At a glance.
- Office selfies aren't really necessary, kids.
- Opt-out ad-tracking.
- Cars need privacy, too.
- Trickbot rising.
- Update on the Arson Cats' hacktivism.
Office selfies bring data theft close to home.
The pandemic has led to a work-from-home revolution, meaning our offices are often steps away from our bedrooms. The sudden shift makes it easy to forget that sharing a glimpse of that office or a screenshot of a virtual meeting could give cybercriminals a dangerous peek into our private lives. As Human Resources Director warns, researchers at security firm Sophos have found that seemingly harmless photos of home offices shared on social media platforms can reveal private data: home addresses, names of family members, or clues about our social groups and interests. User passwords are often derived from these everyday details, and these images can even give away sensitive corporate data, names of coworkers, company software, or device identification numbers. The experts’ advice: stick to cat pics.
T-Mobile launches opt-out ad tracking program.
Next month, US cell phone carrier T-Mobile will be automatically enrolling its customers in an advertising program sharing their web activity with outside parties, the Wall Street Journal reports. Though customers can opt out by changing their settings, the update will make participation the default. Due to T-Mobile’s 2020 merger with Sprint, the new policy will cover Sprint customers who in the past were excluded from ad tracking unless they opted in. “We've heard many say they prefer more relevant ads so we're defaulting to this setting,” a T-Mobile spokesperson stated. The data will be shared anonymously, and businesses and children will be exempt from the program. As Light Reading reports, other carriers like AT&T and Verizon also recently dabbled in online ad tracking by purchasing online platforms, hoping to gain a cut of the profits enjoyed by tech giants like Google and Facebook. But the sale of user data has met with much adverse criticism, and AT&T and Verizon have since minimized the practice.
Volvo focuses on data protection compliance.
The Wall Street Journal reports that, in an effort to improve its data protection policies, Swedish automaker Volvo has appointed Augusta Speiser as its new chief compliance and ethics officer. Speiser brings with her a background in data protection, valuable experience as the carmaker, like so many others, aims to increase smart features and mobile device integration in its vehicles. “Managing data and operating in a compliant manner from a data protection perspective have always been important to Volvo Cars, but with the transformation of the industry and our business, data protection has become a strategic priority for Volvo Cars,” stated Maria Hemberg, Volvo’s head of legal and corporate governance.
Trickbot becomes leading global threat.
Check Point Research’s Global Threat Index for February shows that Trickbot has become the most used threat among cybercriminals, rising from third place in January. Trickbot has become a malware of choice due to its versatility and its success in past campaigns, including last year’s attack on leading US healthcare provider Universal Health Services. The international police takedown of the Emotet botnet has led attackers to focus on other threats, and this past month Trickbot was used in a spam operation targeting the legal and insurance sectors. Other threats worth noting: “Web Server Exposed Git Repository Information Disclosure” is the top exploited vulnerability, affecting 48% of organizations, and Android malware Hiddad maintains its position as the most used mobile threat.
Update on the Verkada surveillance camera breach.
As the CyberWire noted yesterday, a hacktivist group breached the systems of security camera management provider Verkada, gaining access to 150,000 surveillance cameras used by Verkada clients including hospitals, schools, police stations and even car giant Tesla. Bloomberg now reports that Verkada has informed the US Federal Bureau of Investigation about the massive hack. In a statement on its website, Verkada confirmed this: “In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.” The company also disclosed that the hackers accessed a tool that allowed them to execute shell commands on some cameras, though it is unclear whether they used that capability. The company also says that its systems were secured by mid-day Tuesday: the Arson Cat hacktivists were in for about two days before being ejected.
We've continued to receive industry reaction to the hacktivist compromise of Verkada security cameras. Josh Bohls, Founder of Inkscreen, hopes people get the word on the importance of securing multimedia content generally: "While this breach is related to IOT security cameras, it underscores the importance of protecting and managing multimedia content (photos, videos, audio recordings) that employees capture. This is especially critical when it comes to mobile devices; the photos and videos captured on the job are often left unprotected and outside the sphere of IT control."
And Bryan Embrey, Product Marketing at Zentry Security, points out that a hack doesn't have to be all that artistic to succeed: "In this case, hackers used relatively unsophisticated methods to penetrate Verkada’s systems. However, it illustrates that this attack could have been prevented by using zero trust techniques like multi-factor authentication, which requires more than a simple username and password to gain access. Moreover, this attack spotlights the extent of resources that can be exfiltrated if an attack is successful – not only nearly 150,000 camera feeds, but records of 24,000 Verkada customers, and Verkada company records and financial statements. It is imperative that organizations deploy zero trust mechanisms today to reduce the chance of unauthorized network access."