August Cyber update II from the Office of Rob Kleeger
Aug 26, 2022 7:01 pm
It's not typical that I send out multiple email campaigns in a given month, however as we near Labor Day, I thought that alerting about the recent incidents may benefit many of you if unaware.
All the best,
CURRENT DATA SECURITY NEWS:
Security Researcher Finds Amazon Ring Vulnerability to Allow Hackers to Spy on You
A security researcher was able to find a flaw in the Amazon ring app that could lead to hackers spying on people. Hackers could use this exploit to be able to watch saved recordings.
Apple Reveals Critical Security Flaws for iPhones, Macs, and iPads — Millions of Apple Users At Risk!
Apple revealed critical security flaws for Macs, iPads, and iPhones that could potentially let attackers seize total control of their gadgets, according to a report by AP. Users of the iPhone 6S and later versions, various iPad models, as well as the 5th generation and later, all iPad Pro models, iPad Air 2, and Mac computers running macOS Monterey, have been advised to update the affected devices ASAP.
LastPass Says Source Code Stolen in Data Breach
Password management software firm LastPass has suffered a data breach. LastPass CEO, said that an unauthorized party had stolen "portions of source code and some proprietary LastPass technical information."
The company, which is owned by GoTo (formerly LogMeIn), disclosed the breach in an online notice posted, but insisted that the customer master passwords or any encrypted password vault data were not compromised.
LastPass operates on a zero-knowledge security model. Zero knowledge means that no one has access to your master password or the data stored in your vault, except you. They claim to never capture, see, or store your master password. To ensure only authorized access is granted to your vault, we use industry standard mechanisms, such as AES-256 encryption and PBKDF2 hashing, to keep your master password private.
Fingers Crossed the "source code or proprietary information" isn't what provides the Master Password/Phrase to be compromised in the future.
Hackers are attempting to steal millions of dollars from businesses by bypassing multi-factor authentication
A phishing and business email compromise (BEC) campaign that attempts to steal millions of dollars from victims is targeting Microsoft 365 accounts with attacks that can bypass multi-factor authentication (MFA).
Applying multi-factor authentication (MFA) is one of the best things that can be done to help secure user accounts from being compromised – but as with any other cybersecurity measure, malicious hackers are attempting to find ways to get around it. Threat actors abuse push-based MFA to spam users with notifications until they eventually accept the prompt and allow the threat actor access. Microsoft has recently announced that they will roll out MFA push notification with number matching to combat this.
DoorDash Data Breach Exposed Some Personal Customer Data
Food delivery giant DoorDash has confirmed a data breach that exposed customers’ personal information. DoorDash said malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools.
DoorDash said the attackers accessed names, email addresses, delivery addresses and phone numbers of DoorDash customers. For a “smaller subset” of users, hackers accessed partial payment card information, including card type and the last four digits of the card number.
CURRENT LEGAL CASE UPDATES:
A monumental case looks to crack open the world of auto-warranty robocalls
If you’ve picked up the phone in response to an unknown caller anytime in the last several years, chances are you’ve encountered this irritating automated message “We have been trying to reach you about your car’s extended warranty.” But according to state and federal officials, just two men may be responsible for an overwhelming share of the billions of auto-warranty spam calls that have hit US phones. In a complaint filed last month by Ohio Attorney General Dave Yost, the ringleaders of the auto-warranty robocall scheme are identified as Roy Melvin Cox, Jr. and Aaron Michael Jones, two California individuals described as repeat offenders of US telemarketing rules.
Good things happen to Bad People
A Florida man was charged with Fraudulently Obtaining $1 Million in Unemployment Benefits and COVID-19 Loan. From March 2020 to in or about December 2020, five states paid out approximately $960,000 in unemployment insurance benefits in response to applications that used an internet provider (IP) address associated with Blanc in furtherance of the claim. Law enforcement officers interviewed four people in whose names the claims were made; each said they did not file a claim, authorize anyone to make a claim, or know Blanc.
In July 2020, the SBA provided an EIDL of approximately $65,000 in response to an application in the name of a victim. The loan was transferred to a bank account in Blanc’s name. The IP address used to file the EIDL application is also connected to 67 additional EIDL applications. The SBA provided approximately $250,000 in response to these applications.
Did you know that Digital4nx Group was recognized by Enterprise Security as one of the top ten digital forensics companies in 2022.
If you are an attorney who litigates, know one, or are a responsible business executive that's ass is on the line if a data breach occurs, I would love to have a call or introduction!
Please share the above information with those people or arrange an introduction. Look forward to seeing you in the flesh!
DON'T FORGET ABOUT US:
Digital4nx Group provides a blend of legal and technology services where we systematically identify, preserve, extract, analyze, and interpret digital evidence.
Our services are commonly used to:
- React and respond by providing litigation support services for plaintiffs or defendants, as well as providing expert testimony and consulting, both in and out of court.
- Proactively identify and provide insights on how to better secure your confidential data, technology, and compliance.
Cyber Security Services
Cyber incidents can be damaging to an organization, both in the short and long term. Digital4nx Group helps business leaders protect their “crown jewels” through reasonable, defensible, and cost-effective services... Before, During, and After a Data Incident! We offer a multi-disciplined approach to cyber services such as:
- Advanced “Ethical Hacking”
- Cyber Risk and Compliance Assessments
- Incident Response to Cyber Incidents or Data Breaches
- Cyber Security Awareness Training