Latest Cybersecurity News 2022-03-14 Edition


Weekly CyberTip: Stay Safe at Tax Time

Tax time may not be your favourite time of year, but don’t make it worse by falling victim to cyber fraud. Here are five tips to help you stay cyber safe as you get ready to file:

1. Use strong passwords or pass phrases to protect your CRA and financial accounts. Employ two-factor authentication or better wherever it is supported. It’s an easy and powerful way to protect your information.

2. Never reveal your password, PINs, or any personal or financial information to callers.

3. Be wary of fake calls from CRA – intimidating robo-calls threatening fines or jail time for tax arrears are commonplace this time of year. Don’t fall for scare tactics – contact the CRA directly if you have any genuine concerns.

4. Similarly, don’t fall for unsolicited emails, texts, or social media posts – avoid clicking links or downloading attachments. Log into your CRA account only through a trusted link that you navigate to yourself, never one supplied in a message.

5. Don’t access your personal financial information over public Wi-Fi.

The Government of Canada’s Get Cyber Safe program offers an infographic with statistics and additional tips.

U.S. cyber reporting rules one step closer to law

On March 11, the United States Senate passed a provision that would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber attack or if they make a ransomware payment.

The provision is part of the Strengthening American Cybersecurity Act of 2022, which comprises three bills intended to bolster public- and private-sector security. The Act includes direction on the modernization of federal agencies’ cyber postures and guidance on how they can better adopt cloud-based technologies. The legislation would affect companies across 16 federally designated critical infrastructure sectors, including energy and financial services. Companies covered by the legislation will have to report designated breaches to CISA within 72 hours, and report ransomware payments within 24 hours. The legislation would also update current federal cybersecurity laws to enhance coordination between federal agencies.

“Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses. This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Gary Peters (D-MI), who co-authored the provision with Senator Rob Portman (R-OH).

CISA issued a press release commending the decision by the Senate. The Act is expected to be signed into law by American President Joe Biden as early as this week.


Video game house Ubisoft suffers hack

On March 10, video game developer Ubisoft Entertainment confirmed that it had suffered a “cyber security incident” that caused disruption to its games, systems, and services. Ubisoft’s brief statement confirmed that the company had engaged external experts to assist with the investigation, and had initiated a company-wide password reset as a precaution against further attack.

“[W]e can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident,” continued the statement.

The data extortion group Lapsus$ has claimed responsibility for the incident. Lapsus$ is the same hacking group that allegedly breached two other technology firms in recent weeks:

– Graphics card and chip manufacturer NVIDIA on February 23, involving 1TB of source code, credentials for more than 71,000 NVIDIA employees, and two (expired) code-signing certificates that NVIDIA uses to sign drivers and executables

– South Korean tech giant Samsung on March 4, involving hundreds of gigabytes of sensitive operating data and confidential Samsung and Qualcomm source code

Password manager 1Password announces $1M bug bounty

In a March 10 statement, Toronto-based password manager firm 1Password announced it has increased its maximum bug bounty reward to $1 million (all figures USD).

1Password said that since it began the bug bounty program in 2017, it has paid out an average of $900 per reward, for a total of $103,000 to security researchers, but that all detected bugs have been “minor” and posed “no threat to the secrecy of sensitive customer data”.

Jeff Shiner, CEO of 1Password, said: “Increasing our bug bounty to $1 million will attract another layer of outside expertise to make sure our systems are as secure as possible.”

Companies offer bug bounty programs to encourage independent security researchers to identify and report bugs to the organization so they can be remediated before malicious hackers find and exploit those vulnerabilities. The programs give organizations access to a much wider and more diverse pool of testers than they could maintain on their own.

PressReader continues recovery after cyber attack

Vancouver-based PressReader, the world’s largest digital newspaper and magazine distributor, is still recovering after a March 3 cyber attack that left readers unable to access its catalogue of over 7,000 publications. Services around the world were affected, taking PressReader’s local, regional, and international newspapers and magazines offline for days at a time.

In its initial press release, the company confirmed that it had not found any evidence that customer data had been compromised. In its last update on March 6, PressReader advised that internal operations had been restored, but not all subscription titles were yet available: “… we are now able to process and release current newspapers and magazines, however, we continue to scale these systems back to their full capacity,” according to the release.

Of note, the attack came just days after the company removed dozens of Russian titles from its catalogue, and announced that it would offer its publications free of charge to readers in Ukraine in order to help them access news and information following Russia’s invasion. No information has been released on the nature of the cyber attack, so the timing may simply be a coincidence.
