Friday Five 11/6
New privacy laws, botnet schemes, and Bitcoin seizures - catch up on all the week's infosec news with the Friday Five!
1. One Clear Message From Voters This Election? More Privacy by Sidney Fussell
On election night, voters in Michigan and California approved new privacy laws. California’s Prop 24 extends provisions of a 2018 privacy law, the California Consumer Privacy Act, and Michigan Prop 2 codifies the requirement that police seek warrants before seizing electronic data. Though privacy is a bipartisan issue, the political lines drawn on specific legislation can be unconventional; for example, the ACLU opposed the California proposition while police chiefs supported the Michigan initiative. The updates included in California’s Prop 24 are intended to improve upon 2018’s CCPA so that it more closely matches Europe’s GDPR. One such improvement is removing the loophole that allowed companies to sell data by claiming that they’re only sharing data. Though there will certainly be issues in the future, both laws, especially Prop 24, are moves in the right direction for protecting the data of individuals.
2. Why Paying to Delete Stolen Data is Bonkers by Brian Krebs
New research from Coveware shows that there is little merit in paying ransom groups to delete stolen data. The study found that when companies paid to have their stolen data deleted (along with the data being returned), there were numerous cases where some or all of the stolen data was still released. The tactic of threatening to release data became more frequent after companies got better at maintaining backups, thus making the threat of just returning data less significant. The essential problem with paying to delete data is that it’s hard to verify that the stolen data has actually been erased, which raises the concern that the ransom gang can come back multiple times for more money. According to the research, the solution is to not pay the ransom, but instead, hire private attorneys, perform an audit to see what data was stolen, and notify affected customers.
3. $100 million botnet scheme earns Russian man 8 years in prison by Tim Starks
A Russian national was sentenced to eight years in prison for his role in stealing personal and financial information through a botnet conspiracy. Aleksandr Brovko’s role was to write software scripts that scanned botnet logs and conducted searches to extract valuable personal information and banking credentials. Prosecutors allege that Brovko gained access to more than 200,000 “unauthorized access devices,” which include credit cards, mobile identification numbers, and any other device that can be used to transfer funds. In a previous indictment, prosecutors also alleged that Brovko had discussed accessing two major US banks on an elite online forum designed for information sharing between cybercriminals. Botnets and the damage they can cause continue to be a problem, and prosecutors hope that the sentencing will serve as a warning to other botnet operators.
4. Cybersecurity threats to corporate America are present now 'more than ever,' SEC chair says by Kevin Stankiewicz and Bob Pisani
The chairman of the SEC, Jay Clayton, warned corporate America that they need to be more vigilant around cybersecurity. In recent months, the SEC has issued warnings about the increase in ransomware and credential stuffing. The financial industry is especially worried about potential disruption that could come from a DDoS attack, as evidenced by the temporary shutdown of the New Zealand Stock Exchange a few months ago. Clayton stressed the importance of cyber hygiene, which for individuals means two-factor authentication and strong passwords. It’s also important to stay up to date with software patches. Though the pandemic has led to other stresses that might distract from cybersecurity preparedness, the threats to cybersecurity have not gone away, but in fact, have increased, and our preparedness must reflect that reality.
5. US govt behind $1 billion Bitcoin transfer of Silk Road funds by Ax Sharma
This week, the DOJ seized one billion dollars’ worth of Bitcoin from a Bitcoin wallet that had ties to both hackers and the notorious darknet marketplace the Silk Road (which was shut down in October 2013). The operation is the largest Bitcoin seizure in DOJ’s history. The money answers a long-standing question of what happened to all of the ill-gotten gains that disappeared after the founder of the Silk Road was successfully prosecuted in 2015. Apparently, the money seized from the Bitcoin wallet 1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx is that money. Part of the reason it was so hard to track is that the hackers were running Bitcoin transactions through a "tumbler" that made it difficult to track via the otherwise public blockchain ledger. The United States now has to provide evidence that justifies its actions for the seizure of the Bitcoin to be finalized.