Apple plugs security holes for Easter as cops bring Genesis to an end. The UK fines TikTok over underage data use. DDoS attacks surge and cybersecurity professionals keep quiet over breaches.
By Joe Fay
Apple rushed out patches for its iOS, iPadOS and macOS operating systems on Good Friday after it emerged that the bugs they addressed had already been exploited. CVE-2023-28205 affects WebKit and could allow “arbitrary code execution” after a user processed “maliciously crafted web content”, Apple warned, while CVE-2023-28206 affects IOSurfaceAccelerator and potentially allows the execution of arbitrary code with kernel privileges. Both bugs had been exploited in the wild, Apple admitted. Apple credited Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab with reporting the issues.
The FBI and allies from 15 other nations last week shut down the Genesis Market after a two-year effort to penetrate the prolific trading hub for stolen credentials. The takedown involved 119 arrests, 208 property searches and 97 “knock and talk measures”, according to a statement from Europol. Authorities seized the website and its supporting infrastructure. At the time of the move on Genesis, the marketplace carried 1.5 million bot listings with over two million identities. A “bot” listing represented an identity which had been hijacked by malware, including fingerprints, logins and cookies, and the means for a criminal to exploit it. They were priced from as little as 70 cents to hundreds of dollars.
TikTok has come under more pressure in the U.K., with a £12.7m fine from the Information Commissioner’s Office (ICO) for “misusing children’s data”. The data regulator estimated that more than 1.4 million children under 13 were on the video sharing site in 2020, “contrary to its terms of service”, that their personal data was being used without parental consent, and that TikTok did not do enough to check who was using the platform or remove underage children. “TikTok should have known better” said U.K. Info Commissioner John Edwards. In recent months U.K. organizations including the civil service, parliament and the BBC have told users to remove TikTok from work devices, amidst fears the Chinese government could access data from the platform.
The UK’s National Cyber Force (NCF) has outlined the “principles” under which it operates, as part of a commitment to being “a responsible cyber power”. The document provides a justification for the U.K.’s decision to stage offensive cyber efforts, including its deterrence effect. It broadly outlined the sort of operations the NCF could undertake, such as disrupting an adversary’s communications or engaging in influence operations, while stating that where “traditional responses” to threats were appropriate, NCF would not get involved. When it does get involved, any efforts must be accountable, precise, and calibrated.
DDoS attacks have surged in recent years, fueled in part by pro-Russian groups, research from Netscout has shown. The research showed that complex multi-vector attacks and sophisticated adversary methodologies were now commonplace. Netscout said that its ATLAS platform reported daily network transit of over 34 exabits and aggregate peaks of 436 petabits of DDoS attack traffic. The second half of 2022 saw 6.8 million attacks, an increase of 13% on the first half of the year. Attacks on the U.S. national security sector related to the Killnet group rose 16,815% it claimed.
More than half of cybersecurity professionals surveyed by BitDefender said they had experienced a data breach resulting from a security incident in the last year, with the figure rising to 75% in the U.S. However, BitDefender found that over 40% of professionals said they had been told to keep quiet about breaches, irrespective of disclosure obligations. This rose to 71% amongst U.S.-based respondents. Which really isn’t something to shout about.