SEC Fines Three Firms for Inadequate Cybersecurity Practices That Allowed Email Account Takeovers
Ontario police dept. hit with ransomware, Threat actors stole $18.8 million from Cream Finance, LockBit gang poised to release stolen Bangkok Airways files, Indonesian COVID-19 app exposed data, more
The U.S. Securities and Exchange Commission announced that the units of three broker-dealer and investment advisory firms agreed to pay hundreds of thousands of dollars in penalties to settle charges over cybersecurity failures.
The Commission charged KMS Financial Services, five units of financial firm Cetera, and two units of Cambridge Investment Research for failures to adopt and implement cybersecurity policies and procedures that resulted in email account takeovers exposing thousands of customers’ personal information at each firm. The Cetera entities agreed to pay $300,000, Cambridge agreed to pay $250,000 and KMS $200,000. (Chris Prentice / Reuters)
Microsoft issued guidance on securing Azure accounts that may be impacted by a recently addressed Cosmos DB critical vulnerability, dubbed Chaos DB, which gives attackers full admin rights to users' data without authorization.
To mitigate the risk and block attackers who might have stolen Cosmos DB primary read-write keys before Microsoft disabled the vulnerable feature, the company advises regenerating the Cosmos DB keys. Microsoft also issued best practices recommendations to generally secure Azure Cosmos DB accounts. (Sergiu Gatlan / Bleeping Computer)
Related: Spyware news, Cybersecurity Insiders, Windows Central, Silicon Republic, Reddit - cybersecurity, Industrial Cybersecurity Pulse, IT World Canada, Security Affairs, SecurityWeek, Heimdal Security Blog, E Hacking News
Sault Ste. Marie police in Northern Ontario said that in the wake of a ransomware attack last week, its 911 service was not affected, nor was its online reporting system for less urgent crimes. However, its email service has been disrupted.
The attack occurred on August 26th, and the police force said in a statement that “Information Technology staff are working through the attack to regain access to affected systems.” (Howard Solomon / IT World Canada)
A malicious actor stole $18.8 million from decentralized finance (DeFi) lending protocol Cream Finance by exploiting an $AMP token contract weakness to level a flash loan attack.
Blockchain analysis firm PeckShield said the $AMP contract introduced a reentrancy bug allowing for a flash loan attack, allowing threat actors to continue to borrow assets with minimal collateral since they can continue to re-borrow funds so long as they are returned within one transaction block. (Aislinn Keely / The Block)
As part of its “bad practices” series launched in June, the Cybersecurity and Infrastructure Security Agency (CISA) added single-factor authentication as a bad practice that organizations should avoid.
“Single-factor authentication is a common low-security method of authentication,” the agency said in a statement. “It only requires matching one factor—such as a password—to a username to gain access to a system.” (Catalin Cimpanu / The Record)
Darkweb intelligence firm DarkTracer said in a tweet that the LockBit ransomware gang stole 103GB worth of files from Bangkok Airways and is threatening to release them.
The threat came a day after Bangkok Airways admitted it had been the victim of a cyberattack and is taking all relevant measures to bolster its IT system. The data stolen from the airline seemingly includes passenger name, family name, nationality, gender, phone number, email address, other contact information, passport information. historical travel information, partial credit card information, and special meal information. (Lisa Vaas / Threatpost)
Researchers from vpnMentor say that personal information in the Indonesia Health Alert Card (eHAC) app, used by travelers and others, exposed the health status of 1.3 million people "due to the lack of protocols put in place by the app's developers."
The Indonesian government said it is investigating the breach. (Stanley Widianto / Reuters)
Facebook-owned Instagram said it would require users to confirm their birthdays as part of an effort to create new safety features for young people.
Instagram said that it is developing technology to block users from entering fake birthdates. (Sheila Dang / Reuters)
Despite its public stance in favor of user privacy, employees inside Apple say that the company isn’t doing enough to protect their personal privacy and, at times, actively seeks to invade it for security reasons.
They have been asked to use their personal phones to test out features before launch and use personal email addresses to sign up for iCloud accounts they use for work, thereby exposing their personal information and messages to their employer. (Zoe Schiffer / The Verge)
Related: The Mac Observer
Cryptocurrency exchange Coinbase mistakenly sent an automated message to a large number of its customers on Friday, saying, "Your 2-step verification settings have been changed,” alarming some users to the point where they sold off their holdings in a panic.
Coinbase says that the erroneous 2FA messages were the result of an internal error, not hacker activity. (Jim Salter / Ars Technica)
Check Point Software Technologies has agreed to buy email security company Avanan for a reported $250 million to $300 million.
Check Point says the acquisition will allow it to deliver best-of-breed cloud email malware protection and expand security to SaaS collaboration suites. (Michael Novinson / CRN)
Related: Startups News | Tech News, MSSP Alert, GlobeNewswire, Channel Futures, The Times of Israel, iTnews - Security, SecurityWeek, Silicon Angle, Dark Reading, ETTelecom.com, Gadgets Now, Tech Observer, Help Net Security
The Government Technology Agency (GovTech) in Singapore has launched a new Vulnerability Rewards Program that will pay white hat hackers bug bounties of up to $5,000 to uncover vulnerabilities in systems used by the public sector.
The country’s previous bug bounty programs were "seasonal," focusing on five to 10 critical and "high-profile" systems during each run. The new program runs year-round. (Eileen Yu / ZDNet)
The nation’s first-ever cyber director, NSA veteran Chris Inglis, says he plans to use his new White House role to protect critical infrastructure better, strengthen long-term resilience and prioritize cybersecurity in budgets.
After a series of high-profile attacks on U.S. infrastructure, Inglis says he sees his job to“hold [bad actors] at bay and ensure that they don't succeed in ways that, far too often in the past, they have.” (Eric Geller / Politico)
Eric Geller @ericgellerExclusive: In his first in-depth interview, National Cyber Director Chris Inglis tells me how he'll accomplish his major priorities (federal coherence, public-private partnerships, long-term resilience, and budget alignment) w/o many formal authorities. https://t.co/0PxtMwvvBM