White House Launches Cybersecurity Label Program for Consumers
Article Link: https://cyberscoop.com/us-cyber-trust-mark-launches-white-house-nist/
- The White House has unveiled the U.S. Cyber Trust Mark, a new initiative designed to guide consumers toward safer internet-connected devices.
- This program, similar to the Energy Star label for energy efficiency, will display a shield logo on certified products. Devices that meet rigorous security standards set by the National Institute of Standards and Technology (NIST) will qualify for the label.
- According to the 2023 Deloitte Connected Consumer Study, which surveyed 2,018 U.S. consumers, the average household uses 21 connected devices, creating vulnerabilities to cyber threats. The Cyber Trust Mark aims to reduce these risks by incentivizing manufacturers to prioritize security during development.
- Retail giants, like Best Buy and Amazon, are already supporting the initiative, and starting in 2027, federal agencies will only purchase devices carrying the label. For consumers, this program offers an easy way to choose devices designed with security in mind.
- 2023 Deloitte Study: https://www2.deloitte.com/us/en/insights/industry/telecommunications/connectivity-mobile-trends-survey.html
Thousands of Credit Cards Stolen in Green Bay Packers Store Breach
Article Link: https://www.bleepingcomputer.com/news/security/thousands-of-credit-cards-stolen-in-green-bay-packers-store-breach/
- The Green Bay Packers’ official online store, Packers Pro Shop, has fallen victim to a data breach, exposing credit card information of over 8,500 customers.
- Hackers planted malicious code on the store’s checkout page, allowing them to steal customers’ personal and payment details during purchases.
- The breach has left thousands at risk of identity theft and financial fraud, raising serious questions about the security of e-commerce platforms.
- Affected customers are urged to review their financial statements for any suspicious activity and consider replacing compromised cards. Meanwhile, the Packers have removed the malicious code and are ramping up security efforts to prevent future breaches.
New DoubleClickjacking Attack Bypasses Existing Security Measures
Article Link: https://latesthackingnews.com/2025/01/07/new-doubleclickjacking-attack-bypasses-existing-security-measures/
- A newly identified cyberthreat known as “DoubleClickjacking” is sparking concerns across the tech industry, as attackers find ways to bypass anti-clickjacking protections and compromise user security.
- This sophisticated method exploits the tiny interval between a user’s double-clicks, manipulating the on-screen content mid-action to hijack the second click. Hackers can then perform malicious acts, such as gaining unauthorized access to accounts or bypassing critical security authentication.
- DoubleClickjacking poses a significant risk to websites, browser extensions, and mobile apps, as it evades most existing defenses, leaving countless platforms vulnerable to exploitation.
- Experts are advising developers to apply stronger protections, including client-side tools that block clicks on sensitive buttons until deliberate user interaction is observed, and iframe-based techniques to guard against these attacks.
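As an added illustration of the client-side protection the article recommends (this is example code written for this digest, not code from the article or from any named researcher), the guard below keeps a sensitive control disabled until the page has seen a trusted pointer movement or key press and a minimum dwell time has passed since the control appeared. The dwell threshold, the event types, the `#confirm` selector and the timelines fed to `simulate()` are assumptions constructed for the example; the decision logic is kept free of the DOM so it runs under Node as well as in a browser.

```javascript
// Added example: a defender-side guard for sensitive buttons.
// A click is honoured only when (a) the control has been visible for at least
// minDwellMs and (b) a trusted pointermove/keydown arrived after it was shown.
// A click that lands on a control that appeared a few milliseconds earlier,
// with no intervening user movement, fails both checks and is dropped.

const DEFAULT_MIN_DWELL_MS = 500; // assumed threshold; tune per application

function createSensitiveActionGuard({ minDwellMs = DEFAULT_MIN_DWELL_MS } = {}) {
  const state = { shownAt: null, lastIntentAt: null, allowed: 0, blocked: 0 };
  return {
    minDwellMs,
    // Call when the sensitive control becomes visible (page load, dialog open).
    shown(now) { state.shownAt = now; state.lastIntentAt = null; },
    // Call on a trusted 'pointermove' or 'keydown' event.
    userIntent(now) { state.lastIntentAt = now; },
    // True once both the dwell-time and the user-intent conditions hold.
    isArmed(now) {
      return state.shownAt !== null
        && now - state.shownAt >= minDwellMs
        && state.lastIntentAt !== null
        && state.lastIntentAt >= state.shownAt;
    },
    // Decide whether a click at time `now` should reach the real handler.
    shouldAllowClick(now) {
      const ok = this.isArmed(now);
      if (ok) state.allowed += 1; else state.blocked += 1;
      return ok;
    },
    stats() { return { allowed: state.allowed, blocked: state.blocked }; },
  };
}

// Browser wiring: disable the button until the guard arms, and intercept
// clicks in the capture phase so a blocked click never reaches the action.
function attachGuardToButton(button, guard, now = () => performance.now()) {
  button.disabled = true;
  guard.shown(now());
  const refresh = () => { button.disabled = !guard.isArmed(now()); };
  const onIntent = (ev) => { if (ev.isTrusted) { guard.userIntent(now()); refresh(); } };
  document.addEventListener('pointermove', onIntent);
  document.addEventListener('keydown', onIntent);
  setTimeout(refresh, guard.minDwellMs); // re-check once the dwell time elapses
  button.addEventListener('click', (ev) => {
    if (!guard.shouldAllowClick(now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
}

// Replay a constructed timeline of [ms, eventType] pairs through the guard
// and return the verdict for each click, in order.
function simulate(events, opts) {
  const guard = createSensitiveActionGuard(opts);
  const verdicts = [];
  for (const [t, type] of events) {
    if (type === 'shown') guard.shown(t);
    else if (type === 'pointermove' || type === 'keydown') guard.userIntent(t);
    else if (type === 'click') verdicts.push(guard.shouldAllowClick(t));
  }
  return verdicts;
}

// Constructed timelines (not real telemetry), times in ms since page load.
const NORMAL_SESSION = [[0, 'shown'], [300, 'pointermove'], [900, 'pointermove'], [1200, 'click']];
const ABRUPT_SESSION = [[0, 'shown'], [40, 'click']];                   // no intent, no dwell
const TOO_FAST_SESSION = [[0, 'shown'], [100, 'pointermove'], [200, 'click']]; // intent, no dwell
const STALE_INTENT_SESSION = [[0, 'pointermove'], [100, 'shown'], [800, 'click']]; // intent predates control

if (typeof document !== 'undefined') {
  // Assumed markup: a sensitive button with id "confirm".
  const btn = document.querySelector('#confirm');
  if (btn) attachGuardToButton(btn, createSensitiveActionGuard());
} else {
  console.log('normal:', simulate(NORMAL_SESSION));
  console.log('abrupt:', simulate(ABRUPT_SESSION));
  console.log('too fast:', simulate(TOO_FAST_SESSION));
  console.log('stale intent:', simulate(STALE_INTENT_SESSION));
}
```

The guard deliberately reasons only about timing and trusted input on the defender's own page; it does not try to detect the overlay itself, which is what makes it robust to the variations the article says evade frame-based defenses. Pair it with the usual frame-ancestors / X-Frame-Options protections rather than replacing them.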
Casio Admits Security Failings as Attackers Leak Employee and Customer Data
Article Link: https://www.infosecurity-magazine.com/news/casio-failings-attackers-leak-data/
- Japanese electronics powerhouse Casio has confirmed a ransomware attack that resulted in the leak of personal and business data belonging to employees, business partners, and customers, turning a trusted brand into the latest target of cybercriminals.
- The Underground ransomware group is believed to be behind the attack, revealing internal business details such as invoices, partner contacts, and meeting documents, including information on over 6,400 employees and 1,900 business partners. Even delivery information for 91 customers in Japan didn’t escape their grasp.
- Experts recommend keeping a sharp eye on personal accounts, steering clear of suspicious emails, and double-checking dodgy requests for credentials.
- Casio is standing firm, refusing to pay the ransom, and is working with top information security specialists to tighten its defenses. Authorities are involved, and those impacted are being contacted.
Researcher Turns Insecure License Plate Cameras into Open-Source Surveillance Tool
- Security researcher Matt Brown has uncovered a critical vulnerability in Motorola Reaper HD license plate cameras, which were misconfigured to stream live video and plate data to the open internet without requiring authentication.
- These misconfigurations leave sensitive surveillance footage and license plate data exposed, creating substantial privacy risks and raising the possibility of unauthorized tracking of individuals’ movements.
- The revelation of unsecured license plate cameras draws attention to the broader dangers of poorly configured surveillance tools, raising privacy alarms over data security and the potential for exploitation by malicious actors.
- Motorola Solutions has announced it is developing a firmware update to address the issue. In the interim, administrators are strongly encouraged to review these devices and enforce stricter protocols to prevent further unauthorized access.
The Fundamental Components to Achieving Shift-Left Success
Article Link: https://www.cyberdefensemagazine.com/the-fundamental-components-to-achieving-shift-left-success/
- Shift-left security is reshaping software development by embedding protection early in the Software Development Life Cycle, reducing vulnerabilities and minimizing costs associated with late-stage fixes.
- The ‘shift-left’ strategy matures software security through four phases: starting with basic compliance, moving to early developer-security collaboration, advancing to shared responsibility for resolving issues, and achieving continuous, built-in protection throughout the software lifecycle.
- Experts warn that delaying security integration can lead to exploitable vulnerabilities and costly after-market solutions and strongly stress the importance of moving security to the start of development.
- Software development leaders encourage companies to cultivate a secure coding mindset, leverage cutting-edge tools, and optimize workflows to progress through these maturity stages and achieve strong, end-to-end application security.
PowerSchool Hack Exposes Student, Teacher Data From K-12 Districts
Article Link: https://www.bleepingcomputer.com/news/security/powerschool-hack-exposes-student-teacher-data-from-k-12-districts/
- In a major cyberattack targeting the education sector, PowerSchool, a leading provider of education software, has been breached, exposing sensitive information belonging to students and teachers from multiple K-12 school districts.
- Hackers gained access to personal details, including names, addresses, and academic records, leading to heightened fears about identity theft and phishing schemes. This incident calls attention to the security weaknesses in systems trusted to protect educational data.
- PowerSchool is collaborating with information security experts to investigate the attack and reinforce its protections. Impacted school districts are being notified, and individuals are urged to monitor their accounts and take necessary precautions.
WH National Cyber Director Finalizing Software Liability Proposals
Article Link: https://federalnewsnetwork.com/cybersecurity/2025/01/wh-national-cyber-director-finalizing-software-liability-proposals/
- Taking a decisive step, the White House’s Office of the National Cyber Director is finalizing a landmark proposal to hold software producers accountable for insecure products. This shift would transfer liability from end-users to developers, making them responsible for the security of their creations.
- The initiative aims to encourage companies to integrate security throughout the development process, addressing vulnerabilities early and improving overall digital safety. Experts predict this could reshape the software industry, providing stronger protection for users while redefining how cyber risks are managed.
- Software producers are being called upon to adopt secure-by-design principles and conduct thorough security assessments at every development stage, aligning with these anticipated regulations.
- For consumers, this could mean fewer data breaches and a greater sense of trust in the software they use daily. However, the proposal stops short of detailing specific benefits, leaving questions about how much end-users will truly feel the impact.
EU Court Fines European Commission for Breaching Its Own Data Privacy Laws
Article Link: https://techcrunch.com/2025/01/08/eu-court-fines-european-commission-for-breaching-its-own-data-privacy-laws/
- In an unprecedented decision, the European Union’s General Court has fined the European Commission €400 (around $410) for violating its own data protection laws. The breach occurred when the personal data of a German citizen, including their IP address, was unlawfully transferred to Meta Platforms in the U.S. via the “Sign in with Facebook” feature on an EU login page.
- The ruling casts doubt on the accountability of organizations responsible for enforcing privacy rules and their ability to effectively safeguard personal information. Privacy advocates point to this case as a reminder that all entities, regardless of authority, must respect data protection standards.
- The fine is intended to send a clear message that even EU institutions must strictly adhere to data privacy regulations. The European Commission has stated it will review its data handling practices to prevent similar incidents in the future.
