Cyber Security Headlines Week in Review: UK and US cyberlaws, Microsoft’s bad week, Cisco buys Splunk

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Shawn Bowen, CISO, World Kinect Corporation.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Signal adds quantum-resistant encryption

The encrypted messaging service announced it upgraded its key agreement protocol to Post-Quantum Extended Diffie-Hellman, or PQXDH. This combines its previously used protocol, X3DH, with the post-quantum key encapsulation mechanism CRYSTALS-Kyber, which NIST selected for standardization. Because both components feed into the session key, an attacker would have to break both the elliptic-curve part and the lattice-based part to recover it. In a blog post, Signal said it did not want to entirely “replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem,” but said it believes CRYSTALS-Kyber is a solid foundation for the future. The messaging service also said this represents an initial move in its effort to offer quantum-resistant end-to-end encryption.
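To show the shape of that hybrid combining step, here is an added example (not Signal’s code; PQXDH’s actual KDF inputs, labels and curve operations differ). It implements HKDF-SHA256 from RFC 5869 and feeds the classical DH outputs and the KEM shared secret into it together. The DH outputs and the KEM secret are constructed random stand-ins for what a real X25519 and Kyber handshake would produce.

```python
import hashlib
import hmac
import secrets
from typing import Sequence


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF per RFC 5869 with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hybrid_session_key(dh_outputs: Sequence[bytes], kem_shared_secret: bytes) -> bytes:
    """Bind every classical DH output and the KEM secret into one session key.

    The concatenation goes through a single KDF, so recovering the key
    requires knowing all DH outputs (elliptic-curve part) AND the KEM
    secret (post-quantum part). The salt and info label are assumptions
    for this example, not PQXDH's.
    """
    ikm = b"".join(dh_outputs) + kem_shared_secret
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=b"example-hybrid-kdf", length=32)


# Constructed stand-ins for values a real handshake would compute: four
# X3DH-style DH outputs and one Kyber encapsulation shared secret.
DH_OUTPUTS = [secrets.token_bytes(32) for _ in range(4)]
KEM_SECRET = secrets.token_bytes(32)


def demo():
    """Return the real key and the keys two partial attackers would derive."""
    real = hybrid_session_key(DH_OUTPUTS, KEM_SECRET)
    # A quantum attacker who recovered every DH output but not the KEM
    # secret still ends up with a different key.
    quantum_guess = hybrid_session_key(DH_OUTPUTS, secrets.token_bytes(32))
    # An attacker who broke the KEM but none of the DH outputs fares no better.
    classical_guess = hybrid_session_key(
        [secrets.token_bytes(32) for _ in range(4)], KEM_SECRET
    )
    return real, quantum_guess, classical_guess


if __name__ == "__main__":
    real, quantum_guess, classical_guess = demo()
    print("session key      :", real.hex())
    print("quantum attacker :", quantum_guess.hex())
    print("classical attacker:", classical_guess.hex())
```

The point of the construction is the single KDF over both inputs: swapping either input changes every bit of the output, so a break of one primitive yields nothing about the key.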

(Bleeping Computer)

Cisco buys Splunk for $28 billion cash

Cisco’s $28 billion all-cash purchase is intended to boost its software business and reduce its reliance on networking hardware while taking on the new security issues presented by AI technology. Cisco already had a partnership with Splunk and sought to purchase it last year in a deal that fell through at the time. The deal is scheduled to close by the end of the third quarter of 2024; however, according to Reuters, rumblings of antitrust scrutiny have already started.

(Reuters)

Ransomware hits trucking software provider

New Jersey-based ORBCOMM on Friday disclosed a ransomware attack that occurred on September 6 and impacted its FleetManager platform and BT product line. ORBCOMM provides, among other things, electronic logging device systems that the U.S. Department of Transportation requires for monitoring drivers’ driving time. The disruption has forced drivers to return to paper logbooks. At Friday’s announcement, the company would not say which ransomware group was behind the incident or whether a ransom would be paid.

(The Record)

DHS council seeks to simplify cyber incident reporting rules

On Tuesday, the Department of Homeland Security’s (DHS) Cyber Incident Reporting Council delivered a 100-page report that recommends revamping cyber incident reporting requirements imposed upon US critical infrastructure operators. The Cyber Incident Reporting Council is composed of the Office of the National Cyber Director, Federal Trade Commission and the Departments of Energy, Treasury, Defense and Justice. The report found that critical infrastructure entities face a dizzying 45 active reporting requirements from 22 different federal agencies with an additional five under consideration. Harmonizing these requirements is expected to help both the private sector and federal government better understand the threat landscape while helping them prioritize their efforts. 

(CyberScoop)

UK passes the Online Safety Bill 

On Tuesday, the British government’s controversial Online Safety Bill finally completed its passage through parliament. Notably, the bill does not ban end-to-end encryption, a step tech companies claimed would nullify user protections, with some even threatening to pull their services out of the country rather than compromise this feature. The law does contain a provision that could require messaging platforms to use “accredited technology” to identify certain content, such as terrorism and child sexual abuse material (CSAM), if ordered to do so by the communications regulator, Ofcom. It should be noted that no accredited technology currently exists, and Ofcom has yet to set out how it would go about accrediting such technology.

Further to a story we brought you on Wednesday, the internet plans approved by lawmakers in the UK will substantially impact large players like Meta, Google and TikTok. It is being hailed as making Britain “the safest place in the world to be online.” In the works since 2021, the new law requires platforms to not only take down illegal content, but to prevent it from being posted in the first place, legally requiring them to verify that users are of age. According to SecurityWeek, “The law applies to any internet company, no matter where it’s based as long as a U.K. user can access its services. Companies that don’t fall in line face fines of up to 18 million pounds ($22 million) or 10% of annual global sales, whichever is greater.”

(SecurityWeek, The Record and Techdirt)

Joint story: Microsoft’s bad week

Microsoft leaks terabytes of internal data

Researchers at Wiz shared research with TechCrunch showing that Microsoft AI researchers exposed sensitive data through a cloud storage bucket of AI training data linked from GitHub. The researchers intended to share image recognition models. However, misconfigured permissions granted access to 38 terabytes of data, including private keys, passwords, and over 30,000 internal Teams messages. Microsoft initially published this bucket in 2020. Because the access token granted “full control,” a savvy user could potentially have deleted or added content to the dataset, including the models other researchers were expected to download. Wiz researchers notified Microsoft on June 22nd, and Microsoft revoked the token causing the issue on June 24th. The company said this did not expose any customer data.
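The failure mode here is an over-scoped, long-lived storage access token. As an added example (not Wiz’s tooling or anything from the incident), the following Python audits Azure Shared Access Signature (SAS) URLs for the properties a reviewer should reject: permissions beyond read and list in `sp`, an expiry (`se`) far in the future or missing, plain HTTP allowed via `spr`, and no source IP restriction (`sip`). The sample URLs are constructed, their `sig` values are placeholders rather than valid signatures, and the seven-day lifetime threshold and the reference clock are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample SAS URLs (not the real token from the incident).
# The "sig" values are placeholders, not valid HMAC signatures.
SAMPLE_URLS = [
    # Over-privileged, long-lived, no IP restriction: the pattern to reject.
    "https://example.blob.core.windows.net/training-data?sv=2020-08-04&ss=b&srt=sco"
    "&sp=racwdl&se=2040-01-01T00:00:00Z&sig=placeholder1",
    # Read/list only, short-lived, HTTPS only, IP-restricted (TEST-NET-3 range).
    "https://example.blob.core.windows.net/training-data?sv=2020-08-04&ss=b&srt=sco"
    "&sp=rl&se=2023-09-25T00:00:00Z&spr=https&sip=203.0.113.0-203.0.113.255&sig=placeholder2",
]

# Fixed reference clock so the audit is reproducible (assumption for the example).
REFERENCE_NOW = datetime(2023, 9, 22, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _parse_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sas_url(url: str, now: datetime = REFERENCE_NOW, max_lifetime_days: int = 7) -> list:
    """Return a list of findings for a SAS URL; an empty list means it passed."""
    params = parse_sas(url)
    findings = []
    if "sig" not in params:
        return ["not a SAS URL (no sig parameter)"]

    # Anything beyond read (r) and list (l) can modify or remove data.
    elevated = set(params.get("sp", "")) - {"r", "l"}
    if elevated:
        findings.append("grants more than read/list: " + "".join(sorted(elevated)))

    if "se" not in params:
        findings.append("no expiry (se) set")
    elif _parse_time(params["se"]) - now > timedelta(days=max_lifetime_days):
        findings.append("long-lived: expires " + params["se"])

    if params.get("spr") == "http":
        findings.append("allows plain HTTP (spr=http)")

    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    return findings


def audit_samples() -> dict:
    """Audit every constructed sample and key the findings by URL."""
    return {url: audit_sas_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, findings in audit_samples().items():
        print(url.split("?")[0])
        for finding in findings or ["ok"]:
            print("  -", finding)
```

Run over a repository’s history, a check like this catches a token the day it is committed rather than years later; the same parameters are worth alerting on from storage access logs, where `sp` and `se` are typically recorded with the request.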

(TechCrunch)

FTC denies blame for Microsoft Xbox leak

Late Monday evening, what some are describing as the “biggest leak in Xbox history” took place and apparently stemmed from Microsoft’s dealings with the FTC related to the Activision Blizzard acquisition. In addition to documents related to the acquisition, Microsoft appears to have also accidentally uploaded a series of highly sensitive PDFs and slides that revealed Microsoft’s plans for Xbox, including new consoles, Game Pass fees, expected subscriber growth rates, and an upcoming games list. On Tuesday, the FTC confirmed that Microsoft was responsible for the errant file upload. A judge has ordered the removal of the documents with final exhibits due for re-upload by September 22. 

(Pure Xbox and TweakTown)

Thanks to today’s episode sponsor, Hyperproof

Is your company scaling? Do you need to quickly add more compliance frameworks but don’t know where to start? Hyperproof has you covered. Hyperproof is a risk and compliance management platform that can help you manage compliance at scale. With Hyperproof, you can quickly add new frameworks, crosswalk controls between frameworks, view your risk posture, and manage your risks, all in one place. Visit hyperproof.io to get started today.

Huawei ships chips for surveillance cameras

For the past four years, the US Department of Commerce has instituted various export controls to reduce the capability of Huawei and other Chinese firms to produce their own chips. However, Reuters’ sources say that earlier this year Huawei’s HiSilicon chip unit began shipping newly created chips to surveillance camera manufacturers, and that these shipments will have a significant impact on the surveillance market. This comes after Huawei announced a new Mate 60 Pro phone using internally developed advanced chips in August, although US Commerce Secretary Gina Raimondo said there was no evidence Huawei can make these chips in volume.

(Reuters)

California’s DELETE Act goes to the governor 

California’s legislature passed the DELETE Act. This bill requires the California Privacy Protection Agency to create a website where citizens can see registered data brokers in the state and delete personal data. Once a citizen in the state requests deletion, the bill prohibits brokers from selling or sharing any newly collected information. The site would go online by 2026 under the bill. The DELETE Act now goes to Governor Gavin Newsom for signature. Current law gives California citizens the right to request data brokers delete their data, but it requires contacting them individually. The DELETE Act creates a centralized way to request deletion and enforcement for violations. 

(The Register)

Google’s Bard chatbot can now find answers in your mail or on your drive

A new development in the fast-changing world of AI search is Google’s Bard AI chatbot, which can “find and summarize the contents of an email or even highlight the most important points of a document you have stored in Drive.” As an opt-in feature, Google emphasizes that it will not use the data it finds to train Bard. Users can initiate a search within Gmail by using @mail or “Check my email.” It will also connect with Maps, YouTube, and Google Flights by default.

(The Verge)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.