Gov Info Security
April 4, 2019
Sen. Elizabeth Warren, D-Mass, has introduced legislation that would pave the way
for top executives at major corporations to face criminal charges if their
company's wrongdoing leads to harm, such as a major data breach. While business
groups immediately criticized the plan, consumer advocates praised it. The
proposed bill, the Corporate Executive Accountability Act, would allow federal
authorities to bring criminal charges, as well as to seek jail time, against
corporate executives at companies with more than $1 billion in annual revenue if the
business is found guilty of criminal behavior or repeatedly violating federal
law. The goal of the legislation is to hold executives more accountable when
their company "harms the health, safety, finances or personal data,"
of American citizens, Warren says in a statement.
Nextgov
April 4, 2019
A bipartisan bill introduced in the Senate Wednesday aims to deter Russia and
other nations from meddling in future U.S. elections. The Defending Elections
from Threats by Establishing Readiness Act, or DETER—introduced by Sens. Marco
Rubio, R-Fla., and Chris Van Hollen, D-Md.—threatens a range of retaliatory
actions the government can take if a foreign government meddles in another
election as well as Russia-specific sanctions that can be doled out. The bill
would require the Director of National Intelligence to ascertain whether any
foreign government interfered in any federal election within 60 days of the
election date. The DNI would also have to provide the identities of any senior
political figures who knowingly contributed to interference in a U.S. election.
FCW
A Department of Homeland Security official told Congress that it is getting
closer to complying with a 2014 law directing the agency to classify and code
its cybersecurity positions. The 2014 Homeland Security and Cybersecurity
Workforce Assessment Act requires DHS to classify and code all IT security
positions as outlined by the Office of Personnel Management, the National
Initiative for Cybersecurity Education and the National Institute of Standards
and Technology to identify its greatest areas of need in cyber human capital.
The law also required DHS to begin annually reporting those needs to Congress
and OPM starting in 2016 in order to inform stakeholders and facilitate further
action. However, a February 2018 audit by the Government Accountability Office
found that the department was well behind schedule identifying and coding its
IT security workforce and had relayed inaccurate information to Congress about
how far along it was in the process.
Gov Info Security
Several industry groups have offered suggestions - ranging from better cyber
information sharing to new regulatory "safe harbors" for entities
complying with best practices - to Sen. Mark Warner, D-Va., in response to his
recent request for input on how the healthcare sector can improve its
cybersecurity posture. Warner in February sent letters to four federal agencies
and 12 healthcare associations posing long lists of questions as a prelude to
developing short-term and long-term strategies for improving healthcare
cybersecurity.
FCW
The Air Force plans to roll out new workforce categories for cyber this summer,
according to Secretary Heather Wilson. Testifying before the House Armed
Services Committee April 2, Wilson said that the Air Force will add seven new
job categories to better facilitate career advancement. "We've been working
for about 18 months on how do we evaluate, how do we promote officers and
develop officers for the future of combat," Wilson said during the
hearing, which focused on the Air Force and Army budget requests. "A cyber
officer doesn't have the same things to do in their careers as a maintenance
officer, and they don't compare to each other … we need to promote to the needs
of the service, and not just promote everybody," Wilson said. The Air
Force is scouring its ranks for cyber talent in hopes of converting maintainers
and logisticians to keyboard warriors.
Nextgov
April 1, 2019
The Government Accountability Office is doubling down on its recommendation that
Congress reconsider the identity theft insurance it requires federal agencies
to offer after data breaches. In 2017, the office recommended Congress should
let agencies determine the right amount of identity theft insurance coverage.
GAO renewed the recommendation this week after new findings further suggest
that identity theft services do not effectively alleviate all data breach risks
that victims face. GAO reviewed documentation and conducted interviews with
academic, consumer, government and industry experts to “evaluate issues related
to consumers’ options” to address potential harm from data breaches. The agency
found that there’s limited information around actually assessing said options.
“We did not identify any studies that analyzed whether consumers who sign up
for or purchase identity theft services encounter fewer instances of identity
theft or detect instances of financial or other fraud more—or less—rapidly than
consumers who take steps on their own,” the report said. “Views of experts
varied, but most said identity theft services have limitations and would not
address all data breach risks.”
ADMINISTRATION
Nextgov
April 5, 2019
Four federal regulators that have developed a system for assessing the cybersecurity
vulnerabilities of financial institutions are asking those organizations
whether the system is giving enough bang for the buck. The four agencies—the
Office of the Comptroller of the Currency, the Board of Governors of the
Federal Reserve System, the Federal Deposit Insurance Corporation, or FDIC, and
the National Credit Union Administration—all sit on the Federal Financial
Institutions Examination Council and collectively manage the council’s
Cybersecurity Assessment Tool. The tool itself is more of a framework, by which
financial institutions can assess their cyber risk and ability to mitigate the
fallout of potential cyberattacks. In order to receive such an assessment, the
institutions have to provide a trove of information.
Inside Cybersecurity
April 5, 2019
The Defense Department is anticipating enhanced cybersecurity requirements for contractors
working on critical technologies will be published by the National Institute
for Standards and Technology in approximately 60 days, according to a DOD
official. Donald Heckman, DOD's principal deputy chief information officer for
cybersecurity, said the update to NIST Special Publication 800-171 is close to
being finalized. Though it has not yet been published on NIST's website, Heckman
confirmed it has completed an interagency review process.
CyberScoop
The notorious SamSam ransomware — which extracted over $6 million in payments from
more than 200 victim organizations — forced the FBI to adjust its model for
handling cyberattack investigations, a senior bureau official said Thursday.
Nearly all 56 of the FBI’s field offices responded to SamSam incidents — an
inefficient way of keeping up with the malware, said Tonya Ugoretz, deputy
assistant director of the FBI’s Cyber Division. And so, in an example of how
the FBI is trying to adapt to an era of unceasing cyberthreats to U.S.
businesses, the bureau changed its investigative structure. “We developed a
model whereby when there is a certain type of malicious strain or certain type
of threat actor, we have one office that’s in charge, we have other offices
running supporting investigations that are feeding up into that,” Ugoretz said
at the Cybersecurity Leadership Forum presented by Forcepoint and produced by
CyberScoop and FedScoop. Additionally, FBI headquarters pieces all of that
intelligence together and shares it with other agencies, she said.
AP
April 4, 2019
Georgia’s Republican Gov. Brian Kemp has quietly signed a wide-ranging elections bill
authorizing the statewide purchase of new touchscreen voting machines that
print a paper ballot. He signed it Tuesday, behind closed doors and without
prior announcement, on the final hectic day of Georgia's 2019 legislative
session. The estimated $150 million purchase will be a major step toward
replacing the state's current outdated voting machines, which offer no auditable
paper trail. But some say it's a major step in the wrong direction. Critics,
including several leading cyber security experts, have said the new electronic
ballot markers are hackable and less secure than hand-marked paper ballots.
Nextgov
April 4, 2019
The U.S. is facing a severe shortage of cybersecurity expertise, and agencies need to
rethink their hiring methods if they want to keep up their digital defenses,
according to the Homeland Security Department’s cyber chief. “There’s not
enough capability to go around,” said Chris Krebs, director of the
Cybersecurity and Infrastructure Security Agency. “There’s no question there’s
a security consolidation happening—particularly with some of the big tech
companies, the rich are getting richer.” As cyber talent gravitates toward
higher paying, more flexible jobs in the private sector, the government must
look beyond its traditional employee pools, Krebs said Thursday at the
Forcepoint Cybersecurity Leadership Forum. And his agency is already broadening
its sights. In a field like cybersecurity, real-world experience could be just
as valuable as any degree or credential, but the government’s current hiring
process may overlook those with less traditional backgrounds, he said. The
current schedule system also lumps together every cyber specialist into a
single job code, which “doesn’t work” when building a workforce with such a
wide array of specialities, he added. A personnel system set to launch later
this year could help Krebs and other federal tech leaders bring on specialists
who might otherwise fall through the cracks.
Federal News Network
April 4, 2019
On page 6 of the Navy’s recent report about its cyber readiness, there is a jaw-dropping
confession: “The systems the U.S. relies upon to mobilize, deploy and sustain
forces have been extensively targeted by potential adversaries, and compromised
to such extent that their reliability is questionable.” Bill Evanina, director
of the National Counterintelligence and Security Center in the Office of the
Director of National Intelligence, wants that single sentence in the 80-page
report to sink in for a second. “The Navy’s report on their resilience and
reliability is that watershed moment not only for the Department of Defense but
for all agencies in the federal government, and I would even proffer in the
private sector, to have an honest, internal look at their systems, their data,
their capabilities and their protection mechanisms and where they have
vulnerabilities and how the threats are manifested in their organizations,”
Evanina said after speaking at the Intelligence and National Security Alliance
(INSA) event on supply chain management in Arlington, Virginia, on April 1. “I
think all agencies should take a hard look and say, ‘What can we do that is
similar to this to look at our own processes and protection models?’”
Fifth Domain
The Air Force is merging its main cyber and intelligence organizations after years of
discussion and speculation. 24th Air Force, or Air Forces Cyber, will merge
with 25th Air Force — responsible for global intelligence, surveillance and
reconnaissance — this summer, according to an April 4 press release. Officials
had been coy about the potential merger when asked directly about it, despite
publicly referencing it as recently as mid-March. The merger follows several
initiatives within the Air Force to integrate cyber and ISR together. “The
synergy between cyber, ISR, [electronic warfare] and [information operations]
will increase unity of effort across these capabilities, resulting in new and
improved options for combatant commanders,” the Air Force’s press release said.
ProPublica
Using specialized software, investigators traced explicit child p*rnography to Todd
Hartman’s internet address. A dozen police officers raided his Los Angeles-area
apartment, seized his computer and arrested him for files including a video of
a man ejaculating on a 7-year-old girl. But after his lawyer contended that the
software tool inappropriately accessed Hartman’s private files, and asked to
examine how it worked, prosecutors dismissed the case. Near Phoenix, police
with a similar detection program tracked underage p*rn photos, including a
4-year-old with her legs spread, to Tom Tolworthy’s home computer. He was
indicted in state court on 10 counts of committing a “dangerous crime against
children,” each of which carried a decade in prison if convicted. Yet when
investigators checked Tolworthy’s hard drive, the images weren’t there. Even
though investigators said different offensive files surfaced on another
computer that he owned, the case was tossed. At a time when at least half a
million laptops, tablets, phones and other devices are viewing or sharing child
p*rnography on the internet every month, software that tracks images to
specific internet connections has become a vital tool for prosecutors.
Increasingly, though, it’s backfiring.
FCW
April 3, 2019
The Office of Personnel Management issued its final rule to give agencies the authority to
more easily hire for IT and cyber positions. The rule, effective May 3, comes
following the executive order aimed at boosting agency-level authorities in
making hires for high-demand tech positions. "The intended effect of this
change is to enable [CIOs] to hire urgently needed IT professionals more
quickly," it stated. The rule specifies that the authority applies where
agency heads determine a "severe shortage" of IT management
employees. Employees offered jobs under direct hire will be eligible to serve
for a four-year period, with the possibility of a four-year extension. The rule
also stated that no one hired using this authority can be transferred to a non-IT
position. Following the issuance of the rule, OPM said that it will update its
direct hire guidance to emphasize the authority of agency heads, CIOs and human
resources personnel to make sure the authority is used
"appropriately." To educate human resources offices on using direct
hire authority, the rule stated OPM will also hold "interactive
sessions" for hiring managers.
Nextgov
April 2, 2019
The General Services Administration expanded its cybersecurity service offerings to help
federal agencies and state and local governments to protect their most valuable
data. GSA announced the modernized Highly Adaptive Cybersecurity Services
Special Item Number Tuesday, adding services that can help agencies meet
administrative mandates to secure high-value assets on mission-critical
systems. The HACS SIN debuted on GSA’s IT Schedule 70 contract in 2016 so
agencies can access penetration testing, incident response, cyber hunt and risk
and vulnerability assessments from pre-vetted contractors. “The cybersecurity
market has rapidly evolved since the initial creation of the HACS offerings
just two and a half years ago, and GSA is responding to this evolution by
including key cybersecurity services that were missing from the original SIN,”
said GSA acting Assistant Commissioner Bill Zielinski in a statement.
Gov Info Security
April 2, 2019
Albany, New York, is the latest unit of local government hit with ransomware in recent
weeks, following similar attacks reported in Georgia and North Carolina that
crippled government IT systems and disrupted service for local residents. The
latest incident happened on Saturday morning, with Albany officials working
throughout the weekend to restore most services for residents and investigate
the incident. The city's offices had reopened by noon on Monday, with most
public services returned to normal. By Tuesday, city residents could access
marriage licenses and certificates, but birth and death certificates were still
affected by the incident, according to Mayor Kathy Sheehan.
The Atlanta Journal Constitution
April 2, 2019
It sounds a bit ironic: a data breach potentially affecting 1.3 million current and former
students, faculty and staff members at Georgia Tech, the world renowned university
with lauded computer science programs. But it happened. The school disclosed
the breach, its second in less than a year, on Tuesday, saying it feared the
exposed information included names, addresses, social security numbers and
birth dates. Tech spokesman John Toon said officials at the school, which
typically has around 30,000 students enrolled, learned in “late March” that a
central database had been accessed by an unknown outside entity. Toon
said Tech immediately corrected the application, but personal information was
likely exposed. “Georgia Tech’s cybersecurity team is conducting a thorough
forensic investigation to determine precisely what information was extracted
from the system,” he said.
Nextgov
The Energy Department must rapidly develop a comprehensive plan to identify and replace
legacy information technology systems and components, according to a report
from the agency’s inspector general. Between February 2018 and March 2019, the
IG conducted an audit to determine whether Energy is effectively managing the
lifecycle of its legacy IT systems at the department’s headquarters and at
national laboratory sites including the Pacific Northwest National Lab and SLAC
National Accelerator Lab. The review primarily focused on unclassified
information systems and excluded industrial control and national security
systems. The IG could not accurately quantify the exact amount of legacy IT at
all of the sites because most did not track the legacy status of their
inventory systems.
FCW
April 2, 2019
With proposed cybersecurity funding levels flat for 2020, does the Department of
Homeland Security have the resources to protect federal civilian networks?
While the Trump administration's budget request would boost cybersecurity
spending throughout the federal government to $17.4 billion, funding levels for
cybersecurity operations at DHS would remain more or less flat at $1.9 billion,
including $1.1 billion for the Cybersecurity and Infrastructure Security
Agency. The administration also proposed deep cuts for DHS' Science and
Technology Directorate, the research and development arm that has increasingly
aligned its mission with CISA. Experts and stakeholders interviewed by FCW said
that the cybersecurity mission is expanding at DHS, but funding has not kept up.
CyberScoop
April 1, 2019
The FBI needs to shore up its internal processes for notifying the victims of
cyberattacks, according to a U.S. Justice Department inspector general’s report
published Monday. There are issues with the quality and completeness of the
data stored in the FBI’s Cyber Guardian system — a tool for disseminating
notifications after security breaches — reports Inspector General Michael E.
Horowitz. Many FBI agents tasked with responding to cybercrimes improperly
handle the work associated with indexing the victims in the bureau’s system, a
problem that could make it more difficult for hacked organizations to recover,
according to the report. “During this audit, we visited six FBI field offices
and discussed the victim notification process with cyber squad Special Agents
and supervisory Special Agents,” the report said. “In our discussions, we found
that 29 of 31 field agents we interviewed do not use the ‘Victim Notification’
lead type when setting leads for victim notification. Five of the agents had
not even heard of it.”
The Washington Post
April 1, 2019
With just a year to go before the 2020 Census, the U.S. government is urgently working to
safeguard against hacking and disinformation campaigns as it perfects a plan to
count about 330 million people largely online for the first time. Going digital
is intended to cut costs. But cybersecurity experts say it may also put the
survey at unprecedented risk in a nation embroiled in fallout from Russian
interference in the 2016 election. Any outside attempt to discredit or
manipulate the decennial survey could drive down response rates, imperiling the
integrity of data that help determine a decade’s worth of federal funding,
congressional apportionment and redistricting throughout the country.
CyberScoop
April 1, 2019
The Department of Homeland Security is trying to replicate a strategy used by the
Department of Defense to protect and defend its networks, and the plan could
soon be used across the entire federal government. DHS is currently assessing
its 16 federated security operations centers (SOCs) to determine which agencies
meet the parameters by which they could offer services to other agencies in
need of various services, according to DHS Chief Information Security Officer
Paul Beckman. “We are trying to figure out how we collectively get our arms
around all those SOCs and how we optimize that,” Beckman told a crowd at the
2019 IT Modernization Summit, presented by FedScoop. Beckman said the process
is following the DOD’s Cybersecurity Service Provider (CSSP) model. That
program assesses which internal security centers hit a number of benchmarks.
When one center is qualified to provide a certain level of security, other
internal agencies can use those centers for their own security operations.
INDUSTRY
Reuters
April 4, 2019
German drugmaker Bayer has contained a cyber attack it believes was hatched in China,
the company said, highlighting the risk of data theft and disruption faced by
big business. Bayer found the infectious software on its computer networks
early last year, covertly monitored and analyzed it until the end of last month
and then cleared the threat from its systems, the company said on Thursday.
“There is no evidence of data theft,” Bayer said in a statement, though a
spokesman added that the overall damage was still being assessed and that
German state prosecutors had launched an investigation. “This type of attack
points toward the ‘Wicked Panda’ group in China, according to security
experts,” the spokesman added, citing DCSO, a cyber security group set up by
Bayer in 2015 with German partners Allianz, BASF and Volkswagen. Third-party
personal data was also not compromised, the spokesman said. The hackers used
malware called WINNTI, which makes it possible to access a system remotely and
then pursue further exploits from there, said Andreas Rohr of the DCSO.
CNBC
April 4, 2019
The risk of a devastating cyberattack may be the single greatest danger to the U.S.
financial system, according to J.P. Morgan Chase CEO Jamie Dimon. J.P. Morgan
spends almost $600 million annually to tighten its defenses and ward off a
constant stream of attacks, Dimon said Thursday in his annual letter to
shareholders. But the interconnected nature of the financial system means the
risk never goes away. Indeed, J.P. Morgan was the victim of a large data breach
in 2014 tied to hackers. "The threat of cyber security may very well be
the biggest threat to the U.S. financial system," Dimon said. The bank
spends "a lot of time and effort trying to protect our company in
different ways as part of the ordinary course of running the business,"
Dimon said. "But the financial system is interconnected, and adversaries
are smart and relentless — so we must continue to be vigilant."
E&E News
April 4, 2019
As employees at nuclear power plants operated by Entergy Corp. showed up for work
on a Tuesday morning in February 2018, they got a strange warning: Don't turn
on your computers. The electricity giant, which owns and operates eight nuclear
sites from New York to Louisiana, was in the throes of a widespread malware
infection on its corporate system. The culprit? "Crypto-mining"
malware — a tool for hackers to make a quick buck digging for cryptocurrencies
like bitcoin by hijacking a company's computing power. The initial chatter
around the incident made no mention of cryptocurrency mining, and until now it
wasn't known publicly that the year-old incident went beyond Entergy's
corporate headquarters to affect computers at the nuclear sites.
Ars Technica
April 4, 2019
A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing
consumer routers to connect to fraudulent and potentially malicious websites
and addresses, a security researcher has warned. By now, most people know that
Domain Name System servers translate human-friendly domain names into the
numeric IP addresses that computers need to find other computers on the
Internet. Over the past four months, a blog post published Thursday said,
attackers have been using Google cloud service to scan the Internet for routers
that are vulnerable to remote exploits. When they find susceptible routers, the
attackers then use the Google platform to send malicious code that configures
the routers to use malicious DNS servers. Troy Mursch, the independent security
researcher who published Thursday's post, said the first wave hit in late
December. The campaign exploited vulnerabilities in four models of D-Link
routers.
AP
April 4, 2019
Some of the nation’s top research universities are cutting ties with Chinese tech giant
Huawei as the company faces allegations of bank fraud and trade theft. Colleges
including the Massachusetts Institute of Technology, Princeton University and
the University of California, Berkeley, have said they will accept no new
funding from the company, citing the recent federal charges against Huawei
along with broader cybersecurity concerns previously raised by the U.S.
government. The schools are among at least nine that have received funding from
Huawei over the past six years, amounting to a combined $10.5 million, according
to data provided by the U.S. Education Department. The data, which is reported
by schools, does not include gifts of less than $250,000. It’s not uncommon for
big companies to provide research dollars to schools in the U.S. and elsewhere.
At MIT, which received a $500,000 gift in 2017, officials announced in a memo
Wednesday they will not approve any new deals with the company and won’t renew
existing ones. The memo ties the decision to recent Justice Department charges
against Huawei, adding that the shift will be revisited “as circumstances
dictate.” Company officials did not immediately respond to a request for
comment.
TechCrunch
April 2, 2019
Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering
after a massive ransomware attack last month, TechCrunch has learned. The
company, famous for its iced tea beverages, is still rebuilding its network
almost two weeks after the attack hit, wiping hundreds of Windows computers and
servers and effectively shutting down sales operations for days until incident
response was called in, according to a person familiar with the matter. More
than 200 servers and networked computers displayed the same message: “Your
network was hacked and encrypted.” The company’s name was in the ransom note,
indicating a targeted attack. Notices posted around the office told staff to
hand in their laptops to IT staff. “Do not power on, copy files, or connect to
any network,” read the posters. “Your laptop may be compromised.” It took the
company another five days before the company brought in incident responders to
handle the outbreak, the source said. Many of the back-end servers were running
old and outdated Windows operating systems that are no longer supported. Most
hadn’t received security patches in years.
INTERNATIONAL
BBC
April 5, 2019
A growing number of cyber-attacks on key installations have successfully put systems out
of action over the past two years, a study has revealed. A survey of security
professionals in six countries, including the UK, by the Ponemon Institute
found 90% had been hit by at least one successful attack. Staff in the
utilities, energy, health and transport sectors were questioned. Experts said
the results are a wake-up call for an industry that often under-reports attacks
and the damage done. Staff tasked with keeping critical infrastructure systems running
often kept details secret for security reasons, they said. The report also
concludes that a lack of resources and intelligence about "relentless and
continuous" cyber-attacks are the industry's biggest concern.
BBC
April 4, 2019
A test of UK university defences against cyber-attacks found that in every case hackers
were able to obtain "high-value" data within two hours. The tests
were carried out by "ethical hackers" working for Jisc, the agency
providing internet services to the UK's universities and research centres. They
were able to access personal data, finance systems and research networks.
University research projects have been major hacking targets, with more than
1,000 cyber-attacks last year. The simulated attacks, so-called
"penetration testing", were carried out on more than 50 universities
in the UK, with some being attacked multiple times.
Nextgov
April 3, 2019
Cheap Chinese 5G technology isn’t all that cheap when you factor in the government
time and resources needed to make it safe—or at least safer—to use, a new NATO
Center of Excellence report says. That’s the warning from a new report by
NATO's Cooperative Cyber Defence Centre of Excellence, or CCDCOE, which notes
the considerable risks of importing next-generation telecom equipment from
Chinese hardware and software maker Huawei. Acknowledging that alliance
governments are unlikely to issue the “blanket bans” sought by U.S. officials,
the report recommends instead a lot more government supervision of what
companies like Huawei are building. U.S. Defense Undersecretary Ellen Lord and
Joint Chiefs Chairman Gen. Joe Dunford have highlighted the risk of Chinese-made
5G equipment, while Secretary of State Mike Pompeo has said that the United
States would have a hard time “partnering” with countries that import it. “If
that equipment is co-located where we have important American systems, it makes
it more difficult for us to partner alongside them,” Pompeo said in February.
U.S. lawmakers have expressed concern about Huawei and its opaque relationship
to the Chinese military since at least 2012.
The Washington Post
April 3, 2019
Current and former Pentagon leaders are warning about the risks to future military
operations posed by allies in Europe and Asia using Chinese technology in their
5G wireless telecommunications networks. In a statement Wednesday, six former
officials note that the immense bandwidth and super-high speeds of the coming
5G systems — up to 100 times faster than current 4G platforms — will make them
attractive for the U.S. military to share data with allies or transfer
information in combat. And they and U.S. defense officials warn that allowing
Chinese firms such as Huawei to outfit these networks poses unacceptable risks
of espionage and disruptive cyberattacks on military operations because of the
firm’s alleged ties to the Chinese government and a 2017 Chinese law that
requires companies, if directed, to cooperate in surveillance activities.
Sky News
April 3, 2019
Iran is being blamed for a wave of cyber attacks that targeted key parts
of the UK's national infrastructure in a major assault just before Christmas.
It is understood that private sector companies, including banks, were also
compromised in what has been described as an "ongoing" campaign. Sky
News has learnt that the Post Office and local government networks were both
hit in coordinated attacks on 23 December. The National Cyber Security Centre
said it was "aware of a cyber incident affecting some UK organisations in
late 2018" and that it was "working with victims and advising on
mitigation measures".
CyberScoop
April 2, 2019
The legal battle between Russian antivirus maker Kaspersky Lab and the U.S. government
has quieted, but the court of public opinion is still open for arguments.
Countering U.S. officials and critics who say otherwise, Kaspersky Lab on
Tuesday released an analysis arguing that, under Russian law, the company would
not be subject to certain demands from authorities for data. The analysis, done
by Swedish law professor Kaj Hober, contends that Kaspersky Lab does not meet
the Russian legal definition of an organization that disseminates information
on the internet. Under Russian law, such organizations are required to grant
authorities’ requests for metadata. Hober also contended that because Kaspersky
Lab does not make software for the purpose of “receiving, transmitting,
delivering or processing electronic messages” between internet users, the
company would not be obligated to build technical features into products at the
requests of Russian authorities.
Reuters
April 2, 2019
The Dutch security service advised the government on Tuesday not to use technology from
countries with active cyber-hacking campaigns against the Netherlands, such as
China and Russia. The recommendation came as the Dutch government is weighing
options for a new 5G telecommunications network in the coming years and seeks
to replace its domestic emergency services network, known as C2000. The AIVD
security agency flagged Chinese and Russian attempts at digital espionage as a
major security risk. "It is undesirable for the Netherlands to exchange
sensitive information or for vital processes to depend on the hardware or
software of companies from countries running active cyber programs against
Dutch interests," the AIVD said in its annual report.
CNet
April 2, 2019
The Australian government's 2019-20 Budget provides funding for a
whole-of-government "cyber uplift". While the numbers weren't
published due to national security reasons, the Budget papers said the funding
would "enhance cybersecurity arrangements for whole-of-government systems
in relation to the 2019 Federal election, and to mitigate potential cyber
threats through enhanced monitoring and response capabilities". This will
include the creation of "cyber sprint teams" under the Australian
Cyber Security Centre (ACSC), as well as a Cyber Security Response Fund.
"The government is bolstering investment in our cyber security strategy to
strengthen the defences of government IT systems to address key security
vulnerabilities and improve our ability to quickly respond to cyber
attacks," the Budget documents said, referring to the Cyber Security
Strategy. The upgrade in government cybersecurity follows the Parliamentary
network attack earlier this year, which also hit political parties.
Reuters
April 1, 2019
A group of American hackers who once worked for U.S. intelligence agencies helped the
United Arab Emirates spy on a BBC host, the chairman of Al Jazeera and other
prominent Arab media figures during a tense 2017 confrontation pitting the UAE
and its allies against the Gulf state of Qatar. The American operatives worked
for Project Raven, a secret Emirati intelligence program that spied on
dissidents, militants and political opponents of the UAE monarchy. A Reuters
investigation in January revealed Project Raven’s existence and inner workings,
including the fact that it surveilled a British activist and several unnamed
U.S. journalists. The Raven operatives — who included at least nine former
employees of the U.S. National Security Agency and the U.S. military — found
themselves thrust into the thick of a high-stakes dispute among America’s Gulf
allies. The Americans’ role in the UAE-Qatar imbroglio highlights how former
U.S. intelligence officials have become key players in the cyber wars of other
nations, with little oversight from Washington.
The New York Times
March 30, 2019
Jeff Bezos’ security consultant accused the Saudi government of gaining unauthorized access
to the Amazon chief executive’s phone, as part of an effort to harm the world’s
richest man. In an opinion article in The Daily Beast on Saturday, Gavin de
Becker, Mr. Bezos’ security chief, alleged the Saudis wanted to hurt Mr. Bezos
because he owns The Washington Post. The Post has aggressively reported on the
murder of Jamal Khashoggi, one of its columnists, who was killed last year in
Turkey. United States officials have concluded Mr. Khashoggi, who was critical
of Saudi leaders, was killed on the orders of the Saudi crown prince, Mohammed
bin Salman. Mr. de Becker said he had turned over his findings about the Saudis
and their role against Mr. Bezos to law enforcement. “Our investigators and
several experts concluded with high confidence that the Saudis had access to
Bezos’ phone, and gained private information,” Mr. de Becker wrote.
TECHNOLOGY
CyberScoop
April 4, 2019
Roughly 28 million users have downloaded a malicious version of a popular open source
framework that masquerades as the real thing, but in fact gives hackers a
back door into applications. A compromised version of the website development
tool bootstrap-sass was published to the official RubyGems repository, a hub
where programmers can share their application code. The open source security
firm Snyk alerted developers to the issue Wednesday, advising users to update
their systems away from the infected framework (version 3.2.0.3). “That doesn’t
mean there are something like 27 million apps out there using this,” said Chris
Wysopal, chief technology officer at app security company Veracode. “[But] when
you’re using open source packages to build your applications, you’re inheriting
many of the vulnerabilities. … But bootstrap-sass is a popular component used
by enterprises and startups so there’s potentially thousands of applications
affected by this.”
CyberScoop
April 4, 2019
Scammers used data centers located in the United States to launch nasty strains of
malware against English-speaking web users, according to Bromium research
published Thursday. The hacking campaign lasted from May 2018 to last month,
and included five families of banking trojans, two families of ransomware and
three forms of malware meant to collect victims’ personal information. The
cybercriminal operation relied on U.S. data centers, with 11 web servers hosted
at BuyVM, a virtual private server company in Nevada. The malware — identified
as Neutrino, IcedID, GandCrab, and Dridex, among others — is estimated to have
stolen millions from international banks. The location alone makes this
operation unusual, Bromium noted, because hackers typically organize in areas
outside the FBI’s reach.
The Washington Post
April 3, 2019
When Hillary Clinton stumbled and coughed through public appearances during her 2016
presidential run, she faced critics who said that she might not be well enough to
perform the top job in the country. To quell rumors about her medical
condition, her doctor revealed that a CT scan of her lungs showed that she just
had pneumonia. But what if the scan had shown faked cancerous nodules, placed
there by malware exploiting vulnerabilities in widely used CT and MRI scanning
equipment? Researchers in Israel say they have developed such malware to draw
attention to serious security weaknesses in critical medical imaging equipment
used for diagnosing conditions and the networks that transmit those images —
vulnerabilities that could have potentially life-altering consequences if
unaddressed. The malware they created would let attackers automatically add
realistic, malignant-seeming growths to CT or MRI scans before radiologists and
doctors examine them. Or it could remove real cancerous nodules and lesions
without detection, leading to misdiagnosis and possibly a failure to treat
patients who need critical and timely care.
ZDNet
April 3, 2019
This week, the Apache Software Foundation has patched a severe vulnerability in the Apache
(httpd) web server project that could --under certain circumstances-- allow
rogue server scripts to execute code with root privileges and take over the
underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache
web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed
this week with the release of version 2.4.39. According to the Apache team,
less-privileged Apache child processes (such as CGI scripts) can execute
malicious code with the privileges of the parent process. Because on most Unix
systems Apache httpd runs under the root user, any threat actor who has planted
a malicious CGI script on an Apache server can use CVE-2019-0211 to take over
the underlying system running the Apache httpd process, and inherently control
the entire machine.
Quanta Magazine
April 2, 2019
Programmers are human, but mathematics is immortal. By making programming more
mathematical, a community of computer scientists is hoping to eliminate the
coding bugs that can open doors to hackers, spill digital secrets and generally
plague modern society. Now a set of computer scientists has taken a major step
toward this goal with the release today of EverCrypt, a set of digital
cryptography tools. The researchers were able to prove — in the sense that you can
prove the Pythagorean theorem — that their approach to online security is
completely invulnerable to the main types of hacking attacks that have felled
other programs in the past. “When we say proof, we mean we prove that our code
can’t suffer these kinds of attacks,” said Karthik Bhargavan, a computer
scientist at Inria in Paris who worked on EverCrypt. EverCrypt was not written
the way most code is written. Ordinarily, a team of programmers creates
software that they hope will satisfy certain objectives. Once they finish, they
test the code. If it accomplishes the objectives without showing any unwanted
behavior, the programmers conclude that the software does what it’s supposed to
do.