The EU bans anonymous cryptocurrency payments. Russian cyber spies are going after German political parties. The US will undertake a privacy review of its 10 biggest airlines. And Apple chips leak secret keys in a new side-channel attack. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird.
Today is the 25th of March and this podcast episode is brought to you by Sublime Security, an email security platform that's not a black box.
In today's top story, the EU Parliament has passed new anti-money laundering legislation that bans anonymous cryptocurrency payments. The legislation applies to payments made through online service providers, also known as hosted wallets. It also applies to platforms that exchange crypto for regular fiat currency. It does not apply to owners of hardware or self-hosted wallets. The anonymous crypto payments ban is part of a new anti-money laundering package that also bans anonymous cash payments over €3,000 and any cash payments, anonymous or not, over €10,000.
In other news, the US Department of Transportation will undertake a privacy review of the country's 10 largest airlines. Officials will analyse how airlines collect, handle and use passengers' personal data. The DOT seeks to find out if airlines are protecting user data and assess sales of data to third parties.
The UK's Privacy Watchdog has published the guidance the agency will use when determining fines for privacy violations and security breaches. The ICO has promised reduced fines for companies that report breaches and collaborate with the UK's Cyber Security Agency. The fine reduction will vary based on each company's cooperation and engagement level. Companies that benefit financially from their rule-breaking should expect higher fines.
Russian hackers linked to the country's intelligence services are targeting German political parties. The attacks have been carried out by APT29, one of the cyber units inside Russia's SVR, Foreign Intelligence Service. Mandiant says this is the first time APT29 has targeted political parties. The campaign comes as political tensions rise surrounding Germany's support for Ukraine.
A team of academics has discovered a side-channel attack that can extract secret keys from Apple CPUs. The attack is named GoFetch and can leak data from a CPU's data memory-dependent prefetchers. GoFetch attacks affect all Apple M chips. It's a micro-architectural issue and can't be easily fixed via a software update. GoFetch defenses can be added inside third-party software, but they are known to degrade performance.
Thank you.
Wired reports that despite the vendor's effort, only a third of all locks were patched.
Danish authorities have sentenced a 53-year-old man to 18 months in prison for fraud and copyright infringement. Officials say the man uploaded both original and stolen songs to Spotify and Apple Music accounts. He then used bot accounts to generate billions of plays and collect royalties. According to Wired, the man's fraud helped him become the 46th highest earning musician in Denmark.
A South Korean judge has ordered the Korea Credit Bureau to pay $46 million in damages to the KB Kookmin card company over a 2013 security breach. The court found the Korea Credit Bureau was at fault for placing a new employee in a position that had access to KB's customer data. The employee later stole the personal data of 53 million KB customers and sold it to an advertiser and loan agency.
Spanish airline Air Europa says that hackers might have stolen customer data in a security breach last year. The airline sent a letter to customers announcing that it got breached in October of last year. The company says hackers may have stolen data such as passport details, ID cards, phone and email addresses.
Blockchain game Super Sushi Samurai has recovered $4.6 million worth of tokens that were stolen in an incident last week. The company says the hack was the work of a security researcher who exploited a bug in its code to move the funds and prevent a future theft. Super Sushi Samurai described the incident as a white hat rescue and ended up hiring the white hat as a technical advisor.
A threat actor has stolen $1.8 million worth of assets from the Dolomite cryptocurrency exchange. The incident took place on the 20th of March. The hacker exploited a vulnerability in one of the platform's 2019 smart contracts. Users who still had the contract allowlisted lost funds from their wallets.
A European cloud trade consortium has urged regulators and courts to investigate Broadcom over its new VMware licensing tactics. CISPE says Broadcom unilaterally cancelled all VMware licences following its acquisition of the company last year. Broadcom has since hiked prices for some licences as much as 12 times. CISPE warns that several EU cloud providers are in danger of going bankrupt as a result. The organisation claims Broadcom should be classed a gatekeeper under the terms of the EU's new Digital Markets Act.
The United Nations General Assembly has adopted a resolution on artificial intelligence. UN officials have called on tech companies to develop safe and reliable AI systems that comply with international human rights. Systems that don't comply should be taken offline. Officials said the same rights that apply offline should also be protected online.
And finally, security researcher Manfred Paul has won the Pwn2Own hacking contest after hacking all four major browsers. Paul found exploits in Chrome, Edge, Firefox and Safari. Mozilla patched the Firefox exploit within hours of it being demoed at the contest. Security researchers successfully demoed 29 zero days during the contest and took home $1.1 million in prize money.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Sublime Security. Find them at sublime.security. Thanks for your company.