Image: Tile Tile has released QR code stickers designed to help you recover your lost stuff without having to give away your exact whereabouts. Tile’s Lost and Found labels are stickers that can be attached to anything with a flat surface and can be used to reunite a lost item with its owner. The stickers circumvent the […] More

<!–> With the password re-prompt option enabled, any time anyone (including yourself) wants to view a password, that person has to type your vault master password a second time. Olemedia/Getty Images When it comes to passwords and online security in general, I tend to go a bit overboard. Why? Because I’ve watched as so many […] More

[embedded content]
An unidentified hacker has accessed the computer systems for the water treatment facility in the city of Oldsmar, Florida, and has modified chemical levels to dangerous parameters.
News of the attack was disclosed today in a press conference by city officials.

ZDNet Recommends

The intrusion took place on Friday, February 5, when the hacker accessed a computer system that was set up to allow for the remote control of water treatment operations.
The hacker first accessed this system at 8 am, in the morning, and then again for a second and more prolonged intrusion at 1:30 pm, in the afternoon.
This second intrusion lasted for about five minutes and was detected right away by an operator who was monitoring the system and saw the hacker move the mouse cursor on the screen and access software responsible for water treatment.
Hacker modified lye levels
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plant,” said Oldsmar Sheriff Bob Gualtieri.
“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase.”

Oldsmar city staff said that no tainted water was delivered to local residents as the attack was caught in time before any lye levels could be deployed.
According to Sheriff Gualtieri, the hacker disconnected as soon as they modified the lye levels, and a human operator set the chemical level back to normal right away.
Officials didn’t attribute the attack to any specific hacker group or entity. The timing of the attack is also of note as the city of Oldsmar is located near the Tampa urban center, which hosted the Super Bowl LV game on Sunday.
Not the first time
This is the second incident of its kind where a hacker has accessed a water treatment facility and modified chemical levels.
A similar incident was reported back in 2015-2016 at an unnamed water treatment facility, but investigators said the intruders didn’t seem to know what they were doing, making random changes, and investigators classified the intrusion as an accident rather than an intentional attack.
Another set of attacks took place earlier this year, but without as dire consequences. In the spring and summer of 2020, Israeli officials reported attacks against local water treatment facilities, water pumps, and agricultural irrigation systems.
Tel Aviv officials, which blamed the attacks on the Iranian government, said hackers tried to access the management panels of several types of smart water management systems and asked local organizations to change their passwords.
None of the attacks were successful, officials and local media reported at the time. More

Cyber criminals and hackers are actively taking aim at sports teams, organisations and leagues with phishing, ransomware attacks and more in attempts to scam huge sums of money.
The UK’s National Cyber Security Centre has detailed the cyber threats faced by the elite sports industry – and revealed that more than 70% of sports institutions have been the victim of some kind of attempted cyberattack or hacking incident over the past 12 months.

More on privacy

Almost a third had recorded at least five attempted attacks, which are predominantly conducted by financially motivated criminals – although the report warns there’s a chance nation states could attempt campaigns against sports organisations, particularly those that are involved with international events such as the Olympic Games.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  
The key cyberattacks that sports organisations are warned to protect themselves against are business email compromise phishing attacks, fraud, and ransomware campaigns being used to shut down critical event systems and stadiums – a quarter of malware attacks targeting sports organisations are said to have involved ransomware.

One incident includes the email account of a Premier League football club’s managing director being hacked before a transfer negotiation, which almost led to the £1m fee being stolen by cyber criminals as part of a business email compromise scheme.
The director inadvertently entered their credentials into a spoof Office365 login page that provided the attackers with their details and the ability to monitor their emails – including one about the impending transfer of a player.
Attackers used the stolen credentials to start a dialogue between the two clubs and the deal was even approved – but the payment didn’t go through because the bank identified the cyber criminals’ account as fraudulent.
Meanwhile, a ransomware attack against an English football club crippled corporate and security systems, stopping the turnstiles from working, something that stopped fans being able to get in or out of the stadium and almost led to the cancellation of the league fixture, which would have cost the club hundreds of thousands of pounds in lost income.
It’s believed that attackers got into the network via a phishing email or by remote access to the connected CCTV system. Once the hackers were in, they could spread across the network, as it was not segmented. The attackers demanded 400 bitcoin (almost £300,000) but the club didn’t pay, eventually restoring the network themselves.
Another incident detailed in the NCSC’s Cyber Threat to Sports Organisations report reveals that a member of staff at a racecourse had £15,000 stolen in a scam where attackers spoofed eBay.
The warning to sports clubs and league bodies to stay alert for cyberattacks comes at a time when many are already struggling with finances due to the impact of the coronavirus pandemic on sports fixtures, many of which have been cancelled or are being forced to be played behind closed doors. The prospect of losing more money because of a cyberattack could, therefore, be highly damaging.
“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, director of operations at the NCSC.
“I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”
SEE: Ransomware attacks jump as crooks target remote working
Almost a third of the reported incidents detailed by the NCSC paper resulted in direct financial damage at an average cost of £10,000 each time – with the biggest single loss coming in at over £4 million.
To help protect against cyberattacks, the NCSC recommends that sports organisations should implement email security controls, something that the report says “isn’t routinely applied” throughout the sector. Organisations should also ensure that staff receive cybersecurity training and that cyber-risk management is taken seriously at all levels.
And to protect against ransomware and other cyberattacks targeting infrastructure, organisations should make sure that all systems are patched with the latest security updates to stop criminals exploiting known vulnerabilities. Remote access should also be restricted where it isn’t necessary.
MORE ON CYBERSECURITY More

Leaked documents have revealed the concerns of law enforcement in how Internet of Things (IoT) technology can pose a risk to the safety of police officers. 

Smart doorbell vendors including Ring have created product lines that have transformed traditional bells and door chimes into intelligent technological solutions that provide location monitoring, real-time camera feeds, audio and visual recordings, and the ability to communicate with visitors remotely. 
For homeowners, an IoT doorbell can provide an additional layer of security at points of entry. For law enforcement, their rapid adoption provides a new stream of intelligence for criminal investigations. 
Amazon acquired Ring in 2018. In the past few years, doorbells have been donated to residents in areas including Kansas City to tackle crime (.PDF), and in total, Ring now works with over 400 US police departments.
See also: Ring to enable 2FA for all user accounts after recent hacks
The Neighborhoods initiative brings Ring doorbells together as part of a wider network that displays installations on a map — highlighting where law enforcement could request footage from residents rather than obtain warrants. 
However, nodes in this network may also be used to push back against the police, according to leaked documents. 
As reported by The Intercept, a 2019 analysis bulletin highlights how IoT footage can be used to corroborate witness statements or alibis, but in turn, smart surveillance technology can also “pose security challenges” for law enforcement. 
Namely, when police officers are considered unwanted visitors. 
“Most IoT devices contain sensors and cameras, which generate an alert or can be remotely accessed by the owner to identify activity in and around an owner’s property,” the bulletin reads. “If used during the execution of a search, potential subjects could learn of LE’s [law enforcement] presence nearby, and LE personnel could have their images captured, thereby presenting risk to their present and future safety.”
In “standoff” situations, too, IoT devices containing motion sensors could alert suspects to the position of police officers around or in a property. 
CNET: How to avoid the latest text scam about package deliveries
A 2017 case noted in the bulletin says that the FBI once visited a residential home to serve a search warrant. A Wi-Fi doorbell at the property alerted the subject of the warrant, who was at another location. The subject then contacted his neighbor and landlord regarding the FBI’s presence at his home, rather than engage directly with the police. 
The publication cites another bulletin, “Video Doorbell Devices Pose Risk to Law Enforcement in New Orleans, Louisiana as of 25 July 2017,” which noted the “subject may have been able to covertly monitor law enforcement activity while law enforcement was onthe premises.”
TechRepublic: The best developer-centric security products
Another challenge posed by IoT devices is when users pull the footage and post suspected criminal activity across social media — a trend that you can often see in local Facebook groups, for example — before an investigation is launched. This can result in false accusations and may also tip off criminals to the existence of footage before the police become involved. 
Smart doorbells can be of benefit to consumers who want to enhance their home security. However, when surveillance becomes a sales pitch, muddying the water between a consumer product, law enforcement, and criminal investigations can pose a variety of issues — not just for our personal privacy, but also as these products can be turned away from their original purpose. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More