Special Holiday Edition: Woman Arrested for Stealing Pelosi's Laptop and Allegedly Trying to Sell It to Russia, Other Top Infosec News

WhatsApp postpones new data-sharing policy, Rob Joyce named head of NSA's cybersecurity directorate, Trump sticks it to Huawei one last time, Scottish EPA hit by ransomware on Christmas Eve, more

This is a special holiday edition of Metacurity, published on the day we honor the great humanitarian and civil rights leader Rev. Martin Luther King Jr. We hope that all our readers will speak out against injustice. In the immortal words of Dr. King:

In the end, we will remember not the words of our enemies, but the silence of our friends.

The FBI is investigating evidence that one of the January 6 rioters on Capitol Hill, Riley June Williams, stole a laptop or hard drive from Speaker Nancy Pelosi's office and intended to sell it to Russians.

According to tweets from reliable sources, Williams has now been arrested after being turned in to the FBI by her boyfriend. (Kyle Cheney / Politico)

Related: CourtListener

Facebook-owned WhatsApp said it wouldn’t enforce the planned update to its data-sharing policy until May 15, after tens of millions of its users flocked to rivals such as Signal.

The company said that no one would have their accounts suspended or deleted by failing to accept the new policy. It plans to clear up “the misinformation” around how privacy and security work on WhatsApp. (Manish Singh / TechCrunch)

Related: India Today Latest Stories, Motley Fool, The Hindu - News, The Next Web, TechNadu, WebProNews, Telecomlive.com, Android Central, RT USA, TechDator, Techradar, Japan Today, Channel News Asia, Washington Post, The Financial Express, GSMArena.com - Latest articles, France 24, BusinessLine - Home, South China Morning Post, BusinessLine - Home, NDTV Gadgets360.com, WCCFtech, The Register

In what is likely the last punitive action against Chinese telecom tech giant Huawei, the Trump Administration told the company’s suppliers, including chipmaker Intel, that it is revoking certain licenses to sell to the company and plans to reject dozens of other applications.

The administration has argued that Chinese tech suppliers threaten U.S. national security by embedding surveillance technology into their kit. (Karen Freifeld, Alexandra Alper / Reuters)

Related: Gizchina.com, Business Insider, TechNode, Neowin, Marketwatch, Silicon UK, SlashGear, Business Insider, Lawfare, IT Wire, South China Morning Post, Fudzilla, CyberNews

The National Security Agency confirmed that longtime official Rob Joyce would become the new leader of the agency’s cybersecurity directorate.

Joyce follows Anne Neuberger, appointed Deputy National Security Advisor for Cyber and Emerging Technology for the National Security Council (NSC) by the incoming Biden Administration. (Justin Katz / FCW)

Related: Cyberscoop, Washington Post, Dark Reading

Two kids found a security flaw, now fixed, in the Linux Mint project that could have allowed a threat actor to bypass the OS screensaver and its password and access locked desktops.

According to a bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a Linux Mint screensaver crash, allowing the two access to the desktop.

Related: Reddit - cybersecurity, Security Affairs, E Hacking News, Slashdot, DataBreaches.net, HotHardware.com, Github

A ransomware attack hit the Scottish Environmental Protection Agency on Christmas Eve, affecting its contact center, internal systems, processes, and internal communications.

The agency said the attack was “likely to be by international serious and organized cyber-crime groups intent on disrupting public services and extorting public funds.” (Duncan Riley / SiliconAngle)

Related: Infosecurity Magazine, TechTarget, E Hacking News

The data regulator for the German state of Lower Saxony fined local laptop retailer notebooksbilliger.de AG (doing business as NBB) €10.4 million ($12.5 million) for keeping its employees under constant video surveillance for the past two years without a legal basis.

Two years ago, the company installed a video monitoring system inside its warehouses, salesrooms, and common workspaces to prevent and investigate thefts and track product movements. (Catalin Cimpanu / ZDNet)

Related: Security Affairs

Police investigations were compromised by an error that resulted in the deletion of 230,000 records from the National Police Chief Council’s databases in the UK.

The lost entries were related to people who were arrested and then released without further action. (BBC News)

Related: TechTarget, Reddit - cybersecurity, HackRead, The Times, Standard.co.uk, Security - Computing, Reddit - cybersecurity, TechTarget, Infosecurity Magazine, iNews, Public Technology

The European Medicines Agency (EMA) said that some of the stolen Pfizer/BioNTech vaccine candidate data were doctored by threat actors to undermine the public’s trust in vaccines.

Sources say the leaked data archives included email screenshots, EMA peer review comments, Word, PDF, and PowerPoint documents. (Sergiu Gatlan / Bleeping Computer)

Related: HealthITSecurity, RT News, Associated Press Technology, TechCrunch, RT News, POLITICO EU, European Medicines Agency, ibtimes.sg : Top News, Security News | Tech Times, SecurityWeek

Researchers at Positive Security disclosed a series of attacks by Chinese threat actor Winnti (or APT41) that has targeted organizations in Russia and Hong Kong with malware, including a previously undocumented backdoor.

The backdoor, called Crosswalk, is a modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode. (Ravie Lakshmanan / The Hacker News)

Related: Security Affairs, PT Security

Facebook has sued two Portuguese nationals for developing browser extensions that scraped user data from Facebook sites.

The extensions were developed by a software company named "Oink and Stuff," which specialized in creating Android apps and browser extensions for Chrome, Firefox, Opera, and Microsoft Edge. (Catalin Cimpanu / ZDNet)

Related: SecurityWeek, Techradar, HackRead, Techradar, Infosecurity Magazine, Facebook

According to a transcript provided by Gemini Advisory, the administrator of the notorious dark web carding site Joker’s Stash said it would shut down in 30 days.

The move follows recent law enforcement action against the site. (Jeff Stone / Cyberscoop)

Related: Infosecurity Magazine, Decrypt

Attackers can target government sites, including NASA and NOAA, using an undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools, Jackson Henry of the Sakura Samurai ethical hacking group discovered.

Although researchers reported the vulnerability more than 90 days ago, no public disclosure has been made by the Apache project. (Ax Sharma / Bleeping Computer)

Related: US-CERT Current Activity

Plug, Plug, Plug

Check out my latest CSO Online column, which discusses the changes wrought by SolarWinds on the congressional legislative agenda for cybersecurity.
