Friday Five 5/21
Ransomware transparency, double encryption, and predictions for the future - catch up on all of the week's infosec news with the Friday Five!
1. National security officials outline hopes for US data breach notification law by Tim Starks
National security officials this week began to discuss what the parameters might be for a national data breach reporting law. Such legislation could be an alternative to government surveillance of private sector networks, an idea that has faced blowback. The language of the legislation would have to be tailored and specific to only the most sensitive breaches so as not to be too burdensome. The easier and clearer the law, the more likely private organizations are to follow it. No specific legislation is in the works, but it’s clear that a solution is needed to prevent the next SolarWinds-type attack.
2. Ransomware victim shows why transparency in attacks matters by Lawrence Abrams
It feels like most of the recent cybersecurity news headlines have concerned ransomware attacks and how to properly respond to them. This story covers a recent example of a company that responded effectively to ransomware. Since the attack, the company in question, Volue, has been completely transparent, posting daily updates, and its CEO and CFO have been available to answer any questions or concerns. In addition, Volue has shared all indicators of compromise with the Norwegian Computer Emergency Response Team to help protect other companies. Compared to the usual delay and obfuscation from breached companies, Volue’s response has been a breath of fresh air and should serve as a model for others.
3. Ransomware's Dangerous New Trick Is Double-Encrypting Your Data by Lily Hay Newman
In the latest escalation in ransomware trends, cybercriminals have doubled down by encrypting victims’ data twice in the same attack. This tactic can take the form of an attack in which criminals encrypt the data with two different kinds of ransomware, requiring two separate keys to regain access to the data; or side-by-side encryption, where cybercriminals encrypt some of the data with one kind of ransomware and the rest of the data with another. Double encryption fits well into the revenue-sharing model used by cybercriminals, where different parts of the infrastructure carry out specific stages of an attack, which shares both the workload and the payout. If this trend of double ransomware encryption continues, it will further disincentivize companies from paying the ransom, as it makes successfully retrieving the data harder.
4. Automation & Pervasive, Connected Technology to Pose Cyber Threats in 2030 by Robert Lemos
At RSA this week, researchers presented what they think the future of cybersecurity will look like in 2030. Among the challenges are more processes being turned over to machines, an increase in IoT devices, and a national fiat digital currency. As our world gets more digitally connected, the damage that hackers can wreak increases proportionally: for example, researchers theorized, they could interfere with an implant in your body or lock you in your house if it’s connected to the internet. Further, the report highlights three major trends for the future: automation, connectedness, and pervasive integration. From a cybersecurity threat perspective, the industry will continue to contend with disinformation delivered by targeted algorithms and with tampering with supply chains to deliver ransomware. Even though it’s not likely that every prediction in the report will be correct, it’s worth mulling over the challenges it proposes.
5. Hacking Ring Allegedly Stole Americans' Identities, Rented Them to Gig Workers by Lorenzo Franceschi-Bicchierai and Lauren Kaori Gurley
A troubling scheme involving identity theft and fraudulent rideshare accounts was revealed this week when the US Department of Justice announced charges against 24 Brazilian nationals. The scheme involved setting up fake accounts on ridesharing and food delivery apps using stolen driver’s license and Social Security numbers. These fake accounts were then used to circumvent hiring requirements and game the bonus system through tactics such as manipulating how far a ride or delivery appeared to the app. Authorities say that the criminals stole the identities of upwards of 2,100 people. The case is an example of how gig workers are often a preferred target of scammers and criminals, as they have fewer legal protections.