Wednesday, October 24, 2018

That was then, this is now


The power that you and I have
over and between each other,
strong as steel,
powers our destiny,
propelling us to feel.



Dawn breaks over the horizon. It moves across the sea, soaring over the empty beach….It reaches the top of the hill and lingers there, gray and hazy for a moment, before suddenly plunging down the far side. It sweeps over houses, streets, trees, and flowers asleep on balconies. Down in the valleys it seems to dance, lightly, discreetly. It seeps into the forest and spills across the lake where no one ventures now since Adele drowned there four years, five months, and thirteen days ago.”
~ from the opening  paragraph of bathroom reading pile




The pernicious social dynamics of the internet. We overshare about our personal lives and fail to understand those of others. Narcissism spreads; empathy  vanishes 


Joachim Ronneberg, serving behind enemy lines in his native Norway during the German occupation, in 1943 blew up a plant producing heavy water, or D2O, a hydrogen-rich substance that was key to the later development of atomic bombs.


Bring me the head of the dog': How the man behind Khashoggi murder ran killing via Skype

'Bring me the head of the dog': How the man behind Khashoggi murder ran killing via Skype

ZDNet
The Czech Security Intelligence Service (BIS) has intervened and taken down servers that have been used by Hezbollah operatives to target and infect users around the globe with mobile malware. "I can not comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director. "We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down." BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization. The Czech intelligence agency said the servers and the malware distribution campaign appears to have been going on since the start of 2017.


FROM CJR’S EDITOR: “Trump doesn’t care about a dead journalist because he doesn’t care about journalism.” Kyle Pope, writing on Jamal Khashoggi and a “sobering realization” about the state of journalism in the Trump era, said Trump’s blase attitude also explains why the current president was so reluctant to commemorate the lives of the five people slain in the Capital Gazette newsroom. Asked Julia Ioffe, nervous about the administration’s reaction to Khashoggi: “Is this how they’ll behave if something happens to me when I’m reporting on Russia?” (h/t Jill Geisler)

BEFORE KHASHOGGI'S KILLING: Crown Prince Mohammed bin Salman already has swept the kingdom free of press opposition and dissidents to the monarchy, Washington Post reporter Kevin Sullivan found. Said one dissident, in self-exile in London: “He is trying to silence everyone. There are no human rights defenders still free in Saudi Arabia. They are all behind bars.”

 




Pirate Hunters with Robert Kurson


The Art of Manliness | 0:39 | Listen Later 
Interview with Robert Kurson, author of the book “Pirate Hunters: Treasure, Obsession, and the Search for a Legendary Pirate Ship”. Tells the story of two treasure hunters risking their lives and fortune to find a sunken pirate ship. In the process, they uncovered the story of one of the greatest pirates to ever live during the Golden Age of Piracy. Discusses why pirates are so appealing, why two guys would risk millions of dollar to find a pirate ship and the legendary story of the pirate who captained the sunken ship.



Why now?


Hidden Brain  | 0h 52m | Listen Later 
Uses social science to explain the changes in our minds and culture that allowed the #MeToo movement to gain traction now after previous allegations of sexual misconduct went nowhere

Bassem Youssef: The Bravery to Speak Out


The James Altucher Show | 1h 10m | Listen Later 
Interview with Bassem Youssef, an Egyptian surgeon, who took to YouTube during the revolution to report what was really happening, quickly garnering an audience of 30m. With satire and comedy to defuse the tension, he told a story that changed lives.
Britain fell for a neoliberal con trick – even the IMF says so Guardian 



The Iliad


In Our Time | | 0h 48m Listen Later 
Melvyn Bragg and guests discuss the great epic poem attributed to Homer, telling the story of an intense episode in the Trojan War. It is framed by the wrath of the Greek hero Achilles, insulted by his leader Agamemnon and withdrawing from the battle that continued to rage, only returning when his close friend Patroclus is killed by the Trojan hero Hector.

Commons staff go public to end bullying culture



James Belich – The Black Death


The Edge of Humanity

Waking Up with Sam Harris | Listen Later 
Interview with Yuval Noah Harari about his book “21 Lessons for the 21st Century.” Discusses the importance of meditation, the primacy of stories, the need to revise our fundamental assumptions about human civilisation, threats to liberal democracy, a world without work, universal basic income, the virtues of nationalism and the implications of AI and automation.


FCW
October 16, 2018
It's no secret the internet of things is plagued by security gaps. Devices are shipped with hard-coded passwords and operating systems and firmware that can't be updated over the air. Not only are unsecured IoT devices vectors for leaking user data, but they can also be harnessed by botnet operators to conduct large-scale cyberattacks, such as the Mirai attacks of 2016. So far, no U.S. agency or entity has taken the lead on developing standard or guidelines for IoT security. The Consumer Product Safety Commission is looking at physical threats posted by connected devices but has bowed out of the data security piece. The National Institute of Standards and Technology is accepting comments on a draft guidance that calls out various risks posed by the IoT ecosystem and possible ways to mitigate those risks. Sen. Mark Warner (D-Va.), the vice chairman of the Senate Select Intelligence Committee, is concerned about cybersecurity risks posed by the IoT ecosystem, and he thinks federal purchasing power can influence manufacturers to build better security into their devices.


ADMINISTRATION

Gov Info Security
October 19, 2018
Before marketing their medical devices, manufacturers should prepare a "cybersecurity bill of materials" that lists components that could be susceptible to vulnerabilities, according to a draft of updated Food and Drug Administration premarket guidance. In addition to releasing the proposed guidance this week, the FDA announced a formalized agreement with the Department of Homeland Security to implement a new framework for greater collaboration between the two agencies for addressing cybersecurity in medical devices. "From my vantage point, it looks like everyone in the medical device security community is happy to see stronger premarket recommendations and a more formal relationship between the FDA and DHS," says Ben Ransford, CEO and co-founder of healthcare cybersecurity firm Virta Labs. "Clear delegations of responsibility make incident response easier."

The Hill
October 19, 2018
Officials are speaking out about the security of election systems amid fears cyberattacks could deter Americans from voting. Claims of voter suppression traditionally center around practices like voter roll purges and ID laws. There is no evidence that votes were altered in the Russian attack on the 2016 elections but experts say the concept of a cyberattack alone has left some Americans worried about whether their ballots count. Making sure voters feel secure going to the polls has "been priority No. 1 for us," said Matt Dietrich, the public information officer for the Illinois state board of elections, which was breached by Russian hackers ahead of the 2016 election. A survey of registered voters released this week by security provider OpenVPN showed 60 percent of respondents didn’t believe that the U.S. election system is secure, and 63 percent think the country hasn’t done enough to protect the system for future elections. With both parties promising a “wave” in the midterms, officials said letting voters know their ballots will be counted — and counted accurately — is essential before polls open in November.

Nextgov
Only about 76 percent of civilian government websites are protected by advanced encryption tools more than eight months after a Homeland Security Department deadline, according to figures shared by the department. That’s an improvement from just 54 percent of government sites that were protected by the encryption tools when the deadline initially passed in February, but far below the 100 percent compliance Homeland Security called for in a binding operational directive in October last year. That directive ordered agencies to adopt HTTPS protection for their websites, which encrypts users’ navigation within a web domain and is connoted with a lock icon to the left of a web address.

CyberScoop
October 18, 2018
Director of National Intelligence Dan Coats told CyberScoop on Thursday that he’s seen no evidence of Chinese actors tampering with motherboards made by Super Micro Computer, becoming the latest national security official to question a Bloomberg report that stated the company was the victim of a supply chain hack. “We’ve seen no evidence of that, but we’re not taking anything for granted,” Coats told CyberScoop. “We haven’t seen anything, but we’re always watching.” The comments came before a speech Coats delivered at CyberTalks, where the director touched on supply chain threats as one facet the administration is focused on when it comes to cybersecurity threats. “Be aware of supply chain threats,” Coats said in his speech. “Understand that cyberthreats to your supply chain are an insidious problem that can jeopardize the integrity of your products.” The remarks come after a cover story in Bloomberg Businessweek stated that Chinese intelligence agents placed malicious microchips on motherboards used in servers supplied by Super Micro Computing Inc. Those chips reportedly set up a backdoor into networks of some 30 companies, including Apple and Amazon Web Services. Since the story was released, numerous experts in both the public and private sector have called the details into question.

Nextgov
October 18, 2018
The federal government’s technology modernization campaign is inseparable from efforts to shore up government cybersecurity, federal Chief Information Officer Suzette Kent said Thursday. In many cases, government technology systems were designed years or even decades ago, before the government was deeply concerned about cybersecurity and before hackers were so focused on digitally compromising government systems, Kent said during a CyberTalks event sponsored by the media company CyberScoop. Updating those systems can benefit agencies by making their work faster, easier and cheaper. It can also make securing the systems far easier, Kent said. “The way that we become more secure, the way that we protect our infrastructure is to have a modern infrastructure,” Kent said. For example, many agencies have adopted cloud-based email systems, which are more secure than legacy email systems, Kent said.

CyberScoop
October 18, 2018
The U.S. government’s new and reportedly more muscular approach to conducting offensive cyber-operations must carefully consider the potential blowback of such actions to the private sector, a former senior Department of Homeland Security official has warned. “DHS needs to be part of the discussion around the cost-benefit analysis to bring the private sector point of view because we know the private sector often bears the brunt of the retaliation that comes in the wake of more aggressive activity,” Suzanne Spaulding said Wednesday at the Atlantic Council. Asked what public indication there would that those concerns are being addressed, Spaulding, who served as a DHS undersecretary under President Barack Obama, said the answer lies in the private sector. Private companies will have a sense of “whether their equities were adequately considered” before a U.S. government decision to conduct offensive operations, Spaulding said during a panel discussion. “And my guess is they’ll let us know.” For years, foreign hackers have targeted U.S. companies in multiple sectors, and a surge in U.S. government hacking against foreign adversaries could invite retaliation against any number of multibillion-dollar American firms.

Politico
October 17, 2018
The Democratic National Committee has spent 14 months staffing up with tech talent from Silicon Valley, training staff to spot suspicious emails and giving the FBI someone to talk to if it spots signs of hackers targeting the party. The first concrete sign of success may come in a few weeks, if the Democrats make it through the November midterm elections unscathed. But Raffi Krikorian, the DNC’s chief technology officer, is already pointing to one significant accomplishment — what he calls a massive overhaul of digital security at the committee and its sister organizations. That would be a big leap from September 2015, when the FBI’s first attempt to alert the party to a suspected Russian cyberattack reached a DNC IT contractor who thought it was a prank. Such a major flub would not happen now, said Krikorian, whose résumé includes senior roles at Uber and Twitter. “It would be surprising if a week went by and I didn’t hear from one of the three-letter agencies in my inbox,” Krikorian told Politico during an interview at the committee’s headquarters. Representatives of the bureau and other federal agencies have “been in our building to ask how they can help or what information we might be able to coordinate on in the future.”

Reuters
October 17, 2018
Public companies that fail to tighten their cyber security controls could be violating federal law, the U.S. Securities and Exchange Commission (SEC) said on Tuesday. The regulator’s warning came in the form of a report on its investigation to assess whether nine companies that had been victims of cyber-related frauds had sufficient internal accounting controls in place as required by law. It focused on so-called “business email compromises” in which cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The Federal Bureau of Investigation estimates such scams had led to $5 billion in losses since 2013, the SEC said. The fraud did not include any sophisticated design, but rather used technology to detect the human vulnerabilities in the control system, the report said. “We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement.

AP
October 17, 2018
A federal judge declined Tuesday to order election officials in Tennessee’s largest county to perform rigorous safeguards to its voting systems ahead of early voting for the November elections. U.S. District Judge Thomas Parker denied a request for an order requiring that the Shelby County Election Commission ask the U.S. Department of Homeland Security to perform risk and vulnerability assessments on electronic voting systems. A petition for a temporary restraining order was made by attorney Carol Chumney, who represents a group of voters in a lawsuit seeking to preserve the integrity of the November election. The suit filed last week alleges the outdated touchscreen voting machines used by Shelby County are insecure because they do not produce a voter-verifiable paper trail, and security checks and other safeguards are needed to protect the system from outside manipulation. Chumney also asked that officials require voting systems vendor Election Systems & Software to install advanced security sensors on their system, allow an outside expert to review election security procedures, and permit candidates’ poll watchers to observe collection of memory cards and vote tabulation. Parker ruled that it was not the role of the federal court to tell county officials how to conduct elections.

Federal News Network
October 16, 2018
One year after the Homeland Security Department issued Binding Operational Directive 18-01, Thomas McDermott, deputy assistant secretary for Cyber Policy, said the department is seeing “significant progress” in agency compliance. BOD 18-01 required agencies to adopt Domain-Based Message Authentication, Reporting and Comformance (DMARC), a protocol that authenticates an organization’s emails. When DHS issued BOD 18-01 on Oct. 16, 2017, around 20 percent of federal agencies were using DMARC in some fashion, whether to flag, quarantine or reject malicious messages. Current analysis performed by cybersecurity company Proofpoint shows 74 percent of agencies have published DMARC records, and 60.5 percent are fully compliant with BOD 18-01.

Nextgov
October 16, 2018
Various data on up to 35 million U.S. voters as many as 19 states is for sale online, according to a new report from a pair of cyber security research firms. But the Department of Homeland Security says that’s nothing new: much of the data is either public or available for purchase from state and local governments. An Oct. 15 report from cybersecurity research firms Anomali Labs and Intel471 makes a big claim: “To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including USvoters’ personally identifiable information and voting history.” It says that on Oct. 5, voter registration records for Texas, Georgia, and at least 17 more states were offered for sale on the popular dark web hacking forum “Raid Forums” by a  “known illicit vendor”: a figure named “Downloading,” a likely alias for an administrator on the forum. The data purportedly includes names, addresses, voting history, and “other data” according to the statement. The price? Cheap, starting at $150 for some states and reaching as high as $12,500. “DHS is aware of the report. It is important to note that much of information purportedly being sold is available in most states either publicly or commercially,” a DHS spokesman said in an email  “It does not appear that this data is indicative of a successful breach of state or local election infrastructure.”

The Hill
October 16, 2018
The Department of Homeland Security’s (DHS) top cyber official said Tuesday that a report on an increased number of cyberattacks on election infrastructure points to a rise in reporting the attempted hacks and not necessarily a spike in the attacks themselves. Christoper Krebs, the head of the National Protection and Programs Directorate (NPPD), said at an event on election security hosted by The Bridge that the report on a DHS assessment "seems to indicate that there’s been an uptick in activity" when it comes to cyberattacks on the election systems. "It’s not an uptick in activity," he continued, saying state and local election officials have gotten better at sharing information about cyber activities targeting election systems like voter registration databases since the 2016 election, when that kind of information sharing largely wasn’t happening. “Are we seeing an uptick? I don’t know if we are,” Krebs said. “I think we’re seeing a consistent and persistent level of activity.”

Ars Technica
October 16, 2018
A 21-year-old Kentucky man who previously admitted to creating and selling a "remote access trojan" (RAT) known as LuminosityLink has been sentenced to 30 months in federal prison. Colton Grubbs had previously pleaded guilty to conspiracy to unlawfully accessing computers in the furtherance of a criminal act, among other crimes. When Grubbs was first charged, he claimed LuminosityLink was a legitimate tool for system administrators, and he never intended for it to be used maliciously. He reversed course in a plea agreement he signed in July 2017. In that document, he admitted for the first time that he knew some customers were using the software to control computers without owners' knowledge or permission. Grubbs also admitted emphasizing a wealth of malicious features in marketing materials that promoted the software. The malicious features included the ability for LuminosityLink to be installed without notification, record key presses, surveil targets using their computer cameras and microphones, view and download computer files, steal names and passwords used to access websites, use infected computers to mine digital currencies, use victim computers to launch DDoS attacks, and prevent anti-malware software from detecting and removing the software. He sold this software for $40 a pop to more than 6,000 people globally.

AP
October 12, 2018
The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel. According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered. The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised. According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4. Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it. “It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.


INDUSTRY

BuzzFeed
October 19, 2018
Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that his company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim. Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley–bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create “a stealth doorway” into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. According to Bloomberg, the company discovered some sabotaged hardware in 2015, promptly cut ties with the vendor, Supermicro, that supplied it, and reported the incident to the FBI. Apple, however, has maintained that none of this is true — in a comment to Bloomberg, in a vociferous and detailed company statement, and in a letter to Congress signed by Apple’s vice president of information security, George Stathakopoulos. Meanwhile, Bloomberg has stood steadfastly by its story and even published a follow-up account that furthered the original’s claims.

ZDNet
October 19, 2018
Apple has secretly patched a bunch of high-severity bugs reported to it by Google's Project Zero researchers. The move has resulted in Google's Project Zero once again calling Apple out for fixing iOS and macOS security flaws without documenting them in public security advisories. While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for. Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues.

Gov Info Security
October 19, 2018
Attackers are continuing to compromise unpatched routers, as well as devices with default credentials, built by Latvian manufacturer MikroTik. More than 2 million MikroTik routers appear to be internet-connected. Of those, security experts say that more than 420,000 appear to have been exploited and infected with malicious cryptocurrency-mining scripts. In April, MikroTik rapidly patched a zero-day flaw, designated CVE-2018-14847. Via the flaw, attackers can gain complete access to a vulnerable router, giving them access to Winbox - a simple GUI administration utility for MicroTik's RouterOS - as well as Webfig - the web-based version of the utility. Since then, despite clear and persistent warnings from security researchers as well as MikroTik, hundreds of thousands of its routers remain unpatched and are being actively targeted by attackers, security researchers say.

CyberScoop
October 18, 2018
Influential national security blog Lawfare has been the target of a distributed denial-of-service attack since Wednesday, with attackers amplifying their efforts as security measures are used to stop the traffic barrage. The DDoS attack knocked the site offline intermittently for a few hours on Wednesday, Executive Editor Susan Hennessey estimated, but the malicious traffic stubbornly persisted through Thursday. The attack “increased substantially in response to preliminary defense measures,” Hennessey told CyberScoop in an email Thursday. The website appears to have stabilized, she said, despite the continuous pinging of Lawfare’s site. “Previous attacks have taken us offline for longer periods, but we now have more sophisticated defenses in place so size doesn’t necessarily correlate to impact,” said Hennessey, a former attorney in the National Security Agency’s Office of General Counsel.

The Wall Street Journal
October 17, 2018
Facebook Inc. believes that the hackers who gained access to the private information of 30 million of its users were spammers looking to make money through deceptive advertising, according to people familiar with the company’s internal investigation. The preliminary findings suggest that the hackers weren’t affiliated with a nation-state, the people said. Facebook’s security team has been investigating the incident since Sept. 25, when it discovered that someone was downloading a large quantity of digital access tokens on the social network. In several public briefings about the incident, the company has declined to say who is behind the attack, which it has called the biggest security breach in its history. When they first announced the attack, Facebook officials said they may never discover the identities of the hackers. Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team, said the people familiar with the investigation. Facebook has previously said it was working closely with the Federal Bureau of Investigation on a criminal probe into the incident.

ZDNet
October 17, 2018
A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that's simple to execute and hard to stop --all the features that hackers and malware authors are looking for from an exploitation technique. What's more surprising, is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has not received either media coverage nor has it been seen employed in malware campaigns.

Nextgov
October 17, 2018
There’s a shortage of nearly 3 million cybersecurity professionals worldwide and nearly 500,000 in North America, according to a study released by a major cybersecurity certification organization Wednesday. Those figures echo a cyber workforce shortage in the federal government that has bedeviled agencies struggling to improve the security of their networks. The shortage of qualified cyber professionals is now the number one job concern for cyber workers, beating out low budgets and lack of resources, according to the report, which was compiled by the International Information System Security Certification Consortium, or (ISC)², a major cyber credentialing organization. The report was based on a survey of roughly 1,500 respondents across North and South America, Europe and Asia who work in cybersecurity as at least one-fourth of their workload.

The Wall Street Journal
October 16, 2018
Apple Inc. apologized over the hacking of some Chinese accounts in phishing scams, almost a week after it emerged that stolen Apple IDs had been used to swipe customer funds. In its English statement Tuesday, Apple said it found “a small number of our users’ accounts” had been accessed through phishing scams. “We are deeply apologetic about the inconvenience caused to our customers by these phishing scams,” Apple said in its Chinese statement. The incident came to light last week when Chinese mobile-payment giants Alipay and WeChat Pay said some customers had lost money. The victims of the scams, Apple said Tuesday, hadn’t enabled so-called two-factor authentication—a setting that requires a user to log in with a password and a freshly-generated code to verify their identity.

Ars Technica
October 16, 2018
Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020. TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws. The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.

Gov Info Security
October 16, 2018
Federal regulators have smacked health insurer Anthem Inc. with a record $16 million HIPAA settlement in the wake of a cyberattack revealed in 2015, which impacted nearly 79 million individuals. In announcing the largest-ever HIPAA fine, regulators noted the insurer failed to take several basic security steps, including conducting an enterprisewide security risk assessment. The previous largest HIPAA settlement was $5.55 million paid by Advocate Health Care in 2016. The Department of Health and Human Services' Office for Civil Rights says Anthem agreed to take "substantial corrective action" to settle potential HIPAA privacy and security rules violations after a series of cyberattacks led to the largest U.S. health data breach, exposing electronic protected health information. "The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," says OCR Director Roger Severino.

The New York Times
October 15, 2018
Two years ago, IBM opened one of the nation’s first commercial cybersecurity ranges in Cambridge, Mass., to let companies practice responding to simulated cyberattacks. It describes the experience as “a game of Clue mixed with a Disney roller-coaster ride.” In a windowless bunker packed with a data center, wall-to-wall monitors, atmospheric controls, dozens of work stations and a functional TV studio, participants have about four hours to investigate and respond to a fictional data breach. It’s like an escape room for security nerds. The experience proved so popular — about 2,000 people, including chief executives and entire corporate boards, have played IBM’s game, which has an eight-month waiting list — that IBM decided to build a second range. But this time, it’s going mobile. The move is a reflection of the extent to which the threat of cyberattacks has captured the attention of organizations of all kinds, including the technology companies Facebook and Google, banks, military installations and those who run industrial control systems, like electricity and water providers.


INTERNATIONAL

Politico
October 19, 2018
If there ever was a window for European leaders to name and shame Moscow for carrying out cyberattacks against networks in the EU, Thursday’s Council meeting would have been it. They chose to let the chance go by. In joint conclusions after the EU summit, heads of state denounced aggressive cyber action but stopped short of signaling a move toward decisive EU deterrence against Russia. While the United Kingdom and the Netherlands pushed for swift action following an attack on the Organisation for the Prohibition of Chemical Weapons in The Hague that was widely attributed to Russia, other countries balked. Italy and France were among the countries wary about calling Russia out on its alleged hacking attempts, diplomats said. The final conclusions only repeated pledges made more than a year ago by EU capitals, leading critics to slam the text as lacking a sense of urgency to counter a growing threat from the East.

The Washington Post
October 18, 2018
The president of Australia’s top lawyers’ group told a parliamentary inquiry that proposed cybersecurity laws to force global technology companies such as Facebook and Google to help police by unscrambling encrypted messages sent by extremists and other criminals would significantly limit individuals’ privacy and freedom. A parliamentary committee on Friday began examining a bill introduced last year that is modeled on Britain’s Investigatory Powers Act. That law has given British intelligence agencies some of the most extensive surveillance powers in the Western world. The Australian bill would give security agencies new powers to demand that tech companies help them decrypt data. Arthur Moses, Law Council of Australia’s president-elect, told the committee that a secret service officer could be able to use the proposed law to side-step the need for a warrant to arrange a phone intercept. The bill also places no time limit on how long a telecommunications employee can be held to assist law enforcement and security agencies, which is arguably detention, Moses said.

CyberScoop
October 17, 2018
Ever since the seminal cyberattacks on the Ukrainian power grid in 2015 and 2016, researchers have traced the evolution of the broad set of hackers behind the attacks in an effort to warn organizations the hackers might strike next.  On Wednesday, analysts from cybersecurity company ESET added to that body of knowledge in revealing a quieter subgroup of those hackers that has targeted energy companies in Ukraine and Poland. ESET has dubbed the group GreyEnergy, a derivative of the original group of hackers, which have been known as BlackEnergy. Whereas BlackEnergy is known for the disruptive 2015 attack on the Ukrainian grid that cut power for roughly 225,000 people, GreyEnergy has to date preferred reconnaissance and espionage, according to ESET. The group has taken screenshots of its possible targets, stolen credentials, and exfiltrated files.

CyberScoop
October 17, 2018
Cybersecurity researchers have uncovered remote access tools, or backdoors, linked to an infamous Vietnamese hacking group with a history of targeting government organizations and intellectual-property-rich companies. Analysts with cybersecurity company Cylance say that while investigating a security incident last year, they found multiple custom backdoors used by the cyber-espionage outfit known as APT32 or OceanLotus Group. The hackers used command and control protocols that were tailored to their targets and that supported multiple network communication methods. “The overall design and development of these threats indicate they come from a well-funded development team,” research from Cylance published Wednesday states. “The OceanLotus Group uses an expansive amount of custom library code that can easily be repurposed for maximum effectiveness against their next target.”

NBC
October 17, 2018
The Government Communications Headquarters, Britain's code-breaking, eavesdropping equivalent to the U.S. National Security Agency, was once so secret an American journalist was expelled from the country for just naming the agency in a story. For visitors who know this history, it's somewhat jarring to walk into the gleaming London offices of Britain's National Cyber Security Centre, a relatively new agency responsible for protecting Britain from cyberthreats. A sign at the entrance — just off a major London thoroughfare — proclaims the center a "part of GCHQ." The cyber center is the answer to a problem Britain faced that is similar to one bedeviling the U.S.: No single entity was in charge of cybersecurity. And the best expertise resided in intelligence agencies, where most of the input and output is highly classified.

ZDNet
October 16, 2018
The Czech Security Intelligence Service (BIS) has intervened and taken down servers that have been used by Hezbollah operatives to target and infect users around the globe with mobile malware. "I can not comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director. "We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down." BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization. The Czech intelligence agency said the servers and the malware distribution campaign appears to have been going on since the start of 2017.

Reuters
October 16, 2018
A new NATO military command center to deter computer hackers should be fully staffed in 2023 and able to mount its own cyber attacks but the alliance is still grappling with ground rules for doing so, a senior general said on Tuesday. While NATO does not have its own cyber weapons, the U.S.-led alliance established an operations center on Aug. 31 at its military hub in Belgium. The United States, Britain, Estonia and other allies have since offered their cyber capabilities. "This is an emerging domain and the threat is growing," said Major General Wolfgang Renner, a German air force commander who oversees the new cyber operations center, or CYOC, in Mons. "We have to be prepared, to be able to execute operations in cyberspace. We have already gone beyond protection and prevention," he told Reuters during a NATO cyber conference.

BBC
October 15, 2018
Makers of smart home devices are to be encouraged to make their gadgets secure against hack attacks. The UK has published a voluntary code of practice for manufacturers that shows how they can proof their creations against common attacks. It aims to stop gadgets being hijacked and used to mount cyber-attacks - and stamp out designs that let cyber-thieves steal data. Two companies, HP and Hive Centrica, have already agreed to follow the code. The government initiative is aimed at makers of small smart gadgets for the home, such as web-connected doorbells, cameras, toys and burglar alarms - the so-called internet of things (IoT).


TECHNOLOGY

Ars Technica
October 16, 2018
There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear what sites or devices were vulnerable since neither the widely used OpenSSH nor Github’s implementation of libssh was affected.