Security Researchers Are Crucial to FTC Cyber Actions

UK proposes ban on ransom payments across all public sector orgs, NHS cyberattack harmed dozens of patients, Huione Guarantee is a growing gray market menace, Cybercrims are encrypting S3 buckets, TikTok users fleeing to other Chinese-owned apps, TX sues Allstate for illegal tracking, much more


As a reminder, on Tuesdays and Thursdays, our premium subscribers have full access to our original content, expansive summaries, intelligently clustered related articles, our best and worst things of the day, and our customary closing thoughts.

So, please consider upgrading your subscription today to access this content along with Metacurity's complete archives.


Summary of the most critical infosec developments you should know today (complete postings available below to premium subscribers)

  • The UK Home Office proposes a “targeted” ban that will bar all public sector bodies from making ransomware payments, including schools, the NHS, and local councils.
  • According to NHS data, a cyberattack that paralyzed hospitals and clinics in London last year resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases.
  • New findings from the crypto-tracing firm Elliptic show that one of the biggest players in that sphere, Huione Guarantee, has likely enabled $24 billion in gray market transactions. The volume of activity on the platform has rocketed up 51 percent since initial investigations last summer.
  • Researchers at Halcyon report that cybercriminals have begun to encrypt data held in Amazon storage tools used by thousands of organizations around the globe, documenting a recent trend of hackers going after S3 buckets and using the company’s encryption tools to lock customers out of their data.
  • As TikTok anxiously awaits a Supreme Court decision that could determine whether it will be banned in the United States, users are preemptively fleeing the app and migrating to another Chinese social media platform called Xiaohongshu, which means “little red book” in Mandarin.
  • Sources say Chinese officials are evaluating a potential option involving Elon Musk acquiring TikTok's US operations if the company fails to fend off a controversial ban on the short-video app.
  • CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks.
  • The State of Texas sued Allstate, accusing the insurer of illegally tracking drivers using their phones through a subsidiary called Arity, which claimed to have the “world’s largest driving behavior database.”
  • Security researcher Thomas Roth has been able to hack Apple’s USB-C controllers used in current iPhones, which would usually raise concerns about security and the ability to jailbreak the iPhone.
  • A “furry” hacker breached the education and publishing company Scholastic this month and stole data on 8 million people.
  • According to comments from developer Grinding Gear Games (GGG) made during a podcast, a hacker compromised an administrative account on the website for the popular game Path of Exile 2, which allowed them to reset the passwords on dozens of players’ accounts.
  • Blockchain analytics firm Chainalysis has made its first foray into artificial intelligence by acquiring fraud detection startup Alterya for a reported $150 million.

Security researchers are crucial to FTC cyber enforcement actions

At this year's final Shmoocon, two cybersecurity specialists, Andy Sellars, partner at public interest law firm Albert Sellars LLP, and Michael A. Specter, Assistant Professor in Computer Science at Georgia Tech, presented their research on US Federal Trade Commission (FTC) enforcement actions during a talk entitled "Software Screws Around, Reverse Engineering Finds Out: How Independent, Adversarial Research Informs Government Regulation."

The pair developed a dataset measuring how often the Federal Trade Commission relies on the work of independent researchers to regulate consumer privacy and security. They manually analyzed all public FTC consumer privacy and security actions between Jan. 1, 2017, and July 15, 2024, with 102 FTC cases and 332 individual counts.

They discovered that a substantial portion of FTC actions related to cybersecurity can be attributed to the hard work of security researchers. "We're making a bunch of macroscopic observations about the greater relationship between hackers and lawyers and, in particular, lawyers that work for the government," Sellars said during the talk. "We wanted to better understand the relationship between independent research and how the government is able to hold software accountable."
