
May 2, 2024 4 mins

Lawmakers Press DHS for Answers on Water System Hacks Amid Drought Concerns

A bipartisan pair of House lawmakers, Reps. Pat Fallon (R-TX) and Ruben Gallego (D-AZ), are seeking a briefing from Homeland Security Secretary Alejandro Mayorkas on the recent hack of a water facility in Texas, which was attributed to a group with suspected ties to the Russian government. The lawmakers expressed concerns about the potential "devastating" impact of such hacks on rural water systems, particularly in states experiencing historic droughts like Arizona. They asked Mayorkas to provide information on DHS's response to the incident, its coordination with international and local partners, and whether additional authorities are needed to protect the nation's water supply. This follows a similar letter sent by Gallego and Rep. Jim Banks (R-IN) last year after a water authority in Pennsylvania was hacked by an Iran-linked group.

 

Microsoft CEO Says Security Is Our Top Priority

Microsoft CEO Satya Nadella has announced that security is the company's number one priority, following recent scrutiny from the federal government and private sector over product security and customer trust. Nadella made the statement during the company's fiscal third quarter earnings call, highlighting the launch of the Secure Future Initiative, which aims to advance cybersecurity protection across all aspects of the company. The initiative focuses on six key areas, including protecting tenants and production systems, identities and secrets, networks, engineering systems, monitoring and detecting threats, and accelerating response and remediation. This commitment comes after a critical report from the Cyber Safety Review Board, which found that Microsoft's prioritization of speed to market over security led to the preventable 2023 Microsoft Exchange compromise.

 

Millions of Malicious Containers Found on Docker Hub

Docker Hub, a popular open-source registry, has been targeted by cybercriminals who planted millions of malicious "imageless" containers over the past five years. Researchers discovered 4.6 million repositories with no content except for documentation that lures users to phishing or malware-hosting websites. Three campaigns, dubbed Downloader, E-book phishing, and Website, were identified, with 2.81 million repositories used as landing pages to redirect users to fraudulent sites. The threat actors created 208,739 fake accounts to spread the malware, all of which have been deactivated by Docker following the disclosure. This incident highlights the risk of supply chain attacks through open-source ecosystems and the need for developers to exercise caution when downloading packages.

 

New Law in the UK Bans Default Passwords on Smart Devices

As of April 29, 2024, the UK has enforced a new law, the Product Security and Telecommunications Infrastructure (PSTI) Act, which prohibits manufacturers from using default passwords on smart devices. This law aims to protect consumers from cyber attacks by requiring manufacturers to provide secure devices with unique passwords, a point of contact for security issues, and a clear duration for security updates. Non-compliance can result in fines of up to £10 million or 4% of global annual revenues. This law applies to various internet-connected products, including smart speakers, TVs, and domestic appliances. The UK is the first country to outlaw default usernames and passwords for IoT devices, setting a precedent for cybersecurity standards worldwide.

 


© 2025 iHeartMedia, Inc.