Infosec Round-Up Sep 17th

Play Video

Apple Flaw, TikTok Data Investigation & Microsoft Passwords

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Ireland Investigates TikTok

The social media platform TikTok is currently under investigation by the Irish data protection authority over two separate data protection issues.

Announced this week, the Irish Data Protection Commission (DPC) will be investigating not only “the processing of personal data... for users under age 18, and age verification measures for persons under 13”, but also “transfers by TikTok of personal data to China”.

Having faced multiple accusations of sharing personal data with its parent company ByteDance, which would be in violation of GDPR, TikTok has repeatedly denounced these claims, though many doubt their transparency.

This investigation comes only months after the former Children’s Commissioner for England Anne Longfield launched a claim against the platform for the collection of children’s personal information without the necessary consent, transparency, or warning required by law.

Though the DPC investigation is still being undertaken, Ms Longfield has previously alleged that the “shadowy” platform is “a data collection service that is thinly veiled as a social network" which has "deliberately and successfully deceived parents”.

Pegasus Flaw Fixed

Apple has this week issued emergency software updates following the discovery of a flaw which allowed the execution of sophisticated spyware developed by Israel’s now notorious NSO Group.

The spyware, known and marketed as Pegasus, used what is referred to as a “zero click remote exploit”, allowing parties to turn on a user’s camera and microphone, record messages, texts, emails, and calls - even those sent via encrypted platforms.

With the flaw having been discovered by security researchers at Citizen Lab, Apple are now urging users to undertake the necessary updates to protect themselves against malicious actors.

As part of Citizen Lab’s disclosure of the discoveries, the company stated: “Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking.”

Adding “As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”

Microsoft Goes Passwordless

Microsoft has this week announced that it will be rolling out Passwordless login support, allowing users to log into accounts without using a password.

Having made the feature available to business users back in March, the system, which will be available in the coming weeks, will let customers choose between an authentication mobile app called Windows Hello, or a verification code being send to either phone or email.

Relying primarily on biometric data to bypass traditional passwords, this move is to help improve security, with Microsoft’s announcement noting that the company detects a “whopping” 579 password attack incidents every second, or 18 billion each year.

Corporate Vice President of Security, Compliance and Identity, Vasu Jakkal stated on the matter: “Passwords are incredibly inconvenient… We are expected to create complex and unique passwords, remember them, and change them frequently - but nobody likes doing that.”

Adding, “While passwords can be guessed, stolen, or phished, only you can provide fingerprint authentication, or provide the right response on your mobile at the right time.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Featured

Infosec Round-Up Sep 10th

Infosec Round-Up Sep 10th - Hut Six

Ragnar Locker threatens victims with possible data leaks. UK student jailed for "cynical" cyber crime. ProtonMail faces criticism.

Infosec Round-Up Sep 3rd

Infosec Round-Up Sep 3rd - Hut Six

Insider threat destroys 21GB of credit union data. Hackers leak UK firearms marketplace data. Coinbase accidentally sends 125K warning emails.

Infosec Round-Up Aug 27th

Infosec Round-Up Aug 27th - Hut Six

Ethical hacker rewarded with $500K after returning stolen crypto. Japanese exchange attacked. US loses $2.3 million to BEC scam.

Infosec Round-Up Aug 20th

Infosec Round-Up Aug 20th - Hut Six

48 million T-Mobile customers' data breached. Secret 'no-fly' list exposed on internet. Brazil Government hit with another ransomware attack.

Infosec Round-Up Aug 13th

Infosec Round-Up Aug 13th - Hut Six

Apple responds to CSAM scanning criticism. Crypto hacker returns over $300 million worth of tokens. Crytek game developer confirms data leak hack.

Infosec Round-Up Aug 6th

Infosec Round-Up Aug 6th - Hut Six

Zoom to pay $86 million on privacy lawsuit. LockBit 2.0 cyber criminals recruiting insider threats. Isle of Wight schools hit with ransomware attack.

InfoSec Round-Up July 30th

InfoSec Round-Up July 30th - Hut Six

Israeli government raids NSO Group offices. Biden warns cyber breach could lead to "hot-war". Irish DoH data leak.

InfoSec Round-Up July 23th

InfoSec Round-Up July 23th - Hut Six

NSO responds to international criticism. Saudi Aramco hacked for a second time. Chinese government denies involvement with Microsoft Hack.

InfoSec Round-Up July 16th

InfoSec Round-Up July 16th - Hut Six

UK Police seize £180 million in money laundering investigation. REvil ransomware website mysteriously disappears. Iran targets British academics in phishing attack.

InfoSec Round-Up July 2nd

InfoSec Round-Up July 2nd - Hut Six

Member of public finds Ministry of Defence (MoD) documents. Salvation Army loses data in cyber attack. Denmark's Central Bank affected by SolarWinds hack.