The Security Digest: #38

by Daniel Tobin on December 8, 2020

Hello and welcome to TSD, your weekly blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.

Check back here every Tuesday for more TSD or sign up below to stay in the loop!

Please reach out to us directly, via [email protected] or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!

Florida agents raided the home of the former Florida official now running her own state COVID-19 dashboard. The complaint against her alleged “that a person illegally hacked into their emergency alert system.” The hacking was due to the fact that “all users ‘share the same username and password’” and she is no longer an authorized user…via NPR.
The Philadelphia Inquirer is reporting that a local hunger relief group, Philabundance, lost nearly $1 million in a phishing scam. They accidentally wired the money thinking they were paying a construction firm, and did not notice for 18 days this past July. Philabundance is expected to distributing 50 million pounds of food this fiscal year, twice that of the previous year. Luckily they were still able to actually pay their bill and have been able to weather the loss.
Meanwhile, phishing scams are attacking the full supply chain for the COVID-19 vaccines via CNN. Read the full report from IBM.
As we move closer to the end of the year, KrebsOnSecurity is reporting that the IRS will be allowing all “all taxpayers to apply for an identity protection personal identification number” to help prevent tax refund scams.
Help Net Security covers a report from McAfee stating “cybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion.” Read the full report at McAfee.
iPhone had a zero click WiFi that was so wildly scary I don’t even know where to begin but just be glad that Ian Beer, a researcher at Project Zero, found it. Read the overview of it at Ars Technica which breaks down the incredibly in depth 30,000 word writeup.
In facial recognition and surveillance news, Massachusetts passed a wide ranging police reform bill and banned facial recognition for police departments and public agencies according to TechCrunch. At the federal level, a wide range of companies have all hired lobbyists to advocate for positions on face recognition laws according to Wired. Mentions of the technology “jumped more than four-fold from 2018 to 2019”. Meanwhile, Wired has another report on Baltimore’s secret aerial surveillance program. Over a period of 8 months, “planes with high-tech cameras circled the city up to 40 hours a week.”
Finally, the TikTok saga may be over? The deadline passed on December 4th, the Justice Department seems to have quietly decided to not enforce it and yet another judge has completely blocked the action according to NPR.

Owl fun and facts:

Project SNOWStorm has made its mission to start tracking Snowy owls with GPS transmitters. The image above is the path of Dorval, who is back in range to send her GPS data. Overall, Snowy Owls are showing up in lots of places across the country this and have now been spotted as far south as central Ohio. Wisconsin is also seeing their own snowy owls. The numbers this year seem to match non irruption years so far though.

A Shout Out:

We love Security as Code so we had to share this post from Bridgecrew as they dig deep into using their config scanning tool, checkov, to scan Helm charts for insecure configurations. Checkov supports 150+ out-of-the-box checks for K8s, so this post shows how you can convert your helm charts and even set them up as part of your build pipeline. Love to see it!