Cyber Blurbs: DHS to Regulate Pipeline Cybersecurity

In this week’s Cyber Blurbs Roundup, we write about the government’s decision to take the reins on pipeline security, Microsoft’s concerning finding, and a promising future for an innovative company.

DHS to Regulate Pipeline Cybersecurity

The federal government has seen enough. Weeks after the United States’ East Coast suffered a fuel shortage due to a ransomware attack leveled against one of the region’s most prominent providers (and some unnecessary panic buying), the Department of Homeland Security is stepping in to ensure this never happens again.

DHS decided earlier this month that it will begin regulating cybersecurity in the pipeline industry, as first reported by The Washington Post. Pipeline companies will now have to report cyber incidents to the Transportation Security Administration (yes, that TSA), an agency under the DHS umbrella, as well as adopt a series of rules to safeguard against cyber attacks. The agency expects to unveil a series of mandatory rules in the coming weeks, a notable shift from the voluntary guidelines of years past.

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement to WaPo. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

Most critical infrastructures are not regulated by the federal government, lacking mandatory cybersecurity rulesets. But as we saw earlier this year with Colonial Pipeline, that can be a potentially catastrophic approach to safeguarding against malicious attacks. Colonial Pipeline was forced to watch its network go dark for 11 days, resulting in gas shortages and panic buying — with far too many people hoarding fuel in unsafe containers. Colonial says it paid $4.4 million to regain access to its compromised system. 

Microsoft: SolarWinds Hackers Are Doing it Again

As the US and greater cyber community develop a better understanding of what occurred during the SolarWinds attack of 2020, Microsoft warns that those same hackers are at it again. In a blog post published on May 27, Microsoft Corporate Vice President of Customer Security & Trust Tom Burt stated the company has observed a wave of cyber attacks targeting approximately 3,000 email accounts across 150 organizations around the globe. 

“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020,” Burt wrote. “These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

Burt writes that Nobelium is attempting to exploit software updates and mass email providers for government agencies, with the hackers sending out authentic-looking phishing emails that could potentially install a backdoor, allowing hackers to do what hackers do.

Microsoft is calling for “clear rules” and “expectations” for cyber attacks carried out by nation states, also stating that consequences should be put in place for violating said rules. Consequences for cyber attacks have largely been absent in the past, mostly because virtually every country in the world is involved in carrying out cyber attacks against one another. 

Good luck with that, Tom. 

End-to-End Encrypted Google Docs Alternative Raises Funding

Google Docs is good at a lot of things. Need a platform to collaboratively develop a document with your colleagues? Boom — Google Docs has your back. Need a free alternative to Microsoft Word that will, at the very least, let you put words onto paper? Bingo — Google Docs is there. 

But Docs isn’t perfect. For starters (and the purposes of this post, really), it’s not as secure as most would want it to be. Sure, Google offers the ability to keep documents private, only allowing access to whatever parties the originator deems necessary. It also encrypts the documents in transit and at rest. But full end-to-end encryption? Nowhere to be found.

Enter Skiff, a collaborative document editor that offers E2EE. No party, not even Skiff, will have the ability to read the document other than the originator and those provided with access to collaborate. 

It’s a fairly simple idea that has drawn attention from some security enthusiasts with deep pockets. Skiff CEO Andrew Milich and CTO Jason Ginsberg announced last week that the company had received $3.7 million in seed money from Sequoia Capital, according to TechCrunch. All this just a little over a year after the company was founded in March 2020.

“We propose a system that ensures that no sensitive information (including documents, document titles, and messages) is ever stored, seen, or processed in plaintext by our servers,” Skiff wrote in a whitepaper. “This is achieved using end-to-end encryption as well as additional safeguards, including robust authentication methods, out-of-band key verification, and two-step verification.”

You can read the full six-page whitepaper here

Skiff currently has an invite-only program, boasting thousands of daily users. The company says it has about 8,000 users on a waitlist. 
