Texan Admits Data Center Bomb Plot

A man from Texas could be facing up to 20 years in prison after pleading guilty to plotting to blow up a data center in Virginia.

Seth Aaron Pendley, of Wichita Falls, was arrested in April after trying to purchase what he believed to be an explosive device from an undercover FBI employee in Fort Worth.

The 28-year-old admitted that he had planned to use the device to destroy servers in an Amazon-owned data center located on Smith Switch Road in Ashburn, Virginia. 

According to his plea documents, Pendley shared the details of his plot with a source via an encrypted messaging app last February. 

When the source offered to help the would-be bomber obtain C4 plastic explosives, Pendley responded with the message: “F*** yeah.”

Pendley sent the source a list of data center addresses and said he hoped a successful attack would “kill off 70% of the internet.”

Pendley then showed the source a hand-drawn map of a data center in Ashburn that included details of how he intended to enter and exit the site. The source also heard how Pendley planned to disguise his car to escape detection by law enforcement.

In March, the source introduced the unsuspecting Pendley to an undercover FBI employee posing as an explosives supplier. Pendley was recorded telling that FBI employee that he wanted to blow up Amazon web servers. 

Pendley said he thought that the servers in the data center benefited the FBI, CIA and other federal agencies. By destroying the servers, Pendley hoped to prevent the United States from being taken over by a tyrannical Marxist government.

On April 8, Pendley was arrested after meeting with the FBI employee to collect inert devices that Pendley believed to be real explosives. At his residence, cops found an AR-15 receiver with a sawed-off barrel, a pistol painted to look like a toy gun, masks, wigs, and notes and flashcards related to the planned attack.

On June 9, Pendley pleaded guilty to a malicious attempt to destroy a building with an explosive. He is due to be sentenced on October 1. 

Federal authorities said Pendley was apolitical until he lost his job and began researching politics on the internet.

New Jersey Councilor Charged with Cyber-harassment

A councilor from New Jersey has been arrested and charged with waging a campaign of cyber-harassment against a former girlfriend. 

Detectives from the Cape May County Prosecutor’s Office, with the assistance of detectives from the Middle Township Police Department, launched an investigation into the activities of 43-year-old realtor and Cape May councilman Christopher Bezaire in May 2021 after allegations of cyber-abuse were made. 

Bezaire, who is the president of the Cape May County Board of Realtors, was taken into custody on Wednesday afternoon. Law enforcement officers then executed search warrants at the realtor’s home address and at his workplace.

Law enforcement officers have not released any comments on what, if any, evidence was discovered during the searches. 

Following the investigation, Bezaire was charged with invasion of privacy in the third degree, cyber-harassment in the fourth degree, and stalking in the fourth degree. He was also charged with contempt of court in the fourth degree. 

After being notified of the charges against him, Bezaire was placed at the Cape May County Correctional Facility to await court proceedings. 

News of Bezaire’s arrest was announced on June 16 by Cape May County prosecutor Jeffrey Sutherland and Chief Paul Skill of the Cape May County Prosecutor’s Office.

According to Sutherland, individuals convicted of third-degree crimes can receive a sentence of three to five years in New Jersey State Prison. Fourth-degree crimes can carry a sentence of up to eighteen months in state prison.

The prosecutor urged anyone who has any information relating to this investigation to contact the Cape May County Prosecutor’s Office, High Technology Crimes Unit.

Allegations of harassment and stalking have been made against Bezaire on social media, with posts on Facebook and change.org under the heading “Impeach Chris Bezaire of Cape May.”

Bezaire was elected to the council in 2020. Mayor Zack Mullock told the Press of Atlantic City that the city would not take any action to remove Councilman Bezaire from office unless he is convicted.

“All parties involved are entitled to due process, and that process still has to play itself out,” said Mullock.

Colorado Passes New Privacy Act

The Centennial State has unanimously passed a new data privacy act to safeguard Coloradoans’ personal information.

On June 8, the state Senate approved the Colorado Privacy Act after a series of revisions were made. The Act is due to take effect on July 1, 2023, and now awaits the signature of state governor Jared Polis. 

Should the Act become law, Colorado will follow California and Virginia by enacting comprehensive privacy legislation.

The Act gives consumers who reside in Colorado five key rights over their personal data. Firstly, they have the right to opt out of the sale of their personal data, the processing of personal data for targeted advertising purposes, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.

They also have the right to access their personal data held by a data controller and the right to make corrections to their personal data if inaccuracies are identified.

Finally, they have the right to be provided with their data in a portable and ready-to-use format, and the right to have their personal data erased.

The new Act will apply to all data controllers operating businesses in Colorado that either process or control the personal data of 100,000 or more Colorado resident consumers in a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.

Under the new law, entities will have specific responsibilities pertaining to how they collect and process data. Consumers must be informed about why their personal data is being collected and must be notified if their data is sold or used for targeted advertising.

Data controllers must limit their data collection, only gathering the information they need to serve their stated purpose. And the data they collect must be secured to prevent unauthorized access.

Sensitive information, such as data on ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors, cannot be collected and processed unless consumers provide their consent through an opt-in process.

Google Spices Up Supply Chain Security with SLSA Framework

Google has proposed a new framework to mitigate the growing risks posed by attacks on the software supply chain.

The Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is designed to ensure the integrity of software artifacts across the entire supply chain.

It’s based on Google’s own Binary Authorization for Borg framework, which the tech giant has been using as standard for all its production workloads for over eight years.

“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats,” Google explained. “With SLSA, consumers can make informed choices about the security posture of the software they consume.”

A typical software supply chain features multiple weak points and dependencies where attackers could strike — from the source repository and control platforms to the build and package phases.

For example, the SolarWinds attackers, who managed to compromise nine US government agencies, compromised the build platform and installed an implant that injected malicious behavior during each build.

In another recent supply chain attack affecting US firm Codecov, attackers used leaked credentials to upload a malicious artifact that was not built by the company’s CI/CD system. Users unwittingly downloaded this directly from its Google Cloud Storage bucket.

SLSA would have helped prevent both by requiring more robust security controls for the SolarWinds build platform and flagging the malicious artifact to Codecov, Google claimed.

It described SLSA as a “set of incrementally adoptable security guidelines” with four levels designed to go beyond best practice approaches.

“It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step,” Google explained.

“Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today.”

Infosecurity Europe 2021 Postpones Live Event

Infosecurity Europe has announced that it is postponing the live event due to run at London Olympia in July, following the government’s delay in lifting the final COVID-19 restrictions.

Infosecurity Europe will instead deliver a virtual exhibition and conference from 13-15 July 2021, the original dates of the event. The in-person event will now be held in 2022.

The plan, before government restriction lifting was delayed, was to combine both live and online elements of Infosecurity Europe. The planned virtual program will be retained and enhanced with a rich line-up of presentations, talks and discussions including – but not limited to – keynote presentations and the technology showcase. 

The event will include a virtual exhibition. The full program will be available on the Infosecurity website shortly. 

Nicole Mills, exhibition director at Infosecurity Group, said: “Infosecurity Europe has always been the place where the cybersecurity industry’s finest minds come together to share knowledge, ideas and experiences. While we can’t yet meet in person, we’ll still be bringing the community together this July for a digital only event. We’ve run two very successful virtual conferences over the past year, and we’re ready to deliver a stimulating and insightful program of content, with plenty of opportunities to discuss, debate and discover the best ways to protect organizations and get ahead of cyber-criminals.”


All visitors, exhibitors and press who have already registered for Infosecurity Europe 2021 will be able to access the virtual event. Those that haven’t yet registered can do so here.


Novel Phishing Attack Abuses Google Drive and Docs

Enterprising cyber-criminals have found a way to create convincing phishing emails which abuse Google Docs and Drive functionality to bypass security filters, according to Avanan.

Researchers at the email security vendor claimed this is the first time such techniques have been used to piggyback on a popular service like Google’s.

The email that victims receive contains what appears to be a legitimate Google Docs link, Avanan explained in a blog post.

Clicking through takes the user to a Google Docs page hosting what appears to be a Word doc.

“This Google Docs page may look familiar to those who share Google Docs outside of their organization. This, however, isn’t that page. It’s a custom HTML page made to look like that familiar Google Docs share page,” Avanan explained.

“The attacker wants the victim to ‘Click here to download the document’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another web page made to look like the Google Login portal.”

The attack itself is fairly simple to execute. A malicious coder creates an HTML web page designed to resemble a Google Docs sharing page and uploads it to Google Drive.

Then they simply right-click to open in Google Docs, before embedding and publishing it to the web. Google does most of the hard work, including generating a link that will render the full HTML file, Avanan explained.

The vendor claimed a similar technique had been used to spoof a DocuSign document, taking the user to a fake DocuSign login page.

Using Google Docs in this way, attackers have a good chance of bypassing static link scanners that many legacy security products use, Avanan argued. An AI-based tool capable of spotting suspicious behavior should perform better.

Phishing remains the top threat vector for today’s cyber-criminals. Of the 62.6 billion cyber-threats detected by Trend Micro last year, over 91% were sent via email.

Hank Schless, senior manager of security solutions at Lookout, argued that phishing attacks like these could seriously impact corporate cybersecurity.

“Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Since most organizations use either Google Workspace or Microsoft 365 as their main productivity platform, attackers build phishing campaigns that specifically exploit those services,” he added.

“Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate.”

Carnival Confirms Another Breach Impacting Staff and Passengers

One of the world’s largest cruise ship operators has disclosed a data breach from mid-March, impacting an unspecified number of customers, employees, and crew.

Carnival Corporation runs many of the globe’s leading cruise lines, including P&O, Cunard and Carnival Cruise Line.

According to a data breach notification letter sent to customers and seen by Infosecurity, the firm detected unauthorized third-party access to a “limited number” of email accounts on March 19.

“The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing,” it continued.

“That information may include names, addresses, phone numbers, passport numbers, dates of birth, health information and in some limited instances additional personal information such as Social Security or national identification numbers.”

According to reports, the incident affected customers and employees on Carnival Cruise Line, Holland America Line and Princess Cruises.

Although Carnival claimed in the letter that there was a “low likelihood” of the data being misused, it urged recipients to review their account statements and credit history and be on guard for possible follow-on phishing attempts using the information.

The firm also offered those affected free credit monitoring and identity theft detection for 18 months. 

This isn’t the first time Carnival has suffered a security breach.

In March 2020, it revealed that the personal information of passengers and crew was obtained by a third party the previous May, impacting its Princess Cruises and Holland America Line brands.

Then in August 2020, it revealed that ransomware attackers managed to steal personal information from guests and employees of its Carnival Cruise Line, Holland America Line and Seabourn businesses.
