The power that you and I have
over and between each other,
strong as steel,
powers our destiny,
propelling us to feel.
“Dawn breaks over the horizon. It moves across the sea, soaring over the empty beach….It reaches the top of the hill and lingers there, gray and hazy for a moment, before suddenly plunging down the far side. It sweeps over houses, streets, trees, and flowers asleep on balconies. Down in the valleys it seems to dance, lightly, discreetly. It seeps into the forest and spills across the lake where no one ventures now since Adele drowned there four years, five months, and thirteen days ago.”
~ from the opening paragraph of bathroom reading pile
The pernicious social dynamics of the internet. We overshare about our personal lives and fail to understand those of others. Narcissism spreads; empathy vanishes.
Joachim Ronneberg, serving behind enemy lines in his native Norway during the German occupation, in 1943 blew up a plant producing heavy water, or D2O, a hydrogen-rich substance that was key to the later development of atomic bombs.
'Bring me the head of the dog': How the man behind Khashoggi murder ran killing via Skype
ZDNet
The Czech Security Intelligence Service (BIS) has intervened and taken down servers that have been used by Hezbollah operatives to target and infect users around the globe with mobile malware. "I cannot comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director. "We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down." BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization. The Czech intelligence agency said the servers and the malware distribution campaign appear to have been going on since the start of 2017.
FROM CJR’S EDITOR: “Trump doesn’t care about a dead journalist because he doesn’t care about journalism.” Kyle Pope, writing on Jamal Khashoggi and a “sobering realization” about the state of journalism in the Trump era, said Trump’s blasé attitude also explains why the current president was so reluctant to commemorate the lives of the five people slain in the Capital Gazette newsroom. Asked Julia Ioffe, nervous about the administration’s reaction to Khashoggi: “Is this how they’ll behave if something happens to me when I’m reporting on Russia?” (h/t Jill Geisler)
BEFORE KHASHOGGI'S KILLING: Crown Prince Mohammed bin Salman already has swept the kingdom free of press opposition and dissidents to the monarchy, Washington Post reporter Kevin Sullivan found. Said one dissident, in self-exile in London: “He is trying to silence everyone. There are no human rights defenders still free in Saudi Arabia. They are all behind bars.”
Pirate Hunters with Robert Kurson
The Art of Manliness | 0:39 | Listen Later
Interview with Robert Kurson, author of the book “Pirate Hunters: Treasure, Obsession, and the Search for a Legendary Pirate Ship”. Tells the story of two treasure hunters risking their lives and fortune to find a sunken pirate ship. In the process, they uncovered the story of one of the greatest pirates to ever live during the Golden Age of Piracy. Discusses why pirates are so appealing, why two guys would risk millions of dollars to find a pirate ship, and the legendary story of the pirate who captained the sunken ship.
Why now?
Hidden Brain | 0h 52m | Listen Later
Uses social science to explain the changes in our minds and culture that allowed the #MeToo movement to gain traction now after previous allegations of sexual misconduct went nowhere
Bassem Youssef: The Bravery to Speak Out
The James Altucher Show | 1h 10m | Listen Later
Interview with Bassem Youssef, an Egyptian surgeon, who took to YouTube during the revolution to report what was really happening, quickly garnering an audience of 30m. With satire and comedy to defuse the tension, he told a story that changed lives.
The Iliad
In Our Time | 0h 48m | Listen Later
Melvyn Bragg and guests discuss the great epic poem attributed to Homer, telling the story of an intense episode in the Trojan War. It is framed by the wrath of the Greek hero Achilles, insulted by his leader Agamemnon and withdrawing from the battle that continued to rage, only returning when his close friend Patroclus is killed by the Trojan hero Hector.
Commons staff go public to end bullying culture
James Belich – The Black Death
The Edge of Humanity
Waking Up with Sam Harris | Listen Later
Interview with Yuval Noah Harari about his book “21 Lessons for the 21st Century.” Discusses the importance of meditation, the primacy of stories, the need to revise our fundamental assumptions about human civilisation, threats to liberal democracy, a world without work, universal basic income, the virtues of nationalism and the implications of AI and automation.
FCW
October 16, 2018
It's no secret the internet of things is plagued by security gaps. Devices are shipped with hard-coded passwords and operating systems and firmware that can't be updated over the air. Not only are unsecured IoT devices vectors for leaking user data, but they can also be harnessed by botnet operators to conduct large-scale cyberattacks, such as the Mirai attacks of 2016. So far, no U.S. agency or entity has taken the lead on developing standards or guidelines for IoT security. The Consumer Product Safety Commission is looking at physical threats posed by connected devices but has bowed out of the data security piece. The National Institute of Standards and Technology is accepting comments on a draft guidance that calls out various risks posed by the IoT ecosystem and possible ways to mitigate those risks. Sen. Mark Warner (D-Va.), the vice chairman of the Senate Select Intelligence Committee, is concerned about cybersecurity risks posed by the IoT ecosystem, and he thinks federal purchasing power can influence manufacturers to build better security into their devices.
ADMINISTRATION
Gov Info Security
October 19, 2018
Before marketing their medical devices, manufacturers should prepare a "cybersecurity bill of materials" that lists components that could be susceptible to vulnerabilities, according to a draft of updated Food and Drug Administration premarket guidance. In addition to releasing the proposed guidance this week, the FDA announced a formalized agreement with the Department of Homeland Security to implement a new framework for greater collaboration between the two agencies for addressing cybersecurity in medical devices. "From my vantage point, it looks like everyone in the medical device security community is happy to see stronger premarket recommendations and a more formal relationship between the FDA and DHS," says Ben Ransford, CEO and co-founder of healthcare cybersecurity firm Virta Labs. "Clear delegations of responsibility make incident response easier."
The Hill
October 19, 2018
Officials are speaking out about the security of election systems amid fears cyberattacks could deter Americans from voting. Claims of voter suppression traditionally center around practices like voter roll purges and ID laws. There is no evidence that votes were altered in the Russian attack on the 2016 elections, but experts say the concept of a cyberattack alone has left some Americans worried about whether their ballots count. Making sure voters feel secure going to the polls has "been priority No. 1 for us," said Matt Dietrich, the public information officer for the Illinois state board of elections, which was breached by Russian hackers ahead of the 2016 election. A survey of registered voters released this week by security provider OpenVPN showed 60 percent of respondents didn’t believe that the U.S. election system is secure, and 63 percent think the country hasn’t done enough to protect the system for future elections. With both parties promising a “wave” in the midterms, officials said letting voters know their ballots will be counted — and counted accurately — is essential before polls open in November.
Nextgov
Only about 76 percent of civilian government websites are protected by advanced encryption tools more than eight months after a Homeland Security Department deadline, according to figures shared by the department. That’s an improvement from just 54 percent of government sites that were protected by the encryption tools when the deadline initially passed in February, but far below the 100 percent compliance Homeland Security called for in a binding operational directive in October last year. That directive ordered agencies to adopt HTTPS protection for their websites, which encrypts users’ navigation within a web domain and is connoted with a lock icon to the left of a web address.
CyberScoop
October 18, 2018
Director of National Intelligence Dan Coats told CyberScoop on Thursday that he’s seen no evidence of Chinese actors tampering with motherboards made by Super Micro Computer, becoming the latest national security official to question a Bloomberg report that stated the company was the victim of a supply chain hack. “We’ve seen no evidence of that, but we’re not taking anything for granted,” Coats told CyberScoop. “We haven’t seen anything, but we’re always watching.” The comments came before a speech Coats delivered at CyberTalks, where the director touched on supply chain threats as one facet the administration is focused on when it comes to cybersecurity threats. “Be aware of supply chain threats,” Coats said in his speech. “Understand that cyberthreats to your supply chain are an insidious problem that can jeopardize the integrity of your products.” The remarks come after a cover story in Bloomberg Businessweek stated that Chinese intelligence agents placed malicious microchips on motherboards used in servers supplied by Super Micro Computing Inc. Those chips reportedly set up a backdoor into networks of some 30 companies, including Apple and Amazon Web Services. Since the story was released, numerous experts in both the public and private sector have called the details into question.
Nextgov
October 18, 2018
The federal government’s technology modernization campaign is inseparable from efforts to shore up government cybersecurity, federal Chief Information Officer Suzette Kent said Thursday. In many cases, government technology systems were designed years or even decades ago, before the government was deeply concerned about cybersecurity and before hackers were so focused on digitally compromising government systems, Kent said during a CyberTalks event sponsored by the media company CyberScoop. Updating those systems can benefit agencies by making their work faster, easier and cheaper. It can also make securing the systems far easier, Kent said. “The way that we become more secure, the way that we protect our infrastructure is to have a modern infrastructure,” Kent said. For example, many agencies have adopted cloud-based email systems, which are more secure than legacy email systems, Kent said.
CyberScoop
October 18, 2018
The U.S. government’s new and reportedly more muscular approach to conducting offensive cyber-operations must carefully consider the potential blowback of such actions to the private sector, a former senior Department of Homeland Security official has warned. “DHS needs to be part of the discussion around the cost-benefit analysis to bring the private sector point of view because we know the private sector often bears the brunt of the retaliation that comes in the wake of more aggressive activity,” Suzanne Spaulding said Wednesday at the Atlantic Council. Asked what public indication there would be that those concerns are being addressed, Spaulding, who served as a DHS undersecretary under President Barack Obama, said the answer lies in the private sector. Private companies will have a sense of “whether their equities were adequately considered” before a U.S. government decision to conduct offensive operations, Spaulding said during a panel discussion. “And my guess is they’ll let us know.” For years, foreign hackers have targeted U.S. companies in multiple sectors, and a surge in U.S. government hacking against foreign adversaries could invite retaliation against any number of multibillion-dollar American firms.
Politico
October 17, 2018
The Democratic National Committee has spent 14 months staffing up with tech talent from Silicon Valley, training staff to spot suspicious emails and giving the FBI someone to talk to if it spots signs of hackers targeting the party. The first concrete sign of success may come in a few weeks, if the Democrats make it through the November midterm elections unscathed. But Raffi Krikorian, the DNC’s chief technology officer, is already pointing to one significant accomplishment — what he calls a massive overhaul of digital security at the committee and its sister organizations. That would be a big leap from September 2015, when the FBI’s first attempt to alert the party to a suspected Russian cyberattack reached a DNC IT contractor who thought it was a prank. Such a major flub would not happen now, said Krikorian, whose résumé includes senior roles at Uber and Twitter. “It would be surprising if a week went by and I didn’t hear from one of the three-letter agencies in my inbox,” Krikorian told Politico during an interview at the committee’s headquarters. Representatives of the bureau and other federal agencies have “been in our building to ask how they can help or what information we might be able to coordinate on in the future.”
Reuters
October 17, 2018
Public companies that fail to tighten their cyber security controls could be violating federal law, the U.S. Securities and Exchange Commission (SEC) said on Tuesday. The regulator’s warning came in the form of a report on its investigation to assess whether nine companies that had been victims of cyber-related frauds had sufficient internal accounting controls in place as required by law. It focused on so-called “business email compromises” in which cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The Federal Bureau of Investigation estimates such scams had led to $5 billion in losses since 2013, the SEC said. The fraud did not include any sophisticated design, but rather used technology to detect the human vulnerabilities in the control system, the report said. “We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement.
AP
October 17, 2018
A federal judge declined Tuesday to order election officials in Tennessee’s largest county to perform rigorous safeguards to its voting systems ahead of early voting for the November elections. U.S. District Judge Thomas Parker denied a request for an order requiring that the Shelby County Election Commission ask the U.S. Department of Homeland Security to perform risk and vulnerability assessments on electronic voting systems. A petition for a temporary restraining order was made by attorney Carol Chumney, who represents a group of voters in a lawsuit seeking to preserve the integrity of the November election. The suit filed last week alleges the outdated touchscreen voting machines used by Shelby County are insecure because they do not produce a voter-verifiable paper trail, and security checks and other safeguards are needed to protect the system from outside manipulation. Chumney also asked that officials require voting systems vendor Election Systems & Software to install advanced security sensors on their system, allow an outside expert to review election security procedures, and permit candidates’ poll watchers to observe collection of memory cards and vote tabulation. Parker ruled that it was not the role of the federal court to tell county officials how to conduct elections.
Federal News Network
October 16, 2018
One year after the Homeland Security Department issued Binding Operational Directive 18-01, Thomas McDermott, deputy assistant secretary for Cyber Policy, said the department is seeing “significant progress” in agency compliance. BOD 18-01 required agencies to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC), a protocol that authenticates an organization’s emails. When DHS issued BOD 18-01 on Oct. 16, 2017, around 20 percent of federal agencies were using DMARC in some fashion, whether to flag, quarantine or reject malicious messages. Current analysis performed by cybersecurity company Proofpoint shows 74 percent of agencies have published DMARC records, and 60.5 percent are fully compliant with BOD 18-01.
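The gap between "has published a DMARC record" and "fully compliant" in the numbers above comes down to which policy the record carries: a `p=none` record only asks receivers to flag and report, `p=quarantine` and `p=reject` actually act on spoofed mail, and BOD 18-01's end state is `p=reject` applied to all of a domain's mail. The following classifier is an added example, not code from the article, DHS or Proofpoint; it parses the tag=value syntax of a DMARC TXT record (RFC 7489) and the agency domains and records it runs over are constructed.

```python
"""Classify published DMARC records by the policy level they carry.

Added example (not from the digest, DHS or Proofpoint).  The agency
domains and record strings below are constructed sample data.
"""

import re
from typing import Dict, Optional

# One "tag=value" pair of the RFC 7489 record grammar; pairs are ';'-separated.
_TAG_RE = re.compile(r"\s*([a-zA-Z]+)\s*=\s*([^;]*)")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        match = _TAG_RE.fullmatch(part)
        if match:
            tags[match.group(1).lower()] = match.group(2).strip()
    return tags


def classify_dmarc(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'none', 'quarantine', 'reject' or 'partial'.

    'partial' means a quarantine/reject policy with pct below 100, which
    still lets the remaining share of spoofed mail through unsampled.
    """
    if record is None or not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    # The v tag must identify a DMARC record and a policy tag must be present.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    if policy != "none" and (not pct.isdigit() or int(pct) < 100):
        return "partial"
    return policy


def bod_18_01_compliant(record: Optional[str]) -> bool:
    """BOD 18-01's end state: a published p=reject policy covering all mail."""
    return classify_dmarc(record) == "reject"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per classification, the way a compliance dashboard would."""
    counts: Dict[str, int] = {}
    for record in records.values():
        label = classify_dmarc(record)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records for hypothetical agency domains.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": None,                                  # no record at _dmarc.<domain>
    "agency-e.example": "v=spf1 include:_spf.example -all",   # an SPF record at the wrong name
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify_dmarc(record):10} compliant={bod_18_01_compliant(record)}")
    print(summarize(SAMPLE_RECORDS))
```

In practice the record string would come from a TXT lookup of `_dmarc.<domain>`; the classifier deliberately treats a sampled policy (`pct` below 100) as its own bucket, because those domains show up as "published" in a naive count while still letting unauthenticated mail through.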
Nextgov
October 16, 2018
Various data on up to 35 million U.S. voters in as many as 19 states is for sale online, according to a new report from a pair of cyber security research firms. But the Department of Homeland Security says that’s nothing new: much of the data is either public or available for purchase from state and local governments. An Oct. 15 report from cybersecurity research firms Anomali Labs and Intel471 makes a big claim: “To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history.” It says that on Oct. 5, voter registration records for Texas, Georgia, and at least 17 more states were offered for sale on the popular dark web hacking forum “Raid Forums” by a “known illicit vendor”: a figure named “Downloading,” a likely alias for an administrator on the forum. The data purportedly includes names, addresses, voting history, and “other data” according to the statement. The price? Cheap, starting at $150 for some states and reaching as high as $12,500. “DHS is aware of the report. It is important to note that much of the information purportedly being sold is available in most states either publicly or commercially,” a DHS spokesman said in an email. “It does not appear that this data is indicative of a successful breach of state or local election infrastructure.”
The Hill
October 16, 2018
The Department of Homeland Security’s (DHS) top cyber official said Tuesday that a report on an increased number of cyberattacks on election infrastructure points to a rise in reporting the attempted hacks and not necessarily a spike in the attacks themselves. Christopher Krebs, the head of the National Protection and Programs Directorate (NPPD), said at an event on election security hosted by The Bridge that the report on a DHS assessment "seems to indicate that there’s been an uptick in activity" when it comes to cyberattacks on the election systems. "It’s not an uptick in activity," he continued, saying state and local election officials have gotten better at sharing information about cyber activities targeting election systems like voter registration databases since the 2016 election, when that kind of information sharing largely wasn’t happening. “Are we seeing an uptick? I don’t know if we are,” Krebs said. “I think we’re seeing a consistent and persistent level of activity.”
Ars Technica
October 16, 2018
A 21-year-old Kentucky man who previously admitted to creating and selling a "remote access trojan" (RAT) known as LuminosityLink has been sentenced to 30 months in federal prison. Colton Grubbs had previously pleaded guilty to conspiracy to unlawfully access computers in the furtherance of a criminal act, among other crimes. When Grubbs was first charged, he claimed LuminosityLink was a legitimate tool for system administrators, and he never intended for it to be used maliciously. He reversed course in a plea agreement he signed in July 2017. In that document, he admitted for the first time that he knew some customers were using the software to control computers without owners' knowledge or permission. Grubbs also admitted emphasizing a wealth of malicious features in marketing materials that promoted the software. The malicious features included the ability for LuminosityLink to be installed without notification, record key presses, surveil targets using their computer cameras and microphones, view and download computer files, steal names and passwords used to access websites, use infected computers to mine digital currencies, use victim computers to launch DDoS attacks, and prevent anti-malware software from detecting and removing the software. He sold this software for $40 a pop to more than 6,000 people globally.
AP
October 12, 2018
The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel. According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered. The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised. According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4. Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it. “It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.
INDUSTRY
BuzzFeed
October 19, 2018
Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that his company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim. Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley–bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create “a stealth doorway” into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. According to Bloomberg, the company discovered some sabotaged hardware in 2015, promptly cut ties with the vendor, Supermicro, that supplied it, and reported the incident to the FBI. Apple, however, has maintained that none of this is true — in a comment to Bloomberg, in a vociferous and detailed company statement, and in a letter to Congress signed by Apple’s vice president of information security, George Stathakopoulos. Meanwhile, Bloomberg has stood steadfastly by its story and even published a follow-up account that furthered the original’s claims.
ZDNet
October 19, 2018
Apple has secretly patched a bunch of high-severity bugs reported to it by Google's Project Zero researchers. The move has resulted in Google's Project Zero once again calling Apple out for fixing iOS and macOS security flaws without documenting them in public security advisories. While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for. Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues.
Gov Info Security
October 19, 2018
Attackers are continuing to compromise unpatched routers, as well as devices with default credentials, built by Latvian manufacturer MikroTik. More than 2 million MikroTik routers appear to be internet-connected. Of those, security experts say that more than 420,000 appear to have been exploited and infected with malicious cryptocurrency-mining scripts. In April, MikroTik rapidly patched a zero-day flaw, designated CVE-2018-14847. Via the flaw, attackers can gain complete access to a vulnerable router, giving them access to Winbox - a simple GUI administration utility for MikroTik's RouterOS - as well as Webfig - the web-based version of the utility. Since then, despite clear and persistent warnings from security researchers as well as MikroTik, hundreds of thousands of its routers remain unpatched and are being actively targeted by attackers, security researchers say.
CyberScoop
October 18, 2018
Influential national security blog Lawfare has been the target of a distributed denial-of-service attack since Wednesday, with attackers amplifying their efforts as security measures are used to stop the traffic barrage. The DDoS attack knocked the site offline intermittently for a few hours on Wednesday, Executive Editor Susan Hennessey estimated, but the malicious traffic stubbornly persisted through Thursday. The attack “increased substantially in response to preliminary defense measures,” Hennessey told CyberScoop in an email Thursday. The website appears to have stabilized, she said, despite the continuous pinging of Lawfare’s site. “Previous attacks have taken us offline for longer periods, but we now have more sophisticated defenses in place so size doesn’t necessarily correlate to impact,” said Hennessey, a former attorney in the National Security Agency’s Office of General Counsel.
The Wall Street Journal
October 17, 2018
Facebook Inc. believes that the hackers who gained access to the private information of 30 million of its users were spammers looking to make money through deceptive advertising, according to people familiar with the company’s internal investigation. The preliminary findings suggest that the hackers weren’t affiliated with a nation-state, the people said. Facebook’s security team has been investigating the incident since Sept. 25, when it discovered that someone was downloading a large quantity of digital access tokens on the social network. In several public briefings about the incident, the company has declined to say who is behind the attack, which it has called the biggest security breach in its history. When they first announced the attack, Facebook officials said they may never discover the identities of the hackers. Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team, said the people familiar with the investigation. Facebook has previously said it was working closely with the Federal Bureau of Investigation on a criminal probe into the incident.
ZDNet
October 17, 2018
A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that's simple to execute and hard to stop -- all the features that hackers and malware authors are looking for from an exploitation technique. What's more surprising is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has received no media coverage, nor has it been seen employed in malware campaigns.
Nextgov
October 17, 2018
There’s a shortage of nearly 3 million cybersecurity professionals worldwide and nearly 500,000 in North America, according to a study released by a major cybersecurity certification organization Wednesday. Those figures echo a cyber workforce shortage in the federal government that has bedeviled agencies struggling to improve the security of their networks. The shortage of qualified cyber professionals is now the number one job concern for cyber workers, beating out low budgets and lack of resources, according to the report, which was compiled by the International Information System Security Certification Consortium, or (ISC)², a major cyber credentialing organization. The report was based on a survey of roughly 1,500 respondents across North and South America, Europe and Asia who work in cybersecurity as at least one-fourth of their workload.
The Wall Street Journal
October 16, 2018
Apple Inc. apologized over the hacking of some Chinese accounts in phishing scams, almost a week after it emerged that stolen Apple IDs had been used to swipe customer funds. In its English statement Tuesday, Apple said it found “a small number of our users’ accounts” had been accessed through phishing scams. “We are deeply apologetic about the inconvenience caused to our customers by these phishing scams,” Apple said in its Chinese statement. The incident came to light last week when Chinese mobile-payment giants Alipay and WeChat Pay said some customers had lost money. The victims of the scams, Apple said Tuesday, hadn’t enabled so-called two-factor authentication—a setting that requires a user to log in with a password and a freshly-generated code to verify their identity.
Ars Technica, October 16, 2018
Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020. TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws. The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.
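The vendors' deprecation raises the practical question of which of one's own endpoints still negotiate TLS 1.0 or 1.1. As an added example, not from the article or from any of the vendors named, this Python snippet reads the version field of a captured ClientHello or ServerHello record and flags the versions being retired; the sample records are constructed, not captured traffic.

```python
"""Flag legacy TLS versions in captured handshake records (added example)."""
import struct

# Wire encoding of the version field (major, minor) -> protocol name.
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
# Versions being retired (SSL 3.0 support already ended in 2014).
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}

HANDSHAKE = 0x16                         # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def hello_version(record: bytes) -> str:
    """Return the protocol version named in a ClientHello/ServerHello record.
    Layout: record header (type:1, version:2, length:2), handshake header
    (type:1, length:3), then the hello's own 2-byte version field. The
    record-layer version is only a hint; the hello field is what matters.
    Caveat: TLS 1.3 leaves 0x0303 here and signals 1.3 in the
    supported_versions extension, so "TLS 1.2" means "1.2 or newer".
    """
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{ctype:02x})")
    if rec_len + 5 > len(record):
        raise ValueError("record length exceeds captured bytes")
    hs_type = record[5]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError(f"not a hello message (type 0x{hs_type:02x})")
    major, minor = record[9], record[10]
    return TLS_VERSIONS.get((major, minor), f"unknown {major}.{minor}")


def is_legacy(record: bytes) -> bool:
    """True when the hello names a version the vendors are deprecating."""
    return hello_version(record) in DEPRECATED


# Constructed sample records (not captured traffic): a TLS 1.0 ClientHello
# and a TLS 1.2 ServerHello, each reduced to headers plus the version field.
TLS10_CLIENT_HELLO = bytes.fromhex("16 0301 0006 01 000002 0301".replace(" ", ""))
TLS12_SERVER_HELLO = bytes.fromhex("16 0303 0006 02 000002 0303".replace(" ", ""))

if __name__ == "__main__":
    for side, rec in (("client", TLS10_CLIENT_HELLO), ("server", TLS12_SERVER_HELLO)):
        flag = "LEGACY, retire" if is_legacy(rec) else "ok"
        print(f"{side}: {hello_version(rec)} -> {flag}")
```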
Gov Info Security, October 16, 2018
Federal regulators have smacked health insurer Anthem Inc. with a record $16 million HIPAA settlement in the wake of a cyberattack revealed in 2015, which impacted nearly 79 million individuals. In announcing the largest-ever HIPAA fine, regulators noted the insurer failed to take several basic security steps, including conducting an enterprisewide security risk assessment. The previous largest HIPAA settlement was $5.55 million paid by Advocate Health Care in 2016. The Department of Health and Human Services' Office for Civil Rights says Anthem agreed to take "substantial corrective action" to settle potential HIPAA privacy and security rules violations after a series of cyberattacks led to the largest U.S. health data breach, exposing electronic protected health information. "The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," says OCR Director Roger Severino.
The New York Times, October 15, 2018
Two years ago, IBM opened one of the nation's first commercial cybersecurity ranges in Cambridge, Mass., to let companies practice responding to simulated cyberattacks. It describes the experience as "a game of Clue mixed with a Disney roller-coaster ride." In a windowless bunker packed with a data center, wall-to-wall monitors, atmospheric controls, dozens of work stations and a functional TV studio, participants have about four hours to investigate and respond to a fictional data breach. It's like an escape room for security nerds. The experience proved so popular (about 2,000 people, including chief executives and entire corporate boards, have played IBM's game, which has an eight-month waiting list) that IBM decided to build a second range. But this time, it's going mobile. The move is a reflection of the extent to which the threat of cyberattacks has captured the attention of organizations of all kinds, including the technology companies Facebook and Google, banks, military installations and those who run industrial control systems, like electricity and water providers.
INTERNATIONAL
Politico, October 19, 2018
If there ever was a window for European leaders to name and shame Moscow for carrying out cyberattacks against networks in the EU, Thursday's Council meeting would have been it. They chose to let the chance go by. In joint conclusions after the EU summit, heads of state denounced aggressive cyber action but stopped short of signaling a move toward decisive EU deterrence against Russia. While the United Kingdom and the Netherlands pushed for swift action following an attack on the Organisation for the Prohibition of Chemical Weapons in The Hague that was widely attributed to Russia, other countries balked. Italy and France were among the countries wary about calling Russia out on its alleged hacking attempts, diplomats said. The final conclusions only repeated pledges made more than a year ago by EU capitals, leading critics to slam the text as lacking a sense of urgency to counter a growing threat from the East.
The Washington Post, October 18, 2018
The president of Australia's top lawyers' group told a parliamentary inquiry that proposed cybersecurity laws to force global technology companies such as Facebook and Google to help police by unscrambling encrypted messages sent by extremists and other criminals would significantly limit individuals' privacy and freedom. A parliamentary committee on Friday began examining a bill introduced last year that is modeled on Britain's Investigatory Powers Act. That law has given British intelligence agencies some of the most extensive surveillance powers in the Western world. The Australian bill would give security agencies new powers to demand that tech companies help them decrypt data. Arthur Moses, Law Council of Australia's president-elect, told the committee that a secret service officer could use the proposed law to side-step the need for a warrant to arrange a phone intercept. The bill also places no time limit on how long a telecommunications employee can be held to assist law enforcement and security agencies, which is arguably detention, Moses said.
CyberScoop, October 17, 2018
Ever since the seminal cyberattacks on the Ukrainian power grid in 2015 and 2016, researchers have traced the evolution of the broad set of hackers behind the attacks in an effort to warn organizations the hackers might strike next. On Wednesday, analysts from cybersecurity company ESET added to that body of knowledge in revealing a quieter subgroup of those hackers that has targeted energy companies in Ukraine and Poland. ESET has dubbed the group GreyEnergy, a derivative of the original group of hackers, which have been known as BlackEnergy. Whereas BlackEnergy is known for the disruptive 2015 attack on the Ukrainian grid that cut power for roughly 225,000 people, GreyEnergy has to date preferred reconnaissance and espionage, according to ESET. The group has taken screenshots of its possible targets, stolen credentials, and exfiltrated files.
CyberScoop, October 17, 2018
Cybersecurity researchers have uncovered remote access tools, or backdoors, linked to an infamous Vietnamese hacking group with a history of targeting government organizations and intellectual-property-rich companies. Analysts with cybersecurity company Cylance say that while investigating a security incident last year, they found multiple custom backdoors used by the cyber-espionage outfit known as APT32 or OceanLotus Group. The hackers used command and control protocols that were tailored to their targets and that supported multiple network communication methods. "The overall design and development of these threats indicate they come from a well-funded development team," research from Cylance published Wednesday states. "The OceanLotus Group uses an expansive amount of custom library code that can easily be repurposed for maximum effectiveness against their next target."
NBC, October 17, 2018
The Government Communications Headquarters, Britain's code-breaking, eavesdropping equivalent to the U.S. National Security Agency, was once so secret an American journalist was expelled from the country for just naming the agency in a story. For visitors who know this history, it's somewhat jarring to walk into the gleaming London offices of Britain's National Cyber Security Centre, a relatively new agency responsible for protecting Britain from cyberthreats. A sign at the entrance, just off a major London thoroughfare, proclaims the center a "part of GCHQ." The cyber center is the answer to a problem Britain faced that is similar to one bedeviling the U.S.: No single entity was in charge of cybersecurity. And the best expertise resided in intelligence agencies, where most of the input and output is highly classified.
ZDNet, October 16, 2018
The Czech Security Intelligence Service (BIS) has intervened and taken down servers that have been used by Hezbollah operatives to target and infect users around the globe with mobile malware. "I cannot comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director. "We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down." BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization. The Czech intelligence agency said the servers and the malware distribution campaign appear to have been going on since the start of 2017.
Reuters, October 16, 2018
A new NATO military command center to deter computer hackers should be fully staffed in 2023 and able to mount its own cyber attacks, but the alliance is still grappling with ground rules for doing so, a senior general said on Tuesday. While NATO does not have its own cyber weapons, the U.S.-led alliance established an operations center on Aug. 31 at its military hub in Belgium. The United States, Britain, Estonia and other allies have since offered their cyber capabilities. "This is an emerging domain and the threat is growing," said Major General Wolfgang Renner, a German air force commander who oversees the new cyber operations center, or CYOC, in Mons. "We have to be prepared, to be able to execute operations in cyberspace. We have already gone beyond protection and prevention," he told Reuters during a NATO cyber conference.
BBC, October 15, 2018
Makers of smart home devices are to be encouraged to make their gadgets secure against hack attacks. The UK has published a voluntary code of practice for manufacturers that shows how they can proof their creations against common attacks. It aims to stop gadgets being hijacked and used to mount cyber-attacks - and stamp out designs that let cyber-thieves steal data. Two companies, HP and Hive Centrica, have already agreed to follow the code. The government initiative is aimed at makers of small smart gadgets for the home, such as web-connected doorbells, cameras, toys and burglar alarms - the so-called internet of things (IoT).
TECHNOLOGY
Ars Technica, October 16, 2018
There's a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn't immediately clear what sites or devices were vulnerable, since neither the widely used OpenSSH nor GitHub's implementation of libssh was affected.