Hackers accessed security cameras inside Tesla and beyond

Widespread hacking continued to be on everyone’s mind this week, as countless companies and organizations kept fighting a number of major hacks. Now that Microsoft's patches have been out for some time, a number of nation-state and criminal actors are becoming more aggressive in exploiting a set of Microsoft Exchange Server bugs that were already under active attack by the Chinese group Hafnium. Meanwhile, the White House is weighing a response to Russia’s recent SolarWinds espionage campaign, which compromised data from various United States government agencies and private companies around the world. For the Biden administration, the risk is that too strong a retaliation could erode the rules and be seen as hypocritical, given that the United States and virtually all governments practice digital espionage.

Criminal hackers have also continued their wave of extortion related to a breach of network equipment and firewall maker Accellion. The world of digital chess is in an uproar and beset by digital harassment after a chess star from Twitch and YouTube accused a novice challenger of cheating in a game that the master lost. And Google researchers have developed a proof-of-concept browser exploit to raise awareness of the threat that speculative execution attacks, such as those exploiting the infamous “Spectre” vulnerability, still pose for the web three years later.

The privacy-focused Brave browser launched its own search engine this week, with the aim of competing with Google without collecting so much user data. And we took a look at the top five password managers to use now. Now is a good time to review them, especially considering that Netflix may be cracking down on password sharing.

And there’s more! Each week, we gather all the news that we do not cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Hackers breached the video surveillance services company Verkada on Monday, Bloomberg reported, gaining access to a “super administrator” account that allowed them to view more than 150,000 live feeds, as well as video files from Verkada customers. The exposed organizations included prisons, schools and hospitals – such as Madison County Prison in Huntsville, Alabama, and Sandy Hook Elementary School – as well as technology companies like Tesla and Cloudflare. More than 100 Verkada employees had access to thousands of customer streams – an additional surprising and likely disturbing revelation for customers. Tillie Kottmann, a hacker who took responsibility for the breach, said in a Mastodon post on Friday that authorities raided his apartment in Lucerne, Switzerland, and confiscated his electronic devices. The search warrant was apparently related to an alleged hack from last year and not to the Verkada breach.

Security researchers warned this week that the public release of a thorough proof-of-concept exploit for recently fixed Microsoft Exchange Server vulnerabilities would intensify a hacking frenzy that had already escalated in recent days. On Wednesday, independent security researcher Nguyen Jang uploaded one of these exploits to the GitHub code repository platform. Within hours, GitHub removed the post. The incident sparked controversy within the security community, because Microsoft owns both GitHub and Exchange Server. The idea that a corporate overlord could police GitHub content, or otherwise encroach on the open source community, caused a great deal of controversy during Microsoft’s acquisition of the service.

“We understand that publishing and distributing proof-of-concept exploit code has educational and research value for the security community, and our goal is to balance that benefit by keeping the broader ecosystem secure,” a GitHub spokesman told Motherboard on Thursday. “In accordance with our Acceptable Use Policies, we have disabled the gist following reports that it contains proof-of-concept code for a recently disclosed vulnerability that is being actively exploited.”
