Cyber Security Headlines: CISA reporting rules, LastPass key crack, connected cars fail on privacy

CISA close to finalizing incident reporting rules

The director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, said that the organization is finishing up its cyber incident reporting rules for critical infrastructure. Congress initially tasked CISA with implementing these rules in the 2022 spending bill. The initial mandate called for final rules to be in place within three years, but Easterly previously said the agency planned to move much faster. This comes after the US Securities and Exchange Commission adopted material breach disclosure rules back in July. 

(The Record)

Krebs on cracked LastPass keys

Security journalist Brian Krebs reports that a rash of cracked crypto wallets indicates that threat actors have begun successfully cracking stolen LastPass vaults. Back in November, LastPass disclosed a data breach involving stolen password vaults for over 25 million users. According to MetaMask's Taylor Monahan, she and fellow researchers have connected thefts from roughly 150 victims, totaling over $35 million in losses, to potentially cracked vaults. Monahan began tracking these thefts in March. These users all seemingly stored their wallets' private key “seed phrase” in LastPass. Krebs and Monahan recommend changing any important credentials that were stored in LastPass before the November breach.

(Krebs on Security)

Connected cars not great for privacy and security

A recent report on connected cars from Mozilla gave all 25 brands it reviewed a failing grade on security and privacy. Mozilla noted that the brands' privacy policies tell customers the companies can collect health and genetic information, immigration status, facial expressions, location, and in some instances sexual activity. This covers data collected from telematics systems, but also extends to mobile apps and dealership visits. Over half the brands said they can share information with law enforcement, while 76% claimed the right to sell personal data to third parties.

(Security Week)

Asus routers open to remote code execution

Asus disclosed vulnerabilities in three of its high-end consumer routers that open the door to remote code execution. The flaws are format string vulnerabilities that attackers can trigger remotely and without authentication by sending maliciously crafted input to the routers' API functions. Asus recommends turning off the routers' remote administration features to block exploitation, and has released patches for all the flaws. However, given that consumer routers often languish on stock firmware, it is unclear how quickly these updates will actually be installed.

(Bleeping Computer)
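To make the bug class concrete, here is a constructed illustration of a format string flaw reachable through an API handler, with the vulnerable handler beside its fixed form. This is an added example written for this page; it is not Asus code, says nothing about how the Asus flaws are actually triggered, and the handler names (api_log_field_vulnerable, api_log_field_fixed, contains_format_directive) and sample inputs are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin logging wrapper of the kind found in many firmware code bases.
 * It has no format attribute, so compilers will not warn when a
 * non-literal format string is passed through it. */
static int format_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable (hypothetical): the caller-controlled field IS the format
 * string, so directives such as %x, %s and %n are interpreted, which can
 * leak stack contents or write to memory. Returns the vsnprintf length. */
int api_log_field_vulnerable(char *out, size_t outlen, const char *field)
{
    return format_into(out, outlen, field);
}

/* Fixed: the field is an argument to a constant "%s" format, so it is
 * copied verbatim no matter what it contains. */
int api_log_field_fixed(char *out, size_t outlen, const char *field)
{
    return format_into(out, outlen, "%s", field);
}

/* Crude detector for input the vulnerable handler would interpret: any
 * '%' not immediately escaped as "%%". Usable as a pre-check or a log
 * scan, but not a substitute for fixing the call site. */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Length-only helpers so results can be checked without a caller buffer. */
int vulnerable_render_len(const char *field)
{
    char buf[128];
    return api_log_field_vulnerable(buf, sizeof buf, field);
}

int fixed_render_len(const char *field)
{
    char buf[128];
    return api_log_field_fixed(buf, sizeof buf, field);
}

int main(void)
{
    /* Constructed inputs. Only "%%" is rendered through the vulnerable
     * handler here, because a real %x or %n with no matching argument is
     * undefined behaviour; the difference in output is still visible. */
    const char *escaped = "progress=100%% %%x";
    const char *hostile = "user=%x%n";
    char buf[128];

    api_log_field_vulnerable(buf, sizeof buf, escaped);
    printf("vulnerable: %s\n", buf);   /* "progress=100% %x": directives consumed */
    api_log_field_fixed(buf, sizeof buf, escaped);
    printf("fixed:      %s\n", buf);   /* input echoed verbatim */
    printf("directive in \"%s\"? %d\n", escaped, contains_format_directive(escaped));
    printf("directive in \"%s\"? %d\n", hostile, contains_format_directive(hostile));
    return 0;
}
```

The fix is the only line that matters: never let attacker-reachable data occupy the format parameter. The detector is there to show what a pre-check would have to look for, and why it is weak (it knows nothing about the real call site).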

Huge thanks to our sponsor, DataBee, from Comcast Technology Solutions

Are you still using whiteboards and pivoting between tools to find out who owns what data sources and the relationships between data points?

It’s time to improve your OODA loop and enhance your security and compliance efforts with DataBee, from Comcast Technology Solutions. Learn how DataBee weaves together and enriches data from across the enterprise to provide deeper insights into your security, risk and compliance posture. Visit

UK backs down on encryption fight

Until now, drafts of the UK’s proposed Online Safety Bill required companies offering end-to-end encrypted messaging services to build in the capability to scan messages for child sexual abuse material (CSAM). Citing the technical infeasibility of this mandate, messaging platforms including Signal and WhatsApp threatened to leave the UK market. The UK had previously proposed a client-side scanning approach, in which devices would compare messages against hashes of known CSAM at the point of sending. The government will not remove the provision from the bill, but says it will not enforce it, acknowledging that the technology to do so does not yet exist.


TikTok tries to mollify Europeans with Project Clover

We’ve covered many of the moves TikTok has made in the US to assuage privacy and security concerns. Under its Project Texas initiative, it partnered with Oracle to review code and host US user data. To address similar concerns in the EU, TikTok has begun a parallel effort called Project Clover. It will use the UK-based cybersecurity firm NCC Group to review its data storage and security policies, independent of any review by the UK’s National Cyber Security Centre. As of this month, NCC Group will begin a full audit of TikTok’s data practices. Project Clover will also see TikTok store European user data across three data centers in Dublin and Norway by early 2024.

(Cybersecurity Insiders)

China weaponizing disclosed flaws

Back in 2021, China passed a law requiring any network technology business to disclose any software vulnerabilities it discovers to the Ministry of Industry and Information Technology within two days. A new report by the Atlantic Council tracks what China does with these disclosures. The data is added to the Cybersecurity Threat and Vulnerability Information Sharing Platform and disseminated to several government bodies. The report found that one of these bodies shares the information with China’s Ministry of State Security, generally understood to run many of China’s offensive hacking operations. The information also made its way to organizations orchestrating cyber attacks under China’s People’s Liberation Army. The report also found evidence that non-Chinese firms comply with the disclosure mandate, including providers of industrial control system technology.


Toyota’s defrag went very wrong

On August 29th, Toyota halted production at 12 of its 14 assembly plants in Japan, citing an unspecified system malfunction. Given that ransomware operators have particularly targeted manufacturing, it was easy to assume the worst. However, Toyota clarified that the outage occurred because it ran out of storage. During planned maintenance, it attempted to defragment a database but exhausted available storage before the job could complete, which shut down its production ordering system. So no ransomware, just an IT nightmare scenario.

(Bleeping Computer)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.