Trump and Kim's 13-second handshake was a scene as complex as their rivalry
The world stood in amazement as 'Little Rocket Man' and 'the Dotard' smiled in front of each other's flags.
Latitude and N Korean propaganda? It came from the White House
Soaring music boomed over the speakers, and a montage began portraying North Korea as some sort of paradise.
Australia 'flirting with danger' in debate over China, race
Facebook delivers 500 pages of answers to Congress about Cambridge Analytica Washington Post: “…Facebook pledged to continue refining its privacy practices and investigating its entanglement with Cambridge Analytica in nearly 500 pages of new information supplied to Congress and published Monday (See also TechCrunch as a non pay-walled source) – though the social giant sidestepped some of lawmakers’ most critical queries. Much as it did during the hearing, Facebook told lawmakers on the Senate Judiciary Committee and the Senate Commerce Committee that it is reviewing all apps available on its platform that had access to large queries of data, a process that already has resulted in 200 suspensions…
But Facebook did say that its consultants embedded in 2016 presidential campaigns, including President Trump’s team, “did not identify any issues involving the improper use of Facebook data in the course of their interactions with Cambridge Analytica.” In another exchange, Facebook said it had provided “technical support and best practices guidance to advertisers, including Cambridge Analytica, on using Facebook’s advertising tools.”BuzzFeed - Here Are 18 Things You Might Not Have Realized Facebook Tracks About You: “When Facebook CEO Mark Zuckerberg testified before Congress in April in the aftermath of the Cambridge Analytica scandal, he said he’d have his team follow up on questions he couldn’t answer in full during the hearing. On Monday, Congress released a massive document with written answers to those questions. These responses were a good reminder that Facebook records a ton of information about you, including:
- Information from “computers, phones, connected TVs, and other web-connected devices”
- mouse movements” on your computer
- “app and file names” (and the types of files) on your devices etc...
The Hill
June 8,
2018
Senators
are trying to pass legislation aimed at securing U.S. election systems from
cyberattacks by inserting the measure into annual defense policy legislation.
Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) have introduced a
new version of the Secure Elections Act as an amendment to the National Defense
Authorization Act (NDAA), which the upper chamber is poised to take up next
week. The lawmakers, backed by a bipartisan group of co-sponsors, originally
introduced the legislation last December amid rising fears over threats to
voter registration databases and other digital systems as a result of Russian
interference in the 2016 presidential election. According to U.S. officials,
Russian hackers targeted election-related systems in 21 states as part of its
plot to meddle in the 2016 vote. Since, Lankford and Klobuchar have been
working with state election officials to revise the legislation. Some state
officials have been wary of federal efforts to address election security,
fearing a federal takeover of elections, which have historically been
administered by states.
Nextgov
June 7,
2018
State and
local governments would be barred from passing and implementing laws that
undermine encryption under a federal bill introduced by a bipartisan quartet of
House lawmakers Thursday. The bill, sponsored by Rep. Ted Lieu, D-Calif., among
others, would effectively supersede any state or local law that required
manufacturers to build surveillance tools into their products or to ensure
customer communications or other activities could be decrypted. The Ensuring
National Constitutional Rights for Your Private Telecommunications, or ENCRYPT,
Act was also sponsored by Reps. Mike Bishop, R-Mich., Suzan DelBene, D-Wash.,
and Jim Jordan, R-Ohio. Lieu introduced an earlier version of the bill in 2016,
which never reached a committee vote. That bill came soon after the FBI tried
to compel Apple to help it crack into an encrypted iPhone used by San
Bernardino shooter Syed Farook.
Axios
June 7,
2018
Two Senate
Democrats have introduced a bill that would provide $50 million to stand up
National Guard cyber units in every state to prevent and respond to election
security issues. But there's a glitch: the Defense Department is somewhat
resistant to shifting its authority to states. The bill's authors, Sen. Maria
Cantwell and Sen. Joe Manchin, and other advocates point out that the National
Guard is already working on other critical infrastructure issues — including
election security — in the states. As a result, the National Guard is uniquely
familiar with the technological landscape that it would need to protect when it
comes to election security, said Kilmer. Standing up state-backed cyber units
would naturally pull some resources away from the DOD. “If there’s the Army and
the Air Force paying for their training and equipment they’d like to have these
people at their disposal when they need them,” the spokesman for the National
Guard Association of the U.S. tells Axios. And yet the state perspective is,
“this infrastructure is just as important."
CyberScoop
June 7,
2018
By the
Senate Armed Services Committee’s estimation, the United States has held back
in cyberspace. The committee is angling to change that with the latest National
Defense Authorization Act, proposing to free up the military on the front lines
of cyber conflict, create a new strategic cyber entity and respond to Russian
aggressions in-kind. The bill’s authors wrote that lawmakers have long-standing
concerns about the lack of an effective U.S. strategy to deter and counter
cyber threats. To counter foreign state actors bent on stealing, striking,
spying or disrupting in cyberspace, the bill suggests boosting resilience,
increasing attribution capabilities, emphasizing defense and enhancing the
country’s ability to respond to attacks. “We’re letting episodes define
strategy. It should be the other way around, where we clearly articulate our
cyber deterrence strategy and rules of engagement,” said Frank Cilluffo,
director of George Washington University’s Center for Cyber and Homeland
Security.
Nextgov
June 7,
2018
The Defense
Department will, as a general rule, have to comply with new Homeland Security
Department rules aimed at improving civilian government cybersecurity under the
Senate’s version of a must-pass defense policy bill. Homeland Security has
issued a slew of the rules, known as binding operational directives, since the
Trump administration took office, including banning the Moscow-based Kaspersky
anti-virus from government systems and mandating anti-spoofing email security
tools. Right now, though, the binding operational directives are only binding
on civilian agencies. The Senate’s version of the National Defense
Authorization Act specifically directs the Defense Department to implement the
anti-spoofing email security directive. If the provision makes it into law, the
department will follow the same three-month schedule to implement the tool,
known as DMARC, that civilian government did. For future Homeland Security
directives, the Defense Department chief information officer must “notify the
congressional defense committees within 180 days…whether the Department of
Defense will comply with the directive or how the Department of Defense plans
to meet or exceed the security objectives of the directive,” according to the
text of the bill.
Gov Info
Security
June 6,
2018
As part of
efforts to bolster the nation's readiness to deal with health disasters and
emergencies - natural and man-made - Congress is considering beefing up the
focus on healthcare sector cybersecurity issues in legislation to reauthorize
the Pandemic and All-Hazards Preparedness Act, which was enacted in 2006. A
Wednesday hearing of the House Energy and Commerce Committee's Subcommittee on
Health focused on bipartisan draft legislation, the Pandemic and All-Hazards
Preparedness Reauthorization Act of 2018 introduced by Rep. Susan Brooks
R-Ind., and Rep. Anna Eshoo, D-Calif. The legislation seeks to beef up the
nation's ability to prepare for and respond to health threats from infectious
diseases, bioterrorism, chemical attacks, radiological emergencies and
cybersecurity incidents. But the effort to bolster healthcare sector
cybersecurity requires addressing confusion about who's ultimately responsible
for cybersecurity within the Department of Health and Human Services.
The Hill
June 6,
2018
The House
Homeland Security Committee has advanced legislation designed to boost security
around systems used to power the electric grid and other critical services in the
United States. The measure, approved by the committee on Wednesday, would
codify and expand the Department of Homeland Security’s current efforts to
identify and mitigate cyber threats to industrial control systems — technology
used in a wide swath of critical sectors, including power and water systems,
manufacturing and transportation. Security researchers have observed hackers
growing more interested in targeting systems used to power critical
infrastructure in recent years. Last month, cybersecurity firm Dragos released
research showing that a hacking group that deployed sophisticated destructive
malware to an industrial plant in the Middle East last year had expanded its
operations to other targets and developed new capabilities. “The next Dec. 7 won’t
be a strictly kinetic attack with missiles and torpedoes, but will be paired
with cyberattacks to our private sector functions,” Rep. Don Bacon (R-Neb.),
who is sponsoring the legislation, said Wednesday, referring to the attack on
Pearl Harbor.
Reuters
June 4,
2018
The head of
the U.S. Securities and Exchange Commission (SEC) will warn of the need to
boost its defenses against "advanced" and "persistent"
cyber threats when he asks Congress on Tuesday for more funding, according to
prepared remarks seen by Reuters on Monday. SEC chairman Jay Clayton will
testify on Tuesday before the Financial Services and General Government
Subcommittee of the Senate Committee on Appropriations to make the case to
increase the agency's budget. In prepared remarks, he will tell lawmakers that
the agency has taken various steps to reinforce the security of its electronic
database, EDGAR, after a 2016 cyber intrusion. Clayton, appointed by President
Donald Trump a year ago, will also highlight the agency's effort to strengthen
the system through penetration testing and a review of the database's security
code to help identify and fix system vulnerabilities. The SEC disclosed last
September that the database, which houses millions of filings on corporate
disclosures, had been hacked and the information potentially used for insider
trading.
Inside
Cybersecurity
June 4,
2018
A key House
member is continuing the push for action on data-security and breach
notification legislation, but as the congressional calendar slips away, some
sources say this year's work can be viewed positively -- but more realistically
-- as an incremental step in the long-running campaign to craft a uniform
federal standard. “The Financial Services Committee is primed to act,” a source
close to financial institutions and consumer credit subcommittee Chairman
Blaine Luetkemeyer (R-MO) said last week, while cautioning that there is no
timing yet for moving the lawmaker's draft bill on the topic as Congress
returns from recess this week. At the same time, House Energy and Commerce
digital commerce and consumer protection subcommittee Chairman Bob Latta (R-OH)
has led a series of deep-dive “listening sessions” with business, state and
consumer groups. Latta held a session with representatives from 30-plus groups
just prior to the Memorial Day recess. “It's fair to say there were differences
of opinion,” said one industry source. For instance, the source said, a
representative of Realtors argued that whatever party suffers the breach should
do the public notification, while tech and telecom representatives countered
that the “consumer-facing business” should do so.
ADMINISTRATION
Fifth
Domain
June 8,
2018
The Air
Force is shifting its cyber operations to Air Combat Command, the service
announced on June 7, a decision designed to bolster its digital combat
readiness. Under the new structure, Air Combat Command will be responsible for
organizing, training and equipping the service to conduct “full-spectrum cyber
missions and operations.” Previously, cyber responsibilities in the Air Force
were under Space Command. “Integrating cyber operations and intelligence in
cyber capabilities under one command is a significant step towards enhancing
our war-fighting capabilities to conduct multidomain operations,” said Gen. Jay
Raymond, head of Air Force Space Command, in a statement. Seventy-two airmen
and civilians will be reassigned from Peterson Air Force base in Colorado to
Virginia because of the realignment, according to the Colorado Springs Gazette.
The shift means that cyber operations will return to Air Combat Command, where
it was previously located.
Gov Info
Security
LabMD, a
now-defunct cancer testing laboratory, has won a major victory in its
longstanding legal dispute with the Federal Trade Commission. The U.S. Court of
Appeals in the 11th circuit ruled on Wednesday in favor of LabMD, vacating an
FTC enforcement action against the lab in a data security dispute dating back
to 2013. In the ruling, the appeals court says: "Assuming [the argument]
that LabMD's negligent failure to implement and maintain a reasonable data
security program constituted an unfair act or practice [under Section 5 of the
FTC Act], the commission's cease and desist order is nonetheless
unenforceable." The court adds that the consent order against LabMD
"does not enjoin a specific act or practice. Instead, it mandates a
complete overhaul of LabMD's data security program and says precious little about
how this is to be accomplished. "In addition, the court notes that the FTC
"effectually charges the district court with managing the overhaul. This
is a scheme Congress could not have envisioned."
Nextgov
June 6,
2018
The
government’s top auditor is investigating the Federal Communications
Commission’s claim that its commenting system suffered a distributed
denial-of-service attack during a controversial debate over repealing net
neutrality rules in May 2017, a spokesman told Nextgov Wednesday. The alleged
DDoS attack, which slowed but did not completely disable the commenting site,
came after comedian John Oliver urged his viewers to submit comments opposing
the net neutrality rewrite favored by the Trump administration. Those new
rules, which are favored by internet service providers, will take effect next
week. The timing has led some critics to suggest the massive increase in
traffic to the FCC commenting site may have come from citizens with legitimate
concerns about the policy change rather than from automated computer bots. The
FCC has not released data to support its claim that the system was hit by a
DDoS attack and declined to provide that information to Nextgov Wednesday.
Vice
Motherboard
June 6,
2018
US
government researchers believe it is only a matter of time before a
cybersecurity breach on an airline occurs, according to government documents
obtained by Motherboard. The comment was included in a recent presentation
talking about efforts to uncover vulnerabilities in widely used commercial
aircraft, building on research in which a Department of Homeland Security (DHS)
team successfully remotely hacked a Boeing 737. The documents, which include
internal presentations and risk assessments, indicate researchers working on
behalf of the DHS may have already conducted another test against an aircraft.
They also show what the US government anticipates would happen after an
aircraft hack, and how planes still in use have little or no cybersecurity
protections in place. “Potential of catastrophic disaster is inherently greater
in an airborne vehicle,” a section of a presentation dated this year from the
Pacific Northwest National Laboratory (PNNL), a Department of Energy government
research laboratory, reads. Those particular slides are focused on PNNL’s
findings around aviation cybersecurity. “A matter of time before a cyber
security breach on an airline occurs,” the document adds.
CNN
June 6,
2018
The Defense
Department is in the market for a secure browser to wall off its employees from
the open internet, a solution that will effectively block hackers from nation
states such as Russia and China from ever reaching its network. According to a
new request for information published on Tuesday, the Pentagon asked the
private sector to pitch a "cloud based" product that would isolate
more than 3 million Defense Department officials' internet traffic. Typically,
if a user clicks on a link in a phishing email, that malicious code is able to
spread throughout the network unimpeded, stealing secrets or shutting down key
functions of the device-like opening a door to a home. But with the cloud
browser, the user will only see a video representation of their internet
session taking place on a remote server, as if the traffic lived in an empty
room far away. If that session gets hacked, it will be sandboxed and never
reach the Pentagon.
Reuters
June 6,
2018
The Atlanta
cyber attack has had a more serious impact on the city’s ability to deliver
basic services than previously understood, a city official said at a public
meeting on Wednesday, as she proposed an additional $9.5 million to help pay
for recovery costs. Atlanta’s administration has disclosed little about the
financial impact or scope of the March 22 ransomware hack, but information
released at the budget briefings confirms concerns that it may be the worst
cyber assault on any U.S. city. More than a third of the 424 software programs
used by the city have been thrown offline or partially disabled in the
incident, Atlanta Information Management head Daphne Rackley said. Nearly 30
percent of the affected applications are considered “mission critical,”
affecting core city services, including police and courts. Initially, officials
believed the reaches of the cyber assault on city software was close to 20
percent and that no critical applications were compromised, Rackley said. “It’s
a lot more... it seems to be growing every day,” she told the Atlanta City
Council, which must vote on a fiscal 2019 budget by the end of the month.
CyberScoop
The
Department of Homeland Security is on standby to alert state officials about
any malicious cyber-activity during Tuesday’s primary elections, but the states
themselves will likely know first if something is amiss, Matthew Masterson, a
senior cybersecurity adviser at DHS, told CyberScoop. With voters going to the
polls in eight states, Tuesday’s primaries are a chance for DHS to test the
communication protocols it has sought to ingrain in election personnel across
the country. State officials, who generally have the best views of their
networks, will flag potentially malicious activity for DHS, which can in turn
alert other states, according to Masterson. “If we see or have information to
suggest something is going on, we have the ability to immediately share it with
the states,” he said in an interview. Ahead of the midterm elections, DHS has
looked to “ramp up” its cyberthreat reports to state officials to get them
information that is easily understood and not overly technical, Masterson
added.
Nextgov
June 5,
2018
It’s said
business eats cybersecurity for breakfast. But when it comes to agile
development, security is integral to the process, and that means security has
to be agile, as well. Federal agencies have been embracing a shift to agile
development methodologies—releasing projects in stages to get user feedback and
rectify bugs early in the process and continuing to iterate and improve over
time. But security is often a far less agile process, particularly when it
comes to getting an authority to operate, or ATO—an arduous process that can
stall deployment of even small-scale systems. The developers at 18F—an internal
digital advisory group based out of the General Services Administration—are
taking this challenge head-on, developing an agile ATO process for agencies
that puts the security work up front, rather than at the tail end of a project.
The Hill
June 5,
2018
The Election
Assistance Commission (EAC) on Tuesday released a list of 26 states that have
requested and received cybersecurity funding, money that aims to ensure state's
voting systems are properly secured ahead of the 2018 midterm elections. An EAC
press release broke down which states have requested the cyber funds as well as
how much they received. To date, these states have requested nearly $210
million in newly available funds, or about 55 percent of the total amount
available. The funds were distributed under the Consolidated Appropriations Act
of 2018, a bill passed by Congress that allocated $380 million in funds to the
Help America Vote Act (HAVA). “This steady stream of funding requests from the
states demonstrates an undeniable recognition that this money can have a
tangible and immediate impact on the efficiency, security and accessibility of
our nation’s elections systems," EAC Chairman Thomas Hicks said in a
statement.
FCW
June 4,
2018
Coast Guard
Rear Adm. Doug Fears will take up a senior National Security Council post that
includes being the top White House official on cybersecurity, the Trump
administration announced June 1. Fears will double as the senior White House
cybersecurity advisor, managing the White House Cybersecurity Directorate.
That's the most senior cybersecurity role in the administration, now that the
post of White House cybersecurity coordinator has been eliminated. The job
carries the rank of deputy assistant to the president, which is below the level
occupied by Tom Bossert, the previous occupant of the job. Bossert was widely
reported to have been forced out of his job the day after John Bolton took over
as national security advisor. "Doug Fears brings more than three decades
of experience across a range of vital homeland security areas including
counterterrorism, cybersecurity, and disaster response to the NSC," Bolton
said in a statement.
INDUSTRY
CyberScoop
June 7,
2018
The
commercial cybersecurity division of Leidos is being sold to Capgemini, a
French multinational business consultancy, the companies announced on Thursday.
Capgemini says it hopes the acquisition will reinforce its presence in North
America and help “meet growing customer demand for its portfolio of
cybersecurity services and solutions across the region.” In a statement,
Capgemini CEO Paul Hermelin called Leidos Cyber a “pioneer” in cybersecurity
that “defined the market in protecting the industrial control ecosystem for the
mission critical infrastructure needs of global enterprises.” Reston,
Virginia-based Leidos provides IT, engineering, science and defense contracting
services and is one of the top U.S. federal contractors. However, Leidos Cyber
is commercially focused. The division employs about 500 cybersecurity
professionals spread out across North America, according to the press release.
Ars Technica
June 6,
2018
More than
115,000 websites—many run by major universities, government organizations, and
media companies—remained wide open to hacker takeovers because they hadn’t
installed critical patches released 10 weeks ago, security researcher Troy
Mursch said Monday. A separate researcher reported on Tuesday that many of the
sites were already compromised and were being used to surreptitiously mine
cryptocurrencies or push malware on unsuspecting visitors. Infected pages
included those belonging to the University of Southern California, Computer
World’s Brazil site, and the Arkansas Judiciary’s Courts and Community
Initiative, which were causing visitors’ computers to run resource-intensive
code that mines cryptocurrency, Jérôme Segura, lead malware intelligence
analyst at antivirus provider Malwarebytes, told Ars.
CyberScoop
June 5,
2018
CrowdStrike
is affording customers of its flagship cybersecurity service a free warranty to
at least partially cover the cost of a breach should one occur on a system it’s
protecting. CrowdStrike announced the warranty on Tuesday, claiming that it is
the first of its kind to be offered in the endpoint security breach prevention
space. “Other industries have long offered product warranties to assure
customers that the products they purchase will function as advertised. This has
not been the case in cybersecurity, where customers generally have little
recourse when security products fail to protect them,” the company said.
Historically, even if an organization employs a reputable cybersecurity product
to protect its systems, it generally has to bear the cost if it suffers a
breach. CrowdStrike’s new warranty covers the company’s Falcon Endpoint
Protection Complete customers for up to $1 million if a breach happens in the
environment was hired to protect. Breaches come in all sizes, and $1 million is
chump change compared to the cost of responding to behemoth ones like
Equifax’s, on which the company has reportedly spent more than $240 million.
But a free-of-charge breach warranty is nonetheless a unique offering as
CrowdStrike seeks to differentiate itself in an increasingly crowded
marketplace for endpoint security services.
CNBC
June 5,
2018
One of the
world's largest digital currency exchanges shut down briefly Tuesday morning
due to a cyberattack. Bitfinex was targeted in what's known as a DDoS, or a
distributed denial-of-service attack, which overwhelms a system with multiple
virus-infected servers. "The previous outage was caused by issues with one
of our infrastructure providers," the company said on its website.
"While the platform was recovering, the attack caused extreme load on the
servers." Bitcoin prices fell 2 percent following the news, hitting a low
of $7,373.47, according to data from CoinDesk.
Reuters
A security
breach at family networking and genealogy website MyHeritage leaked the data of
over 92 million users, the company said in a blog posted on Monday. The breach
took place on Oct. 26 last year, and consisted of the email addresses and
hashed passwords of users who signed up to the website up to the date of the
breach, according to the blog post. The company said it learned about the
breach on Monday, when its chief information security officer was notified by a
security researcher who found a file with the email addresses and hashed passwords
on a private server outside of MyHeritage. MyHeritage said no other data was
found on the server, and that there was no evidence of data in the file being
used. Information about family trees and DNA data are stored on separate
systems and were not a part of the breach, the blog said.
CyberScoop
June 5,
2018
One of the
largest bug bounty firms in the business has launched an initiative that will
allow states’ election officials to test the security of election systems ahead
of the 2018 midterm elections. Redwood City, California-based Synack announced
Tuesday its offering free crowdsourced remote penetration testing services to
state and local governments until November. Synack co-founder Jay Kaplan told
CyberScoop the idea came together after a series of meetings with government
officials, including top executives at the Department of Homeland Security,
that discussed how the private sector could be doing more to ward off digital
meddling. After Synack’s services are completed, states and localities can
harden their systems based on the test’s results. In a letter written to all 50
secretaries of state, which was provided to CyberScoop, Kaplan wrote: “Staying
one step ahead of the adversary is critical to success. Our pro bono services
look for vulnerabilities in remotely-accessible voter registration databases
and online voter registration websites from a hacker’s perspective.”
Vice
Motherboard
June 4,
2018
Last week,
a hacker took control of the ticket-distribution website Ticketfly, defacing
its homepage, and stealing customers’ personal data. The hacker also posted
some of the stolen information online, and threatened to post more, but has yet
to follow through on his threat. Ticketfly’s parent company Eventbrite said
it's still investigating the incident, and hasn’t revealed the extent of the
data breach, nor how much or what kind of data was stolen. Motherboard
downloaded a series of CSV database files posted on a public server by the
hacker last week and shared it with Troy Hunt, the founder of the “Have I Been
Pwned,” a website dedicated of informing users of data breaches. Hunt analyzed
the databases and found 26,151,608 unique email addresses. The databases did
not include passwords nor credit card details. But for most users, they did
include their home and billing address and phone numbers.
INTERNATIONAL
The
Washington Post
Chinese
government hackers have compromised the computers of a Navy contractor,
stealing massive amounts of highly sensitive data related to undersea warfare —
including secret plans to develop a supersonic anti-ship missile for use on
U.S. submarines by 2020, according to American officials. The breaches occurred
in January and February, the officials said, speaking on the condition of
anonymity to discuss an ongoing investigation. The hackers targeted a
contractor who works for the Naval Undersea Warfare Center, a military
organization headquartered in Newport, R.I., that conducts research and
development for submarines and underwater weaponry. The officials did not
identify the contractor.
Wired
British
security researcher Marcus Hutchins, who was indicted and arrested last summer
for allegedly creating and conspiring to sell the Kronos banking trojan, now
faces four additional charges. Hutchins, also called MalwareTech and
MalwareTechBlog, is well-known in the security community for slowing the spread
of WannaCry ransomware as it tore through the world's PCs in May 2017. And as
the months have dragged on since his indictment—he has been living in Los
Angeles on bail—the latest developments in the case have stoked further fears
among white hat hackers that the Department of Justice wants to criminalize
their public interest research. Wednesday's superseding indictment, which ups
the total number of charges Hutchins faces to 10, alleges that in addition to
Kronos, Hutchins also created a hacking tool called UPAS Kit, and sold it in
2012 to a coconspirator known as "VinnyK" (also called
"Aurora123" and other monikers). Prosecutors also assert that
Hutchins lied to the FBI during questioning when he was apprehended in Las
Vegas last year. The original Hutchins indictment listed a redacted defendant
along with Hutchins; the superseding indictment only lists Hutchins, which
indicates to some observers that a shift has occurred.
The Wall Street Journal
June 7,
2018
Spies are increasingly hacking into the smartphones of political
opponents and dissidents around the world, security researchers say, giving
them access to data far more sensitive than what most people keep on personal
computers. Mobile-security firm Lookout Inc. counted 22 phone-hacking efforts
in the first five months of this year that appeared to be government-backed.
Most targeted political opponents in developing nations, Lookout said. The
company’s researchers identified just two such efforts in all of 2015. The
increase is being driven by the proliferation both of low-cost smartphones and
of companies selling spyware and hacking tools to access them, said Claudio
Guarnieri, a security researcher with the human-rights group Amnesty
International. Most hacking efforts now target mobile phones, Mr. Guarnieri
said, while in 2015 the majority still involved personal computers. “It is one
thing to compromise someone’s computer,” said Mike Murray, Lookout’s vice
president of security research. “It’s another thing to have a listening device
that they carry around with them 24 hours a day.”
CyberScoop
A zero-day
vulnerability in Adobe Flash was recently used to infect a likely diplomatic
target in Qatar with malware, new research from Seattle-based cybersecurity
company ICEBRG and Chinese tech firms Qihoo and Tencent shows. Adobe patched
the vulnerability Thursday as part of a broader software update in a release
that credited Seattle-based cybersecurity firm ICEBRG for alerting the company
to the flaw. The findings come as Qatar faces significant geopolitical
struggles, including a trade blockade established by the United Arab Emirates
(UAE), Saudi Arabia, Bahrain and Egypt. Over the last six months,
politically-motivated Middle Eastern hacking has popped up numerous times. In
late May, Qatar was outed as being connected to a hacking operation against top
Republican donor Elliot Brody, an influential critic of the gulf state. Months
earlier, Qater blamed UAE for hacking and editing content hosted by the Qatari
News Agency (QNA), a government-backed news program. Subsequent reporting tied
the QNA hack to a mix of operators from Russia, Iran and the UAE.
Ars
Technica
Two weeks
ago, officials in the private and public sectors warned that hackers working
for the Russian government infected more than 500,000 consumer-grade routers in
54 countries with malware that could be used for a range of nefarious purposes.
Now, researchers from Cisco’s Talos security team say additional analysis shows
that the malware is more powerful than originally thought and runs on a much
broader base of models, many from previously unaffected manufacturers. The most
notable new capabilities found in VPNFilter, as the malware is known, come in a
newly discovered module that performs an active man-in-the-middle attack on
incoming Web traffic. Attackers can use this ssler module to inject malicious
payloads into traffic as it passes through an infected router. The payloads can
be tailored to exploit specific devices connected to the infected network.
Pronounced “essler,” the module can also be used to surreptitiously modify
content delivered by websites.
The Financial Times
June 6,
2018
South Korea
has been hit by “significant” cyber attacks in recent weeks, according to a
leading internet security group, which warned the barrage was likely to
increase ahead of next week’s meeting between US president Donald Trump and
North Korean leader Kim Jong Un. California-based internet security group
FireEye said it had found evidence of advanced China and Russia-linked hacking
outfits targeting South Korean entities, which are likely to have links to the
government in Seoul. “These attacks are likely just the tip of the iceberg.
Geopolitical tensions are often reflected through cyber attacks and these
incidents can help us understand the interests of their sponsors,” FireEye
said. Mr. Trump is due to meet Mr. Kim in Singapore on Tuesday for a highly
anticipated summit that the US leader hopes will lead to North Korea abandoning
its arsenal of nuclear weapons. Speculation was also running high that the
meeting — the first between leaders of the two nations — would be used to
formally declare an end to the Korean war, which concluded in 1953 only with a
simple armistice agreement.
BuzzFeed
At first
glance, you couldn’t see much of a difference between DEF CON, the notoriously
rowdy American hacker conference, and its newly formed franchise in Beijing,
where in May China hosted its first hacker conference. Famous American speakers
still gave technical talks while bathed in neon green light. Upstairs,
instructors in small rooms offered hands-on classes on soldering computer
chips, social engineering (the art of convincing someone to do what you want,
like clicking a phishing email), and picking locks. Just outside, two dudes in
jeans and T-shirts plugged a laptop into a sedan and invited you to try your
hand at hacking its console. What you wouldn’t notice was the Chinese
government’s presence lurking just beneath the surface. While the lock-picking
village let you try your hand at various padlocks, government officials had
objected to instructors bringing in handcuffs; they didn’t want imagery of
people breaking free from custody. The two men running the car-hacking village
were in China before they learned they would, indeed, be provided a rental car
to mess with. Though they could tell it was a Chevy Cruze, and assume its age,
they couldn’t tell for sure, because all identifying marks had been covered
with heavy black tape to obscure the model. Even the conference's logo had gone
through government approval. Jeff Moss, DEF CON’s founder and owner, originally
submitted an outline of the US and China on a motherboard. But three different
government officials had objected, insisting that China’s outline must include
Taiwan. But while Moss and others with DEF CON are reaching out to China’s
cybersecurity community, China’s government is forcing its cybersecurity
researchers to retreat from the outside world.
The
Atlantic
It was a
cyberattack that showed just how vulnerable Germany’s digital infrastructure
truly is. In the summer of 2017, a group of hackers infiltrated NetCom BW, a
regional telecommunications provider with about 43,000 subscribers in the state
of Baden-Württemberg in Germany’s southwest. Given the company’s modest size,
it may not seem like a prime target. But NetCom BW is a subsidiary of EnBW, one
of Germany’s biggest power utilities. EnBW is part of what the government
regards as its critical infrastructure: companies that operate crucial public
services, from electricity to telecommunications to health care. When news of
the breach emerged in mid-May, a spokesperson from EnBW said that the hackers
only gained limited access to the provider’s networks for a few minutes before
its IT team fended off the incursion. A serious cyberattack on such a provider,
by contrast, could’ve caused large-scale disruption. Still, this near miss
provided little comfort. Germany’s intelligence agencies have warned that
increasing cyberattacks are “ticking time bombs” that endanger critical
infrastructure, and authorities are racing to fortify defenses. Yet this is
new, uncomfortable terrain for a country battling to overcome a weak digital
infrastructure and a history of pacifism in the postwar era. That has cast
doubt over Germany’s ability to mount a more aggressive approach to cyberwar.
TECHNOLOGY
ZDNet
June 6,
2018
Security
firm Snyk has disclosed a widespread and critical flaw in multiple archive
file-extraction libraries found in thousands of open-source web application
projects from HP, Amazon, Apache, Oracle, LinkedIn, Twitter and others. As Snyk
explains, some ecosystems, such as Java, don't provide a central software
library for fully unpacking archive files, leading developers to write their
own code snippets to enable that functionality. In this case, those code
snippets contain a vulnerability, dubbed Zip Slip, that exposes an application
to a directory traversal attack. This flaw would allow an attacker to reach the
root directory and from there enable remote command execution. The vulnerable
code has been found in multiple archive extraction libraries for use across numerous
ecosystems, including .NET, Java, JavaScript, Go, and Ruby.
