Friday Five: New Federal Compliance Requirement, a Russian Hacking Spree, & More
This past week's InfoSec headlines were dominated by a high-profile, Kremlin-backed cyberattack, CISA and the OMB's new attestation form, the so-called "TikTok Bill," and more. Catch up on all the latest in this week's Friday Five!
CISA, OMB RELEASE SECURE SOFTWARE DEVELOPMENT ATTESTATION FORM BY MATT BRACKEN
The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) have released a new form requiring software makers supplying the federal government to affirm their products are developed with secure practices. The form, part of the Biden administration's cybersecurity strategy, aims to ensure software producers adhere to secure development techniques. CISA emphasizes principles of secure-by-design, shifting security responsibility to software producers. The form checklist includes requirements for logging, monitoring, encryption, multi-factor authentication, vulnerability checks, and trusted source code supply chains. This initiative follows extensive stakeholder engagement and complements efforts to drive global software security improvements.
MICROSOFT SAYS KREMLIN-BACKED HACKERS ACCESSED ITS SOURCE AND INTERNAL SYSTEMS BY DAN GOODIN
Microsoft disclosed that Midnight Blizzard, the Kremlin-backed hacking group linked to Russia's Foreign Intelligence Service (SVR), has escalated its attacks on the company's network and its customers since the intrusion Microsoft revealed in January. That initial foothold came from a password-spraying attack against a legacy test tenant account that lacked multi-factor authentication; since then the group has used information taken from Microsoft's corporate email systems, including secrets shared between Microsoft and customers in email, to reach some of the company's source code repositories and internal systems. Microsoft says it has found no evidence that Microsoft-hosted customer-facing systems were compromised, but it reports that Midnight Blizzard has sharply increased the volume of its password-spraying attempts as it hunts for further access, underscoring the scale of the threat posed by well-resourced nation-state actors. The group's activity extends well beyond Microsoft, targeting aviation, education, law enforcement, government agencies, and military organizations.
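Password spraying is a low-and-slow attack: a handful of common passwords tried against many accounts, so no single account trips a lockout. The detection signal is the mirror image of brute force, one source failing against many distinct accounts with only a few attempts each. The following is an added example of that detection logic, written for this article and not taken from Microsoft or Ars Technica; the sign-in records, IP addresses, and usernames are constructed, and the thresholds are illustrative defaults you would tune to your own telemetry.

```python
"""Password-spray detection over sign-in logs (added example, not from the article).

A spray hits many accounts with one or two passwords each, so the signal is
one source failing against many DISTINCT accounts inside a short window with
few attempts per account. A brute force on one account looks the opposite.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records: ISO-8601 timestamp, source IP,
# username, result. Not real telemetry.
SAMPLE_LOGS = """\
2024-03-08T09:00:01Z 203.0.113.7 alice FAIL
2024-03-08T09:00:04Z 203.0.113.7 bob FAIL
2024-03-08T09:00:08Z 203.0.113.7 carol FAIL
2024-03-08T09:00:11Z 203.0.113.7 dave FAIL
2024-03-08T09:00:15Z 203.0.113.7 erin FAIL
2024-03-08T09:00:19Z 203.0.113.7 frank FAIL
2024-03-08T09:00:23Z 203.0.113.7 erin SUCCESS
2024-03-08T09:01:00Z 198.51.100.9 admin FAIL
2024-03-08T09:01:02Z 198.51.100.9 admin FAIL
2024-03-08T09:01:04Z 198.51.100.9 admin FAIL
2024-03-08T09:01:06Z 198.51.100.9 admin FAIL
2024-03-08T09:01:08Z 198.51.100.9 admin FAIL
2024-03-08T09:01:10Z 198.51.100.9 admin FAIL
2024-03-08T09:05:00Z 192.0.2.5 alice FAIL
2024-03-08T09:05:20Z 192.0.2.5 alice SUCCESS
"""


def parse_logs(text):
    """Parse whitespace-separated records into sorted (time, ip, user, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, ip, user, result.upper()))
    return sorted(records)


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: {"sprayed": [...], "succeeded": [...]}} for sources
    whose failures within any `window` touch at least `min_accounts` distinct
    users with no more than `max_per_account` failures against any one user.
    Thresholds are illustrative; tune them to your own sign-in volume."""
    failures = defaultdict(list)   # ip -> [(time, user)] in time order
    successes = defaultdict(set)   # ip -> {user}
    for when, ip, user, result in records:
        if result == "SUCCESS":
            successes[ip].add(user)
        else:
            failures[ip].append((when, user))

    flagged = {}
    for ip, events in failures.items():
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for when, user in events[i:]:
                if when - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[ip] = {
                    "sprayed": sorted(per_user),
                    # Accounts the same source later signed into successfully
                    # are the ones to reset and investigate first.
                    "succeeded": sorted(successes[ip] & set(per_user)),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_logs(SAMPLE_LOGS)).items():
        print(ip, info)
```

On the constructed input only 203.0.113.7 is flagged: six distinct accounts, one failure each, followed by a successful sign-in as `erin`, which is the account to reset first. The six failures against `admin` from 198.51.100.9 are a brute force, not a spray, and the single failure from 192.0.2.5 is a user mistyping a password. Real sprays often stretch one attempt per account over hours or days, so the window and per-account ceiling matter more than the account count.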
CHATGPT 0-CLICK PLUGIN EXPLOIT RISKED LEAK OF PRIVATE GITHUB REPOS BY LAURA FRENCH
Security researchers recently disclosed vulnerabilities in ChatGPT and its plugin ecosystem that could give attackers access to users' conversations and the third-party accounts connected to their plugins, including a zero-click exploit that exposed private GitHub repositories. The flaws were in the OAuth implementations. PluginLab, a framework for building ChatGPT plugins, did not properly authenticate the user during the plugin's OAuth flow, so an attacker could obtain a token representing a victim's GitHub-connected plugin without the victim doing anything. Several other plugins failed to validate the "redirect_uri" that the OAuth authorization code or token is sent to, so a crafted link could deliver a victim's credential to an attacker-controlled URL and hand over the account. The vulnerabilities have been patched, but the incident highlights the emerging risks that come with generative AI tools. Their rapid adoption creates threats ranging from theft of sensitive data to phishing, and the pressure to use AI for competitive advantage is no reason to skip security evaluations and employee training.
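The redirect_uri flaw is worth seeing in code because the weak check usually looks reasonable at a glance. The block below is an added example written for this article, not code from Salt Labs, PluginLab, or any ChatGPT plugin: a toy authorization endpoint that decides where to send the authorization code, with the loose "does it mention our host" check beside an exact-match check against pre-registered URIs. The client ID, the registered callback, and the attacker URLs are constructed for illustration.

```python
"""OAuth redirect_uri validation: the weak check beside a strict one.

Added example, not from the Salt Labs research or any ChatGPT plugin code.
The bug class is an authorization server that sends the authorization code
wherever the request's redirect_uri points, as long as it looks related to
the client; a strict server only accepts an exact, pre-registered URI.
"""
from urllib.parse import urlsplit

# Hypothetical client registry: client_id -> exact redirect URIs registered
# when the plugin was onboarded. Constructed for this example.
REGISTERED_REDIRECTS = {
    "plugin-123": {"https://plugin.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, redirect_uri):
    """Vulnerable: accepts any URI that merely contains the registered host.
    Every attacker URI below satisfies this test."""
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        if urlsplit(allowed).hostname in redirect_uri:
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Hardened: exact string match against the registered set, after rejecting
    anything that is not an absolute https URL or carries a fragment or userinfo."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id, redirect_uri, check, code="AUTHCODE-constructed"):
    """Final step of a toy authorization endpoint: return the URL the user's
    browser is sent to with the code attached, or None when the request is
    rejected. RFC 6749 requires the server not to redirect to an unregistered
    URI at all; it should show the user an error instead."""
    if not check(client_id, redirect_uri):
        return None
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}code={code}"


# Constructed attacker-supplied redirect_uri values; each contains the real host.
ATTACKER_URIS = [
    "https://plugin.example.com.attacker.test/oauth/callback",  # attacker subdomain
    "https://attacker.test/?next=plugin.example.com",           # host only in the query
    "https://plugin.example.com@attacker.test/oauth/callback",  # userinfo trick
    "https://plugin.example.com/oauth/callback#attacker",       # fragment appended
]


def compare_checks(client_id="plugin-123"):
    """Return {uri: (weak_accepts, strict_accepts)} for the legitimate and attacker URIs."""
    legit = "https://plugin.example.com/oauth/callback"
    results = {}
    for uri in [legit] + ATTACKER_URIS:
        weak = authorize(client_id, uri, weak_redirect_check) is not None
        strict = authorize(client_id, uri, strict_redirect_check) is not None
        results[uri] = (weak, strict)
    return results


if __name__ == "__main__":
    for uri, (weak, strict) in compare_checks().items():
        print(f"weak={'accept' if weak else 'reject'} strict={'accept' if strict else 'reject'} {uri}")
```

With the weak check, all four attacker URIs are accepted and the code lands on attacker.test; with the strict check only the registered callback passes. The check belongs at the authorization endpoint, before any redirect, and the same exact-match rule should be applied again at the token endpoint, where the client must present the redirect_uri it used.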
FCC APPROVES CYBERSECURITY LABEL FOR CONSUMER DEVICES BY CHRISTIAN VASQUEZ
The Federal Communications Commission (FCC) has approved the U.S. Cyber Trust Mark, a voluntary label indicating that a consumer Internet of Things (IoT) device meets baseline security standards. The program, modeled on Energy Star, aims to address vulnerabilities in smart devices, and the label signals adherence to cybersecurity criteria established by the National Institute of Standards and Technology. Biden administration officials emphasize its role in mitigating both the consumer-safety and the national-security risks of IoT devices, which are frequent targets for attackers. The FCC order requires transparent labeling, compliance testing by accredited labs, and detailed security information accessible through a QR code on the label. Experts welcomed the step but suggest that stronger elements, such as encryption requirements and privacy disclosures, should be incorporated in future iterations of the label.
TIKTOK BAN RAISES DATA SECURITY, CONTROL QUESTIONS BY NATHAN EDDY
The US House of Representatives has passed a bill that could ban TikTok if it becomes law, citing security concerns over its ownership by China-based ByteDance and the app's potential use to spread misinformation. The bill would require ByteDance to sell TikTok to a buyer not controlled by a foreign adversary within 180 days, with penalties for non-compliance. Although the House overwhelmingly supported the bill, its passage in the Senate remains uncertain. Amid the mounting scrutiny, TikTok has invested in restructuring its US operations. Experts point to the risk posed by the platform's broad data collection and its control over what the recommendation algorithm surfaces. A ban could also hit TikTok's significant economic contributions, and businesses that rely on the platform may need to reconsider that dependency. Even if the bill's intent is clear, enforcing a ban effectively would be difficult, highlighting the complexity of regulating foreign-owned apps and the need for comprehensive oversight measures.