Friday Five: 11/2 Edition
The DOJ charges Chinese intel officers over IP theft, how to secure elections, and password security best practices - catch up on the week's infosec news with this roundup!
1. US government accuses Chinese hackers of stealing jet engine IP by Imad Khan
It took a couple of years but the Department of Justice finally formally charged a handful of Chinese individuals for hacking into companies in an attempt to steal intellectual property. The individuals, two of whom were Chinese intelligence officers, were after American IP, specifically data on the type of turbofan jet engines used in commercial airliners. In attacks spanning five years, from 2010 to 2015, hackers used spear phishing, malware, and “watering hole” attacks to infiltrate unnamed companies located in Arizona, Massachusetts and Oregon. Also this week, as is to be expected, the DOJ's Criminal Division came out in strong support of the AG's efforts to counter Chinese cyberespionage operations.
"To counter these efforts and complement the work of the National Security Division, prosecutors in the Criminal Division work collaboratively every day with U.S. Attorneys’ Offices (USAOs) around the country to bring charges against Chinese companies and individuals for the theft of trade secrets. Today, we are announcing a commitment to redouble our efforts, Brian A. Benczkowski, the division's Assistant Attorney General said Thursday.
2. Canada's Mandatory Breach Notification Rules Now in Effect by Mathew J. Schwartz
We've mentioned this news before in this space but it bears repeating as we're into November and the law now applies: As of yesterday, November 1, private sector organizations in Canada need to report serious data breaches to The Office of the Privacy Commissioner. As BankInfoSecurity points out, the law - the Personal Information Protection and Electronic Documents Act, or PIPEDA - says orgs need to inform the government watchdog if it experiences a breach that poses "a real risk of significant harm," essentially anything trhat could lead to identity theft, a damaged credit score, loss of property, or financial loss. While the requirements are no doubt a good thing not everyone is completely on board: Canada's privacy commissioner called the requirements "imperfect but a step in the right direction" this week, adding that he fears his office's work will be superficial going forward.
3. How to make elections secure in the age of digital operatives by Annalee Newitz
With the midterms only days away, not weeks or months, there's little left we can do to harden voting machines from being hacked. That doesn't mean securing them in the long run is futile however. Ars Technica had a story (and video!) this week where they sit down with Facebook's former CSO, Alex Stamos, to dig into how to best secure democracy. Facebook of course, was a breeding ground for Russian disinformation operatives leading up to the 2016 election so Stamos has some insight on the topic. If you want his complete take watch the video but Stamos ideally imagines a future in which
4. Why don’t we follow password security best practices? By Emily Cain
We’d admittedly never heard of Increment, a digital magazine of sorts, until a friend recommended this essay published there this week. It's an excellent deep dive around password behavior/habits, including how many of us (unfortunately) write passwords down and reuse them. Failing that, we use twists on the same password, different combinations of the same phrase, like adding a 1 or an exclamation point to the end of a word. We're all guilty of it. There's a couple different takeaways from the piece - yes, you should get a password manager - but it's more than that. When it comes to passwords, technologists and software companies should be understanding of users and make it as easy as possible to facilitate password changes.
5. Pervasive Emotet Botnet Now Steals Emails by Kelly Jackson Higgins
The Emotet botnet just keeps evolving. The malware, which spreads through spam emails, among other vectors, can now outright steal email. Per DarkReading's Kelly Jackson Higgins, the botnet boasts a new module that's responsible for infecting 40,000 and 50,000 machines across 170 countries. The Department of Homeland Security called the Trojan "among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors," in July. Those infections have apparently cost victims $1 million per incident to remediate.