Introducing the Ransom Disclosure Act

This bicameral legislation was introduced by Senator Elizabeth Warren and Representative Deborah Ross. It would require companies and organizations to provide the U.S. Department of Homeland Security data on ransomware payments within 48 hours, including the amount paid and the type of cryptocurrency used. This would not apply to individuals. This would also require Homeland Security to set up a website to report ransom payments and to publish annual anonymized reports on payments disclosed the previous year. 

(TechCrunch)

Facebook details why it suffered a massive outage

We previously reported on the outage that impacted all of Facebook’s apps and internal services on October 4th. Now Facebook has provided more detail on why it happened. According to Facebook VP of infrastructure Santosh Janardhan, engineers were doing maintenance that involved taking down part of the backbone, so they ran a routine command to assess global capacity, meant to confirm they had only taken down what they intended. The command was apparently malformed: Facebook says it unintentionally took down all connections in Facebook’s internal backbone network, and a bug in an internal audit tool meant to catch that sort of mistake let it through. By default, Facebook’s DNS servers withdraw the BGP advertisements for a data center if that data center appears unavailable. Because all the data centers appeared to be down, DNS withdrew BGP for all of them, including the DNS servers themselves. This required Facebook’s response team to physically go to data centers to debug, which took a while because of hardening protocols meant to prevent unauthorized access. After that, Facebook brought services online slowly to prevent a traffic and power surge. 

(Facebook)
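The cascade described above can be reduced to a small decision rule, shown here as an added illustration rather than anything from Facebook’s write-up: edge DNS nodes withdraw a data center’s routes when its health probe fails, so when the probe path itself breaks, every data center looks dead and a naive policy withdraws everything, including the prefixes the DNS servers answer from. The `max_fraction` plausibility guard is an assumed mitigation chosen for this example; the page does not say what Facebook changed.

```python
"""Constructed simulation of health-probe-driven BGP withdrawal.

Data-center names, probe results and the 50% threshold are made up for the
example. `naive_withdrawals` models the behaviour the write-up describes;
`guarded_withdrawals` adds one possible sanity check.
"""
from typing import Dict, Set


def naive_withdrawals(reachable: Dict[str, bool]) -> Set[str]:
    """Withdraw routes for every data center whose probe failed.

    This is the policy that turns a broken backbone into a global outage:
    if the probes cannot reach anything, everything gets withdrawn.
    """
    return {dc for dc, ok in reachable.items() if not ok}


def guarded_withdrawals(reachable: Dict[str, bool],
                        max_fraction: float = 0.5) -> Set[str]:
    """Same policy, but refuse to act on implausible probe results.

    If more than `max_fraction` of all data centers fail at once, the far
    more likely explanation is that the monitoring path is broken, not that
    the fleet is. In that case withdraw nothing and let humans decide.
    """
    if not reachable:
        return set()
    failed = naive_withdrawals(reachable)
    if len(failed) / len(reachable) > max_fraction:
        return set()          # suspect the probe, keep routes advertised
    return failed


def dns_self_locked_out(withdrawn: Set[str], dns_home_dc: str) -> bool:
    """True if the policy withdrew the prefix its own DNS servers live in.

    That is the condition that forced on-site recovery in the write-up:
    the control plane removed its own reachability.
    """
    return dns_home_dc in withdrawn


if __name__ == "__main__":
    # Constructed scenario 1: backbone cut, every probe fails.
    all_down = {"dc-a": False, "dc-b": False, "dc-c": False, "dc-d": False}
    # Constructed scenario 2: one data center genuinely down.
    one_down = {"dc-a": False, "dc-b": True, "dc-c": True, "dc-d": True}

    for label, probes in (("backbone cut", all_down), ("single failure", one_down)):
        naive = naive_withdrawals(probes)
        guarded = guarded_withdrawals(probes)
        print(f"{label}: naive withdraws {sorted(naive)}, "
              f"guarded withdraws {sorted(guarded)}, "
              f"DNS locked out (naive)={dns_self_locked_out(naive, 'dc-a')}")
```

The point of the guard is not that the threshold is magic; it is that any automated withdrawal should distinguish "my targets are down" from "I cannot see my targets", and the second case should never be allowed to remove the control plane’s own routes.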

Twitch’s source code leaked

The Verge confirmed that a 125GB torrent posted on 4chan contains the source code of the game-streaming platform Twitch, including its commit history. The poster of the leak claimed they did so to “foster more disruption and competition in the online video streaming space.” The leak also includes three years of creator payout records, code related to proprietary SDKs and internal AWS services, and an unreleased Steam competitor from Amazon. The leak was labeled “part one,” indicating more could follow. No personal information on Twitch users appears to be included in the data. Twitch confirmed it suffered a data breach and said it’s investigating the extent of the damage. 

(The Verge)

EU parliament calls for facial recognition ban

The European Parliament approved a non-binding resolution calling for a ban on the use of facial recognition technology by law enforcement in public spaces, as well as on private facial recognition databases. The resolution also calls for a ban on using AI tools to profile potential criminals before a crime is committed. If this is non-binding, why does it matter? A recent European Commission proposal for the EU’s AI Act would similarly ban the use of remote biometric identification in public spaces, and if passed, the AI Act would have to be enacted into law by EU member countries. The passing of this resolution by the European Parliament indicates how negotiations on the AI Act are likely to go. 

(Politico)

Thanks to our episode sponsor, Votiro

Your users need to accept and open files to do their jobs. Keep them safe and productive with Votiro. With Votiro, your users can download and use any file instantly, from PDF to Autodesk CAD, with malicious code already removed—and full file usability intact. The signatureless, agentless file sanitization process happens in milliseconds without user friction. Visit Votiro.com and learn why millions of users trust Votiro to disarm billions of files each year.

Google ramps up two-step verification enrollment

Google announced it intends to auto-enroll an additional 150 million users in its two-step verification process by the end of 2021. Google said it will auto-enroll “accounts that have the proper backup mechanisms in place to make a seamless transition.” Physical security keys, as well as Android phones and the iOS Google Smart Lock app, are supported as a second step. Earlier this year Google made two-step verification the default for new Google accounts.

(Google)

US DOJ cracks down on crypto laundering

At the Aspen Cyber Summit, U.S. Deputy Attorney General Lisa Monaco announced the formation of the National Cryptocurrency Enforcement Team, meant to strengthen the department’s ability to disrupt the financial markets used by cybercriminals. The group will include anti-money laundering and cybersecurity experts. Monaco also announced the Civil Cyber-Fraud Initiative. This initiative will “use civil enforcement tools to pursue companies, those who are government contractors, who receive federal funds, when they fail to follow recommended cybersecurity standards.” The idea is to use civil penalties to emphasize to contractors that it’s more risky to be silent about a data breach than to report it. 

(Reuters)

YubiKey gets biometrics

Yubico launched YubiKey Bio, its first key to support passwordless login with biometric authentication. It will also continue to allow users to use a PIN, in case biometric authentication fails due to temperature or moisture issues. The key does not require batteries, drivers, or custom software and works across Windows, Linux, and macOS. It supports the FIDO2, WebAuthn and U2F authentication protocols. YubiKey Bio is now available in USB-A and USB-C versions for $80 and $85 respectively. This release has been a long time coming, with Yubico first teasing the Bio line at Microsoft Ignite in 2019.

(The Record)

TSA launching new cyber regulations for rail and air

Homeland Security Secretary Alejandro Mayorkas announced that the TSA will publish the new regulations later in 2021. These rules will require railroad operators and rail transit companies to “identify a cybersecurity point person” responsible for reporting incidents to CISA, and to create “contingency and recovery plans” in the event of a cyber attack, opening the terrifying possibility that they don’t actually have one in place. The aviation sector will be required to name a similar “point person” for reporting. 

(The Record)