Interesting day in the feeds. Google is providing a service to check for compromised passwords, something I really think is going to do a lot of good. Both the FTC and FCC have updated their breach notification rules, but not without some blowback. Moreover, we’ve got data breaches, malware, and easily cracked passwords.
FCC and FTC Enhance Data Breach Notification Requirements
Sources: Perkins Coie, Arnold & Porter
The Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) have both updated their data breach notification rules. The FCC’s revision expands breach notifications to include all personally identifiable information (PII) and eliminates the need to assess harm likelihood before notifying customers.
The scope of the FTC’s recent changes to the Safeguards Rule specifically targets non-bank financial institutions under the FTC’s oversight. This includes a broad range of entities, such as non-bank mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies connected to financial services, debt collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, certain investment advisors, and entities acting as intermediary finders. These institutions are now required to report data breaches involving unencrypted, personally identifiable, nonpublic financial information affecting at least 500 customers.
The FCC has revised its data breach notification rules, significantly expanding their scope and obligations for telecommunications and VoIP providers. The new rules, targeting consumer protection, now encompass all personally identifiable information (PII), extend to inadvertent disclosures, and introduce differentiated reporting requirements based on breach severity. These updates also include a harm-based notification trigger and remove the previous seven-day waiting period for customer notifications, marking a substantial shift from the agency’s prior data breach regulations.
Observations:
It’s good to see some progress from both agencies. However, it isn’t going to be a clean change.
The FCC was politically divided, passing with a 3-2 margin. Additionally, the FCC’s approach to revising these rules, particularly in light of the Congressional Review Act (CRA), has drawn criticism from Republican commissioners and some Republican senators. They argue procedural grounds, focusing on the extent to which the FCC can implement new rules that are similar to those overturned by Congress and the Trump administration under the CRA.
As for the changes by the FTC, the amendments were passed with a 3-2 vote, reflecting a partisan divide within the Commission. The dissenting commissioners criticized the updated rule for adopting a “one-size-fits-all” approach. They emphasized the importance of recognizing the continuously evolving nature of threats and standards in data security, and noted that the FTC had traditionally not demanded ‘perfect’ security, understanding that data security involves trade-offs and is neither cost- nor consequence-free.
On the other hand, the statement from Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter, who supported the amendments, highlighted the increased complexity of information security and the significant impact of data breaches on Americans.
Google Chrome Now Scans for Compromised Passwords in the Background
Sources: BleepingComputer, SamMobile
Google Chrome has enhanced user security with its latest update, featuring a proactive background scan for compromised passwords. This new functionality in Chrome’s Safety Check will automatically alert users of any security issues found with saved passwords. Additionally, the update brings expanded features such as automatically revoking permissions for sites that users have not visited in a long time, and an option to quickly disable excessive notifications from less-engaged websites. The aim is to prompt users to take immediate action against security threats, improve privacy, and ensure a smoother browsing experience. Google Chrome’s Safety Check tool, first unveiled in December 2020, compares login credentials against those exposed in data leaks and checks for weak passwords.
Observations:
As long as this doesn’t crunch more ram than normal, I think this is a wise automatic security add-on. While using browser-based password management is still a bit of a risk, the development of such features has come a long way over the years.
In my opinion, password managers outside of the browser are still better, but I won’t discourage someone from using unique, randomly generated passwords for each website, and then storing them within the browser, if that is the only option available, or their preference. As long as the risks are known, and accepted, then to each their own.
The real win here is the attack on credential stuffing and password spraying. By eliminating the usage of previously compromised passwords, users are getting an additional layer of protection and assessment that was previously available to them.
The Most Popular Passwords of 2023 Are Easy to Guess and Crack
Source: gHacks Tech News
A recent analysis, including NordPass’s top 200 common passwords list, highlights the continued use of easily guessable passwords, many of which have been common for the past two decades. Examples include simple numerical sequences and default passwords like “admin” and “password.” These passwords are vulnerable to brute force attacks, with most being crackable in less than 12 seconds. The study suggests that many users still prefer passwords that are easy to remember and type, often reusing them across multiple accounts, thereby increasing their susceptibility to cyber threats.
Observations:
Weak passwords are often a sign of authentication friction. If the service or account isn’t seen as valuable, or it is viewed as temporary, then users will generate a password that meets the requirements, but not really put any thought into it. They’ll do this, because the password process (in their eyes at least) only gets in the way.
Sadly, this leads to a situation where criminals can easily guess or crack the passwords used. This is compounded by the fact that users tend to recycle passwords, and augment them in a way the feels more secure, but poses no challenge to a machine.
This is why I am such a fan of password managers. They offer the user a lengthy, completely random, unique password for each website or account. Further, they are harder to phish, because the auto-fill aspect of a password manager will only work on legitimate websites, so scam URLs used in phishing attacks are easily defeated.
Over 15 Cyber Attack Groups Affiliated with Iran, Hezbollah, or Hamas Are Operating Against Israel
Source: Ctech
A report from Israel’s National Cyber Directorate reveals that over 15 cyber attack groups linked to Iran, Hezbollah, and Hamas have been conducting cyber attacks against Israel. These groups, sharing intelligence, methods, and tools, have targeted critical sectors such as healthcare, water, academia, energy, fuel supply, transportation, and maritime shipping. The attacks have evolved from espionage and information theft to inflicting damage, mirroring tactics seen in other conflicts like the Russia-Ukraine war. Notably, ransomware has been a key tool, blocking access to stolen data until a ransom is paid.
The report also highlights efforts to disrupt Hamas’ cryptocurrency-based fundraising, which has become a significant source of income for the organization. Israeli security agencies have identified and seized crypto wallets containing substantial amounts of currencies like Bitcoin, Ethereum, and Tron, underscoring the broadening scope and complexity of the cyber conflict.
Observations:
Nation state aligned threat actors are a serious problem to both the public and private sector, as well as governments. They seem to target anything, and their goal is to create as much chaos as possible. Then there are the targeted attacks, seeking information, access, or disruption of core services or civil functions.
We’ve seen examples of digital attacks resulting in a kinetic response or result, and that is only going to keep happening. There is no single answer or protection in these cases - no one-size fits all. This is a case of proactive posture, and layered defenses.
Android Banking Trojan Chameleon Can Now Bypass Any Biometric Authentication
Source: ThreatFabric
In early 2023, the Chameleon Banking Trojan emerged as a significant threat to the Android ecosystem, initially focusing on users in Australia and Poland. This malware, known for its adaptability, primarily targets mobile banking applications and is distributed through phishing pages that mimic legitimate apps. The Trojan has evolved to manipulate victims’ devices, enabling account and device takeover attacks, especially targeting banking and cryptocurrency services by exploiting Accessibility Service privileges.
The latest iteration of Chameleon has expanded its target region to include the UK and Italy. This refined version, distributed through Zombinder, carries over characteristics from its predecessor while introducing new features. Notable among these is the ability to bypass biometric prompts and to display an HTML page for enabling accessibility service in devices with Android 13’s “Restricted Settings.”
The Trojan employs the KeyguardManager API and AccessibilityEvent to assess screen and keyguard status, transitioning from biometric to PIN authentication, thereby bypassing biometric protection. It also features task scheduling using the AlarmManager API and switches between “a11y” (accessibility) and “usagestats” (user app usage data) for overlay attacks or injection activity, depending on the accessibility service status.
Observations:
The development and release of a new Chameleon variant underscores the adaptive nature of threats within the Android ecosystem. Its ability to evolve and incorporate advanced functionalities like disrupting biometric operations and manipulating accessibility settings marks it as a significant threat.
This is another example of criminals innovating in order to deal with the emerging security defenses that have been embedded across Android over the years.
Data Stolen from Europe’s Largest Parking App Operator
Source: IScanInfo, Born’s Tech and Windows World, Finland Today
EasyPark Group, Europe’s largest parking app operator and owner of brands like RingGo and ParkMobile, reported a breach on December 10, 2023. This breach led to the theft of customer data, including names, phone numbers, addresses, email addresses, and partial credit card numbers. While specific figures weren’t disclosed, at least 950 RingGo users in the UK were affected, suggesting thousands of European customers may be compromised.
The incident sheds light on the increasing centralization of parking services worldwide, as apps and websites replace physical meters and parking attendants. This centralization and the collection of location data carry inherent risks, as they could potentially be used to track individuals physically.
EasyPark, acknowledged as Europe’s largest app in terms of coverage, is among several companies such as Volkswagen’s PayByPhone and JustPark in Europe, as well as ParkWhiz and SpotHero in the US, expanding their global footprint.
Observations:
This news underscores the need for targeted security measures in an era where digital services are replacing many traditional services. While the move to digital processes is a good one, security needs to be implemented from the start of a given app’s development, and strengthened over time or as usage develops.