI Takes 40 Minutes to Crack Trump Shooter’s Phone
The FBI contacted Israeli hacking firm Cellebrite, which gave them some new, unreleased software. With that, it took the FBI 40 minutes to crack the phone. The phone was a Samsung Android phone, but before you read too much into this, we don’t know the age of the phone or operating system version, how it was configured or how it was protected. Cellebrite does have a good reputation for hacking phones. What we don’t know is whether they are like another Israeli hacking firm, NSO Group, makers of Pegasus, who, it is claimed, never met a check they didn’t cash, no matter who signed it. Credit: Cybernews
Was Your Friday as Bad as CrowdStrike’s? Or its Customers?
If it was, I feel sorry for you. A simple errant software update (we believe) brought large chunks of the world to a standstill. Add to that an apparently unrelated outage at Microsoft (maybe) and we had – have – a grade A dumpster fire. The CrowdStrike update brought millions of Windows systems to a complete halt with no easy way to fix them. It will likely be days – or more – before they are all fixed. Airlines and financial institutions have tens of thousands of PCs each, which need to be manually fixed one at a time – and which are scattered around the globe. Kind of points to how brittle our IT systems are. More on this next week, but there are going to be a lot of people asking a lot of questions – which is probably not altogether bad. And a lot of lawyers cashing large retainer checks. Highly uncomfortable, for sure. Credit: Brian Krebs