Wednesday, May 29, 2019

Cyber Crime and Hacking


Pity the precocious? The hyper-intelligent often suffer from boredom, isolation, and depression — and so genius may not be the gift we perceive it to be

YOU CAN BET THE CRIMINAL SOCIALIST GOVERNMENT STILL HAS PLENTY: Venezuela’s economic crisis is now so bad that criminals can’t afford to buy bullets.

CLAUDIA ROSETT: Huawei’s An Asset All Right — But It’s Not Our Asset. “Whatever the details of Huawei’s officially private ownership, or the marvels of its innovations and industry, Huawei is for strategic purposes an asset of the globally ambitious despotism that is the government of China. Which makes it dangerous.”
I’ve been calling Huawei a “communist front corporation” for a while now, which seems more apt than ever — and do read the whole thing.




Following up on my previous post, House Holds Hearing Today On The Tax Gap: the Joint Committee on Taxation has released Overview Of The Tax Gap (JCX-19-19) (May 08, 2019):
This document ... provides a standard definition of the tax gap, a description of issues relevant to measurement of the tax gap, and a discussion of taxpayer behavioral responses and the effectiveness of measures to increase compliance.  ...
A standard definition of the tax gap is the shortfall between the amount of tax voluntarily and timely paid by taxpayers and the actual tax liability of taxpayers. It measures taxpayers’ failure to accurately report their full tax liabilities on tax returns (i.e., underreporting), pay taxes due from filed returns (i.e., underpayment), or file a required tax return altogether or on time (i.e., non-filing). Estimates of the tax gap provide a picture of the level of overall noncompliance by taxpayers for a particular tax year, and include shortfalls in individual income taxes, corporate income taxes, employment taxes, estate taxes, and excise taxes. The individual behavioral responses to taxation that result in the tax gap raise a set of important policy questions, such as the optimal level of resources to devote to tax administration and the manner in which those resources are best deployed.  

COCAINE DEALER ENJOYS LUXURY SPA BREAK HALF WAY THROUGH HIS NINE-YEAR PRISON SENTENCE.

Venomously malignant. Noxious. Blasphemous. Grotesque. Disgusting. Repulsive. Entirely bestial. Indecent. Being among the critical greetings for Leaves of Grass. Not to omit ithyphallic audacity. Plus garbage.

Profound stupidity. Maniacal raving. Pure nonsense. Among some for the best of Shelley. Which was also called abominable.

No philosopher has ever influenced the attitudes of even the street he lived on. Said Voltaire.

I am not an orphan on the earth, so long as this man lives on it. Said Gorky re Tolstoy.

So difficult and opaque it is, I am not certain what it is I print. Said John Donne's very publisher about the first edition of his verse.

Stories happen only to people who know how to tell them. Said Thucydides.

He never thinks about something; he thinks something. Said Hannah Arendt, re Heidegger.
Realizing that as recently as in the case of Haydn, musicians under the patronage of royalty were still treated as servants - and still wore livery.
He kept bottles of wine at his lodgeing, and many times he would drinke liberally by himselfe to refresh his spirits, and exalt his Muse. Said John Aubrey of Andrew Marvell.
The imagination will not perform until it has been flooded by a vast torrent of reading. Announced Petronius.
The nature of genius is to provide idiots with ideas twenty years later. Said Louis Aragon.
Was he Christian, Jewish or atheist? Samuel Beckett was once asked in a Dublin courtroom. To which: None of the three.
The Shakespeare of the lunatic asylum. An early French critic called Dostoevsky.
Literature is the art of writing something that will be read twice. Said Cyril Connolly.
Kant's irrationally compulsive 3.30PM walk, which it is said he forswore only once in thirty years - on the day when the post brought him a first copy of Rousseau's Emile.
The sound of Paul Desmond's alto saxophone: Like a dry martini, being what Desmond himself said he wanted.
The sign in the window says Pants Pressed Here. But when you bring in your pants, you discover that it is the sign that is for sale. Being Kierkegaard - on the typical obscurity of what normally passes for philosophy.
If you value my work, please, do not knock. Requested a notice on Hermann Hesse's door in Ticino.
A fiend of a book. The action is laid out in Hell - only it seems places and people have English names there. Said Dante Gabriel Rossetti of Wuthering Heights.
It is never difficult to paint, said Dali. It is either easy or impossible.
Thinking with someone else's brain. Schopenhauer called reading.
You have but two topics, yourself and me, and I'm sick of both. Johnson once told Boswell.
A designated area for booksellers existed in the central market in Athens as far back as in the fifth century BC.
Neither Graham Greene nor Evelyn Waugh ever learned to drive a car.
Chopin was buried in Pere Lachaise in Paris - but with Polish earth later sprinkled on the grave.
The only excuse for the suffering that God allows in the world - is that he does not exist. Stendhal said.
Dostoevsky gave me more than any thinker, more even than Gauss. Einstein said.
'Tis such a task as scarce leaves a man time to be good neighbour, an useful friend, nay, to plant a tree, much less to save his soul. Said Pope, re writing well.
A portable fatherland, Heine called the Torah.
When a head and a book collide, and one sounds hollow - is it always the book? Asked Lichtenberg.
Not to be born is far best. Wrote Sophocles.
Not to be born at all would be the best thing. Wrote Theognis, at least a half a century earlier.
The man who has seen a truly beautiful woman has seen God. Said Rumi.
Morningless sleep. Epicurus called death.
Dr Donne's verses are like the peace of God: they pass all understanding. Said James I.
Reality is under no obligation to be interesting. Said Borges.
Like a vile scum on a pond. Pound viewed G K Chesterton.
Borges' vision of Paradise: A kind of library.
The greatest kindness we can show some of the authors of our youth is not to reread them. Said Francois Mauriac.
I'm a poet, I'm life. You're an editor, you're death. Proclaimed Gregory Corso to someone in the White Horse tavern - who shortly commenced punching him through the door and across the sidewalk.
You can tell from my handwriting that I am in the twenty-fourth hour. Not a single thought is born in me that does not have death graven within. Wrote Michaelangelo at eighty-one - himself with eight years remaining.
I've no more sight, no hand, nor pen, nor inkwell. I lack everything. All I still possess is will. Said Goya - nearing eighty.
It is later than you know. Printed Baudelaire onto the face of his clock - after having broken off its hands.
from David Markson's, The Last Novel





FCW

May 23, 2019

The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there's concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond. The agency had nearly 50 full-time employees and a budget of $17 million in 2009. Today they have a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration committee hearing.



The Orlando Sentinel

May 23, 2019

U.S. Reps. Stephanie Murphy and Michael Waltz will file bipartisan legislation to require federal officials to alert Congress and state and local officials when election systems are hacked. The Achieving Lasting Electoral Reforms on Transparency and Security Act, or ALERTS Act, comes in response to Murphy, Waltz and the Florida congressional delegation’s criticism of the FBI following a classified briefing last week. Afterward, the Congress members had demanded the FBI release the names of two counties it says were successfully breached by Russian hackers in 2016. The FBI, which also made Gov. Ron DeSantis sign a non-disclosure agreement not to reveal the counties, said protocol considered the counties as victims and would need their approval to name them. If signed into law, the bill would require federal officials “to promptly alert the appropriate state and local officials and members of Congress” if they have credible evidence of hacking, as well as a reasonable basis to believe voter information could have been altered or affected.



The Hill

May 22, 2019

The Department of Homeland Security (DHS) is asking its cybersecurity-focused employees to consider taking on new roles by volunteering to help with the border crisis. Acting Secretary Kevin McAleenan told House lawmakers Wednesday that employees in the Cybersecurity and Infrastructure Security Agency (CISA) have been asked to consider relocating to the U.S.-Mexico border, but he insisted he would not support sending “critical” cyber staff to the region. “I am aware of the call for volunteers to help address the border crisis, just as we would do in a natural disaster. Our expectation, though, is that CISA would make risk-based decisions on the types of professionals they would free up for this kind of mission and balance against their day jobs and their current focus,” McAleenan said in a response to a question about the volunteer drive from Rep. Jim Langevin (D-R.I.) at a Homeland Security Committee hearing on DHS’ fiscal year 2020 budget request.



AP

May 22, 2019

The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The comments by representatives from the departments of Justice and Homeland Security underscored the challenges for federal and state governments in trying to ward off interference from Russia and other countries in the 2020 election. Special counsel Robert Mueller has documented a sweeping effort by Moscow to meddle in the 2016 election in Donald Trump's favor by hacking Democrats and spreading disinformation online, and FBI Director Chris Wray said in April that the government regarded last November's midterm election "as just kind of a dress rehearsal for the big show in 2020." Adam Hickey, a deputy assistant attorney general in the Justice Department's national security division, told a House Oversight and Reform subcommittee that hacking was "inevitable." "Systems that are connected to the Internet, if they're targeted by a determined adversary with enough time and resources, they will be breached," Hickey said. "So, we need to be focusing on resilience."



Nextgov

May 21, 2019

The federal government must immediately work to reverse the under-representation of women and racial and ethnic minorities in its cyber workforce by increasing funding across America’s education system and tapping into more inclusive talent streams, lawmakers and a panel of experts said Tuesday. “Right now, the vast majority of the cybersecurity workforce is white and male–only 9% are African American, 4% are Hispanic and 11% are women,” Cybersecurity, Infrastructure Protection and Innovation Subcommittee Chairman Cedric Richmond, D-La., said at a hearing on the cyber talent pipeline in Washington. “Now that I have the gavel, I want to use it to drive home an important point: Diversity is essential for national security, and for cybersecurity.” In his opening statement, Richmond referenced the White House’s recently issued executive order on America’s Cybersecurity Workforce, noting that it was “mostly silent” on diversity. “Officials reportedly explained that they ‘hoped diversity would be a natural byproduct’ of the order,” Richmond said. “This is exactly the type of thinking we cannot afford to have if we are serious about reversing trends.”



Reuters

May 20, 2019

U.S. lawmakers want the State Department and intelligence community to help rein in the sale of surveillance tools by private companies to repressive regimes, according to a letter signed by a bipartisan group of congressmen released on Monday. The effort, led by Democratic Representative Tom Malinowski, is the second request in the last week asking the State Department to provide information about its approval process for U.S. companies that sell offensive cyber capabilities and other surveillance services to foreign governments. The letter to Secretary of State Mike Pompeo and Director of National Intelligence Daniel Coats references a Reuters report in January which showed a U.S. defense contractor provided staff to a United Arab Emirates hacking unit called Project Raven. The UAE program utilized former U.S. intelligence operatives to target militants, human rights activists and journalists in the Middle East as well as American citizens.



ADMINISTRATION



FCW

May 24, 2019

An updated credentialing policy from the White House looks to tap agency-issued identifiers like Social Security numbers to secure digital transactions. A new memo from the Office of Management and Budget directs agencies to set up teams for each agency to govern identity management efforts. It also stresses the importance of making valid identities interoperable across agency boundaries. To that end, the memo directs agencies to accept existing personal identity verification credentials rather than issue new ones and to use PIV credentials as "a method to encrypt information in transit and shared between two or more federal employees or contractors." It also tasks the National Institute of Standards and Technology, the Federal CIO Council and the Federal Privacy Council to collaborate with agencies to pilot alternatives to managing identities. Chih-Wei Yi, a risk and financial advisory principal at Deloitte, said that while "most" of the memo consisted of "codifying" best practices in industry, the focus on interoperability would make doing business across agencies easier.



Nextgov

May 24, 2019

Advances in quantum computing could render the government’s strongest encryption systems obsolete, and the Defense Department is trying to get ahead of the curve. The Defense Information Systems Agency is asking security researchers to share ideas for protecting the Pentagon’s IT infrastructure against quantum computers. Though today’s quantum systems are still in their infancy, military officials worry their more powerful successors will be able to easily crack the codes used to secure military networks today. “The exact time of the arrival of the quantum-computing era is unknown,” DISA officials wrote in the solicitation. “However, [the Defense Department] must begin now to prepare its information security systems to be able to resist attacks from large-scale quantum computers.”



CyberScoop


The Federal Election Commission has decided that a nonprofit spinoff of Harvard’s Defending Digital Democracy Project may provide free and low-cost cybersecurity services to political campaigns without violating campaign finance laws, given the fact that there is a “highly unusual and serious threat” posed to U.S. elections by foreign adversaries. The driving force behind the FEC’s advisory opinion, which FEC Chair Ellen Weintraub issued Tuesday, is the fact that there is a “demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees,” she writes in the advisory. The nonprofit, Defending Digital Campaigns, has political campaign veterans Matt Rhoades and Robby Mook among its board members, as well as former National Security Agency executive Debora Plunkett. In the ruling, Weintraub notes the FEC’s decision is partly due to the other efforts by the government, primarily to expose and prosecute foreign adversaries, that she indicates have not done enough to protect campaigns and political parties. “[F]oreign cyberattacks, in which the attackers may not have any spending or physical presence in the United States, may present unique challenges to both criminal prosecution and civil enforcement,” she writes.



Nextgov

May 23, 2019

The Environmental Protection Agency has a detailed process for dealing with new cybersecurity weaknesses: develop a plan to remediate with clear goals and milestones, then attack the problem. The only issue: Those plans aren’t being logged, managed or tracked, according to the agency inspector general. The agency created an automated tool for logging vulnerabilities that will take time to remediate and track progress through official plans of action and milestones. According to an inspector general report released Tuesday, many of those plans were never entered into the system, meaning they were never tracked and, in some cases, the vulnerabilities were never patched. Auditors from the Office of the Inspector General found disparate levels of participation from EPA offices. The IG interviewed employees who said their office either doesn’t have a formal process for using the system—despite it being an agencywide requirement—and others who developed independent methods of tracking patching progress. “One information security person indicated that their office … [is] tracking and managing the reported weaknesses on a spreadsheet,” the report states. “The person indicated their office took this action to prevent external parties within the EPA from having oversight of their office’s remediation activities.”



The New York Times

May 22, 2019

More than two weeks ago, hackers seized parts of the computer systems that run Baltimore’s government. It could take months of work to get the disrupted technology back online. That, or the city could give in to the hackers’ ransom demands. “Right now, I say no,” Mayor Bernard Young told local reporters on Monday. “But in order to move the city forward? I might think about it. But I have not made a decision yet.” On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid. The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. At least 1,500 pending home sales have been delayed, too, according to a letter from a group of congressional lawmakers in Maryland requesting information on the attack from the directors of the F.B.I. and the Secret Service.



CNN

May 22, 2019

The state of Florida will conduct a cybersecurity review into election security for every county in the state after it was revealed two counties were hacked during the 2016 election, Gov. Rick DeSantis announced Wednesday. The news comes eight days after DeSantis, a Republican, met with the FBI and announced that Russian military intelligence had successfully breached the networks of two Florida counties in the runup to the 2016 presidential election. DeSantis called for the meeting after special counsel Robert Mueller's report on interference in the election said that "at least one" Florida county had been breached. In a letter to Secretary of State Laurel Lee, DeSantis directed her to "immediately initiate a review of the security, particularly the cybersecurity, of our state's election systems and the elections systems of Florida's 67 counties." A spokesperson for Lee, Sarah Revell, told CNN that Lee "applauds" the initiative. Neither office immediately responded to questions about what such a review would entail, or whether its results would be made public.



Ars Technica


In a study of US and European political parties' security postures, researchers at the security-monitoring company SecurityScorecard found that while the Democratic National Committee had made "significant investments" in security since being hacked in 2016, the Democrats still lagged behind the Republican National Committee's defenses. And both parties have problems that could still leak personally identifying information about voters. According to the report, one major US political party was "programmatically leaking" personal information about voters through a voting validation application "which enumerates voter name, date of birth and address via search terms," the researchers noted. The vulnerability was disclosed to the party involved and other "appropriate parties." SecurityScorecard's team looked at the DNC, RNC, Green Party, and Libertarian Party in the US.



Nextgov

May 22, 2019

The Continuous Diagnostics and Mitigation program launched America’s space agency into a new age of cybersecurity, a NASA official said Wednesday. In 2016, the agency began implementing the first phase of CDM, a Homeland Security Department effort to provide agencies with a suite of consistent cybersecurity tools to help them better monitor hacking attempts and other malicious threats. “CDM for us, needless to say, has been a success story,” Willie Crenshaw Jr., NASA’s program executive for CDM and risk management said at an event hosted by FCW in Washington Wednesday. “It has tremendously helped NASA not only implement certain tools across the agency, but it’s also helped change and it is changing the culture and the discussion around cybersecurity overall.” NASA has an immense amount of data and many complex operating systems, making it difficult to know where everything is. But Crenshaw said CDM technology has helped agency insiders better identify all sorts of different assets and discover so many new things. “We know more now than we did three years ago about what’s on NASA’s network,” he said.



FCW


State officials and security experts say security updates contained in the Election Assistance Commission's new Voluntary Voting System Guidelines 2.0 are badly needed, but there is concern that the bureaucratic process the agency has set up to approve and update those standards can't keep up with the pace of technological change. Later this year, the commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. That process will be followed up with far more detailed technical guidance and standards that companies will rely on to design their new voting machines. At a May 21 hearing, the commission heard from a number of stakeholders who advised that the agency refrain from requiring a full vote to approve the technical portions of the guidelines, saying it would run counter to the goal of ensuring that voting machine standards account for the latest developments in technology.



AP


A lawsuit challenging Georgia's outdated voting machines and seeking statewide use of hand-marked paper ballots can move forward, a federal judge ruled Tuesday. The lawsuit argues that the paperless touchscreen voting machines Georgia has used since 2002 are unsecure, vulnerable to hacking and unable to be audited. The state's voting system drew national scrutiny during last year's midterm election in which Brian Kemp, a Republican who was the state's chief election officer at the time, narrowly defeated Democrat Stacey Abrams to become Georgia's governor. State lawyers had asked U.S. District Judge Amy Totenberg to dismiss the lawsuit. Totenberg wrote in her order rejecting that request that the state's arguments "completely ignore the reality faced by election officials across the country underscored by Plaintiffs' allegations that electronic voting systems are under unceasing attack."



CyberScoop

May 21, 2019

The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop. Researchers from Kaspersky Lab and ZoneAlarm, a software security company run by Check Point Technologies, tell CyberScoop they have linked the malware with APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle. A variant of the malware is being used in ongoing attacks, hitting targets as recently as this month. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations, Kaspersky Lab’s principal security researcher Kurt Baumgartner tells CyberScoop. While ZoneAlarm can’t confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, Lotem Finkelsteen, ZoneAlarm’s Threat Intelligence Group Manager, tells CyberScoop. “Although we cannot confirm such an attack,” Finkelsteen said, referring to the Kaspersky intelligence, “we think it is possible APT28 manages several efforts simultaneously.”



The Air Force Times


The Air Force is investigating the Navy for a cyber intrusion into its network, according to a memo obtained by Military Times. The bizarre turn of events stems from a decision by a Navy prosecutor to embed hidden tracking software into emails sent to defense attorneys, including one Air Force lawyer, involved in a high-profile war-crimes case of a Navy SEAL in San Diego. The tracking device was an attempt to find out who was leaking information to the editor of Navy Times, a sister publication. A similar tracking device was also sent to Carl Prine, the Navy Times editor, who has written numerous stories about the case. Navy Capt. David Wilson, chief of staff for the Navy’s Defense Service Offices, wrote in the May 19 memo that an Air Force attorney was among the defense lawyers who had received emails with the hidden tracking software, which he described as “malware.” The Air Force defense lawyer reported the tracking device to his information security manager, who concluded the malware was a “splunk tool,” which allowed the sender of the malware to gain “full access to his computer and all files on his computer,” Wilson wrote in the memo, which he sent to the chief of staff for the Navy’s Region Legal Service Offices.



CyberScoop


With the private industrial cybersecurity market thriving, the Department of Homeland Security is continuing to push for closer coordination with experts on the front lines of defending facilities like power plants from hackers. In speeches last week to vendors, security researchers, and state officials, DHS personnel said they wanted to help put companies on a more proactive defensive posture to thwart hacking threats to industrial environments. The department has been working with ICS vendors to test security products before they go to market, but more needs to be done, Jeanette Manfra, assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, said last Wednesday at Hack the Capitol, an ICS security conference in Washington, D.C. “In this space, unlike really, frankly, any other, we have got to have much more capability to prevent the attacks from happening before they get in there – or at least detect them quickly so we can stop them and mitigate those consequences,” she said. The DHS outreach is a recognition of the expertise and dollars that the private sector has invested in ICS security, and the reality that the vast majority of control systems that underpin key sectors like electricity and manufacturing are not owned by the government.



CNN


President Donald Trump appeared to confirm that the United States had conducted a cyberattack against a Russian entity during last year's midterm elections in an interview aired Sunday on Fox News. "I would rather not say that, but you can believe that the whole thing happened, and it happened during my administration," Trump told Fox News' Steve Hilton when asked about a report that he personally authorized a cyberattack on Russia during the time of the midterms. When pressed as to why he didn't talk about it, Trump said "because they don't like me to talk, intelligence says, 'please don't talk intelligence,' you know sometimes intelligence is good, and sometimes you look at Comey, and you look at Brennan and you look at Clapper, and I'm supposed to believe that intelligence? I never believe that intelligence." The National Security Council did not respond to a CNN request for comment about what specifically the President was referencing.



INDUSTRY



Ars Technica

May 23, 2019

It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming. Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft has been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone’s best efforts, might hasten the spread of working exploit code. Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was. “There is a gray area to responsible disclosure,” the researchers wrote. “With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."



ZDNet

May 23, 2019

For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week. "We identified a gaping hole in the protection of top mobile web browsers," the research team said. "Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection." The issue only impacted mobile browsers that used the Google Safe Browsing link blacklisting technology. The research team -- consisting of academics from Arizona State University and PayPal staff -- notified Google of the problem, and the issue was fixed in late 2018.



Ars Technica

May 22, 2019

A serial publisher of Microsoft zeroday vulnerabilities has dropped exploit code for three more unpatched flaws, marking the seventh time the unknown person has done so in the past year. Technical details of the vulnerabilities, along with working proof-of-concept exploits, are the work of someone using the moniker SandBoxEscaper. A local privilege-escalation vulnerability in the Windows Task Scheduler that was disclosed on Tuesday allows an authenticated attacker to gain SYSTEM privileges on an affected system. On Thursday, the person released a privilege escalation code that exploits a bug in the Windows Error Reporting service. Attackers can use it to modify files that would normally be off limits. A third exploit, which was also released Wednesday, works against Internet Explorer 11 and allows attackers to execute a JavaScript that runs with higher system access than is normally permitted by the browser sandbox.



CNBC

May 22, 2019

Moody’s has just slashed its rating outlook on Equifax, the first time cybersecurity issues have been cited as the reason for a downgrade. Moody’s lowered Equifax’s outlook from stable to negative on Wednesday, as the credit monitoring company continues to suffer from the massive 2017 breach of consumer data. “We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a spokesperson for Moody’s, told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.” Equifax could not immediately be reached for comment. The decision is significant because investors increasingly look to ratings firms and insurance companies to adequately predict the longer-term fallout of some of the biggest breaches, a difficult task given the relative lack of historical data on these incidents.



Ars Technica

May 18, 2019

More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks. Independent researcher Troy Mursch said the leak is the result of a flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the BinaryEdge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.



INTERNATIONAL



Defense One

May 24, 2019

In the latest signal NATO is adopting a tougher posture against cyber and electronic attacks, Secretary General Jens Stoltenberg this week said that the defensive alliance will not remain purely defensive. Stoltenberg told attendees at the Cyber Defence Pledge conference in London, “We are not limited to respond in cyberspace when we are attacked in cyberspace.” NATO members have already “agreed to integrate national cyber capabilities or offensive cyber into Alliance operations and missions,” he said. But the parameters of a NATO response to cyber attacks remain undefined. In 2015, Stoltenberg said that a cyber attack against one member nation could trigger an Article 5 collective response by all members. Yet only once has a collective response ever been invoked, at the request of the United States following the attacks of September 11, 2001. NATO is a defensive organization, so what an offensive cyber posture looks like remains something of a mystery. An Article 5 response can take many different forms.



CyberScoop

May 23, 2019

It’s been a year since private security researchers worked with the FBI to dismantle a 500,000-router-strong botnet that loomed over Ukraine. Lessons learned in that takedown of the “VPNFilter” botnet are still reverberating today in the cybersecurity community, informing defenders about other sets of malicious activity, said Martin Lee, a manager at Cisco Talos, the threat intelligence team that helped uncover the botnet. Lee pointed to the so-called Sea Turtle domain name system hijacking campaign, which Talos detailed last month. Like VPNFilter, the Sea Turtle activity was an example of a state-sponsored attacker abusing internet infrastructure at scale to steal credentials. Data gathered from the VPNFilter investigation, combined with the lesson that state-sponsored actors are willing to subvert core internet infrastructure, has driven home the fact that attackers can exploit critical devices at scale in a way that few people had fully appreciated. “Essentially, [the Sea Turtle perpetrator] is a threat actor trying to do the same kind of activity [as VPNFilter] – conduct man-in-the-middle attacks, siphon off user names and passwords – but through a different technique,” said Lee, who is manager for Europe, the Middle East and North Africa, and Asia at Talos’ Outreach division.



The Hill

May 23, 2019

The United Kingdom is preparing to invest 22 million pounds, the equivalent of almost $28 million, to open new cyber operation centers. British Defense Secretary Penny Mordaunt is set to make the announcement during a conference in London at the U.K.’s National Cyber Security Centre. “It’s time to pay more than lip service to cyber," she is expected to say. "We must convince our adversaries their advances simply aren’t worth the cost." The cybersecurity centers will provide the British Army with 24/7 information and analyses on cyber threats and will also aim to give both the British military and allies intelligence on emerging threats. The centers have not yet been built; construction will begin early next year, with operations to start in the early 2020s. "Cyber enemies think they can act with impunity. We must show them they can’t," Mordaunt is set to say. "That we are ready to respond at a time and place of our choosing in any domain, not just the virtual world.”



Gov Info Security

May 21, 2019

MuddyWater, a relatively new advanced persistent threat group that is targeting organizations in the Middle East, has changed some of its tactics to avoid detection while continuing to plant backdoors within targeted networks, according to new research from Cisco Talos. In a blog posted Monday, Cisco Talos researchers write that they have "moderate confidence" a new campaign called "BlackWater" is tied to MuddyWater. That campaign, which is mainly focused on targets in Turkey, shows that the group is changing its preferred tactics, techniques and procedures to help avoid detection and bypass certain security controls, the researchers say. And while avoiding endpoint detection helps improve this group's overall operational security, the main goal of BlackWater is still to plant a PowerShell-based backdoor within a target's network and gain remote access, the researchers note. "Due to the relation to MuddyWater and that actor's previous methods, we suspect the larger goal [of BlackWater] was cyberespionage," Matt Valites, threat research manager for Cisco Talos Outreach, tells Information Security Media Group.



Reuters

May 21, 2019

In early 2018, in a complex of low-rise buildings in the Australian capital, a team of government hackers was engaging in a destructive digital war game. The operatives – agents of the Australian Signals Directorate, the nation’s top-secret eavesdropping agency – had been given a challenge. With all the offensive cyber tools at their disposal, what harm could they inflict if they had access to equipment installed in the 5G network, the next-generation mobile communications technology, of a target nation? What the team found, say current and former government officials, was sobering for Australian security and political leaders: The offensive potential of 5G was so great that if Australia were on the receiving end of such attacks, the country could be seriously exposed. The understanding of how 5G could be exploited for spying and to sabotage critical infrastructure changed everything for the Australians, according to people familiar with the deliberations. Washington is widely seen as having taken the initiative in the global campaign against Huawei Technologies Co Ltd, a tech juggernaut that in the three decades since its founding has become a pillar of Beijing’s bid to expand its global influence. Yet Reuters interviews with more than two dozen current and former Western officials show it was the Australians who led the way in pressing for action on 5G; that the United States was initially slow to act; and that Britain and other European countries are caught between security concerns and the competitive prices offered by Huawei.



AP

May 21, 2019

The United States is delaying some restrictions on U.S. technology sales to Chinese tech powerhouse Huawei in what it calls an effort to ease the blow on Huawei smartphone owners and smaller U.S. telecoms providers that rely on its networking equipment. The Trump administration insists the sanctions are unrelated to its escalating trade war with China, and many analysts see it as aimed at pressuring U.S. allies in Europe to accede to Washington’s entreaties to exclude Huawei equipment from their next-generation wireless networks, known as 5G. The U.S. government says that the ban on selling technology to Huawei, the world’s biggest maker of mobile network gear and the No. 2 smartphone brand, will be delayed by 90 days as it applies to existing hardware and software. Shares in tech companies rose Tuesday on the news. The U.S. claims Huawei is a cybersecurity risk and has targeted it against the backdrop of a wider battle with China over economic and technological pre-eminence that has included tariffs on billions worth of trade and limits on business.



TECHNOLOGY



Wired

May 19, 2019

Bluetooth is the invisible glue that binds devices together. Which means that when it has bugs, it affects everything from iPhones and Android devices to scooters and even physical authentication keys used to secure other accounts. The order of magnitude can be stunning: The BlueBorne flaw, first disclosed in September 2017, impacted 5 billion PCs, phones, and IoT units. As with any computing standard, there's always the possibility of vulnerabilities in the actual code of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth Low Energy. But security researchers say that the big reason Bluetooth bugs come up has more to do with the sheer scale of the written standard—development of which is facilitated by the consortium known as the Bluetooth Special Interest Group. Bluetooth offers so many options for deployment that developers don't necessarily have full mastery of the available choices, which can result in faulty implementations. "One major reason Bluetooth is involved in so many cases is just how complex this protocol is," says Ben Seri, one of the researchers who discovered BlueBorne and vice president of research at the embedded device security firm Armis. "When you look at the Bluetooth standard it’s like 3,000 pages long—if you compare that to other wireless protocols like Wi-Fi, for example, Bluetooth is like 10 times longer. The Bluetooth SIG tried to do something very comprehensive that fits to many various needs, but the complexity means it’s really hard to know how you should use it if you’re a manufacturer."
via Nick Leiserson