This Week In Security - 05/04/2020
State Officials Call for Cybersecurity Relief
A coalition of state officials, led by the National Governors Association, has called on Congress to “authorize and fully fund a dedicated cybersecurity program”.
The coalition argues that the COVID-19 pandemic is “exerting greater pressure on cybersecurity” and exposing the vulnerabilities in outdated systems “that do not foster remote work”.
In the letter, the group went on to explain the burden felt by local and state government resources. Unemployment has soared in the US, placing new strain on unemployment benefit portals, while health insurance providers are also experiencing an increase in traffic.
According to the group, which also includes the National Emergency Management Association and the Government Finance Officers Association, “this surge on our information technology infrastructure requires additional investment in both funding and manpower to keep up with the massive usage”.
Additional funding is also required to combat the increase in COVID-19-related cyber threats as cybercriminals continue to target the “government infrastructure, the healthcare sector, and individual citizens”.
Although the government’s approved $2.3 trillion relief package contains “some funding for federal broadband grant programs”, state officials argue “that broader support for government technology is needed”, especially as states face revenue shortfalls caused by the “sudden halt in economic activity”.
Instacart Orders Cartdash to Cease and Desist
Cartdash customers can no longer push in and grab the first available delivery slot from the Instacart online grocery delivery and pickup company.
The Cartdash service required Instacart customers to hand over the details of their order and account to the tool, after which it would verify their login credentials, log in, and refresh the “checkout page over and over again until a new delivery window appeared”.
Developers of similar tools admitted that they give those with more technical know-how “an unfair advantage over others who aren’t tech-savvy but may still need to purchase items urgently”.
Instacart said that Cartdash and other independent services are not affiliated to the delivery services themselves, adding that “people claiming to be able to grab delivery slots outside of the main Instacart platform are, at a minimum, violating Instacart’s trademarks but also as the company’s terms of service”.
Cartdash creator, Devon Koch, said that, before creating the tool, he had checked Instacart’s terms and conditions and said, “there wasn’t anything in there that stuck out”, even though those same terms of service specifically state that users “may only access the Services through the interfaces that Instacart provides”.
Cybersecurity Becomes IT as Cybercriminals Wage War
Many cybersecurity professionals are being pushed into IT roles, and some fear this is giving cybercriminals new opportunities.
As the coronavirus continues its onslaught, nearly half of the world’s cybersecurity professionals are being reassigned into general IT positions, a survey by the International Information System Security Certification Consortium revealed.
Most of those are working from home, with just 10% going into the workplace. Many are dealing with a significant “rise in the number of cyberattacks and other security incidents”, with 23% saying that the increase coincided with the company’s transition to a remote work environment.
Of greater concern is the 30% of cybersecurity professionals reassigned to IT roles who say there’s been a notable increase in security incidents, compared to the 17% who have retained their original roles. Such statistics suggest that “organizations who are transferring security staff to IT are more at risk from hacking”.
The sudden shift to working from home came too quickly for most organizations, few of which were ready for such a transition. Many cybersecurity teams are struggling to find the necessary tools to keep their remote workers safe, while 34% “say they have the tools for now but fear it’s only for the time being”.
Israeli Tech Company Pitches Spy Tools to Governments
The Israeli tech company, Cellebrite, is proposing to sell its data extraction software to governments to help with tracking and tracing those with coronavirus.
The company claims, “when someone tests positive, authorities can siphon up the patient’s location data and contacts” which will enable them to “quarantine the right people”.
Law enforcement agencies already use Cellebrite’s software to extract information from locked devices. Cellebrite says that, while governments would normally use the software only with the consent of the device owner, in “legally justified cases” police could use the same tools to break into a confiscated device.
Cellebrite is also offering a similar, but less invasive, version of its software to healthcare workers to help “trace the spread of the virus”, although that version can’t be used to hack phones.
Cellebrite may sound like it’s right on track, but it faces stiff competition, with “at least eight surveillance and cyber-intelligence companies attempting to sell repurposed spy and law enforcement tools to track the virus and enforce quarantines”.
Reuters said it was “not aware” of the US government purchasing any mass surveillance tools, although executives also “declined to specify which countries have purchased their surveillance products, citing confidentiality agreements with governments”.