The cybersecurity industry, and security researchers in particular, had a big win this week. The Department of Justice announced policy revisions that will impact arcane charging practices for violations of the Computer Fraud and Abuse Act (CFAA). Specifically, the changes dictate that security researchers acting in good faith should not be charged.
“‘Computer security research is a key driver of improved cybersecurity,’ said Deputy Attorney General Lisa O. Monaco in the press release. ‘The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.’”
To understand the difference between a hacker and an attacker, check out this RSAC 365 webcast on Hackers’ Rights with Harley Geiger, Chloe Messdaghi, and Beau Woods. You can catch all of them at RSA Conference 2022 in a couple of weeks. Check out the full agenda and look for Geiger, who will again be speaking on the topic of hacker law. If you don’t want to miss it, be sure to reserve a seat for Hacker Law After the Supreme Court Ruling: Insider Threats, Research & CFAA.
Now let’s take a look at what else made industry headlines this week.
May 20: “More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access,” Threatpost reported.
May 20: Infosecurity Magazine reported, “Sextortion cases in the UK doubled in 2021 compared to 2020, new figures have shown.”
May 19: CISA issued an emergency directive requiring federal agencies to immediately patch or deactivate a suite of vulnerable VMware products.
May 19: After Conti hackers infiltrated government institutions in Costa Rica with a ransomware attack, they demanded $20 million in ransom, then warned they would overthrow the government. President Rodrigo Chaves responded, saying his country is at war with the cybercriminals.
May 18: MITRE has created another framework for cybersecurity teams to use in improving supply chain security.
May 18: “A group of Democratic lawmakers has urged the Federal Trade Commission to investigate identity verification company ID.me, claiming that its CEO made misleading comments about how the company uses facial recognition,” Vice reported.
May 18: In a piece explaining how SBOMs can help to improve enterprise security, Solutions Review noted, “SBOMs will soon become an important decision factor in software procurement since increased visibility into products being considered may expose risks organizations are unwilling to take.”
May 17: KrebsOnSecurity reported on low-cost smart ID card readers that allegedly come packaged with malware known as Ramnit.
May 17: Cybersecurity authorities from Canada, New Zealand, the Netherlands, the United Kingdom, and the United States issued a joint security advisory highlighting the top 10 initial attack vectors used to breach networks.