Canadian online harms legislation to be revealed today, and more.
Welcome to Cyber Security Today. It’s Monday, February 26th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The Canadian government will release its long-promised online harms legislation today in Parliament. According to a story published last week by the Toronto Star, it will focus on protecting children: That includes preventing sexual content that exploits minors, content that induces a child to harm themselves like committing suicide and bullying messages aimed at children. The purpose of the bill is to compel social media providers to discover and deal with harmful content, according to The Star. But the proposed law will also cover the sharing of intimate content online of people of any age without consent. I’ll have a story with details later today on ITWorldCanada.com.
The U.K. Online Safety Act, which became law last October, may be a model. Segments will take effect over three years. Search engines, social media services, video-sharing services, online marketplaces, discussion forums, and gaming services will have obligations to get rid of illigal content. Exactly what and how will be set by the country’s telecommunications regulator, Ofcom by the end of this year.
Briefly, larger services will have more obligations. The largest social media (or user-to-user services) will be classed as “Category 1” services. Other large U2U services will have obligations as “Category 2B” services, while the largest search or combined services will face obligations as “Category 2A” services.
A new open-source tool for mapping networks is being used by threat actors to find login credentials. Researchers at Sysdig say SSH-Snake is supposed to help IT teams by hunting for SSH keys and then creating a network map. However, threat actors have discovered the six-week-old tool is also a handy utility for them. Essentially, the tool is a worm — one that is benign in the hands of approved IT staff, bad in the hands of a threat actor. This is like threat actors copying and using the legitimate Cobalt Strike tool for attacks. The Hacker News asked the developer about the abuse of his tool. He replied that IT leaders should make their systems resistant to an outsider running unapproved tools.
Microsoft has released a tool defenders can use to find risks in their generative AI systems. Called PyRIT (rhymes with PIRATE) it can be used by red teams or knowledgeable IT members. Among other things, its scoring system can help find ungrounded or inaccurate content created by a generative AI systems. Microsoft says the tool is not a replacement for manual red teaming of generative AI systems, but can be used to automate tasks. For those who don’t know, red teams are hackers authorized by an organization to use real attackers’ tactics.
Unite Here, a union that represents hospitality workers in the U.S., says hackers captured the personal information of almost 80,000 people last October. Data stolen included names, Social Security numbers, financial account information, driver’s licences and state identification numbers.
Washington County Hospital and Nursing Home in Chatom, Alabama is notifying just over 31,000 people personal data it held was stolen in a data breach just before Christmas Day last year.
medQ, a cloud-based service that helps doctors and nurses track patient progress, is notifying just over 54,000 people their personal information was stolen in a data breach discovered just after Christmas Day. In the data breach notification letter sent to victims the company doesn’t say the attack was ransomware. But it does say the attacker encrypted as well as stole company data. Information stolen included names, Social Security numbers, medical diagnoses, medication and lab results.
Australian carrier Tangerine Telecom says data of 232,000 customers has been stolen. The company realized there had been a data breach when the stolen data was disclosed on February 18th. Those impacted were customers between 2019 and 2023 on what the company says was a legacy customer database. How were they stolen? By exploiting the login credentials of a temporary employee. No credit or debit card info was taken, but the crooks got names, dates of birth, mobile numbers and Tangerine account numbers.
Finally, Apple’s iMessage text service now has protection against attacks in the future by quantum computers. The company said last week the service has added the new PQ3 cryptographic protocol. Texts are now encrypted with this protocol, which resists being cracked by sophisticated quantum attacks.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.