Thursday, July 27, 2017

Cyber: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices

If you’d like to test whether your human capacity for shock has been overworked to the point of total ruin by Donald Trump’s presidency, watch his Monday evening address to the Boy Scouts of America’s quadrennial jamboree. Every beat more self-obsessed, petty, and hateful than the last, the speech found Trump cussing and alluding to sexual exploits in front of a crowd of children, congratulating himself and demeaning his ideological opponents at an event that has pretty much steered clear of partisanship for 80 years.

Fake ‘ONI’ Twitter account is fake, PM’s department confirms. Satirical accounts walk a fine line. One purporting to be the Office of National Intelligence was shut down, while another account that uses a version of the Australian coat of arms and has the handle @ASIO is still up and running

FBI Seized Smashed Hard Drives From Debbie Wasserman Schultz IT Aide’s Home

Gov Info Security

A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: lawyers.

The state of Colorado is moving to audit future digital election results, hiring a Portland-based startup to develop software to help ensure that electronic vote tallies are accurate.

A Democratic senator is pressing the Department of Homeland Security (DHS) to mandate the government-wide use of an email authentication tool “to ensure that hackers cannot send emails that impersonate federal agencies.” Sen. Ron Wyden (D-Ore.) made the request in a letter to a top official at the National Protection and Programs Directorate (NPPD), the DHS office in charge of securing cyber and physical infrastructure. “I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” Wyden wrote Tuesday to Jeanette Manfra, the DHS official. “The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.” Rob Joyce, President Trump’s cybersecurity coordinator, was also copied on the letter. Specifically, Wyden asked DHS to require agencies to use a tool called Domain-based Message Authentication, Reporting and Conformance (DMARC), an industry-developed standard that lets a domain owner tell recipients’ email providers to send impersonating emails to a spam folder or reject them outright.

After 2016 Hack, House Democratic Committee Switches To Encrypted Messaging

Hackers who breached a Kansas Department of Commerce data system used by multiple states gained access to more than 5.5 million Social Security Numbers and put the agency on the hook to pay for credit monitoring services for all victims. The number of SSNs exposed across the 10 states whose data was accessed has not been previously reported. The Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio, obtained the information through an open records request. More than half a million of the SSNs were from Kansas, according to the Department of Commerce. The data is from websites that help connect people to jobs, such as, where members of the public seeking employment can post their resumes and search job openings. Kansas was managing data for 16 states at the time of the hack, but not all were affected. In addition to the 5.5 million personal user accounts that included SSNs, about 805,000 more accounts that did not contain SSNs were also exposed. 

Ashley Madison wants to put that sordid data breach affair behind it. On Friday, Ashley Madison parent company Ruby Life, née Avid Dating Life, announced that it's reached an $11.2 million settlement agreement with plaintiffs in a consolidated lawsuit that was filed against the infidelity dating site following its massive July 2015 data breach. The full terms of the settlement agreement have yet to be approved by the court. But the proposal calls for Ruby to contribute "a total of $11.2 million to a settlement fund," designed, in part, to compensate "settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations" tied to Ashley Madison, Ruby says in a statement.

The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk. On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy," a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products. And while Genivia has already released a patch for the problem, it's so widespread—and patching so spotty in the internet of things—that it could persist unfixed in a large swath of devices 

Study shows hacking techniques harder to keep secret than first thought

A new Harvard study shows that multiple researchers independently uncover the same security flaws more often than previously thought, a discovery that could affect the way governments determine whether to keep those flaws secret for use in espionage.

Estonia, the only country in the world where voters elect their leaders through online balloting, is taking steps to fend off potential hacking attacks as cyber-security fears intensify. A software overhaul for the system, introduced in 2005, is ready for testing before local elections in October, according to Tarvi Martens, the National Electoral Committee’s head of e-voting. The upgrade includes anti-tampering features known as end-to-end verifiability that address security concerns raised by groups such as the Organization for Security and Cooperation in Europe, he said. “End-to-end verifiability is the ‘Holy Grail’ for electronic voting,” Martens said this month in a phone interview. “When we talk about international criticism, the new software now addresses it.”

GCHQ Says Hackers Have Likely Compromised UK Energy Sector Targets

Cyberattack on Ukrainian clinics, pharmacies worries experts

A 29-year-old British man has confessed to carrying out a cyber-attack on Deutsche Telekom’s routers last year, claiming he had acted on behalf of a Liberian telecommunications company but that his mission had got out of hand. Speaking via a translator at a court in Cologne, the man, who was arrested under a European arrest warrant at Luton airport in February, described it as the “biggest mistake of my life”. The November attack hijacked about 900,000 routers and briefly stopped their owners getting online, affecting about 1.25 million Deutsche Telekom customers. The Bonn-based company estimated the cost of the attack to have been more than €2m (£1.79m).

Commons committee was hit by cyber attack

US Senator Ron Wyden (D-Ore.) criticized the Federal Communications Commission for failing to turn over its internal analysis of the DDoS attacks that hit the FCC's public comment system. The FCC declined to provide its analysis of the attacks to Gizmodo, which had filed a Freedom of Information Act (FoIA) request for a copy of all records related to the FCC analysis "that concluded a DDoS attack had taken place." The FCC declined the request, saying that its initial analysis on the day of the attack "did not result in written documentation." “If the FCC did suffer a DDoS attack and yet created no written materials about it, that would be deeply irresponsible and cast doubt on how the FCC could possibly prevent future attacks," Wyden told Gizmodo in a story today. "On the other hand, if FCC is playing word games to avoid responding to FoIA requests, it would clearly violate Chairman Ajit Pai’s pledge to increase transparency at the FCC.” Wyden also said that the FCC's response to the FoIA request raised "legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.”