Skip to main content

Friday Five: New Federal Compliance Requirement, a Russian Hacking Spree, & More

by Robbie Araiza on Friday March 15, 2024

Contact Us
Free Demo
Chat

This past week's InfoSec headlines were dominated by a high-profile, Kremlin-backed cyberattack, CISA and the OMB's new attestation form, the so-called "TikTok Bill," and more. Catch up on all the latest in this week's Friday Five!

CISA, OMB RELEASE SECURE SOFTWARE DEVELOPMENT ATTESTATION FORM BY MATT BRACKEN

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) have released a new form requiring software makers supplying the federal government to affirm their products are developed with secure practices. The form, part of the Biden administration's cybersecurity strategy, aims to ensure software producers adhere to secure development techniques. CISA emphasizes principles of secure-by-design, shifting security responsibility to software producers. The form checklist includes requirements for logging, monitoring, encryption, multi-factor authentication, vulnerability checks, and trusted source code supply chains. This initiative follows extensive stakeholder engagement and complements efforts to drive global software security improvements.

Read more

MICROSOFT SAYS KREMLIN-BACKED HACKERS ACCESSED ITS SOURCE AND INTERNAL SYSTEMS BY DAN GOODIN

Microsoft disclosed that the Kremlin-backed hacking group known as Midnight Blizzard, linked to the Russian Federal Security Service, has escalated its cyberattacks on the company's network and customers after gaining access to Microsoft's corporate network in January by exploiting weak passwords. Since then, they've compromised source code and internal systems, leveraging information from Microsoft's corporate email systems. Despite the breach, Microsoft reassured that no evidence suggests customer-facing systems have been compromised. Midnight Blizzard has increased its password-spraying attacks, attempting to access sensitive data, underscoring the unprecedented global threat landscape posed by sophisticated nation-state actors. The group's activities have expanded beyond Microsoft, targeting aviation, education, law enforcement, government agencies, and military organizations.

Read more

CHATGPT 0-CLICK PLUGIN EXPLOIT RISKED LEAK OF PRIVATE GITHUB REPOS BY LAURA FRENCH

Vulnerabilities were recently discovered in ChatGPT and its plugins, allowing attackers access to user conversations and account contents, including a zero-click exploit targeting private GitHub repositories. These vulnerabilities involved flaws in the OAuth implementation, enabling interception or misuse of OAuth tokens. PluginLab, a framework for ChatGPT plugins, was found vulnerable to a zero-click exploit, while other plugins failed to validate the "redirect_uri" link an OAuth token is sent to, allowing attackers to access victims' accounts. Although these vulnerabilities were patched, the incident highlights the emerging risks associated with generative AI tools. The rapid adoption of such tools poses various threats, from theft of sensitive data to phishing attacks. Despite the importance of AI in gaining a competitive edge, security evaluations and employee training should not be overlooked.

Read more

FCC APPROVES CYBERSECURITY LABEL FOR CONSUMER DEVICES BY CHRISTIAN VASQUEZ

The Federal Communications Commission (FCC) has approved the U.S. Cyber Trust Mark, a voluntary label indicating that consumer Internet of Things (IoT) devices meet basic security standards. This initiative, resembling the Energy Star program, aims to address vulnerabilities in smart devices and enhance consumer safety and signifies adherence to cybersecurity standards established by the National Institute of Standards and Technology. Biden administration officials emphasize its importance in mitigating both consumer safety and national-security risks associated with IoT devices, often targeted by hackers. The FCC order mandates transparency in labeling, compliance testing by accredited labs, and comprehensive security information accessible via QR codes. While praised as a positive step, experts suggest that more robust security elements, such as encryption and privacy disclosures, should be incorporated in future iterations of the label.

Read more

TIKTOK BAN RAISES DATA SECURITY, CONTROL QUESTIONS BY NATHAN EDDY

The US Congress has passed a bill that could ban TikTok if signed into law, citing security concerns due to its Chinese ownership by ByteDance and its potential to spread misinformation. The bill requires ByteDance to divest TikTok to a US-based company within 180 days, with penalties for non-compliance. Although the House overwhelmingly supported the bill, its passage in the Senate remains uncertain. Amid mounting scrutiny, however, TikTok has invested in restructuring its operations in the US. Experts highlight TikTok's potential threat due to its unrestricted data usage and manipulation of algorithms. The ban could also impact TikTok's significant economic contributions, but businesses reliant on the platform may need to reconsider their dependency. Despite the ban's intent, challenges remain in enforcing it effectively, highlighting the complexity of regulating foreign-owned apps and the need for comprehensive oversight measures.

Read more

Tags:  Compliance Cybercrime Artificial Intelligence Data Security Data Privacy

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the latest security insights
delivered to your inbox each week.