A Second, Zero-Day Bug Allowed Hackers to Wipe Out Western Digital My Books

Colombian officials bust Romanian hacker for spreading Gozi virus, CISA issues short list of bad practices, SolarWinds hackers penetrated Denmark's central bank, Cops seize DoubleVPN servers, more

Check out my latest column in CSO that walks through NIST’s definitions of what constitutes critical software, a key component in implementing President Biden’s cybersecurity executive order.

Last week’s mass-wiping of Western Digital My Book Live storage devices involved exploiting one known vulnerability and a second, previously unknown critical security bug that allowed hackers to remotely perform a factory reset without a password. Moreover, a Western Digital developer had actively removed the code that required a valid user password before a factory reset could proceed.

The zero-day flaw resides in a file named system_factory_restore, which contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the device. Western Digital said this reset vulnerability was introduced to the My Book Live in April 2011 as part of a refactor of the authentication logic in the device firmware. The company also said that somebody exploited the first vulnerability to install a malicious binary on the device and later exploited the second vulnerability to reset it. (Dan Goodin / Ars Technica)

Related: HotHardware.com, Extreme Tech, Gizmodo, Techdirt, The Register - Security, The Verge, Bleeping Computer, AppleInsider, PYMNTS.com, Gizmodo, Western Digital

Colombian officials arrested Romanian hacker Mihai Ionut Paunescu, who is wanted in the U.S. for spreading the “Gozi” virus and other forms of malware that infected more than a million computers from 2007 to 2012 and were used to steal money from bank accounts.

Paunescu had been arrested in Romania in 2012 but was able to avoid extradition. Colombia’s Attorney General’s office said authorities detained him at Bogota’s international airport. (Manuel Rueda / Associated Press)

Related: Finance Colombia, The Public’s Radio

Danish technology publication Version2 obtained documents showing that as part of the SolarWinds espionage campaign, Russian hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected.

Despite the hackers’ access, the bank said that it found no evidence of compromise beyond the first stage of the attack. (Ionut Ilascu / Bleeping Computer)

Related: Security Affairs

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a list of two bad cybersecurity practices: using unsupported or “end-of-life” software, and using known, fixed, or default passwords and credentials.

CISA said it released the simple list to ‘focus on the critical few’ elements of risk management because the sheer breadth of risk management recommendations can be daunting for risk managers. (Mariam Baksh / NextGov)

Related: Reddit - cybersecurity, Dark Reading: Threat Intelligence, CISA

White House deputy national security adviser Anne Neuberger said that going on offense against ransomware attackers and penetrating the secrecy surrounding attacks are the two best ways the Biden administration can tackle ransomware.

Neuberger downplayed the idea of banning ransom payments altogether, calling such a move a “difficult policy position” that could harm companies who feel they have to pay up to decrypt their networks. (Tim Starks / Cyberscoop)

Related: SC Magazine, Inside Cybersecurity, Business Insider

Law enforcement seized the servers and customer logs of DoubleVPN, a Russia-based VPN service that double-encrypts data sent through its service.

The splash screen on the former website for DoubleVPN said that the operation was conducted by Germany's BKA, the Netherlands' Politie, the FBI, the UK National Crime Agency, the United States Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police. (Lawrence Abrams / Bleeping Computer)

Related: CNET, The Hacker News, Reuters, Slashdot

In May 2021, hackers breached Everis, a Spanish company with Latin American subsidiaries, compromising multiple datasets, including a NATO cloud computing platform along with its associated source code and documentation. The platform is known as NATO’s Service-Oriented Architecture and Identity Access Management (SOA & IdM) Project and is one of four core projects of NATO's IT modernization efforts.

According to bidding documents, the SOA & IdM Platform was intended to be installed in data centers up to the NATO SECRET level. It would be responsible for several critical functions, including logging, security, messaging, and integration with other services. (Emma Best / DDoS Secrets)

The House Oversight Committee sent a bill, the Federal Rotational Cyber Workforce Program, to the House floor as an identical bill makes its way through the Senate.

The bill creates a rotational program that would allow senior tech industry workers to ply their trade for the U.S. government for a set period before returning to their original or a similar role in the private sector. (Dave Nyczepir / FedScoop)

Related: Defense Systems, NextGov

The National Security Agency (NSA) issued a statement on Twitter denying unfounded allegations by Fox News personality Tucker Carlson that the agency is spying on him to force him off the air.

“Tucker Carlson has never been an intelligence target of the Agency, and the NSA has never had any plans to force him off the air,” the statement reads. Moreover, NSA points out that under U.S. law, it may not target a U.S. citizen without a court order. (Rebecca Falconer / Axios)

Related: Mediaite, Forbes, Washington Examiner, Jerusalem Post, Newsweek, Gizmodo, New York Post, The Sun, Washington Examiner, Variety, AlterNet.org, Raw Story, protothemanews.com, Daily Mail, Daily Beast, Axios, Devdiscourse News Desk

Google Messages now has a feature to organize texts into different categories and the ability to auto-delete one-time password (OTP) texts after twenty-four hours.

However, all of these advancements are currently limited to users in India. (Zachary Kew-Denniss / Android Police)

Related: Trusted Reviews, Phandroid, Android Central, AndroidHeadlines.com, TechDator, xda-developers, Tech Insider, WCCFtech, iPhone in Canada Blog, Google India blog

Google is updating its privacy commitments to users of its Google Nest surveillance products with specific references to multi-device setups, account security, vulnerability research, and future software releases.

Google says that all Nest devices released since 2019 are validated against third-party, industry-recognized security standards, including those developed by the Internet of Secure Things Alliance. Google also reiterated that it will pay bounties to researchers who discover vulnerabilities in Nest as part of its overall vulnerability reward program. (S. Shah / Engadget)

Related: Digital Trends, Android Central, iPhone in Canada Blog, Android Police, 9to5Google, SlashGear » security, ZDNet Security, CNET News, xda-developers, Tech Insider, The Keyword

Tesorion released a free application that can help victims of the new Lorenz ransomware recover encrypted files without paying the ransom.

The decryptor, which was added to the No More Ransom project, is not universal and will work only in some cases. In its most recent iteration, Lorenz has been used exclusively in attacks carried out against enterprise targets. (Catalin Cimpanu / The Record)

Related: Security Affairs, The Cyber Shafarat – Treadstone 71, Exploit One, Bleeping Computer, Tesorion

Sam Altman, CEO of OpenAI and former president of startup accelerator Y Combinator, co-founded a cryptocurrency called Worldcoin that will try to convince people to scan their retinas with a large silver orb to receive tokens.

The retinal scanning is necessary to allow as many people as possible to have cryptocurrency, because so many people are unbanked and have no access to the financial system, according to co-founder Alexander Blania. Worldcoin is currently testing 20 prototypes of the eye-scanning orb on a small scale in various cities. (Ellen Huet, Gillian Tan / Bloomberg)

Related: Gizmodo, VICE News, Business Insider, Futurism, Mashable, Slashdot, Motherboard

The Royal Canadian Navy won Cyber Flag, a yearly cyber training exercise organized by US Cyber Command.

Seventeen teams with 430 professionals competed in the second virtual edition of Cyber Flag, defending against the same attack scenarios simultaneously across eight different time zones. (Catalin Cimpanu / The Record)

Related: Task & Purpose, USNI News, The Hill, Cybercom, Army.mil

The U.S. Government Accountability Office (GAO) said that although the Department of Health and Human Services (HHS) has made progress in threat-sharing efforts to support better cybersecurity, there are areas where HHS could better coordinate its efforts to support department-wide information sharing and overall health IT security.

The GAO’s audit found that the cybersecurity departments within HHS don’t routinely share threat data, partly because HHS doesn’t include the necessary coordination as part of the departments’ responsibilities. (Jessica Davis / SC Magazine)

Related: Executive Gov, Business Insurance, GovInfoSecurity.com, FedScoop, GAO

The U.S. Government Accountability Office (GAO) said that federal law enforcement agencies should track their use of facial recognition technology from the private sector and local governments and assess potential threats to privacy and risks of bias.

The report found that 20 federal agencies own facial recognition systems or use outside parties' systems. Six agencies reported using the technology to help identify people suspected of violating the law during the civil unrest following the death of George Floyd in May 2020. Three agencies admitted using facial recognition systems on images of the U.S. Capitol attack on January 6. (Andrea Vittorio / Bloomberg)

Related: Daily Dot, The Verge, GAO

Beginning in September, Google will tighten its advertising rules in the UK in a bid to crack down on financial scams: all financial services advertisers will have to prove they are authorized by the Financial Conduct Authority (FCA).

The move comes after the FCA vowed to use post-Brexit powers to crack down on tech companies such as Google, warning that platforms were not doing enough to tackle online fraud. (James Warrington / City AM)

Related: Economic Times, NDTV

Accenture announced it will acquire Sweden-based Sentor, a provider of cyberdefense and managed security services. The terms of the deal were not disclosed.

Sentor’s 80 cybersecurity experts will immediately join the Accenture cybersecurity team. (Mark Haranas / CRN)

Related: Help Net Security

The House Appropriations Committee voted to give the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) a budget of $2.42 billion in fiscal 2022, around $400 million above CISA’s budget in 2021 and more than $288 million above what the agency requested earlier this year.

Lawmakers on both sides of the aisle have pushed for an additional $400 million in light of CISA’s critical involvement in addressing the recent spree of high-profile cyberattacks facing the Biden administration. (Maggie Miller / The Hill)

Related: Defense Daily Network

Cybersecurity company SentinelOne is going public today with enough momentum behind it that it may meet its expectations of raising over $1 billion in its initial public offering, giving the company a total value of $10 billion.

Israel-founded, Mountain View-based SentinelOne relies heavily on artificial intelligence to combat cyber threats, specifically a machine-learning-based endpoint security product that it sells under the brand Singularity. (Ingrid Lunden / TechCrunch)

Related: Investor's Business Daily, Security Week, PYMNTS

Image by FASTILY, CC BY-SA 4.0 via Wikimedia Commons