A work from home warning, students are victims of ransomware, and more.
Welcome to Cyber Security Today. It’s Monday May 23rd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. It’s a long holiday weekend in Canada, so thanks for tuning in.
 |
 |
 |
COVID-19 has forced many employees to work from home. But that can pose tremendous risks if IT leaders don’t ensure cybersecurity policies enforced in the office are also practiced at home. The latest example of poor planning allegedly involves the U.S. government. As cybersecurity reporter Brian Krebs reports, Washington issues smart cards to employees and defence contractors for logging into government applications, which they use from their offices with government-approved smart card readers. When COVID hit many of these people had to work from home. But they weren’t issued approved card readers for use from home. Nor, apparently, did they get advice on where to buy an approved reader. At least one person turned to Amazon to buy a device that met the government’s Common Access Card standard. However, a driver that was on the device manufacturer’s site seems to be infected with malware. That could have led to government systems being infected. It isn’t known how many federal employees in the U.S. bought compromised card readers. One lesson is if an organization requires a special login ID for employees it has to be prepared if they suddenly have to work from home.
The annual Pwn2Own hacking contest at Vancouver’s CanSecWest conference ended Friday with 17 participants winning just over $1 million. They did it by finding ways to evade defences in commercial software such as Windows, Ubuntu and several browsers. Winners included a team that was able to get into the infotainment system used in a Tesla Model 3 car. The contest, sponsored by Trend Micro’s Zero Day Initiative, is run at a number of cyber conferences around the world to help find vulnerabilities before crooks do.
Here’s another example of a third-party ransomware attack. An American non-profit called Battelle for Kids, which holds student data from a number of school systems across the United States, has acknowledged it was hit last year by a ransomware attack. This was revealed in a letter sent to parents by Chicago’s public school system on Friday. According to the Bleeping Computer news site, the data of almost a half-million students in the Chicago system between 2015 and 2019 was copied by the attackers. It included their names, dates of birth and some performance scores. Data on 60,000 Chicago school board employees was also stolen. No Social Security or home addresses were stolen.
I’ve reported before on the need of application developers to watch for malicious software packages on open source libraries like NPM. That’s not the only place malware can be deposited. Researchers at Sonatype have discovered a malicious package in the open Python registry called PyPI. The bad package has a similar name to the legitimate library called PyKafka. Tricking victims by closely spelling a file name to a legitimate name is called typosquatting, and its common in open source registries. Earlier this month Sonatype found a file with a name similar to the popular library called ‘colors.’ Application and web developers using open source files must make sure they download and scan only legitimate files to use in their work.
Finally, last week Cisco Systems’ Talos threat intelligence service published an information paper on the BlackByte ransomware gang. One common way it infects organizations is by getting an employee to open a phishing email. But another way is by attacking unpatched applications, particularly SonicWall’s VPN and Microsoft Exchange. This means chief executives have to ensure there are regular security awareness training sessions for employees, and IT leaders must have a rigorous patch management program.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
