Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Before we get started on this week’s CIW, I’d like to highlight an excellent article by our very own Jake Murphy, who explores how attackers exploit file upload features within web applications.
Away we go!
1. Microsoft “Raising the Baseline Security for all Organizations in the World”
Back in October of 2019 Microsoft introduced security defaults for all new tenants, basically ensuring that the tenants would be protected from common security issues by placing basic hygiene items in place, such as MFA.
However, these security defaults did not apply to the 60 million other tenants that preceded the change. Per a recent announcement from Microsoft, they are going to turn on security defaults for all tenants.
These security defaults will now challenge users with MFA prompts when deemed necessary. It will look at data factors such as location, device, role and task. Power admins will always be required to use MFA when signing in. Global admins of these tenants will be notified through email of these changes and then in June they will receive prompts during the sign-in process.
This is a big step forward to protecting a vast amount of cloud users who are likely not that tech savvy when it comes to security their tenants. As cloud computing services become more ubiquitous, it is good to see leaders in the market such as Microsoft taking the lead and advancing security for customers in this way.
2. FTC Charges Twitter with Deceptively Using Account Security Data to Sell Targeted Ads
Last week, the Federal Trade Commission (FTC) announced penalties against Twitter for “profiting from deceptively collected data.” The complaint states how Twitter began asking users for their phone number or email address in 2013 to improve account security. In many cases, these bits of data can be helpful when users need to unlock their accounts or for enabling MFA.
Apparently, over 140 million Twitter users provided their phone number or email address to Twitter for these purposes. Twitter, however, had other plans for the data as well. Twitter also decided to use the data for targeted marketing purposes. Essentially, Twitter used their users’ desire for better security to further exploit them.
A statement from Twitter describes how they have been in compliance with the FTC rules since 2019 and have worked hand in hand with the FTC to resolve the issues and have paid the $150 million penalty. They also mentioned their new “Data Governance Committee” who’s aim is to oversee all decisions to collect, maintain, use, disclose, or provide access to customer data internally.
3. Hacker Steals Data on Hundreds of Verizon Employees
A recent report from Vice reveals how a hacker stole data on hundreds of Verizon employees. The hacker, who reached out to Vice to share this information, said that they reached out to a Verizon employee pretending to be “internal support.”
Once the hackers were in the Verizon network, the hackers gained access to a Verizon internal tool that allows users to lookup employee information. The hackers then wrote a script and downloaded data points on hundreds of users.
The concern over attacks like this is that hackers could leverage this sort of data to perform further attacks and target other internal employees with deeper access. One of the holy grails for hackers is to gain access to carrier systems that allow for SIM swapping. Taking over someone’s phone through SIM swapping can lead to serious harm.
This attack sounds eerily similar to attacks like the LAPSU$ group might undertake. It is always disconcerting to hear just how far a hacker can go once that initial foothold is given. This is why the concept of zero trust philosophy is such an important thing that organizations need to focus on.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about