CISA Sees Elimination of 'Bad Practices' as Next Secure-by-Design Step by Matt Bracken
The Cybersecurity and Infrastructure Security Agency (CISA) has made significant strides in its secure-by-design initiative, gaining 230 software vendors' commitments to strengthen security features like multi-factor authentication and to reduce default passwords. By shifting security responsibilities to software creators, CISA aims to ensure products are secure from the start, preventing end-users from facing unforeseen security risks later on. CISA is now focusing on its Product Security Bad Practices publication, which highlights risky software practices such as using memory-unsafe languages and failing to address vulnerabilities, and is beginning by encouraging manufacturers to implement features that discourage disabling security settings. Public comments on the document are open until December 2.
Biden Administration Nears Completion of Second Cybersecurity Executive Order with Plethora of Agenda Items by Tim Starks
The White House is finalizing a second cybersecurity executive order that builds on President Biden’s first order and includes new focuses on AI, secure software, cloud security, identity credentialing, and post-quantum cryptography. Expected by December, this order emphasizes AI for cyber defense, transparency in software security, and updates to cloud standards following recent incidents. It also aims to modernize federal identity and access management (IAM) and address open-source cybersecurity. Experts suggest the order could serve as a valuable follow-up, especially in AI-focused cyber defense, but note the challenges of implementing further mandates without guaranteed funding.
Vishing, Mishing, Go Next-Level with Fakecall Android Malware by Elizabeth Montalbano
The so-called 'FakeCall' malware, which has evolved since 2022, now includes enhanced capabilities for monitoring and controlling Android devices, allowing attackers to carry out advanced voice and mobile phishing (vishing and mishing) attacks. By exploiting Android's Accessibility Service, FakeCall enables attackers to manipulate the user interface, intercept calls, access sensitive data, and monitor Bluetooth and screen states, all while remaining undetected and masquerading as a legitimate app. Experts emphasize the need for advanced security solutions and user awareness to defend against these sophisticated attacks, particularly as mobile devices play a critical role in business operations, making their compromise potentially disastrous.
US Charges Russian National for Developing Redline Infostealer by Christian Vasquez
The U.S. has charged Russian national Maxim Rudometov with developing RedLine, a major infostealer malware used to steal sensitive data from "millions of victim computers," according to the Justice Department. The charges, which include access device fraud, conspiracy to commit computer intrusion, and money laundering, are part of Operation Magnus, an international effort involving multiple countries that has led to the seizure of RedLine’s source code and infrastructure. Rudometov was identified through poor operational security that linked him to online aliases and personal accounts. Two other individuals were detained in Belgium, with one still in custody. Rudometov faces up to 35 years in prison if convicted.
FBI: Upcoming U.S. General Election Fuel Multiple Fraud Schemes by Bill Toulas
The FBI warns of scams exploiting the 2024 U.S. general election to steal money and personal information. Scammers impersonate candidates and political groups to solicit fake donations, sell nonexistent campaign merchandise, and trick people into providing personal information through fraudulent voter registration alerts. Common schemes include fake investment pools promising returns if a candidate wins, fraudulent PACs posing as real committees, deceptive campaign merchandise sites, and phishing voter registration alerts. Scammers also promote pump-and-dump cryptocurrency schemes using political figures. The FBI advises skepticism toward unsolicited communications, verifying political affiliations through the FEC, and reporting scams to the IC3.