Tag Archive for: commission

EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission proposed a middle ground that would double the receivers.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

If a vulnerability is being actively exploited, it means there is an entry point for hackers that has not been patched yet. As a result, this type of information is highly dangerous if it falls into the wrong hands, and who should handle this task is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone could be envisaged: accepting the role of the CSIRTs but with a stronger involvement of ENISA, and the EU executive proposed that both bodies could receive the reporting simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would, therefore, be in the driving seat of the reporting process, for instance to request that the manufacturer provide an intermediate report. The notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall…


New York State Gaming Commission Is Latest Casino Hacking Target


First casinos, and now the regulators. It’s been a tough couple of months for cyber security teams in the casino industry. That continued over the weekend at the New York State Gaming Commission.

The state’s casino regulator was hacked, bringing some grief not just to the gaming commission but also to some New York slot venues. The commission’s slot management system was left inoperable for a time on Oct. 17, affecting some operators.

“Everi, the licensed operator of New York’s video lottery gaming central system, experienced a cybersecurity event that remains under investigation,” commission representative Brad Maione told the New York Post. “The commission has no indication that personal identifiable information was compromised. The Commission continues to monitor the situation.”

Latest Casino Industry Entity Victimized by Cyber Attack

MGM Resorts was recently victimized in a cyber attack that crippled many of the company’s operations around the country, including slot machines. In Canada, Gateway Casinos experienced a similar issue in April, leading to the closure of several casinos north of the border.

Caesars Entertainment also suffered a similar ransomware attack. That company chose instead to pay a $30 million ransom to regain access to its computer systems, according to the Wall Street Journal. That may have been the best financial decision, given MGM’s recent disclosure that the hack will cost the company upwards of $100 million before insurance payouts.

New York State Gaming Commission representatives don’t believe any personal data was retrieved by hackers during the Empire State attack. The commission continues to investigate, but the attack has been another wake-up call for some in the industry.

“We shut down for a brief period,” James Featherstonhaugh, a part owner of Saratoga Casino, told the Post. “It got cleared up fairly quickly. It was all the same issue. It got everyone’s attention.”

Prevention Steps

Cyber crimes have cost MGM, Caesars, and Gateway millions of dollars in lost revenue and additional IT work. As the industry faces a growing number of cyber security issues, some experts say additional planning and training could…


US Securities and Exchange Commission Probes MOVEit Hack



Progress Software Says Investigation Is Fact-Finding Inquiry


The zero-day campaign underpinning the May mass attack on Progress Software’s MOVEit file transfer software is now the vulnerability fueling a flotilla of attorneys, the software vendor disclosed in a regulatory filing listing pending litigation and governmental investigations.



Among the organizations investigating the May incident is the U.S. Securities and Exchange Commission, the company said.


An independent count of those directly or indirectly affected by the attack, executed by the Clop ransomware group, now tallies more than 2,500 organizations and over 64 million individuals. Among the organizations that recently acknowledged they were caught up in the breach is Sony, which alerted around 6,800 individuals earlier this month (see: Breach Roundup: Still Too Much ICS Exposed on the Internet).


Progress Software says in the regulatory filing that it received on Oct. 2 a subpoena seeking documents related to the incident. “The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws,” the company says. “Progress intends to cooperate fully with the SEC in its investigation.”


Russian-speaking Clop appears to have unleashed a highly automated mass attack on MOVEit instances around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a MOVEit zero-day vulnerability, a SQL injection flaw tracked as CVE-2023-34362, possibly as long…


Sen. Michael Bennet Proposes Commission To Oversee Digital Platforms Including Social Media – CBS Denver


DENVER (CBS4) – In hopes of furthering the trust and security of the general public on the internet, Senator Michael Bennet has proposed legislation that would create a commission to oversee businesses operating on the internet. Bennet, the senior senator from Colorado, said the proposal is a way to ensure that some of the most powerful companies in the world are operating in the best interest of the American people.


As of now, Bennet is the sole sponsor of the bill. He proposed creating a “Digital Platform Commission” which would oversee companies operating on the internet, much like the Food and Drug Administration oversees the country’s guidelines for pharmaceuticals.

Bennet told CBS4’s Dillon Thomas the commission would help prioritize and balance free speech, national security and mental health.

“Our adversaries are infiltrating social media platforms in the country,” Bennet, a member of the Senate Intelligence Committee, said.


In an interview with CBS4, the senator said the commission would oversee regulations and guardrails for big tech companies, including but not limited to platforms like Facebook, YouTube, Google, Amazon, Twitter and TikTok. While social media companies are behind many of the concerns some Americans have, Bennet said the commission would have oversight of American internet regulations.

Section 230, a law that was created in the 1990s, is one of the most debated federal laws when it comes to the powers given to major websites. The law largely gives immunity to companies for content uploaded by third parties. While Bennet said he believes Section 230 should potentially be revised, he felt the commission was a separate step that could be taken to further protect American interests.

“We have had basically completely unregulated social media platforms. These companies aren’t startups anymore. They are some of the most important and dominant companies in America,” Bennet said.

Bennet hoped the development of a five-person commission, made up of technology experts from differing parties and backgrounds, would help the country take action toward regulating big tech instead of allowing other…
