FCW
September 28, 2018
The head of
the Department of Energy's cybersecurity office told a congressional panel she plans
to distill threat and intelligence data into actionable reports for critical
infrastructure providers. Private sector personnel won't necessarily have to
possess security clearances to view such reports, Karen Evans, assistant
secretary of the DoE's Office of Cybersecurity, Energy Security, and Emergency
Response, said at a Sept. 27 Capitol Hill hearing. Evans, who has been at CESER
for a month, told the House Energy and Commerce Committee she plans to combine
threat and intelligence data into reports that energy sector critical
infrastructure providers can act on immediately. Critical infrastructure
providers have complained about the Department of Homeland Security's efforts
to share threat information, which can require infrastructure provider employees
get security clearances to see that data.
Fifth Domain
September 27, 2018
The past
few years have seen the United States experience election hacking efforts by
foreign adversaries and corporate data breaches from underground hacktivists,
among other events, leaving many officials to wonder what the U.S. doctrine for
cyberspace even is. The new U.S. Cyberspace Solarium Commission was created to
answer just that. "We lack a doctrine that defines how, when and where we
play offense and defense. We don’t have a playbook. It’s time to draft one,”
said Sen. Ben Sasse, R-Neb., who is credited with developing the commission to
help contextualize cyber in the broader national and economic security
discussion. The Cyberspace Solarium Commission, modeled after President
Eisenhower’s Project Solarium, was established by the National Defense Authorization
Act of 2019. The purpose of the commission, according to the legislation, is
“to develop a consensus on a strategic approach to defending the United States
in cyberspace against cyberattacks of significant consequences.” The bipartisan
Cyberspace Solarium commission will include a total of 14 members, including
the deputy director of national intelligence, the deputy secretary of homeland
security, the deputy secretary of defense, and the director of the FBI.
The Hill
September 27, 2018
Democrats
on the House Intelligence Committee have requested an intelligence briefing on
President Trump’s accusations that China has tried to interfere in the midterm
elections. Rep. Adam Schiff (D-Calif.), the committee’s ranking member, told
The Hill Thursday that the minority has requested a briefing before the House’s
next recess on Trump's claims. “We have requested to be briefed on what he was
referring to,” Schiff said. “We expect that we will, before we recess, have the
opportunity to ask just what he is talking about.” On Wednesday, Trump accused
China of trying to meddle in the elections during a speech at a United Nations
Security Council meeting in New York. “Regrettably, we found that China has
been attempting to interfere in our upcoming 2018 election,” Trump said. “They
do not want me or us to win because I am the first president ever to challenge
China on trade.” At a later press conference, Trump pointed to an insert in the
Des Moines Register purchased by a Chinese government-backed media company that
criticized Trump’s trade policies. He described the alleged Chinese
interference as “different” than Russia’s efforts to interfere in the 2016
vote.
FCW
September 27, 2018
The
Transportation Security Agency has the authority to regulate cybersecurity of
natural gas and oil pipelines, but many lawmakers and stakeholders are starting
to wonder whether that is the best arrangement, considering the vulnerability
of infrastructure to remote attacks directed via industrial control systems. In
particular, some lawmakers have objected to TSA's oversight because its
cybersecurity standards are voluntary for industry, despite possessing the
authority to lay down mandatory rules. This differs from the electrical sector,
which is subject to mandatory standards imposed by the Federal Energy
Regulatory Commission. Pipeline policy experts told FCW that TSA's standards
are out of date, predating the National Institute of Standards and Technology's
cybersecurity framework. They also said recent TSA updates to its standards
this past summer came just before NIST updated its cyber framework.
Nextgov
September 26, 2018
Legislation
introduced in the House Wednesday would create a stronger federal chief
information officer and establish a chain of command for some of the
administration’s most important IT officials. The Federal CIO Authorization Act
of 2018 would make the federal CIO a presidential appointee who would report
directly to the Office of Management and Budget director. Currently the federal
CIO reports to OMB’s deputy director for management. Introduced by Reps. Will
Hurd, R-Texas, and cosponsor Robin Kelly, D-Ill., the legislation also renames
the Office of E-Government to the Office of the Federal Chief Information
Officer. Under the legislation, the federal CIO would directly oversee the
federal chief information security officer, and the bill codifies the federal CISO
position as a presidential appointment. The legislation firmly establishes the
federal CIO as the top civilian tech official, and directs whoever holds the
position to “submit a proposal to Congress for consolidating and streamlining
IT across federal agencies.” Suzette Kent currently serves as the federal CIO.
Grant Schneider was named federal CISO in July.
FCW
September 26, 2018
Senate
appropriators continue to negotiate this week over a general government
"minibus" spending package that includes the Technology Modernization
Fund. While talks could bleed over into next week, Rep. Will Hurd (R-Texas),
author of the Modernizing Government Technology Act, told FCW that he expects
the funding to be restored when the final package is unveiled. "I'm pretty
sure that we have resolved the issue with TMF and what the final amount is I
think is going to be what we saw in the House package," Hurd told FCW on
Sept. 26. "I feel good about it." The Technology Modernization Fund still
has $55 million left over from this year's appropriations, and members of the
board responsible for doling the money out to worthy agency projects have said
they are getting ready to award another round of funding soon. House
appropriators sought $150 million for the fund in fiscal year 2019, but the Senate
zeroed out those dollars after some senators complained that the Office of
Management and Budget was not being nearly transparent enough around how the
board operates and how projects were being selected.
Nextgov
September 26, 2018
Federal
agencies would be able to override union objections to block employees from
using personal email accounts or Facebook on work computers under a bill the
Senate Homeland Security Committee forwarded Wednesday. The bill, sponsored by
Committee Chairman Ron Johnson, R-Wisc., would give agencies authority to block
websites if there’s a pressing cybersecurity need. The Federal Information
Systems Safeguards Act, which is less than 250 words, passed on a voice vote.
Though senators did not individually record their votes, several voted against
the measure. Johnson was the only senator who spoke directly about the bill,
saying: “It’s a good piece of legislation. I think it’s necessary.” A similar
bill passed the House Oversight Committee in July. The American Federation of
Government Employees, a major federal employee union, put out a statement
opposing the House bill, saying it “does not increase federal IT security” and
“would take collective bargaining rights away from employees when it comes to
IT.”
McClatchy
September 25, 2018
With some
40 days remaining before the crucial midterm elections, signs of digital meddling
in campaigns are mounting. But most candidates have spent little or nothing on
cybersecurity, and say it’s too hard and expensive to focus on hacking threats
with all the other demands of running for office. Only six candidates for U.S.
House and Senate spent more than $1,000 on cybersecurity through the most
recent Federal Election Commission filing period. Yet those who monitor
intrusions and digital mayhem say hackers are active. And various reports cite
at least three candidates, still in races or ousted in primaries, as having
suffered attempted breaches of their campaigns.
The Hill
September 25, 2018
Sen. James
Lankford (R-Okla.) said Tuesday that a bipartisan election security bill won’t
be passed by Congress ahead of November’s midterm elections. Lankford told The
Hill that the text of the bill, known as the Secure Elections Act, is still
being worked out. And with the House only being in session for a limited number
of days before the elections, the chances of an election security bill being
passed by then are next to none. “The House won’t be here after this week so
it’s going to be impossible to get passed,” Lankford said of the bill. The
legislation, which aims to protect elections from cyberattacks, was initially
set to be addressed by a Senate committee last month. But the markup was
abruptly postponed by Senate Rules and Administration Committee Chairman Roy
Blunt (R-Mo.) over a lack of Republican support and after some secretaries of
state shared concerns about the bill, a GOP Senate aide told The Hill at the
time. The White House was also critical of the legislation, saying that it
“cannot support legislation with inappropriate mandates or that moves power or
funding from the states to Washington for the planning and operation of
elections.” The legislation is co-sponsored by Sen. Amy Klobuchar (D-Minn.),
who has urged lawmakers to take steps to secure U.S. elections.
ADMINISTRATION
FCW
September 28, 2018
The
Department of Homeland Security issued a Binding Operational Directive in May
directing all agencies to identify, categorize and prioritize cybersecurity for
high value assets. However, according to a new technical report by the agency,
communications in the wake of that directive "show that agencies need help
in understanding the architectural weaknesses within [high value] systems"
and need additional assistance to protect them. The federal government is
making a concerted effort to shift its cybersecurity resources and focus to the
most sensitive and mission critical systems that agencies need to carry out
their missions. At an August 2018 FCW event, federal CIO Suzette Kent said that
100 percent of agencies have submitted their inventory of high value assets,
but watchdogs continue to find agencies that need to implement stronger
protections around those assets.
Gov Info Security
If all goes
according to plan, the Food and Drug Administration will launch in fiscal 2019
a new digital health "center of excellence" that includes a
cybersecurity unit. The new unit would not only deal with cyber issues
pertaining to new health technologies, but also challenges facing older medical
devices. The FDA's $5.8 budget request for fiscal 2019 - which begins Oct. 1 -
includes $70 million for the FDA to establish "a new paradigm for digital
health technologies," according to the agency's budget justification
document released earlier this year. President Trump is reportedly planning to
avert a partial government shutdown that would start at midnight Sept. 30 by
signing an $852 billion continuing resolution budget bill for fiscal 2018 that
was passed by Congress this week and would fund the government through Dec. 7.
FDA funding - including the request for the digital health initiative's center
of excellence - is not part of that spending bill, but rather is part of the
FDA's overall fiscal 2019 budget request.
Nextgov
September 27, 2018
New policy
and guidance are coming for agencies to ensure they are using secure network
connections. It won’t look like the old Trusted Internet Connection policy but
it’s not clear yet what it will look like, according to a top official. When
devices and applications connect to the internet, agencies need to ensure that
connection is secured from outside influence and infiltration. As technologies
like cloud become more abundant and defined network perimeters disappear,
creating hard rules has become more difficult, according to Mark Bunn, program
manager for the Homeland Security Department’s TIC initiative. Bunn said his
department has been hard at work on an update to the current document, which
was released in 2008. As they assess the current landscape, TIC officials have
found themselves on the cusp of a sea-change. “We’ve seen a lot of things
change with a stagnant program,” Bunn said during a Sept. 27 event hosted by
FCW. “We have the whole concept of boundaries, and now we have technologies
that don’t have boundaries. How do you apply a boundary program to try to
leverage data and use data when there’s no such thing as a boundary anymore?”
Under the current policy and guidance, agencies are instructed to build strong
perimeter defense like firewalls and enclaves “and pretend like it’s a 2008
network,” Bunn said. The new environment is so different, the office even
considered renaming the program. For now, they’re calling it TIC 3.
Fifth Domain
September 27, 2018
Secretary
of Defense Jim Mattis predicted the U.S. government will one day offer cyber
protection to businesses that work with critical infrastructure and may even
extend such a buffer to some individuals. The top Pentagon official said during
a Sept. 25 speech at the Virginia Military Institute that he envisions a
voluntary program that would be spurred by the rapid change in technology.
“Because the Department of Defense has about 95 percent more of the capability
to protect the country on cyber, we are probably going to have to offer to
banks, to public utilities, (to) electrical generation plants and that sort of
thing, the opportunity to be inside a government protected domain,” Mattis
said. “It’s not going to be forced and there are constitutional issues, but I
think we should also offer it to small businesses and individuals.” Mattis, who
rarely discusses cyber at length in speeches, did not put a timeline on the
plan, only predicting that it would happen “in the long run.” “I am talking to
real smart people about what they do on cyber defense so that we are more
resistant and more resilient,” Mattis said.
The New York Times Magazine
September 26, 2018
It was
mid-July 2016 when Neil Jenkins learned that someone had hacked the Illinois
Board of Elections. Jenkins was a director in the Office of Cybersecurity and
Communications at the Department of Homeland Security, the domestic agency with
a congressional mandate to protect “critical infrastructure.” Although election
systems were not yet formally designated as such — that wouldn’t happen until
January 2017 — it was increasingly clear that the presidential election was
becoming a national-security issue. Just a month before, Americans had been
confronted with the blockbuster revelation that Russian government actors had
hacked the Democratic National Committee’s servers and stolen private email and
opposition research against Donald Trump, the Republican presidential
candidate. And now, it emerged, someone was trying to infiltrate the election
system itself.
Financial Planning
September 26, 2018
Almost
eight years after the Identity Theft Red Flags rule went into effect, the SEC
announced its first enforcement of the law. The Des Moines, Iowa-based
broker-dealer and investment advisor Voya Financial Advisors will pay $1
million to settle charges that it failed to adopt procedures that protected
customer records and address weaknesses in its cybersecurity policy after cyber
intruders gained access to the personal information of several thousand
customers. Over the course of six days in April 2016, cyber thieves
impersonated Voya Financial Advisors contractors on the firm’s technical
support line and requested that representatives’ passwords be reset for access to
the proprietary web portal Voya used to share customer information with contractors.
The SEC order states that two of the phone numbers the impersonators used had
already been identified by the company as linked to prior attempts to
impersonate Voya Financial Advisor contractors. Nonetheless, Voya Financial’s
support staff still reset their passwords and even provided the
representative’s username.
The New York Times
September 25, 2018
As a
Vietnamese immigrant with imperfect English, Nghia H. Pho felt he was falling
behind his fellow National Security Agency software developers in promotions
and pay. So in 2010, after four years on the job, he began taking highly
classified documents to his Maryland home to get extra work done at night and
on weekends in an effort to improve his performance evaluations. But in the
five years that Mr. Pho, 68, stored the material on his insecure home computer,
officials believe it was stolen by Russian hackers using the antivirus software
installed on the machine. Mr. Pho worked for the N.S.A.’s hacking unit, then
known as Tailored Access Operations, and his cache is believed to have included
both hacking tools and documentation to go with it. On Tuesday, as family
members wept in the courtroom, Mr. Pho was sentenced to five and a half years
in prison after pleading guilty to a single count of willful retention of
national defense information. Mr. Pho, a slender man with a thatch of white
hair, chose to address the court in English despite the presence of an
interpreter. “I did not betray the U.S.A.,” he said. “I did not send the
information to anyone. I did not make a profit.”
CyberScoop
September 24, 2018
While the
Department of Homeland Security has looked to step up its use of drones to
patrol the U.S.-Mexico border, lax security policies have left the collected
data vulnerable to hackers and insider threats, a new audit finds. IT systems
used by Customs and Border Protection to share drone-gathered data are “at
increased risk of compromise by trusted insiders and external sources” because
of security shortcomings, a DHS inspector general report states. “Continuous
monitoring to facilitate effective security incident handling, reporting, and
remediation was lacking, while system maintenance and oversight of contractor
personnel were inconsistent,” the report says. The IG investigation comes as
DHS has sought more advanced drone technology to surveil border areas. In July
2016, for example, the department asked industry for proposals for small and
easily deployable commercial drones.
BuzzFeed
September 23, 2018
The good news
is that the thousands of county and municipal governments that administer
elections across the US have a variety of effective cybersecurity programs
available to them, free of charge. The bad news is that the vast majority don't
use any of them. In the complex debate about US election security, the focus
tends to be on campaigns, parties, states, voting equipment manufacturers, and
national trends. But the literal administration of elections, like the printing
of ballots, coordinating poll workers, and organizing polling places, falls to
more than 10,000 county clerks and local municipalities, according to the
nonprofit organization Verified Voting. And those are the people the Department
of Homeland Security would like to sign up for its cybersecurity program.
“There should not be any counties left out, because they can sign up for cyber
hygiene scanning,” Jeanette Manfra, DHS’s top cybersecurity official, told
BuzzFeed News. “They absolutely have the ability to be a partner. They might
not know about it, so we’ve got to keep working to get the message out,” Manfra
said.
INDUSTRY
The Washington Post
September 28, 2018
Facebook
said Friday that hackers had stolen information that could have allowed them to
take over 50 million user accounts, in the latest mishap for the social media
company, which has spent months struggling to regain the confidence of
policymakers and the public. The company said that as many as 90 million
Facebook users — out of a total of 2.2 billion — will have to log back into
their accounts as a result of the breach. Notifications will appear at the top
of the Facebook news feed for the 50 million users who were directly affected,
executives said on a call with reporters. The hackers were able to gain access
to profile information, such as users' names, hometowns and genders, Facebook
said. It is possible they could have had access to more information, but
Facebook said its investigation is in the early stages. No credit card
information was exposed, Facebook executives said, and so far there is no
evidence the attackers sought to access private messages or post fraudulent
messages from the accounts. “This is a serious issue, and we’re committed to
addressing it,” said Facebook chief executive Mark Zuckerberg. “This
underscores that there are constant attacks from people who are trying to take
over accounts or steal information from people in our community.”
E&E News
September 27, 2018
North
American grid regulators share the U.S. government's misgivings about
Moscow-based cybersecurity company Kaspersky Lab, according to a confidential
alert sent to the power sector last year. On Oct. 5, 2017, the North American
Electric Reliability Corp. issued a rare "Level 2" cybersecurity
recommendation — one of just three such warnings since 2013 — covering power
utilities' potential use of Kaspersky anti-virus software, sources confirmed to
E&E News. NERC is responsible for setting and enforcing security rules for
the bulk U.S. power grid. Bill Lawrence, NERC's vice president and chief
security officer, said the regulator based its supply chain security alert on
dialogue with the departments of Energy and Homeland Security and the Federal
Energy Regulatory Commission, the independent federal agency that gets final
say over grid security standards. NERC declined to comment on the contents of
the document, which is restricted from public disclosure under the
"Traffic Light Protocol."
SC Media
September 27, 2018
A report
covering connected car security from 2016-2017 has found the number of
vulnerabilities has decreased in number and likelihood, but more work needs to
be done baking in security during the design phase and applying industry best
practices in the future. IOActive’s research, which follows up on a similar
report issued in 2016, included a look at threat modeling, attack vectors and
attack methodologies to come up with a series of potential vulnerabilities and
then listing the likelihood they could be exploited by a malicious actor.
The good news from the report is that the number of vulnerabilities found has
decreased, as has the impact they can have on a system. In 2018, 10 percent were
rated as potentially having a critical impact, down 15 points from the 2016
report, while the number of medium and low impact issues increased to 52
percent of the total. A greater focus on cybersecurity at the factory level is
credited for this change.
ZDNet
September 27, 2018
Google
launched today a new set of services for enterprise customers of VirusTotal, a
website that lets users test suspicious files and URLs against an aggregate of
multiple antivirus scanning engines at the same time. This collection of new
tools is part of the new VirusTotal Enterprise service, which Google described
as "the most significant upgrade in VirusTotal's 14-year history." As
the name implies, this new service is specifically aimed at enterprise
customers and is an expansion of VirusTotal's current Premium Services. Google
says VirusTotal Enterprise consists of existing VirusTotal capabilities, but
also new functionality, such as improved threat detection and a faster search
system that uses a brand new interface that unifies capabilities in VirusTotal's
free and paid sites.
The San Diego Union-Tribune
September 26, 2018
The Port of
San Diego said Wednesday it is investigating a highly sophisticated
cybersecurity threat to its technology systems that is currently affecting the
public agency’s ability to process park permits and records requests, and
perform other business services. The digital assault is similar, in some ways,
to a ransomware attack that was launched against the city of Atlanta in March,
security analysts say. The hackers were able to shut down many services,
including people’s ability to pay traffic tickets and water bills. The
attackers — who sought bitcoins as ransom — also temporarily knocked out
wireless communications at the Atlanta airport. The San Diego Harbor Police
Department, the law enforcement arm of the Port, is also affected by the attack
and is said to be using alternative technology systems. “The Port of San Diego
has experienced a serious cybersecurity incident that has disrupted the
agency's information technology systems,” CEO Randa Coniglio said in a
statement. “The Port has mobilized a team of industry experts and local,
regional, state and federal partners to minimize impacts and restore system
functionality, with priority placed on public safety-related systems.”
CyberScoop
September 26, 2018
Ridehailing
company Uber will pay $148 million across all 50 states and Washington, D.C.,
as part of a settlement stemming from a data breach that revealed sensitive
information on 57 million of the company’s users. The breach took place in
October 2016 and revealed names, email addresses, phone numbers and U.S.
driver’s license numbers. The company paid the hackers $100,000 to stay quiet
and delete the data. Several attorneys general released statements after the
settlement was announced, with each state getting a varying amount.
ZDNet
September 26, 2018
A new
academic study published today reveals that Android-based password managers
have a hard time distinguishing between legitimate and fake applications,
leading to easy phishing scenarios. The study looked at how password managers
work on modern versions of the Android OS, and which of the OS features
attackers can abuse to collect user credentials via phishing attacks carried
out via fake, lookalike apps. What the research team found was that password
managers, initially developed for desktop browsers, aren't as secure as their
desktop versions. The problem comes from the fact that mobile password managers
have a hard time associating a user's stored website credentials with a mobile
application and then creating a link between that website and an official app.
Reuters
September 26, 2018
Cyber-security
firm Darktrace said on Wednesday it has raised $50 million in its latest
funding round led by European private equity firm Vitruvian Partners LLP,
valuing the company at $1.65 billion. The series E funding round also included
existing investors KKR & Co Inc and TenEleven Ventures. The company,
founded in 2013, has raised a total of $229 million so far. Chief Executive
Officer Nicole Eagan told Reuters that the latest funds will be used to
increase headcount. Darktrace employs 750 people at present and expects to end
fiscal 2019 with 1,000 employees. Eagan said the company does not plan to go
public at the moment, nor is it looking forward to any deals. Darktrace
differentiates itself in using advanced machine learning and mathematics
developed at the University of Cambridge to identify abnormalities in a
company's IT network that might be an attack.
Fifth Domain
September 25, 2018
For years
the secretive market for zero-day exploits — unpatched bugs in software or
hardware — thrived in the dark corners of the internet. But vulnerability sales
have been all but driven off the dark web, according to experts, and now
operate in the open. The cyber intelligence firm FireEye has only recorded
three zero-day sellers on the dark web so far this year, Jared Semrau, a
vulnerability and exploitation manager at the firm, told Fifth Domain. That
compares to the peak of at least 32 zero-day sellers in that marketplace in
2013, Semrau said. He explained the drop-off as being caused by a combination
of “people being cautious and exploit developers selling on the dark web likely
being wrapped up in arrests.” Semrau also said that manufacturers have
increased their bug-bounty programs, offering payouts for hackers to report
rather than reveal exploits, which has contributed to the slowdown in
black-market sales. Years ago it was challenging for some to sell or acquire
zero-day exploits, said Amit Serper, head of security research at the
cybersecurity firm Cybereason. “Now it has changed. That’s the whole point of a
bug-bounty program.”
The Hill
September 25, 2018
Cyber
criminals are ratcheting up efforts to target devices with cryptocurrency
malware, according to a new report. Cybersecurity firm McAfee found that the
use of cryptocurrency mining malware increased by 86 percent during the second
quarter of 2018. The increase continues a trend that has already escalated over
the past few months. Christiaan Beek, the lead scientist and senior principal
engineer with McAfee Advanced Threat Research, said that in the past few years
devices like internet routers have emerged as possible targets for
cryptomining. Bitcoin has a $232 billion market, and approximately $1.5 billion
worth of cryptocurrency has been stolen in the past two years, according to
McAfee.
CBS News
September 24, 2018
Cybersecurity
is "job one" for businesses, consumers and governments around the
world today, and technology companies are "the first line of
defense," according to Microsoft president Brad Smith. "The security
engineers who work at our company – we have 3,500 of them – are the first
responders when things go wrong. It has fundamentally changed the role we need
to play and really elevated the responsibility we need to fulfill," Smith
said Monday on "CBS This Morning." Asked about the threat China poses
to the U.S. in terms of cybersecurity, Smith pointed to the broader picture.
"There are plenty of governments that are worried about each other these
days. I don't think that this is a problem that one can use to point at a
single government. I think it's one that we need to think about from a global
perspective. We need stronger technology, we need people to implement the
technology we provide, and we also need stronger international laws in this
space as well," Smith said. He noted Microsoft announced last month that
it had uncovered new Russian hacking attempts targeting U.S. political groups
ahead of the 2018 midterm elections, claims Moscow denied.
INTERNATIONAL
CyberScoop
September 28, 2018
Researchers
with cybersecurity company ESET have discovered a malware campaign that is able
to compromise a device’s firmware component, which they say in a report
published Thursday is the first known instance of such an attack in the wild.
ESET says that it found attributes in the malware that link it to the prominent
Russian hacking group APT28. The malware, dubbed LoJax, can “serve as a key to
the whole computer” by infecting the Unified Extensible Firmware Interface
(UEFI) of a device, according to the report. ESET explains that firmware
rootkits like LoJax have in the past been demonstrated in theory and are
suspected to be in use by some governments, but haven’t been observed in the
wild. This kind of malware is hard to detect and has advanced persistence
properties, as it’s able to survive a complete operating system reinstall and
even a hard drive replacement. If LoJax sounds familiar, that’s because it
mimics the persistence methods of the legitimate LoJack anti-theft software,
which itself was co-opted into being used in APT28 malware.
AP
September 27, 2018
European Union lawmakers appear set this month to demand audits of
Facebook by Europe's cybersecurity agency and data protection authority in the
wake of the Cambridge Analytica scandal. A draft resolution submitted Thursday
to the EU Parliament's civil liberties and justice committee urged Facebook to
accept "a full and independent audit of its platform investigating data
protection and security of personal data." The assembly summoned Facebook
CEO Mark Zuckerberg in May to testify about allegations that political consulting
firm Cambridge Analytica used the data of millions of Facebook users to target
voters during political campaigns, including the one that brought U.S.
President Donald Trump to office. Claude Moraes, the chairman of the EU
parliamentary committee who drafted the resolution, said the probes "need
to be done." "Not only have Facebook's policies and actions
potentially jeopardized citizens' personal data, but then they have also had an
impact on electoral outcomes and on the trust citizens pose in digital
solutions and platforms," Moraes said. The committee aims to adopt the
resolution, which will almost certainly be modified, by Oct. 10 and put it to
the full assembly for endorsement in late October, well ahead of EU elections
next May.
The Straits Times
September 27, 2018
A server
exploited by hackers to ultimately reach SingHealth's critical system, leading
to Singapore's worst data breach in June, had not received the necessary
security software updates for more than a year. Servers are typically patched
several times a month. This server became one of the many pathways hackers
exploited, as it fell through the cracks of Integrated Health Information
Systems' (IHiS) oversight, the Committee of Inquiry (COI) heard on Thursday
(Sept 27). At the COI hearing into the breach, Mr Tan Aik Chin, a senior
manager of cancer service registry and development at the National Cancer
Centre Singapore (NCCS), testified that he became the "convenient"
custodian of the server in question. On paper, he was not supposed to manage
the server, but he had been doing so in practice since 2014.
Defense One
September 27, 2018
Estonia’s
new ambassador-at-large for cyber security, Heli Tiirmaa-Klaar, recently
explained to the Wall Street Journal that “compared to many other security
fields, in cyber we have reached maybe 10 percent of total readiness to
understand the threats, to respond to threats and also to prevent the threat or
maybe deter the threat. We have lots of room for development.” She’s right;
just look at the most basic of metrics: How do governments count cyber attacks?
How do they classify them? The problems — imprecision of language, and a lack
of policy — can be seen in a trio of official quotes from a single month last
year. On Jan. 7, French Defense Minister Jean-Yves Le Drian warned that 2016
had seen 24,000 cyberattacks against French defense targets, and that the
attacks were doubling every year. On Jan. 8, the Financial Times reported off
an interview with EU security commissioner Sir Julian King that “there were 110
separate attempts to hack the European Commission’s servers in 2016, a 20
percent rise on the year before.” And on Jan. 19, NATO Secretary General Jens
Stoltenberg told Die Welt that “there was a monthly average of 500 threatening
cyber attacks last year against NATO infrastructure that required intensive
intervention from our experts. That’s an increase of 60 percent compared to
2015.”
AP
September 26, 2018
Taking
center stage at the United Nations, President Donald Trump on Wednesday accused
China of trying to interfere in the upcoming U.S. congressional elections
because it opposes his tough trade policies. The White House provided scant
evidence of anything akin to the level of Russia's meddling in the 2016
presidential election. "They do not want me or us to win because I am the
first president ever to challenge China on trade," Trump said as he
chaired the U.N. Security Council for the first time. He made his accusation
against the backdrop of the special counsel's investigation into Russian
interference in the last election to help him and amid concerns that this
November's elections also could be vulnerable. Asked later what evidence he
had, Trump said there was "plenty" but didn't immediately provide
details, suggesting that some of the material was classified. Instead, he
zeroed in on China's propaganda efforts to flood the heartland with ads and
statements against Trump's billions of dollars in punishing tariffs.
CyberScoop
September 26, 2018
VPNFilter,
the malware framework that co-opted half a million networking devices into a
botnet earlier this year, has “even greater capabilities” than previously
documented, new research shows. Talos, Cisco’s threat intelligence unit, said
it recently found seven more VPNFilter modules that “add significant
functionality to the malware,” whose botnet loomed over Ukraine ahead of a key
soccer match in late May as well as an important public holiday in that
country. Among the newly discovered capabilities of VPNFilter are the ability
to exploit endpoint devices via compromised network gear, plus “data filtering
and multiple encrypted tunneling capabilities to mask command and control and
data exfiltration traffic,” Talos researcher Edmund Brumaghin wrote in a blog
post Wednesday. The VPNFilter-enabled botnet had the ability to “brick” or
disable hundreds of thousands of devices, so researchers and U.S. law
enforcement urgently sought to raise awareness of and mitigate the threat.
The Financial Times
September 24, 2018
Tesco is in
line to face the biggest fine on record from the UK financial watchdog for a
cyber-related fraud. The Financial Conduct Authority and Tesco’s banking arm
are locked in negotiations over a penalty for the incident that took place in
late 2016, with regulators considering a fine as high as £30m, according to
people familiar with the situation. But Tesco Bank is hoping the matter will be
resolved with a fine of under £20m, another person familiar with the
discussions told the Financial Times. It is typical for the FCA and a company
to negotiate an eventual penalty even in a case where the company under
investigation accepts the regulator’s findings of fact. A sustained cyber
attack on Tesco Bank in November 2016 forced the company to repay £2.5m of
losses to 9,000 customers in a heist described at the time as “unprecedented”
by regulators. The FCA looked into whether Tesco Bank had left its customers
exposed to fraud because it had issued sequential debit-card numbers, a
practice most lenders avoid.
TECHNOLOGY
Ars Technica
September 27, 2018
Today, six
prominent information-security experts who took part in DEF CON's Voting
Village in Las Vegas last month issued a report on vulnerabilities they had
discovered in voting equipment and related computer systems. One vulnerability
they discovered—in a high-speed vote-tabulating system used to count votes for
entire counties in 23 states—could allow an attacker to remotely hijack the
system over a network and alter the vote count, changing results for large
blocks of voters. "Hacking just one of these machines could enable an
attacker to flip the Electoral College and determine the outcome of a
presidential election," the authors of the report warned. The machine in
question, the ES&S M650, is used for counting both regular and absentee
ballots. The device from Election Systems & Software of Omaha, Nebraska, is
essentially a networked high-speed scanner like those used for scanning standardized-test
sheets, usually run on a network at the county clerk's office. Based on the QNX
4.2 operating system—a real-time operating system developed and marketed by
BlackBerry, currently up to version 7.0—the M650 uses Iomega Zip drives to move
election data to and from a Windows-based management system. It also stores
results on a 128-megabyte SanDisk Flash storage device directly mounted on the
system board. The results of tabulation are output as printed reports on an
attached pin-feed printer.
Wired
September 24, 2018
By now it’s
hopefully been drilled into you to enable two-factor authentication on your
online accounts, giving you more protection than a password alone. And while
the most ubiquitous second factor is a numeric code sent to your smartphone via
an app, physical tokens that you plug into your computer have become
increasingly popular. And now they're angling to make passwords obsolete. On
Monday, the hardware authentication company Yubico is announcing a new
generation of its physical YubiKey tokens that support password-less login. The
Series 5 YubiKeys get this streamlined mojo from FIDO2, a new version of an
open source standard that facilitates secure authentication. As companies like
Microsoft adopt the standard over the next few months, all you'll need for a
secure log-in is to plug in and tap your new YubiKey. That's it.
The New York Times
September 22, 2018
Ask any
hacker who’s been around long enough, and there’s a good chance you’ll hear an
archetypal story, tinged with regret, about the first time his or her real
identity was publicly disclosed. After enjoying years of online anonymity, the
hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey,
Neil!” his wife called out at him, absent-mindedly, from across a crowded room,
while accompanying him (for the very first time) at a hacking conference. “My
beautiful wife, she outed me in front of the entire hacker community,” he said
with a laugh. Dead Addict’s version of the story involves an employer who
pushed him to apply for a patent — for which he was required to provide his
full legal name. “The people who later doxxed me,” he said, using a term for
publishing private information about someone, usually with malicious intent,
“pointed to that patent.” Nico Sell managed to stay “ungoogleable,” she said,
until around 2012, when, acting as chief executive of a secure-messaging company,
Wickr, she felt she needed to become more of a public figure — if reluctantly.
“My co-founders and I, we all drew straws,” she said, “and that was that.”