Cybersecurity Roundup: Facebook v Malware; CISPA Progress; Cloud Risks; and More
This week's cybersecurity roundup includes stories on a U.S. court ruling that found a recent corporate data theft does not violate a fraud act; Facebook's bolstered efforts to combat the sharing of malicious URLs on its site; CISPA developments; and more.
By Constantine von Hoffman, CIO
U.S. Court: Stealing Corporate Data Doesn’t Violate Fraud Law: The Ninth Circuit Court in California ruled that a man did not violate the Computer Fraud and Abuse Act (CFAA) when he received contacts from his former employer’s client databases via friends still working at the company. The man then reportedly used the client information in a competing business venture. In David Nosal vs. USA, the court ruled the CFAA’s prohibition on “exceeding authorized access” to a computer is limited to violations of restrictions on access to information and not restrictions on the use of such information, as long as it is fairly obtained. Because Nosal did not hack into the former employer’s system himself, he cannot be prosecuted under the statute.
Facebook, Security Firms Go After Malware: Facebook has teamed up with five top security software vendors in an attempt to stop Facebook users from sharing URLs that lead to phishing and virus-laden websites. Microsoft, McAfee, TrendMicro, Sophos and Symantec plan to give Facebook access to their databases of malicious URLs. The partnership will augment Facebook’s current system for preventing users from sharing links to sites that could install malware. Facebook users will also have access to free six-month trials of the companies’ anti-virus software.
White House Threatens Veto as House Passes CISPA: With support from Democrats, the Republican-controlled House passed the Cyber Intelligence Sharing and Protection Act (CISPA) on a vote of 248-168. The White House and various civil rights advocates oppose the bill because of the broad powers it would give the government. The controversial bill encourages companies and the federal government to share information they collected on the Internet to help prevent electronic attacks from cybercriminals, foreign governments and terrorists.
Cloud Providers Not Cleaning Users’ Data from Disks: Some U.K. multi-tenant public-cloud providers are not wiping disks clean after customers use them, potentially exposing those customers’ sensitive data to other users. Context Information Security conducted a study to determine if they could access past customers’ data within the public-cloud environments of four providers. Context researchers prompted virtual machines to read raw data on cloud-based disks, and they successfully identified data from previous customers.
U.S. Loses Out as India Becomes #1 Producer of Spam: Despite American desire to be the best at everything, no one in the United States is complaining about India taking the title of top junk email source. India was responsible for 9.3 percent of global email spam during the first quarter of the year, according to Sophos’ latest Dirty Dozen report, which lists the top 12 countries that produce the most spam. The U.S. came in second with 8.3 percent, and South Korea took the bronze with 5.7 percent.
Iran Cuts Off Internet Access to Oil Refineries After Malware Attack: Iran shut down its oil-export terminal on Khark Island and other oil facilities after they became the targets of malware and hackers. The oil ministry and other related agencies were also reportedly disconnected from the Internet. The Iranian government has formed a crisis team to deal with the issue, according to The BBC. About 80 percent of Iran’s daily 2.2 million barrels of crude export is transferred through Khark Island.