Friday, December 07, 2018

Are agencies making the grade on cyber hygiene?



Federal Workers Warned Against Talk of ‘Impeachment,’ ‘the Resistance’ - Reason.com: “Employees of the federal government were warned this week that both praising and criticizing the Trump administration while on duty may be considered illegal. Federal workers are specifically barred from “advocating” for or against impeachment and from expressing support for the so-called “resistance” to President Donald Trump. Such expressions could be considered violations of the Hatch Act, a 1939 law that largely prohibits federal workers from engaging in political activity while on the clock or in their official capacity as a government employee. In a memorandum released Tuesday, the Office of Special Counsel (no relation to Robert Mueller’s Russia probe) Hatch Act unit explains what kind of speech should be avoided.”



Global Wage Report 2018/19 (PDF), International Labour Organization

Auditor-General Report No.15 (2018-19): Human Services’ Compliance Strategies. Tabling: Thursday 6 December 2018




The Hill

November 30, 2018

A pair of senators on Friday introduced a bipartisan bill to create a program within the State Department to share information with U.S. global allies about election security. The measure would establish a way for the United States and other countries to share information on the best practices for administering elections, such as combating disinformation campaigns and conducting post-election audits. The bill is a companion to similar bipartisan legislation passed by the House earlier this year. Under the legislation, the new State Department program would offer grants to American nonprofit groups that work on election security to share information with similar groups in other countries.



FCW

November 29, 2018

The House passed the SMART IoT Act on Nov. 28 in a unanimous voice vote, sending the bill to the Senate with just over two weeks until Congress is set to adjourn. The legislation, introduced by Rep. Robert Latta (R-Ohio), tasks the Department of Commerce with studying the current internet-of-things industry in the United States. The research would look into what companies develop IoT technology, what federal agencies have jurisdiction in overseeing this industry and what regulations have already been developed. The congressman outlined the motivations behind the bill in Nov. 28 remarks from the House floor: "We must equip ourselves and industry with information about what the landscape for federal, public, private, and self-regulatory efforts are in place or underway." Latta's comments did not touch on security concerns surrounding IoT technology.



Federal News Network


With the Democrats taking control of the House starting in January, the likely-incoming chairman of the House Armed Services Emerging Threats and Capabilities Subcommittee is whittling down his priorities for the panel in the next legislative session. The top areas he wants to cover have a common thread that should come as no surprise: Cyber. Rep. Jim Langevin (D-R.I.) was just reelected to his tenth term in Congress, and is poised to take the gavel from current chairman, Rep. Elise Stefanik (R-N.Y.). In an interview with Federal News Network, Langevin said cybersecurity, election security and keeping a watchful eye over the Trump administration’s new defense cyber policy are some of the most important topics the subcommittee will face in the coming year. “We want to make sure they are held accountable and we are properly implementing these new strategies,” Langevin said.




FCW

November 30, 2018

The future federal cybersecurity workforce might already be in place -- almost. The federal government is taking steps to fill high-demand positions in tech by retraining agency employees who currently have no cyber or IT background. The Office of Management and Budget, in partnership with the Department of Education and the CIO Council, is launching an educational program to train current federal employees without an IT background in cyber defense skills. The Federal Cybersecurity Reskilling Academy is "the first of many of the reskilling efforts that the administration is exploring," said Federal CIO Suzette Kent in a briefing with reporters. "One of the best places for us to start is investing in our current federal workforce and taking our existing talent and helping them bridge into areas where we see that demand." The goal of the three-month curriculum, Kent said, is to provide current feds without a cyber or IT background with a mix of live and in-classroom training to help fill tech skills gaps.



Nextgov

November 30, 2018

The White House is losing another cybersecurity lead. The Federal Chief Information Security Officer’s second in command and cybersecurity lead for the Office of the Federal Chief Information Officer, Joshua Moses, had his last day in government Friday, White House officials confirmed. Moses spent the last three and a half years working as cybersecurity chief for the Office of Management and Budget. Prior to that, he served as a program manager at the Defense, Justice and Treasury departments and a senior program evaluator for Amtrak. At OMB, Moses led the development of cybersecurity policy and performance and risk management for the entire federal government. He worked directly under federal CIO Suzette Kent and federal CISO Grant Schneider.



Fifth Domain


A Marine Corps general is now leading the Department of Defense’s cyber offensive against ISIS. Since its creation in 2016, Joint Task Force-Ares has been led by the head of Army Cyber Command. But a U.S. Cyber Command spokesman confirmed to Fifth Domain Nov. 30 that the leader of Marine Corps Forces Cyberspace Command, Maj. Gen. Matthew Glavy, took charge of the task force Sept. 6. Joint Task Force-Ares is the cyber component supporting the joint and coalition efforts to degrade ISIS in Iraq and Syria, and it seeks to deny ISIS the use of cyberspace for spreading its message and coordinating operations.



Politico

November 29, 2018

The political nonprofit launched by Sen. Bernie Sanders in 2016 lost nearly a quarter-million dollars to an email scam that year, according to new tax documents obtained by POLITICO. Our Revolution “was the victim of a Business E-Mail Compromise scam that took place in December 2016 but was not discovered until January 2017, resulting in the loss of approximately $242,000 via an electronic transfer of funds to an overseas account,” the group disclosed in its tax forms covering the year 2017, which were filed earlier this month. “Our Revolution worked with the Federal Bureau of Investigation, Our Revolution's counsel and an independent cyber-security consultant in an effort to identify the thieves and to recover the funds but, unfortunately, these efforts were unsuccessful.” Our Revolution blamed “an international syndicate of cyber-thieves targeting nonprofit organizations globally” for the incident, which robbed the group of about 7 percent of its total fundraising in 2016. The group said in its tax filing that it "continues to put into place additional safeguards, including both technical and human security measures, procedures and protocols.”



Federal News Network

November 29, 2018

Agencies are supposed to be bolstering their network cybersecurity under continuous diagnostics and mitigation (CDM). But what if they had a single number, like a credit score, that tracked how much progress they’ve made on some of the cyber hygiene steps that lead to CDM? That’s what Kevin Cox, the Department of Homeland Security’s CDM program manager, has in mind. Speaking Wednesday at a Federal Computer Week summit, he shed light on DHS’s Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, which assigns a score for where each agency stands on configuration management and remediating critical vulnerabilities. “It’s looking at a few key variables and then assigning a score to that agency to help understand how that agency is doing overall with that cyber hygiene process,” Cox said.



CyberScoop

November 29, 2018

U.S. Deputy Attorney General Rod Rosenstein warned technology companies that Americans will not accept a culture in which encryption makes it impossible for law enforcement to investigate crimes, the latest comments in a long effort by the Department of Justice to find a way around end-to-end encryption. In a speech Thursday, Rosenstein urged tech firms to develop technology that keeps users’ data and communication as secure as possible, while also maintaining the ability to provide that information to law enforcement if it’s tied to an investigation. Firms including Apple, WhatsApp and others have introduced end-to-end encryption, a security measure that renders messages unreadable except to the sender and recipient. That type of technology is having “a dramatic impact on our cases, to the significant detriment of public safety,” Rosenstein said.



The New York Times


Two Iranians were behind the ransomware attack that crippled Atlanta’s government for days this year, the Justice Department said in an indictment unsealed on Wednesday, detailing a sophisticated scheme of attacks on hospitals, government agencies and other organizations. The men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, chose targets with complex yet vulnerable systems — organizations that could afford to pay ransoms and needed to urgently restore their systems back online, prosecutors said. In the case of Atlanta, one of the most sustained and consequential cyberattacks ever launched against a major American city, the pair broke into the city’s computer systems and held its data hostage for about $51,000 worth of the cryptocurrency Bitcoin, prosecutors said. “They deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” Brian Benczkowski, the head of the criminal division of the Justice Department, said in a news conference on Wednesday.



Nextgov

November 28, 2018

Federal agencies are in the midst of deploying some $3.2 billion worth of cybersecurity tools purchased through a program managed by the Homeland Security Department and General Services Administration. But some agencies find the money isn’t flowing fast enough and want to supplement their scheduled purchase with their own funding. The Continuous Diagnostics and Mitigation program, or CDM, was established to help federal agencies get access to cybersecurity tools more quickly than they could through traditional contracting methods. That speed element was enhanced when program officials switched to a different acquisition model—called the Dynamic and Evolving Federal Enterprise Network Defense, or CDM DEFEND. The initial awards and acquisitions through CDM DEFEND have been largely successful, according to Jim Piche, the homeland sector director for FEDSIM, an acquisition assistance outfit within GSA. But funding for the program is incremental, which means agencies can only receive tools as they are scheduled to deploy. Additional tools an agency might want to add to its rollout wouldn’t be covered by available CDM funding.



Gov Info Security

November 28, 2018

The U.S. Department of Justice on Tuesday announced that it has indicted eight individuals as part of a multiyear FBI investigation into gangs that allegedly perpetrated digital advertising fraud, in part, via botnets. Charges against the eight men, as revealed in a 13-count indictment unsealed on Tuesday, include hacking, identity theft, money laundering and wire fraud. Three of the men have been arrested abroad; the rest remain at large. "As alleged in court filings, the defendants in this case used sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud," says Richard P. Donoghue, the U.S. attorney for the Eastern District of New York. The suspects allegedly participated in one or both of two digital ad fraud schemes: Methbot, a data center-based scheme tied to at least $7 million in fraud, and botnet-driven 3ve, which has been tied to at least $29 million in fraud.



The New York Times

November 28, 2018

A new partnership among two prominent Israeli venture capital funds, a handful of major private-sector companies and the city’s economic growth development enterprise is hoping to turn New York City into the nation’s leading center for yet one more major industry: cybersecurity. Cyber NYC, as the project is called, is among the nation’s most ambitious cybersecurity initiatives, which over the next decade could transform New York City into a global leader of cybersecurity innovation and job creation. The multiyear project would simultaneously create a Global Cyber Center in Chelsea, a cybersecurity innovation hub in the SoHo neighborhood of Manhattan and an academic cyber partnership with area colleges, such as Columbia University, New York University and City University of New York. At the same time, major corporations such as Goldman Sachs, Mastercard and PricewaterhouseCoopers also are participating in advisory roles or to assist with the project’s training and hiring.



BuzzFeed

November 27, 2018

It isn’t a matter of if a foreign country outs a hacker who works for the US government. It’s when. Starting near the end of the second Obama administration and rapidly escalating under Trump’s, the US has employed a tactic of “name-and-shame” in which it identifies and charges individuals who were hacking under orders of foreign governments. The idea is that the hackers will be arrested and likely extradited if they ever set foot in a country that’s friendly to the US. As of September, when the Justice Department charged North Korea’s Park Jin Hyok and accused him of being employed by the government when he helped hack Sony Pictures Entertainment and stole millions from Bangladesh Bank, the US has formally accused people of working for all four of its primary adversaries in cyberspace: China, Iran, North Korea, and Russia. To date, none of those countries have returned the favor. But it’s just a matter of time, said Michael Daniel, who served as cybersecurity coordinator during Obama’s second term, when the Justice Department issued the first such indictment in 2014, accusing five members of China’s People’s Liberation Army of hacking Americans.



Fifth Domain

November 27, 2018

It takes roughly seven years, on average, for an idea to lead to a Pentagon contract, but the life cycle for automated equipment is just over three years. The long acquisition process and short lifespan means a Pentagon program that can impulsively scan an enemy’s network has technology that’s already more than two generations old on the first day that it is used. This paradox is highlighted in a new report, “Cyber Acquisition," which describes the Department of Defense’s cyber acquisition process as “too slow,” a “support nightmare” and one that “puts the warfighter at risk.” Because of the delay in acquiring cybersecurity equipment, “the military will be forced to utilize increasingly inferior capabilities,” the paper reads. It will appear in the upcoming Cyber Defense Review, an academic journal.



INDUSTRY



The Washington Post

November 30, 2018

Marriott International, one of the largest hotel chains in the world, revealed Friday that its Starwood reservations database had been hacked and that the personal information of up to 500 million guests could have been stolen. The data breach involved information mined from the database for Starwood properties, which include Sheraton, Westin and St. Regis hotels, among others. An unauthorized party had accessed the database since 2014, company officials said. The breach included names, email addresses, passport numbers and payment information, according to the hotel giant. “We deeply regret this incident happened,” Arne Sorenson, Marriott’s chief executive, said in a news release. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”



Gov Info Security

November 30, 2018

Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents that appeared aimed at gaining access to customer accounts. Dell says it detected an incident on Nov. 9 in which attackers sought names, email addresses and hashed passwords. Dunkin Donuts says its issues likely involved the reuse of leaked credentials from other breaches in order to take over DD Perks accounts, the company's rewards and gift card program. As a result, both companies opted for password resets with the hope that customers won't recycle ones that they've already used on other services. Reusing passwords fuels so-called "credential stuffing" attacks, in which attackers use leaked sets of credentials to see what other accounts can be unlocked. The companies say, however, that the impacts of the attacks appear to be limited.
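The pattern Dell and Dunkin' are reacting to can be caught in authentication logs before a blanket reset becomes necessary. The following is an added example, not code from the article or from either company: it flags a source that tries many different usernames in a short window with a high failure rate, and lists the accounts that nonetheless succeeded, which are the ones to force-reset first. The log format, the thresholds and the sample lines are constructed assumptions; a real deployment parses its own identity provider's format.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article or from Dell or Dunkin'. The log
format (ISO timestamp, source IP, username, result) and the thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source walks through many different accounts
# (stuffing), another retries a single account (a forgotten password).
SAMPLE_LOG = """\
2018-11-09T10:00:01Z 203.0.113.7 alice FAIL
2018-11-09T10:00:02Z 203.0.113.7 bob FAIL
2018-11-09T10:00:02Z 203.0.113.7 carol FAIL
2018-11-09T10:00:03Z 203.0.113.7 dave FAIL
2018-11-09T10:00:03Z 203.0.113.7 erin OK
2018-11-09T10:00:04Z 203.0.113.7 frank FAIL
2018-11-09T10:00:05Z 203.0.113.7 grace FAIL
2018-11-09T10:00:06Z 203.0.113.7 heidi FAIL
2018-11-09T10:00:07Z 203.0.113.7 ivan FAIL
2018-11-09T10:00:08Z 203.0.113.7 judy OK
2018-11-09T10:05:00Z 198.51.100.20 alice FAIL
2018-11-09T10:05:30Z 198.51.100.20 alice FAIL
2018-11-09T10:06:00Z 198.51.100.20 alice OK
"""


def parse(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio, accounts_that_succeeded)} for
    sources that, within `window`, attempt at least `min_users` *different*
    accounts with a failure ratio of at least `min_fail_ratio`.

    Many distinct usernames from one source is the stuffing signature: the
    attacker replays a leaked username/password list and expects most pairs
    to fail. One account failing repeatedly is a different pattern (brute
    force or a typo) and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "FAIL")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # accounts the attacker got into: these are the ones to reset
                succeeded = sorted(u for _, u, r in chunk if r == "OK")
                hits[ip] = (len(users), round(ratio, 2), succeeded)
    return hits


if __name__ == "__main__":
    for ip, (n_users, ratio, succeeded) in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {n_users} accounts tried, {ratio:.0%} failed, logged in as {succeeded}")
```

The single-account retries from the second source are left alone on purpose; a stuffing detector that also fires on forgotten passwords drowns the analyst. The `succeeded` list is the actionable output: those sessions should be invalidated and those users reset, and the same usernames are worth checking against any other service the organisation runs.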



FCW

November 28, 2018

A former top cyber official at the FBI involved in the 2015 San Bernardino shooter investigation said he does not believe the Department of Justice needs weaker laws around encryption to do its job and that doing so would result in unacceptable collateral damage to industry and data security. Robert Anderson, former executive assistant director for the criminal, cyber, response and services branch, said that when he was initially working on the San Bernardino shooting case, he could not understand why Apple was refusing to grant access to the shooter's iPhone. The FBI and intelligence community were worried that more attacks could be on the immediate horizon and faced intense pressure to gain access to the shooter's phone to mine it for leads on future threats. In hindsight, Anderson, currently a principal at the Chertoff Group, called that viewpoint "myopic." After running global information security operations for a number of private-sector companies and dealing with the fallout from countless data breaches, he said he is now convinced that the economic and societal collateral damage from weakening encryption laws would far outweigh any benefits.



Gov Info Security

November 28, 2018

North Carolina-based Atrium Health is notifying 2.65 million individuals of a data breach involving a cyberattack on databases hosted by a third-party billing vendor, AccuDoc. If details are confirmed by federal regulators, the incident would be the largest health data breach reported so far in 2018. In a statement issued Tuesday, Charlotte, N.C.-based Atrium Health - formerly called Carolinas HealthCare System - says certain databases containing billing information belonging to it and its managed locations may have been targeted in the attack on AccuDoc, which provides billing and other services for healthcare providers, including Atrium Health.



CyberScoop

November 28, 2018

CyberGRX, a firm that helps companies assess the risk stemming from their third-party vendors, announced Wednesday that it raised $30 million in a Series C funding round. The Denver-based company runs an “exchange” whereby its customers — larger enterprises and the smaller firms they do business with — share data meant to help in assessing and managing cyber risk. A number of recent data breaches began with security shortfalls in a third party’s products, such as web applications or point-of-sale systems, and then spread into corporate partners’ networks. The service is akin to a credit rating agency that assesses the risk of lending money to a particular entity. The company says it “unites third parties and their customers in the fight against cyber threats,” and that their ability to mitigate supply chain risks improves as more entities join CyberGRX’s exchange.



Ars Technica

November 28, 2018

Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s HeadSetup for Windows or macOS should take action immediately, even if they later uninstalled the app. To allow Sennheiser headphones and speakerphones to work seamlessly with computers, HeadSetup establishes an encrypted WebSocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store. The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although no real certificate authority ever issued those certificates, they are accepted as authentic on any computer that still holds the poorly secured root in its trust store, and uninstalling the app did not remove the root. The remediation is to delete that root certificate from the trust store, whether by applying Sennheiser’s fix or by hand.



The Washington Post

November 27, 2018

In early October, Bloomberg Businessweek published one of the year’s most stunning tech stories. Under the headline “The Big Hack,” reporters Jordan Robertson and Michael Riley reported that China had managed to infiltrate top U.S. companies — including server company Super Micro (or Supermicro) and Apple — with a chilling hardware hack carrying implications for the entire U.S. economy. It came under fire immediately, as government officials and the companies themselves either denied the reporting or claimed no familiarity with it. In response, Bloomberg issued a statement that read, in part: “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews.” The company can now adjust those numbers a bit. According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter.



Ars Technica

November 27, 2018

Criminal hackers continue to exploit a feature in Autodesk’s widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers said Tuesday. The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed.
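The delivery mechanism above relies on AutoLISP files sitting where AutoCAD will pick them up. As an added example, not code from the article or from the researchers it cites, the script below walks an unpacked attachment or project folder and flags AutoLISP-family files, rating highest the ones whose name matches AutoCAD's auto-loaded startup files (acad.lsp, acaddoc.lsp and their compiled .fas/.vlx forms, which run without any user action once the drawing's folder is the current directory) and next the ones merely staged beside a .dwg. The sample tree is constructed in a temporary directory and the three-level severity scale is an assumption.

```python
"""Find AutoLISP files staged beside drawing documents.

Added example, not from the article or from the researchers it cites. The
sample tree is constructed inline and the severity scale is an assumption.
"""
import os
import tempfile
from pathlib import Path

LISP_EXTS = {".lsp", ".fas", ".vlx", ".mnl"}
# AutoCAD loads acad*.lsp / acaddoc.lsp (and the compiled .fas / .vlx files of
# the same name) automatically at startup or when a drawing opens, so a file
# with such a name next to a drawing needs no click at all to execute.
STARTUP_PREFIX = "acad"


def scan_tree(root):
    """Return sorted (relative_path, severity) for every AutoLISP-family file under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        has_dwg = any(n.lower().endswith(".dwg") for n in filenames)
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() not in LISP_EXTS:
                continue
            if p.stem.lower().startswith(STARTUP_PREFIX):
                severity = "high"     # auto-loaded by name
            elif has_dwg:
                severity = "medium"   # staged next to a drawing, the lure in this campaign
            else:
                severity = "low"      # ordinary script; still review before use
            rel = Path(os.path.relpath(os.path.join(dirpath, name), root)).as_posix()
            findings.append((rel, severity))
    return sorted(findings)


def build_sample_tree():
    """Constructed layout mimicking an unpacked phishing attachment (stub file contents)."""
    root = tempfile.mkdtemp(prefix="cadscan_")
    proj = Path(root, "bridge_project")
    proj.mkdir()
    (proj / "span.dwg").write_bytes(b"stub drawing, not a real DWG")
    (proj / "acad.fas").write_bytes(b"stub compiled lisp, opaque to a reviewer")
    (proj / "notes.lsp").write_text("(defun c:hello () (princ))")
    lib = Path(root, "lib")
    lib.mkdir()
    (lib / "helpers.lsp").write_text("(defun c:hello () (princ))")
    return root


if __name__ == "__main__":
    for rel, sev in scan_tree(build_sample_tree()):
        print(f"{sev:6} {rel}")
```

Compiled `.fas` and `.vlx` files deserve the most attention: unlike `.lsp` source they cannot be read by a reviewer, and a startup name on one of them is exactly the combination this campaign used. A mail gateway can run the same walk over an unpacked archive before it reaches the drafter.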



ZDNet

November 27, 2018

A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions in 48 hours to redirect users to adult and gift card scams, a cyber-security firm revealed today. The traffic hijacking took place via a tactic known as malvertising, which consists of placing malicious code inside online ads. In this case, the code used by the ScamClub group hijacked a user's browsing session from the legitimate site where the ad was showing and sent victims through a long chain of temporary websites that eventually ended at an adult-themed site or a gift card scam. These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today.



CyberScoop

November 27, 2018

Former National Security Agency director Michael Rogers has welcomed the Trump administration’s willingness to use cyber-operations to deter foreign adversaries, adding that the United States’ previous reluctance to do so was counterproductive. “My argument when I was [in government was]: ‘We want to keep the full range of options and capabilities available,’” Rogers said Tuesday at the Center for Strategic and International Studies. “One of the things that frustrated me at times was: Why are we taking one element just straight off the table?” said Rogers, who left the administration in May for the private sector.



INTERNATIONAL



The New York Times

November 29, 2018

Three years ago, President Barack Obama struck a deal with China that few thought was possible: President Xi Jinping agreed to end his nation’s yearslong practice of breaking into the computer systems of American companies, military contractors and government agencies to obtain designs, technology and corporate secrets, usually on behalf of China’s state-owned firms. The pact was celebrated by the Obama administration as one of the first arms-control agreements for cyberspace — and for 18 months or so, the number of Chinese attacks plummeted. But the victory was fleeting. Soon after President Trump took office, China’s cyberespionage picked up again and, according to intelligence officials and analysts, accelerated in the last year as trade conflicts and other tensions began to poison relations between the world’s two largest economies.



Sky News

November 29, 2018

GCHQ has revealed that it doesn't always tell companies if their software is vulnerable to cyber attacks. The UK government's intelligence and security organisation has said it will sometimes withhold the information to protect "national security interests". GCHQ has made its decision-making process public for the first time. The service has a team of researchers that find flaws in different types of computer software and systems, from the most popular used by millions of people to niche technical kit.



Bloomberg

November 29, 2018

Hackers suspected of ties to Russia’s government targeted Germany with a renewed cyber attack on political institutions, according to the country’s domestic intelligence agency. The agency, known as BfV, said it discovered the infiltration during a probe into a suspected hacker group known as “Snake.” That follows an attack on the German government’s computer networks early this year. Targets included federal lawmakers, military facilities and German embassies, according to news portal Spiegel Online, which said the latest incursion was detected on Nov. 14. “The BfV has been able to detect new attacks as part of its investigation into the cyber-attack campaign ‘Snake,’” a spokeswoman for the agency, known as the Federal Office for the Protection of the Constitution, said by phone. “The victims are mainly in the realm of the state and politics.”



Reuters

November 29, 2018

Moscow’s latest tourist attraction, a cable car over the Moskva River, has been shut the day after it opened because of what the operator said was a cyberattack. The gondola takes passengers from the Sparrow Hills overlooking the Russian capital to the Luzhniki sports stadium where the soccer World Cup final was held this summer. It opened to the public on Tuesday, with rides to be free for the first month, but suddenly halted the next day because of what the operator called a cyberattack on its servers. It said passengers on board at the time had been delivered safely to their destinations, but did not indicate when the cable car might reopen. Tests were due to be completed by Thursday night.



The New York Times

November 28, 2018

You know the messages. They pop up on your computer screen with ominous warnings like, “Your computer has been infected with a virus. Call our toll-free number immediately for help.” Often they look like alerts from Microsoft, Apple or Symantec. Sometimes the warning comes in a phone call. Most people ignore these entreaties, which are invariably scams. But one in five recipients actually talks to the fake tech-support centers, and 6 percent ultimately pay the operators to “fix” the nonexistent problem, according to recent consumer surveys by Microsoft. Law enforcement authorities, working with Microsoft, have now traced many of these boiler rooms to New Delhi, India’s capital and a hub of the global call-center industry. On Tuesday and Wednesday, police from two Delhi suburbs raided 16 fake tech-support centers and arrested about three dozen people. Last month, the Delhi authorities arrested 24 people in similar raids on 10 call centers.



Wired

November 28, 2018

In recent years, hacks against the power grid have gone from a mostly theoretical risk to a real-world problem. Two large-scale blackouts in Ukraine caused by Russian cyberattacks in 2015 and 2016 showed just how feasible it is. But grid hacking comes in less dramatic forms as well—which makes Russia's continued probing of US critical infrastructure all the more alarming. At the CyberwarCon forum in Washington, DC on Wednesday, researchers from threat intelligence firm FireEye noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing probing campaign. "There’s still a concentrated Russian cyber espionage campaign targeting the bulk of the US electrical grid," says FireEye analyst Alex Orleans. "The grid is still getting hit."



CyberScoop

November 28, 2018

The war in Yemen has been accompanied by a digital conflict in which combatants have used surveillance and cryptocurrency to their strategic advantage, new research shows. “[T]he dynamics of the Yemeni civil war are manifesting themselves online through a struggle over Yemeni access, use, and control of the internet,” Boston-based Recorded Future wrote in a blog post about the research on Wednesday. As the Yemeni conflict gains greater attention in Washington, the research highlights how cyber-operations have become intrinsic to kinetic wars. In Yemen, the internet has become “another front,” Recorded Future threat intelligence analyst Allan Liska told CyberScoop.



The New York Times

November 27, 2018

The messages arrived at a familiar moment of crisis for Mexico’s fragile journalist community — another reporter killed in the line of duty. Javier Valdez, a prominent investigative reporter, had been shot dead only a day earlier. Then came a sudden breakthrough: According to a text message received by his colleagues, his killers had been detained. Despite the tragedy, his co-workers were suspicious. More than 90 percent of murders go unsolved in Mexico. How did the authorities solve the case so soon? More likely, they worried, the text messages were an attempt to infiltrate their smartphones — part of a pattern of hacking attempts involving sophisticated spying technology bought by the Mexican government. They were right.



Gov Info Security

November 27, 2018

Ride-hailing platform Uber Technologies' year-long cover-up of its 2016 data breach continues to bite back. On Tuesday, Uber was slammed with a total of $1.2 million in fines by data protection authorities in both the U.K. and the Netherlands over the company's inadequate information security practices as well as its failure to report a massive data breach to regulators in a timely manner. Regulators say the delayed data breach notification to victims, one year after the incident occurred, left Uber's drivers and customers at increased risk of fraud.



Reuters

November 27, 2018

Britain's Financial Conduct Authority will punish firms that are failing to get the basics right on cyber defences, or whose botched IT projects harm consumers, a senior official at the markets watchdog said on Tuesday. Outages at banks such as TSB have left thousands of customers without banking services and this month British lawmakers opened an investigation into such incidents. "On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services," Megan Butler, the FCA's executive director of supervision, told a Bloomberg event. The watchdog surveyed nearly 300 regulated firms between 2017 and 2018. In the year to October, the firms reported a 138 percent rise in technology outages, and an 18 percent increase in cyber incidents. Under-reporting of incidents is probably still a problem, with many linked to an "over-confidence bias" at banks about managing major IT changes, Butler said.



Haaretz

November 26, 2018

Amnesty International Israel asked the Defense Ministry to revoke cyber firm NSO's defense export license two weeks ago, saying it had been proven that its software had been used in "a series of egregious human rights violations," after a Haaretz investigation revealed that the company offered Saudi Arabia a system for hacking cellphones. "NSO has gone out of control," Amnesty Israel said. Sources in the Defense Ministry agency that oversees defense exports said it was strict about granting licenses according to the law and that they could not discuss the existence of NSO's license for security reasons. Amnesty Israel rejected the response and said it intended to pursue legal action.



TECHNOLOGY



Ars Technica

November 29, 2018

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday. The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices behind those routers are reachable from the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions.



ZDNet

November 26, 2018

A hacker has gained (legitimate) access to a popular JavaScript library and has injected malicious code that steals Bitcoin and Bitcoin Cash funds stored inside BitPay's Copay wallet apps. The presence of this malicious code was identified last week, but only today have researchers been able to understand what the heavily obfuscated malicious code actually does. The library loading the malicious code is named Event-Stream, a JavaScript npm package for working with Node.js streaming data. This is an extremely popular JavaScript library, with over two million weekly downloads on the npmjs.com repository, but about three months ago, its original author, due to a lack of time and interest, handed its development over to another programmer named Right9ctrl. But according to an eagle-eyed user who spotted issues with Event-Stream last week, Right9ctrl had immediately poisoned the library with malicious code.
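The handover itself was legitimate, so the usual signals (a new maintainer, a patch release) raised no alarm; what changed on disk is still visible in the lockfile, and that is where a review can start. The block below is an added example, not code from npm, BitPay or the event-stream project. It flattens two lockfileVersion 1 package-lock.json files and reports added packages, version changes, integrity changes with no version change, and tarballs resolved outside the public registry. The two lockfiles are constructed to mirror the shape of this incident (event-stream 3.3.6 pulled in a new dependency, flatmap-stream); the integrity values are placeholders, not real hashes.

```python
"""Diff two npm lockfiles for supply-chain red flags.

Added example, not code from npm, BitPay or the event-stream project. The two
lockfiles are constructed; integrity strings are placeholders.
"""
import json

REGISTRY = "https://registry.npmjs.org/"

OLD_LOCK = json.dumps({
    "name": "wallet-app", "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "3.3.4",
                         "resolved": REGISTRY + "event-stream/-/event-stream-3.3.4.tgz",
                         "integrity": "sha512-PLACEHOLDER-es334",
                         "requires": {"through": "~2.3.1"}},
        "through": {"version": "2.3.8",
                    "resolved": REGISTRY + "through/-/through-2.3.8.tgz",
                    "integrity": "sha512-PLACEHOLDER-through"},
        "ms": {"version": "2.0.0",
               "resolved": REGISTRY + "ms/-/ms-2.0.0.tgz",
               "integrity": "sha512-PLACEHOLDER-ms-a"},
    },
})

NEW_LOCK = json.dumps({
    "name": "wallet-app", "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "3.3.6",
                         "resolved": REGISTRY + "event-stream/-/event-stream-3.3.6.tgz",
                         "integrity": "sha512-PLACEHOLDER-es336",
                         "requires": {"through": "~2.3.1", "flatmap-stream": "~0.1.0"},
                         # nested install, the way npm 5/6 lockfiles record it
                         "dependencies": {
                             "flatmap-stream": {
                                 "version": "0.1.1",
                                 "resolved": REGISTRY + "flatmap-stream/-/flatmap-stream-0.1.1.tgz",
                                 "integrity": "sha512-PLACEHOLDER-fms"}}},
        "through": {"version": "2.3.8",
                    "resolved": REGISTRY + "through/-/through-2.3.8.tgz",
                    "integrity": "sha512-PLACEHOLDER-through"},
        # same version string as before, but a different tarball from a mirror
        "ms": {"version": "2.0.0",
               "resolved": "https://example.invalid/mirror/ms-2.0.0.tgz",
               "integrity": "sha512-PLACEHOLDER-ms-b"},
    },
})


def flatten(lock):
    """Map 'parent/child' paths (nested node_modules) to their lockfile entries."""
    out = {}

    def walk(deps, prefix):
        for name, meta in deps.items():
            key = prefix + name
            out[key] = meta
            walk(meta.get("dependencies", {}), key + "/")

    walk(lock.get("dependencies", {}), "")
    return out


def diff_locks(old_text, new_text, registry=REGISTRY):
    """Compare two lockfiles and bucket every package by what changed."""
    old, new = flatten(json.loads(old_text)), flatten(json.loads(new_text))
    report = {"added": [], "removed": [], "version_changed": [],
              "hash_changed": [], "off_registry": []}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if o is None:
            report["added"].append((key, n["version"]))
        elif n is None:
            report["removed"].append((key, o["version"]))
        elif o["version"] != n["version"]:
            report["version_changed"].append((key, o["version"], n["version"]))
        elif o.get("integrity") != n.get("integrity"):
            # same version, different bytes: republished or tampered tarball
            report["hash_changed"].append(key)
        if n is not None and not n.get("resolved", "").startswith(registry):
            report["off_registry"].append(key)
    return report


if __name__ == "__main__":
    for bucket, items in diff_locks(OLD_LOCK, NEW_LOCK).items():
        print(f"{bucket:16} {items}")
```

The `added` and `version_changed` buckets are the ones to read the actual package diff for; in this incident the new dependency was the entire change of interest, and a review gate that blocks a build until each added package has been looked at would have surfaced it. `hash_changed` catches a tarball republished under an existing version, and `off_registry` catches a resolved URL that does not point at the registry the team trusts. Installing with `npm ci` rather than `npm install` keeps the build on exactly the lockfile that was reviewed.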