Friday Five 3/4
Utah latest state poised to pass privacy law, the Conti ransomware leaks, and more - catch up on the week's infosec news with the Friday Five!
1. Congress should prioritize data privacy protections by Linda Moore
Another week, another firmly worded editorial urging Congress to strongly consider passing data privacy legislation. This one comes from the President and CEO of TechNet, a trade group that represents tech companies like Apple, Google, Salesforce, and Oracle, to name a few. The consortium has made its stance clear in the past, outlining a federal policy agenda in 2019 designed to guide Congress towards federal privacy legislation and piggybacking on a report released earlier this year that illustrated just how costly it will be for states to continue to roll out state-by-state privacy laws. This editorial frames the problem by looking at how many Olympians at last month's Winter Games were urged to leave their cell phones at home, hinting that a future in which there isn't data privacy legislation could jeopardize Americans' data and eliminate the country's competitive edge.
2. Utah on the cusp of US's latest comprehensive state privacy law by Joseph Duball
On the other side of the coin, here’s news on a state-specific privacy law that’s made tremendous strides over the course of just a week. Based on this piece, via the International Association of Privacy Professionals, it sounds like the legislation, the Utah Consumer Privacy Act, cruised through the Senate and House in less than a week: It cleared the Senate Feb. 25 28-0 and then the House 71-0. As Joseph Duball notes, there are some formalities left but it certainly sounds like the bill is on the fast track to becoming law. If passed, the law will closely mirror Virginia's Consumer Data Privacy Act and apply to companies that make more than $25 million in annual revenue, but those companies also have to hold personal data on 100,000 Utah consumers or derive 50% of revenue from selling the data of more than 25,000 consumers.
3. Conti Ransomware Group Diaries, Part I: Evasion by Brian Krebs
Brian Krebs digs into the Conti ransomware group leak, including the trove of data on the group and its members that was uncovered over the last week or so. On Sunday a Ukrainian researcher using the handle @Contileaks shared 393 JSON files containing over 60,000 internal messages taken from the Conti and Ryuk ransomware gang's private XMPP chat server. Krebs takes a closer look at some of the chat logs, which detail conversations from January 2021 to February 2022, that should give readers a better idea of the inner workings of the group, including how it goes about communicating with victims and negotiating ransom payments.
4. How Rwanda’s data protection, privacy law will benefit users by Edwin Ashimwe
From time to time we spotlight news stories that break down ongoing data protection efforts abroad. This week, The New Times, a daily newspaper in Rwanda, breaks down a new data protection law in the country that's set to go into effect in October 2023. The publication talks to the country's Minister of Information and Communications Technology and Innovation Paula Ingabire about how the law should both help empower individuals and impose requirements on entities that process data. "First, [the law] legally mandates organizations to put in place technical and organizational measures to ensure protection - technical measures here include encryption, secure storage in-country, pseudo-anonymization, while organizational measures include internal protection and privacy policies, trainings and other processing procedures," Ingabire tells the paper.
5. Data-stealing app found in Google Play downloaded thousands of times by Carly Page
TechCrunch has news on what sounds like a nasty banking trojan that was uncovered in Google's Play store. The trojan, disguised as an app - an awfully generic one, QR Code & Barcode - Scanner - was stealing user data, including passwords and text messages, from those who downloaded it in Russia, Hong Kong, and the U.S. While the app has been deleted from the app store, it was still downloaded thousands of times, according to TechCrunch's writeup. The actual trojan, TeaBot, first surfaced back in May 2021. Also known as Anatsa and Toddler, the malware was spotted targeting Portuguese banks last summer.