Pages

Friday, April 12, 2019

Sen. Warren Wants CEOs Jailed After Big Breaches

Maserati-driving alleged Dark Web dealer facing more drug import charges

Cody Ward, 25, was arrested by Strike Force Royden detectives at his Callala Beach home on the state's South Coast in February.


Every person who's ever had a job knows that every workplace, starting from huge corporations with cubicle offices and ending with family-owned businesses with three office employees, has its own secrets, big and small. Most of us don't ever find out anything unusual about the secret life going on within our workplace, except for some petty gossip or drama between coworkers. However, on rare occasions, some people just happen to find out something that they were not supposed to know, and then it's up to them what to do with said information. 
119 Work Secrets Employees Discovered That They Probably Shouldn't Have ...



Gov Info Security April 4, 2019

Sen. Elizabeth Warren, D-Mass, has introduced legislation that would pave the way for top executives at major corporations to face criminal charges if their company's wrongdoing leads to harm, such as a major data breach. While business groups immediately criticized the plan, consumer advocates praised it. The proposed bill, the Corporate Executive Accountability Act, would allow federal authorities to bring criminal charges, as well as to seek jail time, against corporate executives at companies with more $1 billion in annual revenue if the business is found guilty of criminal behavior or repeatedly violating federal law. The goal of the legislation is to hold executives more accountable when their company "harms the health, safety, finances or personal data," of American citizens, Warren says in a statement.





NextgovApril 4, 2019


A bipartisan bill introduced in the Senate Wednesday aims to deter Russia and other nations from meddling in future U.S. elections. The Defending Elections from Threats by Establishing Readiness Act, or DETER—introduced by Sens. Marco Rubio, R-Fla., and Chris Van Hollen, D-Md.—threatens a range retaliatory actions the government can take if a foreign government meddles in another election as well as Russia-specific sanctions that can be doled out. The bill would require the Director of National Intelligence to ascertain whether any foreign government interfered in any federal election within 60 days of the election date. The DNI would also have to provide the identities of any senior political figures who knowingly contributed to interference in a U.S. election.






FCW




A Department of Homeland Security official told Congress that it is getting closer to complying with a 2014 law directing the agency to classify and code its cybersecurity positions. The 2014 Homeland Security and Cybersecurity Workforce Assessment Act requires DHS to classify and code all IT security positions as outlined by the Office of Personnel Management, the National Initiative for Cybersecurity Education and the National Institute of Standards and Technology to identify its greatest areas of need in cyber human capital. The law also required DHS to begin annually reporting those needs to Congress and OPM starting in 2016 in order to inform stakeholders and facilitate further action. However, a February 2018 audit by the Government Accountability Office found that the department was well behind schedule identifying and coding its IT security workforce and had relayed inaccurate information to Congress about how far along it was in the process.






Gov Info Security




Several industry groups have offered suggestions - ranging from better cyber information sharing to new regulatory "safe harbors" for entities complying with best practices - to Sen. Mark Warner, D-Va., in response to his recent request for input on how the healthcare sector can improve its cybersecurity posture. Warner in February sent letters to four federal agencies and 12 healthcare associations posing long lists of questions as a prelude to developing short-term and long-term strategies for improving healthcare cybersecurity.






FCW




The Air Force plans to roll out new workforce categories for cyber this summer, according to Secretary Heather Wilson. Testifying before the House Armed Services Committee April 2, Wilson said that the Air Force will add seven new job categories to better facilitate career advancement. "We've been working for about 18 months on how do we evaluate, how do we promote officers and develop officers for the future of combat," Wilson said during the hearing, which focused on the Air Force and Army budget requests. "A cyber officer doesn't have the same things to do in their careers as a maintenance officer, and they don't compare to each other … we need to promote to the needs of the service, and not just promote everybody," Wilson said. The Air Force is scouring its ranks for cyber talent in hopes of converting maintainers and logisticians to keyboard warriors.






Nextgov


April 1, 2019


The Government Accountability Office is doubling down on its recommendation that Congress reconsider the identity theft insurance it requires federal agencies to offer after data breaches. In 2017, the office recommended Congress should let agencies determine the right amount of identity theft insurance coverage. GAO renewed the recommendation this week after new findings further suggest that identity theft services do not effectively alleviate all data breach risks that victims face. GAO reviewed documentation and conducted interviews with academic, consumer, government and industry experts to “evaluate issues related to consumers’ options” to address potential harm from data breaches. The agency found that there’s limited information around actually assessing said options. “We did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services encounter fewer instances of identity theft or detect instances of financial or other fraud more—or less—rapidly than consumers who take steps on their own,” the report said. “Views of experts varied, but most said identity theft services have limitations and would not address all data breach risks.”






ADMINISTRATION






Nextgov


April 5, 2019


Four federal regulators that have developed a system for assessing the cybersecurity vulnerabilities of financial institutions are asking those organizations whether the system is giving enough bang for the buck. The four agencies—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, or FDIC, and the National Credit Union Administration—all sit on the Federal Financial Institutions Examination Council and collectively manage the council’s Cybersecurity Assessment Tool. The tool itself is more of a framework, by which financial institutions can assess their cyber risk and ability to mitigate the fallout of potential cyberattacks. In order to receive such an assessment, the institutions have to provide a trove of information.






Inside Cybersecurity


April 5, 2019


The Defense Department is anticipating enhanced cybersecurity requirements for contractors working on critical technologies will be published by the National Institute for Standards and Technology in approximately 60 days, according to a DOD official. Donald Heckman, DOD's principal deputy chief information officer for cybersecurity, said the update to NIST Special Publication 800-171 is close to being finalized. Though it has not yet been published on NIST's website, Heckman confirmed it has completed an interagency review process.






CyberScoop




The notorious SamSam ransomware — which extracted over $6 million in payments from more than 200 victim organizations — forced the FBI to adjust its model for handling cyberattack investigations, a senior bureau official said Thursday. Nearly all 56 of the FBI’s field offices responded to SamSam incidents — an inefficient way of keeping up with the malware, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division. And so, in an example of how the FBI is trying to adapt to an era of unceasing cyberthreats to U.S. businesses, the bureau changed its investigative structure. “We developed a model whereby when there is a certain type of malicious strain or certain type of threat actor, we have one office that’s in charge, we have other offices running supporting investigations that are feeding up into that,” Ugoretz said at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop. Additionally, FBI headquarters pieces all of that intelligence together and shares it with other agencies, she said.






AP


April 4, 2019


Georgia’s Republican Gov. Brian Kemp has quietly signed a wide ranging elections bill authorizing the statewide purchase of new touchscreen voting machines that print a paper ballot. He signed it Tuesday, behind closed doors and without prior announcement, on the final hectic day of Georgia's 2019 legislative session. The estimated $150 million purchase will be a major step toward replacing the state's current outdate voting machines, which offer no auditable paper trail. But some say it's a major step in the wrong direction. Critics, including several leading cyber security experts, have said the new electronic ballot markers are hackable and less secure than hand-marked paper ballots.






Nextgov


April 4, 2019


The U.S. is facing a severe shortage of cybersecurity expertise, and agencies need to rethink their hiring methods if they want to keep up their digital defenses, according to the Homeland Security Department’s cyber chief. “There’s not enough capability to go around,” said Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency. ”There’s no question there’s a security consolidation happening—particularly with some of the big tech companies, the rich are getting richer.” As cyber talent gravitates toward higher paying, more flexible jobs in the private sector, the government must look beyond its traditional employee pools, Krebs said Thursday at the Forcepoint Cybersecurity Leadership Forum. And his agency is already broadening its sights. In a field like cybersecurity, real-world experience could be just as valuable as any degree or credential, but the government’s current hiring process may overlook those with less traditional backgrounds, he said. The current schedule system also lumps together every cyber specialist into a single job code, which “doesn’t work” when building a workforce with such a wide array of specialities, he added. A personnel system set to launch later this year could help Krebs and other federal tech leaders bring on specialists who might otherwise fall through the cracks.






Federal News Network


April 4, 2019


On page 6 of the Navy’s recent report about its cyber readiness, there is a jaw-dropping confession: “The systems the U.S. relies upon to mobilize, deploy and sustain forces have been extensively targeted by potential adversaries, and compromised to such extent that their reliability is questionable.” Bill Evanina, director of the National Counterintelligence and Security Center in the Office of the Director of National Intelligence, wants that single sentence in the 80-page report to sink in for a second. “The Navy’s report on their resilience and reliability is that watershed moment not only for the Department of Defense but for all agencies in the federal government, and I would even proffer in the private sector, to have an honest, internal look at their systems, their data, their capabilities and their protection mechanisms and where they have vulnerabilities and how the threats are manifested in their organizations,” Evanina said after speaking at the Intelligence and National Security Alliance (INSA) event on supply chain management in Arlington, Virginia, on April 1. “I think all agencies should take a hard look and say, ‘What can we do that is similar to this to look at our own processes and protection models?’”






Fifth Domain




The Air Force is merging its main cyber and intelligence organizations after years of discussion and speculation. 24th Air Force, or Air Forces Cyber, will merge with 25th Air Force — responsible for global intelligence, surveillance and reconnaissance this summer — according to an April 4 press release. Officials had been coy about the potential merger when asked directly about it, despite publicly referencing it as recently as mid-March. The merger follows several initiatives within the Air Force to integrate cyber and ISR together. “The synergy between cyber, ISR, [electronic warfare] and [information operations] will increase unity of effort across these capabilities, resulting in new and improved options for combatant commanders,” the Air Force’s press release said.






Pro Publica




Using specialized software, investigators traced explicit child p*rnography to Todd Hartman’s internet address. A dozen police officers raided his Los Angeles-area apartment, seized his computer and arrested him for files including a video of a man ejaculating on a 7-year-old girl. But after his lawyer contended that the software tool inappropriately accessed Hartman’s private files, and asked to examine how it worked, prosecutors dismissed the case. Near Phoenix, police with a similar detection program tracked underage p*rn photos, including a 4-year-old with her legs spread, to Tom Tolworthy’s home computer. He was indicted in state court on 10 counts of committing a “dangerous crime against children,” each of which carried a decade in prison if convicted. Yet when investigators checked Tolworthy’s hard drive, the images weren’t there. Even though investigators said different offensive files surfaced on another computer that he owned, the case was tossed. At a time when at least half a million laptops, tablets, phones and other devices are viewing or sharing child p*rnography on the internet every month, software that tracks images to specific internet connections has become a vital tool for prosecutors. Increasingly, though, it’s backfiring.






FCW


April 3, 2019


The Office of Personnel Management issued its final rule to give agencies the authority to more easily hire for IT and cyber positions. The rule, effective May 3, comes following the executive order aimed at boosting agency-level authorities in making hires for high-demand tech positions. "The intended effect of this change is to enable [CIOs] to hire urgently needed IT professionals more quickly," it stated. The rule specifies that the authority applies where agency heads determine a "severe shortage" of IT management employees. Employees offered jobs under direct hire will be eligible to serve for a four-year period, with the possibility of a four-year extension. The rule also stated that no one hired using this authority can be transferred to a non-IT position. Following the issuance of the rule, OPM said that it will update its direct hire guidance to emphasize the authority of agency heads, CIOs and human resources personnel to make sure the authority is used "appropriately." To educate human resources offices on using direct hire authority, the rule stated OPM will also hold "interactive sessions" for hiring managers.






Nextgov


April 2, 2019


The General Services Administration expanded its cybersecurity service offerings to help federal agencies and state and local governments to protect their most valuable data. GSA announced the modernized Highly Adaptive Cybersecurity Services Special Item Number Tuesday, adding services that can help agencies meet administrative mandates to secure high-value assets on mission-critical systems. The HACS SIN debuted on GSA’s IT Schedule 70 contract in 2016 so agencies can access penetration testing, incident response, cyber hunt and risk and vulnerability assessments from pre-vetted contractors. “The cybersecurity market has rapidly evolved since the initial creation of the HACS offerings just two and a half years ago, and GSA is responding to this evolution by including key cybersecurity services that were missing from the original SIN,” said GSA acting Assistant Commissioner Bill Zielinski in a statement.






Gov Info Security


April 2, 2019


Albany, New York, is the latest unit of local government hit with ransomware in recent weeks, following similar attacks reported in Georgia and North Carolina that crippled government IT systems and disrupted service for local residents. The latest incident happened on Saturday morning, with Albany officials working throughout the weekend to restore most services for residents and investigate the incident. The city's offices had reopened by noon on Monday, with most public services returned to normal. By Tuesday, city residents could access marriage licenses and certificates, but birth and death certificates were still affected by the incident, according to Mayor Kathy Sheehan.






The Atlanta Journal Constitution


April 2, 2019


It sounds a bit ironic: a data breach potentially affecting 1.3 million current and former students, faculty and staff members at Georgia Tech, the world renowned university with lauded computer science programs. But it happened. The school disclosed the breach, its second in less than a year, on Tuesday, saying it feared the exposed information included names, addresses, social security numbers and birth dates. Tech spokesman John Toon said officials at the school, which typically has around 30,000 students enrolled, learned in “late March” that a central database had been accessed by an unknown outside entity.  Toon said Tech immediately corrected the application, but personal information was likely exposed. “Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system,” he said.






Nextgov




The Energy Department must rapidly develop a comprehensive plan to identify and replace legacy information technology systems and components, according to a report from the agency’s inspector general. Between February 2018 and March 2019, the IG conducted an audit to determine whether Energy is effectively managing the lifecycle of its legacy IT systems at the department’s headquarters and at national laboratory sites including the Pacific Northwest National Lab and SLAC National Accelerator Lab. The review primarily focused on unclassified information systems and excluded industrial control and national security systems. The IG could not accurately quantify the exact amount of legacy IT at all of the sites because most did not track the legacy status of their inventory systems.






FCW


April 2, 2019


With proposed cybersecurity funding levels flat for 2020, does the Department of Homeland Security have the resources to protect federal civilian networks? While the Trump administration's budget request would boost cybersecurity spending throughout the federal government to $17.4 billion, funding levels for cybersecurity operations at DHS would remain more or less flat at $1.9 billion, including $1.1 billion for the Cybersecurity and Infrastructure Security Agency. The administration also proposed deep cuts for DHS' Science and Technology Directorate, the research and development arm that has increasingly aligned its mission with CISA. Experts and stakeholders interviewed by FCW said that the cybersecurity mission is expanding at DHS, but funding has not kept up.






CyberScoop


April 1, 2019


The FBI needs to shore up its internal processes for notifying the victims of cyberattacks, according to a U.S. Justice Department inspector general’s report published Monday. There are issues with the quality and completeness of the data stored in the FBI’s Cyber Guardian system — a tool for disseminating notifications after security breaches — reports Inspector General Michael E. Horowitz. Many FBI agents tasked with responding to cybercrimes improperly handle the work associated with indexing the victims in the bureau’s system, a problem that could make it more difficult for hacked organizations to recover, according to the report. “During this audit, we visited six FBI field offices and discussed the victim notification process with cyber squad Special Agents and supervisory Special Agents,” the report said. “In our discussions, we found that 29 of 31 field agents we interviewed do not use the ‘Victim Notification’ lead type when setting leads for victim notification. Five of the agents had not even heard of it.”






The Washington Post


April 1, 2019


With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time. Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade’s worth of federal funding, congressional apportionment and redistricting throughout the country.






CyberScoop


April 1, 2019


The Department of Homeland Security is trying to replicate a strategy used by the Department of Defense to protect and defend its networks, and the plan could soon be used across the entire federal government. DHS is currently assessing its 16 federated security operations centers (SOCs) to determine which agencies meet the parameters by which they could offer services to other agencies in need of various services, according to DHS Chief Information Security Officer Paul Beckman. “We are trying to figure out how we collectively get our arms around all those SOCs and how we optimize that,” Beckman told a crowd at the 2019 IT Modernization Summit, presented by FedScoop. Beckman said the process is following the DOD’s Cybersecurity Service Provider (CSSP) model. That program assesses which internal security centers hit a number of benchmarks. When one center is qualified to provide a certain level of security, other internal agencies can use those centers for their own security operations.






INDUSTRY






Reuters


April 4, 2019


German drugmaker Bayer has contained a cyber attack it believes was hatched in China, the company said, highlighting the risk of data theft and disruption faced by big business. Bayer found the infectious software on its computer networks early last year, covertly monitored and analyzed it until the end of last month and then cleared the threat from its systems, the company said on Thursday. “There is no evidence of data theft,” Bayer said in a statement, though a spokesman added that the overall damage was still being assessed and that German state prosecutors had launched an investigation. “This type of attack points toward the ‘Wicked Panda’ group in China, according to security experts,” the spokesman added, citing DCSO, a cyber security group set up by Bayer in 2015 with German partners Allianz, BASF and Volkswagen. Third-party personal data was also not compromised, the spokesman said. The hackers used malware called WINNTI, which makes it possible to access a system remotely and then pursue further exploits from there, said Andreas Rohr of the DCSO.






CNBC


April 4, 2019


The risk of a devastating cyberattack may be the single greatest danger to the U.S. financial system, according to J.P. Morgan Chase CEO Jamie Dimon. J.P. Morgan spends almost $600 million annually to tighten its defenses and ward off a constant stream of attacks, Dimon said Thursday in his annual letter to shareholders. But the interconnected nature of the financial system means the risk never goes away. Indeed, J.P. Morgan was the victim of a large data breach in 2014 tied to hackers. "The threat of cyber security may very well be the biggest threat to the U.S. financial system," Dimon said. The bank spends "a lot of time and effort trying to protect our company in different ways as part of the ordinary course of running the business," Dimon said. "But the financial system is interconnected, and adversaries are smart and relentless — so we must continue to be vigilant."






E&E News


April 4, 2019


As employees at nuclear power plants operated by Entergy Corp. showed up for work on a Tuesday morning in February 2018, they got a strange warning: Don't turn on your computers. The electricity giant, which owns and operates eight nuclear sites from New York to Louisiana, was in the throes of a widespread malware infection on its corporate system. The culprit? "Crypto-mining" malware — a tool for hackers to make a quick buck digging for cryptocurrencies like bitcoin by hijacking a company's computing power. The initial chatter around the incident made no mention of cryptocurrency mining, and until now it wasn't known publicly that the year-old incident went beyond Entergy's corporate headquarters to affect computers at the nuclear sites.






Ars Technica


April 4, 2019


A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned. By now, most people know that Domain Name System servers translate human-friendly domain names into the numeric IP addresses that computers need to find other computers on the Internet. Over the past four months, a blog post published Thursday said, attackers have been using Google cloud service to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers. Troy Mursch, the independent security researcher who published Thursday's post, said the first wave hit in late December. The campaign exploited vulnerabilities in four models of D-Link routers.






AP


April 4, 2019


Some of the nation’s top research universities are cutting ties with Chinese tech giant Huawei as the company faces allegations of bank fraud and trade theft. Colleges including the Massachusetts Institute of Technology, Princeton University and the University of California, Berkeley, have said they will accept no new funding from the company, citing the recent federal charges against Huawei along with broader cybersecurity concerns previously raised by the U.S. government. The schools are among at least nine that have received funding from Huawei over the past six years, amounting a combined $10.5 million, according to data provided by the U.S. Education Department. The data, which is reported by schools, does not include gifts of less than $250,000. It’s not uncommon for big companies to provide research dollars to schools in the U.S. and elsewhere. At MIT, which received a $500,000 gift in 2017, officials announced in a memo Wednesday they will not approve any new deals with the company and won’t renew existing ones. The memo ties the decision to recent Justice Department charges against Huawei, adding that the shift will be revisited “as circumstances dictate.” Company officials did not immediately respond to a request for comment.






TechCrunch


April 2, 2019


Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned. The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter. More than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name was in the ransom note, indicating a targeted attack. Notices posted around the office told staff to hand in their laptops to IT staff. “Do not power on, copy files, or connect to any network,” read the posters. “Your laptop may be compromised.” It took the company another five days before the company brought in incident responders to handle the outbreak, the source said. Many of the back-end servers were running old and outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years.






INTERNATIONAL






BBC


April 5, 2019


A growing number of cyber-attacks on key installations have successfully put systems out of action over the past two years, a study has revealed. A survey of security professionals in six countries, including the UK, by the Ponemon Institute found 90% had been hit by at least one successful attack. Staff in the utilities, energy, health and transport sectors were questioned. Experts said the results are a wake-up call for an industry that often under-reports attacks and the damage done. Staff tasked with keeping critical infrastructure systems running often kept details secret for security reasons, they said. The report also concludes that a lack of resources and intelligence about "relentless and continuous" cyber-attacks are the industry's biggest concern.






BBC


April 4, 2019


A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain "high-value" data within two hours. The tests were carried out by "ethical hackers" working for Jisc, the agency providing internet services to the UK's universities and research centres. They were able to access personal data, finance systems and research networks. University research projects have been major hacking targets, with more than 1,000 cyber-attacks last year. The simulated attacks, so-called "penetration testing", were carried out on more than 50 universities in the UK, with some being attacked multiple times.






Nextgov


April 3, 2019


Cheap Chinese 5G technology isn’t all that cheap when you factor in the government time and resources needed to make it safe—or at least safer—to use, a new NATO Center of Excellence report says. That’s the warning from a new report by the NATO's Cooperative Cyber Defence Centre of Excellence, or CCDCOE, which notes the considerable risks of importing next-generation telecom equipment from Chinese hardware and software maker Huawei. Acknowledging that alliance governments are unlikely to issue the “blanket bans” sought by U.S. officials, the report recommends instead a lot more government supervision of what companies like Huawei are building. U.S. Defense Undersecretary Ellen Lord and Joint Chiefs Chairman Gen. Joe Dunford have highlighted the risk of Chinese-made 5G equipment, while Secretary of State Mike Pompeo has said that the United States would have a hard time “partnering” with countries that import it. “If that equipment is co-located where we have important American systems, it makes it more difficult for us to partner alongside them” Pompeo said in February. U.S. lawmakers have expressed concern about Huawei and its opaque relationship to the Chinese military since at least 2012.






The Washington Post


April 3, 2019


Current and former Pentagon leaders are warning about the risks to future military operations posed by allies in Europe and Asia using Chinese technology in their 5G wireless telecommunications networks. In a statement Wednesday, six former officials note that the immense bandwidth and super-high speeds of the coming 5G systems — up to 100 times faster than current 4G platforms — will make them attractive for the U.S. military to share data with allies or transfer information in combat. And they and U.S. defense officials warn that allowing Chinese firms such as Huawei to outfit these networks poses unacceptable risks of espionage and disruptive cyberattacks on military operations because of the firm’s alleged ties to the Chinese government and a 2017 Chinese law that requires companies, if directed, to cooperate in surveillance activities.






Sky News


April 3, 2019


Iran is being blamed for a wave of cyber attacks that targeted key parts of the UK's national infrastructure in a major assault just before Christmas. It is understood that private sector companies, including banks, were also compromised in what has been described as an "ongoing" campaign. Sky News has learnt that the Post Office and local government networks were both hit in coordinated attacks on 23 December. The National Cyber Security Centre said it was "aware of a cyber incident affecting some UK organisations in late 2018" and that it was "working with victims and advising on mitigation measures".






CyberScoop


April 2, 2019


The legal battle between Russian antivirus maker Kaspersky Lab and the U.S. government has quieted, but the court of public opinion is still open for arguments. Countering U.S. officials and critics who say otherwise, Kaspersky Lab on Tuesday released an analysis arguing that, under Russian law, the company would not be subject to certain demands from authorities for data. The analysis, done by Swedish law professor Kaj Hober, contends that Kaspersky Lab does not meet the Russian legal definition of an organization that disseminates information on the internet. Under Russian law, such organizations are required to grant authorities’ requests for metadata. Hober also contended that because Kaspersky Lab does not make software for the purpose of “receiving, transmitting, delivering or processing electronic messages” between internet users, the company would not be obligated to build technical features into products at the requests of Russian authorities.






Reuters


April 2, 2019


The Dutch security service advised the government on Tuesday not to use technology from countries with active cyber-hacking campaigns against the Netherlands, such as China and Russia. The recommendation came as the Dutch government is weighing options for a new 5G telecommunications network in the coming years and seeks to replace its domestic emergency services network, known as C2000. The AIVD security agency flagged Chinese and Russian attempts at digital espionage as a major security risk. "It is undesirable for the Netherlands to exchange sensitive information or for vital processes to depend on the hardware or software of companies from countries running active cyber programs against Dutch interests," the AIVD said in its annual report.






CNet


April 2, 2019


The Australian government's 2019-20 Budget provides funding for a whole-of-government "cyber uplift". While the numbers weren't published due to national security reasons, the Budget papers said the funding would "enhance cybersecurity arrangements for whole-of-government systems in relation to the 2019 Federal election, and to mitigate potential cyber threats through enhanced monitoring and response capabilities". This will include the creation of "cyber sprint teams" under the Australian Cyber Security Centre (ACSC), as well as a Cyber Security Response Fund. "The government is bolstering investment in our cyber security strategy to strengthen the defences of government IT systems to address key security vulnerabilities and improve our ability to quickly respond to cyber attacks," the Budget documents said, referring to the Cyber Security Strategy. The upgrade in government cybersecurity follows the Parliamentary network attack earlier this year, which also hit political parties.






Reuters


April 1, 2019


A group of American hackers who once worked for U.S. intelligence agencies helped the United Arab Emirates spy on a BBC host, the chairman of Al Jazeera and other prominent Arab media figures during a tense 2017 confrontation pitting the UAE and its allies against the Gulf state of Qatar. The American operatives worked for Project Raven, a secret Emirati intelligence program that spied on dissidents, militants and political opponents of the UAE monarchy. A Reuters investigation in January revealed Project Raven’s existence and inner workings, including the fact that it surveilled a British activist and several unnamed U.S. journalists. The Raven operatives — who included at least nine former employees of the U.S. National Security Agency and the U.S. military — found themselves thrust into the thick of a high-stakes dispute among America’s Gulf allies. The Americans’ role in the UAE-Qatar imbroglio highlights how former U.S. intelligence officials have become key players in the cyber wars of other nations, with little oversight from Washington.






The New York Times


March 30, 2019


Jeff Bezos’ security consultant accused the Saudi government of gaining unauthorized access to the Amazon chief executive’s phone, as part of an effort to harm the world’s richest man. In an opinion article in The Daily Beast on Saturday, Gavin de Becker, Mr. Bezos’ security chief, alleged the Saudis wanted to hurt Mr. Bezos because he owns The Washington Post. The Post has aggressively reported on the murder of Jamal Khashoggi, one of its columnists, who was killed last year in Turkey. United States officials have concluded Mr. Khashoggi, who was critical of Saudi leaders, was killed on the orders of the Saudi crown prince, Mohammed bin Salman. Mr. de Becker said he had turned over his findings about the Saudis and their role against Mr. Bezos to law enforcement. “Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” Mr. de Becker wrote.






TECHNOLOGY






CyberScoop


April 4, 2019


Roughly 28 million users have downloaded a malicious version of a popular open source framework that masquerades as the real thing, but in fact gives a hackers a back door into applications. A compromised version of the website development tool bootstrap-sass was published to the official RubyGems repository, a hub where programmers can share their application code. The open source security firm Snyk alerted developers to the issue Wednesday, advising users to update their systems away from the infected framework (version 3.2.0.3). “That doesn’t mean there are something like 27 million apps out there using this,” said Chris Wysopal, chief technology officer at app security company Veracode. “[But] when you’re using open source packages to build your applications, you’re inheriting many of the vulnerabilities. … But bootstrap-sass is a popular component used by enterprises and startups so there’s potentially thousands of applications affected by this.”






CyberScoop


April 4, 2019


Scammers used data centers located in the United States to launch nasty strains of malware against English-speaking web users, according to Bromium research published Thursday. The hacking campaign lasted from May 2018 to last month, and included five families of banking trojans, two families of ransomware and three forms of malware meant to collect victims’ personal information. The cybercriminal operation relied on U.S. data centers, with 11 web servers hosted at BuyVM, a virtual private server company in Nevada. The malware — identified as Neutrino, IcedID, GandCrab, and Dridex, among others — is estimated to have stolen millions from international banks. The location alone makes this operation unusual, Bromium noted, because hackers typically organize in areas outside the FBI’s reach.






The Washington Post


April 3, 2019


When Hillary Clinton stumbled and coughed through public appearances during her 2016 presidential run, she faced critics who said that she might not be well enough to perform the top job in the country. To quell rumors about her medical condition, her doctor revealed that a CT scan of her lungs showed that she just had pneumonia. But what if the scan had shown faked cancerous nodules, placed there by malware exploiting vulnerabilities in widely used CT and MRI scanning equipment? Researchers in Israel say they have developed such malware to draw attention to serious security weaknesses in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images — vulnerabilities that could have potentially life-altering consequences if unaddressed. The malware they created would let attackers automatically add realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them. Or it could remove real cancerous nodules and lesions without detection, leading to misdiagnosis and possibly a failure to treat patients who need critical and timely care.






ZDNet


April 3, 2019


This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.






Quanta Magazine


April 2, 2019


Programmers are human, but mathematics is immortal. By making programming more mathematical, a community of computer scientists is hoping to eliminate the coding bugs that can open doors to hackers, spill digital secrets and generally plague modern society. Now a set of computer scientists has taken a major step toward this goal with the release today of EverCrypt, a set of digital cryptography tools. The researchers were able to prove — in the sense that you can prove the Pythagorean theorem — that their approach to online security is completely invulnerable to the main types of hacking attacks that have felled other programs in the past. “When we say proof, we mean we prove that our code can’t suffer these kinds of attacks,” said Karthik Bhargavan, a computer scientist at Inria in Paris who worked on EverCrypt. EverCrypt was not written the way most code is written. Ordinarily, a team of programmers creates software that they hope will satisfy certain objectives. Once they finish, they test the code. If it accomplishes the objectives without showing any unwanted behavior, the programmers conclude that the software does what it’s supposed to do.