Just over two years after Congress passed a major bill encouraging businesses to share with the government how and when threat actors were trying to get into their systems, only six companies and other non-federal entities have shared that information, according to Nextgov. Those figures compare with the 190 entities and 60 federal departments and agencies that receive threat data from the automated national security indicator exchange program. This low level of private-sector participation is a further blow to a program that has struggled to provide businesses and government agencies with the kind of actionable intelligence promised by the 2015 Cybersecurity Act.
The law promised liability protections to businesses that shared cyber threat indicators with the government and with each other. It did not protect companies from being sued if they were breached, but it barred customers from suing a company simply for sharing their information with the government. The idea was for the government to organize and prioritize all the information on corporate threats, combine it with the government’s own threat data repository, collected by the intelligence and national security services, and share the results with anyone interested, strengthening the nation’s collective defense.
According to experts, the problem boils down to incentives. CISA gave companies legal protection for sharing threat information with the government, but gave them no reason to want to. It is very easy to consume the data that others produce; the hard part is convincing companies that they have a social responsibility to contribute data themselves.
California looks for a new privacy law
California lawmakers unanimously passed a new privacy bill on Thursday that would give residents of the state more control over the information businesses collect on them and impose new penalties on businesses that don’t comply. The legislation gives Californians the right to see what information businesses collect on them, request that it be deleted, learn the types of companies their data has been sold to, and direct businesses to stop selling that information to third parties. On the other hand, it creates a “Spotify exception,” which allows companies to offer different services or rates to consumers based on the information they provide (for instance, a free product supported by advertising). But, the bill states, the difference must be “reasonably related to the value provided to the consumer by the consumer’s data.”
WhatsApp Research Awards for social science and misinformation
WhatsApp is commissioning a competitive set of awards for researchers interested in exploring issues related to misinformation on WhatsApp. The awards will fund independent research proposals whose results are to be shared with WhatsApp, Facebook, the academic community and the wider policy community. WhatsApp will prioritize the following research areas: information processing of problematic content, election-related information, network effects and virality, digital literacy and misinformation, and detection of problematic behavior within encrypted systems. Applications are due by August 12, 2018, 11:59pm PST. Award recipients will be notified of the status of their application by email by September 14, 2018.
News from the rest of the week
Facebook rolls out API restrictions, discloses blocking bug
In addition to implementing stricter standards within its app review process, the social networking giant is requiring advanced developer permissions for some APIs and shutting others down entirely. In a separate blog post, Facebook disclosed a bug in both Messenger and Facebook that cleared out some people’s blocked-users lists. “The bug was active between May 29 and June 5 and, while someone who was unblocked could not see content shared with friends, they could have seen things posted to a wider audience. For example, pictures shared with friends of friends,” wrote Erin Egan, chief privacy officer for Facebook.
Thunderbird receives its patch for EFAIL
Thunderbird has shipped fixes for a dozen security vulnerabilities, including one for the EFAIL vulnerability disclosed last May. The EFAIL-specific fixes address two bugs in Thunderbird’s handling of encrypted messages: CVE-2018-12372, in which an attacker can construct S/MIME and PGP decryption oracles in HTML messages, and CVE-2018-12373, in which S/MIME plaintext can be leaked if a message is forwarded.
New virus decides whether your computer is better suited to mining or ransomware
Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, choosing, based on the system’s configuration, whichever of the two schemes is likely to be more profitable. Researchers at Russian security firm Kaspersky Labs found a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.