Pages

Wednesday, August 01, 2018

New Spectre attack enables secrets to be leaked over a network

Prisoners ‘Hack’ $225,000 in Credits From Digital System – But the Victim Is the One Under Fire Fortune

The State of New York is moving to evict its largest internet and cable provider for failing to deliver on fast connection promises that had won it approval two years ago for a merger with Time Warner Cable.

What Are Machine Learning Models Hiding? Freedom to Tinker
Story image for ato tax from Forbes

Australia's Tax Office Sees The Value in Cryptocurrencies

 


How a data project is making investigations safer for AFP staff
JANIS DALINS: Using data doesn't just have to be about making better decisions ‒ it can also help protect employees by reducing dangerous tasks.



Data breaches on the rise
The number of data breach notifications has increased steadily with each month since Australia's new mandatory disclosure laws came into effect earlier this year.

 
 
On the left, a large white shelf stores an impressive collection of vintage records. On the right, a cowhide rug adds a softening touch to a rustic music room with a wooden piano and guitars.
Temple Press Release, Second Update on Rankings:
The university has been carefully scrutinizing rankings data submissions to identify misreporting for other Fox programs
The 6 Types Of Cyber Attacks To Protect Against In 2018 – Lizzie Kardon’s article is a timely guide to the different methods by which cyber attacks are launched and the tools used to deliver them. As the goals and objectives for such attacks differ, it is critical to employ accurate and effective strategic and tactical processes to prevent and to repel attacks that are steadily increasing as the Internet of Things (IoT) expands in arenas that span work, home, government, social media, healthcare and beyond.

Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, GAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018. “GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities…”


Fifth Domain
July 27, 2018
The National Security Agency is set to transfer a program that guards against malware to the Defense Information Systems Agency, according to a spokeswoman for the agency.

The Daily Beast
July 26, 2018
The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals.

Federal News Radio
July 26, 2018
As agencies face an increasing volume of cyber threats, the Government Accountability Office will examine whether the Trump administration has a reliable hierarchy of cybersecurity leadership. Last year, federal civilian agencies reported more than 35,000 information security incidents to U.S. Computer Emergency Readiness Team (US-CERT), a more than 14 percent increase from the previous year, according to a GAO report released Wednesday.

The Hill
July 26, 2018
House Democrats are prodding their Republican colleagues to examine foreign threats to upcoming U.S. elections, raising concerns that the Trump administration is not adequately tackling the threat. The top Democrats on four House committees demanded Thursday that their Republican counterparts hold a joint hearing on election security featuring top Trump administration officials.

Nextgov
July 25, 2018
President Donald Trump’s executive order declaring Cabinet secretaries will be held responsible for their agency’s cybersecurity failings was the easy part, a former top White House cyber official told lawmakers Wednesday.

FCW
July 25, 2018
The lead sponsor of the Modernizing Government Technology Act expressed confidence that congressional appropriators will eventually replenish a revolving fund for IT modernization, but unresolved issues regarding transparency need to be addressed.

CyberScoop
July 25, 2018
Sen. Ron Wyden has called on federal agencies to stop using Adobe Flash, multimedia software that has consistently proven vulnerable over the years.

NBC
July 25, 2018
A bipartisan duo of U.S. senators is urging President Donald Trump to pay more attention to the threat posed by Russia against critical infrastructure like the nation's electric grid, and to provide an analysis of the risk and a plan of action within 90 days.

Fifth Domain
July 25, 2018
If the United States were to fall victim to a large-scale cyberattack that took out critical infrastructure, the Department of Defense could turn to little-used authorities to assist federal civilian agencies with its response.

CyberScoop
July 25, 2018
The Department of Defense says it has a plan to make sure that all of its public-facing websites are configured in a way that doesn’t put the security of their visitors at risk. In a letter responding to a lawmaker dated July 20, DOD Chief Information Officer Dana Deasy wrote that the department plans by the end of 2018 to fix issues with trust certificates and encryption that are present across many websites affiliated with it.

Nextgov
July 24, 2018
The Homeland Security Department would have broad authority to bar technology contractors that officials believe pose cybersecurity and national security risks under legislation forwarded by the House Homeland Security Committee Tuesday.

The Hill
July 24, 2018
A bipartisan pair of senators on Tuesday asked the Treasury Department to impose financial sanctions on the 12 Russian intelligence officers indicted by special counsel Robert Mueller last week for allegedly hacking the emails of top Democratic Party officials.

FCW
July 24, 2018
The federal government allocated $380 million to protect and improve election system security. In a June 24 House Oversight Committee hearing, officials and House Democrats made the case for a few dollars more. Thomas Hicks, commissioner of the Election Assistance Commission, confirmed that $335 million of the $380 million in the omnibus spending bill passed in March earmarked for election security assistance has been dispersed to states and that 100 percent of the funds have been requested.

The Hill
July 23, 2018
The final version of an annual defense policy bill would set new authorities for the Department of Defense to deter and respond to attacks in cyberspace, including establishing the first U.S. policy on cyber warfare. Following House and Senate negotiations, a conference report on the National Defense Authorization Act (NDAA) released Monday says the United States should be able to use every option on the table, including offensive cyber capabilities. "


ADMINISTRATION

Reuters
July 27, 2018
The Pentagon is working on a software "do not buy" list to block vendors who use software code originating from Russia and China, a top Defense Department acquisitions official said on Friday. Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters the Pentagon had been working for six months on a "do not buy" list of software vendors.

CyberScoop
A new report from a U.S. counterintelligence agency details persistent efforts by China, Iran, and Russia to steal U.S. trade secrets, warns that those campaigns are here to stay and raises concerns about the software supply chain as a vector for economic espionage. China, Iran, and Russia are “three of the most capable and active cyber actors tied to economic espionage,” and they will “remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace,” states the report released Thursday by the National Counterintelligence and Security Center (NCSC). L

Nextgov
July 26, 2018
The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday. Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.

CyberScoop
July 26, 2018
Most federal agency web domains are on track to meet a requirement that protects them from email spoofing, according to a report from email security company Agari. The requirement in question is Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy that gives network administrators more visibility and control over how their domain is being used with regard to email. Without it, malicious actors can send emails that appear to be from a trusted source, such as a .gov website, to unsuspecting victims.

Yahoo News
July 25, 2018
Amid mounting warnings about another Russian cyberattack on the 2018 midterm elections, President Trump’s former homeland security adviser said a recent staff shakeup ordered by national security adviser John Bolton has left the White House with nobody in charge of U.S. cyber policy and raised concerns about “who is minding the store.” “On cyber, there is no clear person and or clear driver, and there is no clear muscle memory,” said Tom Bossert, who served as White House homeland security adviser until last April, in an interview with the Yahoo News podcast Skullduggery. “In some way playing jazz music, improvising policy because there is no clear playbook for it,” Bossert said. “And so, yes, if you’re asking me do I have any concerns? The concern would be who’s minding the store in the coordination and development … of new and creative cyber policies and strategies.”

Houston Public Media
July 25, 2018
Houston is now conducting a three-day exercise aimed at helping it fend off cyberattacks. This comes just days after news that Russian hackers infiltrated U.S. electric utilities, giving them the ability to trigger blackouts. The simulation, called “Jack Voltaic 2.0,” includes two simultaneous incidents: a natural disaster and a cyberattack. Mayor Sylvester Turner said, 

The Wall Street Journal
July 24, 2018
The Government Accountability Office warns that the 2020 Census, which will employ new digital technologies such as cloud and mobile computing, faces a greater risk of cyberattack than did earlier, lower-tech efforts. Hackers interested in attacking the new census systems could undermine trust in the data, steal information for future attacks, or skew results with implications for democratic process in the U.S., say cybersecurity experts. An estimated 146 million housing units in the U.S. are due to be counted starting April 1, 2020.

FCW
RS officials charged with protecting and authenticating taxpayer data are getting better at their jobs – but so are fraudsters. A Government Accountability Office audit released July 23 gave the agency mostly passing marks on the fundamentals of identity authentication. However, auditors also identified a range of incomplete tasks with uncertain funding mandates as well as a burgeoning threat landscape that threatens to overwhelm the cash-strapped agency's cybersecurity and IT resources. Online services – which accounts for 16.5 million of the approximately 28.5 million people authenticated in 2017 – fared the best, with auditors noting IRS "regularly assesses risks and monitors" its online applications but "has not established equally rigorous internal controls for its telephone, in-person and correspondences channels." Officials have started holding regular "security summits" with industry and cybersecurity experts to gain better insight into the current threat landscape. A strategic road map developed in 2016 outlined core strategic objectives for achieving better identity proofing and unearthed dozens of recommended steps to get there. However, auditors noted that in many cases, officials at the tax agency have failed to match those projects with available funding or agency resources, leading to concerns that momentum could stall or the projects could become de-prioritized.

The New Yorker
July 24, 2018
Last week, when Donald Trump endorsed Brian Kemp over Casey Cagle in Georgia’s Republican-gubernatorial-primary runoff election—which takes place on Tuesday—it looked like the President was simply choosing the candidate who was running as the self-proclaimed “politically incorrect conservative.”

Fifth Domain
July 24, 2018
In his first public comments since assuming the head of U.S. Cyber Command, Gen. Paul Nakasone said the Department of Defense is taking a more aggressive approach to protect the nation’s data and networks and aims to stay ahead of malicious cyber and information-related activity

CNN
Rob Joyce, President Donald Trump's former cybersecurity coordinator, has been tapped to serve as the National Security Agency's top representative in the United Kingdom, according to a former senior intelligence official and a second source familiar with the matter. 


INDUSTRY

Gov Info Security
July 27, 2018
A recent hacking incident at Boys Town National Research Hospital is the largest ever reported by a pediatric care provider or children's hospital, according to the federal health data breach tally. A wide variety of data on some 105,000 individuals, including young patients as well as employees, was exposed, opening the door to potential fraud. The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame," lists breaches reported since 2009 that affected 500 or more individuals. The tally now includes about 35 major breaches at children's hospitals or pediatric healthcare providers impacting a total of more than 434,000 individuals.

Ars Technica
July 26, 2018
COSCO’s computer networks in the Americas remained completely severed from the Internet on Thursday, almost 48 hours after the Chinese shipping giant reported it was hit by a ransomware attack. In a statement published Thursday, COSCO officials said the failures affected networks in the US, Canada, Panama, Argentina, Brazil, Peru, Chile, and Uruguay.

CNBC
July 26, 2018
Cyber risk management company Tenable closed out its first day of trading up 31.5 percent, after jumping 40 percent in its public market debut Thursday. Shares opened at $33.00, nudging the company's market value above $3 billion, and closed at $30.25 per share.

Infosecurity Magazine
July 26, 2018
The US Department of Homeland Security (DHS) has flagged a new report highlighting an increase in attacks on critical ERP apps by state-sponsored hackers, cyber-criminals and hacktivists. .

Krebs on Security
July 25, 2018
Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers.

CyberScoop
July 25, 2018
The automotive industry is looking to step up its collaboration with cybersecurity researchers to identify software and hardware bugs in order to better protect vehicles, which are becoming more connected and automated.

Krebs on Security
Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

Wired
July 24, 2018
Nearly two years ago, Google made a pledge: It would name and shame websites with unencrypted connections, a strategy designed to spur web developers to embrace HTTPS encryption. On Tuesday, it finally is following through. With the launch of Chrome 68, Google now will call out sites with unencrypted connections as “Not Secure” in the URL bar.

Reuters
July 23, 2018
A former Equifax Inc employee pleaded guilty on Monday to having engaged in insider trading before the credit reporting company last year disclosed a cyber attack that exposed the personal data of about 148 million people. Sudhakar Reddy Bonthu, a former software development manager who was involved in assisting in Equifax's response to the breach, pleaded guilty in federal court in Atlanta to a single insider trading count, prosecutors said. Bonthu, 44, is one two former Equifax employees who federal prosecutors have accused of seeking to profit by trading on confidential information related to the cyber attack before the company disclosed the data breach last September. Meg Strickler, his lawyer, confirmed Bonthu's plea but had no other immediate comment. He is scheduled to be sentenced on Oct. 18. Equifax fired Bonthu in March after he refused to cooperate with an internal investigation, according to the U.S. Securities and Exchange Commission, which has reached a related settlement with him. Equifax has said it was cooperating with authorities.

AP
July 23, 2018
One app promotes itself as a way to discuss sensitive negotiations and human resources problems without leaving a digital record. Another boasts that disappearing messages “keep your message history tidy.” And a popular email service recently launched a “confidential mode” allowing the content of messages to disappear after a set time.

CyberScoop
July 23, 2018
Private sector cybersecurity companies are increasingly stuck with difficult decisions when it comes to publicizing research into malware. Over the past few years, nation-states have increasingly devoted time, money and man-hours to creating sophisticated weapons that wreak havoc once they are unleashed on the internet.

Krebs on Security
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device)


INTERNATIONAL

The New York Times
July 25, 2018
Russian hackers who penetrated hundreds of U.S. utilities, manufacturing plants and other facilities last year gained access by using the most conventional of phishing tools, tricking staffers into entering passwords, officials said Wednesday.

CyberScoop
July 25, 2018
A newly uncovered hacking group has breached a number of critical infrastructure and government organizations in the Middle East with a mixture of publicly available and custom-built tools, according to new research from cybersecurity giant Symantec.

Gov Info Security
July 25, 2018
The scale of data breaches in Europe is rapidly evolving past the "problem unknown" stage, thanks to the EU's General Data Protection Regulation, for which enforcement began on May 25.

The Weekly Standard
On Friday, July 13, the Justice Department charged 12 Russian military intelligence officials with hacking Democratic National Committee (DNC) email servers as well as leaking stolen documents to outlets such as WikiLeaks, in an effort to influence the 2016 presidential election. Among those least surprised by the charges was former British spy Matt Tait. I first met Tait in the fall of 2017, when he was in Washington, D.C., to be interviewed by Special Counsel Robert Mueller. The cheerful, lanky 29-year-old does not look or act like someone who is being carefully watched by both U.S. and Russian intelligence communities, nor like someone who has traveled the world as a consultant for technology companies and spent four years working at the U.K.’s top digital intelligence agency. Despite his modest demeanor, Tait was a key player in deciphering Russian election interference. On June 15, 2016, when the first trove of stolen documents from the DNC was leaked online under the pseudonym Guccifer 2.0; before the FBI launched an investigation into election interference; and before the U.S. intelligence community attributed the cyberattacks to the Russian government, Tait used publicly available information to compile incriminating evidence of metadata and technical slip-ups against the Russian intelligence agency GRU, concluding that the attack bore the hallmarks of a classic Russian influence campaign.

Reuters
July 24, 2018
Germany is considering laws that would let it respond actively to foreign cyber-attacks, Interior Minister Horst Seehofer as he presented a domestic intelligence agency report showing Iran was the latest power to ramp up hack attacks on German systems.

FCW
The victims of an ongoing, long-running Russian-backed hacking campaign against infrastructure providers, including electric companies, number in the "hundreds," but immediate electrical blackouts resulting from the hacks to the grid are not in the cards, at least not in the short term, according to DHS officials.

Reuters
Singapore has disconnected computers from the internet at public healthcare centers to prevent cyberattacks of the kind that caused its worst breach of personal data, a government official said on Tuesday. Singapore started to cut web access for civil servants in 2016 to guard against cyberattacks, but stopped short of including public healthcare institutions.


TECHNOLOGY

Ars Technica
July 26, 2018
When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system. This made browsers vulnerable, as suitably crafted JavaScript could be used to perform Spectre attacks. Cloud hosts were susceptible, too. But outside these situations, the impact seemed relatively limited. That impact is now a little larger. Researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.

Ars Technica
July 25, 2018
A large number of device makers is patching a serious vulnerability in the Bluetooth specification that allows attackers to intercept and tamper with data exchanged wirelessly. People who use Bluetooth to connect smartphones, computers, or other security-sensitive devices should make sure they install a fix as soon as possible.
 via Nick Leiserson


ClauseBank launched for cheaper, faster government contract drafting
The Department of Finance has developed a set of pre-drafted contract terms that can be used in government contracts without obtaining additional legal advice.