Welcome to your weekly security roundup, providing you all with the security news you deserve, but maybe might not need.
As always, these news stories are human-curated by me - no fancy algorithms, no machine learning, and definitely no trending topics here.
We are less than two weeks away from Blackhat in sunny Las Vegas. We’ll be there - pop along to booth 528 and say hello if you’re there.
Google: Security Keys Neutralized Employee Phishing
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
- Google: Security Keys Neutralized Employee Phishing | Krebs on Security
While we’re on the topic of phishing, attackers used phishing emails to break into a Virginia bank twice in eight months, making off with more than $2.4 million in total. Now the bank is suing its cybersecurity insurance provider for refusing to fully cover the loss.
- Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M | Krebs on Security
We’re probably going to see more of this kind of back and forth as companies that have taken out cyber insurance and suffered a breach fight with their insurers over liability and who will cover the cost.
Breaking the Chain
Supply chain and third party risks are getting better understood, but understanding a risk doesn’t necessarily mean it will reduce the risk.
Tesla, VW, and dozens of other car manufacturers had their sensitive information exposed due to a weak security link in their supply chains.
SIM Swap - A Victim’s Perspective
This is a really good write-up by AntiSocial engineer taking a look at how SIM swap fraud can impact victims, and why mobile phone operators need to do more to prevent this kind of fraud.
“It’s an all too common story, the signal bars disappear from your mobile phone, you ring the phone number – it rings, but it’s not your phone ringing. Chaos ensues. You’re now getting password reset emails from Facebook and Google. You try to login to your bank but your password fails. Soon enough the emails stop coming as attackers reset your account passwords. You have just become the newest victim of SIM Swap Fraud and your phone number is now at the control of an unknown person.”
- SIM Swap Fraud - a victim’s perspective | AntiSocial Engineer
EU Fails to Regulate IoT Security
In this week’s head-scratching moment of “what were they thinking?”, the European Commission has rejected consumer groups' calls for mandatory security for consumer internet-connected devices because they believe voluntary security from manufacturers is adequate. What a blow!
And on cue,
- Swann's home security camera recordings could be hijacked | BBC
- Hide ‘N Seek Botnet Targets Smart Homes | Security Week
When an Outdated Router Costs $1M
If you have an outdated router in a remote branch, what’s the worst that could happen? Well, apparently a lot more than you bargained for.
A notorious hacking group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router.
The victim of the hack is PIR Bank, which lost at least $920,000 in money it had stored in a corresponding account at the Bank of Russia.
- Hackers Breach Russian Bank and Steal $1 Million Due to Outdated Router | Bleeping Computer
The Impact of GDPR
Under GDPR, data breach reports in the UK have quadrupled. The ICO has reported 1,750 breaches in June, up from 400 in April.
- Under GDPR, Data Breach Reports in UK Have Quadrupled | Bank infosecurity
And speaking of breaches:
Here are a few other news and articles I found interesting this week, some of which aren’t related directly to security.