Meltdown and Spectre Rattle Cybersecurity Community for Second Week
While there has been “no public report of a successful mass attack campaign using the vulnerabilities” (according to The Hill), the Meltdown and Spectre hardware vulnerabilities are still leaving billions of devices exposed. We’ve included another summary of articles analyzing this situation during the last week.
Fancy Bear Likely Behind Espionage of US Senate
Trend Micro recently released a security report that indicates Fancy Bear, a hacking group likely associated with Russia’s GRU, is spying on the US Senate—gaining access to information through tactics such as phishing. According to Trend Micro, “Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017.”
Skype Introducing End-to-End Encryption
Microsoft-owned Skype is introducing end-to-end encryption for its users, currently testing this feature with Skype Insiders. According to Help Net Security, there are a few limitations: “Firstly, [Private Conversations] can be used to protect audio calls, text messages, and files (images, audio, videos), but not video calls. Secondly, Private Conversations are limited to one-on-one conversations (no group chats for the moment), and users can only participate in a Private Conversation from a single device at a time.” The original announcement from Signal says, “Microsoft joins a growing list of organizations including WhatsApp, Google, Facebook, and Signal itself that have integrated the open source Signal Protocol into their messaging platform.”
North Carolina Introduces “Act to Strengthen Identity Theft Protections”
Yet another state is enacting its own data breach notification laws with North Carolina’s “Act to Strengthen Identity Theft Protections” introduced by North Carolina Attorney General Josh Stein (D) and North Carolina Rep. Jason Saine (R). According to SC Magazine, “Unveiled on Jan. 8, the bipartisan ‘Act to Strengthen Identity Theft Protections’ updates the state's definition of a data breach, expanding the scope to include ransomware attacks. It also requires that affected companies report any such incident to the public and the AG's office within 15 days. Additionally, the bill also requires businesses that own or license consumers' personal information to execute reasonable security procedures and practices to protect said data, including medical records and insurance account numbers.”
Senators Introduce Legislation to Hold Credit Reporting Agencies Accountable for Data Breaches
On Wednesday, U.S. Senators Mark R. Warner (D-VA) and Elizabeth Warren (D-MA) introduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs) accountable for data breaches involving consumer data. According to a press release, the bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.