Data Privacy Weekly: Your Industry News Series
01. Saying Goodbye to the Lock Icon: Chrome’s Refreshing Approach to Online Security
Google’s decision to retire the lock icon aims to address the common misunderstanding surrounding website safety. The new “tune” icon will provide users with additional privacy controls, offering a more comprehensive approach to online security.
Chrome 117, set to release in early September, will introduce these changes while warning users about insecure connections to non-HTTPS sites.
02. Privacy Advocates Demand Slack: Encrypt and Protect!
A coalition of tech, civil liberties, reproductive justice, and privacy advocacy groups is urging Slack to implement end-to-end encryption to protect users’ messages from government surveillance and employer monitoring. The groups argue that basic safety and privacy features are crucial, especially in the current political climate.
The campaign, led by Fight for the Future, aims to encourage messaging companies to adopt encryption following concerns about security and privacy violations. While some companies have responded to the call, Slack has been less responsive. The letter also highlights the potential risks of unauthorized access and legal repercussions for users.
03. Security Breach Shakes US Department of Transportation
The US Department of Transportation (DoT) experienced a security breach in its TRANServe system, exposing the personal information of 237,000 current and former employees. The breach occurred in systems used for administrative functions and didn’t affect transportation safety.
The DoT is investigating the incident, suspended system access, and aims to restore it securely. Coincidentally, a recent report by the US Government Accountability Office highlighted shortcomings in DoT’s cybersecurity efforts and unfulfilled recommendations, including addressing workforce issues and privacy matters. The DoT needs to improve its cybersecurity posture and implement the GAO’s recommendations to enhance agency operations.
04. Unmasking Stealthy Phishing: RPMSG Attachments Target Microsoft Credentials
Attackers are exploiting encrypted RPMSG attachments sent through compromised Microsoft 365 accounts for targeted phishing attacks, using fake login forms to steal Microsoft credentials.
The phishing emails redirect recipients to legitimate Microsoft services, then to a fake SharePoint document hosted on Adobe’s InDesign service, collecting system information and login details.
Detecting and countering this low-volume, targeted attacks are challenging, and educating users and enabling Multi-Factor Authentication (MFA) are recommended for mitigation.
05. China-Based Group Infiltrates Critical US Infrastructure Undetected
A China-based group called Volt Typhoon has infiltrated critical infrastructure organizations in the US and Guam undetected, according to Microsoft and the “Five Eyes” nations. The group focuses on espionage and information gathering, hiding its activities within infected machines, and using compromised network equipment.
Its main targets are communication, manufacturing, utility, transportation, and government sectors. Microsoft warns of potential disruptions to US-Asia communications infrastructure during crises. The group uses stealthy techniques, relying on legitimate tools and stolen credentials to avoid detection. Chinese hackers have also targeted Kenya’s government to gather information on debt owed to Beijing.
