This week’s Cyber Security Headlines – Week in Review, May 2-6, is hosted by Rich Stroffolino with our guest, Shawn Bowen, CISO, World Fuel Services
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
India gives orgs 6 hours to report cyber incidents
India’s Computer Emergency Response Team (CERT-In) has issued a new directive that requires service providers, corporations, and government entities to report cyber incidents within 6 hours of detection. The mandate also requires virtual asset, exchange, and wallet providers to maintain records on KYC and financial transactions for a period of five years. Additionally, service providers will be required to maintain 180 days’ worth of system logs and will need to assist India’s CERT with cyber incident remediation activities. Meanwhile, cloud and VPN providers will now need to register validated names, emails, and IP addresses of their subscribers.
The White House wants more powers to crack down on rogue drones
The White House has laid out its plans to give authorities more power to respond to nefarious drone activity which poses risks to public safety, privacy and homeland security. The plan proposes to expand the use of technologies that can identify and neutralize rogue drones, for example RF jammers, for federal agencies including Departments of Justice, Defense, State, and Homeland Security as well as the CIA and NASA. In addition, state and local authorities as well as critical infrastructure owners and operators would have expanded authority to use anti-drone technology. Currently, non-federal entities need to seek assistance from authorized entities, like DHS, to respond to drone threats.
(ZDNet)
Solana network goes dark after bot swarm
A swarm of bots hit the popular NFT minting tool called Candy Machine over the weekend, hitting it with four million transaction requests and 100 gigabits of data per second, ultimately pushing validators of the blockchain out of consensus. The network went dark for roughly seven hours as a result, only coming back online after restarting the validators in an effective hard fork. It’s unclear at this point how the bot swarm caused it to lose consensus.
(CoinDesk)
DoD phished for $23.5 million
The US Department of Justice convicted California resident Sercan Oyuntur of multiple counts related to phishing activities against the Defense Department, finding he caused $23.5 million in damages. This began in September 2018, when Oyuntur registered the dia-mil.com domain for his phishing operations, similar to the legitimate dla.mil domain. He used the domain to send emails directing users of a vendor database to a fake login.gov site, where Oyuntur would steal credentials. He eventually obtained credentials for a Southeast Asia corporation with active fuel provision contracts, and changed the banking information to a foreign account he controlled.
Thanks to our episode sponsor, Censys

Results from the first defense industrial base bug bounty
Almost 300 security researchers took part in the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot over the last twelve months, turning up over 400 valid vulnerabilities. HackerOne ran the pilot in coordination with the Defense Cyber Crime Center and Defense Counterintelligence and Security Agency, looking at 41 entities and 348 systems. This represents a small fraction of the organizations that contract directly with the Pentagon, estimated on the low end to be 100,000. The Pentagon hopes to take lessons learned from the pilot to inform a larger funded program.
Decade-old bugs discovered in Avast, AVG antivirus software
Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years. On Thursday, SentinelOne published a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523. Avast acquired AVG in 2016 for $1.3 billion. According to the cybersecurity firm, the vulnerabilities have existed since 2012 and, therefore, could have affected “dozens of millions of users worldwide.” SentinelLabs reported the vulnerabilities to Avast on December 20, 2021 and they were patched by February 11. SentinelLabs said there is no evidence of active exploitation in the wild.
(ZDNet)
Health and Human Services hammered over security
The US Department of Health and Human Services conducted an internal security audit, and ruled that its information security program was ineffective for the fourth consecutive year. This audit looked at whether the department was in compliance with the Federal Information Security Modernization Act of 2014. The audit found HHS did not meet adequate levels of maturity in the Identify, Protect, Detect, Respond, and Recover functions for security issues. The audit acknowledged that HHS is aware of these issues and is in the process of improving toward compliance.
Biden orders new quantum push to ensure encryption isn’t cracked by rivals
US president Joe Biden issued two directives on Wednesday aimed at ensuring the nation – and like-minded friends – remain ahead of other countries in the field of quantum computing, especially as applied to cryptography. The first directive creates a National Quantum Initiative Advisory Committee comprising up to 26 experts from industry, academia, and federal laboratories – all appointed by the president and under the authority of the White House. The second is a memorandum designed to promote US leadership in quantum computing while mitigating risks to cryptographic systems. While acknowledging the positive developments that quantum computing can bring, his statement also issued a stark warning: “Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet.”





