Wow! It’s been a crazy week for cybersecurity among all of the heavy-hitters in the tech sphere. It can be hard to keep up with all of these updates and headlines, right? Good thing Byte Sized News is here to catch you up on a few of the MOST important headlines.
We have a great installment of Byte Sized News for you this week. This has, hands down, got to be the biggest news week from the largest companies we have had since we started this series a couple of months ago. It is not every week you get stories from all of the giants, including Twitter, Microsoft, Zoom, Amazon, AND more!
As always, this series isn’t intended to provide readers with details on every story and topic, but rather to fill busy professionals in on the most compelling developments in the field.
Without further ado, let’s get to this week’s top news stories!
Our first article of the week comes from Threatpost. It covers the massive breach of Twitter that occurred on July 15, 2020. The accounts of high-profile individuals and companies, including Bill Gates, Elon Musk, Joe Biden, Apple, and Uber, were hijacked by an unknown attacker and used to push a cryptocurrency scam to the millions of people who follow them. In response, Twitter temporarily locked down thousands of verified accounts it considered at risk of compromise. The scam tweets promised to "double the value of Bitcoin" for anyone who sent coins to one specific wallet address. Twitter's statement on the incident read, "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." It continued, "We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf." The lesson for defenders is that internal support tooling capable of taking over customer accounts needs the same access controls, MFA, and auditing as production administration. Bloomberg reported at 4:45 p.m. (ET) that the Bitcoin address had amassed 12 Bitcoins, worth approximately $110,000.
Our next article of the week also comes from Threatpost. It covers a previously undisclosed bug in Zoom's customizable URL feature that let attackers pose as a company's employees, invite customers or partners to meetings, and then use social engineering in conversation to extract sensitive information from unsuspecting victims. The bug, since fixed, was disclosed by Zoom and Check Point on Thursday and lived in Zoom's "Vanity URL" feature, which lets a customer host its Zoom calls and events under a personalized subdomain (ex: plextrac.zoom.us). Per Check Point's write-up, the problem was not lookalike domains but a missing check: Zoom did not verify that a meeting actually belonged to the organization whose vanity subdomain appeared in the link, so an attacker could create an ordinary meeting under a free account and simply rewrite its invitation link (https://zoom.us/j/<meeting id>) into the form https://<company>.zoom.us/j/<meeting id>. The link then looked like it came from the company, and an invitee who joined had no indication that the host was an outsider. Once in the meeting the attacker, disguised as a legitimate employee, could extract credentials and other vital information from the users who were duped.
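The check that was missing, as an added example that is not Zoom's code or Check Point's: a link parser that binds the vanity subdomain in a meeting link to the tenant that owns the meeting. The `MEETING_OWNER` registry, the meeting ids, and the `plextrac` tenant name are constructed for illustration and are not Zoom's real data model; the pre-fix behaviour is modelled after Check Point's description of the bug.

```python
from urllib.parse import urlparse

ZOOM_DOMAIN = "zoom.us"

# Constructed meeting registry (hypothetical): meeting id -> vanity subdomain of
# the tenant that created the meeting, or None for a meeting created under a
# plain zoom.us account. Not Zoom's real data model.
MEETING_OWNER = {
    "11122233344": "plextrac",   # legitimate meeting owned by the plextrac tenant
    "99988877766": None,         # meeting created by an attacker on a free account
}


def split_meeting_link(url):
    """Return (vanity_subdomain_or_None, meeting_id) for an https://[vanity.]zoom.us/j/<id>
    link, or None if the link is not a zoom.us meeting link at all."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return None
    host = parts.hostname or ""
    if host == ZOOM_DOMAIN:
        vanity = None
    elif host.endswith("." + ZOOM_DOMAIN):
        vanity = host[: -len("." + ZOOM_DOMAIN)]
        if not vanity or "." in vanity:   # a vanity subdomain is exactly one label
            return None
    else:
        return None                       # lookalike domains never reach the app
    segs = parts.path.split("/")
    if len(segs) != 3 or segs[1] != "j" or not segs[2].isdigit():
        return None
    return vanity, segs[2]


def vulnerable_resolve(url):
    """Pre-fix behaviour: any registered meeting id is accepted, and the vanity
    subdomain it was presented under is shown to the invitee without validation."""
    parsed = split_meeting_link(url)
    if parsed is None:
        return None
    vanity, meeting_id = parsed
    if meeting_id not in MEETING_OWNER:
        return None
    return {"meeting": meeting_id, "shown_as": vanity}


def hardened_resolve(url):
    """Fixed behaviour: a link under <tenant>.zoom.us is honoured only if that
    tenant owns the meeting. Plain zoom.us links are still accepted for any meeting."""
    parsed = split_meeting_link(url)
    if parsed is None:
        return None
    vanity, meeting_id = parsed
    if meeting_id not in MEETING_OWNER:
        return None
    owner = MEETING_OWNER[meeting_id]
    if vanity is not None and vanity != owner:
        return None                       # meeting does not belong to this tenant
    return {"meeting": meeting_id, "shown_as": vanity}


def attacker_rewrite(legit_link, target_vanity):
    """The manipulation Check Point described: keep the attacker's own meeting id,
    swap the host for the target organization's vanity subdomain."""
    parsed = split_meeting_link(legit_link)
    if parsed is None:
        raise ValueError("not a zoom.us meeting link")
    _, meeting_id = parsed
    return f"https://{target_vanity}.{ZOOM_DOMAIN}/j/{meeting_id}"


if __name__ == "__main__":
    forged = attacker_rewrite("https://zoom.us/j/99988877766", "plextrac")
    print("forged link:   ", forged)
    print("before the fix:", vulnerable_resolve(forged))   # accepted, shown as plextrac
    print("after the fix: ", hardened_resolve(forged))     # rejected
```

Note what the hardened path does not do: it does not try to spot lookalike domains, because a link that is not under zoom.us never reaches Zoom's application in the first place. The fix is purely about binding the tenant shown in the URL to the tenant that owns the meeting.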
Our next story this week comes from Info Security Magazine. It covers a lawsuit against Amazon, Microsoft, and Google for allegedly violating a biometric privacy law in the state of Illinois. The case was brought by two Illinois residents, Steven Vance and Tim Janecyk, who claim that the three companies obtained an IBM database of facial images ("faceprints") derived from roughly 100 million photographs scraped from Flickr. For those who are unaware, Flickr is a photo-hosting website. The images were allegedly taken from Flickr without the consent of the individuals whose faces appear in them. In Illinois, storing scans of a person's facial geometry without their consent is illegal under the 2008 Biometric Information Privacy Act. An excerpt from the lawsuit claims that the defendants "chose to use and profit from biometric identifiers and information scanned from photographs that were uploaded from Illinois; managed via Illinois-based user accounts, computers, and mobile devices, and/or created in Illinois." The suit adds that "in doing so, [the defendants] exposed Illinois residents and citizens to ongoing privacy risks within Illinois, knowing that [their] conduct would injure those residents and citizens within Illinois."
Our second-to-last article of the week also comes from Info Security Magazine. It covers the sharp rise in credential stuffing attacks against media services like Netflix, Hulu, and YouTube. Credential stuffing is the automated replay of username and password pairs leaked from one site against the login pages of others, betting that users reuse passwords. According to research by Akamai, 17 billion credential stuffing attempts hit the media and video industry between January 2018 and December 2019, more than 20% of the 88 billion attempts Akamai observed across all industries in that period. Akamai also reported year-over-year increases of 630% against broadcast television sites and 208% against video sites. "As long as we have usernames and passwords, we're going to have criminals trying to compromise them and exploit valuable information," said Steve Ragan, a security researcher at Akamai. Video sites are not the only target within the media sector, either: the same report records a 7,000% increase in attacks on published content such as newspapers, magazines, and other publications. Media formats of all types are fair game to attackers, who do not discriminate when it comes to an opportunity for data compromise.
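Credential stuffing has a recognisable shape in authentication logs: one source trying many different usernames in a short window, with a high failure rate and the occasional success that marks a compromised account. The detector below is an added example, not code from Akamai or the article; the log format and the sample lines are constructed for illustration, and the thresholds (`min_users`, `min_fail_ratio`, `window`) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). The first source tries
# six different accounts in a few seconds and gets one hit; the second is a single
# user fumbling their own password; the third is a normal login.
LOG = """\
2020-07-14T10:00:01Z login src=203.0.113.5 user=alice result=FAIL
2020-07-14T10:00:02Z login src=203.0.113.5 user=bob result=FAIL
2020-07-14T10:00:02Z login src=203.0.113.5 user=carol result=FAIL
2020-07-14T10:00:03Z login src=203.0.113.5 user=dave result=FAIL
2020-07-14T10:00:03Z login src=203.0.113.5 user=erin result=SUCCESS
2020-07-14T10:00:04Z login src=203.0.113.5 user=frank result=FAIL
2020-07-14T10:05:00Z login src=198.51.100.7 user=alice result=FAIL
2020-07-14T10:05:20Z login src=198.51.100.7 user=alice result=FAIL
2020-07-14T10:05:40Z login src=198.51.100.7 user=alice result=SUCCESS
2020-07-14T10:09:00Z login src=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed log line format; adapt the pattern to the real login service's output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse matching lines into (timestamp, source, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.6):
    """Flag sources that attempt at least `min_users` distinct accounts within `window`
    with a failure ratio of at least `min_fail_ratio`. Returns {source: finding}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) < min_users or fails / len(span) < min_fail_ratio:
                continue
            finding = {
                "distinct_users": len(users),
                "attempts": len(span),
                "failures": fails,
                # accounts the source logged into successfully: treat as compromised
                "compromised": sorted({e[2] for e in span if e[3] == "SUCCESS"}),
            }
            # keep the widest matching window for this source
            if src not in findings or finding["distinct_users"] > findings[src]["distinct_users"]:
                findings[src] = finding
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(parse_log(LOG)).items():
        print(f"{src}: {f['distinct_users']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"compromised={f['compromised']}")
```

The distinct-username count is what separates stuffing from a single user retrying a forgotten password, which is why the second source in the sample is not flagged despite its failures. In production the same logic wants to run per source network rather than per address, since stuffing tools rotate through proxies, and the `compromised` list should feed a forced password reset rather than just a report.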
Our last story of the week comes from Krebs on Security. It covers Microsoft's monthly Patch Tuesday release, which fixed 123 security holes across the Windows operating system and related software. The fixes include a critical, "wormable" flaw in Windows Server that Microsoft says is likely to be exploited in the near future. While that vulnerability mainly concerns enterprises running Windows Server, the update also contains fixes for every type of Windows user. The scariest bug in the batch is CVE-2020-1350, a remotely exploitable flaw in the Windows DNS Server service discovered by researchers at Check Point. It affects all supported versions of Windows Server that run the DNS Server role and would allow an attacker to run code or install malicious software simply by sending a specially crafted DNS request, with no user interaction. Microsoft said it had not yet seen the vulnerability exploited in the wild, but rated it 10 out of 10 on the CVSS scale, meaning it is both easy to attack and likely to be exploited. Patch DNS servers first; where a reboot has to wait, Microsoft also published a registry-based workaround (capping the DNS service's TCP receive size via the TcpReceivePacketSize value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restarting the DNS service) that blocks the known trigger without installing the update. You can read more on CVE-2020-1350 and the other critical bugs that were patched at the link below.