News for the cybersecurity community during the COVID-19 emergency
Telework standards, some relaxation of GDPR enforcement, more COVID-19-themed phishing, and Zoom agonistes.
CISA updates US Federal telework guidance.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Trusted Internet Connections (TIC) 3.0 Telework Guidance documents. The TIC guidance is intended to support Federal agencies as they seek to comply with Office of Management and Budget direction to maximize both the opportunity for, and the security of, remote work across the Government during the pandemic emergency.
One of the agencies likely to stand in need of the guidance is NASA. BleepingComputer reports that the space agency is receiving particular social engineering attention as much of its workforce is now telecommuting.
Phishing schemes spoof White House emails on COVID-19.
Researchers at INKY describe some implausible emails on the coronavirus pandemic that pretend to originate from either the White House or US Vice President Pence. INKY outlines two distinct series of emails.
The first said that current measures against the pandemic (which the authors characterize with both orthographic and factual inaccuracy as a “Carnatine”) would continue through August, and that the IRS had pushed “Tax Day” back from April 15th to August 15th. It also urged recipients to download the President’s guidance that would “protect you and your family from pandemic” (sic). The second series reiterated the claims of the first, and encouraged recipients to follow a link for more information.
The spelling and usage are of course appalling (and not as funny as the ShadowBrokers' malapropisms used to be, and where are those guys these days?), but the attackers did use some of the White House’s actual HTML code. The emails originate from Russia, but they seem pretty clearly to be a criminal rather than a state-sponsored campaign. For one thing, the troll farmers of St. Petersburg handle American English much better, without all the Boris-Badenovisms on display in these communications. Nevertheless, someone somewhere is likely to fall for them.
Postponing GDPR fines.
SC Magazine says that the UK’s Information Commissioner’s Office (ICO) is deferring the large fines for data breaches it imposed last year on British Airways and Marriott International, respectively £183 million for British Airways and £99 million for Marriott International. The extension recognizes the economic stress the COVID-19 pandemic has imposed, especially on the travel industry. It is a deferral and not forgiveness; the companies are expected eventually to pay up.
Zoom fixes some security issues, but finds itself unwelcome in more enterprises.
Zoom continues to suffer from the pyrrhic commercial triumph the company enjoyed when demand for its teleconferencing services exploded in February and March. It’s fixed some security issues—Yahoo says Zoom has added a new security menu in its latest versions, and ZDNet reports that the company has removed meeting IDs from its toolbar—but on balance it’s still been a bad week, what CIO Dive calls a “no good, very rotten week.”
According to BuzzFeed, Google has banned its employees from using the teleconferencing app on grounds of its questionable security. And as the US Congress continues to figure out how it will conduct as much business as possible online (and the Washington Post has a summary of some of the measures under consideration), the Senate at least is fighting shy of Zoom. Reuters reports that Senators are being told not to use Zoom’s services.