Pages

Thursday, May 16, 2019

'We get out-recruited' for cyber talent





 




The Hill


May 10, 2019


House Democratic chairmen on Friday reintroduced a bill to protect U.S. election systems against cyberattacks, including requiring President Trump to produce a “national strategy for protecting democratic institutions.” The Election Security Act is aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems. The national strategy from President Trump would “protect against cyber attacks, influence operations, disinformation campaigns, and other activities that could undermine the security and integrity of United States democratic institutions.” The bill is sponsored by House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) and Rep. John Sarbanes (D-Md.), the chairman of the Democracy Reform Task Force.


 




The Hill


May 10, 2019


Lawmakers on Friday introduced a resolution to require members and employees of the House of Representatives to undergo annual cybersecurity and information technology training. The Congressional Cybersecurity Training Resolution, sponsored by Reps. Kathleen Rice (D-N.Y.) and John Katko (R-N.Y.), would require the chief administrative officer of the House to carry out annual cyber and IT training for House members, officers and employees. While House employees are already required to undergo this training, Rice in a statement said that “it’s past time” House members be “held to the same standard.” “Cyberattacks continue to pose a growing and vexing threat at nearly every level of government and Congressional Offices are no exception,” Rice said. “If we want to effectively counter those threats, then we need to make sure Members of Congress are equipped with the tools and knowledge to play an active role in this fight."


 




FCW


May 9, 2019


Lawmakers and policy experts are demonstrating increased interest in open source technology as a means to solving longstanding challenges and road blocks around election security. State and local governments rely on proprietary software and hardware from a small handful of private vendors to power their voting machines, voter registration systems and other technologies. Those vendors have historically been reluctant or unwilling to allow third-party audits of their products, and when outside researchers have gotten their hands on voting machines or probed commonly used software like voter registration systems, they've found extensive and worrying cybersecurity vulnerabilities in nearly every model. That reluctance has led to a number of projects that have sprouted up over the past year from organizations aiming to disrupt the status quo. One such organization, Voting Works, was created last year in partnership with the non-profit Center for Democracy and Technology and seeks to build "secure, usable, affordable and open-source voting machines" that will help to restore trust in the modern election system.


 




The Hill


May 8, 2019


Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) announced Wednesday that they will lead the newly established Cyberspace Solarium Commission (CSC), a group of government and industry officials working to create a report on how to defend the U.S. in cyberspace. The CSC, established by the 2019 National Defense Authorization Act (NDAA), will hold “regular information-gathering hearings” to review cyber threats, with the goal of creating a report that includes “strategic recommendations” to prevent cyberattacks in a changing global landscape, according to the chairmen. As stated in the 2019 NDAA, the CSC has until Sept. 1 to send its report to Congress and multiple federal agencies. King and Gallagher said the rollout of the report will also include hearings to discuss the report’s findings involving congressional committees on defense, intelligence and homeland security.


 




FCW


May 8, 2019


Congress wants more cyber warriors, but they're hard to hold onto, according to Acting Defense Secretary Patrick Shanahan. Testifying May 8 on the 2020 defense budget before the Senate Appropriations Subcommittee on Defense, Shanahan said he's happy to invest in more cyber scholarship programs, training ranges and red team capabilities, but keeping cyber specialists onboard is the real challenge. "Our biggest challenge with the red teams is keeping the people," Shanahan said, "We get out-recruited." Sen. Jerry Moran (R-Kan.) suggested Shanahan and the Defense Department lean more on the National Guard, which has members who often work for tech companies full-time and serve on the weekends, to bolster cyber warrior capabilities.


 




Bloomberg Law


May 7, 2019


Equifax Inc. and other large credit reporting agencies would face mandatory penalties for consumer data breaches under a bicameral Democratic bill. The agencies could face fines of $100 for each person who had one piece of personal information compromised, and an additional $50 for each additional piece of information compromised, under the legislation by Democratic presidential contender Elizabeth Warren (D-Mass.), Sen. Mark Warner (D-Va.), and Reps. Elijah Cummings (D-Md.) and Raja Krishnamoorthi (D-Ill.). The bill comes as lawmakers increasingly are focused on data privacy issues. Equifax would have had to pay at least $1.5 billion in penalties for its 2017 data breach if the legislation had been law then, the lawmakers said in a statement. The breach, revealed in September 2017, exposed the personal information of more than 143 million people. “Our bill would hold companies like Equifax accountable for failing to protect consumer data, compensate consumers injured by these breaches, and help ensure that these breaches never happen again,” Warren said in a May 7 statement.


 




Orlando Sentinel


May 6, 2019


When U.S. Sen. Bill Nelson was castigated by his Republican challenger, Gov. Rick Scott, last year for saying Russian hackers had broken into Florida voting systems, Nelson’s colleague, Marco Rubio, was aware of the breach. But Rubio couldn’t defend Nelson because a spokesman for the senator said he wasn’t allowed to divulge classified information. Rubio, R-Miami, declined to be interviewed for this story. Nelson, D-Orlando, warned last year about successful hacking attempts in 2016 but said he could not identify which county or counties had been penetrated, saying the information was classified. No other senator backed him up, and Scott and fellow Republicans attacked Nelson for what GOP campaign emails called his “alarming claims” and “extremely reckless behavior.”


 


 


ADMINISTRATION


 




Gov Info Security


May 10, 2019


The FBI and the Department of Homeland Security have issued a joint warning about new malware called "Electricfish." Investigators suspect it was developed by the advanced persistent threat group Hidden Cobra, which has been linked to North Korea. A warning released by the U.S. Computer Emergency Readiness Team on Thursday does not indicate if any organizations have sustained an attack from Hidden Cobra, also known as the Lazarus Group, using the Electricfish malware. Because investigators were able to reverse-engineer some of the code, however, there's a possibility it is operating in the wild and has been used in some way by the group.


 




Nextgov


May 10, 2019


The vast majority of the 2020 presidential candidates aren’t taking advantage of a basic email security tool that could help prevent phishing attacks, industry researchers found. Only three of the 24 declared candidates in the 2020 presidential race are fully enforcing Domain-based Message Authentication, Reporting and Conformance, or DMARC, a security protocol that protects against email spoofing, according to a blog post published Friday by the security firm Valimail. By failing to use the tool, candidates could leave themselves vulnerable to the types of phishing attacks that exposed thousands of the Democratic National Committee’s internal emails during the 2016 election.


 




Fifth Domain




U.S. Cyber Command is reconsidering how it buys and develops the tools cyber warriors need. The Joint Cyber Warfighting Architecture (JCWA), was established by Cyber Command within the last year to guide capability development priorities. Cyber is unique within the Department of Defense in that from an operational perspective nearly all aspects are joint. This means in the traditional warfighting realm, the services are responsible for manning, training and equipping for a certain function, infantry or fighter pilots, for example. While those forces are part of a theater-wide campaign plan beneath a combatant command, they are still deployed under their own services. In cyber, by contrast, the services don’t own any of the offensive cyber teams or capabilities. While developed by the services, they are deployed by Cyber Command in support of combatant commands through Joint Force Headquarters.


 




Nextgov


May 10, 2019


The number of high-risk security incidents involving tax preparers and software jumped by 50 percent from 2017 to 2018, from 212 to 336. But, despite the growing number of citizens filing taxes digitally and the rise in incidents, the IRS remains largely powerless to police third-party providers, according to a watchdog report. “Federal law and guidance require that the Internal Revenue Service protect the confidentiality, integrity, and availability of the sensitive financial and taxpayer information that resides on its systems,” a new Government Accountability Office report states. “However, taxpayer information held by third-party providers—such as paid tax return preparers and tax preparation software providers—generally falls outside of these requirements, according to IRS officials.” The scope of the problem is large, as last year, 90 percent of taxes were filed digitally through a third party—either a tax accountant or online service. The agency has issued a list of 140 security controls based off of standards set by the National Institute of Standards and Technology. However, those controls are voluntary and currently only a third of providers follow them.


 




FCW


May 9, 2019


The new cyber workforce executive order looks to make it easier for employees to take on cybersecurity roles within government, but agency IT officials point out the measure has limitations. Shane Barney, chief information security officer of the United States Citizenship and Immigration Services, said the order still leaves the challenge of keeping employees in the building. "What I'm not sure how much will get addressed with the executive order is, what about retention?" he said at a May 9 event hosted by Government CIO. "Where government is unbelievably good, is we can bring in fresh talent … then we'll train them like there's no tomorrow" before they get hired by the private sector. Barney said government use "some really great things" like cyber pay and progressing up the general schedule as incentives for retaining some employees, but he still sees employees, after the training and experience provided by government, head out the door.


 




CyberScoop


May 9, 2019


The federal Election Assistance Commission has appointed Jerome Lovato, a former Colorado state election official, as head of the commission’s program for testing and certifying voting systems, according to a commission email obtained by CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting capacity and will step down this month. The crucial EAC program works with the country’s top voting equipment vendors to certify and decertify voting system hardware and software. Lovato’s appointment, which was first reported by Politico, comes as the commission prepares to help secure the 2020 election, a vote that U.S. officials have warned will be targeted by foreign adversaries. Senators are expected to raise those issues next week at an EAC oversight hearing next week.


 




Federal News Network




Each of the three military departments would be given the discretion to appoint a new senior, Senate-confirmed official to handle information technology issues under a legislative proposal the Pentagon is preparing to send to Capitol Hill. The Army, Navy and Air Force have all signed onto the proposal, but its chief proponent is the Department of the Navy. It is the successor to Navy officials’ earlier attempt to internally restructure their bureaucracy and designate a new Assistant Secretary of the Navy for Information Management. The legislative proposal differs from the previous effort in that it would let each of the military departments add a fifth assistant secretary without doing away with any of the others. But the basic idea is the same: the Navy believes it needs an IT and data management official who is both at the most senior levels of its organizational chart and who is focused on those issues full time.


 




The Washington Post


May 7, 2019


In the wake of a military cyberoperation that defense officials have credited with helping safeguard last year’s midterm elections, the Pentagon’s Cyber Command is hunting inside other countries’ networks for threats and to gain insights to thwart foreign interference in the 2020 campaign, officials said. Code-named Synthetic Theology, last year’s operation leveraged new authorities, granted by the president and Congress, enabling U.S. agencies to become more aggressive in foreign cyberspace in defense of the nation. Though the operation has ended, Cybercom is continuing its close relationship with the National Security Agency and working to build partnerships with other nations, other U.S. agencies and American industry, senior Cybercom officials said Tuesday in their first extensive public briefing on efforts to combat election interference and other threats. “Our goal is to have no interference in our elections,” said Air Force Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force. “We’re going to support [the Department of Homeland Security ] and FBI in the missions they’ve been assigned. But ideally, no foreign actor is going to target our electoral process.”


 




FCW




What if clicking an email phishing link could get you fired? Cyber hygiene is such a problem for the Navy that the service is considering sanctions for personnel who lack basic cyber hygiene. "One of the biggest problems we have quite frankly is one of the least costly to address, which is just hygiene. And that's an education campaign to make sure our people understand how critical cybersecurity is," the Navy's number two, Thomas Modly, told reporters following his keynote address at the Sea Air Space conference in National Harbor. Modly stressed that something drastic was needed to highlight cyber hygiene importance. Noting that some private companies employ internal phishing campaigns and if an employee can be terminated if they take the bait a certain number of times, Modly said the Navy is looking at punitive measures for users to get them to take cybersecurity seriously.


 




The Baltimore Sun




Baltimore city government computers were infected with ransomware Tuesday, the mayor’s office said, the second time in just over a year that hackers demanding payment disrupted the city’s technology systems. “Employees are working diligently to locate the source and extent of the infection,” said Lester Davis, a spokesman for Democratic Mayor Bernard C. “Jack” Young. Davis said critical systems, including 911 and 311, were not been affected, but that the majority of city servers were shut down. The effects ranged from a City Council committee canceling a hearing on gun violence to water customers being unable to get billing questions answered. By the afternoon, Davis said, city teams had the ransomware quarantined. But the cause and scale of the problem was not clear Tuesday evening and Davis did not know when the affected systems would be back online.


 


 


INDUSTRY


 




Reuters


May 10, 2019


Symantec Corp faces an uphill battle to turn around its business and win investor confidence, analysts said on Friday, after Chief Executive Officer Greg Clark became the fifth top executive in six months to leave the cybersecurity company. Clark's shock departure on Thursday came along with a gloomy set of quarterly results that fell short of expectations on revenue and a warning on profit, triggering a 15 percent slump in the company's shares and erasing more than $2 billion in market cap. At least six brokerages cut their price targets on the stock, which is on track to give up most of its gains this year. "Investors were desperately hoping to see some stabilization for the current quarter, but what they got instead was a number of negative surprises in the form the company's CEO heading out and its struggles to grow sales," Investing.com analyst Haris Anwar said.


 




Gov Info Security


May 9, 2019


Accounting software giant Wolters Kluwer says it's continuing to attempt to recover from a malware attack that disrupted services for users of its cloud-based services. While some online chatter has suggested that ransomware may have been involved, the company has yet to publicly name the strain of malware involved. Wolters Kluwer is a $4.8 billion global information services company based in the Netherlands that develops CCH, a suite of tax and accounting software that's available in both on-premises and software-as-a-service form. "Our customers include 90 percent of U.S. academic medical centers, 93 percent of Fortune 500 companies, 100 percent of the top U.S. accounting firms and 90 percent of the world's top banks," according to the company's 2018 annual report. On Monday, customers of the company's cloud-based products began reporting that they were unable to access CCH software and services, that the company's support site was also unreachable and that the company's customer representatives didn't know what was happening.


 




The Wall Street Journal


May 9, 2019


As companies struggle to fill hundreds of thousands of open cybersecurity jobs around the U.S. they are casting a wider net to find and develop experts, pursuing workers without traditional four-year degrees or formal experience to help them protect computer networks and customer data. Facing a shortage of skilled workers to defend against digital attackers, employers like International Business Machines Corp. and Palo Alto Networks Inc. are pouring millions of dollars into new partnerships with universities and training programs.


 




Nextgov


May 8, 2019


International spies are hammering government networks harder than ever, according to the latest Verizon Data Breach Investigations Report released Wednesday. The 2019 report shows a 168 percent increase year-over-year in the number of government network breaches linked directly to state-sponsored actors. The growth solidifies cyber espionage atop the list of threats to the public sector for the second year in a row. “Cyber-espionage is rampant in the public sector, with state-affiliated actors accounting for 79 percent of all breaches involving external actors,” Verizon analysts wrote in the report. “Privilege misuse and error by insiders account for 30 percent of breaches.” The public sector had 23,399 reported incidents in 2019, with 330 confirmed instances of data being disclosed through a breach. While crimeware (4,758 incidents) and lost or stolen assets (2,820) outpaced other reported incidents, the misuse of privileged credentials topped the list with more than 13,000 incidents.


 




CyberScoop


May 8, 2019


hieves have stolen more than $40 million worth of bitcoin from Binance, one of the world’s largest cryptocurrency exchanges, as part of a “large scale” security incident affecting roughly 2 percent of its bitcoin holdings, the company announced Tuesday. Hackers stole two-factor authentication keys, API data, and “potentially other info” through an attack that combined phishing and viruses, Binance said in a May 7 statement. The result was the withdrawal of 7,000 bitcoin, worth nearly $41 million at the time of the heist, from Binance’s “hot wallet” when the time was right. No user funds were affected by the breach.


 




Ars Technica


May 8, 2019


More than 100 e-commerce sites around the world are infected with malicious code designed to surreptitiously skim payment card data from visitors after they make purchases, researchers reported on Wednesday. Among those infected are US-based websites that sell dental equipment, baby merchandise, and mountain bikes. In total, researchers with China-based Netlab 360 found 105 websites that executed card-skimming JavaScript hosted on the malicious domain magento-analytics[.]com. While the domain returns a 403 error to browsers that try to visit it, a host of magento-analytics[.]com URLs host code that’s designed to extract the name, number, expiration date, and CVV of payment cards that are used to make purchases. The e-commerce sites are infected when the attackers add links that cause the malicious JavaScript to be executed.


 




Gov Info Security


May 8, 2019


A sophisticated nation-state spy network has quietly exploited a backdoor in Microsoft Exchange servers that gave attackers unprecedented access to the emails of at least three targets over five years, security firm ESET warns. Since at least 2014, Turla, an advanced persistent threat group with suspected ties to the Russian government, has exploited malware called LightNeuron to gain access to Exchange servers, according to the ESET report released Tueday. This backdoor allowed the spies to read, modify or block any emails passing through the targeted mail servers, ESET says. The attackers also had the ability to compose new emails and send them under the names of legitimate users, the research shows. The targets of the attack included a ministry of foreign affairs in an Eastern European country, a regional diplomatic organization in the Middle East and an unknown Brazilian organization, ESET says.


 




The Financial Times


May 7, 2019


Orange has made its biggest move into the cyber security market after acquiring Belgian technology company SecureLink in a deal that values the company at €515m including debt. SecureLink, based near Antwerp, is owned by Investcorp and its management and operates in eight European countries. It had €248m of revenue in 2018. It issued a convertible bond on the Oslo stock exchange in February to raise €150m. It is Orange’s largest acquisition since it acquired some Airtel assets in west Africa in 2016 and the second significant cyber security acquisition that Orange has made this year. It acquired UK security company SecureData in February for an undisclosed sum. The French company has identified cyber security and banking as new growth areas for its traditional telecoms business. BT has also targeted security as a growth area within its Global Services division and employs 2,600 workers across the world.


 




AP


May 6, 2019


Microsoft announced an ambitious effort it says will make voting secure, verifiable and more transparent with open-source software. Two of the three top U.S elections vendors have expressed interest in potentially incorporating the software into their voting systems. The software kit is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon's advanced research agency, DARPA. Dubbed "ElectionGuard," the Microsoft kit will be available this summer, the company says, with early prototypes ready to pilot for next year's general elections. CEO Satya Nadella announced the initiative Monday at a developer's conference in Seattle. Nadella said the program's software would help "modernize all of the election infrastructure everywhere in the world."


 


 


INTERNATIONAL


 




Wired


May 10, 2019


The hack of health insurance giant Anthem Inc. has loomed large in the public consciousness since it first came to light in 2015—not just as one of the biggest breaches of all time, but also as a potential example of the Chinese government's longstanding cyber espionage campaign. Hackers stole names, birth dates, addresses, Social Security numbers, and employment details from 78 million Anthem customers. And for years China was reported to be behind it. But when the Department of Justice unsealed an indictment Thursday evening charging two Chinese nationals for the Anthem attack, any indication of the alleged hackers' motives or affiliation was noticeably absent. The US government accused 32-year-old Fujie Wang and an unnamed codefendant of being “members of a hacking group operating in China” who “used extremely sophisticated techniques to hack into the computer networks of the Victims.” In addition to Anthem, the indictment alleges they were responsible for three other large corporate intrusions, against a basic materials company, a communications firm, and a tech company. But it does not go on to characterize their motivations or goals.


 




Reuters


May 10, 2019


Leading Western industrial powers will for the first time jointly simulate a major cross-border cyber security attack on the financial sector next month, French officials said on Friday. The exercise, organized by the French central bank under France's presidency of the Group of Seven nations (G7), will be based on the scenario of a technical component widely used in the financial sector becoming infected with malware, said Nathalie Aufauvre, the Bank of France's director general for financial stability. Institutions such as the European Central Bank and the Bank of England have already conducted such tests, but the June exercise will be the first across borders at the G7 level, Aufauvre told a cyber security conference at the bank. "Cyber threats are proof that we need more multilateralism and more cooperation between our countries," French Finance Minister Bruno Le Maire told the conference.


 




Vice Motherboard


May 8, 2019


Leading cryptographic experts believe a Russia-designed algorithm pitched to an international standards body contains a flaw that could potentially undermine the security of encrypted data. The Russian delegation who designed the algorithm say the flaw is a coincidence, but multiple people deciding whether the algorithm should become a standard aren't convinced. The algorithm was discussed at a meeting in Tel Aviv in April, a working group of the International Organization for Standardization (ISO), an organization which approves or denies countries hoping to cement their cryptographic algorithms as standards. At the meeting, Russian officials weren’t very happy, according to Dr. Tomer Ashur, a researcher with KU Leuven University who represented the Belgian delegation. Before approving the algorithm, ISO experts said they wanted to wait six more months to better understand the security implications of a newly discovered issue in the algorithm. The delay is occurring because, in January, researcher Léo Perrin published a paper about two Russian algorithms, including the one under consideration, that shared a component called an “S-Box” in cryptography. Perrin is affiliated with Inria, the French national institute for the digital sciences.


 




The New York Times


May 6, 2019


Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal. Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away. The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.


 




CyberScoop


May 6, 2019


Israel’s military announced Sunday it had launched airstrikes on a building allegedly housing a number of Hamas soldiers that were preparing to launch a cyberattack against Israel. Israel Defense Forces (IDF), which launched the airstrike jointly with the Israel Security Authority, did not detail the alleged cyberattack and other offensive capabilities Hamas was developing, but said it had neutralized the attack before launching the airstrikes. The incident marks the first time a government has publicly announced it has immediately responded to a cyberattack by launching a “kinetic attack,” a military term that describes the use of lethal force. Although this marks a first in cyberwarfare, Paul Rosenzweig, a former deputy assistant secretary for policy at the U.S. Department of Homeland Security, tells CyberScoop it’s not a surprising outcome.


 


 


TECHNOLOGY


 




CyberScoop


May 10, 2019


Whoever came up with “thieves rob banks because that’s where all the money is” needs to add “digital advertising” to the updated version of the adage. Criminals simply don’t need to go through all the trouble of stealing money from well-fortified financial institutions when they can just trick advertisers into directly lining their pockets. With internet ad revenue totaling more than $100 billion in 2018, scammers are following that line of money: ad fraud is set to cost the industry as much as $44 billion annually by 2022. Online ad fraud has become so profitable that malware creators and botnet masters are developing new programs and theft techniques in order to keep making a profit, according to Michael Tiffany, president and co-founder of the bot detection company White Ops.


 




Ars Technica


May 9, 2019


Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could possibly execute malicious code until administrators install just-released patches, developers and security researchers warned. The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site's legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.