A 21-year-old New Jersey woman attending college in South Carolina was kidnapped and killed there after mistakenly getting into a stranger’s car that she thought was the Uber ride she had summoned, police announced Saturday evening.
The Columbia, South Carolina police chief provided that and other details in announcing an arrest in the murder of Samantha Josephson of Robbinsville, who went missing early Friday and was found dead later that day. Her father had reported her death on social media early Saturday.
Chief W.H. Holbrook said during a news conference that Stephenson, a student at the University of South Carolina in Columbia, had summoned a car from the ride-sharing app and was waiting for it outside a downtown location in Columbia where she had been out with friends sometime before 2 a.m. on Friday.
Map of the Internet Circa 1973 AD via Jason
The Hill
March 28, 2019
A bipartisan group of lawmakers introduced legislation Thursday to create an
advisory committee of cyber professionals to help the Department of Homeland
Security (DHS) take on cyber issues. The bill, introduced by Reps. John Katko
(R-N.Y.), Dan Lipinski (D-Ill.), Dan Newhouse (R-Wash.) and Brian Fitzpatrick
(R-Penn.), would create an advisory committee within DHS’s Cybersecurity and Infrastructure
Security Agency (CISA) to offer recommendations on new cybersecurity policies
and programs. The committee would consist of 35 cybersecurity professionals
from state and local governments, as well as industries like healthcare,
energy, transportation and manufacturing. A maximum of three members from each
industry would be allowed on the committee, and members would serve terms of
two years. Katko, the ranking member of the Cybersecurity, Infrastructure
Protection and Innovation subcommittee on the House Homeland Security
Committee, said the bill “takes steps towards equipping the agencies within the
Department of Homeland Security with the necessary tools to respond to evolving
cyber threats.”
CNN
March 27, 2019
A bipartisan bill set to be introduced on Wednesday aims to close what is regarded as a
major gap in congressional cybersecurity and extend the government's
protections to senators and their staffers' personal phones and computers. The
fact that Senate employees, especially those with high security clearance,
enjoy federal security on their work devices but not the ones they purchase themselves
has long been regarded as a glaring oversight by cybersecurity experts. "It is
ludicrous to expect individual senators and their staff to defend themselves
from spies and hackers," Bruce Schneier, a security lecturer at Harvard,
said in a statement on the bill. "Hostile foreign intelligence services do
not respect the arbitrary line between work and personal technology."
Nextgov
The federal government wants to hold defense contractors accountable for the cybersecurity
of their supply chains but that’s no easy feat, experts said Tuesday. Industry
representatives told lawmakers on the Senate Armed Services Committee about
attempting to tackle cyber threats as a federal contractor. Much of the hearing
was focused on one specific issue: increasingly complex levels of supply chains
make it difficult for prime contractors to ensure all subcontractors are
upholding cybersecurity protections. And that ever-lengthening chain increases
the possibility of compromised information or cyberattacks. “I don’t know why
we don’t hold the larger contractors who are responsible for the contract to
make sure the subcontractors they are hiring have protections,” Sen. Joe
Manchin, D-W.V., said. “Somebody has to be held accountable.” The panelists
explained a large part of the problem is that the government frequently does
not have access to the contracts between primes and their subcontractors, or a
prime contractor may know who its immediate supplier is but not know the
subcontractors that supplier uses—a loop that can repeat for each
subcontractor.
CyberScoop
March 27, 2019
While the security of the 2020 election remains a prominent topic in Washington, a group
of Democratic senators is raising alarms about longer-term issues that will
resonate after voters are done choosing a president about 20 months from now.
The three companies that make most of the voting technology used in the U.S.
must be more transparent about their plans to improve their products to meet
current expectations about security and performance, says a letter Wednesday by
Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular,
the senators say every machine should reliably produce paper records, and the
companies should do far more to upgrade their products. “The integrity of our
elections is directly tied to the machines we vote on — the products that you
make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of
Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive
responsibility, there has been a lack of meaningful innovation in the election
vendor industry and our democracy is paying the price.” The senators ask the
top executives of Hart InterCivic, Election Systems & Software and Dominion
Voting Systems 16 detailed questions about their commitment to innovation,
their ability to produce machines that allow voters to easily check their
selections and their adherence to guidelines established by the federal
Elections Assistance Commission for certification and testing of machines.
FCW
March 26, 2019
Cybersecurity is a key component of the Defense Department's $750 billion budget request for
fiscal year 2020, acting Defense Secretary Patrick Shanahan told legislators on
March 26. Less than $10 billion of that request is explicitly allocated for DOD
cybersecurity efforts. But Shanahan testified before the House Armed Services
Committee that "modernization is the most important thing we can do to
maintain deterrence, create military capability, but that's also what enables
us economically, so they really all tie all together." He also emphasized
the state and local ripple effects that DOD investments create through industry
relationships. Shanahan added that the military must be "an enabler to
unlock diplomatic and new relationships" rather than be a solution unto
itself. While spending on cyber and emerging technologies represents only a
sliver of the overall budget request, he called the investment in such critical
areas "fundamental."
Nextgov
March 26, 2019
Giving federal regulators more power to monitor and punish credit bureaus could help
prevent massive data breaches like Equifax, according to a congressional
watchdog. In 2017, hackers spent months secretly harvesting data held by
Equifax, one of the country’s three major consumer reporting agencies. By the
time the intrusion was discovered, they’d made off with personal and financial
information on nearly half of all Americans. In a report published Tuesday, the
Government Accountability Office said further empowering regulators at the
Federal Trade Commission and Consumer Financial Protection Bureau could help
prevent similar incidents from occurring in the future. “While companies in
many industries have experienced data breaches, [consumer reporting agencies]
may present heightened risks because of the scope of sensitive information they
possess and because consumers have very limited control over what information
[consumer reporting agencies] hold and how they protect it,” auditors wrote.
“These challenges underscore the importance of appropriate federal oversight of
[consumer reporting agencies] data security.” Under federal law, FTC can
already penalize companies for violating consumer data security standards, but
GAO found its current authorities are ill-equipped to handle breaches on the
scale and scope of Equifax.
ADMINISTRATION
The Wall Street Journal
March 29, 2019
The FBI has launched its biggest transformation since the 2001 terror attacks to retrain
and refocus thousands of special agents to combat cyber criminals, whose
threats to lives, property and critical infrastructure have outstripped U.S.
efforts to thwart them. The push comes as federal investigators grapple with an
expanding range of cyber attacks sponsored by foreign adversaries against
businesses or national interests, including Russian election interference and
Chinese cyber thefts from American companies, senior bureau officials said.
Federal News Network
March 29, 2019
Contractors not up to date on cybersecurity standards will only get a pass from the Defense
Department for a little longer, leadership says. DoD will begin auditing
the cybersecurity procedures of companies that want to win contracts, and it plans to
start within the next 18 months, according to Ellen Lord, DoD undersecretary
for acquisition and sustainment. There will also be new cybersecurity standards
that companies will have to abide by if they want to work with the military.
“We have set out an objective of coming up with new cybersecurity standards
this year,” Lord said at an Atlantic Council event on March 25 in Washington.
“We’ll have metrics by which to measure them. We’ll have third parties that can
actually audit against them such as International Organization for
Standardization standards we have for quality. We need to them understand: How
do we put cybersecurity into the new networks we are building? How do we make
sure that there aren’t back doors there? How do we make sure that data at rest
stays secure?” The new cybersecurity standards will build off of the already
existing National Institute of Standards and Technology Special Publication
800-171 standards required by the Pentagon.
The New York Times
In a case that exposed the government’s embarrassing failure to secure its secrets, a
54-year-old former National Security Agency contractor pleaded guilty on
Thursday to taking classified documents home in a deal likely to put him in
prison for nine years. Harold T. Martin III, who worked in the N.S.A.’s
Tailored Access Operations hacking unit, admitted his guilt more than two years
after his arrest in what may be the biggest breach of classified information in
history. F.B.I. agents who swarmed his modest home south of Baltimore in 2016
found stacks of documents and electronic storage devices stashed in his car,
his home and even a garden shed. But investigators never found proof that Mr.
Martin, who was working on a doctorate in information systems at the time of
his arrest, had shared the stolen secrets with anyone else, though there is
evidence he may have considered doing so. Wearing a gray jail jersey with white
stripes and a neatly trimmed beard, Mr. Martin stood and answered the judge’s
questions in a clear, calm voice. “It’s time we closed this Pandora’s box,” the
defendant said at one point, his most extensive statement in court.
FCW
March 28, 2019
Officials say a pair of newly created entities established by the federal government to
reduce cybersecurity risks to the technology supply chain are designed to be
complementary, but the partial government shutdown complicated and delayed
efforts to sync up the dual efforts. Last year, the Department of Homeland
Security stood up a supply chain task force composed of representatives from
federal agencies, private-sector technology companies and industry groups. Nine
months later, Congress passed the Secure Technology Act, a law that creates a
new Federal Acquisition Supply Chain Security Council to build greater
cybersecurity resilience into federal procurement and acquisition rules. While
both bodies are focused on shoring up vulnerabilities in the technology supply
chain, representatives from DHS and the Office of the Director of National
Intelligence said at a March 27 event hosted by the Atlantic Council that work
streams for both efforts will feed into and complement, not duplicate, one
another.
Fifth Domain
March 28, 2019
A new Army unit will help the service operate against enemies such as Russia and China on
a daily basis but will do so below the level of conflict. In addition, the new
group could help set the stage for more traditional kinetic battles. The
Intelligence, Information, Cyber, Electronic Warfare and Space detachment
(I2CEWS) — a battalion sized unit described as the “brain” of the Army’s
multidomain task force — will integrate all the capabilities within its
namesake under a single formation. “They must be present in the competition
phase. That’s when they can do their best work … and set the stage if we do go
from competition to crisis you are prepared,” said Gen. Robert Brown, commander
of Army Pacific, where the multidomain task force is focused. “Quite honestly,
we were not present in the competition phase and certainly, China and Russia
are. It’s good to be able to be there to make sure we can compete and prepare
for what happens.” Previously, officials described the I2CEWS as teams that
would focus on a specific geographic region, either in the Pacific or Europe,
and would take on different forms based on their area of emphasis. Brown,
speaking March 27 at the AUSA Global Force Symposium in Huntsville, Alabama,
noted that there is now a constant state of “continuous geopolitical hyper
competition.”
Gov Info Security
March 28, 2019
The computer systems the U.S. Department of the Treasury uses to track the nation's
debt have serious security flaws that could allow unauthorized access to a
wealth of federal data, according to a pair of audits released this week by the
Government Accountability Office. The audits are part of an annual review of
the federal deficit that the GAO undertakes. As of Sept. 30, 2018, U.S. debt
stood at about $21.5 trillion. To keep track of all that money, including what
the federal government owes to its creditors, the Treasury Department relies on
IT systems at various agencies, including the Bureau of the Fiscal Service and
the Federal Reserve Banks. Within those two agencies, GAO inspectors found a
combination of new and old security flaws that could provide unauthorized
access to these various systems. The flaws included issues with configuration
management and faulty access controls, which could cause disruptions and impede
the Treasury Department's ability to oversee and manage the national debt.
While the specific issues of these security flaws remain confidential, the GAO
recommends that the Bureau of the Fiscal Service and the Federal Reserve Banks
immediately begin addressing them.
Nextgov
The Air Force is taking one of the longest, most difficult, critical aspects of
cybersecurity and IT deployment in the public sector and fast-tracking the
process. Last week, Air Force Undersecretary Matthew Donovan signed a memo
authorizing officials to grant IT systems an authority to operate—the
designation certifying the application is reasonably secure from
cyberattacks—on an expedited timetable. Obtaining an ATO is often an arduous
process that can take months, especially for military systems that are constant
targets for bad actors worldwide. During pilot tests earlier this year,
officials at the Air Operations Center used the Fast-Track ATO process to
certify a system in just one week, according to Frank Konieczny, the Air
Force’s chief technology officer. Prior to developing the fast-track process,
the Air Force relied on the Risk Management Framework, a schema developed by
the National Institute for Standards and Technology to establish a baseline
cybersecurity posture. However, that largely led to check-the-box compliance
rather than real security, Konieczny said during a panel Tuesday at the RSA
Federal Summit.
FCW
The Continuous Diagnostics and Mitigation program will spend the next two years
focusing on standing up its new risk scoring algorithm, transitioning smaller
agencies onto a shared services platform and making program data more useful
and actionable for federal agencies and overseers. CDM Program Manager Kevin
Cox outlined the Department of Homeland Security's goals for the program over
the next two years at a March 27 technology conference hosted by the Advanced
Technology Academic Research Center. The program's new risk scoring algorithm,
AWARE, will have a "soft rollout" in October, keeping tabs on basic
agency metrics like vulnerability management, patching and configuration. Down
the line, Cox said, DHS wants AWARE to drill down to the individual system
level. However, another DHS cybersecurity program, the Government Cybersecurity
Architecture Review, which is designed to look at agency-specific
vulnerabilities through the eyes of a hostile attacker, recommended the program
focus on lower hanging fruit first. Cox said there's little point focusing on
higher level attack vectors when "the front door is wide open"
because agencies are still skimping on the fundamentals.
AP
March 26, 2019
Amid growing national concerns about election security, Tennessee's three largest
counties plan to begin using voting machines that produce a verifiable paper
trail in time for the presidential primaries in March 2020, whether the
Republican-led state requires it or not. Tennessee is one of only 14 states
without a statutory requirement of a paper record of all ballots — regarded by
most election security experts as crucial to ensuring accurate vote-counting.
But election officials in the three Tennessee counties switching to paper-trail
machines say they aren't worried about the paperless technology. Rather, they
just want to be sure voters trust the process. "Now, you've got an issue
of voter confidence and public perception, factors which cannot be ignored, at least
by election commissions," said Elections Administrator Clifford Rodgers in
Knox County, one of the Tennessee local governments looking to switch. He said
he's doing so "reluctantly" and predicted problems with printers and
scanners. The others are Shelby County, anchored by Memphis, and Davidson
County, encompassed by Nashville. Knox, Shelby and Davidson account for 1.3
million of Tennessee's 4.16 million registered voters.
KPIX 5
March 25, 2019
The Department of Homeland Security and the FBI are investigating after a hacker
attempted to access the election internet system for the Contra Costa County
Clerk and Recorder’s office. Clerk and Recorder Joseph Canciamilla said the
spearphishing attack happened March 18. A hacker sent an email to an election
staffer disguised as a contact the employee had emailed in the past.
Canciamilla said the email was “sophisticated” and appeared to be authentic. He
said he believed it was a targeted attack aimed at accessing the department’s email
system. But he said security protocols quickly intercepted the threat. “We have
to assume that it was designed specifically with the intent to do damage to our
specific system and it wasn’t just a random phishing expedition,” he said.
Nextgov
March 25, 2019
The Homeland Security Department is funding a new immersive cyber-training platform
equipped with simulation-based scenarios and exercises aimed at protecting the
nation’s energy sector. The department’s Science and Technology Directorate
announced it’s awarding $5.9 million to the Norwich University Applied Research
Institute to expand a training tool used by the financial services sector to
organizations in the energy sector. Distributed Environment for Critical
Infrastructure Decision-Making Exercises, or DECIDE, is an interactive platform
that allows players to practice cyber-threat response tactics in an immersive
online environment before real-life crises occur. “DHS S&T is committed to
investing in the security of our nation’s critical infrastructure, and that
includes ensuring that organizations are properly trained to recognize and
respond to potential cyber threats,” William Bryan, senior official performing
the duties of the undersecretary for science and technology, said in a
statement. “We are excited to soon make this proven platform available to even
more of our private sector partners.”
AP
March 24, 2019
Special counsel Robert Mueller did not find evidence that President Donald Trump’s
campaign “conspired or coordinated” with Russia to influence the 2016
presidential election but reached no conclusion on whether Trump obstructed
justice, Attorney General William Barr declared Sunday. That brought a hearty
claim of vindication from Trump but set the stage for new rounds of political
and legal fighting. Trump, pleasure tinged with resentment after two years of
investigations, declared “complete and total exoneration.” “It’s a shame that
our country has had to go through this. To be honest, it’s a shame that your
president has had to go through this,” he said. But Democrats demanded to see
the full Mueller report and insisted that even the summary by the president’s
attorney general hardly put him in the clear. Mueller’s conclusions, summarized
by Barr in a four-page letter to Congress, represented a victory for Trump on a
key question that has hung over his presidency from the start: Did his campaign
work with Russia to defeat Democrat Hillary Clinton? That was further good news
for the president on top of the Justice Department’s earlier announcement that
Mueller had wrapped his investigation without new indictments.
INDUSTRY
Ars Technica
March 29, 2019
Attack code was published on Friday that exploits a critical vulnerability in the Magento
e-commerce platform, all but guaranteeing it will be used to plant payment card
skimmers on sites that have yet to install a recently released patch.
PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit
with no authentication required. Hackers could exploit the flaw to take
administrative control of administrator accounts, assuming the hackers can
download user names and password hashes and crack the hashes. From there,
attackers could install the backdoors or skimming code of their choice. A
researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered
an official patch released Tuesday and successfully created a working
proof-of-concept exploit.
Bleeping Computer
March 29, 2019
The personal information of roughly 3.1 million Toyota customers may have been
leaked following a security breach of multiple Toyota and Lexus sales
subsidiaries, as detailed in a breach notification issued by the car maker
today. As detailed in a press release published on Toyota's global newsroom,
unauthorized access was detected on the computing systems of Tokyo Sales
Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota
Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West
Tokyo Corolla. "It turned out that up to 3.1 million items of customer
information may have been leaked outside the company. The information that may
have been leaked this time does not include information on credit cards,"
says the data breach notification.
Vice Motherboard
March 29, 2019
Hackers working for a surveillance company infected hundreds of people with several
malicious Android apps that were hosted on the official Google Play Store for
months, Motherboard has learned. In the past, both government hackers and those
working for criminal organizations have uploaded malicious apps to the Play
Store. This new case once again highlights the limits of Google’s filters that
are intended to prevent malware from slipping onto the Play Store. In this
case, more than 20 malicious apps went unnoticed by Google over the course of
roughly two years. Motherboard has also learned of a new kind of Android
malware on the Google Play store that was sold to the Italian government by a
company that sells surveillance cameras but was not known to produce malware
until now. Experts told Motherboard the operation may have ensnared innocent
victims as the spyware appears to have been faulty and poorly targeted. Legal
and law enforcement experts told Motherboard the spyware could be illegal.
E&E News
March 28, 2019
Last month, hackers tied computers into knots at a small Colorado water utility. It wasn't
the first time the Fort Collins-Loveland Water District and its wastewater
counterpart had been hit by "ransomware," a type of malware that
encrypts victims' computer files and demands online payment to unlock them.
While operations weren't harmed, the infection prompted the water district to
switch out its information technology service provider and call in the FBI. The
case, first reported by the Coloradoan, remains under active investigation.
FCLWD and the South Fort Collins Sanitation District treat and distribute water
to 45,000 customers in northern Colorado. Colorado water officials aren't alone
in their cybersecurity woes. The nation's nearly 70,000 water and wastewater
utilities are struggling to keep their heads above a rising tide of online
threats, based on interviews with security experts and water company operators.
Ars Technica
March 28, 2019
Office Depot and a partner company tricked customers into buying unneeded tech support
services by offering PC scans that gave fake results, according to the Federal
Trade Commission. Consumers paid up to $300 each for unnecessary services. The
FTC yesterday announced that Office Depot and its software supplier,
Support.com, have agreed to pay a total of $35 million in settlements with the
agency. Office Depot agreed to pay $25 million while Support.com will pay the
other $10 million. The FTC said it intends to use the money to provide refunds
to wronged consumers. Between 2009 and 2016, Office Depot and OfficeMax offered
computer scans inside their stores using a "PC Health Check" software
application created and licensed by Support.com. "Defendants bilked
unsuspecting consumers out of tens of millions of dollars from their use of the
PC Health Check program to sell costly diagnostic and repair services,"
the FTC alleged in a complaint that accuses both companies of violating the FTC
Act's prohibition against deceptive practices. As part of the settlements,
neither company admitted or denied the FTC's allegations. The FTC filed its
complaint against the companies in US District Court for the Southern District
of Florida, while at the same time unveiling the settlements with each company.
The Washington Post
March 27, 2019
In the latest of a string of security actions, Microsoft has seized 99 websites it
says were used by Iranian hackers to launch cyberattacks against government
agencies, businesses and users in Washington, according to a company blog post
and court records unsealed Wednesday. Microsoft obtained a federal judge’s
approval on March 15 to disable the websites that it detected and had been
tracking for six years, run by a threat group the company has dubbed
Phosphorus, and that other researchers call Ajax Security Team, APT 35 and
Charming Kitten, the company said. The sites were used in a years-long
“spear-phishing” campaign that targeted corporations and government agencies,
as well as activists and journalists, particularly those involved in advocating
and reporting on issues related to the Middle East, according to Microsoft. In
the attacks, hackers send out emails and social media posts with the aim of
infiltrating computer systems by tricking victims into visiting phony websites
with malicious software that appear authentic.
Gov Info Security
March 27, 2019
Norsk Hydro reports that a March 18 ransomware attack has already cost the aluminum
manufacturer more than 350 million Norwegian krone ($40 million), and the
company continues to bring its systems back online. Those costs mostly reflect
revenue losses, but they also include the cost of recovery and IT and security
services, says Norsk Hydro, the second-largest employer in Norway that has
operations around the world. A little over a week after the ransomware attack
was first reported, the majority of the company's manufacturing facilities and
systems have returned to normal, although the firm's Extruded Solutions division
is running at 70 percent to 80 percent of capacity, the company reported
Tuesday. That division produces extruded and rolled aluminum products for the
company. Most of the financial losses from the attack stem from the lack of
production within that unit, which has facilities in several countries. Norsk
Hydro's four other divisions are running normally, although some require
greater manual operations.
Insurance Journal
March 27, 2019
What the insurance industry has done for auto and building safety products, insurance
broker Marsh wants to extend to cybersecurity products. That is, recommend the
cybersecurity products that are the most effective. The program, named Cyber
Catalyst, calls on leading cyber insurers to evaluate cybersecurity products
they consider effective in reducing cyber risk, thereby giving organizations
some guidance in navigating the cybersecurity marketplace of more than 3,000
providers. “This is a proven model for the insurance industry,” said Thomas
Reagan, Cyber Practice Leader for Marsh, describing it as “applying knowledge
and experience about the economic consequences of risk” to support better
decision making and behaviors. “This is like seat belts or air bags or building
sprinklers.” According to Reagan, the program is a response to the two most
common questions clients ask brokers when it comes to cyber. “The first one is,
‘What cybersecurity products and services should I use, particularly the one
that may not be on my radar?'” he said. “And then the second question is, ‘If I
use them, what value will those products and services have for my insurer and
for my insurance program?'”
Ars Technica
March 26, 2019
People who find security vulnerabilities commonly run into difficulties when reporting
them to the responsible company. But it's less common for such situations to
turn into tense trade-show confrontations—and competing claims of assault and
blackmail. Yet that's what happened when executives at Atrient—a casino
technology firm headquartered in West Bloomfield, Michigan—stopped responding
to two UK-based security researchers who had reported some alleged security
flaws. The researchers thought they had reached an agreement regarding payment
for their work, but nothing final ever materialized. On February 5, 2019, one
of the researchers—Dylan Wheeler, a 23-year-old Australian living in the
UK—stopped by Atrient's booth at a London conference to confront the company’s
chief operating officer. What happened next is in dispute. Wheeler says that
Atrient COO Jessie Gill got in a confrontation with him and yanked off his
conference lanyard; Gill insists he did no such thing, and he accused Wheeler
of attempted extortion. The story is practically a case study in the problems
that can arise with vulnerability research and disclosure.
WIRED
March 26, 2019
In December, Mastercard announced that it was working to develop an international
digital identity scheme which could be used as a flexible verifier for
financial transactions, government interactions, or online services. The idea
of a secure, decentralized, universal ID has become a sort of holy grail in the
age of rapid digital interactions and rampant identity fraud. Mastercard's
initial announcement was met with some skepticism from privacy-minded
observers. Now, the company is releasing more details in a new 24-page report
on how its platform will be set up and what the tool will offer. But you still
can't try it yet. Mastercard envisions a platform in which consumers have
control of their identity information and it is stored locally on their
devices, rather than in a centralized system that Mastercard would need to
defend. The ID would be set up through a bank or other participating
institution that already holds identity information about the individual. And
people would manage their enrollment and interact with their universal ID
through that institution's secure mobile app.
SC Magazine
March 26, 2019
Multinational law firm DLA Piper was hit in the crossfire of a Russia-backed ransomware attack
which wiped out systems and cost the firm 15,000 hours of extra overtime for
its IT staff. The attack resulted in a dispute with its insurance firm Hiscox
with the law firm claiming its insurers failed to pay out for the damages and
costs associated with the attack which may amount to several million pounds,
according to The Times. Hiscox is reportedly refusing to pay for the
NotPetya attack because of the “act of war” exclusion clause commonly found in
insurance policies after the U.K. government officially stated that the Russian
military was “almost certainly” behind the NotPetya attack.
Ars Technica
March 26, 2019
Huawei MateBook systems that are running the company's PCManager software included a
driver that would let unprivileged users create processes with superuser
privileges. The insecure driver was discovered by Microsoft using some of the
new monitoring features added to Windows version 1809 that are monitored by the
company's Microsoft Defender Advanced Threat Protection (ATP) service. The
interesting part of the story is how Microsoft found the bad driver in the
first place. Microsoft Defender ATP does not rely solely on signature-based
endpoint antimalware to detect known threats; it also uses heuristics that look
for behavior that appears suspicious, even if no particular malware has been
identified. Windows itself notices certain actions taken by software and
reports them to the Defender ATP cloud service, and machine learning-based
algorithms look for anomalies in these reports.
Vice Motherboard
March 25, 2019
Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest
computer makers, was used to unwittingly install a malicious backdoor on
thousands of its customers’ computers last year after attackers compromised a
server for the company’s live software update tool. The malicious file was
signed with legitimate ASUS digital certificates to make it appear to be an
authentic software update from the company, Kaspersky Lab says. ASUS, a
multi-billion dollar computer hardware company based in Taiwan that
manufactures desktop computers, laptops, mobile phones, smart home systems, and
other electronics, was pushing the backdoor to customers for at least five
months last year before it was discovered, according to new research from the
Moscow-based security firm. The researchers estimate half a million Windows
machines received the malicious backdoor through the ASUS update server,
although the attackers appear to have been targeting only about 600 of those
systems. The malware searched for targeted systems through their unique MAC
addresses. Once on a system, if it found one of these targeted addresses, the
malware reached out to a command-and-control server the attackers operated,
which then installed additional malware on those machines.
CNBC
March 25, 2019
Two 20-something computer hackers exposed a security bug in the Tesla Model 3 that
allowed them to hack into the electric car's internal web browser. Instead of
getting in trouble, they walked away with their own Model 3, along with a total
of $375,000 in prize money. Richard Zhu and Amat Cama are the hacking duo known
as team Fluoroacetate, and the pair of computer security researchers recently
dominated Pwn2Own, an annual competition that attracts some of the world's top
hackers. Zhu and Cama identified a JIT (or "just-in-time") bug in the
Model 3's web browser that allowed them to hack into the car's system and write
a message on the car's dashboard display screen, the Zero Day Initiative said
in a blog post. For their effort, the pair was allowed to keep the car and they
also won $35,000 just for that one hack. (The Model 3 has a starting price of
$35,000.)
60 Minutes
March 24, 2019
Tonight we'll take you inside the growing, shadowy global market of cyber espionage. We
looked specifically at a controversial Israeli company called the NSO Group,
valued at nearly a billion dollars, that says it developed a hacking tool that
can break into just about any smartphone on Earth. NSO licenses this software,
called Pegasus, to intelligence and law enforcement agencies worldwide, so they
can infiltrate the encrypted phones and apps of criminals and terrorists.
Problem is this same tool can also be deployed by a government to crush
dissent. And so it is that Pegasus has been linked to human rights abuses,
unethical surveillance, and even to the notoriously brutal murder of the Saudi
Arabian critic Jamal Khashoggi. Headquartered in the Israeli city of Herzliya,
NSO Group operates in strict secrecy. But co-founder and CEO, Shalev Hulio, has
been forced out of the shadows and not into a good light, accused of selling
Pegasus to Saudi Arabia despite its abysmal record on human rights.
INTERNATIONAL
Vice
March 29, 2019
Michail Fiodorov thought he had everything under control. Months before Ukrainians were
set to go to the polls to elect their next president, the 28-year-old campaign
manager had his staff trained, robust security practices in place, and servers
he’d sourced in the U.S. to prevent hackers from taking them down. But all that
preparation was erased within minutes of launching the website for his boss,
comedian turned surprise front-runner Volodymyr Zelensky. Before Zelensky could
even tweet a link to the site, a cyberattack overwhelmed the website's servers
with 5 million simultaneous requests, knocking all operations offline. Nearly
three months later, and with Sunday’s election looming, Zelensky leads in
almost all the polls, despite what Fiodorov says has been a near-constant
bombardment of cyberattacks and disinformation.
The New York Times
March 28, 2019
A British review of Huawei found “significant” security problems with the Chinese
company’s telecommunications equipment, a conclusion that supports a United
States effort to ban it from next-generation wireless networks. The British
report, released on Thursday, said there were “underlying defects” in Huawei’s
software engineering and security processes that governments or independent
hackers could exploit, posing risks to national security. While the report did
not call for an outright ban of Huawei equipment, it was endorsed by the
country’s top cybersecurity agency. The conclusions buttress the Trump
administration’s push to convince its allies that Huawei, the world’s largest
maker of telecommunications equipment, creates grave risks to national
security. The White House has accused Huawei of being an arm of the Chinese
government that can be used for spying or to sabotage communications networks,
a charge that Huawei has vehemently denied.
Bloomberg
March 28, 2019
The country that shares a bigger border with Russia than the rest of the European Union
combined is ramping up its defenses against the threat of foreign meddling in
its April 14 election. Finland has always had a love-hate relationship with its
much bigger neighbor. A history of tension and bloody confrontations has given
way to a strong trading partnership, and the country’s diplomatic role as a
bridge between Russia and the West is one reason why its capital was picked for
last year’s summit between Donald Trump and Vladimir Putin. But with evidence
of Russian interference in Western politics mounting, the euro area’s
northernmost member state remains on high alert. Social media influence
campaigns or direct cyber attacks are already thought to have impacted key
votes such as the U.S. election in 2016 and the U.K.’s Brexit referendum. “One
shouldn’t be gullible,” Antti Hakkanen, justice minister in Finland’s caretaker
government, said in an interview in Helsinki. “We’ll need to be prepared to
ward off election interference if it becomes necessary. The risk is real.”
Reuters
March 27, 2019
EU nations will be required to share data on 5G cybersecurity risks and produce measures
to tackle them by the end of the year, the European Commission said on Tuesday,
shunning U.S. calls to ban China's Huawei Technologies across the bloc. The aim
is to use tools available under existing security rules plus cross-border
cooperation, the bloc's executive body said, leaving it to individual EU
countries to decide whether they want to ban any company on national security
grounds. Austria, Belgium, Czech Republic, France, Germany, Greece, Hungary,
Ireland, the Netherlands, Lithuania and Portugal are all preparing to auction
5G licenses this year while six other countries will do so next year.
CyberScoop
March 26, 2019
A notorious hacking group experts have tied to the North Korean
government has targeted an Israeli defense company, according to new research
outlining what appears to be one of the group’s first attacks on an Israeli
entity. The unnamed company makes products used in the military and aerospace
industries, and the hackers could have been after commercial secrets or more
traditional espionage, according to ClearSky, the cybersecurity firm that
exposed the operation. The suspected culprit is Lazarus Group, an industry term
for a broad set of hackers associated with Pyongyang. “We cannot be sure what
the objective of the attackers [was],” Eyal Sela, head of threat
intelligence at ClearSky, told CyberScoop in an email. “[It] could be
industrial/commercial espionage but could be military espionage, for example.”
Reuters
March 26, 2019
A computer virus infected the Spanish Defence Ministry's intranet this month with the aim
of stealing high tech military secrets, El País newspaper said on Tuesday,
citing sources leading the investigation as suspecting a foreign power behind
the cyberattack. A Defence Ministry spokesman said the ministry would not
comment. El País said the virus was apparently introduced via email and was
first spotted at the beginning of March. However, it could have gone undetected
for months in an intranet with more than 50,000 users. Although the network
does not carry classified information, the paper said its sources were
concerned about a wider infection to other networks with the purpose of
accessing information related to secret military technology.
Second flaw found in Swiss election system could change 'valid votes into nonsense,' researchers say
CyberScoop
March 25, 2019
Researchers have uncovered a second security flaw in the electronic voting system employed
by the Swiss government. The vulnerability involves a problem with the
implementation of a cryptographic protocol used to generate decryption proofs,
a weakness that could be leveraged “to change valid votes into nonsense that
could not be counted,” researchers Sarah Jamie Lewis, Olivier Pereira and
Vanessa Teague wrote in a paper published Monday. This disclosure comes weeks
after the same team of researchers announced they had uncovered a flaw in the
e-voting system that could allow hackers to replace legitimate votes with
fraudulent ones. Swiss Post, the country’s national postal service, which
developed the system along with Spanish technology maker Scytl, said earlier
this month that the first vulnerability had been resolved.
TECHNOLOGY
CyberScoop
March 28, 2019
A new strain of malicious software affecting Android devices is capable of phishing
credentials and automating bank transactions for more than 100 banks and 32
virtual currency apps, according to new research from security firm Group-IB.
The malware, dubbed Gustuff, is aimed at top international banks including Bank
of America, Wells Fargo, Chase, Capital One, and others, researchers found. It
also is designed to steal from cryptocurrency apps like Bitcoin Wallet and
Coinbase, and can phish usernames and passwords from PayPal, Western Union,
Walmart, eBay and WhatsApp, according to researchers at Group-IB.
WIRED
March 27, 2019
Widespread adoption of the web encryption scheme HTTPS has added a lot of green
padlocks—and corresponding data protection—to the web. All of the popular sites
you visit every day likely offer this defense, called Transport Layer Security,
or TLS, which encrypts data between your browser and the web servers it
communicates with to protect your travel plans, passwords, and embarrassing
Google searches from prying eyes. But new findings from researchers at Ca'
Foscari University of Venice in Italy and TU Wien in Austria indicate that a
surprising number of encrypted sites still leave these connections exposed. In analysis
of the web's top 10,000 HTTPS sites—as ranked by Amazon-owned analytics company
Alexa—the researchers found that 5.5 percent had potentially exploitable TLS
vulnerabilities. These flaws were caused by a combination of issues in how
sites implemented TLS encryption schemes and failures to patch known bugs (of
which there are many) in TLS and its predecessor, Secure Sockets Layer. But the
worst thing about these flaws is they are subtle enough that the green padlock
will still appear.
Ars Technica
March 27, 2019
A critical vulnerability in the WinRAR file-compression utility is under active attack by
a wide range of bad actors who are exploiting the code-execution flaw to
install password stealers and other types of malicious software. In one
campaign, according to a report published by researchers from security firm
FireEye, attackers are spreading files that purport to contain stolen data. One
file, titled leaks copy.rar, contains email addresses and passwords that were
supposedly compromised in a breach. Attackers claim another file, cc.rar,
contains stolen credit card data. Other files have names including zabugor.rar,
ZabugorV.rar, Combolist.rar, Nulled2019.rar, and IT.rar. Hidden inside the
files are payloads from a variety of different malware families.
ZDNet
March 23, 2019
A group of academics from South Korea have identified 36 new vulnerabilities in the
Long-Term Evolution (LTE) standard used by thousands of mobile networks and
hundreds of millions of users across the world. The vulnerabilities allow
attackers to disrupt mobile base stations, block incoming calls to a device,
disconnect users from a mobile network, send spoofed SMS messages, and
eavesdrop and manipulate user data traffic. They were discovered by a
four-person research team from the Korea Advanced Institute of Science and
Technology Constitution (KAIST), and documented in a research paper they intend
to present at the IEEE Symposium on Security and Privacy in late May 2019.