Friday Five: Delayed Cyber Legislation, NIST Updates, Passkeys, & More
Trouble in D.C. is causing cyber legislation delays, fake browser updates are scamming users with malware, and another cybercrime site was taken down this past week. Catch up on all the latest InfoSec updates in this week’s Friday Five!
HOUSE CYBERSECURITY SUBCOMMITTEE CHAIRMAN SAYS GOP SPEAKER DRAMA IS IMPACTING CYBER LEGISLATION BY CHRISTIAN VASQUEZ
The search for a new House Speaker by House Republicans is hindering funding efforts for the Cybersecurity and Infrastructure Security Agency (CISA), according to Republican Rep. Andrew Garbarino, who says that the absence of a Speaker delays legislative work. Once a successor is chosen, Garbarino says, safeguarding CISA's funding in the appropriations process will become crucial. The House Republicans' fiscal year 2024 appropriations bill allocated $2.9 billion to CISA, but Senate Republicans such as Sen. Rand Paul reportedly could oppose this over concerns about CISA's authority and funding. Garbarino supports CISA Director Jen Easterly and believes CISA should play a central role in addressing cyber threats.
NIST TO ISSUE CYBER UPDATES, INTRODUCE NEW SECURITY CONTROLS BY ALEXANDRA KELLEY
The National Institute of Standards and Technology (NIST) is releasing a security control patch, version 5.1.1, in early November to strengthen the United States' cybersecurity posture. It includes enhancements to two controls (identity management and server authorization) and introduces a new security control. A public comment period on the updated framework is open until October 31, 2023, and NIST will also make minor grammatical adjustments that do not affect control procedures. Special Publication 800-53 serves as a resource for managing cyber risks in the public and private sectors, and users can choose to implement these changes when they see fit.
POLICE SEIZE RAGNAR LOCKER LEAK SITE BY AJ VICENS
As part of a recent series of law enforcement efforts against cybercrime and nation-state cyber operations, multiple global law enforcement agencies, including the FBI, German police, and Japanese authorities, seized a website used by the criminal hacking group Ragnar Locker to leak stolen data. The operation also led to the arrest of a "key target" in Paris and interviews with five suspects in Spain and Latvia. Authorities seized the group's infrastructure in the Netherlands, Germany, and Sweden. The operation follows the arrest of two ransomware operators in Ukraine in September 2021, which involved law enforcement officials from 11 countries. Ragnar Locker, operating since 2019, was distinctive for targeting large entities, demanding payment in exchange for not leaking stolen data, and posting data from 100 victims across 27 sectors.
THE FAKE BROWSER UPDATE SCAM GETS A MAKEOVER BY BRIAN KREBS
Hackers have recently revived an old trick by using hacked websites to display fake browser update alerts that lead users to install malware. Their new twist is hosting the malicious files on a decentralized cryptocurrency blockchain, specifically the Binance Smart Chain (BSC), to evade takedowns. Hosting files on the BSC is said to give attackers an untraceable, cost-free, and resilient way to retrieve their data. BSC is aware of this abuse, has blacklisted the associated addresses, and is working on proactive threat detection. Several threat actor groups have successfully used such fake browser updates, exploiting users' trust in legitimate sites and in update prompts.
PASSKEYS ARE COOL, BUT THEY AREN'T ENTERPRISE-READY BY ROBERT LEMOS
Passwordless authentication using passkeys, based on the FIDO Alliance's WebAuthn standard, is gaining support from major internet firms like Apple, Google, and Microsoft, simplifying the user experience. However, at this time, passkeys may not provide the control and attestation that large corporations need; for now, the more likely scenario is that passkeys become an optional factor within existing public key infrastructure (PKI) or credential-based systems. Passkeys could help eliminate phishing attacks, but businesses remain hesitant because of device recovery issues and concerns about device attestation. For enterprises, passkeys could offer a standardized PKI, but challenges remain, such as ensuring key security and centralized policy management.