Newsletter

open source and cybersecurity news

December 28, 2023

It's 5:05, December 28, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown:  December 28th, 1895. The world’s first projected movie screening takes place at the Salon Indien du Grand Café in Paris, France. 33 people attend at the admission price of 1 franc each to view 10 films at about 50 seconds each.

Edwin Kwan: Three malicious Chrome extensions disguised as VPNs infected approximately 1.5 million users. The extensions – netPlus, netSafe, and netWin – were distributed through an installer hidden in pirated copies of popular video games like Grand Theft Auto and Assassin’s Creed.

Olimpiu Pop: The EU Cybersecurity Schemes, born from the EU Cybersecurity Act, are being developed for different industry categories such as ICT, Cloud services and 5G networks, and will consist of a comprehensive set of rules, technical requirements, standards and evaluation procedures for certification.

Ian Garrett: New Year, New Data Breach Disclosure Rules issued by the U.S. Securities and Exchange Commission to reshape the cybersecurity landscape for publicly owned companies. Recently, starting on December 18th, these companies must now comply with the stringent rules requiring them to disclose material cyber incidents within 96 hours.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Chrome Users Infected via Fake VPNs in Video Game Torrents

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Three malicious Chrome extensions disguised as VPNs infected approximately 1.5 million users, functioning as browser hijackers, cashback hack tools, and data stealers.

This is Edwin Kwan from Sydney, Australia.

Discovered by ReasonLabs, the extensions – netPlus, netSafe, and netWin – were distributed through an installer hidden in pirated copies of popular video games like Grand Theft Auto and Assassin’s Creed and are downloaded from torrent sites.

The extensions are automatically installed at the registry level, targeting users primarily in Russia, Ukraine, Kazakhstan, and Belarus. The fake VPNs not only stole sensitive user data, but also disabled competing cashback and coupon extensions, redirecting profits to the attackers. ReasonLabs notified Google, leading to the removal of the malicious extensions from the Chrome Web Store.

The incident underscores the security risks associated with browser extensions, urging users to regularly check installed extensions and stay vigilant against potential threats.

Resources
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/fake-vpn-chrome-extensions-force-installed-15-million-times/

 

Olimpiu Pop
Cybersecurity Legislation (CRA, US Legislation)

Olimpiu Pop, Contributing Journalist

In the EU in 2023, the focus has been on strengthening and harmonizing cybersecurity across member states. Key developments include:

– NIS2 Directive: This directive applies to both essential and important entities across various sectors like energy, healthcare, and digital infrastructure. It mandates robust cybersecurity measures, including Risk Analysis, Incident Handling and Supply Chain Security. NIS2 enters into force in January 2023 and member states have until October 2024 to implement corresponding national legislation.

– The EU Cyber Resilience Act, aiming to ensure the security of Internet of things products, sets the requirements for hardware manufacturers, software developers and distributors regarding product security throughout their life cycle. It includes measures such as risk assessment, software bill of materials, and continuous maintenance of vulnerability reporting processes.

The EU Cybersecurity Schemes, born from the EU Cybersecurity Act, are being developed for different industry categories such as ICT, Cloud services and 5G networks, and will consist of a comprehensive set of rules, technical requirements, standards and evaluation procedures for certification. These are the main changes in terms of legislation in the EU bloc for cybersecurity. There are major concerns regarding the open source and its future if the CRA passes in its current form.

Olimpiu Pop reported from Sylvania, Romania.

Resources
– Think Tank: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333

 

Ian Garrett
6 Key Aspects of SEC Rules for Data Breaches

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

New Year, New Data Breach Disclosure Rules issued by the U.S. Securities and Exchange Commission to reshape the cybersecurity landscape for publicly owned companies. Today, we’ll dig into the six key aspects of the rules.

Hey folks, this is Ian Garrett in Arlington, Virginia.

Recently, starting on December 18th, these companies must now comply with the stringent rules requiring them to disclose material cyber incidents within 96 hours. This regulation, while aimed at increasing transparency and investor protection, has sparked significant debate and concern among organizations about the feasibility of such a tight reporting window and the potential risks it introduces.

Key Aspect 1: Reporting Requirements. Organizations must report cybersecurity incidents in a specific line item on a Form 8-K report within four business days. This includes describing the incident’s nature, scope, timing, and material impact.

Key Aspect 2: Exemptions and Extensions. Smaller companies are granted a 100 day extension, and there’s a clause allowing delay in disclosure if the U.S. Attorney General deems it necessary for national security or public safety.

Key Aspect 3: Consequences of Non-Compliance. Failure to adhere to these regulations can lead to financial penalties, legal liabilities, reputational damage, loss of investor confidence, and increased regulatory scrutiny.

Key Aspect 4: Challenges and Concerns. The tight deadline for reporting and the broad definition of material incidents pose significant challenges for businesses. There’s also a concern that the required disclosures might inadvertently provide useful information to hackers.

Key Aspect 5: Potential for Exploitation. Cybercriminals are already exploiting these new rules. The BlackCat ransomware group, for instance, filed an SEC complaint against MeridianLink for not reporting a breach, illustrating how hackers might use the regulation to exert additional pressure on their victim.

Key Aspect 6: Impact on Cybersecurity Landscape. The SEC’s rules are expected to change how organizations approach cybersecurity, with a greater emphasis on rapid detection, response, and transparent communication.

As the cybersecurity landscape continues to evolve, these new SEC rules represent a significant shift in how cyber incidents are handled and disclosed. Organizations must adapt quickly to comply with these regulations while safeguarding against the evolving tactics of cybercriminals.

Resources
– TechCrunch: https://techcrunch.com/2023/12/18/new-sec-data-breach-disclosure-rules/

 

Marcel Brown
This Day, December 28, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown serving up some technology history for December 28th.

December 28th, 1886. Josephine Cochran of Shelbyville, Illinois, received the first U.S. patent for a commercially successful dishwasher. Interestingly enough, she proceeded to invent the dishwasher because she was tired of her staff chipping her expensive china dishes.

She was quoted: “If you want something done right, do it yourself.”

December 28th, 1895. The world’s first projected movie screening takes place at the Salon Indien du Grand Café in Paris, France. The makeshift theater uses the Cinematograph, created by the Lumiere brothers, one of the earliest motion picture projectors in history.

33 people attend at the admission price of 1 franc each to view 10 films at about 50 seconds each. The film was created especially for the occasion. It shows workers leaving the Lumiere’s factory in Lyon by foot, by bicycle, and by car.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
– This Day in Tech History: https://thisdayintechhistory.com/12/28
