Wednesday, June 26, 2019

Bill Advances to Create Vulnerability Disclosure for Federal Internet of Things


The Hill
June 20, 2019
A House committee on Friday advanced legislation that would require that election systems use voter-verified paper ballots to guard against election interference. The House Administration Committee approved the Securing America’s Federal Elections Act in a 6-3 party-line vote. Committee Chairwoman Zoe Lofgren (D-Calif.) told The Hill that the House will vote on the measure sometime next week. The legislation would establish cybersecurity safeguards, such as prohibiting machines from being connected to the internet in any way and outlawing voting machines from being manufactured in a foreign country. The measure authorizes $600 million in funding for the Election Assistance Commission to give to states to increase security standards through the fiscal 2020 financial services and general government funding bill. The House Appropriations Committee approved that spending bill, with the election funds, earlier this month.

Nextgov
June 20, 2019
Federal agencies will have to do some extra due diligence before buying smart devices that can connect to the internet under legislation now before the full House and Senate for consideration. The Internet of Things Cybersecurity Improvement Act—introduced by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, and Sens. Cory Gardner, R-Colo., and Mark Warner, D-Va.—would establish a vulnerability disclosure process for internet-connected devices and prohibit agencies from buying such devices from vendors that don’t participate. Both the House and Senate versions of the bill have passed their respective committees and await votes of the full chambers. The legislation only covers internet of things devices, which it defines as those able to connect to the internet and collect, send or receive data, but “not a general-purpose computing device,” such as computers, smartphones and mainframes. Under the proposal, the National Institute of Standards and Technology will be required to establish a vulnerability disclosure process for devices used by federal agencies, which those agencies will be required to report through. NIST will have 180 days to build the program and, subsequently, the Office of Management and Budget and General Services Administration will have 180 days to issue guidance on how agencies should report weaknesses they discover.

CyberScoop
June 19, 2019
Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden says, and he’s asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet. “Many people incorrectly believe password-protected .zip files can protect sensitive data. Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools,” the Oregon Democrat writes in a letter obtained by CyberScoop. “This is because many of the software programs that create .zip files use weak encryption algorithms by default.” Part of Wyden’s concerns stem from the fact that although there are two common types of encryption options available for .zip files, people may be using the weaker option without realizing it. Those files are more vulnerable to password crackers, Wyden says, such as Advanced Archive Password Recovery.
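The distinction Wyden's letter turns on is visible in an archive's headers without decrypting anything: legacy PKWARE "ZipCrypto" sets general-purpose flag bit 0 on an entry with an ordinary compression method, while WinZip AES sets that bit, records compression method 99 and adds an extra field with ID 0x9901 carrying the key strength. The following check is an added example, not code from the CyberScoop article or the letter. It reads only the central directory, classifies each entry, and lists the ones an auditor should flag. The sample archive is constructed inline from hand-built headers, so its "ciphertext" bytes are placeholders; the function names and the build_zip helper are this example's own.

```python
"""Report which encryption scheme each entry in a .zip archive uses."""
import io
import struct
import zipfile

AES_METHOD = 99                          # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901                    # extra-field ID of the WinZip AE-x record
AES_STRENGTH = {1: 128, 2: 192, 3: 256}  # strength byte -> key size in bits


def _aes_strength(extra: bytes):
    """Walk the extra fields; return the AES key size in bits, or None if absent."""
    while len(extra) >= 4:
        tag, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if tag == AES_EXTRA_ID and size >= 7:
            # body: vendor version (2), vendor id b"AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(body[4])
        extra = extra[4 + size:]
    return None


def classify_zip_encryption(data: bytes) -> dict:
    """Map each entry name to 'none', 'zipcrypto' or 'aes-<bits>'.

    Only the central directory is parsed, so this works on archives whose
    payloads Python's zipfile module could not decrypt (it never tries to).
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:          # bit 0 clear: not encrypted at all
                result[info.filename] = "none"
            elif info.compress_type == AES_METHOD:
                bits = _aes_strength(info.extra)
                result[info.filename] = f"aes-{bits}" if bits else "aes-unknown"
            else:                                  # bit 0 set, normal method: ZipCrypto
                result[info.filename] = "zipcrypto"
    return result


def weak_entries(data: bytes) -> list:
    """Names an auditor should flag: cleartext or the crackable ZipCrypto scheme."""
    return sorted(name for name, kind in classify_zip_encryption(data).items()
                  if kind in ("none", "zipcrypto"))


def build_zip(entries) -> bytes:
    """Assemble a minimal archive from (name, flags, method, extra, payload) tuples.

    Helper for offline testing only. Payloads are never decrypted, so for the
    encrypted entries they are placeholder bytes standing in for ciphertext.
    """
    local, central = bytearray(), bytearray()
    dos_date = (39 << 9) | (6 << 5) | 26          # 2019-06-26 in DOS date encoding
    for name, flags, method, extra, payload in entries:
        offset = len(local)
        # version needed, flags, method, time, date, crc, csize, usize, name len, extra len
        common = struct.pack("<HHHHHIIIHH", 20, flags, method, 0, dos_date, 0,
                             len(payload), len(payload), len(name), len(extra))
        local += b"PK\x03\x04" + common + name + extra + payload
        # central header adds: version made by; comment len, disk, int/ext attrs, offset
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + common
                    + struct.pack("<HHHII", 0, 0, 0, 0, offset) + name + extra)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample: one cleartext entry, one ZipCrypto entry, one WinZip AES-256 entry.
SAMPLE_ZIP = build_zip([
    (b"readme.txt", 0x0000, 0, b"", b"public notice"),
    (b"salaries.csv", 0x0001, 8, b"", b"\x8f\x12\x7a\x03"),
    (b"salaries-aes.csv", 0x0001, AES_METHOD,
     struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8), b"\x44\x21\x9c\x0e"),
])

if __name__ == "__main__":
    for name, kind in classify_zip_encryption(SAMPLE_ZIP).items():
        print(f"{name:20} {kind}")
    print("needs attention:", weak_entries(SAMPLE_ZIP))
```

To audit a real archive, pass `open(path, "rb").read()` to `weak_entries`. Python's own zipfile module can decrypt ZipCrypto entries given a password but has no AES support, which is itself a reminder that the weak scheme is the one most tooling assumes by default.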

Politico
June 19, 2019
A former aide to Sen. Maggie Hassan (D-N.H.) was sentenced to four years in prison Wednesday for hacking Senate computers and releasing personal information online about five Republican senators out of anger spurred by their roles in the confirmation hearings for Justice Brett Kavanaugh. U.S. District Court Judge Thomas Hogan said the sentence for Jackson Cosko, 27, was needed to send a signal that criminal harassment driven by political motives would be punished severely in an era marked by extreme political polarization. “We have…a society that has become very vicious,” Hogan said. “It’s very concerning to the court and unfortunate that you played into that.” In April, Cosko pleaded guilty to five felonies, admitting that after being fired last year from his work as a systems administrator on Hassan’s staff, he repeatedly used a colleague’s key to enter the office, install keylogging equipment that stole work and personal email passwords, and download a massive trove of data from Senate systems.

The Hill
June 18, 2019
Republicans on the House Homeland Security Committee are gearing up to introduce a bevy of bills aimed at enhancing the Department of Homeland Security's (DHS) cybersecurity capabilities. The bills are the first glimpse into the new "American Security Agenda" that committee Republicans plan to pursue this Congress. Rep. Mike Rogers (R-Ala.), the ranking member of the Homeland Security Committee, will announce the agenda during remarks Tuesday afternoon at the International Summit on Borders in Washington, D.C. Rogers will say that the goal of the agenda is to “take a hard look at the Department’s missions and act to ensure that DHS is prepared to tackle the emerging threats to our homeland,” including threats to social media, satellites and theft of intellectual property. Republican members of the committee plan to introduce seven pieces of legislation in the coming weeks, with several specifically focused on cybersecurity.

Fifth Domain
June 18, 2019
Several provisions in the Senate’s version of the annual defense policy bill aim to increase oversight of cyber activities in the Department of Defense, including a new two-star general officer to serve as the senior military adviser to cyber policy. The bill, which passed the Senate Armed Services Committee in late May, adds new positions at the Pentagon to ensure the military’s cyber capabilities continue to mature. The full text of the legislation was released June 12. One section of the bill directs the undersecretary of defense for policy to create a position known as the senior military adviser to cyber policy. This uniformed official – while concurrently serving as the deputy principal cyber adviser, an existing position – will advise the undersecretary for policy on all cyber matters. The official will also work with the Pentagon’s chief information officer, joint staff, services and combatant commands regarding cyber policy decisions. In the Pentagon’s current hierarchy, there is already a similar position: a deputy assistant secretary of defense for cyber policy within the undersecretary for policy office. The bill also directs each of the services to designate a principal cyber adviser who will advise the service secretary on cyber forces, cyber program and other cybersecurity matters. If approved, this position would be held by a senior civilian.

The Hill
June 18, 2019
Members of the Senate Commerce security subcommittee examined the impact of banning Chinese-made drones, or components for drones, during a hearing on Tuesday. The senators compared the debate on drones to the recent decision by the Department of Commerce to blacklist Chinese telecommunications giant Huawei in May, a move that barred U.S. firms from working with the company. Implementation of the ban was delayed by 90 days to give tech companies more time to prepare for the change. Huawei has denied it poses a risk to the United States. Drones have also been seen as potential national security risks in recent weeks following an industry advisory issued by the Department of Homeland Security in May that warned companies that Chinese-made drones could breach organizations' networks. Sen. Dan Sullivan (R-Alaska), the chairman of the security subcommittee, told reporters after the hearing that the potential risk posed by drones had similarities to the concerns about Huawei, even though he noted it was not a “perfect direct analogy.”

Gov Info Security
June 17, 2019
Some federal agencies inappropriately continue to rely on knowledge-based authentication to prevent fraud and abuse even though this method is no longer trustworthy because so much personal information that's been breached is readily available to fraudsters, a new U.S. Government Accountability Office report notes. The report singles out the U.S. Postal Service, the Social Security Administration, the Department of Veterans Affairs and the Centers for Medicare and Medicaid Services for continuing to use knowledge-based authentication. The GAO, however, points out that two other agencies it examined, the General Services Administration and the Internal Revenue Service, have adopted new methods of verifying identity. The report suggests that government agencies should drop knowledge-based authentication and use other forms of identification that include, for example, asking for submission of a picture of a driver's license via a cellphone, which could be compared to other documents on file with the government.

CyberScoop
June 14, 2019
Black Hat USA has decided to cancel an upcoming keynote speech from Rep. Will Hurd after criticism of his voting record on women’s rights issues. The choice of the Texas Republican, a lawmaker with a detailed familiarity with cybersecurity issues, had drawn the ire of some in the cybersecurity industry because of his opposition to abortion. Less than 24 hours after TechCrunch published an article that raised those concerns, Black Hat has scrapped Hurd’s keynote, which was to take place in August at the organization’s annual Las Vegas event. TechCrunch was also first to report the cancellation. “Black Hat has chosen to remove U.S. Representative Will Hurd as our 2019 Black Hat USA Keynote,” Black Hat, one of the world’s biggest cybersecurity conferences, said in a statement. “We misjudged the separation of technology and politics. We will continue to focus on technology and research. However, we recognize that Black Hat USA is not the appropriate platform for the polarizing political debate resulting from our choice of speaker.”


ADMINISTRATION

FCW
June 21, 2019
It's no secret that foreign nations have recognized that one of the best pathways to hacking and stealing U.S. government technology is by targeting its industrial base. Foreign countries are targeting and compromising U.S. contractors so frequently that the Department of Defense asked the National Institute of Standards and Technology to develop custom security guidance to address the problem. A draft version of that new guidance publicly released June 19 lays out 31 new recommendations for contractors to harden their defenses and protect unclassified (but still sensitive) government data that resides on their networks from advanced persistent threats (APT) or government-sponsored hackers. Such data can range from Social Security numbers and other personally identifying information to critical defense program details. The recommendations include processes like implementing dual-authorization access controls for critical or sensitive operations, employing network segmentation where appropriate, deploying deception technologies and establishing or employing threat-hunting teams and a security operations center to continuously monitor system and network activity.

CyberScoop
June 21, 2019
As the U.S. National Security Agency incorporates machine learning and artificial intelligence into its defensive cyber operations, officials are weighing whether cyber operators will have confidence in the algorithms underpinning those emerging technologies. NSA operators want to say, “is my AI or ML system explainable?” Neal Ziring, NSA’s Technical Director for Capabilities, told CyberScoop Thursday. “Contexts where the AI is recommending an action is where that will be most important.” The intelligence agency still is exploring how machine learning, an automated method of data analysis, might be used to detect threats and protect new Internet of Things technology. Given the amount of information that agency employees need to sort through, machine learning could help prioritize tasks and decrease the amount of time employees spend on triage. The NSA aims to use machine learning and artificial intelligence, in which computers make their own decisions, to more efficiently stop threats, and eventually leverage those tools in offensive operations. But, if NSA workers don’t trust the AI or ML protocols that are telling them what to do, any deployment could be for naught. “Analysts are not going to trust an automated alert that lands in their lap without understanding how it got there in the first place,” NSA’s David Hogue said in remarks at a McAfee event this spring.

Gov Info Security
Hackers have repeatedly stolen valuable data - including launch codes and flight trajectories for spacecraft - from NASA's Jet Propulsion Laboratory in recent years, according to a new inspector general audit, which describes weak security practices. The audit report released this week by the space agency's Office of Inspector General finds that over the course of 10 years, the Jet Propulsion Laboratory, based in Pasadena, California, has been hacked numerous times, with individuals and nation-state actors stealing data about NASA's critical missions as well as other sensitive and proprietary information. In 2018, for example, a hacker used a Raspberry Pi computer to access the lab's network, stealing 23 files that contained about 500MB of sensitive NASA data, the report found. In addition to launch codes and flight trajectories, hackers have attempted to target NASA's research and development on earth science and advanced space technologies, the audit notes.

The Hill
June 21, 2019
The D.C. Circuit Court of Appeals on Friday ruled that two groups of federal workers can move forward with their class action lawsuits against the Office of Personnel Management (OPM) over a 2015 data breach that exposed the personal information of 22 million people. According to the appeals court, the data breach left the plaintiffs vulnerable to identity theft, a substantial and ongoing "injury" that can be traced back to OPM's failure to adequately safeguard its systems. Hackers in 2014 began stealing personal information such as Social Security numbers, birth dates, fingerprints and addresses from OPM, which functions as the federal government's human resources department. In the years since, federal workers affected by the breach have reported various types of identity theft, including credit cards being opened and fraudulent tax returns in their name, according to the lawsuit. The breach set off a flurry of lawsuits, which were combined into two complaints in D.C. In 2017, a federal judge dismissed the complaints, saying plaintiffs lacked sufficient evidence that they faced a substantial or imminent threat of identity theft. The appeals court on Friday argued there is evidence the hack left federal workers vulnerable to identity theft or fraud.

AP
June 20, 2019
A Florida city agreed to pay $600,000 in ransom to hackers who took over its computer system, the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses. The Riviera Beach City Council voted unanimously this week to pay the hackers' demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted. The council already voted to spend almost $1 million on new computers and hardware after hackers captured the city's system three weeks ago. The hackers apparently got into the city's system when an employee clicked on an email link that allowed them to upload malware. Along with the encrypted records, the city had numerous problems including a disabled email system, employees and vendors being paid by check rather than direct deposit and 911 dispatchers being unable to enter calls into the computer. The city says there was no delay in response time. Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid. She conceded there are no guarantees that once the hackers received the money they will release the records. The payment is being covered by insurance. The FBI on its website says it "doesn't support" paying off hackers, but Riviera Beach isn't alone: many government agencies and businesses do.

Fifth Domain
June 20, 2019
Brig. Gen. William Hartman is slated to lead U.S. Cyber Command’s Cyber National Mission Force, according to a June 19 personnel announcement from the Pentagon. The Cyber National Mission Force plans and conducts cyber operations aimed at disrupting adversaries. The group works against specific nation-state threats and aims to engage those enemies as a means of preventing cyber intrusions. It is often described as having Cyber Command’s best operators. Hartman is currently the deputy commander of Joint Force Headquarters-Cyber Army, which plans, directs and oversees cyber teams and operations in the Middle East, North America and Africa. Hartman takes over for Maj. Gen. Timothy Haugh, who assumed command of the Cyber National Mission Force in June 2018.

AP
A voting security advocacy group is trying to force a leader of a state election officials association to release documents on whether she wrongly asserted that U.S. election systems are safe from hacking. The National Election Defense Coalition filed a lawsuit Thursday against Indiana Secretary of State Connie Lawson alleging she's violated state law in denying public record requests since September for her communications about election security with the National Association of Secretaries of State. Lawson was the bipartisan association's 2017-18 president and is currently co-chair of its cybersecurity committee. The coalition argues that Lawson's public statements have downplayed the vulnerability of election systems. It pointed to her testimony for a 2017 U.S. Senate intelligence committee hearing on Russian interference in the 2016 election during which she said it was "very important to underscore that voting machines are not connected to the internet or networked in any way."

Fifth Domain
June 20, 2019
A new email scam impersonating official messages from the Department of Homeland Security shows how difficult it can be for organizations to protect against phishing scams. The Cybersecurity and Infrastructure Security Agency released a notification June 18 about a phishing email that looked like an official alert from the National Cyber Awareness System. According to the agency, the emails included an attachment that would download malware if clicked by the user. The impersonation of official government emails is just another way that bad actors can take advantage of unsuspecting users and presents another challenge in teaching users how to avoid falling victim to phishing scams.

AP
A majority of Americans are concerned that a foreign government might interfere in some way in the 2020 presidential election, whether by tampering with election results, stealing information or by influencing candidates or voter opinion, a new poll shows. The poll from The Associated Press-NORC Center for Public Affairs Research finds Democrats far more likely to express the highest level of concern, but Democrats and Republicans alike have at least some concerns about interference. Overall, half of Americans say they’re extremely or very concerned about foreign interference in the form of altered election results or voting systems, even though hackers bent on causing widespread havoc at polling places face challenges in doing so. An additional quarter is somewhat concerned. Similarly, about half are very concerned by the prospect of foreign governments influencing political candidates or affecting voters’ perceptions of the candidates, along with hacking candidate computer systems to steal information.

Gov Info Security
June 19, 2019
A group of 22 state attorneys general, mainly from Democratic-leaning states, are demanding Congress offer local officials more support - including grants and equipment standards - to improve election infrastructure security in the run-up to the 2020 presidential contest. Minnesota Attorney General Keith Ellison is leading the coalition of attorneys general that sent the letter Tuesday to the chairmen and vice chairmen of the U.S. Senate Appropriations Committee as well as the Senate Committee on Rules and Administration. In the letter, Ellison writes that Russia has not only interfered in previous elections, but plans to do so again in 2020.

The Washington Post
June 18, 2019
Gov. Larry Hogan (R) has named Maryland’s first statewide chief information security officer, part of an effort to boost defenses against cybersecurity threats. John Evans, who had served as the chief information security officer for the state Department of Information Technology since October, will lead the newly created Office of Security Management and chair the Maryland Cybersecurity Coordinating Council, a panel made up of nearly a dozen agency heads. The council will create a strategy to implement cybersecurity initiatives, identify cybersecurity risks and respond to bad actors. Hogan signed an executive order Tuesday authorizing the new entities and the new position. The effort comes as Baltimore continues to fend off a powerful ransomware attack that has nearly paralyzed the city government for the past month, and as government agencies across the country and around the world work to protect computer networks and databases from ever-more-sophisticated outside interference.

CBS
June 17, 2019
The U.S. government filed a memorandum Monday in the Southern District of New York in the case against Joshua Adam Schulte, a former CIA software engineer accused of stealing classified national defense information, which then appeared on WikiLeaks. Schulte filed a motion to end what's known as special administrative measures (SAMs) while being held at the Metropolitan Correctional Center in Lower Manhattan. According to the advocacy organization The Center for Constitutional Rights, SAMs are incredibly restrictive and "prohibit prisoners who live under them from contact or communication with all but a handful of approved individuals, and impose a second gag on even those few individuals." The 30-year-old claims the government cannot regulate his interactions with his lawyer and that his record doesn't support the restrictions in place. The government's filing argues that his breaking "into CIA computer systems" and the theft of "classified information" which he "transmitted" to WikiLeaks — means he should have SAMs in place.

CyberScoop
The Department of Homeland Security has added its voice to a chorus of government and corporate cybersecurity professionals urging users to patch their systems for BlueKeep, a critical vulnerability recently reported in old Microsoft Windows operating systems. DHS’s Cybersecurity and Infrastructure Security Agency said Monday that it had used the BlueKeep vulnerability to execute remote code on a test machine running Windows 2000. The agency released an advisory reiterating that, like the famed WannaCry ransomware, BlueKeep is “wormable,” in that malware exploiting the vulnerability could spread to other systems without user interaction. The BlueKeep vulnerability, for which Microsoft published an advisory on May 14, could allow a hacker to abuse the Remote Desktop Protocol, which grants remote access to computers for administrative purposes, to delete data or install new programs on a system. When it was disclosed, security experts immediately warned of BlueKeep’s severity, and as of last week, close to 1 million internet-exposed machines were still vulnerable to the flaw, according to researchers at cybersecurity company BitSight.

AP
June 17, 2019
Florida's county elections departments will retain $2.3 million in unspent grant money aimed at stopping cyber-attacks on the state's voting system, Gov. Ron DeSantis announced Monday. DeSantis said the unspent money is left over from a $19 million federal grant given last year to combat potential attacks on Florida's voting system and was supposed to be returned to the state. It will be combined with $2.8 million in state funding currently budgeted. The spending comes after it was disclosed last month that the FBI believes Russian hackers breached the voter information files of two of Florida's 67 county election supervisor offices during the 2016 presidential election. Officials do not believe the vote tabulation system was compromised and say there is no indication last year's state elections were hacked. DeSantis and Secretary of State Laurel Lee, who oversees elections, vowed to identify and fix any problems before the March presidential primary.

AP
President Donald Trump has lashed out at The New York Times, saying it engaged in a “virtual act of treason” for a story that said the U.S. was ramping up its cyber-intrusions into Russia’s power grid. The Times reported on Saturday that the U.S. has bored into Russian utility systems in an escalating campaign meant to deter future cyber activity by Russia. It comes as the U.S. looks for new ways to punish Russia’s meddling in the 2016 presidential election and prevent a recurrence. The Times, in its official public relations account, called Trump’s accusation “dangerous” and said it had told officials about the story before it was published and no security issues were raised. The newspaper, basing its reports on three months of interviews with current and former government officials, said this campaign was conducted under new cyber authorities granted by Trump and Congress. But it also reported that two administration officials believed the president had not been briefed in detail, fearing he might countermand the action against Russia or reveal sensitive information to foreign officials. In a pair of tweets sent Saturday night, Trump asserted the story wasn’t true and denounced reporters as “cowards.”

The New York Times
The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said. In interviews over the past three months, the officials described the previously unreported deployment of American computer code inside Russia’s grid and other targets as a classified companion to more publicly discussed action directed at Moscow’s disinformation and hacking units around the 2018 midterm elections. Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the F.B.I. that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States. But it also carries significant risk of escalating the daily digital Cold War between Washington and Moscow.


INDUSTRY

CyberScoop
June 20, 2019
Computing giant Dell released a security advisory Thursday encouraging customers to patch a software vulnerability the company says could have enabled hackers to access sensitive information on “several million” machines running Microsoft Windows. The unnamed issue in Dell’s SupportAssist application could have allowed outsiders to take over a machine and read the stored physical memory, according to SafeBreach Labs, a California network security company. Dell released its security patch to fix this issue on May 28, and a spokesperson says more than 90 percent of customers have received the update. Dell waited three weeks to go public with the advisory to allow time for PC Doctor, the third-party supplier behind the component responsible for the vulnerability, to release its own advisory.

Ars Technica
June 20, 2019
Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people. Mozilla released an update on Tuesday that fixed a code-execution vulnerability in the JavaScript Array.pop method. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of the security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of the operating system. Interestingly, a researcher at Google's Project Zero had privately reported the code-execution flaw to Mozilla in mid-April. On Monday, as Mozilla was readying a fix for the Array.pop flaw, unknown hackers deployed an attack that chained working exploits for both vulnerabilities. The hackers then used the attack against employees of Coinbase, according to Philip Martin, chief information security officer for the digital currency exchange.

The Wall Street Journal
June 20, 2019
When the National Basketball Association draft takes place in Brooklyn on Thursday, not all eyes will be on the Barclays Center. Some employees at the nation’s biggest teams will be watching their computer networks. Cybersecurity has become a bigger issue in the NBA over the past few years, and big events like the draft bring a heightened focus on outsmarting hackers, who could use data stolen from teams to place bets on draft picks.

Ars Technica
June 19, 2019
Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.

Gov Info Security
June 19, 2019
In a case underscoring the potential financial havoc wreaked by data breaches, the 42-year-old parent company of American Medical Collection Agency has filed for bankruptcy just weeks after disclosing a data breach that affected its largest clients and millions of patients. In a Monday filing in a New York federal bankruptcy court, Retrieval-Masters Credit Bureau, which does business as AMCA, says it's seeking court approval for an "effective transition into Chapter 11 and to provide the best opportunity for a cost-effective and orderly liquidation." The move comes after the March discovery of a major data breach, revealed in June. The breach not only caused AMCA's largest clients to end their business relationships with the Elmsford, New York-based debt collection agency, but has also resulted in "enormous expenses that were beyond the ability of [the company] to bear," Russell Fuchs, RMCB's owner and CEO, says in court documents.

Ars Technica
June 18, 2019
Content delivery network Cloudflare is introducing a free service designed to make it harder for browser-trusted HTTPS certificates to fall into the hands of bad guys who exploit Internet weaknesses at the time the certificates are issued. The attacks were described in a paper published last year titled Bamboozling Certificate Authorities with BGP. In it, researchers from Princeton University warned that attackers could manipulate the Internet’s border gateway protocol to obtain certificates for domains the attackers had no control over. Browser-trusted certificate authorities are required to use a process known as domain control validation to verify that a person requesting a certificate for a given domain is the legitimate owner.

Wired
June 18, 2019
Data breaches and exposures have become so common these days, it's difficult to keep track of them all, much less step back to mull a solution. But, perhaps out of necessity, researchers from the database giant MongoDB have spent the past two years developing a new database encryption scheme aimed squarely at reducing these damaging incidents. Their secret weapon? Radical simplicity. The idea of encrypting databases in various ways isn't new. But in practice there have been limitations on where and when data was actually protected. Databases are often encrypted "server-side," meaning that random strangers can't just query it for information, but credentialed users can access some or all of the information in it. But that also means that anyone with full access to the data—like the database operator and administrators—can decrypt and access everything. This puts the data at risk to both outside hackers wielding stolen credentials and rogue insiders who have been granted more access than they need.
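The contrast the article draws, server-side encryption that any operator or administrator can undo versus encryption applied in the client before data reaches the database, is easier to see in code. The example below is added here and is not MongoDB's implementation: the in-memory `Server` class stands in for the database, the `Client` class encrypts a sensitive field before insert and keeps a keyed "blind index" so equality lookups still work, and the cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag, chosen only so the example runs on the standard library (a real deployment would use an authenticated cipher such as AES-GCM). Field names and sample records are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Any, Dict, List


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for encryption, authentication and the blind index.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: a dependency-free stand-in for a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(master: bytes, plaintext: str) -> Dict[str, str]:
    """Randomized encrypt-then-MAC of one field value."""
    pt = plaintext.encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(master, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(master: bytes, blob: Dict[str, str]) -> str:
    """Verify the tag first; a wrong key or a modified ciphertext raises."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))))
    return pt.decode()


def blind_index(master: bytes, value: str) -> str:
    # Deterministic keyed hash so the client can ask the server for equality matches
    # without the server learning the value. It does reveal which rows share a value.
    return hmac.new(_subkey(master, b"idx"), value.encode(), hashlib.sha256).hexdigest()


class Server:
    """Stands in for the database. It stores whatever the client hands it and,
    like a real operator or administrator, can read every stored byte."""

    def __init__(self) -> None:
        self.docs: List[Dict[str, Any]] = []

    def insert(self, doc: Dict[str, Any]) -> None:
        self.docs.append(doc)

    def find(self, field: str, value: Any) -> List[Dict[str, Any]]:
        return [d for d in self.docs if d.get(field) == value]

    def admin_dump(self) -> str:
        return json.dumps(self.docs)


class Client:
    """Holds the key; sensitive fields are encrypted before they leave the application."""

    def __init__(self, master: bytes, server: Server) -> None:
        self.master, self.server = master, server

    def insert_patient(self, name: str, ssn: str) -> None:
        self.server.insert({
            "name": name,                              # left in the clear on purpose
            "ssn": encrypt_field(self.master, ssn),    # randomized: same SSN, new ciphertext each time
            "ssn_idx": blind_index(self.master, ssn),  # deterministic: supports equality lookup
        })

    def names_with_ssn(self, ssn: str) -> List[str]:
        hits = self.server.find("ssn_idx", blind_index(self.master, ssn))
        # Decrypt to confirm; a tampered row raises instead of silently matching.
        return [d["name"] for d in hits if decrypt_field(self.master, d["ssn"]) == ssn]


def admin_can_read(server: Server, secret: str) -> bool:
    """What an insider with full database access learns: does the plaintext appear anywhere?"""
    return secret in server.admin_dump()
```

Run with a `Server`, a `Client` holding a 32-byte key, and a couple of `insert_patient` calls: `admin_can_read` finds the clear-text name but not the SSN, while the client's `names_with_ssn` still answers an equality query. The blind index is the trade-off the article alludes to when it says earlier schemes limited where data was protected: it keeps lookups possible at the cost of revealing repeated values to the server.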

CNN
June 17, 2019
At least 50,000 American license plate numbers have been made available on the dark web after a company hired by Customs and Border Protection was at the center of a major data breach, according to CNN analysis of the hacked data. What's more, the company was never authorized to keep the information, the agency told CNN. “CBP does not authorize contractors to hold license plate data on non-CBP systems," an agency spokesperson told CNN. The admission raises questions about who's responsible when the US government hires contractors to surveil citizens, but then those contractors mishandle the data. "[CBP] keeps seeking to amass more information in a way that is concerning from a privacy and civil liberties standpoint, but also from a security standpoint, given that they've not demonstrated they can safeguard that information," Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told CNN. CBP collects license plate information to track which vehicles cross the border.

ZDNet
June 17, 2019
A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins. The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins. The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and "Facebook for WooCommerce," a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages. The first plugin is installed by over 20,000 sites, while the second has a userbase of 200,000 -- with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.

Reuters
June 16, 2019
Huawei’s American chip suppliers, including Qualcomm and Intel, are quietly pressing the U.S. government to ease its ban on sales to the Chinese tech giant, even as Huawei itself avoids typical government lobbying, people familiar with the situation said. Executives from top U.S. chipmakers Intel and Xilinx Inc attended a meeting in late May with the Commerce Department to discuss a response to Huawei’s placement on the black list, one person said. The ban bars U.S. suppliers from selling to Huawei, the world’s largest telecommunications equipment company, without special approval, because of what the government said were national security issues. Qualcomm has also pressed the Commerce Department over the issue, four people said.


INTERNATIONAL

The New York Times
June 21, 2019
The Trump administration added five Chinese entities to a United States blacklist on Friday, further restricting China’s access to American technology and stoking already high tensions before a planned meeting between President Trump and President Xi Jinping of China in Japan next week. The Commerce Department announced that it would add four Chinese companies and one Chinese institute to an “entity list,” saying they posed risks to American national security or foreign policy interests. The move essentially bars them from buying American technology and components without a waiver from the United States government, which could all but cripple them because of their reliance on American chips and other technology to make advanced electronics. The entities are one of China’s leading supercomputer makers, Sugon; three subsidiaries set up to design microchips, Higon, Chengdu Haiguang Integrated Circuit and Chengdu Haiguang Microelectronics Technology; and the Wuxi Jiangnan Institute of Computing Technology. They lead China’s development of high-performance computing, some of which is used in military applications like simulating nuclear explosions, the Commerce Department said.

Politico
June 21, 2019
Top cybersecurity firms say Iranian hackers have revved up attempts to breach computer systems in the U.S. as hostilities have spiked between Washington and Tehran — and they warn that further escalation could be near. CrowdStrike and FireEye are among the companies that have reported seeing an uptick in recent weeks in the exploits, which use deceptive emails to try to trick victims into installing malicious software on their systems. "Any intrusion can be the first step" toward a broader attack, Ben Read, senior cyber-espionage analyst for FireEye, told POLITICO on Friday. Read added that the leader of the latest campaign — an Iranian government-connected hacker group known as APT33 or Refined Kitten — has been linked to destructive attacks that have wiped computers at targets like the giant oil and gas company Saudi Aramco. "Really, we're seeing increased cyber activity that seems to be focused on the West," said Adam Meyers, vice president of Intelligence at CrowdStrike. "In early June, mid-June is when it really started to kick off," he told POLITICO. FireEye offered a similar timeline.

The Guardian
June 21, 2019
Police have halted all work with the UK’s largest private forensics provider after a ransomware attack, in the latest crisis to hit the forensics sector. Eurofins, which carries out DNA analysis, toxicology, ballistics and computer forensics work, detected a breach of its system on 2 June. It has emerged that police have suspended all work with the company, thought to amount to more than 50% of outsourced case work. Every police force in the country has had a cap placed on the volume of forensic work they can carry out and a police Gold Group response has been mounted – a step only taken in the case of major incidents or emergencies – to manage the increasing backlog. Cases are expected to be delayed as a result.

Ars Technica
June 20, 2019
If nation-sponsored hacking was baseball, the Russian-speaking group called Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France’s military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations. Now, researchers with security firm Symantec have uncovered evidence of Turla doing something that would be a first for any nation-sponsored hacking group. Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have linked to the Iranian government. Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had already penetrated. Not only would the breach of OilRig be an unprecedented hacking coup, it would also promise to make the already formidable job of attribution—the term given by researchers for using forensic evidence found in malware and servers to pin a hack on a specific group or nation—considerably harder.

The Guardian
June 19, 2019
The report from Agnes Callamard, the UN special rapporteur, sets out in forensic detail concerns about the behaviour of Saudi Arabia, both before and after the murder of the dissident journalist Jamal Khashoggi. It also details the potential threats posed to journalists and academics by the kingdom’s use of intrusive spyware. This is a threat the Guardian has had to assess with some seriousness in recent months. Earlier this year, the Guardian was warned it was being targeted by a cybersecurity unit in Saudi Arabia that had been ordered to “hack” into the email accounts of journalists investigating the various crises engulfing the royal court. The potential threat was initially raised by a source in Riyadh – and this account was later supported by a copy of what appears to be a confidential internal order. This instructed a technical team to carry out the “penetration” of the Guardian’s computer servers “in complete secrecy”.

Reuters
June 18, 2019
A state-backed cyber-attack could secretly corrupt the records of British financial institutions over a period of months, posing a risk that banks would probably struggle to guard against on their own, a senior Bank of England policymaker said. Banks have focused mainly on stopping service outages, but the falsification of transaction records and other data was an even bigger danger, Anil Kashyap told lawmakers on Tuesday. "If you wanted to do maximum damage, that is what you would probably do if you were a state actor," he told a parliament committee. Britain's security services have warned about the risk of cyber-attacks by Russia and other countries, and the BoE has urged banks to boost their preparedness to avoid disruption to one of the world's largest financial centres. But British financial institutions might not be able to guard against this type of attack on their own, Kashyap said.

The Telegraph
June 17, 2019
Sivan Rauscher, the chief executive of the Israeli cybersecurity firm SAM Seamless Network, walked into her company’s Tel Aviv headquarters in early May to find half the staff missing. Many of her key engineers were gone. The company’s chief technology officer was nowhere to be found. But Ms. Rauscher was not surprised at the empty desks. More than two thirds of her staff are alumni of the Israeli military’s Unit 8200, an elite signals intelligence force akin to Britain’s GCHQ or the American NSA. 

Reuters
June 17, 2019
Iran said on Monday it had exposed a large cyber espionage network it alleged was run by the U.S. Central Intelligence Agency (CIA), and that several U.S. spies had been arrested in different countries as the result of this action. U.S.-Iran tensions are growing following accusations by U.S. President Donald Trump’s administration that Tehran last Thursday attacked two oil tankers in the Gulf of Oman, a vital oil shipping route. Iran denies having any role. The secretary of Iran’s Supreme National Security Council, Ali Shamkhani, said on Monday: “One of the most complicated CIA cyber espionage networks that had an important role in the CIA’s operations in different countries was exposed by the Iranian intelligence agencies a while ago and was dismantled.” “We shared the information about the exposed network with our allies that led to the identification and arrest of CIA intelligence agents,” Shamkhani was quoted as saying by the state broadcaster IRIB. He did not specify how many CIA agents were arrested and in what countries.

Reuters
June 17, 2019
The Kremlin said on Monday that a report in the New York Times newspaper citing sources as saying the United States had inserted potentially disruptive implants into Russia's power grid showed a cyber war was, in theory, possible. The New York Times on Saturday published an article citing current and former unnamed U.S. government officials talking about the deployment of American computer code inside Russia’s grid and other targets as a classified companion to more publicly discussed action directed at Moscow’s disinformation and hacking units around the 2018 midterm elections. When asked about the report, Kremlin spokesman Dmitry Peskov said: "...Undoubtedly this information shows the hypothetical possibility... all signs of cyber war and military cyber action against the Russian Federation."


TECHNOLOGY

Ars Technica
June 18, 2019
The Linux and FreeBSD operating systems contain newly discovered vulnerabilities that make it easy for hackers to remotely crash servers and disrupt communications, researchers have warned. OS distributors are advising users to install patches when available or to apply system settings that lower the chances of successful exploits. The most severe of the vulnerabilities, dubbed SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective ACKnowledgements to a vulnerable computer or server. The system will respond by crashing, or in the parlance of engineers, entering a kernel panic. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service (DoS). A second vulnerability also works by sending a series of malicious SACKs that consumes computing resources of the vulnerable system. Exploits most commonly work by fragmenting a queue reserved for retransmitting TCP packets. In some OS versions, attackers can cause what’s known as an “expensive linked-list walk for subsequent SACKs.” This can result in additional fragmentation, which has been dubbed “SACK slowness.” Exploitation of this vulnerability, tracked as CVE-2019-11478, drastically degrades system performance and may eventually cause a complete DoS.
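The two settings the article alludes to for systems that cannot be patched immediately are worth seeing concretely. The code below is an added example, not from the article or from any distributor's advisory text: it parses the TCP options field (RFC 793 MSS, RFC 2018 SACK-permitted and SACK blocks) so a defender can inspect what a segment actually carries, and wraps two checks around it. The MSS threshold of 500 bytes follows the widely published workaround of dropping SYNs that advertise a very small MSS; treating that number as the threshold here is an assumption, as is the exact `sysctl` output format the second check expects. The option bytes are constructed, not captured traffic.

```python
import struct
from typing import Any, Dict

# TCP option kinds (RFC 793, RFC 2018).
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_SACK_PERM, TCPOPT_SACK = 0, 1, 2, 4, 5


def parse_tcp_options(opts: bytes) -> Dict[str, Any]:
    """Walk the TCP options field, returning the MSS, whether SACK was negotiated,
    and any SACK blocks as (left_edge, right_edge) pairs. Malformed input raises."""
    out: Dict[str, Any] = {"mss": None, "sack_permitted": False, "sack_blocks": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = opts[i + 2:i + length]
        if kind == TCPOPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes")
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == TCPOPT_SACK_PERM:
            out["sack_permitted"] = True
        elif kind == TCPOPT_SACK:
            if (length - 2) % 8 != 0:
                raise ValueError("SACK option body must be a multiple of 8 bytes")
            for j in range(0, length - 2, 8):
                out["sack_blocks"].append(struct.unpack("!II", body[j:j + 8]))
        # Unknown kinds (window scale, timestamps, ...) are skipped by their length.
        i += length
    return out


def syn_would_be_dropped(opts: bytes, min_mss: int = 500) -> bool:
    """Low-MSS filter workaround: a SYN advertising an MSS below `min_mss` is dropped.
    The default of 500 mirrors the published workaround (assumption, see lead-in)."""
    mss = parse_tcp_options(opts)["mss"]
    return mss is not None and mss < min_mss


def sack_disabled(sysctl_output: str) -> bool:
    """The other workaround: check `sysctl net.ipv4.tcp_sack` output for a value of 0."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.tcp_sack":
            return value.strip() == "0"
    return False


# Constructed sample option fields (not captured traffic).
# Ordinary SYN: MSS 1460, SACK permitted, two NOPs, window scale 7.
NORMAL_SYN_OPTS = bytes.fromhex("020405b4" "0402" "0101" "030307")
# SYN the workaround filter rejects: an implausibly small MSS of 48.
LOW_MSS_SYN_OPTS = bytes.fromhex("02040030" "0402")
# Data segment carrying two SACK blocks: [1000, 2000) and [3000, 4000).
TWO_BLOCK_SACK_OPTS = bytes.fromhex("0101" "0512" "000003e8" "000007d0" "00000bb8" "00000fa0")

if __name__ == "__main__":
    print(parse_tcp_options(NORMAL_SYN_OPTS))
    print("drop low-MSS SYN:", syn_would_be_dropped(LOW_MSS_SYN_OPTS))
    print(parse_tcp_options(TWO_BLOCK_SACK_OPTS)["sack_blocks"])
```

Both checks are stop-gaps: disabling SACK costs loss-recovery efficiency on every connection, and the MSS filter only affects SYNs, so the vendor patches remain the fix. The parser is still useful afterwards for confirming, from a capture, that peers are negotiating sane MSS values and that SACK blocks look like ordinary loss recovery rather than long runs of tiny ranges.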