Skip to main content

Friday Five: Delayed Cyber Legislation, NIST Updates, Passkeys, & More

by Robbie Araiza on Friday October 20, 2023

Contact Us
Free Demo
Chat

Trouble in D.C. is causing cyber legislation delays, fake browser updates are scamming users with malware, and another cybercrime site was taken down this past week. Catch up on all the latest InfoSec updates in this week’s Friday Five!

HOUSE CYBERSECURITY SUBCOMMITTEE CHAIRMAN SAYS GOP SPEAKER DRAMA IS IMPACTING CYBER LEGISLATION BY CHRISTIAN VASQUEZ

The search for a new House Speaker by House Republicans is hindering funding efforts for the Cybersecurity and Infrastructure Security Agency (CISA), according to Republican Rep. Andrew Garbarino, who says that the absence of a Speaker delays legislative work. Once a successor is chosen, the Representative says that safeguarding CISA's funding in the appropriations process will become crucial. The House Republicans' fiscal year 2024 appropriations bill allocated $2.9 billion to CISA, but Senate Republicans like Sen. Rand Paul reportedly could oppose this due to concerns about CISA's authority and funding. Garbarino supports CISA's Director Jen Easterly and believes CISA should play a central role in addressing cyber threats.

Read more

NIST TO ISSUE CYBER UPDATES, INTRODUCE NEW SECURITY CONTROLS BY ALEXANDRA KELLEY

The National Institute of Standards and Technology (NIST) is releasing a security control patch, version 5.1.1, in early November to strengthen the United States' cybersecurity posture. It includes enhancements to two controls--identity management and server authorization--and introduces a new security control. A public comment period on the updated framework is open until October 31, 2023, and minor grammatical adjustments will also be made by the NIST without affecting control procedures. Special Publication 800-53 serves as a resource for managing cyber risks in public and private sectors, and users can choose to implement these changes when they see fit.

Read more

POLICE SEIZE RAGNAR LOCKER LEAK SITE BY AJ VICENS

As a part of a recent series of law enforcement efforts against cybercrime and nation-state cyber operations, multiple global law enforcement agencies, including the FBI, German police, and Japanese authorities, seized a website used by the criminal hacking group Ragnar Locker, known for leaking stolen data. The operation also led to the arrest of a "key target" in Paris and interviews with five suspects in Spain and Latvia. Authorities seized the group's infrastructure in the Netherlands, Germany, and Sweden. The operation follows the arrest of two ransomware operators in Ukraine in September 2021, involving law enforcement officials from 11 countries. Ragnar Locker, operating since 2019, was distinctive for targeting large entities, demanding payment in exchange for not leaking stolen data, and posting data from 100 victims across 27 sectors.

Read more

THE FAKE BROWSER UPDATE SCAM GETS A MAKEOVER BY BRIAN KREBS

Hackers have recently revived an old trick by using hacked websites to display fake browser update alerts, leading users to install malware. They've taken a new approach by hosting malicious files on a decentralized cryptocurrency blockchain--specifically the Binance Smart Chain (BSC)--to evade takedowns. Hosting files on the BSC is said to provide an untraceable, cost-free, and resilient method for attackers to obtain data. While BSC is aware of this abuse, they've blacklisted associated addresses and are working on proactive threat detection. Several threat actor groups have been successful in utilizing such fake browser updates, taking advantage of users' trust in legitimate sites and updates. 

Read more

PASSKEYS ARE COOL, BUT THEY AREN'T ENTERPRISE-READY BY ROBERT LEMOS

Passwordless authentication using passkeys, based on the FIDO Alliance's WebAuthn standard, is gaining support from major internet firms like Apple, Google, and Microsoft, simplifying the user experience. However, at this time, passkeys may not provide the control and attestation necessary for large corporations, as passkeys becoming an optional factor within existing public key infrastructure (PKI) or credential-based systems is still currently the more likely scenario. Passkeys could help eliminate phishing attacks, but businesses remain hesitant due to device recovery issues and concerns about device attestation. For enterprises, passkeys could offer a standardized PKI, but challenges remain, such as ensuring key security and centralized policy management. 

Read more

Tags:  Legislation Cybercrime Malware

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the latest security insights
delivered to your inbox each week.