China imposed a “pilot program banning fishing in parts of the south-west Atlantic Ocean from July to October, and parts of the eastern Pacific Ocean from September to December.” However, the conservation group Oceana analyzed the data and figured out that the Chinese weren’t fishing in those areas in those months, anyway.

<

blockquote>In the south-west Atlantic moratorium area, Oceana found there had been no fishing conducted by Chinese fleets in the same time period in 2019. Between 1,800 and 8,500 fishing hours were detected in the zone in each of the five years to 2019. In the eastern Pacific zone, China’s fishing fleet appeared to fish only 38 hours in the year before the ban’s introduction.

“Ending squid fishing in areas where there is no fishing does nothing to protect squid,” said Oceana’s campaign director, Max Valentine.

<

blockquote>

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.

Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.

In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”

“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”

T-Mobile has not yet responded to requests for comment.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.

Multiple SIM-swapping gangs have had great success targeting T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.

In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.

The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.

And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”

A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.

Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.

Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.

The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.

If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.

Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.

Read More

This article talks about new Mexican laws about food labeling, and the lengths to which food manufacturers are going to ensure that they are not effective. There are the typical high-pressure lobbying tactics and lawsuits. But there’s also examples of companies hacking the laws:

Companies like Coca-Cola and Kraft Heinz have begun designing their products so that their packages don’t have a true front or back, but rather two nearly identical labels—except for the fact that only one side has the required warning. As a result, supermarket clerks often place the products with the warning facing inward, effectively hiding it.

[…]

Other companies have gotten creative in finding ways to keep their mascots, even without reformulating their foods, as is required by law. Bimbo, the international bread company that owns brands in the United States such as Entenmann’s and Takis, for example, technically removed its mascot from its packaging. It instead printed the mascot on the actual food product—a ready to eat pancake—and made the packaging clear, so the mascot is still visible to consumers.

Read More

The Securities and Exchange Commission (SEC) has introduced a new rule for public companies that requires them to be more transparent about cybersecurity incidents. The new rule requires companies to disclose any material cybersecurity incidents within four business days of that determination. The disclosure should describe the material aspects of the incident, including the nature of the incident, the impact on the company, and the company’s response.

The SEC’s proposed rules include written cybersecurity policies and procedures, IT risk assessments, user security, and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and cybersecurity incident reporting and disclosures.

To help CISOs incorporate this requirement seamlessly into their existing incident response plan, here are some actionable tips:

Revisit your incident response plan: An incident response plan is a structured approach that outlines the steps you’ll take during a security breach or other unexpected event. Your business may be unprepared for a security incident without a response plan. An effective plan helps you identify and contain threats quickly, protect sensitive information, minimize downtime, and lessen the financial impact of an attack or other unexpected event.

Update the notification procedure and proactive planning for notification: Craft a well-defined notification procedure outlining the steps to comply with the SEC’s requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis.

Material incident identification and impact: Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline.

Data protection and disclosure balance: Develop protocols to protect confidential information during public disclosures and collaborate closely with legal counsel to ensure compliance with disclosure regulations.

Regular plan reviews and third-party assessments: Regularly update your incident response plan to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention.

Conduct tabletop exercises: Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business aspect, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team’s skills and enhance preparedness for the new 4-day deadline.

Foster a culture of cybersecurity awareness: Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks.

To determine your readiness posture, ask yourself the following questions:

Incident reporting and management questions

What is your process for reporting cybersecurity incidents?
How can you effectively determine the materiality of a breach or attack?
Are your processes for determining materiality thoroughly documented?
Have you determined the right level of information to disclose?
Can you report within four days?
How will you comply with the requirement to report related occurrences that qualify as “material”?

Incident management policies and procedures

Are your organization’s policies and procedures, risk assessments, controls, and controls monitoring strong enough to disclose publicly?
Are your policies and procedures aligned with the specifications in at least one recognized industry framework? Are they updated regularly? Does everyone in the organization know what they are and how they are responsible for following them? Are they well-enforced?

Governance and risk management

Is your risk assessment robust, and is it applied throughout the organization, focusing on top risks to the business?
How often do you do risk assessments? Are assessment results incorporated into your enterprise cyber strategy, risk management program, and capital allocations?
Have you engaged a third party to assess your cybersecurity program?

Board and leadership awareness

How does your organization monitor the effectiveness of its risk mitigation activities and controls? How mature are your capabilities, as evaluated against an industry framework?
How are leadership and the board informed about the effectiveness of these controls?
Are your C-level executives getting the information needed to oversee cybersecurity at the board level?

Conclusion

In conclusion, the new SEC rule for public companies and cybersecurity incidents requires companies to be more transparent about material cybersecurity incidents. To comply with this requirement, companies should revisit their incident response plan, update their notification procedure, conduct material incident identification and impact assessments, develop protocols for data protection and disclosure balance, conduct regular plan reviews and third-party assessments, conduct tabletop exercises, and foster a culture of cybersecurity awareness. By asking the right questions and taking the necessary steps, companies can ensure they are ready to comply with the SEC’s new cybersecurity incident disclosure rule.

Read More

Nearly one in three young adults has had their personal information misused

Read More