Vice: “The well-known and respected data breach notification website “Have I Been Pwned” is up for sale. Troy Hunt, its founder and sole operator, announced the sale on Tuesday in a blog post where he explained why the time has come for Have I Been Pwned to become part of something bigger and more organized.
“To date, every line of code, every configuration and every breached record has been handled by me alone. There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat,” Hunt wrote. “It’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own.””
CyberScoop
June 7, 2019
In recent years, Department of Justice agencies have quietly acquired and deployed hacking tools in support of their law enforcement mission. A handful of high-profile cases have brought greater scrutiny to those efforts, most notably in 2016 when the FBI used a contractor to crack the San Bernardino shooter’s iPhone. Now, a senator is asking Attorney General William Barr for a more thorough accounting of what law enforcement agencies are doing to protect these software exploits from foreign intelligence agencies and other adversaries. “Just as the American people expect the government to protect its nuclear, chemical, and biological weapons, so too do Americans expect that the government will protect its cyber arsenal from theft by hackers and foreign spies,” Sen. Ron Wyden, D-Ore., wrote to Barr in a letter dated June 5. In particular, the department has invested heavily in tools to break encrypted communications, as top law enforcement officials have lamented the ability of criminals to “go dark.” Transnational crime networks “increasingly rely on encrypted communications to plan and commit crimes, thus forcing the FBI to develop sophisticated technology and methods to disrupt their activities and dismantle their organizations,” the FBI said in its fiscal 2020 budget request.
The South Florida Sun Sentinel
June 7, 2019
The FBI has rejected a request from U.S. Rep. Ted Deutch to release more information about the attempts to infiltrate Florida’s election systems in 2016, including the names of the two counties that were successfully accessed. Deutch, a Democrat who represents parts of Broward and Palm Beach counties, said Friday he first made the request during a classified May 16 briefing the FBI held with members of the Florida congressional delegation about the intrusion. He repeated the request in a May 23 letter to FBI Director Christopher Wray. “We are grateful to have received that important information, but I believe much more of this information can and should be shared with Florida voters and the American people.” In a June 4 response letter to Deutch, released Friday by the congressman’s office, the FBI’s acting section chief of the Office of Congressional Affairs essentially ignored what Deutch requested. “The FBI’s Cyber Division (CyD) along with our Office of General Counsel (OGC) provided a comprehensive briefing to Members of the Florida Delegation on May 16, 2019. We hope the information conveyed was helpful. Please do not hesitate to contact the Office of Congressional Affairs if you need any additional information,” the FBI’s Charles A. Thorley wrote.
FCW
June 5, 2019
The Defense Department has struggled with recruiting and retaining cyber workers despite existing rapid-hire authorities. DOD reportedly lost about 4,000 cyber-related personnel in 2018 and Congress is taking notice in the 2020 National Defense Authorization Act, which includes a push for more thorough cyber education and hiring efforts. The 2020 NDAA provides a glimpse into the Democrats’ defense tech priorities for the next fiscal year. So far, that means tech recruitment with an emphasis on diversity and inclusion, and getting policy conversations started earlier around emerging technologies, such as 5G, artificial intelligence and software development. "The mark places substantial emphasis on the maturation of the Department's science and technology initiatives, ranging from requiring studies on the effects of historically under-funded science and technology activities to an assessment of essential STEM skill sets required to support emerging and future warfighter technologies, including an analysis of the recruiting, retention, and representation of minorities and women in the current and projected workforce," Rep. Jim Langevin (D-RI) said on June 4.
The Hill
June 5, 2019
Democratic Sens. Bob Menendez (N.J.) and Cory Booker (N.J.) want answers from blood-testing company Quest Diagnostics following a recent data breach that exposed the personal information of an estimated 12 million patients, as another firm revealed that it also had medical data exposed by the incident. The breach involved an unauthorized user gaining access to the American Medical Collection Agency (AMCA), a billing provider for Quest, potentially compromising Social Security numbers, financial information and personal medical data. In a Wednesday letter sent to New Jersey-based Quest, the two senators sought details about how the breach occurred and what steps are being taken in response. They specifically took issue with news reports saying it took seven months for the company to publicly disclose the hack.
FCW
June 5, 2019
The Transportation Security Administration's plans for pipeline security aren't keeping up with rising threats in cyberspace, according to the Government Accountability Office. An audit released June 5 found that the agency, which has primary responsibility for monitoring and securing the nation's 2.7 million miles of gas and oil pipelines, hasn't updated two plans that formally outline how agencies and other stakeholders should respond to security incidents in years. TSA last issued its Pipeline Security and Incident Recovery Protocol Plan, which outlines roles and responsibilities for federal agencies and the private sector in the wake of a pipeline security incident, in 2010. Auditors said the plan hasn't been revised since then to account for the rising importance of cybersecurity threats to critical infrastructure. A similar agreement between TSA and the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) outlining specific roles and responsibilities for pipeline security hasn't been updated since 2006.
The Hill
June 4, 2019
Rep. Eliot Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee, placed a hold Tuesday on the State Department’s notification that it plans to establish a Bureau of Cyberspace Securities and Emerging Technologies (CSET), calling its proposed mission too narrow. “While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity,” Engel told The Hill in a statement. “This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and internet freedoms together with security.” Engel was likely referring to the Cyber Diplomacy Act, a bill he co-sponsored along with House Foreign Affairs Ranking Member Michael McCaul (R-Texas) that would establish an Office of International Cyberspace Policy at the State Department. Engel added that the hold on the notification would stand until “the Secretary of State directs his staff to work constructively with Congress to establish a bureau that ensures the Department is able to advance the full range of U.S. interests.”
The Hill
June 4, 2019
A House Appropriations subcommittee approved a bill Monday night that includes $600 million in funding for the Election Assistance Commission (EAC) meant for states to bolster election security, with the money specifically earmarked for states to buy voting systems with “voter-verified paper ballots.” The approval comes as recent remarks by special counsel Robert Mueller emphasizing the dangers posed by foreign interference in U.S. election systems injected new life into the election security debate on Capitol Hill. The Senate already approved a bill Monday night to ban foreign individuals who meddle in U.S. elections from entering the country. The funds are part of the Financial Services fiscal 2020 budget, and were approved by voice vote by the House Appropriations Subcommittee on Financial Services and General Government. The bill now goes to the full House Appropriations Committee for consideration. Should the funding bill be signed into law by President Trump, it would be nearly double the amount of the most recent election security funds states receive from Congress.
Nextgov
June 3, 2019
Federal auditors uncovered numerous holes in the Census Bureau’s plans for combating the significant cybersecurity and tech threats facing the 2020 count, which could leave officials struggling to respond to disruptions. The Government Accountability Office found the bureau’s plan for mitigating cybersecurity risks during the 2020 Census left out many of the defensive tactics officials previously said they would use to defend IT systems from attack. For example, the initial plan included no information about how the bureau would gather threat intelligence from other federal agencies, something officials had long said they planned to do, auditors said in a report published Friday. After GAO pointed out the omission, Census officials updated the plan to include threat sharing activities, but it remains “just one of several [cybersecurity] services” other agencies are expected to perform on the bureau’s behalf, auditors said. “If the bureau’s plan for mitigating cybersecurity risks to the census omits such key activities, then the bureau is limited in its ability to track and assess those activities, and to hold individuals accountable for completing activities that could help manage cybersecurity risks,” they wrote.
FCW
June 3, 2019
Members of the House Armed Services Committee want Congress to be kept in the loop when the executive branch launches offensive operations in cyberspace. In a legislative draft of the upcoming National Defense Authorization Act, the House Armed Services Subcommittee on Intelligence and Emerging Threat Capabilities is seeking to amend Title 10 of U.S. law to require that the Secretary of Defense notify congressional defense committees whenever the department engages in sensitive military cyber operations. The draft bill would also include additional parameters that further define what offensive or defensive operations constitute a "sensitive military cyber operation." "The committee notes that the Department's definition of and threshold for sensitive military cyber operations notifications is not aligned with the intent of the committee," the report states. "As military cyber operations increase in frequency and scope, the committee expects to be continually notified and kept fully and currently informed, in order to conduct oversight."
The Hill
June 3, 2019
The Senate cleared legislation on Monday night to block individuals who meddle in U.S. elections from being able to enter the United States. The legislation, known as the Defending Elections against Trolls from Enemy Regimes Act (DETER Act), easily passed the Senate by unanimous consent — a move that any one senator could have blocked. The bill, spearheaded by Sens. Lindsey Graham (R-S.C.) and Dick Durbin (D-Ill.), would block individuals from being able to obtain a visa if they were attempting to or had engaged in "improper interference in U.S. elections." According to the legislation, that would include violating voting or campaign finance laws or trying to interfere in elections or a campaign while under the direction of a foreign government.
FCW
June 3, 2019
House Democrats plan to allocate $35 million for the Technology Modernization Fund in the 2020 Financial Services and General Government appropriations bill. That's quite a bit less than the $150 million sought by the administration in its budget request, but a significant uptick from the $25 million added to the fund in 2019. The TMF was authorized by the Modernizing Government Technology Act in 2018. It allows agencies to access money for tech upgrades that are approved by a board chaired by the federal CIO and including senior tech officials from the General Services Administration and the Department of Homeland Security and others who serve on a rotating basis. TMF launched with $100 million in funding in the 2018 appropriation and was upped by $25 million last year. The original legislative proposal for TMF would have authorized a $3 billion fund, but the effort was dramatically scaled back as the bill wended its way through Congress.
ADMINISTRATION
Nextgov
June 7, 2019
The Defense Department’s $2.2 billion Joint Regional Security Stack is paramount to providing improved cybersecurity across the Pentagon and its components, but an audit released Tuesday suggests its implementation is anything but smooth. The audit, conducted by the Defense Department inspector general, found numerous “critical” security vulnerabilities, training woes and poor oversight of JRSS, which is supposed to eventually provide trusted cyber situational awareness across the Defense Department, improve its security posture and reduce the number of access points to its information network. Despite limited success in reducing more than 2,700 access points across the Army, Navy and Air Force 131, JRSS isn’t meeting other intended outcomes under the Joint Information Environment. However, two specific outcomes JRSS is intended to meet are redacted in the audit.
Fifth Domain
June 7, 2019
At least three states reportedly targeted by Russian hackers during the 2016 election are part of a new group of states working together with the National Governors Association to enhance cybersecurity as the 2020 election cycle approaches. Election systems in Arizona, Minnesota and Virginia were targeted by Russian hackers in 2016, according to data compiled by the Washington Post. In 2017, the Department of Homeland Security notified 21 states that their election systems had been targeted by Russian hackers during the last presidential election cycle, but did not publicly identify the states. Now, the National Governors Association, a nonpartisan organization that supports governors across the country, will partner with those states as well as Hawaii, Idaho and Nevada to develop new cybersecurity practices to “ensure the integrity of elections in their states.” The organization will work with state officials from June to December, according to a press release from the association June 5.
The New York Times
One year out from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign. Federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.” The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission questioned Area 1 about its request at a public meeting on Thursday, and asked the company to refile the request with a simpler explanation of how it would determine what campaigns qualified for discounted services. Cybersecurity and election experts say time is running out for campaigns to develop tough protections.
Nextgov
June 6, 2019
The Nuclear Regulatory Commission is facing a mass exodus of cybersecurity experts in the years ahead, which could limit its ability to ensure the nation’s nuclear power plants are safe from digital attacks, an internal watchdog found. Nearly one-third of NRC’s cybersecurity inspectors will be eligible for retirement by the end of fiscal 2020, and agency officials worry they aren’t training enough people to take their place, according to the NRC Inspector General. With nuclear power stations becoming increasingly popular targets for online adversaries, the shortage of cyber expertise could leave the agency struggling to do its job, auditors said. “If staffing levels and skill sets do not align with cybersecurity inspection workload requirements, NRC’s ability to adapt to a dynamic threat environment and detect problems with [nuclear power plants’] cyber security programs could be compromised,” they wrote in a recent report.
Ars Technica
June 5, 2019
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds. "All city services remain open, and Baltimore is open for business," Mayor Young said at the briefing, listing off critical services that had continued to function during the network outage. City Finance Director Henry Raymond called the current state of systems "not ideal, but manageable"—some emails and phone services have been restored, and many systems have remained online, but payment processing systems and other tools used to handle transactions with the city remain in manual workaround mode. Department of Public Works Director Rudy Chow warned residents to expect a larger-than-normal water bill in the future, as the city's smart meters and water billing system are still offline and bills cannot be generated.
Nextgov
June 5, 2019
The National Security Agency issued a cybersecurity advisory Wednesday urging Microsoft Windows users to patch a potentially devastating security flaw known as BlueKeep. The NSA advisory says despite public warnings and patch releases by developer Microsoft on May 14, “Potentially millions of machines are still vulnerable” to BlueKeep, with legacy platforms including Windows 7, Windows XP and Server 2003 and 2008 all affected. NSA warns the exploit is “potentially ‘wormable,’” meaning it could spread without user interaction across the internet, akin to past self-spreading exploits like WannaCry, which affected 300,000 machines globally in 2017.
CyberScoop
The State Department has sent to Congress a long-awaited plan to reestablish a cybersecurity-focused bureau it says is key to supporting U.S. diplomatic efforts in cyberspace. The State Department’s new plan, obtained by CyberScoop, would create the Bureau of Cyberspace Security and Emerging Technologies (CSET) to “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.” The new bureau, with a proposed staff of 80 and projected budget of $20.8 million, would be led by a Senate-confirmed coordinator and “ambassador-at-large” with the equivalent status of an assistant secretary of State, who would report to the Undersecretary of State for Arms Control and International Security. The idea comes nearly two years after then-Secretary of State Rex Tillerson announced he would abolish the department’s cybersecurity coordinator position and put its support staff under the department’s economic bureau.
Politico
June 5, 2019
A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, according to a document reviewed by POLITICO and a person with knowledge of the episode. VR Systems, based in Tallahassee but with customers in eight states, used what’s known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot. The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems — not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they’re configured.
CyberScoop
A top federal cybersecurity official said Wednesday the Department of Homeland Security often lacks a clear picture of state and local governments’ network security, even as foreign adversaries increase their attempts to disrupt all levels of the public sector. And while federal agencies are getting better at working with state and local authorities, they face an ongoing challenge of staying ahead of an evolving threat landscape. “We don’t have good visibility in the state and local dot-gov [domain],” Rick Driggers, the deputy assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Agency, said at FedScoop’s FedTalks event in Washington. Driggers said one of the most immediate steps state and local governments can take is to enact more robust information sharing with federal cybersecurity authorities. He said hackers, especially those backed by foreign governments, have increased their focus on state and local governments, raising the threat that a local population could suffer the brunt of a successful cyberattack.
INDUSTRY
Computer Weekly
June 7, 2019
The cyber threat landscape has changed fundamentally, with a very real risk of being caught up in nation state-sponsored activity, says Adam Banks, chief technology and information officer at Danish transport and shipping giant AP Moller–Maersk, which ships 20% of the world’s GDP. This is one of the key learnings from the NotPetya destructive cyber attack in the second quarter of 2017, which cost the company $350m in lost revenue, he told attendees of InfoSecurity Europe 2019 in London. “Company boards and audit committees need to understand that this stuff is real,” said Banks. “NotPetya was explicitly designed to destroy data-processing capability. This is not ransomware that exists to deprive you of your data. It exists to destroy your ability to process it.”
Ars Technica
June 6, 2019
Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday. Triada first came to light in 2016 in articles published by Kaspersky, the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered. Once installed, Triada's chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS' all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers. In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn't be deleted using standard methods, the report said.
The Washington Post
June 5, 2019
LabCorp, a medical testing company, said 7.7 million customers had their personal and financial data exposed through a breach at a third-party billing collections company. The news came just days after the same contractor, American Medical Collection Agency, notified Quest Diagnostics about the full scope of a breach affecting 11.9 million of its patients. That breach allowed an “unauthorized user” to gain access to financial information, Social Security numbers and medical data but not lab results. “AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data,” LabCorp said in a filing Tuesday with the U.S. Securities and Exchange Commission. “LabCorp takes data security very seriously, including the security of data handled by vendors.” The breach did not reveal information such as which tests were ordered or lab results, LabCorp said in the filing. But from August 2018 to March, the hacker was able to access names, birthdays, addresses, phone numbers, dates of service, account balances and other information.
Ars Technica
June 5, 2019
For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal. The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.
Wired
June 5, 2019
When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company's Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself. In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.
Reuters
June 5, 2019
Norsk Hydro reported an 82% fall in first-quarter underlying profit on Wednesday as the Norwegian aluminum producer grappled with a curb on its output in Brazil and the impact of a cyber attack. The cost of the cyber attack amounted to between 300 million crowns and 350 million crowns in the first quarter, down from a previous company estimate of up to 450 million Norwegian crowns ($52 million) given on April 30. Still, the fallout from the attack would be felt in the second quarter to the tune of an additional 200 million crowns to 250 million crowns of costs.
Computer Weekly
June 4, 2019
Cyber crime, which is the top cyber threat to business, remains widely under-reported, and only a third of organisations are confident in their ability to detect and respond to threats, a study reveals. Cyber attack vectors remain largely the same year over year, attack volume will increase and cyber crime may be vastly underreported, according to the 2019 State of cybersecurity study from global IT and cyber security association Isaca. “Under-reporting cyber crime – even when disclosure is legally mandated – appears to be the norm, which is a significant concern,” said Greg Touhill, Isaca board director, president of Cyxtera Federal and the first US Federal CISO. “Half of all survey respondents believe most enterprises under-report cyber crime, even when it is required to do so.” The survey of more than 1,500 cyber security professionals around the world, sponsored by HCL, also reveals that only a third of cyber security leaders have high levels of confidence in their cyber security team’s ability to detect and respond to cyber threats.
Gov Info Security
June 3, 2019
A data breach at American Medical Collection Agency has affected nearly 12 million patients who had lab tests performed by Quest Diagnostics. The incident, which appears to be the biggest health data breach to be revealed so far in 2019, exposed financial data, Social Security numbers and certain medical information, the lab test firm reports. In a statement Monday, Secaucus, New Jersey-based Quest Diagnostics says AMCA, based in Elmsford, New York, informed the lab testing firm in May that an "unauthorized user" had access to AMCA's system containing personal information the collections agency received from various entities, including from Quest. Quest Diagnostics says AMCA provides billing collections services to revenue cycle management firm Optum360, which is a Quest contractor. "Quest and Optum360 are working with forensic experts to investigate the matter," Quest Diagnostics says. Optum360 is a unit of the health insurance company UnitedHealth Group.
Wired
June 3, 2019
Two hours into his keynote at Apple’s Worldwide Developer's Conference last June, senior vice president Craig Federighi revealed a new privacy feature in MacOS Mojave that forces applications to ask the user if they want to "allow" or "deny" any request to access sensitive components and data, including the camera or microphone, messages, and browsing history. The audience dutifully applauded. But when ex-NSA security researcher Patrick Wardle watched that keynote at his home in Maui a few months later, he had a more dubious reaction. Over the previous year, he had uncovered a way for malware to invisibly click through those prompts, rendering them almost worthless as a security safeguard—not once, but twice. After Wardle had revealed the bugs that allowed those click attacks—one before the WWDC keynote and another one two months later—Apple had fixed them. Now Wardle was watching Apple market those safeguards as an example of its devotion to security in its upcoming operating system. Yesterday, just ahead of this year's WWDC, he's punched a hole in those protections for a third time. Exploiting a bug in Mojave, Wardle has shown yet again that any piece of automated malware can exploit a feature of MacOS known as "synthetic clicks" to breeze through security prompts, allowing the attacker to gain access to the computer's camera, microphone, location data, contacts, messages, and even in some cases to alter its kernel, adding malicious code to the deepest part of the operating system.
Ars Technica
June 3,
2019
Microsoft
is finally catching on to a maxim that security experts have almost universally
accepted for years: periodic password changes are likely to do more harm than
good. In a largely overlooked post published late last month, Microsoft said it
was removing periodic password changes from the security baseline settings it
recommends for customers and auditors. After decades of Microsoft recommending
passwords be changed regularly, Microsoft employee Aaron Margosis said the
requirement is an “ancient and obsolete mitigation of very low value.” The
change of heart is largely the result of research that shows passwords are most
prone to cracking when they’re easy for end users to remember, such as when
they use a name or phrase from a favorite movie or book. Over the past decade,
hackers have mined real-world password breaches to assemble dictionaries of
millions of words. Combined with super-fast graphics cards, the hackers can
make huge numbers of guesses in off-line attacks, which occur when they steal
the cryptographically scrambled hashes that represent the plaintext user
passwords.
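The Ars Technica item above describes the two things a defender can actually control against the offline attack it outlines: screening new passwords against the breach-derived dictionaries attackers use (the control Microsoft's baseline favours over forced rotation) and storing passwords with a deliberately slow, salted hash so each stolen-hash guess costs real compute. The following is an added illustration, not code from Microsoft or from the article; the breach dictionary, the mangling rules in `normalize`, and the PBKDF2 iteration count are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed stand-in for a breached-password dictionary (assumption: real
# lists hold millions of entries; this one exists only for the example).
BREACHED = {"password", "letmein", "starwars", "gandalf", "winteriscoming", "qwerty"}

# Assumed PBKDF2 work factor. Raise it until a single guess costs on the order
# of 100 ms on your hardware; that per-guess cost is what shrinks an offline
# attacker's guess rate, GPU or not.
ITERATIONS = 200_000


def normalize(pw: str) -> str:
    """Strip the mangling users typically apply to a memorable word
    (case, trailing digits and punctuation) so 'Gandalf1!' matches 'gandalf'.
    The rule set is an assumption for the example, not a published standard."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())


def is_breached(pw: str) -> bool:
    """True when the password, or its de-mangled form, appears in the dictionary."""
    return pw.lower() in BREACHED or normalize(pw) in BREACHED


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user defeats shared
    rainbow tables; PBKDF2-HMAC-SHA256 makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def register(pw: str) -> Tuple[bytes, bytes]:
    """Screen at set time instead of rotating later; reject dictionary hits."""
    if is_breached(pw):
        raise ValueError("password appears in breach dictionary")
    return hash_password(pw)


if __name__ == "__main__":
    for attempt in ("Gandalf1!", "correct horse battery staple"):
        try:
            salt, digest = register(attempt)
            print(f"accepted {attempt!r}; verifies: {verify_password(attempt, salt, digest)}")
        except ValueError as exc:
            print(f"rejected {attempt!r}: {exc}")
```

The screening step is what replaces periodic rotation: a user who keeps a strong, unbreached password indefinitely is in better shape than one who rotates through `Winteriscoming1`, `Winteriscoming2`, and so on, which the normalizer collapses to the same dictionary word.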
Wired
June 2, 2019
In 1999,
Apple released a slew of new features with Mac OS 9, calling it "the best
internet operating system ever." The idea was to unlock the full potential
of the turquoise plastic iMac G3—the Internet Mac!—released in 1998. But
12-year-old Joshua Hill didn't have an iMac. To take advantage of all the new
connectivity from his parents' mid-'90s Mac Performa, he needed a modem that
would plug into the computer through one of its chunky "serial"
ports. So, naturally, he swapped his holographic Han Solo trading card with a
friend for a 56k modem and started poking around. Twenty years later, his
childhood fascination has led him to unearth a modem configuration bug that's
been in Apple operating systems all these years. And Apple finally patched it
in April. Hill, who is now a vulnerability researcher, is presenting the
20-year-old bug at the Objective by the Sea Mac security conference in Monaco
on Sunday. The flaw could have potentially been exploited by an attacker to get
persistent, remote root access to any Mac, meaning full access and control.
This isn't as bad as it sounds, though, Hill says. The specific exploit string
he developed only works on certain generations of OS X and macOS and Apple has
added protections since 2016's macOS Sierra that made the bug prohibitively
difficult (though still not technically impossible) to exploit in practice.
INTERNATIONAL
Reuters
June 7, 2019
China’s
Huawei Technologies needs to raise its “shoddy” security standards which fall
below rivals, a senior British cyber security official said on Thursday, as the
company came under increasing pressure internationally. The US has led
allegations that Huawei’s equipment can be used by Beijing for espionage
operations, with Washington urging allies to bar the company from 5G networks.
British officials have also raised concerns about security issues but said they
can manage the risks and have seen no evidence of spying. Huawei has repeatedly
denied the allegations against it. “Huawei as a company builds stuff very
differently to their Western counterparts. Part of that is because of how
quickly they’ve grown up, part of it could be cultural – who knows,” said Ian
Levy, Technical Director of Britain’s National Cyber Security Centre, part of
the GCHQ signals intelligence agency. “What we have learnt as a result of that,
the security is objectively worse, and we need to cope with that,” he told a
conference in London.
The New Zealand Herald
June 7, 2019
The
Government did not correct or clarify the description that the Treasury's
computer system had been "hacked" for an entire day despite being
told by its cybersecurity experts that no hacking had taken place. On the same
day - Wednesday last week, the day before Budget day - the National Party also
refused to reveal how it had obtained confidential Budget information, instead
accusing the Treasury and Finance Minister Grant Robertson of unfairly smearing
National. Robertson said yesterday that the Government was being tight-lipped
because the Treasury had called in the police, but he was also unlikely to want
any further distractions on the eve of the Government's much-hyped Wellbeing
Budget. Instead Prime Minister Jacinda Ardern and Robertson spent that
Wednesday answering questions about hacking from National MPs in the House,
while changing the language to say that the Treasury had been "attacked".
SC Magazine
June 6, 2019
"The
biggest threat to our cyber-security is weak cyber-security," said Ciaran
Martin, CEO of the National Cyber Security Centre, UK, speaking at Infosecurity
Europe in London today (6 June). His observation, based on 1,600 cyber-security
breaches from across the past four years, came a day after the Commons Public
Accounts Committee’s warning that the UK is more vulnerable to cyber-attacks
than ever before. The UK, one of the most sophisticated digital economies in
the world with "a brilliant cyber-security industry" is susceptible to
cyber-security threats because of two major factors, said Martin. "There
are structural flaws in the way the internet works, that market forces won’t
fix and therefore some sort of public intervention is necessary."
CyberScoop
June 6, 2019
Undeterred
by the reported dumping of its data online, an Iran-linked hacking group has
been using malicious documents and files to target telecommunications
organizations and impersonate government entities in Iraq, Pakistan, and
Tajikistan, researchers said Thursday. The so-called MuddyWater group has been
carrying out attacks in two stages against the targets, according to research
published by Israeli company ClearSky Cyber Security. The first stage uses lure
documents to exploit a known vulnerability in Microsoft Office that allows for
remote code execution. The second stage lets the attackers communicate with
hacked servers to download an infected file. “This is the first time MuddyWater
has used these two vectors in conjunction,” ClearSky said in its research,
which warned that just three antivirus engines were detecting the malicious
documents analyzed.
BuzzFeed News
June 5, 2019
The European Union’s embassy in Moscow was hacked and had information
stolen from its network, according to a leaked internal document seen by
BuzzFeed News. An ongoing “sophisticated cyber espionage event” was discovered
in April, just weeks before the European Parliament elections — but the
European External Action Service (EEAS), the EU’s foreign and security policy
agency, did not disclose the incident publicly. Russian entities are believed
to be behind the hack, a source, speaking on condition of anonymity, told
BuzzFeed News. The EEAS confirmed an incident had taken place and, asked
whether the EU’s foreign policy chief Federica Mogherini knew about the
incident, said that EEAS hierarchy had been informed.
TECHNOLOGY
CyberScoop
June 7, 2019
It’s a good
time to be in the credit card-stealing business. Hacking associations like
Magecart — a loose collection of at least 12 groups that specialize in skimming
payment data from digital checkout pages — are carrying out more efficient
attacks to walk off with online shoppers’ data. By injecting malicious code
into vulnerable e-commerce systems in anywhere from the payment system Magento
to advertisements and analytics pages, thieves are able to exfiltrate payment
information without detection. Before scammers hit Amazon’s CloudFront content
delivery network last week and Forbes magazine in May, Magecart was best known
for shaking down popular sites like Ticketmaster and British Airways. Each
group relies on different techniques, ranging from exploiting server
vulnerabilities to using unique skimming code and, in the case of Group 5,
which was blamed for the Ticketmaster breach, hacking third-party suppliers.
Gov Info Security
June 7, 2019
A new
botnet dubbed GoldBrute is using brute-force or credential-stuffing methods to
attack vulnerable Windows machines that have exposed Remote Desktop Protocol
connections, according to new research from Morphus Labs. While the end-goal of
the group controlling the botnet is not clear, it appears that GoldBrute is
currently using brute-force methods to attack about 1.5 million Remote Desktop
Protocol servers that have exposed connections to the open internet, Renato
Marinho, the chief research officer with Morphus, writes in a blog post published
Thursday. A scan using the Shodan search engine shows that there are at least
2.4 million of these exposed Remote Desktop Protocol servers throughout the
world. GoldBrute, however, seems to use its own list as part of the attacks and
keeps expanding as that list grows, Marinho's research shows.
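The GoldBrute item above names two distinct behaviours a defender would want to tell apart on an exposed RDP host: classic brute force (one account, many password guesses) and credential stuffing (many accounts, one or a few guesses each, drawn from a breached list). The block below is an added illustration, not code from Morphus Labs or the article; it runs the two detections over constructed Windows Security events modelled on failed-logon records (assumed: event ID 4625 for failures, 4624 for success, logon type 10 for RDP sessions and 3 for network pre-authentication), with thresholds and the 10-minute window chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Logon(NamedTuple):
    ts: datetime
    event_id: int    # assumed: 4625 = failed logon, 4624 = successful logon
    logon_type: int  # assumed: 10 = RemoteInteractive (RDP), 3 = Network (NLA)
    user: str
    src_ip: str


def ev(minute: int, event_id: int, logon_type: int, user: str, src: str) -> Logon:
    """Build a constructed event at 2019-06-06 09:00 plus `minute`."""
    return Logon(datetime(2019, 6, 6, 9, 0) + timedelta(minutes=minute),
                 event_id, logon_type, user, src)


# Constructed sample events for the example; not taken from any real log.
SAMPLE_EVENTS: List[Logon] = [
    # benign: an admin mistypes once, then signs in
    ev(0, 4625, 10, "admin", "10.0.0.5"),
    ev(1, 4624, 10, "admin", "10.0.0.5"),
    # brute force: one account, a dozen failures from one source in 12 minutes
    *[ev(i, 4625, 3, "administrator", "203.0.113.9") for i in range(12)],
    # credential stuffing: eight different accounts, one failure each, same source
    *[ev(i, 4625, 3, f"user{i:02d}", "198.51.100.44") for i in range(8)],
    # low-rate noise that should stay below threshold
    ev(3, 4625, 10, "jsmith", "10.0.0.7"),
    ev(40, 4625, 10, "jsmith", "10.0.0.7"),
]

RDP_LOGON_TYPES = {3, 10}


def classify_sources(events: List[Logon],
                     window: timedelta = timedelta(minutes=10),
                     fail_threshold: int = 5,
                     user_threshold: int = 5) -> Dict[str, str]:
    """Sliding-window count of failed RDP logons per source IP.

    Returns {src_ip: "brute_force" | "credential_stuffing"} for every source
    that produced at least `fail_threshold` failures inside `window`; the
    number of distinct accounts in that burst decides which label applies.
    """
    failures: Dict[str, List[Logon]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == 4625 and e.logon_type in RDP_LOGON_TYPES:
            failures[e.src_ip].append(e)

    verdict: Dict[str, str] = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # advance the window's left edge until the burst fits inside it
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < fail_threshold:
                continue
            distinct_users = {e.user for e in burst}
            verdict[src] = ("credential_stuffing"
                            if len(distinct_users) >= user_threshold
                            else "brute_force")
            break  # first qualifying burst is enough to flag the source
    return verdict


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {label}")
```

Because both behaviours arrive as ordinary failed logons, a rule that only counts failures per account misses the stuffing case (each account fails once); grouping by source and then counting distinct accounts is what separates the two, and either label is a reason to take the RDP listener off the open internet rather than just to block one IP.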
Ars Technica
June 6, 2019
Millions of
Internet-connected machines running the open source Exim mail server may be
affected by a newly disclosed vulnerability that, in some cases, allows
unauthenticated attackers to execute commands with all-powerful root
privileges. The flaw, which dates back to version 4.87 released in April 2016,
is trivially exploitable by local users with a low-privileged account on a
vulnerable system running with default settings. All that's required is for the
person to send an email to "${run{...}}@localhost," where
"localhost" is an existing local domain on a vulnerable Exim
installation. With that, attackers can execute commands of their choice that
run with root privileges.
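The trigger the Ars Technica item describes, a recipient address whose local part carries Exim's `${...}` string-expansion syntax, is something no legitimate mailbox name ever contains, which makes it a cheap thing to hunt for in mail logs while a patch is rolled out. The block below is an added illustration, not code from the Exim project or the article: it scans constructed log lines whose layout approximates Exim's message-arrival ("<=") records and flags any recipient containing `${`. The log format and sample addresses are assumptions for the example.

```python
import re
from typing import List, Tuple

# Constructed sample lines approximating Exim main-log arrival records; the
# layout is an assumption for the example, not copied from a real host. The
# third line carries the expansion syntax the article describes, with the
# command elided exactly as the article prints it.
SAMPLE_LOG = """\
2019-06-05 10:11:12 1hYAbc-0001Aa-2b <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=1842 for bob@localhost
2019-06-05 10:11:40 1hYAbd-0001Ab-3c <= carol@example.net H=(client) [198.51.100.7] P=esmtp S=912 for dave@localhost
2019-06-05 10:12:03 1hYAbe-0001Ac-4d <= mallory@example.com H=(x) [203.0.113.5] P=esmtp S=640 for ${run{...}}@localhost
2019-06-05 10:12:30 1hYAbf-0001Ad-5e <= erin@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2200 for frank@localhost bob@localhost
"""

# Arrival records end with "for <recipient> [<recipient> ...]".
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= .* for (?P<rcpts>.+)$")

# "${" opening a string expansion has no business in an address local part.
EXPANSION_RE = re.compile(r"\$\{")


def suspicious_recipients(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, message_id, recipient) for each recipient whose
    local part contains Exim expansion syntax."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # not an arrival record; deliveries, rejects, etc. are skipped
        for rcpt in m.group("rcpts").split():
            local_part, _, _domain = rcpt.rpartition("@")
            if EXPANSION_RE.search(local_part):
                hits.append((m.group("ts"), m.group("msgid"), rcpt))
    return hits


def source_hosts(log_text: str, message_ids: List[str]) -> List[str]:
    """Pull the bracketed client IP for the given message IDs so a responder
    can pivot from the flagged message to its sender."""
    ips: List[str] = []
    for line in log_text.splitlines():
        for msgid in message_ids:
            if f" {msgid} " in line:
                m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
                if m:
                    ips.append(m.group(1))
    return ips


if __name__ == "__main__":
    hits = suspicious_recipients(SAMPLE_LOG)
    for ts, msgid, rcpt in hits:
        print(f"{ts} {msgid}: expansion syntax in recipient {rcpt!r}")
    print("client IPs:", source_hosts(SAMPLE_LOG, [h[1] for h in hits]))
```

A hit on this check is worth treating as an attempted exploit regardless of whether the host was patched, since the address itself is the payload; the same regex applied at the MTA's recipient-verification stage, rather than after the fact in logs, is the corresponding preventive control.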
CyberScoop
June 4, 2019
Digital
thieves who spent more than two months lurking inside the networks of an
Eastern European bank last year used the same techniques as the infamous
cybercriminal gang known as FIN7 or Carbanak, according to new research.
Romanian security vendor Bitdefender said Tuesday its researchers have
uncovered new details about a bank heist in which hackers patiently collected
employee credentials and other data meant to help them access banking data and
control ATM networks. These findings coincide with previous researchers’
suggestion that FIN7 is a relatively large group made of perhaps a dozen
individuals who have been able to weather law enforcement pressure while
updating their hacking tactics.