Newsletters

Microsoft's lacklustre cloud product security is finally biting it on its ass. In a strongly worded open letter to key US government agency heads, Senator Ron Wyden, a member of the Senate's Intelligence Committee, asked them to investigate what he called "negligent cybersecurity practices" by Microsoft that enabled a recent hack of the company's cloud services by a hostile actor, likely from the PRC.

Wyden's letter requests action on the issue from several different US government agencies, including the Federal Trade Commission (FTC), the Department of Justice and the Cybersecurity and Infrastructure Security Agency (CISA).

He asked the FTC to investigate whether Microsoft's security practices violated a prior consent decree and its regulations, and the Department of Justice to explore whether Microsoft had violated federal contracting laws through negligent security practices.

The Russian government passed last week a series of laws aimed at cracking down on the use of foreign IT services inside Russia and driving citizens to Russian alternatives where it can easily exert pressure through its state apparatus.

Law amendments have been passed to limit the use of foreign web hosting providers, foreign email services, and foreign news aggregators.

In addition, the government also passed a generic law banning Russian citizens from participating in the activities of foreign non-profit organizations, which theoretically criminalizes participation in foreign open-source projects.

The European Union has sanctioned the operators of a Russian disinformation network known as "RRN" (Recent Reliable News) for spreading fake news and propaganda about Russia's invasion of Ukraine.

The EU says Russian government bodies participated in creating, running, and disseminating RNN's fakes on social media.

Five organizations and seven individuals managing them, including GRU agents, were added to the EU's sanctions list.

The US Securities and Exchange Commission has passed a new set of cybersecurity rules for publicly traded companies.

The new rules would require companies to disclose any cybersecurity incident to the SEC within four days after a company has deemed the incident grave to be "material." In the context of the SEC, material refers to events that impact a company's operations, finances, or may sway shareholder voting decisions—so it's likely to cover quite a lot of incidents.

The new rule is not without its fair share of controversy. The rules passed in a close 3-2 partisan vote following more than a year of negotiations and rulemaking. Both Republican-appointed members voted against it.

New legislation in the US designed to combat law enforcement’s use of commercially procured data is welcome, but won't solve the core problem: that this data is being collected and brokered in the first place, including to foreign intelligence services.

The Fourth Amendment is Not For Sale Act will require government intelligence and law enforcement agencies to obtain a warrant before procuring information about US citizens. The US House Judiciary Committee has just given it a stamp of approval, and so onwards it goes towards becoming law.

The legislation would apply to federal, state and local law enforcement agencies and cover information purchased from data brokers, as well as data acquired from leaks or illegitimate hacks.

A threat actor has exploited a MobileIron zero-day to breach twelve Norwegian government agencies, the country's security service said on Tuesday.

The identity of the attacker, the dates of the intrusions, and the names of the compromised agencies have not been revealed.

Norwegian authorities say the zero-day targeted a piece of software named the Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. The platform is used to manage mobile devices used by government employees and grant remote access to government systems and applications.

A team of four Google engineers has proposed a new Web API named Web Environment Integrity that would allow websites to block client apps that modify their code.

In layman's terms, the proposal would force clients, such as desktop and mobile browsers, to cryptographically sign a CBOR token that contains details about their local environment.

Based on the token they receive, websites can then decide if they want to continue delivering service to the client or not.

Microsoft has expanded the number of security logs that customers of the lower tier of its cloud service can access.

Thirty-one log categories have been moved from the premium tier of the Microsoft Purview Audit service into the standard offering.

The log retention policy for the standard tier has also been changed from 90 to 180 days, Microsoft said in an announcement on Wednesday.

Microsoft and JumpCloud both disclosed breaches of their cloud services last week. It's nice they each disclosed these incidents, but it shouldn't be up to them. We need a mandate that will force cloud service companies to publish detailed postmortems when these things happen.

In the first announcement on 11 July, Microsoft revealed details of a likely China-based actor it calls 'Storm-0558' that had successfully accessed the cloud-based Outlook email of 25 organisations. The actor had targeted government agencies and individual consumer accounts likely associated with these organisations. Microsoft did not specify the affected organisations, but The Washington Post reported that the US Commerce and State departments were affected.

In a more detailed analysis of Storm-0558’s techniques, Microsoft says the group has "primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests". According to the vendor, the group’s objective in most campaigns is to access the email accounts of its targets. Microsoft says it has "moderate confidence" that the group is a China-based espionage actor, although from our standpoint, it walks like a duck and quacks like a duck, so it's probably a duck.

The White House and the FCC have announced a voluntary cybersecurity labeling program for internet-connected devices sold in the US.

The program will roll out in 2024 and is named the US Cyber Trust Mark.

It will take the form of a shield logo applied to routers and IoT devices sold through US retailers. The logo will be applied to devices that meet a set of basic cybersecurity criteria, such as devices using unique and strong default passwords, can receive security updates, protect user data, and restrict access to their management interfaces.