Pages

Wednesday, April 03, 2019

A rogue’s gallery of bad actors is exploiting that critical WinRAR flaw


The most violent group of people who ever lived: Horse-riding Yamnaya tribe who used their huge height and muscular build to brutally murder and invade their way across Europe than 4,000 years ago Daily Mail (original).



A 21-year-old New Jersey woman attending college in South Carolina was kidnapped and killed there after mistakenly getting into a stranger’s car that she thought was the Uber ride she had summoned, police announced Saturday evening.
The Columbia, South Carolina police chief provided that and other details in announcing an arrest in the murder of Samantha Josephson of Robbinsville, who went missing early Friday and was found dead later that day. Her father had reported her death on social media early Saturday.
Chief W.H. Holbrook said during a news conference that Stephenson, a student at the University of South Carolina in Columbia, had summoned a car from the ride-sharing app and was waiting for it outside a downtown location in Columbia where she had been out with friends sometime before 2 a.m. on Friday.

David Newbury went through his fathers papers in the atic: look what he found!

Internet Map 1973
Map of the Internet Circe 1973 AD via Jason 


The Hill

March 28, 2019

A bipartisan group of lawmakers introduced legislation Thursday to create an advisory committee of cyber professionals to help the Department of Homeland Security (DHS) take on cyber issues. The bill, introduced by Reps. John Katko (R-N.Y.), Dan Lipinski (D-Ill.), Dan Newhouse (R-Wash.) and Brian Fitzpatrick (R-Penn.), would create an advisory committee within DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to offer recommendations on new cybersecurity policies and programs. The committee would consist of 35 cybersecurity professionals from state and local governments, as well as industries like healthcare, energy, transportation and manufacturing. A maximum of three members from each industry would be allowed on the committee, and members would serve terms of two years. Katko, the ranking member of the Cybersecurity, Infrastructure Protection and Innovation subcommittee on the House Homeland Security Committee, said the bill “takes steps towards equipping the agencies within the Department of Homeland Security with the necessary tools to respond to evolving cyber threats.”



CNN

March 27, 2019

bipartisan bill set to be introduced on Wednesday aims to close what is regarded as a major gap in congressional cybersecurity and extend the government's protections to senators and their staffers' personal phones and computers. The fact that Senate employees, especially those with high security clearance, enjoy federal security on their work devices but not the ones they purchase themselves has long been regarded as a glaring oversight by cybersecurity experts. It is ludicrous to expect individual senators and their staff to defend themselves from spies and hackers," Bruce Schneier, a security lecturer at Harvard, said in a statement on the bill. "Hostile foreign intelligence services do not respect the arbitrary line between work and personal technology."



Nextgov


The federal government wants to hold defense contractors accountable for the cybersecurity of their supply chains but that’s no easy feat, experts said Tuesday. Industry representatives told lawmakers on the Senate Armed Services Committee about attempting to tackle cyber threats as a federal contractor. Much of the hearing was focused on one specific issue: increasingly complex levels of supply chains make it difficult for prime contractor to ensure all subcontractors are upholding cybersecurity protections. And that ever-lengthening chain increases the possibility of compromised information or cyberattacks. “I don’t know why we don’t hold the larger contractors who are responsible for the contract to make sure the subcontractors they are hiring have protections,” Sen. Joe Manchin, D-W.V., said. “Somebody has to be held accountable.” The panelists explained a large part of the problem is that the government frequently does not have access to the contracts between primes and their subcontractors, or a prime contractor may know its immediate supplier is but not know the subcontractors that supplier uses—a loop that can repeat for each subcontractor.



CyberScoop

March 27, 2019

While the security of the 2020 election remains a prominent topic in Washington, a group of Democratic senators is raising alarms about longer-term issues that will resonate after voters are done choosing a president about 20 months from now. The three companies that make most of the voting technology used in the U.S. must be more transparent about their plans to improve their products to meet current expectations about security and performance, says a letter Wednesday by Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular, the senators say every machine should reliably produce paper records, and the companies should do far more to upgrade their products. “The integrity of our elections is directly tied to the machines we vote on — the products that you make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.” The senators ask the top executives of Hart InterCivic, Election Systems & Software and Dominion Voting Systems 16 detailed questions about their commitment to innovation, their ability to produce machines that allow voters to easily check their selections and their adherence to guidelines established by the federal Elections Assistance Commission for certification and testing of machines.



FCW

March 26, 2019

Cybersecurity is a key component of the Defense Department's $750 billion budget request for fiscal year 2020, acting Defense Secretary Patrick Shanahan told legislators on March 26. Less than $10 billion of that request is explicitly allocated for DOD cybersecurity efforts. But Shanahan testified before the House Armed Services Committee that "modernization is the most important thing we can do to maintain deterrence, create military capability, but that's also what enables us economically, so they really all tie all together." He also emphasized the state and local ripple effects that DOD investments create through industry relationships. Shanahan added that the military must be "an enabler to unlock diplomatic and new relationships" rather than be a solution unto itself. While spending on cyber and emerging technologies represents only a sliver of the overall budget request, he called the investment in such critical areas "fundamental."



Nextgov

March 26, 2019

Giving federal regulators more power to monitor and punish credit bureaus could help prevent massive data breaches like Equifax, according to a congressional watchdog. In 2017, hackers spent months secretly harvesting data held by Equifax, one of the country’s three major consumer reporting agencies. By the time the intrusion was discovered, they’d made off with personal and financial information on nearly half of all Americans. In a report published Tuesday, the Government Accountability Office said further empowering regulators at the Federal Trade Commission and Consumer Financial Protection Bureau could help prevent similar incidents from occurring in the future. “While companies in many industries have experienced data breaches, [consumer reporting agencies] may present heightened risks because of the scope of sensitive information they possess and because consumers have very limited control over what information [consumer reporting agencies] hold and how they protect it,” auditors wrote. “These challenges underscore the importance of appropriate federal oversight of [consumer reporting agencies] data security.” Under federal law, FTC can already penalize companies for violating consumer data security standards, but GAO found its current authorities are ill-equipped to handle breaches on the scale and scope of Equifax.



ADMINISTRATION



The Wall Street Journal

March 29, 2019

The FBI has launched its biggest transformation since the 2001 terror attacks to retrain and refocus thousands of special agents to combat cyber criminals, whose threats to lives, property and critical infrastructure has outstripped U.S. efforts to thwart them. The push comes as federal investigators grapple with an expanding range of cyber attacks sponsored by foreign adversaries against businesses or national interests, including Russian election interference and Chinese cyber thefts from American companies, senior bureau officials said.



Federal News Network

March 29, 2019

Contractors not up to date on cybersecurity standards will only get a pass from the Defense Department for a little longer, leadership says. DoD will begin auditing companies’ cybersecurity procedures that want to win contracts and it plans to start within the next 18 months, according to Ellen Lord, DoD undersecretary for acquisition and sustainment. There will also be new cybersecurity standards for which companies will have to abide by if they want to work with the military. “We have set out an objective of coming up with new cybersecurity standards this year,” Lord said at an Atlantic Council event on March 25 in Washington. “We’ll have metrics by which to measure them. We’ll have third parties that can actually audit against them such as International Organization for Standardization standards we have for quality. We need to them understand: How do we put cybersecurity into the new networks we are building? How do we make sure that there aren’t back doors there? How do we make sure that data at rest stays secure?” The new cybersecurity standards will build off of the already existing National Institute of Standards and Technology Special Publication 800-171 standards required by the Pentagon.



The New York Times


In a case that exposed the government’s embarrassing failure to secure its secrets, a 54-year-old former National Security Agency contractor pleaded guilty on Thursday to taking classified documents home in a deal likely to put him in prison for nine years. Harold T. Martin III, who worked in the N.S.A.’s Tailored Access Operations hacking unit, admitted his guilt more than two years after his arrest in what may be the biggest breach of classified information in history. F.B.I. agents who swarmed his modest home south of Baltimore in 2016 found stacks of documents and electronic storage devices stashed in his car, his home and even a garden shed. But investigators never found proof that Mr. Martin, who was working on a doctorate in information systems at the time of his arrest, had shared the stolen secrets with anyone else, though there is evidence he may have considered doing so. Wearing a gray jail jersey with white stripes and a neatly trimmed beard, Mr. Martin stood and answered the judge’s questions in a clear, calm voice. “It’s time we closed this Pandora’s box,” the defendant said at one point, his most extensive statement in court.



FCW

March 28, 2019

Officials say a pair of newly created entities established by the federal government to reduce cybersecurity risks to the technology supply chain are designed to be complementary, but the partial government shutdown complicated and delayed efforts to sync up the dual efforts. Last year, the Department of Homeland Security stood up a supply chain task force composed of representatives from federal agencies, private-sector technology companies and industry groups. Nine months later, Congress passed the Secure Technology Act, a law that creates a new Federal Acquisition Supply Chain Security Council to build greater cybersecurity resilience into federal procurement and acquisition rules. While both bodies are focused on shoring up vulnerabilities in the technology supply chain, representatives from DHS and the Office of the Director of National Intelligence said at a March 27 event hosted by the Atlantic Council that work streams for both efforts will feed into and complement, not duplicate, one another.



Fifth Domain

March 28, 2019

A new Army unit will help the service operate against enemies such as Russia and China on a daily basis but will do so below the level of conflict. In addition, the new group could help set the stage for more traditional kinetic battles. The Intelligence, Information, Cyber, Electronic Warfare and Space detachment (I2CEWS) — a battalion sized unit described as the “brain” of the Army’s multidomain task force — will integrate all the capabilities within its namesake under a single formation. “They must be present in the competition phase. That’s when they can do their best work … and set the stage if we do go from competition to crisis you are prepared,” said Gen. Robert Brown, commander of Army Pacific, where the multidomain task force is focused. “Quite honestly, we were not present in the competition phase and certainly, China and Russia are. It’s good to be able to be there to make sure we can compete and prepare for what happens.” Previously, officials described the I2CEWS as teams that would focus on a specific geographic region, either in the Pacific or Europe, and would take on different forms based on their area of emphasis. Brown, speaking March 27 at the AUSA Global Force Symposium in Huntsville, Alabama, noted that there is now a constant state of “continuous geopolitical hyper competition.”



Gov Info Security

March 28, 2019

The computer systems the U.S. Department of the Treasury uses to track the nation's debt have serious security flaws that could allow unauthorized access to a wealth of federal data, according to a pair of audits released this week by the Government Accountability Office. The audits are part of an annual review of the federal deficit that the GAO undertakes. As of Sept. 30, 2018, U.S. debt stood at about $21.5 trillion. To keep track of all that money, including what the federal government owes to its creditors, the Treasury Department relies on IT systems at various agencies, including the Bureau of the Fiscal Service and the Federal Reserve Banks. Within those two agencies, GAO inspectors found a combination of new and old security flaws that could provide unauthorized access to these various systems. The flaws included issues with configuration management and faulty access controls, which could cause disruptions and impede the Treasury's Department's ability to oversee and manage the national debt. While the specific issues of these security flaws remain confidential, the GAO recommends that the Bureau of the Fiscal Service and the Federal Reserve Banks immediately begin addressing them.



Nextgov


The Air Force is taking one of the longest, most difficult, critical aspects of cybersecurity and IT deployment in the public sector and fast-tracking the process. Last week, Air Force Undersecretary Matthew Donovan signed a memo authorizing officials to grant IT systems an authority to operate—the designation certifying the application is reasonably secure from cyberattacks—on an expedited timetable. Obtaining an ATO is often an arduous process that can take months, especially for military systems that are constant targets for bad actors worldwide. During pilot tests earlier this year, officials at the Air Operations Center used the Fast-Track ATO process to certify a system in just one week, according to Frank Konieczny, the Air Force’s chief technology officer. Prior to developing the fast-track process, the Air Force relied on the Risk Management Framework, a schema developed by the National Institute for Standards and Technology to establish a baseline cybersecurity posture. However, that largely led to check-the-box compliance rather than real security, Konieczny said during a panel Tuesday at the RSA Federal Summit.



FCW


The Continuous Diagnostics and Mitigation program will spend the next two years focusing on standing up its new risk scoring algorithm, transitioning smaller agencies onto a shared services platform and making program data more useful and actionable for federal agencies and overseers. CDM Program Manager Kevin Cox outlined the Department of Homeland Security's goals for the program over the next two years at a March 27 technology conference hosted by the Advanced Technology Academic Research Center. The program's new risk scoring algorithm, AWARE, will have a "soft rollout" in October, keeping tabs on basic agency metrics like vulnerability management, patching and configuration. Down the line, Cox said, DHS wants AWARE to drill down to the individual system level. However, another DHS cybersecurity program, the Government Cybersecurity Architecture Review, which is designed to look at agency-specific vulnerabilities through the eyes of a hostile attacker, recommended the program focus on lower hanging fruit first. Cox said there's little point focusing on higher level attack vectors when "the front door is wide open" because agencies are still skimping on the fundamentals.



AP

March 26, 2019

Amid growing national concerns about election security, Tennessee's three largest counties plan to begin using voting machines that produce a verifiable paper trail in time for the presidential primaries in March 2020, whether the Republican-led state requires it or not. Tennessee is one of only 14 states without a statutory requirement of a paper record of all ballots — regarded by most election security experts as crucial to ensuring accurate vote-counting. But election officials in the three Tennessee counties switching to paper-trail machines say they aren't worried about the paperless technology. Rather, they just want to be sure voters trust the process. "Now, you've got an issue of voter confidence and public perception, factors which cannot be ignored, at least by election commissions," said Elections Administrator Clifford Rodgers in Knox County, one of the Tennessee local governments looking to switch. He said he's doing so "reluctantly" and predicted problems with printers and scanners. The others are Shelby County, anchored by Memphis, and Davidson County, encompassed by Nashville. Knox, Shelby and Davidson account for 1.3 million of Tennessee's 4.16 million registered voters.



KPIX 5

March 25, 2019

The Department of Homeland Security and the FBI are investigating after a hacker attempted to access the election internet system for the Contra Costa County Clerk and Recorder’s office. Clerk and Recorder Joseph Canciamilla said the spearphishing attack happened March 18. A hacker sent an email to an election staffer disguised as a contact the employee had emailed in the past. Canciamilla said the email was “sophisticated” and appeared to be authentic. He said he believed it was a targeted attack aimed at accessing the department’s email system. But he said security protocols quickly intercepted the threat. “We have to assume that it was designed specifically with the intent to do damage to our specific system and it wasn’t just a random phishing expedition,” he said.



Nextgov

March 25, 2019

The Homeland Security Department is funding a new immersive cyber-training platform equipped with simulation-based scenarios and exercises aimed at protecting the nation’s energy sector. The department’s Science and Technology Directorate announced it’s awarding $5.9 million to the Norwich University Applied Research Institute to expand a training tool used by the financial services sector to organizations in the energy sector. Distributed Environment for Critical Infrastructure Decision-Making Exercises, or DECIDE, is an interactive platform that allows players to practice cyber-threat response tactics in an immersive online environment before real-life crises occur. “DHS S&T is committed to investing in the security of our nation’s critical infrastructure, and that includes ensuring that organizations are properly trained to recognize and respond to potential cyber threats,” William Bryan, senior official performing the duties of the undersecretary for science and technology, said in a statement. “We are excited to soon make this proven platform available to even more of our private sector partners.”



AP

March 24, 2019

Special counsel Robert Mueller did not find evidence that President Donald Trump’s campaign “conspired or coordinated” with Russia to influence the 2016 presidential election but reached no conclusion on whether Trump obstructed justice, Attorney General William Barr declared Sunday. That brought a hearty claim of vindication from Trump but set the stage for new rounds of political and legal fighting. Trump, pleasure tinged with resentment after two years of investigations , declared “complete and total exoneration. “It’s a shame that our country has had to go through this. To be honest, it’s a shame that your president has had to go through this,” he said. But Democrats demanded to see the full Mueller report and insisted that even the summary by the president’s attorney general hardly put him in the clear. Mueller’s conclusions, summarized by Barr in a four-page letter to Congress, represented a victory for Trump on a key question that has hung over his presidency from the start: Did his campaign work with Russia to defeat Democrat Hillary Clinton? That was further good news for the president on top of the Justice Department’s earlier announcement that Mueller had wrapped his investigation without new indictments.



INDUSTRY



Ars Technica

March 29, 2019

Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform, all but guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch. PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof-of-concept exploit.



Bleeping Computer

March 29, 2019

The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today. As detailed in a press release published on Toyota'a global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. "It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards," says the data breach notification.



Vice Motherboard

March 29, 2019

Hackers working for a surveillance company infected hundreds of people with several malicious Android apps that were hosted on the official Google Play Store for months, Motherboard has learned. In the past, both government hackers and those working for criminal organizations have uploaded malicious apps to the Play Store. This new case once again highlights the limits of Google’s filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years. Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal.



E&E News

March 28, 2019

Last month, hackers tied computers into knots at a small Colorado water utility. It wasn't the first time the Fort Collins-Loveland Water District and its wastewater counterpart had been hit by "ransomware," a type of malware that encrypts victims' computer files and demands online payment to unlock them. While operations weren't harmed, the infection prompted the water district to switch out its information technology service provider and call in the FBI. The case, first reported by the Coloradoan, remains under active investigation. FCLWD and the South Fort Collins Sanitation District treat and distribute water to 45,000 customers in northern Colorado. Colorado water officials aren't alone in their cybersecurity woes. The nation's nearly 70,000 water and wastewater utilities are struggling to keep their heads above a rising tide of online threats, based on interviews with security experts and water company operators.



Ars Technica

March 28, 2019

Office Depot and a partner company tricked customers into buying unneeded tech support services by offering PC scans that gave fake results, according to the Federal Trade Commission. Consumers paid up to $300 each for unnecessary services. The FTC yesterday announced that Office Depot and its software supplier, Support.com, have agreed to pay a total of $35 million in settlements with the agency. Office Depot agreed to pay $25 million while Support.com will pay the other $10 million. The FTC said it intends to use the money to provide refunds to wronged consumers. Between 2009 and 2016, Office Depot and OfficeMax offered computer scans inside their stores using a "PC Health Check" software application created and licensed by Support.com. "Defendants bilked unsuspecting consumers out of tens of millions of dollars from their use of the PC Health Check program to sell costly diagnostic and repair services," the FTC alleged in a complaint that accuses both companies of violating the FTC Act's prohibition against deceptive practices. As part of the settlements, neither company admitted or denied the FTC's allegations. The FTC filed its complaint against the companies in US District Court for the Southern District of Florida, while at the same time unveiling the settlements with each company.



The Washington Post

March 27, 2019

In the latest of a string of security actions, Microsoft has seized 99 websites it says were used by Iranian hackers to launch cyberattacks against government agencies, businesses and users in Washington, according to a company blog post and court records unsealed Wednesday. Microsoft obtained a federal judge’s approval on March 15 to disable the websites that it detected and had been tracking for six years, run by a threat group the company has dubbed Phosphorus, and that other researchers call Ajax Security Team, APT 35 and Charming Kitten, the company said. The sites were used in a years-long “spear-phishing” campaign that targeted corporations and government agencies, as well as activists and journalists, particularly those involved in advocating and reporting on issues related to the Middle East, according to Microsoft. In the attacks, hackers send out emails and social media posts with the aim of infiltrating computer systems by tricking victims into visiting phony websites with malicious software that appear authentic.



Gov Info Security

March 27, 2019

Norsk Hydro reports that a March 18 ransomware attack has already cost the aluminum manufacturer more than 350 million Norwegian krone ($40 million), and the company continues to bring its systems back online. Those costs mostly reflect revenue losses, but they also include the cost of recovery and IT and security services, says Norsk Hydro, the second-largest employer in Norway that has operations around the world. A little over a week after the ransomware attack was first reported, the majority of the company's manufacturing facilities and systems have returned to normal, although the firm's Extruded Solutions division is running at 70 percent to 80 percent of capacity, the company reported Tuesday. That division produces extruded and rolled aluminum products for the company. Most of the financial losses from the attack stem from the lack of production within that unit, which has facilities in several countries. Norsk Hydro's four other divisions are running normally, although some require greater manual operations.



Insurance Journal

March 27, 2019

What the insurance industry has done for auto and building safety products, insurance broker Marsh wants to extend to cybersecurity products. That is, recommend the cybersecurity products that are the most effective. The program, named Cyber Catalyst, calls on leading cyber insurers to evaluate cybersecurity products they consider effective in reducing cyber risk, thereby giving organizations some guidance in navigating the cybersecurity marketplace of more than 3,000 providers. “This is a proven model for the insurance industry,” said Thomas Reagan, Cyber Practice Leader for Marsh, describing it as “applying knowledge and experience about the economic consequences of risk” to support better decision making and behaviors. “This is like seat belts or air bags or building sprinklers.” According to Reagan, the program is a response to the two most common questions clients ask brokers when it comes to cyber. “The first one is, ‘What cybersecurity products and services should I use, particularly the one that may not be on my radar?'” he said “And then the second question is, ‘If I use them, what value will those products and services have for my insurer and for my insurance program?'”



Ars Technica

March 26, 2019

People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations—and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient—a casino technology firm headquartered in West Bloomfield, Michigan—stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers—Dylan Wheeler, a 23-year-old Australian living in the UK—stopped by Atrient's booth at a London conference to confront the company’s chief operating officer. What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion. The story is practically a case study in the problems that can arise with vulnerability research and disclosure.



WIRED

March 26, 2019

In December, Mastercard announced that it was working to develop an international digital identity scheme which could be used as a flexible verifier for financial transactions, government interactions, or online services. The idea of a secure, decentralized, universal ID has become a sort of holy grail in the age of rapid digital interactions and rampant identity fraud. Mastercard's initial announcement was met with some skepticism from privacy-minded observers. Now, the company is releasing more details in a new 24-page report on how its platform will be set up and what the tool will offer. But you still can't try it yet. Mastercard envisions a platform in which consumers have control of their identity information and it is stored locally on their devices, rather than in a centralized system that Mastercard would need to defend. The ID would be set up through a bank or other participating institution that already holds identity information about the individual. And people would manage their enrollment and interact with their universal ID through that institution's secure mobile app.



SC Magazine

March 26, 2019

Multinational law firm DLA Piper was hit in the crossfire of a Russia-back ransomware attack which wiped out systems and costs the firm 15,000 hours of extra overtime for its IT staff. The attack resulted in a dispute with its insurance firm Hiscox with the law firm claiming its insurers failed to pay out for the damages and costs associated with the attack which may amount to several million pounds, according to The Times. Hiscox is reportedly refusing to pay for the The NotPetya attack because of the “act of war” exclusion clause commonly found in insurance policies after the U.K. government officially stated that the Russian military was “almost certainly” behind the NotPetya attack.



Ars Technica

March 26, 2019

Huawei MateBook systems that are running the company's PCManager software included a driver that would let unprivileged users create processes with superuser privileges. The insecure driver was discovered by Microsoft using some of the new monitoring features added to Windows version 1809 that are monitored by the company's Microsoft Defender Advanced Threat Protection (ATP) service. The interesting part of the story is how Microsoft found the bad driver in the first place. Microsoft Defender ATP does not rely solely on signature-based endpoint antimalware to detect known threats; it also uses heuristics that look for behavior that appears suspicious, even if no particular malware has been identified. Windows itself notices certain actions taken by software and reports them to the Defender ATP cloud service, and machine learning-based algorithms look for anomalies in these reports.



Vice Motherboard

March 25, 2019

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm. The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.



CNBC

March 25, 2019

Two 20-something computer hackers exposed a security bug in the Tesla Model 3 that allowed them to hack into the electric car's internal web browser. Instead of getting in trouble, they walked away with their own Model 3, along with a total of $375,000 in prize money. Richard Zhu and Amat Cama are the hacking duo known as team Flouroacetate, and the pair of computer security researchers recently dominated Pwn2Own, an annual competition that attracts some of the world's top hackers. Zhu and Cama identified a JIT (or "just-in-time") bug in the Model 3's web browser that allowed them to hack into the car's system and write a message on the car's dashboard display screen, the Zero Day Initiative said in a blog post. For their effort, the pair was allowed to keep the car and they also won $35,000 just for that one hack. (The Model has a starting price of $35,000.)



60 Minutes

March 24, 2019

Tonight we'll take you inside the growing, shadowy global market of cyber espionage. We looked specifically at a controversial Israeli company called the NSO Group, valued at nearly a billion dollars, that says it developed a hacking tool that can break into just about any smartphone on Earth. NSO licenses this software, called Pegasus, to intelligence and law enforcement agencies worldwide, so they can infiltrate the encrypted phones and apps of criminals and terrorists. Problem is this same tool can also be deployed by a government to crush dissent. And so it is that Pegasus has been linked to human rights abuses, unethical surveillance, and even to the notoriously brutal murder of the Saudi Arabian critic Jamal Khashoggi. Headquartered in the Israeli city of Herzliya, NSO Group operates in strict secrecy. But co-founder and CEO, Shalev Hulio, has been forced out of the shadows and not into a good light, accused of selling Pegasus to Saudi Arabia despite its abysmal record on human rights.



INTERNATIONAL



Vice

March 29, 2019

Michail Fiodorov thought he had everything under control. Months before Ukranians were set to go to the polls to elect their next president, the 28-year-old campaign manager had his staff trained, robust security practices in place, and servers he’d sourced in the U.S. to prevent hackers from taking them down. But all that preparation was erased within minutes of launching the website for his boss, comedian turned surprise front-runner Volodymyr Zelensky. Before Zelensky could even tweet a link to the site, a cyberattack overwhelmed the website's servers with 5 million simultaneous requests, knocking all operations offline. Nearly three months later, and with Sunday’s election looming, Zelensky leads in almost all the polls, despite what Fiodorov says has been a near-constant bombardment of cyberattacks and disinformation.



The New York Times

March 28, 2019

A British review of Huawei found “significant” security problems with the Chinese company’s telecommunications equipment, a conclusion that supports a United States effort to ban it from next-generation wireless networks. The British report, released on Thursday, said there were “underlying defects” in Huawei’s software engineering and security processes that governments or independent hackers could exploit, posing risks to national security. While the report did not call for an outright ban of Huawei equipment, it was endorsed by the country’s top cybersecurity agency. The conclusions buttress the Trump administration’s push to convince its allies that Huawei, the world’s largest maker of telecommunications equipment, creates grave risks to national security. The White House has accused Huawei of being an arm of the Chinese government that can be used for spying or to sabotage communications networks, a charge that Huawei has vehemently denied.



Bloomberg

March 28, 2019

The country that shares a bigger border with Russia than the rest of the European Union combined is ramping up its defenses against the threat of foreign meddling in its April 14 election. Finland has always had a love-hate relationship with its much bigger neighbor. A history of tension and bloody confrontations has given way to a strong trading partnership, and the country’s diplomatic role as a bridge between Russia and the West is one reason why its capital was picked for last year’s summit between Donald Trump and Vladimir Putin. But with evidence of Russian interference in Western politics mounting, the euro area’s northernmost member state remains on high alert. Social media influence campaigns or direct cyber attacks are already thought to have impacted key votes such as the U.S. election in 2016 and the U.K’s Brexit referendum. “One shouldn’t be gullible,” Antti Hakkanen, justice minister in Finland’s caretaker government, said in an interview in Helsinki. “We’ll need to be prepared to ward off election interference if it becomes necessary. The risk is real.”



Reuters

March 27, 2019

EU nations will be required to share data on 5G cybersecurity risks and produce measures to tackle them by the end of the year, the European Commission said on Tuesday, shunning U.S. calls to ban China's Huawei Technologies across the bloc. The aim is to use tools available under existing security rules plus cross-border cooperation, the bloc's executive body said, leaving it to individual EU countries to decide whether they want to ban any company on national security grounds. Austria, Belgium, Czech Republic, France, Germany, Greece, Hungary, Ireland, the Netherlands, Lithuania and Portugal are all preparing to auction 5G licenses this year while six other countries will do so next year.



CyberScoop

March 26, 2019

A notorious hacking group experts have tied to the North Korean government has targeted an Israeli defense company, according to new research outlining what appears to be one of the group’s first attacks on an Israeli entity. The unnamed company makes products used in the military and aerospace industries, and the hackers could have been after commercial secrets or more traditional espionage, according to ClearSky, the cybersecurity firm that exposed the operation. The suspected culprit is Lazarus Group, an industry term for a broad set of hackers associated with Pyongyang. “We cannot be sure what the objective of the attackers [was],”  Eyal Sela, head of threat intelligence at ClearSky, told CyberScoop in an email. “[It] could be industrial/commercial espionage but could be military espionage, for example.”



Reuters

March 26, 2019

A computer virus infected the Spanish Defence Ministry's intranet this month with the aim of stealing high tech military secrets, El País newspaper said on Tuesday, citing sources leading the investigation as suspecting a foreign power behind the cyberattack. A Defence Ministry spokesman said the ministry would not comment. El País said the virus was apparently introduced via email and was first spotted at the beginning of March. However, it could have gone undetected for months in an intranet with more than 50,000 users. Although the network does not carry classified information, the paper said its sources were concerned about a wider infection to other networks with the purpose of accessing information related to secret military technology.



CyberScoop

March 25, 2019

Researchers have uncovered a second security flaw in the electronic voting system employed by the Swiss government. The vulnerability involves a problem with the implementation of a cryptographic protocol used to generate decryption proofs, a weakness that could be leveraged “to change valid votes into nonsense that could not be counted,” researchers Sarah Jamie Lewis, Olivier Pereira and Vanessa Teague wrote in a paper published Monday. This disclosure comes weeks after the same team of researchers announced they had uncovered a flaw in the e-voting system that could allow hackers to replace legitimate votes with fraudulent ones. Swiss Post, the country’s national postal service, which developed the system along with Spanish technology maker Scytl, said earlier this month that first vulnerability had been resolved.



TECHNOLOGY



CyberScoop

March 28, 2019

A new strain of malicious software affecting Android devices is capable of phishing credentials and automating bank transactions for more than 100 banks and 32 virtual currency apps, according to new research from security firm Group-IB. The malware, dubbed Gustuff, is aimed at top international banks including Bank of America, Wells Fargo, Chase, Capital One, and others, researchers found. It also is designed to steal from cryptocurrency apps like Bitcoin Wallet and Coinbase, and can phish usernames and passwords from PayPal, Western Union, Walmart, eBay and WhatsApp, according to researchers at Group-IB.



WIRED

March 27, 2019

Widespread adoption of the web encryption scheme HTTPS has added a lot of green padlocks—and corresponding data protection—to the web. All of the popular sites you visit every day likely offer this defense, called Transport Layer Security, or TLS, which encrypts data between your browser and the web servers it communicates with to protect your travel plans, passwords, and embarrassing Google searches from prying eyes. But new findings from researchers at Ca' Foscari University of Venice in Italy and Tu Wien in Austria indicate that a surprising number of encrypted sites still leave these connections exposed. In analysis of the web's top 10,000 HTTPS sites—as ranked by Amazon-owned analytics company Alexa—the researchers found that 5.5 percent had potentially exploitable TLS vulnerabilities. These flaws were caused by a combination of issues in how sites implemented TLS encryption schemes and failures to patch known bugs, (of which there are many) in TLS and its predecessor, Secure Sockets Layer. But the worst thing about these flaws is they are subtle enough that the green padlock will still appear.



Ars Technica

March 27, 2019

A critical vulnerability in the WinRAR file-compression utility is under active attack by a wide range of bad actors who are exploiting the code-execution flaw to install password stealers and other types of malicious software. In one campaign, according to a report published by researchers from security firm FireEye, attackers are spreading files that purport to contain stolen data. One file, titled leaks copy.rar, contains email addresses and passwords that were supposedly compromised in a breach. Attackers claim another file, cc.rar, contains stolen credit card data. Other files have names including zabugor.rar, ZabugorV.rar, Combolist.rar, Nulled2019.rar, and IT.rar. Hidden inside the files are payloads from a variety of different malware families.



ZDNet

March 23, 2019

A group of academics from South Korea have identified 36 new vulnerabilities in the Long-Term Evolution (LTE) standard used by thousands of mobile networks and hundreds of millions of users across the world. The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic. They were discovered by a four-person research team from the Korea Advanced Institute of Science and Technology Constitution (KAIST), and documented in a research paper they intend to present at the IEEE Symposium on Security and Privacy in late May 2019.