May of 2020 has come and gone, and we’re another week closer to the start of summer. The end of this week signals the need for another “Byte Sized News” brought to you by PlexTrac. There were a lot of very interesting stories and new developments in the industry that are sure to both entertain and inform our readers. As always, this series isn’t intended to provide readers with details on every story and topic, but rather to fill busy professionals in on the most compelling developments in the field.
Without further ado, let’s get to this week’s top news stories!
Our first story this week comes from Krebs on Security and focuses on the REvil ransomware gang. This group has begun selling the sensitive data it has obtained from its attacks to the highest bidder on its Dark Web “Happy Blog.” The first data auction is said to contain more than 22,000 files from an agriculture company. This auction is likely to be hard to track and neutralize. The effects of the COVID-19 pandemic are exacerbating the situation further, since many companies that have fallen victim to these types of attacks simply don’t have the capital to pay ransoms and must watch helplessly as their precious data is illegally sold to an outside party.
Our next article comes from CSO and concerns a Microsoft Office vulnerability that was supposedly patched in 2012 but is still being exploited. As of December 2019, Chinese state cyber actors have been continuing to exploit this vulnerability (CVE-2012-0158). This is the vulnerability that the U.S. government publicly assessed in 2015 as the “most used in their cyber operations.” It is insane to see that a vulnerability supposedly patched in 2012 was still being exploited in 2019. This vulnerability affects Office 2003, 2007, and 2010, so be on the lookout if you still use those versions of the product.
The next big headline from this week comes from SCMagazine, which reported on an official statement from the United States Office of Management and Budget (OMB). This statement reported that 8 percent fewer cybersecurity incidents happened to government agencies in the 2019 fiscal year when compared to 2018. This improvement was largely attributed to the “maturity of agencies’ security programs,” a sentiment we’re proud to hear. The total reported number for 2019 was 28,581, compared to 31,107 in 2018. The statement from OMB goes on to claim that “improper usage” was the most common attack vector exploited, making up 12,507 incidents. The OMB also reported that 72 of the 96 agencies received an overall rating of “Managing Risk.”
Our next story comes from CPO Magazine and discusses Facebook’s acquisition of GIPHY, its potential merger with Instagram, and the implications of these moves for people’s data. Facebook recently acquired GIPHY, one of the biggest repositories on the Internet for the popular animated “gif”. While this likely involves a positive integration between the platforms, there is a growing opposition to Facebook’s many mergers and acquisitions. These individuals claim that their data has never been in a more vulnerable position, and this fear will only rise as time moves forward. Additionally, some users are concerned about potential censoring on the platform, as Facebook is a large brand with harsh content standards. Overall, the public perception of Facebook’s ethical standards relating to data management is at an all-time low, and any move it makes is likely to be met with some level of skepticism.
Our last news story of the week comes from Security Week and covers a new bipartisan bill in the United States that seeks to provide individuals with “increased control over sharing of data with services designed to notify them if they have been exposed to COVID-19”. This bill was proposed by Maria Cantwell (D-WA) and Bill Cassidy (R-LA) and is sponsored by Amy Klobuchar (D-MN). The legislation looks to both protect consumer privacy and promote public health. Many automated exposure notification services (websites, apps, etc.) are set to be released in the coming weeks to help track the spread of the COVID-19 pandemic and deliver notifications to users who “may have been” exposed to the virus. However, the Exposure Notification Privacy Act looks to make participation in these exposure notification services voluntary and based on express consent.