All change in the capital as the Biden administration takes charge, and thankfully without a hitch (or violence) after the attempted insurrection two weeks earlier.
In this week’s Decrypted, we look at the ongoing fallout from the SolarWinds breach and who the incoming president wants to lead the path to recovery. Plus, the news in brief.
THE BIG PICTURE
Google says SolarWinds exposure “limited,” more breaches confirmed
The cyberattack against SolarWinds, an ongoing espionage campaign already blamed on Russia, claimed the U.S. Bureau of Labor Statistics as another federal victim this week. The attack also hit cybersecurity company Malwarebytes, the company’s chief executive confirmed. Marcin Kleczynski said in a blog post that attackers gained access to a “limited” number of internal company emails. It was the same attackers as SolarWinds but using a different intrusion route. It’s now the third security company known to have been targeted by the same Russian hackers after a successful intrusion at FireEye and an unsuccessful attempt at CrowdStrike.
But Google said in a blog post this week that it was “confident that no Google systems were affected” by the SolarWinds breach. “We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained,” Google said.
Signal jumps after WhatsApp flubs policy change
End-to-end encrypted messaging app Signal got a much-welcome boost this week in the aftermath of the controversy over WhatsApp’s privacy policy change.
Facebook, which owns the rival encrypted messaging app, was forced to delay the rollout of the new policy until it could figure out how to explain the change without losing millions of users in the process. The new policy doesn’t change much more than it did four years ago to allow Facebook to see who you communicate with on WhatsApp, your location and other information about your WhatsApp use — but not your end-to-end encrypted messages.
According to a tweet from the app maker, Signal gained as much as 40 million installs in a single week. It’s no wonder the app buckled, albeit briefly, under the weight of new sign-ups. It’s like Signal thought of every possible way to secure the app from onlookers or snoops, but never considered immediate overnight fame would crash the service altogether.
ICYMI
India has called on WhatsApp to withdraw its privacy policy changes, citing “grave concerns regarding the implications for the choice and autonomy of Indian citizens.” India is currently WhatsApp’s biggest market.
Amazon’s Ring Neighbors app had a security bug that exposed real-world user locations and addresses. The bug meant the app was pulling in sensitive data even if it wasn’t displayed on screen.
Period app and fertility tracker Flo was slapped with a settlement by the Federal Trade Commission this week after it was caught sharing users’ private health information with third parties.
The European Medical Agency, tasked with coordinating a COVID-19 vaccine across the 27-member state bloc, was hit by a “hack and leak” operation designed to steal and publish internal agency data. The agency said some documents were manipulated “in a way which could undermine trust in vaccines.”
MOVERS AND SHAKERS
The revolving door at NSA spins again: NSA’s director of cybersecurity Anne Neuberger has joined the White House to oversee cybersecurity at the National Security Council, where she will serve as deputy national security adviser for cyber and emerging technology. Neuberger spoke at Disrupt 2020 about the agency’s efforts to secure the COVID-19 vaccine supply chain and emerging threats from China. At the NSC, Neuberger will lead the response to the SolarWinds breach. She also served on the Russia Small Group, a task force aimed at countering Russian interference.
Replacing Neuberger at NSA is former White House cybersecurity czar Rob Joyce, who previously served under multiple positions at NSA. Joyce returns from the U.S. Embassy in the U.K. to become the second NSA cybersecurity director. Joyce is also a well-known Christmas lights enthusiast. Once a hacker, always a hacker.
$ECURITY $TARTUPS
U.K.-based cybersecurity startup PPC Protect has landed £2 million ($2.7M) in seed funding to help businesses protect against click fraud, which abuses the pay-per-click advertising model.
Israeli cyber company L7 Defense has also landed $2 million as part of its efforts to secure APIs and web application firewalls (WAFs). The investment was led by Quick Heal Technologies, a data protection provider.
Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.