Wednesday, June 19, 2019

Senators seek answers from Quest Diagnostics after data breach


Vice: The well-known and respected data breach notification website “Have I Been Pwned” is up for sale. Troy Hunt, its founder and sole operator, announced the sale on Tuesday in a blog post where he explained why the time has come for Have I Been Pwned to become part of something bigger and more organized.
“To date, every line of code, every configuration and every breached record has been handled by me alone. There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat,” Hunt wrote. “It’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own.”




CyberScoop
June 7, 2019
In recent years, Department of Justice agencies have quietly acquired and deployed hacking tools in support of their law enforcement mission. A handful of high-profile cases have brought greater scrutiny to those efforts, most notably in 2016 when the FBI used a contractor to crack the San Bernardino shooter’s iPhone. Now, a senator is asking Attorney General William Barr for a more thorough accounting of what law enforcement agencies are doing to protect these software exploits from foreign intelligence agencies and other adversaries. “Just as the American people expect the government to protect its nuclear, chemical, and biological weapons, so too do Americans expect that the government will protect its cyber arsenal from theft by hackers and foreign spies,” Sen. Ron Wyden, D-Ore., wrote to Barr in a letter dated June 5. In particular, the department has invested heavily in tools to break encrypted communications, as top law enforcement officials have lamented the ability of criminals to “go dark.” Transnational crime networks “increasingly rely on encrypted communications to plan and commit crimes, thus forcing the FBI to develop sophisticated technology and methods to disrupt their activities and dismantle their organizations,” the FBI said in its fiscal 2020 budget request.

The South Florida Sun Sentinel
June 7, 2019
The FBI has rejected a request from U.S. Rep. Ted Deutch to release more information about the attempts to infiltrate Florida’s election systems in 2016, including the names of the two counties that were successfully accessed. Deutch, a Democrat who represents parts of Broward and Palm Beach counties, said Friday he first made the request during a classified May 16 briefing the FBI held with members of the Florida congressional delegation about the intrusion. He repeated the request in a May 23 letter to FBI Director Christopher Wray. “We are grateful to have received that important information, but I believe much more of this information can and should be shared with Florida voters and the American people.” In a June 4 response letter to Deutch, released Friday by the congressman’s office, the FBI’s acting section chief of the Office of Congressional Affairs, essentially ignored what Deutch requested. “The FBI’s Cyber Division (CyD) along with our Office of General Counsel (OGC) provided a comprehensive briefing to Members of the Florida Delegation on May 16, 2019. We hope the information conveyed was helpful. Please do not hesitate to contact the Office of Congressional Affairs if you need any additional information,” the FBI’s Charles A. Thorley wrote.

FCW
June 5, 2019
The Defense Department has struggled with recruiting and retaining cyber workers despite existing rapid-hire authorities. DOD reportedly lost about 4,000 cyber-related personnel in 2018 and Congress is taking notice in the 2020 National Defense Authorization Act, which includes a push for more thorough cyber education and hiring efforts. The 2020 NDAA provides a glimpse into the Democrats' defense tech priorities for the next fiscal year. So far, that means tech recruitment with an emphasis on diversity and inclusion, and getting policy conversations started earlier around emerging technologies, such as 5G, artificial intelligence and software development. "The mark places substantial emphasis on the maturation of the Department's science and technology initiatives, ranging from requiring studies on the effects of historically under-funded science and technology activities to an assessment of essential STEM skill sets required to support emerging and future warfighter technologies, including an analysis of the recruiting, retention, and representation of minorities and women in the current and projected workforce," Rep. Jim Langevin (D-RI) said on June 4.

The Hill
June 5, 2019
Democratic Sens. Bob Menendez (N.J.) and Cory Booker (N.J.) want answers from blood-testing company Quest Diagnostics following a recent data breach that exposed the personal information of an estimated 12 million patients, as another firm revealed that it also had medical data exposed by the incident. The breach involved an unauthorized user gaining access to the American Medical Collection Agency (AMCA), a billing provider for Quest, potentially compromising Social Security numbers, financial information and personal medical data. In a Wednesday letter sent to New Jersey-based Quest, the two senators sought details about how the breach occurred and what steps are being taken in response. They specifically took issue with news reports saying it took seven months for the company to publicly disclose the hack.

FCW
June 5, 2019
The Transportation Security Administration's plans for pipeline security aren't keeping up with rising threats in cyberspace, according to the Government Accountability Office. An audit released June 5 found that the agency, which has primary responsibility for monitoring and securing the nation's 2.7 million miles of gas and oil pipelines, hasn't updated two plans that formally outline how agencies and other stakeholders should respond to security incidents in years. TSA last issued its Pipeline Security and Incident Recovery Protocol Plan, which outlines roles and responsibilities for federal agencies and the private sector in the wake of a pipeline security incident, in 2010. Auditors said the plan hasn't been revised since then to account for the rising importance of cybersecurity threats to critical infrastructure. A similar agreement between TSA and the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) outlining specific roles and responsibilities for pipeline security hasn't been updated since 2006.

The Hill
June 4, 2019
Rep. Eliot Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee, placed a hold Tuesday on the State Department’s notification that it plans to establish a Bureau of Cyberspace Securities and Emerging Technologies (CSET), calling its proposed mission too narrow. “While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity,” Engel told The Hill in a statement. “This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and internet freedoms together with security.” Engel was likely referring to the Cyber Diplomacy Act, a bill he co-sponsored along with House Foreign Affairs Ranking Member Michael McCaul (R-Texas) that would establish an Office of International Cyberspace Policy at the State Department. Engel added that the hold on the notification would stand until “the Secretary of State directs his staff to work constructively with Congress to establish a bureau that ensures the Department is able to advance the full range of U.S. interests.”

The Hill
June 4, 2019
A House Appropriations subcommittee approved a bill Monday night that includes $600 million in funding for the Election Assistance Commission (EAC) meant for states to bolster election security, with the money specifically earmarked for states to buy voting systems with “voter-verified paper ballots.” The approval comes as recent remarks by special counsel Robert Mueller emphasizing the dangers posed by foreign interference in U.S. election systems injected new life into the election security debate on Capitol Hill. The Senate already approved a bill Monday night to ban foreign individuals who meddle in U.S. elections from entering the country. The funds are part of the Financial Services fiscal 2020 budget, and were approved by voice vote by the House Appropriations Subcommittee on Financial Services and General Government. The bill now goes to the full House Appropriations Committee for consideration. Should the funding bill be signed into law by President Trump, it would be nearly double the amount of the most recent election security funds states received from Congress.

Nextgov
June 3, 2019
Federal auditors uncovered numerous holes in the Census Bureau’s plans for combating the significant cybersecurity and tech threats facing the 2020 count, which could leave officials struggling to respond to disruptions. The Government Accountability Office found the bureau’s plan for mitigating cybersecurity risks during the 2020 Census left out many of the defensive tactics officials previously said they would use to defend IT systems from attack. For example, the initial plan included no information about how the bureau would gather threat intelligence from other federal agencies, something officials had long said they planned to do, auditors said in a report published Friday. After GAO pointed out the omission, Census officials updated the plan to include threat sharing activities, but it remains “just one of several [cybersecurity] services” other agencies are expected to perform on the bureau’s behalf, auditors said. “If the bureau’s plan for mitigating cybersecurity risks to the census omits such key activities, then the bureau is limited in its ability to track and assess those activities, and to hold individuals accountable for completing activities that could help manage cybersecurity risks,” they wrote.

FCW
June 3, 2019
Members of the House Armed Services Committee want Congress to be kept in the loop when the executive branch launches offensive operations in cyberspace. In a legislative draft of the upcoming National Defense Authorization Act, the House Armed Services Subcommittee on Intelligence and Emerging Threat Capabilities is seeking to amend Title 10 of U.S. law to require that the Secretary of Defense notify congressional defense committees whenever the department engages in sensitive military cyber operations. The draft bill would also include additional parameters that further define what offensive or defensive operations constitute a "sensitive military cyber operation." "The committee notes that the Department's definition of and threshold for sensitive military cyber operations notifications is not aligned with the intent of the committee," the report states. "As military cyber operations increase in frequency and scope, the committee expects to be continually notified and kept fully and currently informed, in order to conduct oversight."

The Hill
June 3, 2019
The Senate cleared legislation on Monday night to block individuals who meddle in U.S. elections from being able to enter the United States. The legislation, known as the Defending Elections against Trolls from Enemy Regimes Act (DETER Act), easily passed the Senate by unanimous consent — a move that any one senator could have blocked. The bill, spearheaded by Sens. Lindsey Graham (R-S.C.) and Dick Durbin (D-Ill.), would block individuals from being able to obtain a visa if they were attempting to or had engaged in "improper interference in U.S. elections." According to the legislation, that would include violating voting or campaign finance laws or trying to interfere in elections or a campaign while under the direction of a foreign government.

FCW
June 3, 2019
House Democrats plan to allocate $35 million for the Technology Modernization Fund in the 2020 Financial Services and General Government appropriations bill. That's quite a bit less than the $150 million sought by the administration in its budget request, but a significant uptick from the $25 million added to the fund in 2019. The TMF was authorized by the Modernizing Government Technology Act in 2018. It allows agencies to access money for tech upgrades that are approved by a board chaired by the federal CIO and including senior tech officials from the General Services Administration and the Department of Homeland Security and others who serve on a rotating basis. TMF launched with $100 million in funding in the 2018 appropriation and was upped by $25 million last year. The original legislative proposal for TMF would have authorized a $3 billion fund, but the effort was dramatically scaled back as the bill wended its way through Congress.


ADMINISTRATION

Nextgov
June 7, 2019
The Defense Department’s $2.2 billion Joint Regional Security Stack is paramount to providing improved cybersecurity across the Pentagon and its components, but an audit released Tuesday suggests its implementation is anything but smooth. The audit, conducted by the Defense Department inspector general, found numerous “critical” security vulnerabilities, training woes and poor oversight of JRSS, which is supposed to eventually provide trusted cyber situational awareness across the Defense Department, improve its security posture and reduce the number of access points to its information network. Despite limited success in reducing more than 2,700 access points across the Army, Navy and Air Force to 131, JRSS isn’t meeting other intended outcomes under the Joint Information Environment. However, two specific outcomes JRSS is intended to meet are redacted in the audit.

Fifth Domain
June 7, 2019
At least three states reportedly targeted by Russian hackers during the 2016 election are part of a new group of states working together with the National Governors Association to enhance cybersecurity as the 2020 election cycle approaches. Election systems in Arizona, Minnesota and Virginia were targeted by Russian hackers in 2016, according to data compiled by the Washington Post. In 2017, the Department of Homeland Security notified 21 states that their election systems had been targeted by Russian hackers during the last presidential election cycle, but did not publicly identify the states. Now, the National Governors Association, a nonpartisan organization that supports governors across the country, will partner with those states as well as Hawaii, Idaho and Nevada to develop new cybersecurity practices to “ensure the integrity of elections in their states.” The organization will work with state officials from June to December, according to a press release from the association June 5.

The New York Times
One year out from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign. Federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.” The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission questioned Area 1 about its request at a public meeting on Thursday, and asked the company to refile the request with a simpler explanation of how it would determine what campaigns qualified for discounted services. Cybersecurity and election experts say time is running out for campaigns to develop tough protections.

Nextgov
June 6, 2019
The Nuclear Regulatory Commission is facing a mass exodus of cybersecurity experts in the years ahead, which could limit its ability to ensure the nation’s nuclear power plants are safe from digital attacks, an internal watchdog found. Nearly one-third of NRC’s cybersecurity inspectors will be eligible for retirement by the end of fiscal 2020, and agency officials worry they aren’t training enough people to take their place, according to the NRC Inspector General. With nuclear power stations becoming increasingly popular targets for online adversaries, the shortage of cyber expertise could leave the agency struggling to do its job, auditors said. “If staffing levels and skill sets do not align with cybersecurity inspection workload requirements, NRC’s ability to adapt to a dynamic threat environment and detect problems with [nuclear power plants’] cyber security programs could be compromised,” they wrote in a recent report.

Ars Technica
June 5, 2019
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds. "All city services remain open, and Baltimore is open for business," Mayor Young said at the briefing, listing off critical services that had continued to function during the network outage. City Finance Director Henry Raymond called the current state of systems "not ideal, but manageable"—some emails and phone services have been restored, and many systems have remained online, but payment processing systems and other tools used to handle transactions with the city remain in manual workaround mode. Department of Public Works Director Rudy Chow warned residents to expect a larger-than-normal water bill in the future, as the city's smart meters and water billing system are still offline and bills cannot be generated.

Nextgov
June 5, 2019
The National Security Agency issued a cybersecurity advisory Wednesday urging Microsoft Windows users to patch a potentially devastating security flaw known as BlueKeep. The NSA advisory says despite public warnings and patch releases by developer Microsoft on May 14, “Potentially millions of machines are still vulnerable” to BlueKeep, with legacy platforms including Windows 7, Windows XP and Server 2003 and 2008 all affected. NSA warns the exploit is “potentially ‘wormable,’” meaning it could spread without user interaction across the internet, akin to past self-spreading exploits like WannaCry, which affected 300,000 machines globally in 2017.

CyberScoop
The State Department has sent to Congress a long-awaited plan to reestablish a cybersecurity-focused bureau it says is key to supporting U.S. diplomatic efforts in cyberspace. The State Department’s new plan, obtained by CyberScoop, would create the Bureau of Cyberspace Security and Emerging Technologies (CSET) to “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.” The new bureau, with a proposed staff of 80 and projected budget of $20.8 million, would be led by a Senate-confirmed coordinator and “ambassador-at-large” with the equivalent status of an assistant secretary of State, who would report to the Undersecretary of State for Arms Control and International Security. The idea comes nearly two years after then-Secretary of State Rex Tillerson announced he would abolish the department’s cybersecurity coordinator position and put its support staff under the department’s economic bureau.

Politico
June 5, 2019
A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, according to a document reviewed by POLITICO and a person with knowledge of the episode. VR Systems, based in Tallahassee but with customers in eight states, used what’s known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot. The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems — not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they’re configured.

CyberScoop
A top federal cybersecurity official said Wednesday the Department of Homeland Security often lacks a clear picture of state and local governments’ network security, even as foreign adversaries increase their attempts to disrupt all levels of the public sector. And while federal agencies are getting better at working with state and local authorities, they face an ongoing challenge of staying ahead of an evolving threat landscape. “We don’t have good visibility in the state and local dot-gov [domain],” Rick Driggers, the deputy assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, said at FedScoop’s FedTalks event in Washington. Driggers said one of the most immediate steps state and local governments can take is to enact more robust information sharing with federal cybersecurity authorities. He said hackers, especially those backed by foreign governments, have increased their focus on state and local governments, raising the threat that a local population could suffer the brunt of a successful cyberattack.


INDUSTRY

Computer Weekly
June 7, 2019
The cyber threat landscape has changed fundamentally, with a very real risk of being caught up in nation state-sponsored activity, says Adam Banks, chief technology and information officer at Danish transport and shipping giant AP Moller–Maersk, which ships 20% of the world’s GDP. This is one of the key learnings from the NotPetya destructive cyber attack in the second quarter of 2017, which cost the company $350m in lost revenue, he told attendees of InfoSecurity Europe 2019 in London. “Company boards and audit committees need to understand that this stuff is real,” said Banks. “NotPetya was explicitly designed to destroy data-processing capability. This is not ransomware that exists to deprive you of your data. It exists to destroy your ability to process it.”

Ars Technica
June 6, 2019
Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday. Triada first came to light in 2016 in articles published by Kaspersky, the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered. Once installed, Triada's chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS' all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers. In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn't be deleted using standard methods, the report said.

The Washington Post
June 5, 2019
LabCorp, a medical testing company, said 7.7 million customers had their personal and financial data exposed through a breach at a third-party billing collections company. The news came just days after the same contractor, American Medical Collection Agency, notified Quest Diagnostics about the full scope of a breach affecting 11.9 million of its patients. That breach allowed an “unauthorized user” to gain access to financial information, Social Security numbers and medical data but not lab results. “AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data,” LabCorp said in a filing Tuesday with the U.S. Securities and Exchange Commission. “LabCorp takes data security very seriously, including the security of data handled by vendors.” The breach did not reveal information such as which tests were ordered or lab results, LabCorp said in the filing. But from August 2018 to March, the hacker was able to access names, birthdays, addresses, phone numbers, dates of service, account balances and other information.

Ars Technica
June 5, 2019
For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal. The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.

Wired
June 5, 2019
When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company's Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself. In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

Reuters
June 5, 2019
Norsk Hydro reported an 82% fall in first-quarter underlying profit on Wednesday as the Norwegian aluminum producer grappled with a curb on its output in Brazil and the impact of a cyber attack. The cost of the cyber attack amounted to between 300 million crowns and 350 million crowns in the first quarter, down from a previous company estimate of up to 450 million Norwegian crowns ($52 million) given on April 30. Still, the fallout from the attack would be felt in the second quarter to the tune of an additional 200 million crowns to 250 million crowns of costs.

Computer Weekly
June 4, 2019
Cyber crime, which is the top cyber threat to business, remains widely under-reported, and only a third of organisations are confident in their ability to detect and respond to threats, a study reveals. Cyber attack vectors remain largely the same year over year, attack volume will increase and cyber crime may be vastly underreported, according to the 2019 State of cybersecurity study from global IT and cyber security association Isaca. “Under-reporting cyber crime – even when disclosure is legally mandated – appears to be the norm, which is a significant concern,” said Greg Touhill, Isaca board director, president of Cyxtera Federal and the first US Federal CISO. “Half of all survey respondents believe most enterprises under-report cyber crime, even when it is required to do so.” The survey of more than 1,500 cyber security professionals around the world, sponsored by HCL, also reveals that only a third of cyber security leaders have high levels of confidence in their cyber security team’s ability to detect and respond to cyber threats.

Gov Info Security
June 3, 2019
A data breach at American Medical Collection Agency has affected nearly 12 million patients who had lab tests performed by Quest Diagnostics. The incident, which appears to be the biggest health data breach to be revealed so far in 2019, exposed financial data, Social Security numbers and certain medical information, the lab test firm reports. In a statement Monday, Secaucus, New Jersey-based Quest Diagnostics says AMCA, based in Elmsford, New York, informed the lab testing firm in May that an "unauthorized user" had access to AMCA's system containing personal information the collections agency received from various entities, including from Quest. Quest Diagnostics says AMCA provides billing collections services to revenue cycle management firm Optum360, which is a Quest contractor. "Quest and Optum360 are working with forensic experts to investigate the matter," Quest Diagnostics says. Optum360 is a unit of the health insurance company UnitedHealth Group.

Wired
June 3, 2019
Two hours into his keynote at Apple’s Worldwide Developers Conference last June, senior vice president Craig Federighi revealed a new privacy feature in MacOS Mojave that forces applications to ask the user if they want to "allow" or "deny" any request to access sensitive components and data, including the camera or microphone, messages, and browsing history. The audience dutifully applauded. But when ex-NSA security researcher Patrick Wardle watched that keynote at his home in Maui a few months later, he had a more dubious reaction. Over the previous year, he had uncovered a way for malware to invisibly click through those prompts, rendering them almost worthless as a security safeguard—not once, but twice. After Wardle had revealed the bugs that allowed those click attacks—one before the WWDC keynote and another one two months later—Apple had fixed them. Now Wardle was watching Apple market those safeguards as an example of its devotion to security in its upcoming operating system. Yesterday, just ahead of this year's WWDC, he's punched a hole in those protections for a third time. Exploiting a bug in Mojave, Wardle has shown yet again that any piece of automated malware can exploit a feature of MacOS known as "synthetic clicks" to breeze through security prompts, allowing the attacker to gain access to the computer's camera, microphone, location data, contacts, messages, and even in some cases to alter its kernel, adding malicious code to the deepest part of the operating system.

Ars Technica
June 3, 2019
Microsoft is finally catching on to a maxim that security experts have almost universally accepted for years: periodic password changes are likely to do more harm than good. In a largely overlooked post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.” The change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of words. Combined with super-fast graphics cards, the hackers can make huge numbers of guesses in off-line attacks, which occur when they steal the cryptographically scrambled hashes that represent the plaintext user passwords.
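The Ars Technica item above describes the mechanism in one sentence: attackers mine breach corpora (the kind of data the Have I Been Pwned item at the top of this digest is about) into dictionaries, then grind stolen hashes offline. The short Python script below is an added example written for this digest, not code from Ars Technica, Microsoft or Have I Been Pwned. It does two things: it runs an offline dictionary attack against unsalted SHA-1 hashes using the kind of mangling rules users apply when a policy forces a change (capitalise, append a digit, a year or "!"), and it shows the replacement control, a screening check against a breached-password corpus in the shape of HIBP's Pwned Passwords range lookup (SHA-1, first five hex characters as the query prefix). The password history, the wordlist and the "breached" corpus are all constructed for the example; the live HIBP API is not called.

```python
"""Added example: why breached-password dictionaries beat forced rotation.

Everything below (the user's password history, the cracker's wordlist, the
breached-password corpus) is constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash format HIBP's Pwned Passwords corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def mangle(word: str) -> Iterable[str]:
    """Cheap rules a cracker applies to every dictionary word.

    These model what users do when a policy forces a change: "summer"
    becomes "Summer2019!", "password" becomes "password123".
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("!", "1", "12", "123", "2019", "2019!", "1!"):
            yield base + suffix


def crack(stolen_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack: hash each candidate once and look it up in the stolen set.

    Returns {hash: recovered_password}. Unsalted hashes mean one guess is
    checked against every stolen hash at the cost of a single SHA-1.
    """
    targets = {h.upper() for h in stolen_hashes}
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha1_hex(candidate)
            if h in targets and h not in found:
                found[h] = candidate
                if len(found) == len(targets):
                    return found
    return found


def build_range_index(breached: Iterable[Tuple[str, int]]) -> Dict[str, Dict[str, int]]:
    """Group a breached corpus by 5-char SHA-1 prefix -> {35-char suffix: count}.

    This mirrors the shape of an HIBP range response; here it is built from a
    constructed local list instead of fetched from the API.
    """
    index: Dict[str, Dict[str, int]] = {}
    for password, count in breached:
        h = sha1_hex(password)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """k-anonymity style screen: only the 5-char prefix would leave the client.

    Returns how many times the password appeared in the corpus (0 = not seen).
    """
    h = sha1_hex(password)
    return index.get(h[:5], {}).get(h[5:], 0)


def demo() -> Tuple[Dict[str, str], int, int]:
    # Constructed: four consecutive passwords one user chose under a 90-day
    # rotation policy. Only the last one is outside the cracker's dictionary.
    history = ["summer2019", "Summer2019!", "password123", "correct-horse-battery"]
    stolen = [sha1_hex(p) for p in history]

    # Constructed: a tiny wordlist of the kind mined from earlier breaches.
    wordlist = ["summer", "password", "welcome", "letmein"]
    cracked = crack(stolen, wordlist)

    # Constructed corpus standing in for the breached-password list.
    index = build_range_index([("password123", 250000), ("summer2019", 4100)])
    return cracked, breach_count("password123", index), breach_count("correct-horse-battery", index)


if __name__ == "__main__":
    cracked, seen, unseen = demo()
    for h, pw in cracked.items():
        print(f"{h[:12]}...  ->  {pw}")
    print("password123 seen in corpus:", seen, "times")
    print("correct-horse-battery seen in corpus:", unseen, "times")
```

Three of the four rotated passwords fall to a four-word dictionary because each rotation only changed a suffix or a capital letter; the one that survives is the one that never appeared in a breach, which is exactly the property a corpus screen at password-set time enforces and a calendar-driven reset does not.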

Wired
June 2, 2019
In 1999, Apple released a slew of new features with Mac OS 9, calling it "the best internet operating system ever." The idea was to unlock the full potential of the turquoise plastic iMac G3—the Internet Mac!—released in 1998. But 12-year-old Joshua Hill didn't have an iMac. To take advantage of all the new connectivity from his parents' mid-'90s Mac Performa, he needed a modem that would plug into the computer through one of its chunky "serial" ports. So, naturally, he swapped his holographic Han Solo trading card with a friend for a 56k modem and started poking around. Twenty years later, his childhood fascination has led him to unearth a modem configuration bug that's been in Apple operating systems all these years. And Apple finally patched it in April. Hill, who is now a vulnerability researcher, is presenting the 20-year-old bug at the Objective by the Sea Mac security conference in Monaco on Sunday. The flaw could have potentially been exploited by an attacker to get persistent, remote root access to any Mac, meaning full access and control. This isn't as bad as it sounds, though, Hill says. The specific exploit string he developed only works on certain generations of OS X and macOS and Apple has added protections since 2016's macOS Sierra that made the bug prohibitively difficult (though still not technically impossible) to exploit in practice.


INTERNATIONAL

Reuters
June 7, 2019
China’s Huawei Technologies needs to raise its “shoddy” security standards which fall below rivals, a senior British cyber security official said on Thursday, as the company came under increasing pressure internationally. The US has led allegations that Huawei’s equipment can be used by Beijing for espionage operations, with Washington urging allies to bar the company from 5G networks. British officials have also raised concerns about security issues but said they can manage the risks and have seen no evidence of spying. Huawei has repeatedly denied the allegations against it. “Huawei as a company builds stuff very differently to their Western counterparts. Part of that is because of how quickly they’ve grown up, part of it could be cultural – who knows,” said Ian Levy, Technical Director of Britain’s National Cyber Security Centre, part of the GCHQ signals intelligence agency. “What we have learnt as a result of that, the security is objectively worse, and we need to cope with that,” he told a conference in London.

The New Zealand Herald
June 7, 2019
The Government did not correct or clarify the description that the Treasury's computer system had been "hacked" for an entire day despite being told by its cybersecurity experts that no hacking had taken place. On the same day - Wednesday last week, the day before Budget day - the National Party also refused to reveal how it had obtained confidential Budget information, instead accusing the Treasury and Finance Minister Grant Robertson of unfairly smearing National. Robertson said yesterday that the Government was being tight-lipped because the Treasury had called in the police, but he was also unlikely to want any further distractions on the eve of the Government's much-hyped Wellbeing Budget. Instead Prime Minister Jacinda Ardern and Robertson spent that Wednesday answering questions about hacking from National MPs in the House, while changing the language to say that the Treasury had been "attacked".

SC Magazine
June 6, 2019
"The biggest threat to our cyber-security is weak cyber-security," said Ciaran Martin, CEO of the National Cyber Security Centre, UK, speaking at Infosecurity Europe in London today (6 June). His observation, based on 1,600 cyber-security breaches from across the past four years, came a day after the Commons Public Accounts Committee’s warning that the UK is more vulnerable to cyber-attacks than ever before. The UK, one of the most sophisticated digital economies in the world with "a brilliant cyber-security industry" is susceptible to cyber-security threats because of two major factors, said Martin. "There are structural flaws in the way the internet works, that market forces won’t fix and therefore some sort of public intervention is necessary."

CyberScoop
June 6, 2019
Undeterred by the reported dumping of its data online, an Iran-linked hacking group has been using malicious documents and files to target telecommunications organizations and impersonate government entities in Iraq, Pakistan, and Tajikistan, researchers said Thursday. The so-called MuddyWater group has been carrying out attacks in two stages against the targets, according to research published by Israeli company ClearSky Cyber Security. The first stage uses lure documents to exploit a known vulnerability in Microsoft Office that allows for remote code execution. The second stage lets the attackers communicate with hacked servers to download an infected file. “This is the first time MuddyWater has used these two vectors in conjunction,” ClearSky said in its research, which warned that just three antivirus engines were detecting the malicious documents analyzed.

BuzzFeed News
June 5, 2019
The European Union’s embassy in Moscow was hacked and had information stolen from its network, according to a leaked internal document seen by BuzzFeed News. An ongoing “sophisticated cyber espionage event” was discovered in April, just weeks before the European Parliament elections — but the European External Action Service (EEAS), the EU’s foreign and security policy agency, did not disclose the incident publicly. Russian entities are believed to be behind the hack, a source, speaking on condition of anonymity, told BuzzFeed News. The EEAS confirmed an incident had taken place and, asked whether the EU’s foreign policy chief Federica Mogherini knew about the incident, said that EEAS hierarchy had been informed.


TECHNOLOGY

CyberScoop
June 7, 2019
It’s a good time to be in the credit card-stealing business. Hacking associations like Magecart — a loose collection of at least 12 groups that specialize in skimming payment data from digital checkout pages — are carrying out more efficient attacks to walk off with online shoppers’ data. By injecting malicious code into vulnerable e-commerce systems, anywhere from the payment system Magento to advertisements and analytics pages, thieves are able to exfiltrate payment information without detection. Before scammers hit Amazon’s CloudFront content delivery network last week and Forbes magazine in May, Magecart was best known for shaking down popular sites like Ticketmaster and British Airways. Each group relies on different techniques, ranging from exploiting server vulnerabilities to using unique skimming code and, in the case of Group 5, which was blamed for the Ticketmaster breach, hacking third-party suppliers.

Gov Info Security
June 7, 2019
A new botnet dubbed GoldBrute is using brute-force or credential-stuffing methods to attack vulnerable Windows machines that have exposed Remote Desktop Protocol connections, according to new research from Morphus Labs. While the end-goal of the group controlling the botnet is not clear, it appears that GoldBrute is currently using brute-force methods to attack about 1.5 million Remote Desktop Protocol servers that have exposed connections to the open internet, Renato Marinho, the chief research officer with Morphus, writes in a blog post published Thursday. A scan using the Shodan search engine shows that there are at least 2.4 million of these exposed Remote Desktop Protocol servers throughout the world. GoldBrute, however, seems to use its own list as part of the attacks and keeps expanding as that list grows, Marinho's research shows.

Ars Technica
June 6, 2019
Millions of Internet-connected machines running the open source Exim mail server may be vulnerable to a newly disclosed vulnerability that, in some cases, allows unauthenticated attackers to execute commands with all-powerful root privileges. The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that's required is for the person to send an email to "${run{...}}@localhost," where "localhost" is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges.

CyberScoop
June 4, 2019
Digital thieves who spent more than two months lurking inside the networks of an Eastern European bank last year used the same techniques as the infamous cybercriminal gang known as FIN7 or Carbanak, according to new research. Romanian security vendor Bitdefender said Tuesday its researchers have uncovered new details about a bank heist in which hackers patiently collected employee credentials and other data meant to help them access banking data and control ATM networks. These findings coincide with previous researchers’ suggestion that FIN7 is a relatively large group made of perhaps a dozen individuals who have been able to weather law enforcement pressure while updating their hacking tactics.