Friday Five: 3/29 Edition
1. Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers by Kim Zetter
It’s not often we share pieces from the same author two weeks in a row, but it was impossible not to share this news, which broke first thing Monday morning. The news, that roughly half a million Windows machines received a malicious backdoor through a compromised ASUS update server, comes via Kaspersky Lab's Global Research and Analysis Team (GReAT) in advance of the company's Security Analyst Summit next month in Singapore. The backdoor was delivered through the ASUS Live Update utility and signed with legitimate ASUS certificates, so it passed the same checks a genuine update would; it only activated on machines whose network adapter MAC addresses matched a hardcoded target list, which is why the checks Kaspersky released work by looking at your MAC address. The attack, dubbed ShadowHammer, is the biggest supply chain attack to make headlines since CCleaner, a software tool that was hijacked to infect 2.3 million machines in 2017. Coincidentally, ASUS' servers were among those targeted by the CCleaner second stage. There is clearly, as GReAT's Vitaly Kamluk notes, more to come on this story:
That is not the end of the story! More details from the ASUS compromise case will be available at #TheSAS2019 conference in #Singapore. If you are concerned that you were a target, check your MAC address via website or free digitally signed tool here: https://t.co/CmSdAf4Baj
— Vitaly Kamluk (@vkamluk) March 25, 2019
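To make the targeting check concrete, here is an added example (written for this page, not Kaspersky's or ASUS' tool) of how a MAC-based target check works: the attacker ships hashes rather than raw addresses, and a checker hashes each local MAC the same way and looks it up. The target list below is constructed for illustration, and the choice of SHA-256 over a lowercase colon-separated string is an assumption for this example; the real implant's exact normalisation and hash algorithm are not given on this page.

```python
import hashlib
import re
import uuid

# A MAC address, once separators are stripped, is exactly 12 hex digits.
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to lowercase, colon-separated form.

    Accepts "00-1A-2B-3C-4D-5E", "001a2b3c4d5e", "00:1a:2b:3c:4d:5e", etc.
    Raises ValueError for anything that is not 12 hex digits after
    stripping separators, so a malformed input can never silently "match".
    """
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash the canonical MAC string. SHA-256 is an assumption for this example."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample targets (illustration only; not real ShadowHammer victims).
# A real checker would ship only the hashes, never the plaintext addresses.
_CONSTRUCTED_TARGETS = ["00:1a:2b:3c:4d:5e", "02:42:ac:11:00:02"]
SAMPLE_TARGET_HASHES = frozenset(mac_hash(m) for m in _CONSTRUCTED_TARGETS)


def check_macs(macs, target_hashes=SAMPLE_TARGET_HASHES):
    """Return the canonical form of every MAC whose hash is in the target set."""
    matched = []
    for mac in macs:
        norm = normalize_mac(mac)
        if hashlib.sha256(norm.encode("ascii")).hexdigest() in target_hashes:
            matched.append(norm)
    return matched


def local_macs():
    """Best-effort list of local MAC addresses using only the standard library.

    uuid.getnode() reports a single adapter; if it could not find one it returns
    a random 48-bit number with the multicast bit set, which we discard rather
    than hash.
    """
    node = uuid.getnode()
    if node & (1 << 40):
        return []
    return ["%012x" % node]


if __name__ == "__main__":
    hits = check_macs(local_macs())
    print("target MAC(s) found:" if hits else "no target MAC found", hits)
```

The stand-alone run only inspects the one adapter `uuid.getnode()` reports; a real checker enumerates every adapter (and, as Kaspersky described, combinations of adapters), so treat this as the shape of the check, not a substitute for the signed tool linked in the tweet.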
2. DOD launches milDrive, the US military's Dropbox clone by Catalin Cimpanu
Some interesting news if you're in the military and looking to share files more securely: the Defense Information Systems Agency (DISA) has pulled back the curtain on milDrive, a Dropbox-style file sharing service that stores users' files in two secure data center facilities and syncs them across devices. It's important to note that the service isn't for sharing sensitive, classified data, but combat troops, agencies and contractors looking to share other files can now do so. "milDrive allows users to store all their files in the cloud," DISA's cloud storage program manager, Carissa Landymore, said on Thursday. "It really ensures warfighters have continuous, reliable access to files without regard to device or location."
*Pentagon photo via Wiyre Media's Flickr photostream, Creative Commons
3. US Congress proposes comprehensive federal data privacy legislation—finally by David Ruiz
We’ve written extensively about all of the advances in federal data privacy legislation of late, but this piece, on Malwarebytes’ blog, does a pretty great job recapping a bunch of them in case you’ve lost track, something that’s increasingly easy to do. It's a lengthy post and could probably benefit from a little breaking up, but it gets everything in there, including bills from Senators Amy Klobuchar of Minnesota, Ron Wyden of Oregon, Marco Rubio of Florida, and Brian Schatz of Hawaii. It also includes a bill floated by the Center for Democracy & Technology that would give individuals the right to access, correct, and delete data that is collected on them, along with, for good measure, the right to take their personal data and move it somewhere else. There have been myriad bills akin to these over the last two years; we’re going to keep our eyes on this blog to see if it can keep up with them all.
4. Groupon's Privacy Lawyer Dishes on CCPA, GDPR Compliance Challenges and Tips by Caroline Spiezio
Not an article per se, but some insight here via Law.com on how one company, Groupon, tackled complying with the EU’s General Data Protection Regulation and how that work may help it conform to the California Consumer Privacy Act when it takes effect next year. Brock Wanless, the company's managing counsel for global privacy and regulatory, told The Recorder it's obviously too early to know exactly how to prep, but it certainly doesn't hurt to start looking over the CCPA now: "Whether you’re a tech company or manufacturing company or a brick-and-mortar retailer, CCPA is agnostic to your industry. So you should start evaluating now how the law may apply to you. Talk to your outside counsel and start building a compliance program now. Don’t wait."
5. Former NSA Contractor Pleads Guilty To Stealing Classified Information by Sasha Ingber
Well, it certainly took a lot longer than we all expected. A year ago it was reported that Hal Martin, the former NSA contractor who purportedly stole 50 terabytes of data from the agency, one of the largest security breaches in US history, was going to plead guilty. It wasn't until Wednesday, a year later, that the Wall Street Journal's Dustin Volz broke the news that it was actually going to happen. This comes two years after Martin was indicted on 20 counts back in 2017. The wildest part of this story to us is the sheer length of time Martin was able to steal and retain government documents: 20 years, from 1996 to 2016. It feels like the story has dragged on forever, but we haven't heard the last of it yet: sentencing is scheduled for this summer, July 17.