The Host Unknown Podcast

Episode 118 - We should have taken a summer holiday

Episode Summary

This week in InfoSec takes us back to a chapter in the life of Paris Hilton, master hacker

Rant of the Week is finding a pattern with companies Jack Dorsey co-founds

Billy Big Balls is another bold move from the cyber insurers

Industry News brings us the latest and greatest security news stories from around the world

Tweet of the Week is a list of things everyone should know by the time they're 30

Episode Notes

This week in InfoSec: (The one and only):

23rd August 2006: SpoofCard confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard said it had implemented controls to prevent recurrences.

Paris Hilton: Master Hacker?

https://twitter.com/todayininfosec/status/1297213638059728896

26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the W32.Gammima.AG worm.

Space. Where you don't want to be dealing with malware.

Malware detected at the International Space Station

https://twitter.com/todayininfosec/status/1298690676448735232


Rant of the Week:

Block sued after ex-staffer siphons customer data

Block – the digital payments giant formerly known as Square – faces allegations it failed to take adequate measures to protect customers' personal information.

A lawsuit, filed Tuesday in a federal district in Oakland, California, on behalf of two users of Cash App, operated by Block subsidiary Cash App Investing, claims the company failed to implement reasonable security. As a result, a former employee was able to download internal reports containing personal information after leaving the firm.

Coincidentally, Twitter – another venture co-founded by Block Head Jack Dorsey – was accused of subpar security by its former security chief in a recent whistleblower complaint.

Block disclosed the December 10, 2021 data theft on April 4, 2022, and stated it was contacting 8.2 million current and former customers about the privacy snafu. The biz said, "a former employee downloaded certain reports of its subsidiary Cash App Investing LLC … that contained some US customer information."

The employee had access to those reports while employed but in this instance downloaded the files after leaving the company. The data obtained included customers' full name and brokerage account numbers, and in some cases, brokerage portfolio values, brokerage portfolio holdings and/or stock trading activity for one trading day.

As far as the litigants are concerned, Block didn't meet its security obligations, failed to notify customers in a timely manner, provided too little information about the incident, and failed to offer credit or identity monitoring services.


Billy Big Balls:

Lloyd's to exclude certain nation-state attacks from cyber insurance policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added [PDF], noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyberattack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum – key word: minimum – these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."


Industry News:

Counterfeit Android Devices Revealed to Contain Backdoor Designed to Hack WhatsApp

Ex-Security Chief Accuses Twitter of Cybersecurity Negligence

Facebook Bug Causes Users' Feeds to Be Spammed

Plex Suffers Data Breach, Warns Users to Reset Passwords

Scammers Create 'AI Hologram' of C-Suite Crypto Exec

Workplace Stress Worse than Cyber-Attack Fears for Security Pros

US Firm Pays $16m to Settle Healthcare Fraud Claims

Talos Renews Cybersecurity Support for Ukraine on Independence Day

Microsoft Attributes New Post-Compromise Capability to Nobelium


Tweet of the Week:

https://twitter.com/J4vv4D/status/1562775110544949248?s=20