Tech Talk Show Notes
January 3-9, 2021
The large-scale shift to remote work and the increased reliance on online services as the result of the global pandemic this year gave threat actors new opportunities to use distributed denial-of-service (DDoS) attacks to harass and extort organizations.
Providers of DDoS mitigation services reported an overall increase in attack volumes, attack sophistication, and attack complexity in 2020 compared with prior years. Adversaries went after more organizations in more industries than ever before, and the motives for launching attacks became as varied as the attacks themselves.
There are plenty of security solutions in place that protect sensitive data in motion, and at rest in enterprise storage and the cloud, from firewalls to data loss prevention software. But the mobile endpoint is one of the biggest security weaknesses today. Hackers know this and are exploiting it every day — Verizon’s “2020 Mobile Security Report” found that four in 10 companies were breached through a mobile device.
Mobile devices have been at the crux of some of the year’s most notable and high-profile attacks. Amazon CEO Jeff Bezos’ alleged iPhone compromise incident became a key example of how mobile devices can be penetrated without sophisticated brute-force hacking or techniques.
Like thousands of other parents, I decided to get my kids a cheap drone for Christmas. I spent $24 for a plastic flying machine with rudimentary collision-avoidance capabilities. A plastic cage mostly kept small fingers away from the four propellers. The kids were delighted for the first couple of hours.
Then my five-year-old daughter somehow managed to get one of the propellers stuck in her hair. The drone was never the same after that. Instead of hovering in the air, it started veering crazily to one side and falling to the floor. A couple of hours later, I noticed that another propeller—not the one that had grabbed my daughter’s hair—had fallen off entirely. Now when you toss it up it immediately flips over and plunges to the floor.
The COVID-19 pandemic accelerated a trend that was already well underway: employers letting their workers perform their jobs remotely, from home, most or all of the time. But even if you and your employer both know exactly where you live and work, you may be surprised to learn that state departments of taxation can have some very different ideas about where “here” is. As a result, Texans, Utahns, and Arkansawyers who work for New York- or Massachusetts-based companies will have income taxes withheld from their paychecks, even if they’ve never set foot in the home office.
In the wake of the pandemic, dozens of major companies are embracing employees’ desire to stay remote, increasing their support for working from home permanently. Some businesses have even closed offices or let leases lapse, counting on a physically distant, flexible workforce to reduce their real estate needs.
In February 2019, Nijeer Parks was accused of shoplifting candy and trying to hit a police officer with a car at a Hampton Inn in Woodbridge, N.J. The police had identified him using facial recognition software, even though he was 30 miles away at the time of the incident.
Mr. Parks spent 10 days in jail and paid around $5,000 to defend himself. In November 2019, the case was dismissed for lack of evidence.
Mr. Parks, 33, is now suing the police, the prosecutor and the City of Woodbridge for false arrest, false imprisonment and violation of his civil rights.
Whenever a polarizing event occurs, there are people looking for ways to exploit the situation. Cyber crooks have long been known for using large events or important topics to try to phish and scam, infiltrate networks, and establish footholds. And the events that polarized the world’s largest economy in 2020 set the perfect stage for advanced persistent threat (APT) groups and other organized cybercriminals to act. It is the ideal combination of all the ingredients you need for successful attacks, not only in the United States but everywhere in the world.
Why? Simply put, when large segments of the population are polarized (in fact, tribalized), they are eager to consume the things that help them make sense of their convictions. Opponents’ facts and experiences are perceived with bias and even disbelief, which amplifies the impact of things that a person believes “makes sense.” Playing to this scenario makes it straightforward for cybercriminals to distribute infected files or share links to malicious websites or downloads.
It said offenders had even spoken to responding officers via the hacked kit.
It marks the latest escalation of a crime known as “swatting”, in which offenders fool armed police or other emergency responders into going to a target’s residence.
The FBI said there were “deadly” risks.
A fake call about a hostage situation led to police shooting a man in Kansas three years ago, and there have been non-fatal injuries in other cases.
The hackers behind the massive SolarWinds cyberattack, an operation allegedly backed by Russia that compromised networks at many U.S. agencies and Fortune 500 corporations, also broke into Microsoft’s internal systems and accessed one of the company’s most closely guarded secrets: its source code.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” said the Microsoft Security Response Center team in a blog post on Thursday.
Microsoft had previously confirmed that it, like the scores of other cyberattack victims, unknowingly downloaded malicious code hidden in SolarWinds’ popular network management tool Orion Platform. But Thursday’s disclosure is its first admission that hackers accessed internal company systems.