Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, February 16th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
In a few minutes David Shipley, head of Beauceron Security, will be here to discuss recent news headlines. These include new cyber incident and data breach reporting obligations for American telecom companies; the progress of Canada’s proposed cybersecurity law; a cyber attack on an insurance broker to Canada’s federal employees; and the proper strategy for stopping the theft of vehicles with digital keys.
But before I bring in David, here’s a summary of other things that happened this week in cybersecurity:
The U.S. Department of Defence is notifying tens of thousands of people their personal information was exposed in an email error by a service provider exactly a year ago. TechCrunch says the incident involved a cloud email server that for three weeks was accessable from the internet without a password.
Poland’s new prime minister says the previous administration illegally used the Pegasus spyware against people. This app gets surreptitiously implanted on victims smartphones. The Record quotes local news reports saying the government believes there was a “very long” list of targets. Last September Poland’s Senate investigated whether Pegasus had been used to hack an opposition politician. Listeners may recall that a number of governments including Canada and the U.S. agreed last week to investigate the abuse of commercially-sold spyware like Pegasus.
Crooks have started using the Bumblebee malware again. According to researchers at Proofpoint, several threat groups had been using the payload in infected email attachments and links up until last October. Then its use disappeared — until last week.
Microsoft and OpenAI say they have disrupted threat groups from China, Russia and North Korea who were trying to use OpenAI’s artificial intelligence tools to improve their malware. The groups had opened accounts at OpenAi — the creator of ChatGPT — for querying open-source information, translating documents, finding coding errors and running basic coding tasks. OpenAI has shut the accounts.
An Islamic non-profit in Saudi Arabia was likely compromised in 2021 with a custom backdoor, say researchers at Cisco Systems. The malware copied data and sent it out twice a month. Cisco discovered the espionage campaign just over a year ago and delayed release of the news until now. The attacker is a mystery.
And Canada’s OpenText joined the U.S. government’s Joint Cyber Defense Collaborative. It’s a public-private partnership to help the public and private sectors up their cybersecurity. Also this week the Collaborative released a list of its priorities for this year. They include defending against advanced persistent threat operations, helping U.S. state and local officials secure their IT infrastructure and anticipating emerging technology and risks.
(The following transcript of the first of the four topics discussed this week has been edited for clarity. To get the full discussion play the podcast.)
Howard: American telecom providers will soon have new cyber incident and data breach reporting rules. The U.S. Federal Communications Commission has finalized new cyber attack reporting and consumer data breach notification rules for American telecom providers. They haven’t quite set the date on when the new rules come into effect, but telcos would have to report within seven days to the commission as well as the FBI and the Secret Service of any breach of a consumer’s proprietary network information — that’s data like your subscription plan details and the numbers that you call. New is the addition that the FCC has to be notified of these data breaches in addition, consumers will have to be notified within 30 days if there’s a theft or inadvertent disclosure of their personal data. The addition of inadvertent disclosure for American telecom providers is new. Also new is the elimination of the rule that carriers don’t have to report data breaches if they believe no reasonable harm will come to consumers from the theft of particular data, like just a name and phone number.
David, this is a sign that regulators are getting impatient with data breaches from phone companies and with consumers complaining that they aren’t notified fast enough when there is a data breach.
David Shipley: I think it is, and I think regulators are right to be impatient. But let’s remember, it’s more than just phone companies getting popped. We were just talking a few weeks ago about the so-called Mother Of All Breaches — or more accurately the child of all breaches, as it’s an aggregation of a whole bunch of data breaches over the past 20 years. It’s literally an evil version of ‘Have I been Poned?’ Phone companies have been contributing significantly to the amount of data now available to criminals to cause harm. Phone companies had an awful, terrible 2023 in the United States. According to cyber intelligence firm Cyble, the personally identifiable information on 74 million Americans was leaked in 2023 by one or more telecommunications companies. That’s more than 23 per cent of all American telecommunications users in 1 year alone. The challenge for phone companies is this is only going to get worse as we move to password-less technologies like passkeys — biometric authentication with your smartphone — as the digital keys to your life. The [smart]phone is now the most important part of your personal, and in some cases corporate, identity and access management. That turns the heat up on the telephone companies to keep their customers safe in ways that make them more like financial institutions, in that the importance of security has never been greater. So the heat on them Is only going to get worse from regulators, because it’s only going to get worse from criminals.
Howard: Note that it’s not only data thefts of personal information that American telecom carriers are going to have to report to authorities. The FCC expands the definition of personal information now to include biometrics like fingerprints and facial images that are used for logins. And it also includes as reportable inadvertent exposure of data due to things like misconfigurations.
David: The FCC ruling was genuinely was fun to read … It contains one of the clearestdescriptions of what constitutes PI [personal information] that I’ve ever seen from a regulator. It’s beautiful in the holes it pokes for folks who would look to not have to report this. What’s also interesting is their definitions also include disassociated or anonymized data. You don’t get a pass if you say, ‘The data was scrambled,’ if the attackers reasonably had access to the key that could reconnect individuals to that data. If any telco folks are listening to me at the executive level at the security team level, please, please hear the following point I’m going to make loud and clear: Do not store biometric data — voice, face, fingerprints. The only way biometrics should be used is on a device — never stored in groups on a server –in a secure enclave on the device. Convert them into an encrypted form that can’t be unscrambled without like a nation-state-level resource associated with it, if at all possible. You can change a password, you can replace an MFA token, but aside from Hollywood celebrities most of us can’t easily change our face.
Howard; It’s interesting that other critical infrastructure providers have to report data breaches to American authorities within 72 hours. The seven-day reporting requirement for American telcos stays.
David: I’m not a lawyer but I think I have a rough handle on what’s going on here and the distinction that the FCC is trying to make. The U.S. critical infrastructure reporting that does include telcos has to do more with hacks that could jeopardize the ongoing availability and operation of critical infrastructure providers — like the Colonial Pipeline attack or JBS Meats, where all of a sudden the operations of the business are actually disrupted. As gross as data breaches are they don’t knock the phones offline or internet connections offline. That’s a loophole that can often be used to avoid reporting under the critical infrastructure side of things. Along with the threshold known as the ‘real risk of significant harm,’ which, as you pointed out, is something that has been used [by companies] in the past to say, ‘Well, it’s just their first name and their email address. How big of a deal is that?” So they’ve eliminated that real risk of significant harm threshold and now say, ‘This could cause customer harm. You have to report it.’ This new FCC rule makes it clear that if PI is lost there’s a risk of customer harm and you’ve got to report. I think this is helpful.
