Pages

Wednesday, March 13, 2019

As 2020 nears, pressure grows to replace voting machines

*Maroubra beach accident


Manafort hit with new charges moments after 7.5-year prison term imposed

From a wheelchair, Paul Manafort apologised to a judge as he faced sentencing for conspiracy to defraud the United States by illegally lobbying in Ukraine.



The Hill


March 7, 2019


An institutional neglect toward cybersecurity contributed to the massive 2017 data breach at Equifax that compromised sensitive information for more than 145 million Americans, a Senate panel alleged in a new report. The Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations on Wednesday night released its conclusions from a probe into the incident and said Equifax failed to take basic steps to protect its security system from vulnerabilities. “Based on this investigation, the Subcommittee concludes that Equifax’s response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax’s neglect of cybersecurity,” the panel wrote in its report. “Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness.” The report was released the night before Equifax CEO Mark Begor, who joined the company after the data breach, testified before the subcommittee. He apologized to the panel for the incident but took issue with the report’s findings.






FCW


March 6, 2019


The Trump administration's national cybersecurity strategy is a good start but more accountability is needed, the head of the Government Accountability Office told two congressional panels on March 6. Comptroller General Gene Dodaro was on Capitol Hill to present the biennial High Risk List of 35 areas in the federal government vulnerable to fraud, waste, abuse or mismanagement. Cybersecurity across the federal government, remains a critical concern, even with the administration's National Cyber Strategy released last September. The security of critical infrastructure is also an issue. "I give the administration credit for its cybersecurity plan, but there is no implementation plan, definition of responsibilities, or metrics," Dodaro said during the Senate hearing. "There's not enough of a sense of urgency to correct [cybersecurity] problems at agencies or across government," he told the Senate panel. He singled out the elimination of the White House cybersecurity coordinator post at the National Security Council as an area of concern.






Health IT Security


March 4, 2019


The College of Healthcare Information Management Executives recently sent a list of recommendations to the Senate Committee on Health, Education, Labor, and Pensions (HELP), outlining the need to include cybersecurity in policies designed to address the rise in healthcare costs. The Senate HELP committee recently released a request for information to address rising costs to healthcare. CHIME included the need for cybersecurity measures and regulatory changes to support providers in addressing threats to patient data, in its list of recommendations for reducing those costs. For CHIME, while technology and data sharing are “vital to enhancing” care quality and efficiency, any policies to support those digital changes must include cybersecurity measures to protect patient data.








CyberScoop


March 8, 2019


The Democratic National Committee is striving to “make it more expensive for attackers to do their work” as it prepares for a 2020 election, Bob Lord, the committee’s chief security officer, told CyberScoop. It is a simple but proven principle of cybersecurity: Make it harder for hackers to succeed by implementing time-tested basics like two-factor authentication. The question for the DNC is: How do you aggressively broaden adoption of such practices for campaigns and state parties scattered across the country, many which have very limited budgets? That far-flung apparatus is not the chain of command that Lord was used to when he was a cybersecurity executive at companies like Yahoo and Rapid7. “Because we’re a decentralized ecosystem, it presents a number of interesting challenges,” he said in an interview. “I don’t have the ability to order people to do things. Nor can I practically manage all of their systems. But what I can do is try to be a voice that they might not have heard before.”






Defense One


March 7, 2019


The commander of the nation’s top military cybersecurity organizations, the National Security Agency and U.S. Cyber Command, has recommended they split from each other next year, Defense One has confirmed. That’s another delay for an organizational change first planned for in 2016 and since slowed to allow officials time to sort out the authorities for the civilian agency and military command and ensure that both entities can perform well independently. Gen. Paul Nakasone, who leads NSA and CYBERCOM, recommended to former Defense Secretary James Mattis last August that the split be put off until 2020, current and former intelligence officials told Defense One this week. Those officials believe the general’s recommendation will be accepted by Pentagon leaders, though Acting Defense Secretary Patrick Shanahan’s views are not known. A Pentagon spokesman said no official decision has been made.






CyberScoop




Don’t expect U.S. officials to produce a “smoking gun” of public evidence that the Chinese government might be using telecommunications giant Huawei to further its interests in cyberspace, a senior National Security Agency official told CyberScoop. “Everybody is anxious for that smoking gun,” Rob Joyce, senior cybersecurity adviser at NSA, said in an interview. “It is not the case that you’re going to see people bring out and drop that smoking gun on the table … for all sorts of reasons about the way we understand the threat, the way we deal with the Chinese, the way we have to protect the ability to see and maybe defeat or deny that capability going forward.” U.S. officials have long accused Chinese tech companies Huawei and ZTE of being potential vessels for spying. One reason is that under Chinese law, companies are required to cooperate with national intelligence activities. Huawei and ZTE strenuously deny the allegations, saying they operate as competitive companies in the global economy.






Nextgov


March 7, 2019


The Defense Department’s cyber warrior teams are struggling to maintain readiness, according to a congressional auditor. In 2013, the Defense Department began a years-long process to stand up 133 Cyber Mission Force teams of military personnel with elite cyber training to defend critical information networks. The department reached full operating capability before its deadline, but a Government Accountability Office audit released Wednesday found the Cyber Mission Force began experiencing training and readiness issues last year. “As of November 2018, many of the 133 CMF teams that initially reported achieving full operational capability no longer had the full complement of trained personnel, and therefore did not meet Cyber Command’s readiness standards,” the audit said.






AP


March 6, 2019


Time and money are running short for states to replace aging or inadequate voting machines before the 2020 presidential primaries, according to a report released Tuesday. State and local election officials in 31 states say they want to replace their voting equipment before the elections, but the vast majority said they don't have enough money to do so, according to The Brennan Center for Justice at NYU's School of Law. "We basically have this year and then it's too late," said Lawrence Norden, deputy director of the center's Democracy Program and author of the report. It can take months to decide on replacement machines, secure the funding, develop security protocols, train workers and test the equipment. States received $380 million in election security grants from Congress last year, but experts have said that's merely a down payment on what is needed.






FCW


March 6, 2019


Less than a year before the 2020 population count officially begins, the Census Bureau knows it'll be a prime target for cyberattacks. Public perceptions around data confidentiality and the security of a trove of sensitive information have consistently topped the bureau's major risk areas in the decade leading up to  an online census. And with that change in medium -- the bureau expects about 60 percent of responses to be submitted online -- comes novel risks, Census CIO Kevin Smith told FCW at an event hosted by the Poynter Institute and Georgetown University March 5. Because the information, for the first time, will be coming in digitally rather than on paper, Census is now making sure data is encrypted both in transit from respondents and once it's been received by the bureau, he said. And the bureau isn't taking on the cybersecurity lift alone. "We're going through the steps right now with [the Department of Homeland Security] to involve the intelligence community to determine what to put in place," he said. "They offered to provide us with support similar to the 2018 midterm elections."






Wired




The National Security Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn't leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a "contribution to the nation’s cybersecurity community" in announcing it at RSA, it will no doubt be used far beyond the United States. You can't use Ghidra to hack devices; it's instead a reverse-engineering platform used to take "compiled," deployed software and "decompile" it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.






PC Magazine


March 5, 2019


The US government came to this year's RSA cybersecurity show with a key message: Be on guard against China. On Tuesday, officials at the FBI, the NSA and the Department of Homeland Security spoke at the show, and specifically called out China as a major hacking threat that needs to be on the radar of every US business. "I would argue for too long that this country (the US) has actually been under-focused on the counterintelligence threat … that China poses," FBI director Christopher Wray said during his talk at RSA. According to Wray, the US has long been "underfocused" on the Chinese hacking threat, which has sought to steal sensitive intellectual property from US companies. "We have economic espionage investigations in basically all 56 field offices, almost all of which lead back to China. It covers every sector of the economy. It covers academia," he added. Sure, Russia may be getting most of the headlines for hacking crimes, but China may end up becoming the larger problem, according to NSA cybersecurity senior advisor Rob Joyce. That's because the country is focused on building up its capabilities to surpass the US, whereas the Kremlin has focused more on sowing chaos. "You can kind of look at Russia like it's a hurricane: It's fast and hard. And China is like climate change: Long, slow and pervasive," Joyce said during a separate talk with journalists at RSA.






CyberScoop


March 5, 2019


When it comes to protecting the federal government from cyberattacks, simplicity is not that simple. That was the underlying message Monday during multiple panels at RSA Public Sector conference in San Francisco, where government cybersecurity experts and the federal contractors that carry out the government’s cybersecurity operations discussed why things are currently complicated and what it will take to make things easier. The government’s ongoing embrace of the cloud is helping move things in the right direction, but because agencies often follow a hybrid cloud model, watching over a government enterprise is still a highly complex task. Kevin Cox, the program manager for the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, said Monday that it’s a challenge to ascertain exactly how each agency has its enterprise configured.






FCW


March 4, 2019


A Trump administration initiative to retrain federal workers for cybersecurity jobs received more than 1,500 applications, according to the government's top IT official. On March 1, Federal CIO Suzette Kent tweeted out statistics related to the first round of applicants for the government's new Cyber Reskilling Academy. Among the findings: nearly half of the 1,500 applicants were lower-level feds between GS-5 and GS-11 on the government pay scale. Those applicants just completed aptitude assessments, and the Office of Management and Budget is expected to select finalists for the first 25-person cohort April 1 before kicking off a three-month curriculum starting April 15. The pilot is envisioned as a vehicle for transitioning parts of the federal workforce toward high-level cybersecurity work greatly needed in the federal government and countering the looming prospect of automation that could lead to the elimination of lower level, manual-driven data entry and analysis positions.






INDUSTRY






CyberScoop


March 8, 2019


Citrix, a VPN service widely used in the corporate world, revealed Friday that the FBI is investigating a breach to its internal network by “international cyber criminals.” The hackers appear to have “accessed and downloaded business documents,” the company said in a blog post, adding that it doesn’t know specifically what was accessed. There is no sign that the breach has compromised any Citrix product or service, the Florida-based company said. “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Citrix said. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”






Ars Technica


March 7, 2019


Google security officials are advising Windows users to ensure they’re using the latest version 10 of the Microsoft operating system to protect themselves against a “serious” unpatched vulnerability that attackers have been actively exploiting in the wild. Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday. While that specific exploit combination won’t be effective against Chrome users who are running the latest browser version, the Windows exploit could still be used against people running older versions of Windows. Google researchers privately reported the vulnerability to Microsoft, in keeping with its vulnerability disclosure policy.






FCW


March 7, 2019


A white paper released March 6 by the Cybersecurity Coalition, an industry group led by former White House Senior Cybersecurity Director Ari Schwartz, recommends that organizations and governments adopt coordinated vulnerability disclosure (CVD) frameworks. The paper also suggests placing the Department of Homeland Security or another civilian department in charge of developing a policy framework for federal agencies, and it calls for more federal funding for resources like the Common Vulnerability and Exposures and National Vulnerability Database programs. The Cybersecurity Coalition argues that such policies should be "a standard component" of security programs at governments and private companies and that the U.S. government should promote and encourage broader adoption at home and internationally. The group does not support government bodies acting as arbiters for the private sector, however.






The Wall Street Journal


March 7, 2019


Hackers breached the system that houses applicant information for three U.S. colleges in recent days and demanded thousands of dollars in ransom from prospective students for personal information they claimed to have stolen. The schools include Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College in New York. All three use a system called Slate to track information about students who have applied for admission. Slate is owned by Technolutions Inc.






Vice Motherboard


March 7, 2019


On Thursday, Crowdfense, a company that buys zero day exploits from researchers and then sells them to government agencies, announced it is now offering a total of $15 million to hackers who have particular exploits for sale. Zero days are attacks which take advantage of vulnerabilities that the impacted vendor—Apple, Google—is unaware of. The highest tier of exploit chains for iPhones and certain Android devices can fetch $3 million each. But notably, Crowdfense’s roster of desired hacking tools goes beyond the usual suspects of fully up-to-date phones and desktop devices. Crowdfense is now also buying exploits that can break into internet routers. The reason? Hacking users’ phones, and in particular Apple’s iPhone, is becoming so difficult, and the necessary chain of exploits needed to hack them so rare, that some vendors are starting to look for other devices they can still break into while gathering information on a target.






CNBC


March 5, 2019


Attempted cyberattacks are no longer an "if," but a "when." And, for many companies, hackers will win. In the first half of 2018 alone, more than four billion records were compromised to data breaches. That comes at a heavy price, according to a 2018 study by IBM and the Ponemon Institute. The average data breach cost companies $3.86 million, the study found, and large-scale breaches can hit $350 million. Against that backdrop, companies are eager to hire cybersecurity experts to guard against those risks. The problem: There aren't nearly enough people who can fill those roles. The demand for skilled security professionals is one of the biggest challenges facing the cybersecurity industry today, with 2.93 million positions open and unfilled around the world, according to non-profit IT security organization (ISC)².






The New York Times


March 4, 2019


Ten years ago, Google was hacked by the Chinese military in one of the most startling cyberattacks on an American company by government-affiliated agents. This week, Chronicle, a security start-up owned by Google’s parent company, Alphabet, plans to bring some of what it learned from that incident to other companies through a widely anticipated new product called Backstory. The idea, company executives said, is simple: Backstory will make Alphabet’s vast storage, indexing and search abilities available to other companies, allowing them to search through giant volumes of data, going years back, to trace the back story of a malicious attack. Chronicle is hardly the only company doing this. Dozens of companies promise so-called big data threat intelligence and storage. But many of their customers can’t afford to pay to search through huge amounts of information. Chronicle will charge customers by their number of employees.






Wired


March 4, 2019


When Google's team of ninja bug-hunting researchers known as Project Zero finds a hackable flaw in somebody else's code, they give the company responsible 90 days to fix it before going public with their findings—patched or not. So like clockwork, 94 days after Google alerted Apple to a bug in its MacOS operating system that could allow malware to inject data into the most privileged code running on its computers, Mountain View's hackers are revealing that fresh zero-day vulnerability to the world. On Friday, Google's Project Zero researchers quietly published a forum post outlining a previously unknown vulnerability in MacOS, which they call BuggyCow, in a piece of proof-of-concept demonstration code. The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac.






Reuters


March 4, 2019


Firefox browser-maker Mozilla is considering whether to block cybersecurity company DarkMatter from serving as one of its internet security gatekeepers after a Reuters report linked the United Arab Emirates-based firm to a cyber espionage program. Reuters reported in January that DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter’s headquarters. While Mozilla had been considering whether to grant DarkMatter the authority to certify websites as safe, two Mozilla executives said in an interview last week that Reuters’ report raised concerns about whether DarkMatter would abuse that authority.






Gov Info Security


March 4, 2019


Four business sectors - hospitals, banks, securities firms and market infrastructure providers - potentially face the most significant financial impact from cyberattacks that could lead to a weakened credit profile, according to a new report from Moody's Investors Service. "In our view, cyber risk is event risk, and we see a rising tide," according to the report from Moody's, a U.S. credit ratings agency. "Digitization continues to increase, supply chains are becoming more complex and attacker sophistication is improving. However, the universe of cyber threat actors remains the same: socially motivated attackers - hacktivists - criminals and nation-states." Moody's research assessed the inherent cyber risk exposure of 35 broad sectors based on two factors: vulnerability to a cyber event or attack and impact in terms of potential disruption of critical business processes, data disclosure and reputational effects. Four sectors - banks, securities firms, market infrastructure providers and hospitals - were classified as having the highest overall cyber risk due to their significant reliance on technology and confidential information for their operations, the Moody's report notes.






INTERNATIONAL






The Washington Post


March 7, 2019


Huawei said Thursday that it has sued the U.S. government to challenge a law that bans federal agencies from buying its telecommunications equipment, opening a new front in the metastasizing global contest between the Chinese technology giant and Washington. In a lawsuit filed in U.S. District Court in Texas, Huawei argued that a section of the 2019 National Defense Authorization Act that prohibits federal agencies and contractors from buying Huawei equipment on national security grounds unfairly punishes the Chinese company. The lawsuit asserts that the prohibition was imposed without due process and with no proof provided that Huawei poses an espionage threat to the United States. The complaint adds a new subplot — in American courts — to the sprawling standoff between the Trump administration and a tech firm seen as an icon of China’s rise into a world power.






BBC


March 7, 2019


Cyber-attacks could turn elections into "tainted exercises" that undermine Western democracies, the foreign secretary has said. In a speech in Glasgow, Jeremy Hunt said authoritarian regimes view democratic elections as "key vulnerabilities" to be targeted. But he stressed there was no evidence of successful interference in UK polls. Mr Hunt called for economic and diplomatic sanctions to be part of the response to attacks. He added that the government was expanding its network of "cyber attaches" - diplomats working with governments around the world to address the problem. Russia, China, Iran and North Korea have all been accused of being behind various hacks and online campaigns in recent years.






The Financial Times


March 7, 2019


The worst cyber attack in Singapore's history, which involved the theft of medical information linked to the prime minister as well as 1.5m patients, was executed by a state-sponsored espionage group called Whitefly, according to Symantec. The US cyber security group said Whitefly was backed by a nation state, but it could not "say for certain by whom the group is funded or from whom they take direction". Symantec's findings are in line with a report published by the Singapore government in January, which said that hackers resembling state-sponsored actors were responsible for the cyber attack at SingHealth, the city state's largest healthcare group. Wednesday's report said that in the 12 months to mid-2018 Whitefly launched attacks against a number of organisations mostly based in Singapore, including multinational corporations with operations in the city state.






AP


March 7, 2019


German authorities published a list of security requirements for telecoms networks Thursday, amid concerns about the possible involvement of China’s Huawei in future 5G infrastructure. The United States has been lobbying for allied countries and companies to block Huawei from providing equipment for fifth-generation cell networks, claiming it could facilitate digital espionage by the Chinese government. Germany has made clear in recent weeks that it doesn’t plan to pre-emptively exclude specific companies from bidding for contracts, but instead wants to set minimum standards that all suppliers have to meet. According to the new guidelines published by Germany’s Economic Ministry and the Federal Network Agency, systems for networks including 5G “may only be sourced from trustworthy suppliers whose compliance with national security regulations and provisions for the secrecy of telecommunications and for data protection is assured.”






The Wall Street Journal


March 6, 2019


Cyberattacks linked to Iranian hackers have targeted thousands of people at more than 200 companies over the past two years, Microsoft Corp. said, part of a wave of computer intrusions from the country that researchers say has hit businesses and government entities around the globe. The campaign, the scope of which hadn’t previously been reported, stole corporate secrets and wiped data from computers. It caused damages estimated at hundreds of millions of dollars in lost productivity and affected oil-and-gas companies, heavy-machinery manufacturers, and more.






Reuters


March 6, 2019


The Czech cyber-security watchdog was not pressured by the United States or anyone else into issuing its warning about the possible security risks posed by Chinese telecoms equipment maker Huawei, Prague’s cyber attache to Washington told Reuters. Rather, its December warning took both the United States and Huawei by surprise, Daniel Bagge, the Washington-based representative for the NUKIB watchdog said in an interview. The United States has urged allies not to use products made by Huawei, the world’s biggest maker of telecoms equipment, saying they could enable Chinese state espionage. No evidence has been produced publicly and Huawei has repeatedly denied the allegations. But several Western countries have restricted, or are considering restricting, the company’s access to their markets, fueling speculation of U.S. pressure. Bagge, however, said NUKIB reached its own conclusions on Huawei and Chinese peer ZTE based on “information from the public domain as well as classified information and information from partners in the intelligence community.”






The Atlantic


March 6, 2019


When Chinese President Xi Jinping and his Czech counterpart, Miloš Zeman, raised a beer from a terrace overlooking the spires of Prague in 2016, they were hailing an era of deepened economic cooperation: Beijing would invest billions of dollars in the Czech Republic, and Zeman, in turn, would tout China as a business partner for Europe. Zeman has been a staunch supporter of Beijing ever since, and in particular of the Chinese telecom giant Huawei Technologies, promoting the company’s efforts to roll out across the Czech Republic cutting-edge wireless technology known as 5G. But Huawei’s role here has come under growing domestic scrutiny in recent months, with the country’s cybersecurity agency labeling it a threat. That has triggered a political dispute that is, in varying forms, playing out across Central Europe and the wider world. It puts the Czech Republic at the center of a geopolitical tug-of-war between the United States, its longtime ally and fellow democracy, and the growing economic heft of China.






Reuters


March 5, 2019


Huawei, in the spotlight over the security risks of its telecom equipment gear, urged governments, the telecoms industry and regulators on Tuesday to work together to create a common set of cybersecurity standards. The call by Huawei Chairman Ken Hu came as the world’s largest telecoms equipment maker opened a cyber security centre in Brussels, allowing its customers and governments to test Huawei’s source code, software and product solutions. The company has similar facilities in Britain, Bonn, Dubai, Toronto and Shenzhen. "The fact is that both the public and private sectors lack a basic common understanding of this issue. As a result, different stakeholders have different expectations and there is no alignment of responsibilities," Hu told a news conference.






Reuters


March 5, 2019


Britain's banks will have to show they could recover from a cyber attack within hours to avoid customer payments being delayed to the next day, the Bank of England said on Tuesday. The BoE said it would hold a pilot cyber stress test of lenders mid-2019 but individual results won't be published. The "severe but plausible" test will look at how banks' could withstand a cyber attack and how quickly they would recover so that payments can continue. The pilot test will look at the payments system of a bank going down, but future tests would also likely include data being corrupted, the BoE's Financial Policy Committee (FPC) said. Banks, which the BoE did not name, will have to show that payments made on the day of the theoretical cyber attack are completed that day.






The Hill


March 4, 2019


A team of cybersecurity researchers said Monday that they have identified a state-sponsored Chinese hacking group that has launched cyberattacks to try to bolster China's navy. Security firm FireEye said in a blog post that the group, which they are calling APT40, has been carrying out cyberattacks since at least 2013 that targeted the engineering, transportation and defense industries. The researchers said that the group is also going after traditional targets for China, including groups tied to elections in Southeast Asia, to try to gain intelligence about the organizations. FireEye noted that those actions are likely linked to Chinese disputes in the South China Sea, as well as China’s massive “Belt and Road Initiative,” which aims to make the country a global superpower in trade. “Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term,” the post reads.






The New York Times


March 3, 2019


North Korean hackers who have targeted American and European businesses for 18 months kept up their attacks last week even as President Trump was meeting with North Korea’s leader in Hanoi. The attacks, which include efforts to hack into banks, utilities and oil and gas companies, began in 2017, according to researchers at the cybersecurity company McAfee, a time when tensions between North Korea and the United States were flaring. But even though both sides have toned down their fiery threats and begun nuclear disarmament talks, the attacks persist.






TECHNOLOGY






E&E News


March 7, 2019


On Aug. 4, 2017, at 7:43 p.m., two emergency shutdown systems sprang into action as darkness settled over the sprawling refinery along Saudi Arabia's Red Sea coast. The systems brought part of the Petro Rabigh complex offline in a last-gasp effort to prevent a gas release and deadly explosion. But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor. The reasons for the sudden shutdown were still buried under zeros and ones, nestled deep within the code of the compromised Schneider Electric safety equipment. Investigators soon discovered a dangerous hacking tool that would usher in a new chapter in the global cyber arms race, much like the Stuxnet worm that damaged Iranian nuclear centrifuges at the start of the decade. The discovery of the Triton malware, named for the Triconex line of safety systems it triggered, echoed from the ancient Saudi city of Rabigh to a research institute in Moscow, and from California to Tokyo.






The New York Times


March 7, 2019


Going back at least a decade, cars have been targeted by hackers, some who ended up working with the industry, others acting maliciously. But vehicles now carry far more electronic equipment, and autonomous driving, relying on sensors, cameras and radar, is on the horizon, with all kinds of ripe new targets. Concern that cars could be seriously hacked — by criminals, terrorists or even rogue governments — has prompted a new round of security efforts on the part of the auto industry. As far back as 2010, a disgruntled former employee at Texas Auto Center in Austin used a co-worker’s account to log into company software used for car repossession. He disabled over 100 cars, and owners who were up to date on their payments suddenly found their vehicles honking furiously, and unable to start. In 2015, a veteran hacker named Samy Kamkar built a device for under $100 that he said could find, unlock and remotely start any General Motors car equipped with the OnStar communications system. Luckily, Mr. Kamkar was acting as a “white hat,” and not selling his OwnStar device to unscrupulous hackers. “I worked with G.M. to resolve that issue,” he said, and that particular vulnerability is gone. “Cars are getting more secure, but it’s a long cycle to get the necessary new software and hardware installed.”






Wired


March 7, 2019


At the endless booths of this week's RSA security trade show in San Francisco, an overflowing industry of vendors will offer any visitor an ad nauseam array of "threat intelligence" and "vulnerability management" systems. But it turns out that there's already a decent, free feed of vulnerability information that can tell systems administrators what bugs they really need to patch, updated 24/7: Twitter. And one group of researchers has not only measured the value of Twitter's stream of bug data but is also building a piece of free software that automatically tracks it to pull out hackable software flaws and rate their severity. Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assessed how much of a threat they represent based on how they're described. They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database—the official register of security vulnerabilities tracked by the National Institute of Standards and Technology—but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy.