WebProNews

CybersecurityUpdate

  • Microsoft Taking Platform Agnostic Approach to Cloud Security

    Microsoft has signaled it wants to provide security for cloud-based companies in general, regardless of whether they use Azure, AWS, or Google Cloud.

    Microsoft is a far different company under Satya Nadella than it was under Bill Gates and Steve Ballmer. Instead of ruthlessly protecting and pushing its own operating systems and platforms, the company has shifted to the cloud, with a focus on providing the best applications and services on a variety of systems and platforms.

    The company is now extending that philosophy to cloud security with its latest update to Microsoft Defender for Cloud. The product, formerly known as Azure Defender, was renamed to better reflect its emphasis on securing multicloud environments. Microsoft has also added support for Google Cloud, roughly three months after adding support for AWS. In both cases Microsoft integrated Defender with its rivals’ platforms through those platforms’ public APIs.

    “Today most of our customers have AWS and they have Azure and they have Google Cloud and they have different workloads around and then they have security solutions which are native to each of these,” Vasu Jakkal, CVP Microsoft Security, Compliance, Identity & Privacy told Bloomberg in an interview. “Think about the security practitioners sitting in a Security Operations Center looking at these alerts in this pane of glass — they’re dealing with three if not more.”

    This is not the first time Microsoft has set itself apart from its rivals. In early February, the company released its Open App Store Principles, in which it committed to behavior that is almost diametrically opposite from the manner in which Apple and Google run their app stores.

    For those who remember Microsoft of the ’90s and early 2000s, this open, enlightened Microsoft is a refreshing change, and increasingly serves as an example for the rest of the industry. Hopefully more companies will take note and imitate it.

  • More Surveillance Than China — Clearview AI’s Business Plan

    Few companies would proudly tout their business plan as offering more comprehensive surveillance than China, but that’s exactly what Clearview AI is doing.

    Clearview AI gained fame and notoriety for scraping images from popular websites and social media platforms to build a massive database of photos for facial recognition, in violation of those platforms’ terms of service. The company claimed to provide its software only to law enforcement and government agencies, but reports indicate it was far looser than it admitted about who had access to its platform. In addition, the company was found to be working with various authoritarian regimes.

    As if the company couldn’t become any more controversial, The Washington Post reports the company is proudly calling its surveillance platform more comprehensive than similar systems in China, thanks to the “public source metadata” and “social linkage” information on which the company bases its product.

    Clearview is also working to establish itself as the leader in the field, at a time when the industry leaders are taking a more responsible, measured approach to facial recognition. Clearview, in contrast, sees Microsoft, Amazon, and IBM’s cautious approach as a market opportunity, as it seeks to gain investment for a massive expansion effort.

    What’s more, according to The Post, the company is sending out conflicting messages about its plans. Until now, Clearview has promised it will only sell to law enforcement and government agencies. In the presentation material viewed by The Post, however, government contracts are shown as only a small portion of the company’s potential market. The presentation discusses building out the company’s personnel specifically to target the financial and commercial market. Even more alarming, Clearview wants to build a “developer ecosystem” to help other companies use its database in their own products.

    Jack Poulson, a former Google research scientist and current head of research advocacy group Tech Inquiry, asked if there was anything “they wouldn’t sell this mass surveillance for? If they’re selling it for just regular commercial uses, that’s just mass surveillance writ large. It’s not targeted toward the most extreme cases, as they’ve pledged in the past.”

    Clearview’s unethical behavior and irresponsible approach to privacy and data security, not to mention the legal implications of its data collection, have already led to multiple lawsuits, investigations, and bans in some countries and jurisdictions.

    Here’s to hoping more countries crack down on this bottom-feeder.

  • PSA: Update Chrome Now to Avoid Actively Exploited Vulnerability

    Another week, another Chrome update to address a bug that is being actively exploited.

    Google Chrome is the world’s most popular web browser by far, with billions of users relying on the browser. Unfortunately, it’s become an all-too-common occurrence for Google to release an update that addresses a major security vulnerability. Often these are vulnerabilities that are being actively exploited.

    The latest update is no exception. Google has released version 98.0.4758.102 for macOS, Linux, and Windows. The update fixes a slew of issues, but the one of particular note is issue “CVE-2022-0609: Use after free in Animation.”

    According to the release notes, “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”

    Google has not given any additional details. A use-after-free in the browser’s animation code is the kind of memory-safety bug that typically lets a malicious web page run code inside Chrome’s renderer process, which attackers then chain with a sandbox-escape bug to reach the rest of the system. Google keeps the bug report restricted until a majority of users have picked up the fix, so more information will likely follow. Chrome downloads updates in the background but only applies them on relaunch: check chrome://settings/help and restart the browser if it still shows an older build.
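    The practical check is whether the installed build is at or past 98.0.4758.102. The script below is an added example, not Google’s code: it parses the `--version` line Chrome prints and compares the dotted version numerically, because a plain string comparison gets builds such as 98.0.4758.99 wrong. The binary names it tries and the sample version strings are assumptions for illustration.

```python
"""Check whether the installed Chrome build carries the CVE-2022-0609 fix.

Added example, not Google's code. FIXED_VERSION comes from the release note
quoted above; the binary names tried and the sample strings are assumptions.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "98.0.4758.102"   # first stable build containing the fix

# Where a Chrome binary usually answers `--version` (assumed, not exhaustive).
CANDIDATE_BINARIES = (
    "google-chrome",
    "google-chrome-stable",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from text such as 'Google Chrome 98.0.4758.102'.

    Parsing to integers matters: as strings, '98.0.4758.99' sorts after
    '98.0.4758.102', and a vulnerable build would be reported as fixed.
    """
    match = re.search(r"\d+(?:\.\d+){1,3}", text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is at or past the fixed build (shorter tuples padded with 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def installed_chrome_version() -> Optional[str]:
    """Return the `--version` line of the first Chrome binary that answers, else None."""
    for binary in CANDIDATE_BINARIES:
        try:
            result = subprocess.run([binary, "--version"], capture_output=True,
                                    text=True, timeout=10, check=True)
        except (OSError, subprocess.SubprocessError):
            continue   # not installed, not executable, or hung
        return result.stdout.strip()
    return None


if __name__ == "__main__":
    version = installed_chrome_version()
    if version is None:
        print("No Chrome binary found")
    else:
        verdict = "fixed" if is_fixed(version) else "VULNERABLE: update and relaunch"
        print(f"{version}: {verdict}")
```

    `--version` reports the newest build installed on disk; a Chrome that is still running may be an older build until relaunch, so treat “fixed” here as “fixed after the next restart” and compare against chrome://version for the running process.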

  • Microsoft Reportedly In Talks to Buy Security Firm Mandiant

    Microsoft is continuing its efforts to strengthen its cybersecurity capabilities, working on a deal to purchase Mandiant.

    Like many Big Tech firms, Microsoft has joined US government efforts to improve the country’s cybersecurity and protect individuals and companies from attack. Nonetheless, the company has had its own troubles protecting its users and combating online threats.

    To help improve its abilities, the company is looking to buy Mandiant, one of the leading cybersecurity firms, with a nearly two-decade track record in the industry. Sources familiar with the negotiations spoke to The Seattle Times, although neither company has confirmed anything.

    Industry watchers are already praising the possibility as a good match.

    “This would be a smart move for Microsoft,” said Bloomberg Intelligence’s Anurag Rana. “In the future, the cloud with most security features would win.”

    If the deal does go through, it would mark the second time Mandiant has changed hands. FireEye bought it in 2013; in 2021 FireEye sold its products business and the FireEye name to Symphony Technology Group, and the remaining company, built around the Mandiant services business, took the Mandiant name.

  • ExpressVPN Offering One-Time $100,000 Bug Bounty

    ExpressVPN is offering a one-time, $100,000 reward to anyone who can hack its servers.

    ExpressVPN is one of the leading VPN services on the market, and is consistently recommended by many reviewers. Like a lot of companies in the tech industry, ExpressVPN offers bug bounties as a way of encouraging white hat hackers and security researchers to find bugs and report them, before they can be exploited by bad actors.

    The company is now offering a major incentive, in the form of $100,000, specifically for proof of “unauthorized access to a VPN server or remote code execution,” or vulnerabilities “that result in leaking the real IP addresses of clients or the ability to monitor user traffic.”

    Obviously, the company will require proof of the exploit, in order to pay the bounty.

    In order to qualify to claim this bounty, we will require proof of impact to our users’ privacy. This will require demonstration of unauthorized access, remote code execution, IP address leakage, or the ability to monitor unencrypted (non-VPN encrypted) user traffic.

    It’s a safe bet security researchers will be eager to take a shot at ExpressVPN’s services, with that much money at stake.

  • Microsoft Will Block Downloaded Office Macros by Default

    Macros have long been a major factor in Office security issues, and it appears Microsoft is taking a major step toward addressing the problem.

    Macros have been around for years, with Office power users having their own personal collection of macros they swear by. Unfortunately, they are also one of the most targeted attack vectors that bad actors use. Microsoft has taken various steps to try to mitigate the danger, but its latest is one of its most ambitious.

    Beginning in Version 2203 of Microsoft 365 Apps, Microsoft will block VBA macros in files obtained from the internet (files that carry the Mark of the Web, the zone tag Windows attaches to downloads) for Access, Excel, PowerPoint, Visio, and Word.

    For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.

    Microsoft has said it will also implement the change for Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 at a future date.

    Users intent on running downloaded macros will still be able to, but they’ll need to jump through a couple of hoops to do so. Users will be presented with a warning message, including a Learn More button. Because the block is keyed to the Mark of the Web, a file that has been unblocked in its Properties dialog, or one that never received the tag, falls back to the old behavior.

    The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing & malware, and instructions on how to enable these macros.

    The change is likely to inconvenience some users, but hopefully the measure will help protect Office users.
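    What “obtained from the internet” means in practice is the Mark of the Web: on NTFS, browsers and mail clients attach a `Zone.Identifier` alternate data stream to downloaded files, and Office reads its ZoneId to decide whether to show the blocked bar. The parser below is an added example, not Microsoft’s code; the stream contents it is tested against are constructed, and the zone numbers are the standard Windows URL security zones.

```python
"""Read and interpret a file's Mark of the Web (the Zone.Identifier stream).

Added example, not Microsoft's code. Stream contents used for testing are
constructed; the zone numbers are Windows' standard URL security zones.
"""
import configparser
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Zones for which Office's new default refuses to enable VBA macros.
BLOCKED_ZONES = {3, 4}


def zone_id(stream_text: str) -> Optional[int]:
    """Parse the ZoneId out of a Zone.Identifier stream; None if missing or malformed."""
    # interpolation=None: ReferrerUrl/HostUrl lines often contain '%' escapes.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def macros_blocked_by_default(stream_text: Optional[str]) -> bool:
    """True when the file would get the new blocked bar instead of 'Enable Content'.

    No stream at all (file created locally, copied via FAT/exFAT media, or
    extracted by a tool that drops alternate data streams) means no MotW, so
    the file is treated as local and the old behaviour applies.
    """
    if stream_text is None:
        return False
    return zone_id(stream_text) in BLOCKED_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the alternate data stream on NTFS; None where it does not exist.

    Outside Windows the ':Zone.Identifier' suffix is just a filename that
    does not exist, so the function returns None there as well.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        text = read_zone_identifier(path)
        zid = zone_id(text) if text is not None else None
        print(f"{path}: zone={ZONE_NAMES.get(zid, 'none')} "
              f"macros_blocked={macros_blocked_by_default(text)}")
```

    Files that arrive through a FAT-formatted USB stick, or are extracted by an archiver that drops the stream, carry no ZoneId and are not blocked, which is why the new default reduces but does not remove the macro risk.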

  • IRS Backtracks, Ends Bid to Require Facial Recognition

    The IRS is backtracking on its plans to require facial recognition to access online accounts, following backlash from security and privacy experts.

    The IRS announced in mid-January that it was partnering with ID.me, with plans to require facial recognition for users accessing their online accounts. As Krebs on Security documented, the process involved in setting up facial ID was relatively complicated. Meanwhile, security experts and customers worried about the implications of people’s biometric data being collected.

    According to The New York Times, the Treasury Department is now abandoning the plan, despite awarding ID.me an $86 million contract.

    “The I.R.S. takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said Charles P. Rettig, the agency commissioner. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

    The agency is evidently working on an alternative method of identification that will not involve facial recognition, although it’s unclear at this time what that method may be.

  • Like a Bad Penny the EARN IT Act Is Back

    In the latest attack on privacy and encryption, lawmakers have re-introduced the EARN IT Act, described as “one of the worst pieces of Internet legislation.”

    The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act is a piece of wildly unpopular legislation that was originally introduced in 2020. The goal of the legislation was to protect children and help eliminate online sexual abuse, obviously admirable goals that any decent human being supports.

    Unfortunately, when it was first introduced, the bill essentially sounded a death knell for encryption, the very basis of online privacy and security, and treated every online citizen as a suspect. The bill would have required companies to follow mandatory “best practices,” practices that would have forced companies to weaken encryption in order to comply.

    In its original incarnation, the bill was eventually amended to exclude encryption from the list of things that could increase corporate liability, and the “best practices” were changed to recommendations instead of requirements. Nonetheless, the bill remained unpopular enough to eventually be dropped.

    Mass Surveillance Is Once Again on the Table

    Despite its unpopularity, Senators Richard Blumenthal and Lindsey Graham have once again reintroduced it. The Electronic Frontier Foundation (EFF) describes the sweeping impact the bill would have.

    Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online—backups, websites, cloud photos, and more—is scanned.

    The bill’s goal is multi-pronged:

    • First and foremost, it attacks end-to-end encryption, encouraging “states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services.”
    • The bill encourages the use of government-approved software that will be used to scan everything sent online.
    • The bill paves the way for the establishment of a 19-person commission, made up largely of law enforcement personnel, that will establish voluntary “best practices” for companies to follow.

    As the EFF points out, despite provisions being added to protect encryption, the provisions fall far short of actually doing so. The door is still left wide open for companies to be held liable for what users of their platforms do, with a platform’s use of encryption being held up as evidence of its culpability.

    Further, the bill essentially deputizes tech companies in an effort to do an end-run around the legal and constitutional issues of having a government-run surveillance state.

    The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies—from the largest ones to the very smallest ones—as its tools.

    In view of the enormity of problems the EARN IT act causes, Evan Greer, Director of digital human rights group Fight for the Future, said:

    The EARN IT Act is truly one of the worst pieces of Internet legislation I have seen in my entire career, and … that’s saying a lot. Please, we need REAL solutions to the harms of Big Tech, not poorly written laws that will get people killed and do more harm than good /endrant

    — Evan Greer (@evan_greer), January 31, 2022

  • FBI Was One of NSO Group’s Customers

    NSO Group has quickly become one of the most reviled security firms, even being banned by the US government. Despite that, it appears the FBI was one of its customers.

    News broke in mid-2021 that NSO Group’s Pegasus spyware was being used by authoritarian governments to spy on journalists, civil rights activists, and US diplomats. The US Commerce Department ultimately ended up blacklisting the company, preventing any US companies from doing business with it.

    Amid the controversy surrounding the NSO Group, it has now come out that the FBI was one of its customers, according to The Seattle Times, a revelation that is not sitting well with many groups.

    “Spending millions of dollars to line the pockets of a company that is widely known to serially facilitate widespread human rights abuses, possible criminal acts, and operations that threaten the U.S.’s own national security is definitely troubling,” Ron Deibert, director of Citizen Lab, told the Times. Citizen Lab is an internet watchdog with the University of Toronto, that has been exposing Pegasus hacks since 2016.

    The FBI has been tight-lipped about its relationship with NSO Group, but reports from The New York Times and The Guardian indicate it initially paid $5 million for a one-year license, before renewing it for $4 million. The Guardian’s sources say the FBI never actually used the software.

  • Atlas VPN Adopts WireGuard Protocol

    VPN provider Atlas VPN is the latest to adopt the WireGuard protocol, giving its customers access to the latest security option.

    WireGuard is an open source VPN protocol designed to be “a more modern, faster, and secure alternative to existing legacy protocols.” It uses a single fixed set of primitives (Curve25519 for key exchange, ChaCha20-Poly1305 for transport encryption, BLAKE2s for hashing) rather than negotiable cipher suites, and its reference implementation is a few thousand lines of code, which is the basis for the speed and auditability claims made for it. A number of services have already adopted WireGuard, with Atlas VPN being the latest.

    “WireGuard is one of the fastest and most secure VPN protocols available right now. Therefore, we wanted to make it available for Atlas VPN users. It works seamlessly with all Atlas VPN features and further enhances the VPN’s performance”, says Ruta Cizinauskaite, the PR Manager at Atlas VPN.

    The addition of WireGuard gives customers a choice of several different protocols.

  • FBI: Don’t Take Personal Devices to Beijing Olympics

    The FBI is warning athletes to leave their personal devices at home when they travel to Beijing for the Winter Olympics.

    The Dutch Olympic Committee warned its athletes in mid-December against bringing personal electronics to China. China has a long-standing history of espionage and surveillance, a major concern for visiting athletes and dignitaries.

    The FBI is now echoing the Dutch committee’s warning, telling athletes to leave their personal devices at home, in favor of burner devices.

    “The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games,” the FBI warns. “The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games. The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”

  • Smaller ISPs the Weak Link in Cybersecurity War

    Everyone uses an internet service provider (ISP) to connect to the internet, but not all ISPs are created equal when it comes to security.

    Cybersecurity has become a major focus, for private companies and government agencies alike. Recent ransomware attacks have illustrated the vulnerabilities of software, services, and cloud options. Supply chain attacks, where bad actors compromise a commonly-used software component, have become a major attack vector.

    Another, often-overlooked, possible avenue of attack is the ISP. Unfortunately, the playing field isn’t always a fair one, according to Gustavas Davidavicius, Abuse Prevention Team Lead at IPXO. While larger ISPs have the IP and human resources needed to respond swiftly to threats, smaller ISPs often can’t compete.

    Davidavicius used the example of a recent DDoS attack against Vocus NZ, New Zealand’s third-largest ISP.

    “The pressures of having to make swift decisions can have a significant impact when managing security breaches. In this case, it seems that a few unfortunate decisions led to filtering out tons of legitimate traffic for all, leaving users without an Internet connection,” Davidavicius explained.

    “Cyber resilience has always been one of the top priorities, however, there is no single best solution that could address all the issues. As with all internet-related activities, the best way to protect yourself varies based on use cases and scope,” he continued.

    Unfortunately, until smaller ISPs are able to address their limitations, they will continue to be a weak link that hackers can exploit, leading to further internet outages.

  • Apple Users Should Update Their Devices Immediately

    Apple has released updates to iOS, iPadOS, macOS, and watchOS that fix a major vulnerability in Safari.

    A vulnerability was discovered in Safari earlier this month by FingerprintJS, one that let “any website track your internet activity and even reveal your identity.” The issue was in Apple’s implementation of IndexedDB, a browser API that websites use to store data client-side. That storage is supposed to be partitioned by origin, but FingerprintJS reported that when a page opened an IndexedDB database in Safari 15, an empty database with the same name appeared in every other open tab and frame, so a tracker could list the database names created by other sites, and some of those names contain user-specific identifiers.

    While Apple rarely details security fixes when it releases an update, partly so that users can patch before the details help attackers, the release notes for the latest OS updates do list CVE-2022-22594, the identifier assigned to the flaw, and credit FingerprintJS for discovering it.

    Impact: A website may be able to track sensitive user information

    Description: A cross-origin issue in the IndexedDB API was addressed with improved input validation.

    CVE-2022-22594: Martin Bajanik of FingerprintJS

    Needless to say, all Apple users should update their various devices immediately. This is especially important on iOS, since all iOS web browsers use Safari’s rendering engine.

  • Linux Vulnerability Discovered Impacting All Major Distros

    A major Linux vulnerability, impacting virtually all major distributions (distros), has been discovered, allowing a bad actor with local access to obtain root privileges.

    On Linux, Unix, macOS, and other Unix-style operating systems, the root account has ultimate access to the system. As a result, when a user account is set up, it doesn’t have root access as a way of protecting the system from accidental damage.

    Unfortunately, according to security firm Qualys, there is a major flaw in polkit’s pkexec utility, which is included in every major Linux distro. Qualys’ Bharat Jogi, Director, Vulnerability and Threat Research, describes the role polkit plays in Unix-style systems.

    Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

    The bug, tracked as CVE-2021-4034 and nicknamed PwnKit by Qualys, is a memory-corruption flaw in the way pkexec handles its command-line arguments. Because pkexec is installed setuid root, any unprivileged local user who exploits it gains root privileges, completely compromising the system. Unfortunately, Qualys says the vulnerability has existed for 12+ years, since the first version of pkexec in May 2009.

    Qualys has already notified all vendors and recommends users install security patches for their distro immediately. For hosts that cannot be patched right away, Qualys notes that removing the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec) is a temporary mitigation, at the cost of pkexec no longer working for anyone.
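    The reason a bug in pkexec is a root bug is that pkexec runs setuid root. The audit below is an added example, not Qualys’s tooling: it lists the setuid-root executables on a host, flags pkexec, and returns the temporary mitigation Qualys published (dropping the setuid bit) for hosts that cannot be patched immediately. The directory list is an assumption covering the usual locations.

```python
"""List setuid-root executables and flag pkexec, the binary behind the polkit bug.

Added example, not Qualys's code. The walk is generic (every setuid-root
binary is a privilege boundary worth knowing about); the chmod mitigation is
the temporary one Qualys recommends until the distro patch is installed.
"""
import os
import stat
from typing import Iterable, List

# Assumed locations; extend for unusual layouts.
DEFAULT_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                "/usr/local/bin", "/usr/lib/polkit-1")


def is_setuid_root(st_mode: int, st_uid: int) -> bool:
    """True for a regular file owned by uid 0 with the setuid bit set."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0


def find_setuid_root(dirs: Iterable[str] = DEFAULT_DIRS) -> List[str]:
    """Walk `dirs` without following symlinks and collect setuid-root files."""
    found = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)   # lstat: judge the file, not a link's target
                except OSError:
                    continue
                if is_setuid_root(st.st_mode, st.st_uid):
                    found.append(path)
    return sorted(found)


def pkexec_exposure(paths: Iterable[str]) -> List[str]:
    """Subset of `paths` that are pkexec: each is a local-root foothold until patched."""
    return [p for p in paths if os.path.basename(p) == "pkexec"]


def mitigation_command(path: str) -> str:
    """Qualys's temporary mitigation: drop the setuid bit (pkexec then fails for all users)."""
    return f"chmod 0755 {path}"


if __name__ == "__main__":
    suid_root = find_setuid_root()
    for p in suid_root:
        print(p)
    for p in pkexec_exposure(suid_root):
        print(f"pkexec is setuid root at {p}; until patched: {mitigation_command(p)}")
```

    Run it as an unprivileged user; reading modes needs no special rights, and the full list is worth keeping as a baseline so that a new setuid-root binary appearing later stands out.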

  • Microsoft Warns of Phishing Attack ‘Targeting Hundreds of Orgs’

    Microsoft is warning of a new phishing attack that is abusing OAuth request links and “targeting hundreds of orgs.”

    OAuth is an open authorization standard that lets a third-party app, service, or website act on a user’s account at another service with a scoped, revocable token, instead of the user handing over their password and full access.

    Unfortunately, bad actors are abusing OAuth consent links in a phishing campaign to gain access to users’ email. Rather than stealing a password, the link takes the victim to a genuine sign-in page that asks them to grant a malicious app permissions; once consent is given, the attackers can create inbox rules that forward mail to another account, with experts warning this may be an attempt to acquire sensitive information. Because the access comes from the user’s own consent, multi-factor authentication does not stop it.

    Microsoft warned about the issue on its Microsoft Security Intelligence Twitter account:

    Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.

    The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.

    We’re seeing the campaign targeting hundreds of orgs. Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.

    — Microsoft Security Intelligence (@MsftSecIntel), January 21, 2022
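    Consent phishing works because the link really does go to a Microsoft authorize endpoint; the malicious part is the app behind it and the scopes it asks for. The triage function below is an added example, not Microsoft’s code. It pulls the client_id, redirect_uri and scopes out of a consent link and flags the Microsoft Graph delegated permissions that correspond to the capabilities in the tweet (MailboxSettings.ReadWrite for inbox rules, Mail.ReadWrite for mail, Calendars.ReadWrite for calendar items, Contacts.Read for contacts). That mapping is my reading of the tweet, not a list published with the campaign, and the sample URL and app id are constructed.

```python
"""Triage an OAuth consent link of the kind used in the 'Upgrade' campaign.

Added example, not Microsoft's code. HIGH_RISK_SCOPES maps the capabilities
named in the tweet to Graph permission names (my reading, not a published
indicator list); SAMPLE_URL and its client_id are constructed.
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import parse_qs, urlsplit

# Microsoft identity platform login hosts. Anything else posing as a
# Microsoft sign-in is a finding on its own.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Delegated Graph permissions behind the capabilities Microsoft described.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and write all mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create inbox rules (e.g. silent forwarding)",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
    "offline_access": "refresh token: access persists after the session ends",
}

SAMPLE_URL = (   # constructed; the client_id is not a real app
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-00000000dead"
    "&response_type=code&prompt=consent"
    "&redirect_uri=https%3A%2F%2Fupgrade-example.invalid%2Fcallback"
    "&scope=openid+offline_access+Mail.ReadWrite+MailboxSettings.ReadWrite"
    "+Calendars.ReadWrite+Contacts.Read"
)


@dataclass
class ConsentReport:
    client_id: str
    redirect_uri: str
    scopes: List[str]
    risky: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_consent_url(url: str) -> ConsentReport:
    """Extract client_id, redirect_uri and scopes from an authorize URL and flag risk."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = q.get("scope", "").split()   # parse_qs already turned '+' into spaces
    report = ConsentReport(q.get("client_id", ""), q.get("redirect_uri", ""), scopes)

    if parts.hostname not in AUTHORIZE_HOSTS:
        report.findings.append(f"authorize host {parts.hostname!r} is not a Microsoft login host")
    if "/oauth2/" not in parts.path and "/adminconsent" not in parts.path:
        report.findings.append("path is not an OAuth authorize or admin-consent endpoint")
    # Scopes may be bare ('Mail.ReadWrite') or resource-prefixed
    # ('https://graph.microsoft.com/Mail.ReadWrite'); compare the last segment.
    report.risky = [s for s in scopes if s.split("/")[-1] in HIGH_RISK_SCOPES]
    if report.risky:
        wanted = "; ".join(HIGH_RISK_SCOPES[s.split("/")[-1]] for s in report.risky)
        report.findings.append(f"requests mailbox-level permissions: {wanted}")
    if report.redirect_uri and urlsplit(report.redirect_uri).scheme != "https":
        report.findings.append("redirect_uri is not https")
    if q.get("prompt") == "consent":
        report.findings.append("prompt=consent forces the consent screen even for known apps")
    return report


if __name__ == "__main__":
    report = triage_consent_url(SAMPLE_URL)
    print(f"client_id={report.client_id} redirect_uri={report.redirect_uri}")
    for finding in report.findings:
        print("-", finding)
```

    Because the token comes from the user’s own consent, no password is captured and MFA never enters the picture; the response is to revoke the app under Azure AD enterprise applications and to restrict which apps users may consent to without admin review, which is what the tweet’s mention of blocking OAuth consent links amounts to.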

  • DC AG Sues Google For Using ‘Dark Patterns’ to Undermine Privacy

    Google is once again in the crosshairs for its privacy (or lack thereof), with the DC Attorney General suing it over “Dark Pattern” practices.

    Dark Patterns are deceptive practices some websites and apps use to trick users into buying things or taking actions they otherwise wouldn’t, or didn’t mean to. The website DarkPatterns.org is dedicated to shaming companies that engage in this type of behavior.

    Google is now facing accusations from DC Attorney General Karl A. Racine that it is using such Dark Patterns to get its customers to compromise their privacy.

    To gain access to user location data, Google manipulates its users through deceptive design choices that alter user decision-making in ways that harm the user and benefit Google. These practices are known as “dark patterns.” Google has made extensive use of dark patterns—such as repeated nudging, misleading pressure tactics, and evasive and deceptive descriptions of features and settings—to stop users from protecting their privacy and cause them to provide more and more data inadvertently or out of frustration.

    AG Racine also accuses the company of making it impossible for customers to truly opt out of location tracking, deceiving customers about how much control they have over their privacy, and misleading customers about how much changing device settings really protects their privacy.

    AG Racine is leading a coordinated, bipartisan effort to take Google to task for these actions, with the Indiana, Texas, and Washington AGs also filing lawsuits against Google in their states.

    “Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access,” said AG Racine. “The truth is that contrary to Google’s representations it continues to systematically surveil customers and profit from customer data. Google’s bold misrepresentations are a clear violation of consumers’ privacy. I’m proud to lead this bipartisan group of attorneys general that will hold Google accountable for its deception. Through this lawsuit, we will hold Google accountable, and in the process, educate consumers on how their personal data—particularly sensitive data about their physical location—is collected, stored, and monetized. This result of our collective action is that consumers, not Google, will determine how their data is or is not used.”

  • Crypto.com Says 483 Accounts Hacked, $35 Million Stolen

    Just days after a hack that impacted user accounts, Crypto.com is revealing more details on the extent of the attack.

    Crypto.com announced on Monday, January 17, that “a small number of users experienced unauthorized activity in their accounts.” The company reassured users their funds were safe, but users were quick to dispute that claim, pointing to unauthorized withdrawals from their accounts.

    The company is now revealing a total of 483 accounts were hacked, and the equivalent of roughly $35 million was withdrawn. Fortunately for users, the company has reimbursed everyone impacted.

    On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.

    The incident affected 483 Crypto.com users.

    Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies.

    Crypto.com first noticed the issue when transactions on some accounts were being approved without the corresponding 2FA input. The company halted all withdrawals, forced users to sign back in and set up new 2FA tokens, and migrated to a new 2FA infrastructure; it also introduced a mandatory 24-hour delay between registering a new whitelisted withdrawal address and the first withdrawal to it.

  • IRS Will Require Photo ID and Live Selfie to Access Online Account

    The IRS will soon begin requiring a photo ID, paired with a live selfie, in order to access online accounts.

    As online security becomes a growing concern, the IRS is taking a major step forward to verify users’ identities. According to Krebs on Security, the IRS is adopting ID.me’s verification service.

    Beginning in the summer of 2022, users looking to access their online IRS accounts will need to upload a copy of their government-issued IDs, such as a driver’s license or passport. Once the document is uploaded, the new system requires the person to use their computer camera or mobile device to film a video selfie, which ID.me then compares to the uploaded photo ID.

    The system then prompts the user for a mobile or landline phone number — not a VoIP service — along with a copy of a social security card, birth certificate, health insurance card, or utility bill. In fact, Krebs reports the system requires two such “secondary identification documents.”

    Users may be understandably concerned about giving over so much personal information to a third-party company, but ID.me founder and CEO Blake Hall told Krebs that if a person signs up “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

    Despite the hassle, Krebs believes services like ID.me are unavoidable, and may provide significant security benefits.

    Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

  • Crypto.com Halts Transactions After Thefts, Upgrades Account Security

    Crypto.com halted all transactions Monday, after a small number of accounts were compromised, and is beefing up account security in response.

    Crypto.com is a popular cryptocurrency trading platform. Some of the platform’s users experienced unauthorized activity, with some reporting the theft of their crypto.

    The company halted all transactions in response, making the announcement in a series of tweets.

    Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe.

    In an abundance of caution, security on all accounts is being enhanced, requiring users to:

    -Sign back into their App & Exchange accounts

    -Reset their 2FA

    — Crypto.com (@cryptocom), January 17, 2022

    This update will be rolled out to users progressively over the next few hours.

    Once complete, withdrawals will be re-enabled.

    We understand this may be an inconvenience, but security comes first.

    Thank you for your support.

    — Crypto.com (@cryptocom), January 17, 2022

  • FCC Wants Stricter Data Breach Reporting Requirements

    FCC Chairwoman Jessica Rosenworcel has proposed new requirements that would strengthen data breach reporting rules.

    Data breaches have become a near-daily occurrence, with customers’ data being stolen, bought, and sold on the dark web. While there are requirements in place for how companies should address data breaches, Rosenworcel wants to see those requirements strengthened in a way that protects consumers even more.

    “Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” said Chairwoman Rosenworcel. “Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information. I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

    In particular, the new proposal would eliminate the seven-day mandatory waiting period before companies can notify customers of a breach, require notification of inadvertent breaches, and require carriers to notify the FCC, the FBI, and the US Secret Service of all reportable breaches.