CISA close to finalizing incident reporting rules
The director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, said that the organization is finishing up its cyber incident reporting rules for critical infrastructure. Congress initially tasked CISA with implementing these rules in the 2022 spending bill. The initial mandate called for final rules to be in place within three years, but Easterly previously said the agency planned to move much faster. This comes after the US Securities and Exchange Commission adopted material breach disclosure rules back in July.
Krebs on cracked LastPass keys
Security journalist Brian Krebs reports that a rash of cracked crypto wallets indicates that threat actors have begun successfully cracking stolen LastPass vaults. Back in November, LastPass disclosed a data breach involving stolen password vaults for over 25 million users. According to MetaMask CEO Taylor Monahan, their researchers connected thefts targeting 150 users to potentially cracked vaults, with over $35 million in losses. Monahan began tracking these thefts in March. These users all seemingly stored their private key “seed phrase” in LastPass. Krebs and Monahan recommend changing any important credentials stored in LastPass since November.
Connected cars not great for privacy and security
A recent report on connected cars from Mozilla gave all 25 major brands in the report a failing grade on security and privacy. Mozilla noted that the privacy policies for these cars inform customers that the companies can collect health and genetic information, immigration status, facial expressions, location, and in some instances sexual activity. This includes data collected from telematics systems, but also extends to mobile apps and dealership visits. Over half the brands said they can share information with law enforcement, while 76% gave themselves the right to sell personal data to third parties.
Asus routers open to remote code execution
Asus disclosed vulnerabilities in three of its high-end consumer routers that open the door to remote code execution. Attackers can exploit these format string vulnerabilities remotely and without authentication using maliciously crafted inputs targeting API functions. Asus recommends turning off the remote admin features on the routers to prevent exploitation. The company released patches for all the flaws. However, given that routers often languish on stock firmware, it’s unclear how quickly these updates will be applied.
Huge thanks to our sponsor, DataBee, from Comcast Technology Solutions
UK backs down on encryption fight
Up until now, drafts of the UK’s proposed Online Safety Bill required companies offering end-to-end encrypted messaging services to include the capability to scan messages for signs of child sexual abuse material. Due to the technical infeasibility of this mandate, messaging platforms like Signal and WhatsApp threatened to leave the market. The UK previously proposed a client-side scanning approach, having devices scan against hashes of known CSAM at the point of sending. The UK government will not remove the provision from the bill, but says it will not enforce it, stating that the technology to do so does not yet exist.
TikTok tries to mollify Europeans with Project Clover
We’ve covered many of the moves TikTok made in the US to assuage privacy and security concerns. Under its Project Texas initiative, it partnered with Oracle to review code and host US data. To address similar concerns in the EU, TikTok began a similar Project Clover. This will utilize the UK-based cybersecurity firm NCC to review its data storage and security policies, independent of reviews by the UK’s National Cyber Security Council. As of this month, NCC will begin a full audit of TikTok’s data practices. Project Clover will also see TikTok store European user data across three data centers in Dublin and Norway by early 2024.
China weaponizing disclosed flaws
Back in 2021, China passed a law requiring any network technology business to disclose any discovered software vulnerabilities to the Ministry of Industry and Information Technology within two days. Now a new report by the Atlantic Council tracks how China uses these vulnerabilities. The data is added to the Cybersecurity Threat and Vulnerability Information Sharing Platform and disseminated to several government bodies. The report found that one of these bodies shared this information with China’s Ministry of State Security, generally understood to operate many of China’s offensive hacking operations. The information also made its way to organizations orchestrating cyber attacks under China’s People’s Liberation Army. The report found evidence that non-Chinese firms comply with the disclosure mandate, including those providing industrial control system technology.
Toyota’s defrag went very wrong
On August 29th, Toyota halted production at 12 of its 14 assembly plants in Japan, citing an undefined system malfunction. Given that we’ve seen ransomware operators particularly target manufacturing, it was easy to assume the worst. However, Toyota clarified that the outage occurred because it ran out of storage. During planned maintenance, it attempted to defragment a database but ran out of storage before the job could complete, resulting in a shutdown of its production ordering system. So no ransomware, just an IT nightmare scenario.