I had breakfast earlier this week with a former colleague who is now in her early 70’s. She warned me that “they” are using iPhones for spying. While her understanding of the issue was slightly inaccurate, I was happy to hear that Millie at least knew that she had to update the software on her iPhone. Why? Well, in case you haven’t heard, Apple released an emergency software update on Monday in order to fix a critical flaw that potentially allowed for invasive spyware to infect Apple products. “The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March,” New York Times reporter Nicole Perlroth wrote.
Though Millie’s misinterpretation of the Apple news is understandable, TikTok’s decision to remove videos intended to help educate hackers is a little more perplexing. In covering the story for Vice, Joseph Cox wrote, “The idea that all hacking is just done by nefarious people is antiquated at this point—the challenge for social networks is effectively and reliably enforcing against material that isn't designed to be educational, and harmful instead.”
Influencers in the industry seem dismayed by the move. Chris Wysopol tweeted, “Let's stop pretending learning about attacks is harmful,” a sentiment with which many agreed. Fortunately, RSA Conference has no plans to remove educational hacking content from our website, which means you can view Modern Identity Hacking, Next-Generation Tactics, Techniques and Procedures, and more all available On Demand in our Library.
Now let’s look at what else made cybersecurity headlines this week.
Sep. 17: “Telegram has exploded as a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web,” according to Financial Times.
Sep. 16: Former U.S. citizen and CIO of ExpressVPN, Daniel Gericke is one of the three former U.S. intelligence operatives facing federal charges for multiple violations related to his work for BlackMatter.
Sep. 16: Threatpost reported, “The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.”
Sep. 15: Not all things cybersecurity are gloom and doom according to the ACSC Annual Cyber Threat Report, which showed a 28% decrease in the total number of cybersecurity incidents for the 2020-2021 fiscal year.
Sep. 15: Despite Apple having issued a fix for the security flaw discovered by researchers at Citizen Lab, cybersecurity analysts expect that “zero-click exploits” will be a persistent problem.
Sep. 15: In this week’s Patch Tuesday update, Microsoft “addressed a quartet of security flaws…that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.”
Sep. 14: CSO Online reported, “With internet blocks and high-profile arrests, Russia shows it can crack down on cybercrime when properly motivated. New analysis suggests the Biden administration’s sanctions may be providing some motivation.” However, The Hill reported that the FBI has seen no indication that Russia has taken any action to stop cybercriminals.
Sep. 14: An opinion piece penned by Brian Klass in The Washington Post warned, “The so-called Internet of Things, in which objects that used to be fully offline are now connected to the Internet, is a largely unregulated world. And because of that, it could easily become a source of immense tragedy if the government doesn’t pay more attention to this looming national security threat.
Sep. 13: Experts warn that the U.S. is vulnerable because so much of our vital infrastructure depends on 5G, which is linked to GPS—a system for which there is no backup.
Sep. 13: The Department of Justice announced, “On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws.”