This week
Meta fined €1.2 billion for mishandling data
- Ireland’s Data Protection Commission (DPC) has fined Facebook owner Meta €1.2 billion (£1bn; $1.3bn) for mishandling personal data transfers between Europe and the US. It’s the largest fine issued under General Data Protection Regulation (GDPR). It’s a massive fine but adds up to less than 6% of Meta’s 2022 net profit. Meta says that it will appeal the “unjustified” penalty.
- The decision hinges on Facebook’s reliance on standard contractual clauses (SCCs) to cover its transfer of EU citizens’ data to the US to run its social network. The DPC’s decision in July 2022 did not include a fine, but fellow regulators, acting through the European Data Protection Board (EDPB), challenged that decision (vol. 6, iss. 2); the EDPB overruled the Irish regulator and instructed it to impose a fine.
- The Economist has an opinion piece looking at the weak enforcement of GDPR and potential flaws in supervision that have led to Ireland overseeing four of the world’s five largest digital platforms.
US-China cyber tensions
- The Cyberspace Administration of China has banned Micron from its critical infrastructure sector, citing “serious network security risks”. The US government says the action against Micron, a US chipmaker, has “no basis in fact.” We can expect more of this in the coming years. Supply chains are complex, and these bans are now an established part of the diplomatic toolkit.
- Also this week, Microsoft says that the Chinese state-sponsored group ‘Volt Typhoon’ has compromised US critical infrastructure, including that supporting the US Western Pacific military outpost in Guam. While the initial focus has been on gathering intelligence, Microsoft says it has ‘moderate’ confidence that the ultimate aim is the ability to disrupt communication between the US and Asia during a future crisis. This kind of pre-positioning is what US doctrine calls ‘defend forward’ and ‘persistent engagement’.
- The UK NCSC, with Five Eyes allies, has issued a warning to critical infrastructure operators and provided guidance (PDF) on how to deal with the Volt Typhoon campaign, which makes extensive use of ‘living off the land’ techniques to avoid detection.
BrutePrint unlocks Android smartphones for $15 in as little as 40 minutes
- Researchers from Zhejiang University in China have developed BrutePrint, a method for brute-forcing fingerprint authentication on smartphones. The technique requires disassembling the phone to attach a new circuit board and circumventing some of the protections that restrict the number of failed attempts. It’s limited on iPhone but successful against Android devices, brute-forcing access in anywhere from 40 minutes to 14 hours.
- I’m sure that this will be of interest to law enforcement. Long, complex passphrases are better than fingerprints if you believe you’ll be targeted by police, with the FBI previously gaining a warrant to force a user to unlock their device, regardless of the potential for self-incrimination (vol. 5, iss. 30).
Interesting stats
60% of phishing websites were registered through Freenom in November 2022, dropping to <10% in April 2023, after Meta sued the company for ignoring abuse complaints, according to Interisle Consulting Group.
Other newsy bits / in brief
- TikTok is suing the US state of Montana for the “unconstitutional” ban of its service, announced last week (vol. 6, iss. 21).
- Stop Scams UK is a cross-industry group of banks, tech companies and telcos that are banding together to gather intelligence and tackle scammers in the UK. It’s in response to rising fraud rates and disappointment in the UK government’s strategy to combat fraud, released earlier this month (vol. 6, iss. 19), with measures watered down to a ‘voluntary’ charter.
- The US has issued sanctions against four entities and one individual for their involvement in providing an “army” of thousands of IT workers to generate revenue for North Korea.
- iRecorder Screen Recorder, an Android app, surreptitiously recorded audio from 500,000 devices every 15 minutes and uploaded it to command and control servers. The app started out legitimate but was updated after nine months to include the AhMyth open-source remote access trojan (RAT).
- SentinelOne says that cybercriminals in Brazil have been targeting 30 Portuguese financial institutions in a campaign they are calling Operation Magalenha.
- Mandiant discovered malware linked to Russia that is designed to disrupt industrial control systems. ‘CosmicEnergy’ appears to have been developed by Rostelecom-Solar, a Russian telco, and shows signs of being used for a training exercise. The malware was uploaded to VirusTotal in December 2021.
- Zyxel is warning of two critical vulnerabilities in its firewall and VPN products that could allow denial-of-service or remote code execution on affected devices. CVE-2023-33009 and CVE-2023-33010 both have a CVSS score of 9.8.
- D-Link has also released a patch to fix a similar remote code execution and authentication bypass vulnerability in its D-View network management software.
- Israeli startup Memcyco has closed a $10 million seed funding round for its ‘digital watermark’ technology that it says will help alert users when they are visiting fraudulent websites impersonating legitimate brands.
And finally
- Insider threat: A former security analyst at Oxford Biomedica has pleaded guilty to blackmail and unauthorised access to a computer with intent to commit other offences. Ashley Liles was in the cyber security team of Oxford Biomedica in February 2018 when the company suffered a security incident. Liles modified the ransom emails from the attackers to include his own Bitcoin address, hoping to receive part of the £300,000 demand. The good-guy-turned-bad also set up a similar email address and pressured the firm’s management to pay up. Terrible OpSec got Liles caught: he accessed his fake attacker email address directly from his home internet connection, allowing police to track him down from his IP address. (H/T @JoeTidy).