Friday Five: 2/23 Edition
Cryptojacking, data breach disclosure laws, and phishing -- catch up on the week's infosec news with this roundup!
1. Tesla Hackers Hijacked Amazon Cloud Account to Mine Cryptocurrency by Robert Hackett
If you follow this space regularly you know that cryptocurrency mining (or cryptojacking) scams have become a bit like Netflix shows: there are almost too many to keep track of. This week's, though, has a few twists. Attackers targeted Elon Musk's multi-billion dollar Tesla car company, no small target, by way of an Amazon cloud account belonging to the company. Once they had access, they ran mining scripts on Tesla's cloud compute, earning money from processing power the company was paying for, without its consent. The hack exposed Tesla telemetry, mapping, and vehicle servicing data in the process. News of the cryptojacking scam came the same week that researchers said they had uncovered a $3 million cryptocurrency mining scam in which attackers mined 10,829 Monero coins over the course of 18 months.
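Miners running on hijacked cloud compute have to talk to a pool, and most of them do it over the Stratum JSON-RPC protocol, which is one of the cheapest things for a defender to look for. The following is an added example, not code from the original article or from any of the incidents it describes, showing how a simple detector might flag Stratum traffic in captured flow records. The sample flows are constructed for illustration (the wallet, agent string and IP addresses are placeholders), and the list of "common pool ports" is an assumption you would tune to your own environment rather than an authoritative list.

```python
"""Flag likely cryptomining traffic in captured flow records.

Two signals are combined: the Stratum v1 method names used by Bitcoin-style
miners ("mining.subscribe" etc.) and the JSON-RPC "login" handshake used by
XMRig-style Monero miners, plus a weaker fallback on destination port.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample traffic: (src_ip, dst_ip, dst_port, first payload bytes).
# These records are illustrative only; they are not from any real incident.
SAMPLE_FLOWS: List[Tuple[str, str, int, bytes]] = [
    ("10.0.1.5", "203.0.113.10", 443,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.1.7", "198.51.100.23", 3333,
     b'{"id":1,"method":"mining.subscribe","params":["cgminer/4.9"]}\n'),
    ("10.0.1.9", "198.51.100.77", 443,
     b'{"id":1,"jsonrpc":"2.0","method":"login",'
     b'"params":{"login":"4PLACEHOLDERWALLET","pass":"x","agent":"XMRig/5.11.1"}}\n'),
    ("10.0.1.11", "203.0.113.44", 8080,
     b'{"id":7,"method":"login","params":{"user":"alice"}}\n'),
]

# Stratum v1 method names (Bitcoin-style pools).
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# Assumption: ports frequently used by public pools. Tune for your environment.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def stratum_method(payload: bytes) -> Optional[str]:
    """Return a label if the payload looks like a Stratum handshake, else None."""
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None          # binary, TLS, or plain HTTP: not Stratum
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_V1_METHODS:
        return method
    params = msg.get("params")
    # XMRig-style login carries the wallet in "login" and a miner "agent" string;
    # a generic application "login" RPC usually has neither.
    if method == "login" and isinstance(params, dict) \
            and {"login", "agent"}.issubset(params):
        return "xmrig-login"
    return None


def scan(flows: Sequence[Tuple[str, str, int, bytes]]) -> List[Finding]:
    """Classify each flow; payload evidence outranks the port heuristic."""
    findings: List[Finding] = []
    for src, dst, dport, payload in flows:
        method = stratum_method(payload)
        if method:
            findings.append(Finding(src, dst, dport, f"stratum:{method}"))
        elif dport in POOL_PORTS:
            findings.append(Finding(src, dst, dport, "pool-port"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Of the four constructed flows, the detector flags two: the Stratum v1 subscribe on port 3333 and the XMRig login that is deliberately sent over port 443, which a port-only rule would miss. The generic "login" RPC on port 8080 is correctly ignored. The caveat is that payload inspection only works on cleartext; a pool connection wrapped in TLS leaves you with destination reputation and sustained CPU usage as your signals.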
2. Colorado Proposes Requiring Data Breaches to be Reported in 30 Days by Jessica Davis
States are beginning to lay the groundwork for legislation designed to enhance protections for residents following a data breach. Spurred by last year's Equifax breach, one such bill, introduced in Colorado in January, passed the state's House Committee on State, Veterans and Military Affairs last week. The bill, which would essentially mandate that organizations report breaches within 30 days, tightens the laws currently on the books there. As HealthcareITNews noted this week, if the Colorado bill passes, the state would join Florida in having the strictest laws in place around data breach reporting. Governor Rick Scott signed Florida's legislation, the Florida Information Protection Act, into law what seems like eons ago, in 2014.
Image of Colorado State Capitol via F Delventhal's Flickr photostream, Creative Commons
3. Higher Ed Users Are Less Susceptible to Phishing Scams by Meghan Bogardus Cortez
Universities appear to be doing better than most other industries at one thing: educating users about phishing attacks. According to a study released this week by Wombat Security Technologies, only 10 percent of simulated phishing emails sent to users at educational institutions were clicked. That beats the click rates in a slew of other industries, including technology, entertainment, hospitality, government, consumer goods, retail and telecommunications. The company says the report draws on data from tens of millions of simulated phishing emails sent over a 12-month period.
4. Supreme Court Denies CareFirst’s Petition to Review Data Breach Case by Evan Sweeney
We'll have to wait a little bit longer for the first case involving a data breach to reach the Supreme Court. As FierceHealthcare's Evan Sweeney reported this week, the court on Tuesday denied a petition filed by CareFirst, the largest health care insurer in the Mid-Atlantic region, asking it to review Attias v. CareFirst, a case stemming from a 2014 data breach that exposed 1.1 million records. The crux of the case, as The National Law Review points out, is "whether fear of identity theft flowing from a data breach is an 'injury in fact' sufficient to trigger Article III standing."
5. North Korean Reaper APT Uses Zero-day Vulnerabilities to Spy on Governments by Charlie Osborne
Those patiently waiting for a deep dive on the hacking group behind this month's Adobe Flash zero day got their wish this week when FireEye published a nine-page report on the advanced persistent threat (APT) group, a collective it tracks as APT37 and calls "Reaper," a.k.a. ScarCruft, a.k.a. Group 123. According to researchers the group mostly targets South Korea but has also set its sights on Japan, Vietnam, and the Middle East. Those looking for more on the group could learn a lot from ZDNet's recap of the research, but it's worth pointing out that FireEye's report (.PDF) is replete with graphs, timelines, and maps, a handful of visuals that really tell the story.