Tuesday, October 02, 2018

He Took Home Documents to Catch Up on Work at the N.S.A. He Got 5½ Years in Prison


 


FCW

September 28, 2018

The head of the Department of Energy's cybersecurity office told a congressional panel she plans to distill threat and intelligence data into actionable reports for critical infrastructure providers. Private sector personnel won't necessarily have to possess security clearances to view such reports, Karen Evans, assistant secretary of the DoE's Office of Cybersecurity, Energy Security, and Emergency Response, said at a Sept. 27 Capitol Hill hearing. Evans, who has been at CESER for a month, told the House Energy and Commerce Committee she plans to combine threat and intelligence data into reports that energy sector critical infrastructure providers can act on immediately. Critical infrastructure providers have complained about the Department of Homeland Security's efforts to share threat information, which can require infrastructure provider employees get security clearances to see that data.

 


Fifth Domain

September 27, 2018

The past few years have seen the United States experience election hacking efforts by foreign adversaries and corporate data breaches from underground hacktivists, among other events, leaving many officials to wonder what the U.S. doctrine for cyberspace even is. The new U.S. Cyberspace Solarium Commission was created to answer just that. "We lack a doctrine that defines how, when and where we play offense and defense. We don’t have a playbook. It’s time to draft one,” said Sen. Ben Sasse, R-Neb., who is credited with developing the commission to help contextualize cyber in the broader national and economic security discussion. The Cyberspace Solarium Commission, modeled after President Eisenhower’s Project Solarium, was established by the National Defense Authorization Act of 2019. The purpose of the commission, according to the legislation, is “to develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.” The bipartisan Cyberspace Solarium commission will include a total of 14 members, including the deputy director of national intelligence, the deputy secretary of homeland security, the deputy secretary of defense, and the director of the FBI.

 


The Hill

September 27, 2018

Democrats on the House Intelligence Committee have requested an intelligence briefing on President Trump’s accusations that China has tried to interfere in the midterm elections. Rep. Adam Schiff (D-Calif.), the committee’s ranking member, told The Hill Thursday that the minority has requested a briefing before the House’s next recess on Trump's claims. “We have requested to be briefed on what he was referring to,” Schiff said. “We expect that we will, before we recess, have the opportunity to ask just what he is talking about.” On Wednesday, Trump accused China of trying to meddle in the elections during a speech at a United Nations Security Council meeting in New York. “Regrettably, we found that China has been attempting to interfere in our upcoming 2018 election,” Trump said. “They do not want me or us to win because I am the first president ever to challenge China on trade.” At a later press conference, Trump pointed to an insert in the Des Moines Register purchased by a Chinese government-backed media company that criticized Trump’s trade policies. He described the alleged Chinese interference as “different” than Russia’s efforts to interfere in the 2016 vote.

 


FCW

September 27, 2018

The Transportation Security Agency has the authority to regulate cybersecurity of natural gas and oil pipelines, but many lawmakers and stakeholder are starting to wonder whether that is the best arrangement, considering the vulnerability of infrastructure to remote attacks directed via industrial control systems. In particular, some lawmakers have objected to TSA's oversight because its cybersecurity standards are voluntary for industry, despite possessing the authority to lay down mandatory rules. This differs from the electrical sector, which is subject to mandatory standards imposed by the Federal Energy Regulatory Commission. Pipeline policy experts told FCW that TSA's standards are out of date, predating the National Institute of Standards and Technology's cybersecurity framework. They also said recent TSA updates to its standards this past summer came just before NIST updated its cyber framework.

 


Nextgov

September 26, 2018

Legislation introduced in the House Wednesday would create a stronger federal chief information officer and establishes a chain of command for some of the administration’s most important IT officials. The Federal CIO Authorization Act of 2018 would make the federal CIO a presidential appointee who would report directly to the Office of Management and Budget director. Currently the federal CIO reports to OMB’s deputy director for management. Introduced by Reps. Will Hurd, R-Texas, and cosponsor Robin Kelly, D-Ill., the legislation also renames the Office of E-Government to the Office of the Federal Chief Information Officer. Under the legislation, the federal CIO would directly oversee the federal chief information security officer, and codifies the federal CISO position as a presidential appointment. The legislation firmly establishes the federal CIO as the top civilian tech official, and directs whoever holds the position to “submit a proposal to Congress for consolidating and streamlining IT across federal agencies.” Suzette Kent currently serves as the federal CIO. Grant Schneider was named federal CISO in July.

 


FCW

September 26, 2018

Senate appropriators continue to negotiate this week over a general government "minibus" spending package that includes the Technology Modernization Fund. While talks could bleed over into next week, Rep. Will Hurd (R-Texas), author of the Modernizing Government Technology Act, told FCW that he expects the funding to be restored when the final package is unveiled. "I'm pretty sure that we have resolved the issue with TMF and what the final amount is I think is going to be what we saw in the House package," Hurd told FCW on Sept. 26. "I feel good about it." The Technology Modernization Fund still has $55 million leftover from this year's appropriations, and members of the board responsible for doling the money out to worthy agency projects have said they are getting ready to award another round of funding soon. House appropriators sought $150 million for the fund fiscal year 2019, but the Senate zeroed out those dollars after some senators complained that the Office of Management and Budget was not being nearly transparent enough around how the board operates and how projects were being selected.

 


Nextgov

September 26, 2018

Federal agencies would be able to override union objections to block employees from using personal email accounts or Facebook on work computers under a bill the Senate Homeland Security Committee forwarded Wednesday. The bill, sponsored by Committee Chairman Ron Johnson, R-Wisc., would give agencies authority to block websites if there’s a pressing cybersecurity need. The Federal Information Systems Safeguards Act, which is less than 250 words, passed on a voice vote. Though senators did not individually record their votes, several voted against the measure. Johnson was the only senator who spoke directly about the bill, saying: “It’s a good piece of legislation. I think it’s necessary.” A similar bill passed the House Oversight Committee in July. The American Federation of Government Employees, a major federal employee union, put out a statement opposing the House bill, saying it “does not increase federal IT security” and “would take collective bargaining rights away from employees when it comes to IT.”

 


McClatchy

September 25, 2018

With some 40 days remaining to the crucial midterm elections, signs of digital meddling in campaigns are mounting. But most candidates have spent little or nothing on cybersecurity, and say it’s too hard and expensive to focus on hacking threats with all the other demands of running for office. Only six candidates for U.S. House and Senate spent more than $1,000 on cybersecurity through the most recent Federal Election Commission filing period. Yet those who monitor intrusions and digital mayhem say hackers are active. And various reports cite at least three candidates still in races or ousted in primaries were suffering attempted breaches of their campaigns.

 


The Hill

September 25, 2018

Sen. James Lankford (R-Okla.) said Tuesday that a bipartisan election security bill won’t be passed by Congress ahead of November’s midterm elections. Lankford told The Hill that the text of the bill, known as the Secure Elections Act, is still being worked out. And with the House only being in session for a limited number of days before the elections, the chances of an election security bill being passed by then are next to none. “The House won’t be here after this week so it’s going to be impossible to get passed,” Lankford said of the bill. The legislation, which aims to protect elections from cyberattacks, was initially set to be addressed by a Senate committee last month. But the markup was abruptly postponed by Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.) over a lack of Republican support and after some secretaries of state shared concerns about the bill, a GOP Senate aide told The Hill at the time. The White House was also critical of the legislation, saying that it “cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections.” The legislation is co-sponsored by Sen. Amy Klobuchar (D-Minn.), who has urged lawmakers to take steps to secure U.S. elections.

 

 

ADMINISTRATION

 


FCW

September 28, 2018

The Department of Homeland Security issued a Binding Operational Directive in May directing all agencies to identify, categorize and prioritize cybersecurity for high value assets. However, according to a new technical report by the agency, communications in the wake of that directive "show that agencies need help in understanding the architectural weaknesses within [high value] systems" and need additional assistance to protect them. The federal government is making a concerted effort to shift its cybersecurity resources and focus to the most sensitive and mission critical systems that agencies need to carry out their missions. At an August 2018 FCW event, federal CIO Suzette Kent said that 100 percent of agencies have submitted their inventory of high value assets, but watchdogs continue to find agencies that need to implement stronger protections around those assets.

 


Gov Info Security


If all goes according to plan, the Food and Drug Administration will launch in fiscal 2019 a new digital health "center of excellence" that includes a cybersecurity unit. The new unit would not only deal with cyber issues pertaining to new health technologies, but also challenges facing older medical devices. The FDA's $5.8 budget request for fiscal 2019 - which begins Oct. 1 - includes $70 million for the FDA to establish "a new paradigm for digital health technologies," according to the agency's budget justification document released earlier this year. President Trump is reportedly planning to avert a partial government shutdown that would start at midnight Sept. 30 by signing an $852 billion continuing resolution budget bill for fiscal 2018 that was passed by Congress this week and would fund the government through Dec. 7. FDA funding - including the request for the digital health initiative's center of excellence - is not part of that spending bill, but rather is part of the FDA's overall fiscal 2019 budget request.

 


Nextgov

September 27, 2018

New policy and guidance are coming for agencies to ensure they are using secure network connections. It won’t look like the old Trusted Internet Connection policy but it’s not clear yet what it will look like, according to a top official. When devices and applications connect to the internet, agencies need to ensure that connection is secured from outside influence and infiltration. As technologies like cloud become more abundant and defined network perimeters disappear, creating hard rules has become more difficult, according to Mark Bunn, program manager for the Homeland Security Department’s TIC initiative. Bunn said his department has been hard at work on an update to the current document, which was released in 2008. As they assess the current landscape, TIC officials have found themselves on the cusp of a sea-change. “We’ve seen a lot of things change with a stagnant program,” Bunn said during a Sept. 27 event hosted by FCW. “We have the whole concept of boundaries, and now we have technologies that don’t have boundaries. How do you apply a boundary program to try to leverage data and use data when there’s no such thing as a boundary anymore?” Under the current policy and guidance, agencies are instructed to build strong perimeter defense like firewalls and enclaves “and pretend like it’s a 2008 network,” Bunn said. The new environment is so different, the office even considered renaming the program. For now, they’re calling it TIC 3.

 


Fifth Domain

September 27, 2018

Secretary of Defense Jim Mattis predicted the U.S. government will one day offer cyber protection to businesses that work with critical infrastructure and may even extend such a buffer to some individuals. The top Pentagon official said during a Sept 25. speech at the Virginia Military Institute that he envisions a voluntary program that would be spurred by the rapid change in technology. “Because the Department of Defense has about 95 percent more of the capability to protect the country on cyber, we are probably going to have to offer to banks, to public utilities, (to) electrical generation plants and that sort of thing, the opportunity to be inside a government protected domain,” Mattis said. “It’s not going to be forced and there are constitutional issues, but I think we should also offer it to small businesses and individuals.” Mattis, who rarely discusses cyber at length in speeches, did not put a timeline on the plan, only predicting that it would happen “in the long run.” “I am talking to real smart people about what they do on cyber defense so that we are more resistant and more resilient,” Mattis said.

 


The New York Times Magazine

September 26, 2018

It was mid-July 2016 when Neil Jenkins learned that someone had hacked the Illinois Board of Elections. Jenkins was a director in the Office of Cybersecurity and Communications at the Department of Homeland Security, the domestic agency with a congressional mandate to protect “critical infrastructure.” Although election systems were not yet formally designated as such — that wouldn’t happen until January 2017 — it was increasingly clear that the presidential election was becoming a national-security issue. Just a month before, Americans had been confronted with the blockbuster revelation that Russian government actors had hacked the Democratic National Committee’s servers and stolen private email and opposition research against Donald Trump, the Republican presidential candidate. And now, it emerged, someone was trying to infiltrate the election system itself.

 


Financial Planning

September 26, 2018

Almost eight years after the Identity Theft Red Flags rule went into effect, the SEC announced its first enforcement of the law. The Des Moines, Iowa-based broker-dealer and investment advisor Voya Financial Advisors will pay $1 million to settle charges that it failed to adopt procedures that protected customer records and address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers. Over the course of six days in April 2016, cyber thieves impersonated Voya Financial Advisors contractors on the firm’s technical support line and requesting representatives’ passwords be reset for access to the proprietary web portal Voya used to share customer information with contractors. The SEC order states that two of the phone numbers the impersonators used had already been identified by the company as linked to prior attempts to impersonate Voya Financial Advisor contractors. Nonetheless, Voya Financial’s support staff still reset their passwords and even provided the representative’s username.

 


The New York Times

September 25, 2018

As a Vietnamese immigrant with imperfect English, Nghia H. Pho felt he was falling behind his fellow National Security Agency software developers in promotions and pay. So in 2010, after four years on the job, he began taking highly classified documents to his Maryland home to get extra work done at night and on weekends in an effort to improve his performance evaluations. But in the five years that Mr. Pho, 68, stored the material on his insecure home computer, officials believe it was stolen by Russian hackers using the antivirus software installed on the machine. Mr. Pho worked for the N.S.A.’s hacking unit, then known as Tailored Access Operations, and his cache is believed to have included both hacking tools and documentation to go with it. On Tuesday, as family members wept in the courtroom, Mr. Pho was sentenced to five and a half years in prison after pleading guilty to a single count of willful retention of national defense information. Mr. Pho, a slender man with a thatch of white hair, chose to address the court in English despite the presence of an interpreter. “I did not betray the U.S.A.,” he said. “I did not send the information to anyone. I did not make a profit.”

 


CyberScoop

September 24, 2018

While the Department of Homeland Security has looked to step up its use of drones to patrol the U.S.-Mexico border, lax security policies have left the collected data vulnerable to hackers and insider threats, a new audit finds. IT systems used by the Customs and Border Protection to share drone-gathered data are “at increased risk of compromise by trusted insiders and external sources” because of security shortcomings, a DHS inspector general report states. “Continuous monitoring to facilitate effective security incident handling, reporting, and remediation was lacking, while system maintenance and oversight of contractor personnel were inconsistent,” the report says. The IG investigation comes as DHS has sought more advanced drone technology to surveil border areas. In July 2016, for example, the department asked industry for proposals for small and easily deployable commercial drones.

 


BuzzFeed

September 23, 2018

The good news is that the thousands of county and municipal governments that administer elections across the US have a variety of effective cybersecurity programs available to them, free of charge. The bad news is that the vast majority don't use any of them. In the complex debate about US election security, the focus tends to be on campaigns, parties, states, voting equipment manufacturers, and national trends. But the literal administration of elections, like the printing of ballots, coordinating poll workers, and organizing polling places, falls to more than 10,000 county clerks and local municipalities, according to the nonprofit organization Verified Voting. And those are the people the Department of Homeland Security would like to sign up for its cybersecurity program. “There should not be any counties left out, because they can sign up for cyber hygiene scanning,” Jeanette Manfra, DHS’s top cybersecurity official, told BuzzFeed News. “They absolutely have the ability to be a partner. They might not know about it, so we’ve got to keep working to get the message out,” Manfra said.

 

 

INDUSTRY

 


The Washington Post

September 28, 2018

Facebook said Friday that hackers had stolen information that could have allowed them to take over 50 million user accounts, in the latest mishap for the social media company, which has spent months struggling to regain the confidence of policymakers and the public. The company said that as many as 90 million Facebook users — out of a total of 2.2 billion — will have to log back into their accounts as a result of the breach. Notifications will appear at the top of the Facebook news feed for the 50 million users who were directly affected, executives said on a call with reporters. The hackers were able to gain access to profile information, such as users' names, hometowns and genders, Facebook said. It is possible they could have had access to more information, but Facebook said its investigation is in the early stages. No credit card information was exposed, Facebook executives said, and so far there is no evidence the attackers sought to access private messages or post fraudulent messages from the accounts. “This is a serious issue, and we’re committed to addressing it,” said Facebook chief executive Mark Zuckerberg. “This underscores that there are constant attacks from people who are trying to take over accounts or steal information from people in our community.”

 


E&E News

September 27, 2018

North American grid regulators share the U.S. government's misgivings about Moscow-based cybersecurity company Kaspersky Lab, according to a confidential alert sent to the power sector last year. On Oct. 5, 2017, the North American Electric Reliability Corp. issued a rare "Level 2" cybersecurity recommendation — one of just three such warnings since 2013 — covering power utilities' potential use of Kaspersky anti-virus software, sources confirmed to E&E News. NERC is responsible for setting and enforcing security rules for the bulk U.S. power grid. Bill Lawrence, NERC's vice president and chief security officer, said the regulator based its supply chain security alert on dialogue with the departments of Energy and Homeland Security and the Federal Energy Regulatory Commission, the independent federal agency that gets final say over grid security standards. NERC declined to comment on the contents of the document, which is restricted from public disclosure under the "Traffic Light Protocol."

 


SC Media

September 27, 2018

A report covering connected car security from 2016-2017 has found the number of vulnerabilities has decreased in number and likelihood, but more work needs to be done baking in security during the design phase and applying industry best practices in the future. IOActive’s research, which follows up on a similar report issued in 2016, included a look at threat modeling, attack vectors and attack methodologies to come up with a series of potential vulnerabilities and then the listing the likelihood they could be implemented by a malicious actor. The good news from the report is the number of vulnerabilities found have decreased as has the impact they can have on a system. In 2018 10 percent were rated as potentially having a critical impact, down 15 points from the 2016 report, while the number of medium and low impact issues increased to 52 percent of the total. A greater focus on cybersecurity at the factory level is credited for this change.

 


ZDNet

September 27, 2018

Google launched today a new set of services for enterprise customers of VirusTotal, a website that lets users test suspicious files and URLs against an aggregate of multiple antivirus scanning engines at the same time. This collection of new tools is part of the new VirusTotal Enterprise service, which Google described as "the most significant upgrade in VirusTotal's 14-year history." As the name implies, this new service is specifically aimed at enterprise customers and is an expansion of VirusTotal's current Premium Services. Google says VirusTotal Enterprise consists of existing VirusTotal capabilities, but also new functionality, such as improved threat detection and a faster search system that uses a brand new interface that unifies capabilities in VirusTotal's free and paid sites.

 


The San Diego Union-Tribune

September 26, 2018

The Port of San Diego said Wednesday it is investigating a highly sophisticated cybersecurity threat to its technology systems that is currently affecting the public agency’s ability to process park permits and records requests, and perform other business services. The digital assault is similar, in some ways, to a ransomware attack that was launched against the city of Atlanta in March, security analysts say. The hackers were able to shut down many services, including people’s ability to pay traffic tickets and water bills. The attackers — who sought bitcoins as ransom — also temporarily knocked out wireless communications at the Atlanta airport. The San Diego Harbor Police Department, the law enforcement arm of the Port, is also affected by the attack and is said to be using alternative technology systems. “The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems,” CEO Randa Coniglio said in a statement. “The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems.”

 


CyberScoop

September 26, 2018

Ridehailing company Uber will pay $148 million across all 50 states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company’s users. The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data. Several attorneys general released statements after the settlement was announced, with each state getting a varying amount.

 


ZDNet

September 26, 2018

A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.

 


Reuters

September 26, 2018

Cyber-security firm Darktrace said on Wednesday it has raised $50 million in its latest funding round led by European private equity firm Vitruvian Partners LLP, valuing the company at $1.65 billion. The series E funding round also included existing investors KKR & Co Inc and TenEleven Ventures. The company, founded in 2013, has raised a total of $229 million so far. Chief Executive Officer Nicole Eagan told Reuters that the latest funds will be used to increase headcount. Darktrace employs 750 people at present and expects to end fiscal 2019 with 1,000 employees. Eagan said the company does not plan to go public at the moment, nor is it looking forward to any deals. Darktrace differentiates itself in using advanced machine learning and mathematics developed at the University of Cambridge to identify abnormalities in a company's IT network that might be an attack.

 


Fifth Domain

September 25, 2018

For years the secretive market for zero-day exploits — unpatched bugs in software or hardware — thrived in the dark corners of the internet. But vulnerability sales have been all but driven off the dark web, according to experts, and now operate in the open. The cyber intelligence firm FireEye has only recorded three zero-day sellers on the dark web so far this year, Jared Semrau, a vulnerability and exploitation manager at the firm, told Fifth Domain. That compares to the peak of at least 32 zero-day sellers in that marketplace in 2013, Semrau said. He explained the drop-off as being caused by a combination of “people being cautious and exploit developers selling on the dark web likely being wrapped up in arrests.” Semrau also said that manufacturers have increased their bug-bounty programs, offering payouts for hackers to report rather than reveal exploits, which has contributed to the slowdown in black-market sales. Years ago it was challenging for some to sell or acquire zero-day exploits, said Amit Serper, head of security research at the cybersecurity firm Cybereason. “Now it has changed. That’s the whole point of a bug-bounty program.”

 


The Hill

September 25, 2018

Cyber criminals are ratcheting up efforts to target devices with cryptocurrency malware, according to a new report. Cybersecurity firm McAfee found that the use of cryptocurrency mining malware increased by 86 percent during the second quarter of 2018. The increase continues a trend that has already escalated over the past few months. Christiaan Beek, the lead scientist and senior principal engineer with McAfee Advanced Threat Research, said that in the past few years devices like internet routers have emerged as possible targets for cryptomining. Bitcoin has a $232 billion market, and approximately $1.5 billion worth of cryptocurrency has been stolen in the past two years, according to McAfee.

 


CBS News

September 24, 2018

Cybersecurity is "job one" for businesses, consumers and governments around the world today, and technology companies are "the first line of defense," according to Microsoft president Brad Smith. "The security engineers who work at our company – we have 3,500 of them – are the first responders when things go wrong. It has fundamentally changed the role we need to play and really elevated the responsibility we need to fulfill," Smith said Monday on "CBS This Morning." Asked about the threat China poses to the U.S. in terms of cybersecurity, Smith pointed to the broader picture. "There are plenty of governments that are worried about each other these days. I don't think that this is a problem that one can use to point at a single government. I think it's one that we need to think about from a global perspective. We need stronger technology, we need people to implement the technology we provide, and we also need stronger international laws in this space as well," Smith said. He noted Microsoft announced last month that it had uncovered new Russian hacking attempts targeting U.S. political groups ahead of the 2018 midterm elections, claims Moscow denied.

 

 

INTERNATIONAL

 


CyberScoop

September 28, 2018

esearchers with cybersecurity company ESET have discovered a malware campaign that is able to compromise a device’s firmware component, which they say in a report published Thursday is the first known instance of such an attack in the wild. ESET says that it found attributes in the malware that link it to the prominent Russian hacking group APT28. The malware, dubbed LoJax, can “serve as a key to the whole computer” by infecting the Unified Extensible Firmware Interface (UEFI) of a device, according to the report. ESET explains that firmware rootkits like LoJax have in the past been demonstrated in theory and are suspected to be in use by some governments, but haven’t been observed in the wild. This kind of malware is hard to detect and has advanced persistence properties, as it’s able to survive a complete operating system reinstall and even a hard drive replacement. If LoJax sounds familiar, that’s because it mimics the the persistence methods of the legitimate LoJack anti-theft software, which itself was co-opted into being used in APT28 malware.

 


AP

September 27, 2018

European Union lawmakers appear set this month to demand audits of Facebook by Europe's cybersecurity agency and data protection authority in the wake of the Cambridge Analytica scandal. A draft resolution submitted Thursday to the EU Parliament's civil liberties and justice committee urged Facebook to accept "a full and independent audit of its platform investigating data protection and security of personal data." The assembly summoned Facebook CEO Mark Zuckerberg in May to testify about allegations that political consulting firm Cambridge Analytica used the data of millions of Facebook users to target voters during political campaigns, including the one that brought U.S. President Donald Trump to office. Claude Moraes, the chairman of the EU parliamentary committee who drafted the resolution, said the probes "need to be done." "Not only have Facebook's policies and actions potentially jeopardized citizens' personal data, but then they have also had an impact on electoral outcomes and on the trust citizens pose in digital solutions and platforms," Moraes said. The committee aims to adopt the resolution, which will almost certainly be modified, by Oct. 10 and put it to the full assembly for endorsement in late October, well ahead of EU elections next May.

 


The Strait Times

September 27, 2018

A server exploited by hackers to ultimately reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year. Servers are typically patched several times a month. This server became one of the many pathways hackers exploited, as it fell through the cracks of Integrated Health Information Systems' (IHiS) oversight, the Committee of Inquiry (COI) heard on Thursday (Sept 27). At the COI hearing into the breach, Mr Tan Aik Chin, a senior manager of cancer service registry and development at the National Cancer Centre Singapore (NCCS), testified that he became the "convenient" custodian of the server in question. On paper, he was not supposed to manage the server, but he had been doing so in practice since 2014.

 


Defense One

September 27, 2018

Estonia’s new ambassador-at-large for cyber security, Heli Tiirmaa-Klaar, recently explained to the Wall Street Journal that “compared to many other security fields, in cyber we have reached maybe 10 percent of total readiness to understand the threats, to respond to threats and also to prevent the threat or maybe deter the threat. We have lots of room for development.” She’s right; just look at the most basic of metrics: How do governments count cyber attacks? How do they classify them? The problems — imprecision of language, and a lack of policy — can be seen in a trio of official quotes from a single month last year. On Jan. 7, French Defense Minister Jean-Yves Le Drian warned that 2016 had seen 24,000 cyberattacks against French defense targets, and that the attacks were doubling every year. On Jan. 8, the Financial Times reported off an interview with EU security commissioner Sir Julian King that “there were 110 separate attempts to hack the European Commission’s servers in 2016, a 20 percent rise on the year before.” And on Jan. 19, NATO Secretary General Jens Stoltenberg told Die Welt that “there was a monthly average of 500 threatening cyber attacks last year against NATO infrastructure that required intensive intervention from our experts. That’s an increase of 60 percent compared to 2015.”

 


AP

September 26, 2018

Taking center stage at the United Nations, President Donald Trump on Wednesday accused China of trying to interfere in the upcoming U.S. congressional elections because it opposes his tough trade policies. The White House provided scant evidence of anything akin to the level of Russia's meddling in the 2016 presidential election. "They do not want me or us to win because I am the first president ever to challenge China on trade," Trump said as he chaired the U.N. Security Council for the first time. He made his accusation against the backdrop of the special counsel's investigation into Russian interference in the last election to help him and amid concerns that this November's elections also could be vulnerable. Asked later what evidence he had, Trump said there was "plenty" but didn't immediately provide details, suggesting that some of the material was classified. Instead, he zeroed in on China's propaganda efforts to flood the heartland with ads and statements against Trump's billions of dollars in punishing tariffs.

 


CyberScoop

September 26, 2018

VPNFilter, the malware framework that co-opted half a million networking devices into a botnet earlier this year, has “even greater capabilities” than previously documented, new research shows. Talos, Cisco’s threat intelligence unit, said it recently found seven more VPNFilter modules that “add significant functionality to the malware,” whose botnet loomed over Ukraine ahead of a key soccer match in late May as well as an important public holiday in that country. Among the newly discovered capabilities of VPNFilter are the ability to exploit endpoint devices via compromised network gear, plus “data filtering and multiple encrypted tunneling capabilities to mask command and control and data exfiltration traffic,” Talos researcher Edmund Brumaghin wrote in a blog post Wednesday. The VPNFilter-enabled botnet had the ability to “brick” or disable hundreds of thousands of devices, so researchers and U.S. law enforcement urgently sought to raise awareness of and mitigate the threat.

 


The Financial Times

September 24, 2018

Tesco is in line to face the biggest fine on record from the UK financial watchdog for a cyber-related fraud. The Financial Conduct Authority and Tesco’s banking arm are locked in negotiations over a penalty for the incident that took place in late 2016, with regulators considering a fine as high as £30m, according to people familiar with the situation. But Tesco Bank is hoping the matter will be resolved with a fine of under £20m, another person familiar with the discussions told the Financial Times. It is typical for the FCA and a company to negotiate an eventual penalty even in a case where the company under investigation accepts the regulator’s findings of fact. A sustained cyber attack on Tesco Bank in November 2016 forced the company to repay £2.5m of losses to 9,000 customers in a heist described at the time as “unprecedented” by regulators. The FCA looked into whether Tesco Bank had left its customers exposed to fraud because it had issued sequential debit-card numbers, a practice most lenders avoid.

 

 

TECHNOLOGY

 


Ars Technica

September 27, 2018

Today, six prominent information-security experts who took part in DEF CON's Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. "Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the authors of the report warned. The machine in question, the ES&S M650, is used for counting both regular and absentee ballots. The device from Election Systems & Software of Omaha, Nebraska, is essentially a networked high-speed scanner like those used for scanning standardized-test sheets, usually run on a network at the county clerk's office. Based on the QNX 4.2 operating system—a real-time operating system developed and marketed by BlackBerry, currently up to version 7.0—the M650 uses Iomega Zip drives to move election data to and from a Windows-based management system. It also stores results on a 128-megabyte SanDisk Flash storage device directly mounted on the system board. The results of tabulation are output as printed reports on an attached pin-feed printer.

 


Wired

September 24, 2018

By now it’s hopefully been drilled into you to enable two-factor authentication on your online accounts, giving you more protection than a password alone. And while the most ubiquitous second factor is a numeric code sent to your smartphone via an app, physical tokens that you plug into your computer have become increasingly popular. And now they're angling to make passwords obsolete. On Monday, the hardware authentication company Yubico is announcing a new generation of its physical YubiKey tokens that support password-less login. The Series 5 YubiKeys get this streamlined mojo from FIDO2, a new version of an open source standard that facilitates secure authentication. As companies like Microsoft adopt the standard over the next few months, all you'll need for a secure log-in is to plug in and tap your new YubiKey. That's it.

 


The New York Times

September 22, 2018

Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed. After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh. Dead Addict’s version of the story involves an employer who pushed him to apply for a patent — for which he was required to provide his full legal name. “The people who later doxxed me,” he said, using a term for publishing private information about someone, usually with malicious intent, “pointed to that patent.” Nico Sell managed to stay “ungoogleable,” she said, until around 2012, when, acting as chief executive of a secure-messaging company, Wickr, she felt she needed to become more of a public figure — if reluctantly. “My co-founders and I, we all drew straws,” she said, “and that was that.”