Pages

Friday, April 26, 2019

Russians Breached Florida County Computers Before 2016 Election, Mueller Report Says


Historic summit between Kim Jong-un and Vladimir Putin 'fruitful'


Putin has a track record of making world leaders wait for him, but on Wednesday the Russian leader arrived at the venue around half an hour early.









BUY-BACK: The risk of continuing business during a caretaker period.







FCW

April 15, 2019

Twenty-eight members of the House Homeland Security Committee are urging appropriators to boost cyber funding at the Department of Homeland Security above what the White House has requested. In a letter sent to the House Appropriations Committee, the signatories -- including Chairman Bennie Thompson (D-Miss.) and ranking member Mike Rogers (R-Ala.) -- asked for a raise in the spending cap for DHS cyber spending, saying years of flat funding levels at the department will not be enough to "properly resource" the newly established Cybersecurity and Infrastructure Security Agency and its mission. "We urge the committee to break from the status quo and increase the Homeland Security Subcommittee's 302(b) allocation commensurate with the threat," the members wrote. "It is imperative that [the allocation] enable CISA to mature and grow the services it provides to secure federal and critical infrastructure networks."



ADMINISTRATION



The New York Times

April 18, 2019

In the months before the 2016 presidential election, Russia’s military intelligence agency penetrated computer systems in at least one Florida county government and planted malware in systems at a manufacturer of election equipment, the special counsel, Robert S. Mueller III, said in his office’s final report on Russian interference in the election. The report did not cite any evidence that the breaches compromised election results in Florida or elsewhere, and said Mr. Mueller had left further investigation of the incidents to the F.B.I. and the Department of Homeland Security. The disclosure of the suspected breach added to accounts of Russia’s systematic effort to access voter-registration rolls and other election systems outlined last year by American intelligence officials and in federal indictments. The special counsel’s report also cited another attack on computers in Illinois, which had already been reported, while the attack in Florida had not previously been disclosed. The penetration of the election equipment manufacturer, identified elsewhere as VR Systems of Tallahassee, Fla., had been known — but not that malware specifically had been planted. The company makes electronic pollbooks and other devices that help officials run elections, but does not make voting machines.



E&E News

April 18, 2019

U.S. energy regulators are pursuing a risky plan to share with electric utilities a secret "don't buy" list of foreign technology suppliers, according to multiple sources. The move reflects the federal government's growing concern that hackers and foreign spies are targeting America's vital energy infrastructure. And it's also raised new questions about the value of top-secret U.S. intelligence if it can't get into the hands of power industry executives who can act on it to avoid high-risk vendors. Joseph McClelland, director of the Federal Energy Regulatory Commission's Office of Energy Infrastructure Security, told a Department of Energy advisory committee last month that officials are working on "an open-source procurement list" for utilities to use when deciding where to source their software and equipment.



Fifth Domain


The Air Force is creating a cadre of specialized defensive cyber teams that will protect critical Air Force missions and installations. These teams, known as mission defense teams, “have got to be there on the flight team to support mission generation” and will be “no different than the weapons troop or avionics or crew chief,” Ted Uchida, deputy director of operations at Air Combat Command, said April 11 at an event at Langley Air Force Base. The teams are an outgrowth of the service’s communications squadrons, which in the past performed much of the IT and cyber defense at the base or wing level. The new crews differ from the cyber protection teams that the Air Force, and other services, provide to U.S. Cyber Command. They are made possible, in part, because the Air Force is outsourcing the more mundane tasks of IT management on installation’s to industry, freeing these folks to focus on cyber defense. Already, Air Force officials see a need for this skillset. For example, certain mission defense teams could be assigned to defend the avionics in a fighter jet from malware. Uchida said one Air Force staffer recently discovered malware on the memory loader verifier on an F-16 leading officials to ask how it got there and whether it penetrated the aircraft’s primary system. This incident sparked discussions about how to build up of mission defense teams that could focus on protecting weapon systems.



Nextgov

April 16, 2019

When it comes to website security, the federal government is doing something right. U.S. government websites outscored sites from all other sectors in an online trust audit released Tuesday which recognizes excellence in data security, consumer protection and responsible privacy practices. “To put the audit findings in context, almost every sector improved its security and privacy practices, and the record scores reflect that,” Technical Director of the Internet Society’s Online Trust Alliance Jeff Wilbur said in a statement. “The U.S. government in particular made stunning improvements, from near last in 2017 to top of the class in 2018.” The tenth annual Internet Society’s Online Trust Audit and Honor Roll reviewed more than 1,200 consumer-facing websites to identify organizations that place a premium on security and privacy—as well as those that can do better. OTA’s report said the federal government category “surged to the front” of the list, with 91 percent of sites placing on the honor roll. It’s a “dramatic turnaround” from last year when government sites bottomed out at 39 percent recognition on the honor roll list.



FCW

April 16, 2019

The federal government's top IT security chief floated the possibility of new regulations to shore up protections and transparency in the technology supply chain and canvassed industry for feedback. While speaking at a cybersecurity event in Virginia hosted by the Intelligence National Security Alliance, Federal Chief Information Security Officer Grant Schneider questioned whether the U.S. government and suppliers have even worked out a successful model to weigh security risks in purchasing and acquisition. Such a model, he said, would naturally lead individuals, the private sector and federal agencies to discriminate against low-cost, low-security parts and components in favor of costlier, more secure ones. "We're very much looking for feedback on how we do market incentives, where we can focus in the federal government, because I don't believe that the free market is necessarily going to get us there in cybersecurity," Schneider said. "At least, it's not going to get us there fast enough."



CyberScoop

April 16, 2019

A revamped policy framework for offensive U.S. cyber operations is much quicker than its predecessor and has yielded “operational success,” a top White House cybersecurity official said Tuesday. Last August, President Donald Trump rescinded the Obama-era policy, known as Presidential Policy Directive 20, which governed U.S. hacking operations, and replaced it with the new framework. Critics said PPD-20’s intricate interagency process unnecessarily delayed offensive operations, while advocates called it an important mechanism for accounting for all of the potential repercussions of a cyberattack. The new structure “gives more authority to the people who need to actually make those decisions” about offensive operations, Grant Schneider, the federal information security officer, said at an event hosted by the nonprofit Intelligence and National Security Alliance. U.S. officials are focused on ensuring that the Pentagon “has the tools available to leverage offensive cyber capabilities,” he added. The remarks from Schneider, the National Security Council’s top defensive-focused cybersecurity official, were some of his most extensive yet on the new policy and legal framework for green-lighting government cyberattacks.



TechCrunch


A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned. The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server. The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data. The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses.



INDUSTRY



Infosecurity Magazine

April 19, 2019

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes.  On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network but as of press time hasn't released any specifics on the attack itself. When the AMHQ show should have started, viewers saw taped programming, Heavy Rescue. AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties." Around 90 minutes later, the show returned with its anchors informing of the cyber incident. "The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.



CyberScoop

April 18, 2019

Facebook confirmed Thursday that password credentials belonging to millions of Instagram users were stored in an insecure format. The company quietly updated a blog post first published March 21 to say millions of Instagram passwords, not tens of thousands as initially stated, were stored in a readable format accessible by company employees dating back to 2012. The social media company did not specify how many millions of users were affected. “We will be notifying these users as we did the others,” the company said in its update. “Our investigation has determined that these stored passwords were not internally abused or improperly accessed.” Facebook last month said an internal investigation had determined that hundreds of millions of users’ passwords were stored in a format that could have allowed employees to view them. More than 20,000 employees could have accessed information about between 200 million and 600 million users, KrebsOnSecurity reported at the time. 



Axios

April 18, 2019

After years of dire warnings about hackers wreaking havoc on computers that run physical processes in factories and infrastructure, you’d think industrial firms would already have their top cybersecurity officers running cybersecurity at their plants. Today, that’s the case for only 35% of big facilities — but the situation is finally changing. According to a 2018 Gartner report, only 35% of firms had the chief information security officer's (CISO) department or an equivalent in charge of their industrial networks — often referred to as operational technology (OT) as opposed to business systems, the traditional IT. But that number is projected to double by 2021. It's a huge trend in just the last 18 months,” said Amit Yoran, CEO of Tenable and the former director of Homeland Security’s United States Computer Emergency Readiness Team.



Vice Motherboard

April 18, 2019

On July 5, 2015, a vigilante hacker known as Phineas Fisher posted online more than 400 gigabytes of internal data stolen from the servers of the infamous European spyware vendor Hacking Team. That embarrassing breach sparked a slow decline for the company, with key employees leaving, and other companies taking over the market. Four years later, despite the influx of cash from a mysterious Saudi Arabian investor, and what appeared to be a slow but steady recovery, Hacking Team is no more. At the beginning of April, Swiss-Italian company InTheCyber announced that it had acquired a majority stake into Hacking Team, and that it was merging the two companies into a new one called Memento Labs. The goal, according to the new owner of the company, Paolo Lezzi, is to rebuild. That’s why, when we asked if he was worried Phineas Fisher could come back, he laughed. “Right now there’s not much damage to make,” Lezzi said in a phone call. “The company was compromised, and it’s in a tough situation.”



Ars Technica

April 17, 2019

The wave of domain hijacking attacks besetting the Internet over the past few months is worse than previously thought, according to a new report that says state-sponsored actors have continued to brazenly target key infrastructure despite growing awareness of the operation. The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the highjacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.



AP

April 17, 2019

Keir Giles’ first thought was that the man’s cheap-looking suit didn’t seem right for a private equity executive. The man seated in front of him at the London hotel claimed to live in Hong Kong, but didn’t seem overly familiar with the city. Then there was the awkward conversation, which kept returning to one topic in particular: the Russian antivirus firm Kaspersky Lab. He also asked Giles to repeat himself or speak louder so persistently that Giles said he began wondering “whether I should be speaking into his tie or his briefcase or wherever the microphone was.” “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” said Giles, a Russia specialist with London’s Chatham House thinktank who often has urged caution about Kaspersky’s alleged Kremlin connections. “The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.” The Associated Press has learned that the mysterious man, who said his name was Lucas Lambert, spent several months last year investigating critics of Kaspersky Lab, organizing at least four meetings with cybersecurity experts in London and New York.



CyberScoop

April 17, 2019

A hacking campaign that targeted victims around the world used Blogspot, Pastebin and the link-shortening service Bit.ly to carry out its attacks, according to research published Wednesday by the security vendor Palo Alto Networks. Palo Alto’s Unit 42 research group in March uncovered what it has called the Aggah campaign, a digital crime spree focused on organizations in the U.S., Middle East, Europe and throughout Asia. The group distributes malicious macro-enabled documents which rely on Blogspot posts and multiple Pastebin posts for a command-and-control infrastructure. Researchers suggested the hacking campaign originated with the Gorgon Group, a collective that’s carried out a string of attacks from Pakistan over the past year, though Unit 42 said it’s too soon to directly attribute the Gorgon Group with any level of certainty. “Unfortunately, our current data set does not afford insight into the attackers’ motivation other than to compromise a large number of victims,” Unit 42 stated in a blog post Wednesday. “While a lot of this activity behaviorally appears to be potentially related to the Gorgon Group’s criminal activity, it is currently unclear and requires additional analysis to prove.”



Reuters

April 16, 2019

Indian IT services firm Wipro Ltd said on Tuesday some of its employee accounts may have been hacked due to an advanced phishing campaign and that the company had launched an investigation to contain any potential impact. The Bengaluru-based company was responding to a Reuters query after cyber security blog KrebsOnSecurity said Wipro's systems had been breached and were being used to launch attacks against some of its clients. KrebsOnSecurity, citing anonymous sources, said Wipro's systems were being used to target at least a dozen customer systems. "We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," Wipro said in an emailed statement. The company also said it had retained an independent forensic firm to assist in the investigation. Wipro did not say which clients, if any, had been compromised.



Wired

April 15, 2019

On Friday, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account data like email addresses in messages, message subject lines, and folder names inside accounts. By Sunday, it acknowledged that the problem was actually much worse. After tech news site Motherboard showed Microsoft evidence from a source that the scope of the incident was more extensive, the company revised its initial statement, saying instead that for about 6 percent of users who received a notification, hackers could also access the text of their messages and any attachments. Microsoft had previously denied to TechCrunch that full email messages were affected. It may seem odd that a single set of customer support credentials could be the keys to such a massive kingdom. But within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to be able to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.



The New York Times

April 15, 2019

Within days of a cyberattack, warehouses of the snack foods company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers. Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017. Laptops froze suddenly as Mondelez employees worked at their desks. Email was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed. Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents. After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought. Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war. Mondelez was deemed collateral damage in a cyberwar.



Ars Technica

April 13, 2019

Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed. Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked. All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft.



INTERNATIONAL



POLITICO

April 18, 2019

Special counsel Robert Mueller’s long-awaited report hammered home a crucial reminder Thursday: The Kremlin mounted a massive online campaign to wreak havoc on U.S. democracy in 2016. It also underscored the urgency of fixing the nation’s election security gaps before 2020 — a task that state and local governments have been slow to take on. "The Russian government interfered in the 2016 presidential election in sweeping and systematic fashion," Mueller wrote in the 448-page document, which lays out new details about a Kremlin-backed plot that compromised Democrats' computer networks and targeted state and local election offices. Mueller wrote that investigators also found evidence of repeated communications — but not "coordination" — between associates of then-candidate Donald Trump and people claiming to have damaging information on Hillary Clinton. The report says one attack — the first attempt by Russia's military intelligence service to compromise Clinton's personal office — came within about five hours of Trump publicly asking "Russia, if you're listening," to find 30,000 emails that had been deleted from the former secretary of state's infamous personal email server.



Wired

April 18, 2019

Nearly three years after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open web, Iran's hackers are getting their own taste of that unnerving experience. For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping their secret data, tools, and even identities onto a public Telegram channel—and the leak shows no signs of stopping. Since March 25, a Telegram channel called Read My Lips or Lab Dookhtegan—which translates from Farsi as "sewn lips"—has been systematically spilling the secrets of a hacker group known as APT34 or OilRig, which researchers have long believed to be working in service of the Iranian government. So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group.



AFP

April 16, 2019

Ecuador said on Monday it has suffered 40 million cyber attacks on the webpages of public institutions since stripping Wikileaks founder Julian Assange of political asylum. Patricio Real, Ecuador's deputy minister for information and communication technologies, said the attacks, which began on Thursday, had "principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom," as well as from the South American country itself. Assange was arrested and carried out of Ecuador's embassy in London on Thursday after President Lenin Moreno removed his diplomatic protection following seven years of self-imposed exile in the building. Moreno accused Assange of interfering in the "processes of other states" and "spying."



ZDNet

April 16, 2019

In a document published today, the European Commission has revealed that they don't have any actual evidence of Kaspersky software being used for spying on behalf of the Russian government, as the US government alluded in 2017. The document was the Commission's reply to a series of questions submitted by Gerolf Annemans, a European Parliament member on behalf of Belgium, in March this year. The questions were related to a motion the European Parliament voted in June 2018 that put forward a general strategy and guidelines for an EU-wide joint plan on cyber defense. The document advised EU states to exclude and ban programs and equipment that have been "confirmed as malicious," naming Kaspersky as the only example.



Reuters

April 15, 2019

Belgium's center for cybersecurity has found no evidence that telecoms equipment supplied by Huawei Technology could be used for spying. The agency, which reports to the Belgian prime minister, had been tasked with analyzing the possible threat posed by Huawei, which supplies equipment to Belgian mobile operators Proximus, Orange Belgium and Telenet. "Until now we have not found technical indications that point in the direction of a spying threat," a spokesman for the agency said on Monday. "We are not providing a final report on the matter, but are continuing to look into it."



Computer Weekly

April 15, 2019

The National Cyber Security Centre (NCSC), together with Wayra UK, has launched a national call for 10 startups to join its accelerator programme to develop the next generation of cyber security products. Since its launch in 2017, the government-funded NCSC Cyber Accelerator has mentored and supported the growth of technology startups, with previous participants securing more than £20m in funding. One of the main aims of the NCSC Accelerator is helping entrepreneurs to get into the market and helping the market identify good solutions to real problems. For this fourth cohort of startups, the accelerator is focusing on projects aimed at enhancing cyber security through anticipating the early stages of a cyber attack and enabling action to be taken on real-time threats, vulnerability information and other intelligence.



Reuters

April 15, 2019

The United States will push its allies at a meeting in Prague next month to adopt shared security and policy measures that will make it more difficult for China's Huawei to dominate 5G telecommunications networks, according to people familiar with the matter and documents seen by Reuters. The event and broader U.S. campaign to limit the role of Chinese telecommunications firms in the build out of 5G networks comes as Western governments grapple with the national security implications of moving to 5G, which promises to be at least 100 times faster than the current 4G networks. The issue is crucial because of 5G's leading role in internet-connected products ranging from self-driving cars and smart cities to augmented reality and artificial intelligence. If the underlying technology for 5G connectivity is vulnerable then it could allow hackers to exploit such products to spy or disrupt them. The United States has been meeting with allies in recent months to warn them Washington believes Huawei's equipment could be used by the Chinese state to spy. Huawei Technologies Co Ltd has repeatedly denied the allegations.



TECHNOLOGY



Nextgov

April 18, 2019

Mobile devices and the internet are becoming increasingly ubiquitous in American society, offering more connectivity than ever before. But as those technologies grow more prevalent, researchers say a new divide is emerging between people who can identify and mitigate possible cybersecurity threats and those who cannot. ‘Underserved’ people—including foreign language speakers, senior citizens, and low-income residents—face “higher-than-average risks” of falling victim to cyber attacks compared to their better-served counterparts, according to a report released this week by the University of California, Berkeley Center for Long-Term Cybersecurity. “This cybersecurity gap is a new ‘digital divide’ that needs to be addressed—with urgency—by the public and private sectors alike,” wrote Ahmad Sultan, who led the study. “The report is intended to help city leaders understand how they could better understand this issue in their own cities, and how they might forge public-private partnerships to address cybersecurity concerns at the system level.”