Ransomware was on everyone's mind again this week as the world's largest meat processing company, JBS SA, faced an attack that crippled its operations in Australia and North America. The company was able to restore operations in just a few days, but the situation underscored once again ransomware's dire threat to supply chains and critical infrastructure worldwide.
Researchers are going deeper on investigations of Apple's recently released custom processor, M1, and they're finding all sorts of fascinating behavior and dynamics. And in the world of election security, Microsoft took a big step this week with the announcement that major voting machine vendor Hart InterCivic is incorporating the tech company's open source ElectionGuard software into its existing devices. Hart's first goal is to conduct a real-world pilot of ElectionGuard's “end-to-end verifiable” voting.
Ransomware is certainly the digital attack of the moment, but take a few minutes this weekend to brush up on supply chain attacks. It's another notorious (and more ingenious) type of hack that's had plenty of moments in the sun, from NotPetya to SolarWinds, and will inevitably resurface again.
But wait, there's more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
After Attacks on Critical Infrastructure, DOJ and FBI Elevate Ransomware to Urgency of Terrorism
After a series of high-profile ransomware attacks that disrupted critical services in the US, the Department of Justice said this week that it is prioritizing ransomware investigations at a level similar to terrorism inquiries. The news was first reported by Reuters. “It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said John Carlin, principle associate deputy attorney general.
Meanwhile, FBI director Christopher Wray told The Wall Street Journal that the agency is currently tracking roughly 100 different types of ransomware. Many of the strains have ties to criminal hackers in Russia. Wray said the threat and challenge currently posed by ransomware is similar in scale to that of the terrorist attacks of September 11, 2001. "There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Wray said. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”
The White House also issued an alert to businesses this week from Anne Neuberger, deputy assistant to the president and deputy national security adviser for cyber and emerging technologies. The unusual letter outlined information, best practices, and resources for defending against ransomware attacks and responding to them if they occur.
Last week, however, WhatsApp quietly changed that plan. Now, if you don't accept the policy you can continue using WhatsApp like normal and will just periodically receive nudges to accept the policy. These reminders will come up especially frequently when you interact with features impacted by the new policy, like if you chat with a business account. “Given recent discussions with authorities and privacy experts, we want to make clear that we currently have no plans to limit the functionality of how WhatsApp works for those who have not yet accepted the update," WhatsApp said in a statement to Forbes.
US Supreme Court Moves to Limit Scope of Controversial Anti-Hacking Law
A Supreme Court decision on Thursday limits what kind of activity can be prosecuted under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorized access to computers and networks, and whose enforcement security researchers have long criticized as overly broad. The case, Van Buren v. the United States, concerned a police officer who was convicted under the act after using his credentials to search a license plate database in exchange for money. The government argued that by doing so, the officer “exceeded authorized access,” in violation of the law. The Supreme Court disagreed and reversed the conviction in a 6-3 decision. The majority opinion, written by Justice Amy Coney Barrett, holds that the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” So if you use hacking techniques to get access to data, CFAA applies. If you use legitimate system access, the CFAA doesn't apply, but other laws may.
Laws That Undermine Encryption Protections Take an Economic Toll
A new study from the Internet Society found that Australia's 2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act comes with “potential for significant harm to the economy,” a warning to other governments seeking similar powers. TOLA expands the Australian government's ability to mandate that tech companies build mechanisms to bypass the data protections they've built into their software. In addition to potential security risks from these so-called backdoors, the Internet Society also found that such laws undermine trust and confidence in tech companies and their products. In a survey of 79 companies, including 54 based in Australia, 36 percent of those who were impacted by TOLA said their risk environment had been negatively impacted and about 20 percent said the law had “a negative impact on their business.”