Maryland's Bug Bounty Program; UN Cybercrime Convention; Microsoft Patch Tuesday

"There's no other state that's done a bug bounty with a scope this large," says Lance Cleghorn, Senior Director of State Cybersecurity for the state of Maryland. In an interview with StateScoop's Keely Quinlan, Cleghorn posits that the capability of bug bounty programs is unique, allowing them to find vulnerabilities that otherwise might go unnoticed. Tracing the development of Maryland's program out of his experiences with the Defense Digital Service and "Hack the Pentagon" program, he emphasizes "diversity of thought" and the human element in the program's success. He and Katie Savage, Maryland's chief information officer, look forward to applying lessons learned in the process, and may look into fostering a state vulnerability disclosure program.

In December, 2019, the United Nations resolved "to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes." The draft of the UN Convention Against Cybercrime was approved on Monday, Nov 11, and will be up for a general assembly vote in December. Eleven articles enumerate actions that would be criminalized when taken "without right," including: access to computer systems or parts of systems; interception of "non-public" electronic data transmission; interference with data, such as deletion, damage, or alteration; and interference with a computer system's function. Because these actions also represent elements of good-faith cybersecurity work, the treaty may criminalize legitimate research, ethical hacking, protective interception of signals, penetration testing, and red-team activities, and may discourage vulnerability disclosure programs. Acknowledgement of these cases is not explicit in the treaty, and any protection for researchers would therefore rely on national laws. The Cybersecurity Tech Accord, comprising over 100 major tech companies "including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more" has voiced objection to the treaty, citing potential threats to cybersecurity research, specifically AI system safety research. Ilona Cohen with CyberScoop argues for proactive steps from US agencies to "develop and disseminate best practices for implementing the treaty," laying a cooperative and globally visible foundation for the protection of good-faith researchers. Human rights groups and the Electronic Frontier Foundation have also expressed alarm over potential abuses of the treaty as a "tool of repression." Six US Senators have formally submitted their disapproval of the treaty over its possible risks to "privacy rights, freedom of expression, [and] cybersecurity and artificial intelligence safety." The Tech Accord's representative noted that a feature of the treaty codifying inter-governmental transfer of personal information "virtually guarantees the Convention's provisions will be used abusively."

On Tuesday, November 12, Microsoft released updates to address more than 80 security issues in their products. Of those, three are rated critical, two have been actively exploited in the wild, and two were disclosed previously disclosed. The actively exploited vulnerabilities are a hash disclosure spoofing issue in Windows NT LAN Manager (CVE-2024-43451) and a privilege elevation vulnerability in Windows Task Scheduler (CVE-2024-49039).

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued a joint statement on November 13, 2024, reporting breaches and compromised data in the networks of US telecommunications companies by threat actors associated with the People's Republic of China (PRC). The unauthorized access, which was first disclosed in another joint statement in October 2024, is now confirmed to involve "theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders." The agencies state they are working on defense and support of those affected, and they ask any potential victims to contact their local FBI field office or CISA.

Since early 2024, the National Institute for Standards and Technology (NIST) has communicated delays in their analysis and metadata enrichment of vulnerability catalog entries due to a critical lack of resources. As of November 13, 2024, NIST has processed their full backlog of Known Exploited Vulnerabilities (KEVs), though their previous estimate for completing work on outstanding Common Vulnerabilities and Exposures (CVEs) by the end of the year was "optimistic" and will not be met, they stated in a news update. NIST stated "This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance." The agency is working on new systems for processing these data, and has "a full team of analysts on board."

Switzerland's National Cyber Security Centre, Federal Office of Meteorology and Climatology MeteoSwiss, and Federal Office for Civil Protection (FOCP) have been receiving reports of people receiving letters containing malicious QR codes. The letters claim the code leads to a Severe Weather Warning app. In fact, when people scan the code, it downloads infostealing malware to their phones.

Canada has passed a pair of right to repair bills that amend the country's Copyright Act to allow circumvention of technological protection measures (TPMs) in the service of 'maintaining or repairing a product, including any related diagnosing,' and 'mak[ing] the program or a device in which it is embedded interoperable with any other computer program, device or component.' While the amendments allow the circumvention of TPMs in these cases, they do not provide access to the tools needed for the circumvention.

A federal judge in Massachusetts has sentenced former National Guardsman Jack Teixeira to 15 years in prison for leaking 'hundreds of pages of classified National Defense Information (NDI), including many documents designated top secret.' Earlier this year, Teixeira pleaded guilty to multiple counts of 'willful retention and transmission of classified information relating to the national defense.' Teixeira served as a cyber defense operations journeyman in the National Guard from 2019 until he was arrested last year.

A judge in the US state of Georgia has sentenced Robert Purbeck to 10 years in prison for gaining unlawful access to computers and stealing personal data. Purbeck's targets included a medical clinic and a Georgia municipality; he purchased access to these organizations on a darkweb marketplace. He also tried to extort bitcoin from a dentist in exchange for not leaking patient records. Purbeck was convicted of computer fraud and abuse earlier this year and has been ordered to pay more than $1 million in restitution.

A California teenager has pleaded guilty to multiple charges of 'making interstate threats to injure the person of another.' Eighteen-year-old Alan W. Filion targeted schools, religious institutions, government officials, and others; he also offered swatting-as-a-service. According to the plea agreement, Filion made approximately 375 swatting/threatening calls between August 2022 and January 2024, when he was arrested.