Dateline the Internet: the Log4j vulnerability (Log4shell).
Log4j update: risk assessed, denial-of-service bug fixed, and advice for boards. (The CyberWire) As Apache issues another upgrade, security firms evaluate the current state of play with respect to Log4j, and Britain's NCSC summarizes what boards need to know about their risk. And a large-scale, familiar ransomware operation begins exploiting Log4shell.
Log4j – Apache Log4j Security Vulnerabilities (Apache Logging Services) This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is given a security impact rating by the Apache Logging security team. Please note that this rating may vary from platform to platform. We also list the versions of Apache Log4j the flaw is known to affect, and where a flaw has not been verified, list the version with a question mark.
Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability (The Hacker News) Apache issues a third patch to fix a new high-severity Log4j vulnerability.
Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS (BleepingComputer) Yesterday, BleepingComputer summed up all the log4j and logback CVEs known thus far. Ever since the critical log4j zero-day saga began last week, security experts have time and time again recommended version 2.16 as the safest release to be on. That changes today with version 2.17.0 out that fixes CVE-2021-45105, a DoS vulnerability.
Log4j vulnerability: what should boards be asking? (NCSC) Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability.
Log4j Vulnerability Resource Center (Sonatype) The wave of security vulnerabilities and exploitation affecting Log4j (Log4shell) continues to be a serious concern. Here is a one-stop shop of Log4j resources.
Understanding the Impact of Apache Log4j Vulnerability (Google Online Security Blog) Posted by James Wetter and Nicky Ringland, Open Source Insights Team More than 35,000 Java packages, amounting to over 8% of the Maven Cent...
Google: More than 35,000 Java packages impacted by Log4j vulnerabilities (The Record by Recorded Future) Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library.
Log4Shell By The Numbers | Log4Shell Vulnerability Data (Contrast Security) Monitoring thousands of applications, Contrast Security has a unique data set. Read about our really interesting takeaways about Log4Shell vulnerability.
Threat Alert: Tracking Real-World Log4j Attacks (Aqua) Due to CVE-2021-44228, Log4j is vulnerable to arbitrary code execution. Team Nautilus analyzed real-world attacks exploiting the Log4j vulnerability.
Germany and US are top two countries of origin for Log4j attacks (SC Media) Bitdefender reported Friday that the U.S. still stands as the leading target, with the United Kingdom and Canada next at 8% each.
Log4Shell – The call is coming from inside the house (Bitdefender) Dive deeper into the Log4j vulnerability to learn more about the honeypot and telemetry detections that are part of this rapidly evolving cyber threat.
Log4J vulnerability: What happened this week and what comes next? (Tech Monitor) Securing systems against the Log4J vulnerability is "going to be a marathon, not a sprint," experts warn.
Log4j vulnerability: cyberworld still in turmoil 10 days on (Israel Defense) From ransomware to nation-state sponsored cyberattacks, everyone seems to have jumped on the Log4Shell bandwagon, while Apache rolls out yet another patch.
Microsoft Windows users told to update NOW as hackers exploit security loophole (The US Sun) MICROSOFT is warning users to update their systems after a vulnerability that is allegedly being exploited by foreign hackers. Experts are warning Windows users to update their computers after the …
S2W notes in a recently released report that Log4j-related vulnerability attacks are already underway on the dark web. (PRNewswire) Data intelligence company S2W (https://s2w.inc/) recently released an analysis report on Logs of Log4shell (CVE-2021-44228) and introduced countermeasures. Malware that has already exploited the vulnerability has been actively distributed on the dark web since December 10.
Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous [EN] (Medium) Vulnerability information discovered in log4j, a library used for Java logging, was disclosed and we analyzed it. This report contains contents such as vulnerability-related posts on the darkweb and domestic and international current responses, and the S2W’s vulnerability analysis report was delivered exclusively to our customers through the Xarvis solution.
DHS issues emergency directive ordering all federal civilian agencies to address Log4j flaw (CyberScoop) U.S. cyber officials issued an emergency directive Friday giving all federal civilian agencies until Dec. 23 to assess their internet-facing networks for the Apache Log4j vulnerability and immediately patch the systems, or take other measures to mitigate the software flaw.
Log4j software bug: CISA issues emergency directive to federal agencies (CNET) Casual computer users have probably never heard of this logging software, but it's used across the entire internet.
CISA Issues Emergency Directive For Log4j Flaw (Decipher) Federal agencies have until Dec. 23 to track down systems vulnerable to Log4j and apply patches or mitigations.
Log4j: Major IT vendors rush out fixes for this flaw and more ahead of Christmas (ZDNet) IBM and Cisco release Log4j fixes as VMware patches critical non-Log4j flaw.
Protecting Against the Log4j (Log4Shell) Vulnerability - What is it & What Actions Can You Take? (Morphisec) A new zero-day vulnerability in Log4j poses a significant risk to networks everywhere. Learn what you need to know about Log4j and what to do about it.
How Risky Is the Log4J Vulnerability? (Dark Reading) Security teams around the world are on high alert dealing with the Log4j vulnerability, but how risky is it, really?
Log4Shell Active Exploitation Continues… (Fidelis Cybersecurity) Multiple high-fidelity sources continue to report that cyber threat actors of various skill and motivation are leveraging this vulnerability to either deliver their primary payload (e.g., cryptocurrency mining malware) or establish initial access into the victim environment (e.g., Cobalt Strike), which will almost certainly lead to more intrusion chains of various sophistication. While we have yet to directly observe Cobalt Strike use, Fidelis Threat Research Team (TRT) has observed an exorbitant amount of Linux/Unix command shell injection in the week since the disclosure of the Log4Shell vulnerability.
The Week in Ransomware - December 17th 2021 - Enter Log4j (BleepingComputer) A critical Apache Log4j vulnerability took the world by storm this week, and now it is being used by threat actors as part of their ransomware attacks.
The Next Wave of Log4J Attacks Will Be Brutal (Wired) So far, Log4Shell has resulted mostly in cryptomining and a little espionage. The really bad stuff is just around the corner.
Log4Shell Vulnerability Poses Massive Cybersecurity Threat (JD Supra) A widely reported flaw in popular software known as Log4j poses a severe cybersecurity threat to organizations around the globe, with hundreds of...
Huge Log4Shell computer flaw is even worse than previously thought (HiTech Wiki) We must no longer speak of the Log4Shell flaw in the singular, but of Log4Shell flaws in the plural. The infrastructure manager Cloudflare has just revealed that hackers are exploiting a second bug in the Log4j module which is part of Apache, the most used web server in the world in 2021, all platforms combined. […]
Conti ransomware uses Log4j bug to hack VMware vCenter servers (BleepingComputer) Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.
Conti Ransomware Group Exploiting Log4j Vulnerability (HackRead) These attacks started on December 13 in which the group focused on targeting VMWare vCenter servers.
MobileIron Users Targeted in Log4Shell Attacks as Exploit Activity Surges (SecurityWeek) MobileIron users have been targeted in Log4Shell attacks as Cloudflare reports surge in exploit activity.
Apache Log4j Vulnerability – Why It’s Dangerous and How to Prevent a B (PRWeb) A NYC area cybersecurity expert identifies the cyber risks posed by the Apache Log4j vulnerability and what to do about it in a new article on the eMazzant
Media Alert: Qualys Offers Free Access to Its Web Application Scanning App to Help Organizations Quickly Find Log4Shell Vulnerabilities (PR Newswire) Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it...
Log4j Vulnerability and Cloud Guard AppSec Machine Learning based Approach for Preemptive Prevention (Check Point Software) Check Point’s Infinity Platform is the only security platform that offered
Attacks, Threats, and Vulnerabilities
Officials warn of increased hacking threat during holiday season (TheHill) Senior Biden administration cybersecurity officials warned business leaders Thursday to be on guard against cyberattacks during the upcoming holiday season, noting that hackers are often more active when Americans are taking time away fr
Key details of Huawei security breach in Australia revealed (News.com.au) Details of a key security breach reportedly involving Huawei in Australia — which ignited US concerns about the Chinese telco — have been revealed.
Australia Telecom Hack: Huawei Documents Point to Chinese Spies' 'Secret Activities' (Tech Times) The recent investigation from the authorities pointed out the potential spying activities of Chinese hackers on an Australian telecom firm using Huawei.
US distrust of Huawei linked in part to malicious software update in 2012 (Register) Report claims Huawei techs working for Chinese intelligence compromised Australian telco
US government has "warned for years" Huawei products could pose security risk (Sky News) Sky News host Caleb Bond says the US government has "openly warned for years" Huawei telecommunication products from China could pose a national security risk.
Mr Bond said Australian intelligence officials had informed their US counterparts about a detected telecommunication intrusion, which began with a software update from Huawei which was loaded with malicious code.
"And the update appeared legitimate, but secretly reprogrammed the equipment to record all communications passing through it."
Electronic Weapons: Huawei Network Spyware (Strategy Page) Chinese smartphone and telecommunications giant Huawei has long been accused of secretly equipping its phones with software and hardware features that can be used to send user information back to China. Recently Western Internet security researchers dis
Trend Micro Spots Chinese Hackers Targeting Transportation Sector (SecurityWeek) Trend Micro warns that a state-sponsored APT has been hitting government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan.
US federal agency compromised in suspected APT attack (The Record by Recorded Future) A sophisticated threat actor has gained access and has backdoored the internal network of a US federal government agency, antivirus maker Avast reported this week.
Spyware Find Highlights Depth of Hacker-for-Hire Industry (SecurityWeek) Security researchers said Thursday they found two kinds of commercial spyware on the phone of a leading exiled Egyptian dissident, providing new evidence of the depth and diversity of the abusive hacker-for-hire industry.
Even if the NSO Group shuts down, it won't stop paid iPhone attacks (AppleInsider) Security researchers have discovered a new type of sophisticated iPhone spyware, signaling that Apple's devices are still threatened even if NSO Group shuts down its surveillance tools.
Oxeye Identifies Exploit Exposing PII in Online Payment Services (EIN News) Exploit leverages Jaeger to access sensitive user data.
Cyberattack on Payroll Provider Sets Off Scramble Ahead of Holidays (Wall Street Journal) A cyberattack on a popular payroll software provider sent work-tracking systems offline this week, forcing companies to resort to manual methods to pay workers.
Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam (INKY) Between Aug. 15 and Dec. 13, INKY detected 410 phishing emails that impersonated pharmaceutical and biotechnology giant Pfizer’s brand in a run of request-for-quotation (RFQ) scams.
Fraudsters conning fans via 'Spider-Man: No Way Home' web links (The Siasat Daily) New Delhi: Cyber-security researchers on Friday warned that fraudsters are tricking people and stealing their bank details via phishing links based on the
39 Ransomware Groups Targeted Healthcare in the Past 18 Months (Health IT Security) A dozen ransomware groups targeted healthcare despite making promises to not go after the sector, CyberPeace Institute data revealed.
Logistics giant warns of BEC emails following ransomware attack (BleepingComputer) Hellmann Worldwide is warning customers of an increase in fraudulent calls and emails regarding payment transfer and bank account changes after a recent ransomware attack.
B&K Issues Cyber-attack Notice (Infosecurity Magazine) Chicago accountancy company’s data exposed in ransomware attack
A cyber attack may have exposed information of thousands of Suffolk County first responders (WSHU) Suffolk IT workers don’t know if the county’s payroll information was exposed in the attack on UKG, the maker of the popular HR system Kronos.
Russian hackers leak confidential UK police data on the 'dark web' (Mail Online) The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access to the police national computer (PNC) on the so-called 'dark web'.
Report: Ghana Government Agency Exposes 100,000s of Citizens in Massive Data Breach (vpnMentor) Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach related to Ghana’s National Service Secretariate (NSS).
Privacy Commissioner Notified After Data Breach At Five Counties Children's Centre (Kawartha 411) The Privacy Commissioner has been notified after a large data breach at Five Counties Children's Centre. A privacy breach occurs when Ontario's Personal Health Information Protection Act (PHIPA) has been contravened, for example, where personal health information is stolen, lost or
Hackers attack Israeli hiking websites, leak personal information (Jerusalem Post) The information of 200 users was leaked by the Sharp Boys hacker group, with a threat to leak the data of three million people.
Lewis and Clark ransomware story goes global (Alton Telegraph) In the months since President Joe Biden warned Russia's Vladimir Putin...
AWS blames 'network congestion' for this month's second outage (Computing) It was the second outage of the month, affecting many sites and services
City has spent $2 million recovering from ransomware attack, city officials say (Tulsa World) The computer system is essentially back to the way it was before the April attack, according to the city.
Security Patches, Mitigations, and Software Updates
Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble (Naked Security) Have you ever seen the message “An error occurred”? Even worse, the message “This error cannot occur”? Facts matter!
Windows 11 latest update fixes a bug slowing down PCs or crashing apps (Windows Latest) Microsoft recently acknowledged two bugs in Windows 11 that could crash apps or slow down your entire system. With the latest security update (KB5008215), Microsoft has fixed the two known issues, underlining just how serious this problem is. In its changelog for the Patch Tuesday update, Microsoft confirmed the fix now applies to all configurations. …
Trends
Forget year-end predictions, let’s address three long-standing security problems (SC Magazine) The great Yogi Berra said it best: “It's tough to make predictions, especially about the future.” I agree.
The State of Security in the UK: Lessons from the NCSC Report (The State of Security) The National Cyber Security Centre (NCSC) recently released its fifth annual review of the state of cybersecurity in the United Kingdom.
Welcome To 2032: A Merged Physical/Digital World (Forbes) By 2032, it will be logical to assume that the world will be amid a digital and physical transformation beyond our expectations. It is no exaggeration to say we are on the cusp of scientific and technological advancements that will change how we live and interact.
Marketplace
Anser buys Fairfax intelligence firm with deep technology offerings (Washington Business Journal) The purchase provides the Falls Church nonprofit with a range of IT, intelligence and systems engineering capabilities.
Cerner could be acquired by Oracle, says WSJ (Healthcare IT News) The two companies are "in talks" for a deal that could be worth as much as $30 billion, according to the report.
Cybercrimes are inevitable, businesses must prepare (Gulf Business) Cyber insurance is just as essential to a business as health insurance is to individuals and their families.
Jefferies Resigns as Loan Agent for Spyware Maker NSO Group (1) (Bloomberg Law) Jefferies Financial Group Inc., one of Wall Street’s closest allies of spyware firm NSO Group, is resigning from a key administrative role for the Israeli company’s debt, according to a person with knowledge of the matter.
NSO Lender Group Taps Banker as Spyware Firm Considers Options (Bloomberg Law) Some first lien lenders to spyware company NSO Group have selected PJT Partners to assist with debt talks, according to people with knowledge of the matter.
Palantir to reshore UK data processing from US amid regulatory storm (CityAM) Technology company Palantir will reportedly relocate its data processing for UK clients as it seeks to avoid tightening regulation.
Tenable names Nigel Ng APAC vice president (iTWire) Security vendor Tenable has appointed Nigel Ng to the role of vice president for the Asia Pacific region. "Ng's appointment comes at a time when organisations in APAC continue to migrate business-critical functions to the cloud to support a remote and hybrid workforce, exposing a vast majori...
Products, Services, and Solutions
CYREBRO Announces Serverless Universal SIEM Plugins (PRWeb) CYREBRO, the first interactive SOC platform solution for businesses of all sizes, today announced the immediate availability of dedicated APIs that secu
'Dashlane' Password Manager Updates With New Menu, Quick Actions (The Mac Observer) Dashlane has moved the notifications to the bottom menu of the app, right next to the home button.
Technologies, Techniques, and Standards
Ukraine hosts large-scale simulation of cyber-attack against energy grid (The Daily Swig) SANS Institute’s latest Grid NetWars competition involved 250 security pros from Ukraine
ESF, NSA, and CISA Release Fourth Installment 5G Cyber Guidance (MeriTalk) The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the fourth installment on securing the integrity of 5G cloud infrastructures.
Hack-a-Sat Organizers Pledge to Improve Scoring Transparency (Air Force Magazine) Space Force's Hack-a-Sat 2 ended in frustration for participants, who complained of changing rules on the fly and poor communication by organizers.
Executive Partnerships Are Critical for Cybersecurity Success (Dark Reading) One leader alone can't protect an organization from cyber threats, C-suite leaders agree.
Time to Reset the Idea of Zero Trust (Dark Reading) CISOs are increasingly drawn to the zero trust security model, but implementing a frictionless experience is still a challenge.
Design and Innovation
It’s Not Too Soon to Start Talking About 6G (Security Intelligence) 6G technology may be used by bots and devices more than humans. What implications does it have for cybersecurity professionals?
NIST Post Quantum Crypto timelines: avoiding the dangerous misconception (TechNative) In response to the threat to RSA and ECC encryption algorithms posed by quantum computers, the National Institute of Science and Technology (NIST) has been leading an effort to define replacement cryptographic algorithms.
State, Local Govt Can Prepare Now for Post-Quantum Security (GovTech) Quantum computing strong enough to break traditional encryption methods is looming on the horizon — and federal officials want state and local governments to start planning for that future now.
What Does It Mean for AI to Understand? (Quanta Magazine) It’s simple enough for AI to seem to comprehend data, but devising a true test of a machine’s knowledge has proved difficult.
Academia
Best cybersecurity schools and programs (ZDNet) Explore the best cybersecurity schools and programs that outrank the competition with acceptance rates, graduation rate performance, and graduation and retention rates.
Purdue president vows action against Chinese exchange students harassing CCP critic (Washington Examiner) The president of Purdue University offered support to a Chinese student who had been subjected to harassment from other Chinese students for speaking against the Chinese Communist Party.
Legislation, Policy, and Regulation
Finding a way out of the dead-end cyber wars (VentureBeat) If states shift cyber resources from offense to defense, they reduce exposure to foreign attacks and degrade offensive capabilities overall.
Russia demands talks on US, NATO containment amid Ukraine showdown (Yahoo) Russia on Friday unveiled proposals to contain the United States and NATO in the former Soviet Union and Eastern Europe, calling for urgent negotiations with Washington as it amasses forces near Ukraine.
Russia unveils draft treaty with U.S. on security guarantees (Xinhua News Agency via Macau Business) The Russian Foreign Ministry on Friday published a draft treaty it has proposed to the United States on security guarantees.
European security: Putin ups the ante with NATO (Lowy Institute) Why is Moscow making proposals it must know are unacceptable?
Moscow demands: No NATO troops in Estonia without Russia’s explicit permission (Estonian World) The Russian foreign ministry has published two documents of its vision on how Moscow’s relationship with NATO should look; one of the demands to the alliance is that no NATO troops can be deployed in countries that weren’t NATO members before 1997 – including Estonia – without Russia’s explicit permission.
NATO will not let Russia dictate its military posture, Germany says (Reuters) NATO will discuss Russia's security proposals but it will not let Moscow dictate the alliance's military posture, German Defence Minister Christine Lambrecht said on Sunday on a visit to German troops based in Lithuania to deter a Russian attack.
A Surprise Russian Ultimatum: New Draft Treaties To Roll Back NATO (Antiwar.com) The release a couple of days ago on the RF Ministry of Foreign Affairs website of its draft treaties to totally revise the European security architecture - Gilbert Doctorow for Antiwar.com
The Quad Should Speak Out Against Russia’s Aggression Toward Ukraine (Foreign Policy) It’s time for the Indo-Pacific democracies to address the crisis.
Exclusive: Russian ambassador talks "red lines" on Ukraine, ties with China and more (Newsweek) Russian ambassador Anatoly Antonov spoke with Newsweek and warned the U.S. and Western allies against steps "beyond the red lines of our national interests."
Russia envoy: Moscow may up the ante if West ignores demands (AP NEWS) Russia may take unspecified new measures to ensure its security if the U.S. and its allies continue to take provocative action and ignore Moscow's demand for guarantees precluding NATO's expansion to Ukraine, a senior diplomat said Saturday.
Zelensky, Johnson coordinate steps to de-escalate situation around Ukraine (Ukrinform) President of Ukraine Volodymyr Zelensky and Prime Minister of the United Kingdom Boris Johnson discussed energy security issues and coordinated steps to de-escalate the situation around Ukraine. — Ukrinform.
Memo to the international media: Putin has already invaded Ukraine (Atlantic Council) One depressing aspect of Russia's latest military build-up on the Ukrainian border has been the flurry of headlines posing the same question: will Putin invade Ukraine? In reality, Russia has already invaded Ukraine and the war is now in its eighth year.
U.S. and Russia want to talk, but still see "unacceptable" positions on Ukraine (Newsweek) "We are prepared to discuss them. That said, there are some things in those documents that the Russians know will be unacceptable, and they know that," a senior Biden administration official said.
Why Ukraine’s Fight Against Corruption Scares Russia (Foreign Policy) The country’s democratization and its ongoing efforts to fight entrenched graft and cronyism are a threat to Russian President Vladimir Putin’s model of governance.
Joe Biden and NATO ally don't want their own troops reining in Russia on Ukraine (Newsweek) British Defense Secretary Ben Wallace said it was "highly unlikely" anyone would send troops in the event of a Russian invasion.
How Long Could Ukraine Hold Out Against A New Russian Invasion? (RadioFreeEurope/RadioLiberty) How would Ukraine's military fare in the event of a major offensive by the Russian forces massing across the border?
Tech Roundup: Brazil joins international cybercrime convention (The Brazilian Report) Brazil joins the Budapest Convention on cybercrime after last week's government hacks. Will Open Finance ever take off in Brazil?
The UK’s Cyber Strategy Is No Longer Just About Security (Carnegie Endowment for International Peace) The latest report signals a far more assertive approach to cyberspace.
Britain's New National Cyber Strategy Includes Support for Training, Businesses and Law Enforcement (HS Today) The new strategy will bolster law enforcement with significant funding so that they can ramp up their targeting of criminals.
What UK/US cyberthreat cooperation means for global cybersecurity (Intelligent CIO Europe) To tackle today’s sophisticated cyberthreats, organisations must take a proactive approach to cybersecurity – an essential aspect of a rounded and effective strategy. Danny Lopez, CEO at Glasswall, discusses what this means and explores how the UK/US cybersecurity partnership is a testament to the strength of the transatlantic security and intelligence alliance. Meeting at the […]
From Cybercrime To National Security Priority: Biden’s War On Ransomware – Analysis (Eurasia Review) By Pieter-Jan Dockx* When President Biden took office in January 2021, the US was in the midst of one of the largest government breaches in its history. The Russian cyberespionage campaign, known a…
Cyber Challenges for the New National Defense Strategy (War on the Rocks) A major moment for America’s approach for cyberspace might be just around the corner. It’s hard to make a new national defense strategy an exciting
Unified cyber security task force by March: Source (ETCIO.com) The move comes at a time when the government is also finalising a “trusted sources” list for procuring telecom gear as the country moves towards 5..
Treasury Blacklists Eight Chinese Tech Firms for their Role in Uyghur Surveillance (The Record by Recorded Future) The U.S. Treasury Department added eight Chinese technology firms, including drone maker DJI Technology Co Ltd, to an investment blacklist that blocks Americans from investing in securities related to the companies.
The cybersecurity executive order is not all it's cracked up to be (Help Net Security) 72% of federal cybersecurity leaders say the White House’s EO addresses only a fraction of today’s cybersecurity challenges.
CPRA Countdown: It's time to brush up on California's latest data privacy law (The National Law Review) On November 3, 2020, California voters approved Proposition 24, a ballot initiative which enacted the California Privacy Rights Act ("CPRA"). The CPRA amends the California Consu
Can we regulate social media without breaking the First Amendment? (The Verge) Jameel Jaffer on a huge challenge in tech and policy.
‘The Corpse Bride Diet’: How TikTok Inundates Teens With Eating-Disorder Videos (Wall Street Journal) The app’s algorithm can send users down rabbit holes of narrow interest, resulting in potentially dangerous content such as emaciated images, purging techniques, hazardous diets and body shaming.
Air Force Names New Chief Information Security Officer to Lead Cyber Innovation (Air Force Magazine) James “Aaron” Bishop is the Department of the Air Force's new chief information security officer and will drive and highlight cybersecurity innovation.
Litigation, Investigation, and Law Enforcement
The NCA shares 585 million passwords with Have I Been Pwned (The Record by Recorded Future) The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches.
How Russia tries to censor Western social media (BBC News) Western social media companies face huge fines as Russia pressures them to remove content it objects to.
Arsenal Consulting says Pegasus software used to hack into Rona Wilson’s phone as well (Frontline) Arsenal Consulting, a forensics organisation based in the United States, has revealed that the jailed human rights activist Rona Wilson’s phone was attacked with Pegasus, a spyware software, 49 times.
SEC gives JPMorgan Chase record fine for using WhatsApp to conduct business (UPI) JPMorgan Chase has agreed to pay a $125 million penalty for allowing employees on Wall Street to use smartphone apps to get around federal record-keeping laws, regulators announced Friday.
JPMorgan Fined $200 Million Over Employees’ Use of WhatsApp and Other Messaging Apps (Wall Street Journal) The brokerage admitted that it failed to keep track of employees’ use of personal messaging apps such as WhatsApp that circumvented record-keeping requirements.
Amazon Off Hook For Daily EU Privacy Fines (Law360) A Luxembourg judge ruled Friday that the country's data protection regulator can't require Amazon to revise its privacy measures by next month or face daily fines of nearly €750,000, finding that the agency had failed to give the e-commerce giant clear instructions on how to comply with its directive.
USPS keeps ‘extraordinary measures’ for mail-in ballots in place through 2028 under lawsuit settlement (Federal News Network) The Postal Service has agreed to continue with those practices for federal elections through at least 2028.
CBP Didn't Fully Document Response To Breach, GAO Says (Law360) U.S. Customs and Border Protection didn't properly document all the steps it took in response to security breaches that exposed people's identifying information, according to a report from the U.S. Government Accountability Office.