Security in brief – The fallout from an eight-month-old cyber attack on a county in Long Island, New York has devolved into mud-slinging as leaders try to figure out just what is going on.
Suffolk County was hit with a ransomware attack in early September 2022, which led county executive Steve Bellone to issue nine separate emergency declarations, Long Island publication Newsday said – the most recent of which was enacted earlier this month.
Bellone's detractors don't believe the state of emergency needs to continue, however, and county legislators have introduced a resolution to terminate the continued declarations. In Suffolk County, a state of emergency gives executives the ability to issue no-bid contracts and hire staff without legislative approval.
Bellone used those powers in December to suspend Suffolk County clerk IT director Peter Schlusser without pay, with Bellone and his team placing much of the blame for the intrusion and accompanying $2.5 million ransom demand on the clerk office's shoulders.
A spokesperson for the county told Newsday that the continued state of emergency was necessary "because certain functions, including remote public document searches, remain offline and require a complete overhaul due to the fact that the former clerk IT administrator failed to update these systems in decades."
Schlusser disagrees, and claims he alerted Bellone's IT team to potential intrusions months before the ransomware attack, as well as an FBI warning that there was an active ransomware campaign being waged against the county shortly before the attack was discovered.
Despite claims that the county's state of emergency is long past expired, a post-breach report found 600 instances of malware on county systems that had gone undetected for years. So far, the ransomware incident has cost Suffolk County $5.4 million for investigation and restoration, and $12 million for new hardware and software.
Anyone hosting code on GitLab should take this week's list of critical vulnerabilities seriously – the code repository released an emergency patch for a rather serious path traversal flaw this week.
Identified as CVE-2023-2825, the issue exists in the community and enterprise editions of GitLab running version 16.0.0; prior versions of the platform aren't affected. On a vulnerable instance, an unauthenticated attacker could read arbitrary files on the GitLab server when an attachment exists in a public project nested at least five groups deep.
GitLab's own security advisory for the flaw contained minimal information, but did include a warning to update to version 16.0.1 as soon as possible.
So get to it.
Outside of the GitLab report, a quartet of critical ICS vulnerabilities were reported by CISA this week:
The man behind a popular website that allowed cyber criminals to fake their caller ID location has been sentenced to 13 years and four months in prison, the Metropolitan Police said this week.
Tejan Fletcher, the operator of iSpoof, was arrested in November last year and pleaded guilty to making or supplying articles for use in fraud, encouraging or assisting in the commission of an offense, possessing criminal property and transferring criminal property, the Met said.
iSpoof was a massive international operation, with £48 million ($59 million) in losses reported from victims in the UK alone. Users of the site, of whom there were a reported 59,000, made ten million calls via iSpoof in the 12 months ending in August 2022 – 3.5 million of those targeted UK residents and customers of banks like Barclays, HSBC and Lloyds. Some 169 people have been arrested in the UK under suspicion of using iSpoof.
"This type of crime will not be tolerated and those who are involved in fraud and cyber crime will be found and brought to justice," said City of London Police Commander Nik Adams.
The UK leads as the most likely European nation to have card details available for sale online, NordVPN announced in a report on card theft this week.
An analysis of six million stolen card details found that the UK was the third-largest source of stolen payment data, behind only the US and India. More worryingly for UK residents, 63 percent of stolen card data is available together with other personally identifiable information such as addresses, insurance numbers and other contact details.
Despite that, the UK actually ranked 22nd when stolen cards are compared to population and the number of cards in circulation. Take your peace of mind where you can find it.
Education technology firm Edmodo was fined $6 million by the US Federal Trade Commission this week, and will have to conform to several other requirements, after an investigation determined the company illegally collected and sold minors' data to be used to serve ads.
Edmodo reportedly foisted legal compliance onto districts and teachers, violated data retention rules, and committed numerous other violations of COPPA, the FTC said.
Edmodo won't face the fine, however, as it said it doesn't have the ability to pay. The FTC suspended the fine in response, but let other provisions of its order stand – despite the fact that Edmodo suspended its US operations in response to the investigation.
Edmodo isn't doing business anywhere right now, which may be why the $6 million penalty is a bit out of its price range. If the company ever resumes operations, it'll be required to collect only information that's reasonably necessary for students to participate in virtual classroom activities. The other orders prohibit it from collecting or using data to serve ads, and require it to get explicit consent from parents – not schools – to collect data. ®
Source: The Register