
Monday, June 03, 2019

Hunger and Hacker Game: Treasure Trove


Subject: Photo of Woody Harrelson helps facial-recognition system catch beer thief
Source: Tribune Media Wire via WPMT FOX43
https://fox43.com/2019/05/17/photo-of-woody-harrelson-helps-facial-recognition-system-catch-beer-thief/
Clever police work—or an abuse of technology?
When a suspect who looked a lot like a long-haired Woody Harrelson was caught on camera stealing beer from a CVS and the NYPD’s facial-recognition system didn’t provide any matches, a detective used a photo of the actor, according to a report from Georgetown University’s Center on Privacy and Technology.
The study says that instead of the pixelated security footage of the suspect, the detective used a high-quality photo of Harrelson with long hair from 2012’s Hunger Games, and found 11 matches, including a man who was eventually arrested for the crime, the AP reports.
The report says detectives also used a photo of New York Knick JR Smith to search for a man wanted for a Brooklyn assault.
The Georgetown University report—titled “Garbage In, Garbage Out”—is highly critical of the practice of using celebrity photos to find lookalike suspects, as well as the use of artist’s sketches in facial recognition systems, the New York Post reports.

Subject: San Francisco Bans Facial Recognition Technology
Source: The New York Times
https://www.nytimes.com/2019/05/14/us/facial-recognition-ban-san-francisco.html
SAN FRANCISCO — San Francisco, long at the heart of the technology revolution, took a stand against potential abuse on Tuesday by banning the use of facial recognition software by the police and other agencies.
The action, which came in an 8-to-1 vote by the Board of Supervisors, makes San Francisco the first major American city to block a tool that many police forces are turning to in the search for both small-time criminal suspects and perpetrators of mass carnage.
The authorities used the technology to help identify the suspect in the mass shooting at an Annapolis, Md., newspaper last June. But civil liberty groups have expressed unease about the technology’s potential abuse by government amid fears that it may shove the United States in the direction of an overly oppressive surveillance state.
Aaron Peskin, the city supervisor who sponsored the bill, said that it sent a particularly strong message to the nation, coming from a city transformed by tech.
But critics said that rather than focusing on bans, the city should find ways to craft regulations that acknowledge the usefulness of face recognition. “It is ridiculous to deny the value of this technology in securing airports and border installations,” said Jonathan Turley, a constitutional law expert at George Washington University. “It is hard to deny that there is a public safety value to this technology.”
But there is a broader concern. “When you have the ability to track people in physical space, in effect everybody becomes subject to the surveillance of the government,” said Marc Rotenberg, the group’s executive director.
American civil liberties advocates warn that the ability of facial surveillance to identify people at a distance, or online, without their knowledge or consent presents unique risks — threatening Americans’ ability to freely attend political protests or simply go about their business anonymously in public. Last year, Bradford L. Smith, the president of Microsoft, warned that the technology was too risky for companies to police on their own and asked Congress to oversee its use.
[I only saw one reference to WRONG and none to FALSE /pmw1]

Subject: Ari Mahairas and Peter Beshar on AI and 5G security risks
Source: Business Insider
https://www.businessinsider.com/ari-mahairas-and-peter-beshar-on-ai-and-5g-security-risks-2019-5
  • AI and 5G will lead to an explosion in cybersecurity risks, according to an FBI agent and the general counsel of $50 billion professional services firm Marsh & McLennan.
  • Ari Mahairas and Peter Beshar have built a relationship educating the public sector and industry about the risks of cyber attacks, as well as solutions to the threat.
  • New tech will make it easier for bad actors to attack things like internet-connected devices, potentially leading to catastrophic attacks on nuclear power plants, they said.
  • The pair also discussed protecting 5G networks and the growing demand for privacy regulation in Silicon Valley.
“We’re engaged in a race without a finish line,” Beshar says of the threat. “Cyber is a unique threat that poses a threat to both government and industry; both sectors have been breached repeatedly. Neither one of us is immune.”
The pair also discussed protecting 5G networks, in the context of concerns over Chinese tech giant Huawei contributing to infrastructure, and the growing demand for privacy regulation in Silicon Valley.

Subject: Prince Harry beat paparazzi using GDPR law, new royal weapon vs. media
Source: Business Insider
https://www.businessinsider.com/prince-harry-beat-paparazzi-using-gdpr-law-new-royal-weapon-vs-media-2019-5
  • Prince Harry won a legal dispute with Splash News, a photo agency which used a helicopter to take pictures inside his home.
  • As well as arguing that they invaded his privacy, the Duke of Sussex also based his case on the photographers having mishandled his personal data under Europe’s new GDPR law.
  • This is an unexpected application of data law, which is more commonly thought of as governing large online databases and spammy mailing lists.
  • It opens a new avenue in the royal family’s never-ending struggle to keep parts of their lives out of the public eye.

Subject: Airbnb scam hits some users, charges them for fake reservations
Source: USA Today
https://www.usatoday.com/story/money/2019/05/19/airbnb-scam-hits-some-users-charges-them-fake-reservations/3732422002/
Airbnb users may want to check their accounts even if they aren’t planning a trip anytime soon – some fellow customers on the rental site have been scammed with reservations they didn’t make.
Account holders have been charged for non-refundable reservations at fake destination homes and in some cases, users report that money was taken from their bank and Paypal accounts.
Airbnb confirms that there have been some occurrences, but said in a statement sent to USA TODAY that “these are isolated incidents and at no point was the Airbnb platform compromised. We have robust systems in place to protect users’ accounts and our team of trust and safety experts work hard to constantly strengthen our defenses.”
Airbnb has resolved a case in which UK-based communications professional Alice Chautard had three non-refundable reservations made in Kiev, Ukraine on her account Saturday and then the hacker cancelled the reservations, and deleted the account that charged her “all within 2 minutes,” she posted on Twitter.
“I travel internationally a lot as a speaker and have loved Airbnb in the past,” she said. But “after this, I’m done with Airbnb not because I was hacked but because it was so difficult to get in touch with anyone, the response I got was subpar and there was no ownership of the issue. I had a credit card on my profile but what about all of the people who have their debit cards linked? Their cash is gone.”

Subject: Age of fraud: Are seniors more vulnerable to financial scams?
Source: Marketplace via WHYY
https://whyy.org/articles/age-of-fraud-are-seniors-more-vulnerable-to-financial-scams/
Not only are older people heavily targeted by scammers, but surprising data suggest that, as we get older, we become more vulnerable to fraud in so many of its forms.
The part that especially floored me is this: Doctors are studying older people who are on the ball, A-OK. People who — when tested — seem to have no diagnosable cognitive impairment, but who may still be at special risk from those who want to take their money, be it strangers or family.
There is brain research about this. In some cases, it’s like a person’s radar for scams goes dark.
Lachs and his colleagues have put a label on what they see as an all-too common condition: “age-associated financial vulnerability.”
“We are learning that there are changes in the aging brain, even in the absence of diseases like Alzheimer’s disease or other neurodegenerative illnesses, that may render older adults vulnerable to financial exploitation.”
In an award-winning paper published by the Brookings Institution, researchers identified a peak age for handling money matters: on average, 53 years old. That astonishing number personally gave me pause now that I am past that summit and, according to that finding, hiking the downward slope myself.
Lawyer and elder rights advocate Marie-Therese Connolly is working on a book about elder abuse to be called “Aging Dangerously”, and worked closely on the drafting and passage, in 2010, of the Elder Justice Act.
A new federal law, the 2017 Elder Abuse Prevention and Prosecution Act, appointed what are called “elder justice coordinators” at U.S. Justice Department offices around the country.
In Florida, a new legal tool makes it much easier for the state’s vulnerable older victims to file paperwork — in the absence of an attorney — to quickly freeze their scammed money without notifying the scammer, a kind of “pause button.”

Subject: DHS warns of ‘strong concerns’ that Chinese-made drones are stealing data
Source: CNNPolitics
https://www.cnn.com/2019/05/20/politics/dhs-chinese-drone-warning/index.html
Washington (CNN) Chinese-made drones may be sending sensitive flight data to their manufacturers in China, where it can be accessed by the government there, the US Department of Homeland Security warned in an alert issued Monday obtained by CNN.
The drones are a “potential risk to an organization’s information,” the alert from DHS’s Cybersecurity and Infrastructure Security Agency states. The products “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”

Subject: Concern Growing Over ‘Nefarious’ Website Offering Individuals’ Personal Information, Reputation Rating
Source: KDKA via CBS Pittsburgh
https://pittsburgh.cbslocal.com/2019/05/20/mylife-website-personal-information-rating-reputation/
PITTSBURGH (KDKA) — Ever Googled yourself?
Were you surprised by what you found?
There are all kinds of websites that try to profit from your personal information.
But there is growing concern over one in particular called MyLife.com.
The California-based website sets itself apart by offering many of those details for free, as well as rating people’s reputations.
In this case, it’s a reputation that you have no say in building. Rather, it’s an arbitrary score assigned to you by the website.
MyLife feeds off the idea that reputation matters.
So how do you remove your profile from MyLife?
[also other aggregators /pmw1]
KDKA reached out to MyLife for comment, but so far we have not received a response.

Subject: Finland is winning the war on fake news. Other nations want the blueprint
Source: CNN Special Report
https://www.cnn.com/interactive/2019/05/europe/finland-fake-news-intl/
Helsinki, Finland (CNN) On a recent afternoon in Helsinki, a group of students gathered to hear a lecture on a subject that is far from a staple in most community college curriculums.
Standing in front of the classroom at Espoo Adult Education Centre, Jussi Toivanen worked his way through his PowerPoint presentation. A slide titled “Have you been hit by the Russian troll army?” included a checklist of methods used to deceive readers on social media: image and video manipulations, half-truths, intimidation and false profiles.
The course is part of an anti-fake news initiative launched by Finland’s government in 2014 – two years before Russia meddled in the US elections – aimed at teaching residents, students, journalists and politicians how to counter false information designed to sow division.
The initiative is just one layer of a multi-pronged, cross-sector approach the country is taking to prepare citizens of all ages for the complex digital landscape of today – and tomorrow. The Nordic country, which shares an 832-mile border with Russia, is acutely aware of what’s at stake if it doesn’t.
As the trolling ramped up in 2015, President Sauli Niinisto called on every Finn to take responsibility for the fight against false information. A year later, Finland brought in American experts to advise officials on how to recognize fake news, understand why it goes viral and develop strategies to fight it. The education system was also reformed to emphasize critical thinking.

Subject: Comcast building Amazon Echo-like device, with focus on health care
Source: CNBC via Philadelphia Business Journal
https://www.bizjournals.com/philadelphia/news/2019/05/21/comcast-working-amazon-echo-like-device-with-a.html
Instead of being able to ask for the definition of a word, to control a smart device or to set reminders, the device will work as a kind of guardian monitoring users’ activities. The report said it would be marketed to people who may need more health assistance, like people with disabilities or senior citizens. Sensors would be able to tell if users are taking more bathroom trips, for example, or sleeping more than normal. Fall detection and emergency phone calls are also planned features, and it will include a personality-like interface like Alexa.
Like many tech-focused corporations, Comcast has shown an increased interest in the health care space, most recently with a joint venture with Independence Health Group. Named Quil, the digital health partnership has built a cloud-based platform aimed at providing both patients and caregivers with personalized content and information related to their individual health care needs. Pilots are set to begin later this year.


The Hill
May 29, 2019
A bipartisan group of House members from New York are raising concerns about Chinese involvement in building New York City subway cars, zeroing in on the potential that the new train cars could be hacked or controlled remotely. The group of 15 lawmakers, led by Reps. Kathleen Rice (D-N.Y.) and John Katko (R-N.Y.), wrote a letter to the New York City Transit Authority and the Metropolitan Transit Authority (MTA) recently to “raise concerns regarding the safety and security” of New York City’s transit system following MTA’s decision to allow a Chinese-owned company to design new rail cars for the city. “As you may be aware, critical infrastructure systems around the country have been increasingly targeted in recent years as part of coordinated hacking attempts and other forms of systematic interference, often stemming directly from foreign governments,” the lawmakers wrote.


ADMINISTRATION

E&E News
May 31, 2019
A blue icon with a cannon in the center is floating on Rita Foster's computer screen at the Department of Energy's technology lab in the Idaho desert. The icon looks like a piece from the board game Stratego, and it stands for the malicious strain of Russian malware called CrashOverride that blacked out parts of Kiev, Ukraine, in 2016. More icons on Foster's screen represent other elements of CrashOverride, including a description of tactics used by the hacker group behind the blackout in Eastern Europe. For a utility operator in the United States, accessing the information behind the icon could be the difference between suffering a major breach at the hands of a sophisticated hacking group and stopping the hackers cold. This is no board game, Foster explained, but rather a first-of-its-kind program that allows utility operators to display and analyze threats on their computer screens. It emerged from a $33 million, five-year research project that teamed DOE national laboratories and private cybersecurity firms with California's three largest investor-owned utilities, Pacific Gas and Electric Co., Southern California Edison Co., and San Diego Gas & Electric Co. Through the project, called California Energy Systems for the 21st Century, or CES-21, utilities can access the growing body of cybersecurity knowledge amassed during investigations of specific hacking campaigns.

CyberScoop
May 30, 2019
In the wake of the Baltimore ransomware attack, a senior adviser at the National Security Agency said Thursday there is no “indefensible” nation-state-built tool that is responsible for the spread of ransomware and network administrators have a responsibility to patch their systems, especially when patches have been released for critical flaws. The comments come after The New York Times reported this past week that RobbinHood, the ransomware strain behind the Baltimore ransomware attack, was able to spread on the city IT infrastructure partly due to its use of a leaked NSA tool known as EternalBlue. The Times report, which cites security experts briefed on the matter, states EternalBlue was discovered as incident response teams fixed the issues that had crippled a number of the city’s online services. “The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue,” Rob Joyce, a senior adviser at the NSA, said Thursday according to prepared remarks obtained by CyberScoop. “That is not true.”

Nextgov
Thousands of devices from Huawei, ZTE and other foreign makers that were explicitly banned in the National Defense Authorization Act for fiscal 2019 are still operating in government networks, according to new data from the security firm Forescout. The company recently counted 2,712 Huawei and 1,374 ZTE devices currently deployed in the public sector from local, state and federal government clients who opted to share their data. But the NDAA’s Aug. 13 deadline to have those devices removed from federal networks is approaching. “The bottom line is that they are not allowed to have these manufacturers on their networks so they’ll have to get on track to do that by the deadline,” Katherine Gronberg, Forescout’s vice president of government affairs, told Nextgov. She said Forescout manages millions of federal devices and the number of those prohibited but still being used by the government is only in the thousands.

The Baltimore Sun
May 30, 2019
Baltimore’s information technology office issued a detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system.” The warning, in an undated risk assessment obtained by The Baltimore Sun, foreshadowed the attack this month that brought down the city’s network. It specifically highlights the danger posed by ransomware, saying “extortionists are an increasing threat to any internet-connected systems.” Senior city IT officials had said publicly in recent months that the city’s security systems were out of date — they also were struck by ransomware in 2018. But the risk assessment report lays out a specific vulnerability in greater detail. “If and when the systems are materially compromised, it is no doubt that addressing the fallout from the compromise would be a drain on an already tight budget,” the IT office wrote in the risk assessment.

CyberScoop
May 30, 2019
Gen. Paul Nakasone, head of U.S. Cyber Command, has selected the organization’s chief of staff as his top deputy, a decision that coincides with an ongoing effort to fortify digital readiness before the next election. Rear Adm. Ross Myers, who began his role as the command’s chief of staff last May, was confirmed by the Senate last week and is now a Vice Admiral and a three-star Deputy Commander. Nakasone, who is both the commander of Cyber Command and the Director of the National Security Agency, promoted Myers on Memorial Day. Myers has previously served as director of plans and policy at Cyber Command. He also served in several roles for the Joint Chiefs of Staff, including as assistant deputy director for Global Operations and executive assistant to vice chairman of the Joint Chiefs of Staff. He also is a career naval aviator. The number two position has been open since earlier this year, when Lt. Gen. Vincent Stewart retired. Army Maj. Gen. John Morrison, who has been serving as the commander of Fort Gordon and the Army’s Cyber Center of Excellence, will be taking on Myers’ previous position as the command’s chief of staff.

CBS Philly 3
May 30, 2019
Officials are battling a possible cyber attack on Philadelphia’s judicial website. In addition to creating headaches for employees, it’s causing some delays and confusion for those who access the courts. “We’ve been told there’s no end in sight as of right now,” criminal defense attorney Brian Fishman said. There is anxiety and agitation as a cyber shutdown hits its second week for Philadelphia’s courts. Last Thursday, officials with the First Judicial District announced that a computer virus forced them to take the courts’ website, electronic filing system and employee emails offline. Courtrooms, offices and most phone lines continue to operate, but the digital dilemma has certainly slowed down the wheels of justice.

FCW
The U.S. strategy of penalizing norm-busting behavior in cyberspace centers around attribution of individuals and the nations sponsoring attacks. This approach raises concerns that foreign governments will retaliate by outing U.S. intelligence and cyber operators and generates skepticism that the culprits will ever see the inside of a U.S. courtroom. Officials often talk about attribution as the necessary first step on the road to deterring malicious foreign cyber activity. "Investigations and intelligence … are a step toward identifying who is responsible and holding them accountable. That could be through indictments, but it also informs a whole host of whole-of-government actions: sanctions, diplomatic actions, maybe military or other operational activity," said Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division, at a May 29 Aspen Institute event. "I think you see international partners, like-minded countries coalescing around this approach, and we can't have those norms or means of deterrence if we don't have that underlying attribution," Ugoretz said.

Ars Technica
May 29, 2019
Huawei is asking a federal judge in Texas to strike down federal legislation passed last year that banned Huawei—by name—from selling telecommunications equipment to the federal government. Huawei argues that the legislation violates the Constitution's rule against bills of attainder, laws that single out particular people for punishment. Congress passed the most recent National Defense Authorization Act last August; Huawei launched its legal challenge against the law in March. The company filed a motion for summary judgment in the case on Tuesday. This is a motion that asks the judge to rule on the legal merits in the case prior to the discovery phase, when the two parties get to demand documents from one another to help them build their cases. Huawei hopes to avoid discovery because it could drag on for many months while Huawei is frozen out of competing for federal telecommunications business. The ban passed last year empowers the Secretary of Defense to ban companies from supplying equipment to the federal government—or contractors using federal funds—if he determines they have ties to the Chinese government. Companies put on this list have an opportunity to appeal the decision to the courts.

CyberScoop
The risk posed by foreign-made virtual private network (VPN) applications must be accounted for — even if government device users have avoided such apps — because adversaries are interested in exploiting the software, according to a senior Department of Homeland Security official. “Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes,” Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote in a May 22 letter to Sen. Ron Wyden, D-Ore., obtained by CyberScoop. There is no overarching U.S. policy preventing government mobile device users from downloading foreign VPN apps, according to Krebs. “Even with the implementation of technical solutions, if a U.S. government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely,” Krebs wrote. “This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application.” Exposed phone data would likely include geolocation, contacts, and user history, he added.

The New York Times
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case. Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard.


INDUSTRY

Gov Info Security
May 31, 2019
Checkers Drive-In Restaurants, which also runs Rally's, says 102 of its 900 U.S. locations were hit with point-of-sale malware, with one California restaurant infected over a more than two-year period starting in December 2015. Checkers, which was acquired by private equity firm Oak Hill Capital Partners in 2017, says it "recently" became aware of the malware and is taking steps to remove it. "After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter," according to a statement from Adam Noyes, who is chief administrative officer and executive vice president of Checkers. Retailers, restaurant chains and hotels have been frequent victims of POS malware, which seeks to collect card details during payment processing. POS systems are attractive targets due to the large volumes of card data that are processed.

Wired
May 31, 2019
Two weeks have passed since Microsoft warned users about a critical vulnerability in a common Windows protocol that could enable a hacker to remotely take over machines without even a click from their owners, potentially allowing an infectious worm to rip through millions of PCs. That bug might be fading from the headlines, but it still lingers in at least 900,000 computers. And that vulnerable herd is getting Microsoft's patch at a glacial pace—as a wave of contagion that will likely soon hit all of them looms. BlueKeep, as the bug has come to be known, is a hackable vulnerability in Microsoft’s Remote Desktop Protocol, or RDP, that affects Windows 7 and earlier as well as older versions of Windows Server. The insecure code was spotted and reported by the UK's National Cybersecurity Center, and Microsoft released a patch on May 14. BlueKeep is so serious—rating 9.8 out of 10 in severity, according to Microsoft—that the company even pushed out a rare patch for Windows XP, which it doesn't otherwise support. Microsoft's director of security incident response compared the potential fallout to WannaCry, the North Korean ransomware worm that caused up to $8 billion in damage when it rampaged across the internet in 2017.

Gov Info Security
May 30, 2019
A security researcher has found a significant flaw in all versions of Docker, an open source container platform, that can give attackers read and write access to all the files within the host system, allowing them to execute arbitrary code. As of now, there's no fix for this particular vulnerability, which has been given the designation of CVE-2018-15664, and some proof-of-concept attacks have already been spotted, Aleksa Sarai, a senior software engineer with SUSE Linux GmbH who spotted the flaw, writes in a Tuesday blog. Still, the Docker community decided to allow Sarai to publish his finding this week while a patch is being developed. Containers, which have grown in popularity with developers over the last several years, are a standardized way to package application code, configurations and dependencies into what's known as an object, according to Amazon Web Services.

CyberScoop
May 30, 2019
New York venture capital and private equity firm Insight Partners has acquired a controlling stake in threat intelligence company Recorded Future for $780 million. The cash deal, announced Tuesday, is the highest sale price ever for a firm that provides clients with threat intelligence about the digital risks they need to mitigate. Recorded Future now works with more than 400 clients, including Bank of America, Target and SC Johnson. The firm previously raised $57.9 million from sources including Insight, and it says this deal will accelerate its growth. “This partnership lays the foundation to take our products and software to the next level to best serve our clients, changing the face of our industry as we drive an intelligence-led strategy to help reduce risk and enable business operations for clients around the globe,” Christopher Ahlberg, CEO and co-founder of Recorded Future, said in the announcement.

Gov Info Security
May 30, 2019
News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions. The company says it is taking the password reset precaution "even though the passwords were cryptographically protected and not all users' account information was involved." Flipboard engineers discovered the situation on April 23. Flipboard says one intrusion occurred between June 2, 2018, and March 23, 2019, and another over a shorter period, between April 21 and 22 this year. An unauthorized person "accessed and potentially obtained copies of certain databases containing Flipboard user information," the firm says, noting it has notified law enforcement. "In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist," Flipboard says in an advisory. The data exposed included usernames and passwords that were hashed and salted. For some users, email addresses and tokens used to connect their Flipboard accounts to third-party applications also were exposed. Those tokens have now been invalidated, Flipboard says.

Ars Technica
May 29, 2019
Hackers have been actively exploiting a recently patched vulnerability in some websites that causes the sites to redirect to malicious sites or display misleading popups, security researchers warned on Wednesday. The vulnerability was fixed two weeks ago in WP Live Chat Support, a plugin for the WordPress content management system that has 50,000 active installations. The persistent cross-site scripting vulnerability allows attackers to inject malicious JavaScript into sites that use the plugin, which provides an interface for visitors to have live chats with site representatives. Researchers from security firm Zscaler's ThreatLabZ say attackers are exploiting the vulnerability to cause sites using unpatched versions of WP Live Chat Support to redirect to malicious sites or to display unwanted popups. While the attacks aren't widespread, there have been enough of them to raise concern. "Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as popular plugins that are found in many websites," Zscaler's Prakhar Shrotriya wrote in a post. "An unpatched vulnerability in either the CMS or associated plugins provides an entry point for attackers to compromise the website by injecting malicious code and impacting the unsuspecting users visiting these sites."


INTERNATIONAL

The Hill
May 31, 2019
Secretary of State Mike Pompeo reportedly warned German authorities on Friday that the U.S. could withhold some information related to national security if the country adopts 5G wireless networks run by Chinese firm Huawei. Pompeo told reporters after a meeting with Germany's foreign minister that it was "not possible" to mitigate the risk that the Chinese government would be able to obtain data in Huawei's networks, Reuters reported. “They [Germany] will take their own sovereign decisions, [but we] will speak to them openly about the risks ... and in the case of Huawei the concern is it is not possible to mitigate those anywhere inside of a 5G network,” Pompeo said. The Trump administration has actively urged European nations against adopting Huawei technology in recent months, amid worries about security. The U.S. intelligence community says the company's technology and data could be accessed by the Chinese government, claims Huawei denies.

The Hill
May 31, 2019
China is set to establish an “unreliable entity list” of foreign companies and individuals that “seriously damage” Chinese enterprises, a spokesperson for China’s Commerce Ministry announced Friday. The move is seen as retaliation against efforts by the Trump administration to block Chinese telecom company Huawei from doing business in the U.S. “Foreign enterprises, organizations or individuals that fail to comply with market rules, deviate from the spirit of the contract, and impose a blockade or confiscation of Chinese enterprises for non-commercial purposes, which seriously damage the legitimate rights and interests of Chinese enterprises, will be included in the list of ‘unreliable entities,’” the spokesperson said, adding that “specific measures will be announced in the near future.” President Trump signed an executive order earlier this month that allows his administration to block foreign tech companies from doing business in the U.S. if they are deemed a national security threat. Shortly after, the U.S. Department of Commerce added Huawei to its “entity list,” effectively banning the company from buying components from American companies without government approval.

CyberScoop
May 30, 2019
A proposal from a British spy agency to allow law enforcement access to encrypted communications in certain cases “poses serious threats to cybersecurity and fundamental human rights including privacy and free expression,” a group of security researchers, civil liberties groups, and tech giants like Apple, Google, and Microsoft, have warned. In an open letter to GCHQ, the United Kingdom’s signals intelligence agency, the coalition of tech organizations rejected the agency’s suggestion that adding a law enforcement official to a group chat or call would not threaten civil liberties or the security of encrypted messaging services. If implemented, the GCHQ proposal would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused,” states the letter, which was made public this week. Other signatories include Human Rights Watch, Reporters Without Borders, the Tor Project, and WhatsApp.

BBC
May 30, 2019
New Zealand's Treasury has admitted that details of its budget - leaked earlier this week - were not stolen by hackers but accidentally made available through its website. The government called in police after parts of its budget were released two days early by the opposition National Party. Treasury Secretary Gabriel Makhlouf said it had been "deliberately hacked". But on Thursday he admitted police had found no evidence of illegal activity. "On the available information, an unknown person or persons appear to have exploited a feature in the website search tool, but ... this does not appear to be unlawful," Mr Makhlouf said in a statement. He said the Treasury had prepared a "clone" website ahead of the budget's release on Thursday. While the cloned site was never online, part of its content was accidentally indexed by the live website's search function. As a result, typing in key search terms revealed the embargoed budget details in the search results.

Defense One
May 29, 2019
For the first time, Russia has granted its highest security rating to a domestically developed operating system, deeming Astra Linux suitable for communications of “special importance” across the military and the rest of the government. The designation clears the way for Russian intelligence and military workers who had been using Microsoft products on office computers to use Astra Linux instead. “There is hope that the domestic OS [operating system] will be able to replace the Microsoft product. Of course, this is good news for the Russian market,” said German Klimenko, former IT advisor to Russian President Vladimir Putin and chairman of the board of Russia’s Digital Economy Development Fund, a venture capital fund run by the government. Klimenko spoke to the Russian newspaper Izvestia on Friday. Although Russian officials used Windows for secure communications, they heavily modified the software and subjected Windows-equipped PCs to lengthy and rigorous security checks before putting the computers into use. The testing and analysis was meant to satisfy concerns that vulnerabilities in Microsoft operating systems had been patched, so that countries like the United States could not exploit them. Such evaluations could take three years, according to the newspaper.

Gov Info Security
May 29, 2019
The United Kingdom has seen the number of data breach notifications more than quadruple since Europe's tough new privacy law went into full force. The EU's General Data Protection Regulation went into full effect on May 25, 2018. For the first time, it began requiring all organizations that suffer a data breach putting Europeans' personal data at risk to notify the relevant authorities. The Information Commissioner's Office, which enforces GDPR in the U.K., says that from May 25, 2018, until the beginning of this month, it received 14,072 data breach reports, compared to just 3,311 from April 2017 through April 2018. The increase in data breach notifications is a result of mandatory reporting driving better visibility, security experts say. Before last May, most organizations faced no legal obligation to disclose a data breach. Now they do, which means that more data breach discoveries have been coming to light.

The Guardian
May 28, 2019
People accessing the internet at McDonald’s and Westfield in Australia could be targeted for surveillance by police under new encryption legislation, according to the home affairs department. A briefing by the department, obtained under freedom of information, reveals that police can use new powers to compel a broad range of companies including social media giants, device manufacturers, telcos, retailers and providers of free wifi to provide information on users. The Telecommunications Access and Assistance Act, which passed parliament in December, prompted warnings of legislative overreach, particularly due to the large number of offences with a prison sentence of three years, which bring suspects within reach of the new powers. Despite warnings from the tech sector it would harm Australian companies and a promise from Labor to amend the law, the re-election of the Morrison government means it will continue in its current form – at least for this term of parliament.


TECHNOLOGY

Ars Technica
May 30, 2019
Researchers say they’ve discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks. HiddenWasp, as the malware has been dubbed, is a fully developed suite that includes a trojan, a rootkit, and an initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer’s post went live, the VirusTotal malware service indicated HiddenWasp wasn’t detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command-and-control server that infected computers report to remained operational at the time this article was being prepared.