Young mum's passport held over alleged $4.8m share scam
Jasmine Vella-Arpaci is allegedly part of a massive identity fraud that has stolen or attempted to steal $4.8 million in shares.
Card fraud becoming 'user-friendly' on black market
A stolen Uber account racked up $1,500 across two continents, revealing a growing economy in stolen payment details.
Singapore proposes dropping VAT on cryptocurrencies
The Inland Revenue Authority of Singapore (IRAS) has released a draft
proposal to exempt cryptocurrencies that are intended to function as a
medium of exchange from Goods and Services Tax.
A recently published U.S. Internal Revenue
Service (IRS) slide describes recommendations on how tax agents should deal
with digital currency users who are not paying taxes. The slide recommends that
agents question crypto users’ friends and family, comb through social media
posts and issue subpoenas to make sure U.S. residents are paying taxes on their
cryptocurrencies.
Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y'all boarding passes to spies
Patched IDOR hole would have been child's play to exploit
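Added here to illustrate the IDOR class the headline refers to (example code, not Amadeus's or The Register's): a check-in style lookup keyed by a booking reference, first with the identifier as the only gate, then hardened so the authenticated passenger must own the record. The PNRs, account ids and flight numbers are constructed.

```python
"""Insecure direct object reference (IDOR) in a check-in style lookup.

Constructed example: an in-memory store of boarding passes keyed by a
booking reference (PNR). The vulnerable handler trusts the reference in
the request alone; the hardened one also requires that the authenticated
passenger own the booking.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


@dataclass(frozen=True)
class BoardingPass:
    pnr: str            # six-character booking reference (constructed)
    passenger_id: str   # account that owns the booking (constructed)
    flight: str
    seat: str


# Constructed sample data. Real PNRs are short and drawn from a small
# alphabet, so they are cheap to enumerate if nothing else is checked.
BOARDING_PASSES = {
    "ABC123": BoardingPass("ABC123", "user-alice", "XY101", "12A"),
    "ABC124": BoardingPass("ABC124", "user-bob", "XY101", "12B"),
}


def get_boarding_pass_vulnerable(pnr: str) -> BoardingPass:
    """IDOR: any valid PNR returns the record; ownership is never checked."""
    try:
        return BOARDING_PASSES[pnr]
    except KeyError:
        raise Forbidden("unknown booking") from None


def get_boarding_pass_hardened(pnr: str, current_user: str) -> BoardingPass:
    """Authorize on the object, not just on the identifier.

    The lookup key is still the PNR, but the record is only returned when
    the authenticated principal owns it. Unknown and foreign bookings raise
    the same error so the endpoint does not reveal which PNRs exist.
    """
    record = BOARDING_PASSES.get(pnr)
    if record is None or record.passenger_id != current_user:
        raise Forbidden("booking not found for this account")
    return record


def can_read(pnr: str, current_user: str) -> bool:
    """True when the hardened handler would release the record."""
    try:
        get_boarding_pass_hardened(pnr, current_user)
        return True
    except Forbidden:
        return False


def error_message(pnr: str, current_user: str) -> str:
    """Message the hardened handler gives the caller, or "" on success.

    Used to confirm that a foreign booking and a non-existent one are
    indistinguishable to the requester.
    """
    try:
        get_boarding_pass_hardened(pnr, current_user)
        return ""
    except Forbidden as exc:
        return str(exc)


if __name__ == "__main__":
    # Bob is authenticated but supplies Alice's booking reference.
    print(get_boarding_pass_vulnerable("ABC123").seat)   # Alice's seat leaks
    print(can_read("ABC123", "user-bob"))                # False once hardened
```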
MIT Sloan Management Review – By examining cybercrime through a value-chain lens, we can better understand how the ecosystem works and find new strategies for combating it. “…Attackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly? If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen.
An email arrives. It's from the boss. Subject: Hybrid Cloud. You gulp. You get the cloud – but what's this 'hybrid' bit?
TPB homes in on 350 high-risk practitioners | Accountants Daily
FCW
July 12, 2019
Filling the Defense Department's 12 leadership vacancies is vital for military
accountability to civilians and overall "effectiveness and efficiency of
the department," said Army Chief of Staff Gen. Mark Milley during his
Senate nomination hearing for chairman of the Joint Chiefs of Staff July 11.
Senate Armed Services Committee leaders, Chairman James Inhofe (R - Okla.) and
Ranking Member Jack Reed (D-R.I.), expressed displeasure with DOD's vacancies
-- and lack of presidential nominations -- during the hearing. Milley also
briefly touched on cyber warfare during his testimony. "Good offense is
critical, it is the best defense," he said of cyber operations. "We
also need to improve the network and resilience in defensive capabilities of
the military and the United States at large with the infrastructure."
Milley's written testimony homed in on cybersecurity, advising Cyber Command
and the National Security Agency to continue with the "dual-hatted"
leadership while seeking a cyber review for the Joint Chiefs. "The current
'dual hat' configuration between U.S. Cyber Command and the National Security
Agency is working well and should be maintained," Milley said, adding that
if confirmed, the issue would be carefully attended and based on the best
military advice.
CyberScoop
July 12, 2019
Almost one year after President Donald Trump issued a classified memorandum that has made
it easier for the Pentagon to run offensive cyber-operations against U.S.
adversaries, lawmakers still haven’t seen the details of the document, and they
want the details from the White House. Thursday evening the House of
Representatives added a provision to the National Defense Authorization Act
that would compel the White House to turn over the memorandum as well as any
others relating to the Pentagon’s cyber-operations. The amendment was part
of an “en bloc” package, meaning both sides accepted by voice vote without
debate, signaling to the White House just how much interest there is — on both
sides of the aisle — in allowing the legislative branch to see the memorandum.
Part of the concern is that with increased authorizations to run offensive
operations against adversaries, the administration runs the risk of escalating
tensions with adversaries in cyberspace without proper Congressional oversight,
according to Rep. Jim Langevin, D-RI, who has been a driving force behind the
amendment.
FCW
July 12, 2019
The heads of agencies charged with protecting the cybersecurity of electrical
transmission infrastructure told members of the House Energy and Commerce
Committee's Energy Subcommittee that they're addressing supply chain concerns
on a number of fronts. The top managers of the Office of Cybersecurity, Energy
Security, and Emergency Response (CESER); the Federal Energy Regulatory
Commission (FERC); and the North American Electric Reliability Corporation
(NERC) faced questions in a July 12 hearing from lawmakers concerned about
whether gear from Chinese manufacturers Huawei and ZTE is showing up in bulk
power companies' operations. NERC President and CEO Jim Robb said his
organization plans additional action over Huawei/ZTE concerns in the coming
days. NERC first issued a bulletin to grid providers in March in response to
the administration's prohibitions of those companies' products.
The Washington Post
July 10, 2019
The full House and Senate were briefed about election security Wednesday by the Trump
administration’s top intelligence, homeland security and cybersecurity
officials as the parties continue to battle over how to protect the 2020
elections against foreign threats. Director of National Intelligence Daniel
Coats; FBI Director Christopher A. Wray; the director of the National Security
Agency and commander of U.S. Cyber Command, Gen. Paul M. Nakasone; and acting
homeland security secretary Kevin McAleenan were among the senior officials who
spoke to the full complement of House members and senators in back-to-back
briefings. They told the lawmakers about the state of election security,
including the new tools the government has equipped itself with to identify and
avert future organized attempts to interfere with federal elections. Democrats
and Republicans left the sessions expressing confidence in the officials’
efforts, even while the parties remain bitterly divided as to whether President
Trump is taking election security seriously enough.
The Hill
July 10, 2019
A pair of House lawmakers from Florida have introduced new legislation that would require
the Department of Homeland Security (DHS) to notify voters and other parties of
potential breaches to election systems. Reps. Stephanie Murphy (D) and Mike
Waltz (R) introduced their measure following revelations earlier this year that
Russia infiltrated computer networks in two counties in the Sunshine State
ahead of the 2016 presidential election. Members of the Florida congressional
delegation blasted federal agencies in May for their lack of transparency about
the cyberattacks, saying they only received an FBI briefing on the matter when
former special counsel Robert Mueller revealed in his report that the bureau
was investigating a Moscow-led hack into "at least one" Florida
county. The FBI, which informed the Florida delegation that Russia had
infiltrated a second county, has not permitted the members of Congress to
reveal the names of which counties were targeted.
The Washington Post
July 10, 2019
U.S. Customs and Border Protection was not informed that a hacker had stolen a huge
cache of sensitive border-surveillance documents until nearly three weeks after
the cyberattack was first discovered, according to a new timeline provided
Wednesday by the subcontractor Perceptics, raising new questions over a breach
that left travelers’ images and license plates open to potential abuse.
Perceptics, the Tennessee-based maker of the U.S. government’s widely used
license-plate scanners, offered a timeline of the breach to The Washington Post
late Wednesday after a CBP official told Congress that a “significant amount of
time” passed before the agency was alerted to the document theft. By that time,
the stolen files — including private images, hardware diagrams and other
sensitive records detailing the surveillance systems of U.S. border checkpoints
— had already been made freely available on a corner of the Internet known as
the “dark web.” Perceptics told The Post that it learned of the breach May 13,
immediately contacted a cyber-forensics firm and reported suspicious emails to
the FBI within 24 hours. The company said it also notified Unisys, the
information-technology giant for whom Perceptics was doing subcontracting work,
during an in-person meeting on May 17, and that it was “told that Unisys would
notify CBP” because the larger company maintained “communication with CBP for
all contractual matters.”
The Hill
July 8, 2019
Sens. Gary Peters (D-Mich.) and Marco Rubio (R-Fla.) introduced legislation Monday
designed to protect small businesses from cyberattacks by making it easier for
those companies to access tools to protect themselves. The Small Business
Cybersecurity Assistance Act would authorize Small Business Development Centers
(SBDCs) to work with the Department of Homeland Security (DHS) to provide
consulting to small businesses on how to strengthen their cybersecurity
protocols. It would also require DHS to develop materials and programs for
SBDCs to help the small businesses in their area defend against cyberattacks.
Peters and Rubio cited an industry report that found that small businesses
accounted for 43 percent of data breaches in 2018, in touting the need for
legislation.
ADMINISTRATION
CyberScoop
July 12, 2019
The largest health insurance company in the Pacific Northwest says it will pay $10.4
million to 30 states to settle an investigation into a data breach that compromised
information on more than 10 million people. The settlement, entered into court
Thursday, requires Premera Blue Cross to pay $5.4 million to Washington to
resolve an investigation that determined the company was slow to patch known
security vulnerabilities. Hackers had access to customers’ medical records,
bank account information and Social Security numbers from May 2014 until May
2015. The remaining $5 million will be split between other states. The case is
the latest example of how, in the absence of federal leadership, state
attorneys are taking legal action following large-scale security incidents.
Connecticut and Illinois have opened investigations into the breach this year
at the American Medical Collection Agency, which affected at least 20 million
people. Other state lawsuits have resulted in settlements from Equifax, Uber
and others.
The Hill
July 11, 2019
The Federal Election Commission (FEC) on Thursday approved a request from a private company
to provide discounted cybersecurity services to political campaigns, saying it
did not violate campaign finance rules. The decision came in response to a
request from Area 1 Security, a California-based company, to offer
cybersecurity services to federal political candidates and political committees
at discounted rates. The FEC, which has jurisdiction over campaign finance for
presidential and congressional elections, decided the arrangement did not
violate campaign contribution rules because the company offers similar
discounted services to nonpolitical clients as well. The decision allows the
company to sell anti-phishing services to federal candidates and political
committees for as little as $1,337 per year, according to the FEC.
Fifth Domain
The expected nomination of Vice Adm. Michael Gilday to lead the Navy brings forward
an officer with key cyber experience to the top echelons of military
leadership. Gilday, a career surface warfare officer, led the Navy’s component
to U.S. Cyber Command, 10th Fleet/Fleet Cyber Command, from July 2016 to June
2018. He would be the first officer to lead a service that has also commanded a
service cyber component. Many in the national security community have said that
modern conflicts will require a “multi-domain” approach, one in which
capabilities from all five domains of warfare (land, sea, air, space and cyber)
will be included. Gilday’s cyber experience will help normalize cyber
operations at the Joint Chiefs level.
The NY Daily News
July 11, 2019
Monroe College’s computer system was hacked by someone demanding a $2 million ransom
College’s computer system was hacked by someone demanding a $2 million ransom
in Bitcoin, the Daily News has learned. A hacker crippled the Bronx-based
school’s computer network by encrypting its files remotely at 6:45 a.m.
Wednesday, authorities said. Police sources say the attack affected each of
Monroe’s campuses in Manhattan, New Rochelle and St. Lucia. Nearly 8,000
students are enrolled at the college. The school’s website was completely
inaccessible after the hack, though its Facebook page is still up. A
spokeswoman for Monroe said emails have also been compromised, but that classes
remain in session. Their payroll system is handled by an outside firm and was
not impacted, she said.
AP
July 11, 2019
A federal judge has ordered Georgia election officials to allow computer experts and
judge has ordered Georgia election officials to allow computer experts and
lawyers to review the databases used to create ballots and count votes. The
ruling came Tuesday in a lawsuit that challenges Georgia’s election system and
seeks statewide use of hand-marked paper ballots. U.S. District Judge Amy
Totenberg gave the state until Friday to turn over electronic copies of the
databases to the plaintiffs’ lawyers and computer experts. The lawsuit was
filed by a group of voters and the Coalition for Good Governance, an election
integrity advocacy organization. It argues that the paperless touchscreen
voting machines Georgia has used since 2002 are insecure, vulnerable to hacking
and unable to be audited. Lawyers for the plaintiffs have argued that they need
to inspect the databases at issue because they provide the information that is
loaded onto voting machines and then record the cast vote records.
ZDNet
July 11, 2019
The US Conference of Mayors unanimously adopted yesterday a resolution not to pay any
Conference of Mayors unanimously adopted yesterday a resolution not to pay any
more ransom demands to hackers following ransomware infections. "Paying
ransomware attackers encourages continued attacks on other government systems,
as perpetrators financially benefit," the adopted resolution reads.
"The United States Conference of Mayors has a vested interest in
de-incentivizing these attacks to prevent further harm," it said.
"NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of
Mayors stands united against paying ransoms in the event of an IT security
breach." The resolution adopted this week at the 87th annual meeting of the
US Conference of Mayors is not legally binding, but can be used as an
official position to justify administrative actions, for both federal
authorities and taxpayers alike.
Nextgov
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency
published security tips Tuesday to educate users on how to best protect
themselves against threats from applications installed on their smartphones and
other personal devices. “When you download an app, it may ask for permission to
access personal information—such as email contacts, calendar inputs, call logs,
and location data—from your device,” the agency warns. “[Y]ou should be aware
that app developers will have access to this information and may share it with
third parties, such as companies who develop targeted ads based on your
location and interests.” According to CISA, it’s imperative that users ensure
they are downloading apps solely from legitimate sources, and specifically on
official app stores. Users should also read the apps’ permissions and privacy
policies (which are frequently extensive and dense).
CyberScoop
July 10, 2019
When U.S. Cyber Command warned last week that a hacking group was using a Microsoft
Cyber Command warned last week that a hacking group was using a Microsoft
Outlook vulnerability previously leveraged by an Iran-linked malware campaign,
it appeared to be signaling just how much the military knows about those
operations. But the alert was significant in other ways: behind-the-scenes
details uncovered by CyberScoop show that it is an example of how the U.S.
government has built up its use of the information-sharing platform VirusTotal
so the private sector gets more information sooner. Along with Cyber Command’s
warning, which also was shared in a tweet, the Department of Homeland Security
(DHS) released its own private warning to industry, CyberScoop has learned. The
department’s traffic light protocol (TLP) alert covered the same threat that
Cyber Command would eventually post to VirusTotal. In going public with the
malicious files, Cyber Command appears to have revealed new information about
how Iran-linked actors leveraged another malware family, known as Shamoon, as
recently as 2017, according to Chronicle, which owns VirusTotal. Not only is it
believed to be the first time Cyber Command has documented Iranian activity in
a VirusTotal upload, but former Pentagon and intelligence officials also say
the specific details of the upload show that the military wants to enhance its
information sharing in a way that supports the cybersecurity mission of the
entire U.S. government.
Nextgov
As more everyday items like toasters, TVs and thermostats become connected to the
internet, the rules for keeping those devices secure must be able to evolve as
quickly as the technology itself, experts said Tuesday. Congress and government
regulators have spent years debating the best strategies for securing the
billions of network-connected devices that permeate virtually every corner of
the physical world. Last month, the National Institute of Standards and
Technology published guidelines for managing security on the internet of things,
and lawmakers have introduced multiple bills over the past year meant to secure
connected devices purchased by federal agencies. While today most people agree
the tech should follow a set of minimum security standards, experts fear
regulations that are “overly prescriptive” could hinder security rather than
help. “It’s hard to tell manufacturers a discrete set of things you should do
till the end of time for all devices, because [that guidance] is based on
today,” Michael Fagan, a cyber specialist at NIST, said on a panel hosted by
the Telecommunications Industry Association. “We don’t know where devices will
go in the future.” During the event, Fagan and other industry cyber experts
warned that legislation mandating specific protections might not even be
applicable to tomorrow’s tech because it’s based on the use cases and threats
facing the tools today. The internet of things is changing so rapidly, and its
evolution is so unpredictable, that even basic rules like requiring devices to
come with changeable passwords could quickly become “stale,” they said.
CyberScoop
July 9, 2019
The U.S. Coast Guard has issued a safety alert encouraging mariners to follow basic
Coast Guard has issued a safety alert encouraging mariners to follow basic
cybersecurity protocols after a ship bound for the East Coast experienced a
“significant cyber incident” in February. The Coast Guard said the deep draft
ship was traveling to the Port of New York and New Jersey from international
waters earlier this year when it experienced an incident affecting its
shipboard network. An interagency team of specialists responded, finding that
“malware significantly degraded the functionality of the onboard computer
system,” though the boat’s essential controls were not affected, the Coast
Guard said Monday. The shipboard network had been used to conduct official
business, like updating electronic charts, managing cargo information and
communicating with onshore resources. The warning comes as maritime traffic has
become a prominent venue for ongoing tensions between Iran and Saudi Arabia and
its allies, including the United States. In March, the FBI privately notified
industry of cyberthreats to U.S. commercial and military vessels.
The Philadelphia Inquirer
July 9, 2019
Pennsylvania Gov. Tom Wolf announced a $90 million bond issue Tuesday to fund a statewide
Gov. Tom Wolf announced a $90 million bond issue Tuesday to fund a statewide
voting machine upgrade effort that he ordered more than a year ago to ensure
that every vote cast creates a paper trail that can be checked by voters and
audited. Republicans who control the state legislature pushed back immediately,
questioning the legality of Wolf’s maneuver. The new money would cover around
60 percent of the estimated $150 million cost for the state’s 67 counties, and
answer months of uncertainty over funding. “Everybody in this building
recognizes that we’ve got to support the counties,” Wolf said. “This cannot be
an unfunded mandate.” House Appropriations Committee Chairman Stan Saylor (R.,
York), however, called it an “executive overreach.” “So far, the governor has
not stated his legal authority to bond $90 million without legislative
approval,” he said in a statement.
AP
July 8, 2019
Federal agents descended on the suburban Maryland house with the flash and bang of a
agents descended on the suburban Maryland house with the flash and bang of a
stun grenade, blocked off the street and spent hours questioning the homeowner
about a theft of government documents that prosecutors would later describe as
“breathtaking” in its scale. The suspect, Harold Martin, was a contractor for
the National Security Agency. His arrest followed news of a devastating
disclosure of government hacking tools by a mysterious internet group calling
itself the Shadow Brokers. It seemed to some that the United States might have
found another Edward Snowden, who also had been a contractor for the agency.
“You’re a bad man. There’s no way around that,” one law enforcement official
conducting the raid told Martin, court papers say. “You’re a bad man.” Later
this month, about three years after that raid, the case against Martin is
scheduled to be resolved in Baltimore’s federal court. But the identity of the
Shadow Brokers, and whoever was responsible for a leak with extraordinary
national security implications, will remain a public mystery even as the case
concludes.
Nextgov
The National Security Agency is failing to live up to government standards for
National Security Agency is failing to live up to government standards for
cybersecurity, leaving the spy agency potentially vulnerable to digital
attacks, according to an internal watchdog. The NSA Inspector General on Monday
revealed the organization, which collects and analyzes some of the government’s
most sensitive intelligence, doesn’t always follow its own rules for
keeping that information secure. Auditors also found the agency held onto some
of that data for longer than the law permits and failed to implement
protections against insider threats. The report, which summarizes dozens of IG
audits and investigations conducted between October 2018 and March 2019, offers
a rare glimpse inside an agency whose inner workings are usually sealed off
from the public.
The Boston Globe
July 8, 2019
Government watchdogs say it is “shortsighted” for Governor Gina M. Raimondo’s
watchdogs say it is “shortsighted” for Governor Gina M. Raimondo’s
administration to eliminate the state’s first cabinet-level cybersecurity
officer position at a time when cyberattacks are on the rise and the 2020
presidential election is on the horizon. In April 2017, the administration
trumpeted the hiring of Mike Steinmetz as the state’s first cybersecurity
officer and its homeland security adviser, saying that “in the ever-changing
technology ecosystem, it is imperative that Rhode Island stay up to speed.” But
the administration slashed his $184,446 salary from the budget and at the end
of June Steinmetz left to join a Providence venture capital firm.
Administration officials said Steinmetz had recently completed a “Rhode Island
State Cybersecurity Strategy” and that other parts of state government would
now handle cybersecurity and homeland security duties. John M. Marion,
executive director of Common Cause Rhode Island, said the move runs counter to
efforts by other states to bolster election cybersecurity. With the 2020
election approaching, the state’s Board of Elections lacks in-house
cybersecurity expertise, he said.
The New York Times
Audrey Sikes, city clerk of Lake City, Fla., has a thing for documents: She does not
like losing them. It falls to Ms. Sikes, as official custodian of records for
this city of 12,000 people about an hour west of Jacksonville, to maintain Lake
City’s archives. She keeps a log of public record requests and has spreadsheets
that track things like property deeds and building permits. She spent years
digitizing all the papers of a city that incorporated before the Civil War.
“It’s everything I do,” Ms. Sikes said. Did. More than 100 years’ worth of
municipal records, from ordinances to meeting minutes to resolutions and City
Council agendas, have been locked in cyberspace for nearly a month, hijacked by
unidentified hackers who encrypted the city’s computer systems and demanded
more than $460,000 in ransom. Weeks after the city’s insurer paid the ransom,
the phones are back on and email is once again working, but the city has still
not recovered all of its files. There is a possibility that thousands of pages
of documents that had been painstakingly digitized by Ms. Sikes and her team
will have to be manually scanned, again. “It puts us years and years and years
behind,” Ms. Sikes said.
INDUSTRY
ZDNet
July 12, 2019
Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32
cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32
million) worth of cryptocurrency assets after a hack that happened late
yesterday, July 11. The exchange suspended all deposits and withdrawals this
morning to investigate the hack, it said in a press release. In a more detailed
document released by RemixPoint, the legal entity behind Bitpoint, the company
said that hackers stole funds from both of its "hot" and
"cold" wallets. This suggests the exchange's network was thoroughly
compromised. Hot wallets are used to store funds for current transactions,
while the cold wallets are offline devices storing emergency and long-term
funds. Bitpoint reported the attackers stole funds in five cryptocurrencies,
including Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum. The exchange
said it detected the hack because of errors related to the remittance of Ripple
funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint
admins realized they had been hacked, and three hours later, they discovered
thefts from other cryptocurrency assets.
Reuters
July 11, 2019
China's ZTE opened a cybersecurity lab in Brussels on Wednesday, aiming to boost
opened a cybersecurity lab in Brussels on Wednesday, aiming to boost
transparency four months after bigger telecoms equipment rival Huawei did the
same to allay concerns about spying. Chinese vendors of network gear are being
scrutinized by the United States and some of its allies who believe the
equipment could be used by Beijing to spy on customers if deployed in 5G
networks, which are beginning to be built around the world. Huawei, the world's
biggest maker of telecoms network gear, has been blacklisted by the U.S.
government, meaning that U.S. companies need special approval - which they are
unlikely to get - to export products to the Chinese company. Huawei has denied
the U.S. allegations. ZTE, which is not blacklisted, said its new cyber lab
would allow customers, regulators and other stakeholders to review its source
code and documents and to carry out software testing to simulate hacking
attacks.
TechCrunch
July 10, 2019
Apple has released a silent update for Mac users removing a vulnerable component in Zoom,
released a silent update for Mac users removing a vulnerable component in Zoom,
the popular video conferencing app, which allowed websites to automatically add
a user to a video call without their permission. The Cupertino, Calif.-based
tech giant told TechCrunch that the update — now released — removes the hidden
web server, which Zoom quietly installed on users’ Macs when they installed the
app. Apple said the update does not require any user interaction and is
deployed automatically. The video conferencing giant took flak from users
following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in
which he described how “any website [could] forcibly join a user to a Zoom
call, with their video camera activated, without the user’s permission.” The
undocumented web server remained installed even if a user uninstalled Zoom.
Leitschuh said this allowed Zoom to reinstall the app without requiring any user
interaction.
The Wall Street Journal
July 10, 2019
Cybersecurity-software company McAfee LLC is planning to return to the public markets, joining a
company McAfee LLC is planning to return to the public markets, joining a
record rush of initial public offerings. McAfee and its owners are meeting with
bankers this week to discuss plans for a listing that could come as soon as
this year, according to people familiar with the matter. An IPO could raise at
least $1 billion and value McAfee at more than $5 billion, one of the people
said. There is no guarantee the company will successfully stage an IPO or
achieve that valuation.
Gov Info Security
July 10, 2019
Security researchers have uncovered a new vulnerability in a Siemens software platform
researchers have uncovered a new vulnerability in a Siemens software platform
that helps maintain industrial control systems for large critical
infrastructure facilities, such as nuclear power plants. If exploited, an
attacker could gain access to these systems for espionage or cause widespread physical
damage, researchers at the security firm Tenable warned in a blog published
Tuesday. The vulnerability is in the same Siemens software platform used by the
originators of Stuxnet to help spread that malware against Iran's nuclear
facilities nearly a decade ago. Earlier this month, Siemens issued a patch for
the vulnerability, dubbed CVE-2019-10915. Joe Bingham, a senior research
engineer with Tenable, tells Information Security Media Group that the
vulnerability apparently has not been exploited in the wild. Tenable and
Siemens are urging organizations that use this software for industrial control
systems to apply the patch as soon as possible.
Ars Technica
July 10, 2019
Whitehats used a novel denial-of-service hack to score a key victory against ransomware
used a novel denial-of-service hack to score a key victory against ransomware
criminals. Unfortunately, the blackhats have struck back by updating their
infrastructure, leaving the fight with no clear winner. Researchers at security
firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a
largely undetected strain that, as its name suggests, infects network storage
devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The
hack spread by exploiting Secure Shell (SSH) connections that used weak
passwords. The researchers’ analysis found that each victim received a unique
bitcoin wallet for sending ransoms, a measure that was most likely intended to
prevent the attackers from being traced. The analysis also showed that
QNAPCrypt only encrypted devices after they received the wallet address and a
public RSA key from the command-and-control server. Intezer researchers soon
noticed two key weaknesses in that process. The weaknesses allowed the
researchers to write a script that could emulate an unlimited number of
simulated infections. After spoofing infections for nearly 1,100 devices from
15 separate campaigns, the whitehats exhausted the supply of unique bitcoin
wallets the attackers had pre-generated. As a result, the campaigns were
disrupted, since devices are only encrypted after they receive the wallet.
Wired
July 9, 2019
After initially saying that it wouldn't issue a full fix for a vulnerability
initially saying that it wouldn't issue a full fix for a vulnerability
disclosed on Monday, the video conferencing service Zoom has changed course.
The company now tells WIRED that it will push a patch on Tuesday to alter
Zoom's functionality and eliminate the bug. You should update Zoom now. The
Zoom controversy stems from the service's slippery video streaming settings
that launch instantly on Macs when users join a call. Late Monday evening, the
company published an extensive statement defending the practice and addressing
other bugs found by security researcher Jonathan Leitschuh. But it declined to
fully address the concern that an attacker could distribute a malicious Zoom
call URL, trick users into clicking it, and then open a channel to their lives
when their webcam automatically activated. Zoom originally said that it would
adjust the settings by which a user chooses to launch video by default with
every call.
CyberScoop
July 9, 2019
A flaw in
the firmware of anesthesia and respiratory devices made by General Electric
could allow a hacker to change the composition of gases dispensed by the
equipment, putting patients at risk, cybersecurity researchers warned Tuesday.
“If exploited, this vulnerability could directly impact the confidentiality,
integrity and availability of device components,” CyberMDX, the health care
security company that discovered the issue, said in a statement. For the
vulnerability to be exploited, a hacker would need access to a hospital’s
network and for the machines to be connected to a terminal server, or one that
allows enterprises to connect to multiple systems, according to CyberMDX. But
with that access, an attacker could not only alter gas composition, the
researchers said, but also silence alarms on the equipment and change dates and
timestamps that document a patient’s surgery. “Once the integrity of time and
date settings has been compromised, you no longer have reliable audit trails,”
said Elad Luz, head of research at CyberMDX. “That’s a very serious problem for
any medical center.” The vulnerability is in versions 7100 and 7900 of GE’s
Aestiva and Aespire anesthesia devices. The Department of Homeland Security
amplified the warning in a separate advisory on Tuesday that encouraged users
to report any malicious activity related to the vulnerability.
INTERNATIONAL
Politico
July 11, 2019
Europe's
cybersecurity authorities are struggling to pick their next chief of the
beefed-up EU Cybersecurity Agency — and time is running out. The EU Agency for
Cybersecurity, formerly known as ENISA, got more powers under the new
"Cybersecurity Act," a landmark regulation that came into force at
the end of last month. The agency will in coming years draft certification
schemes to better protect internet-connected devices, boost the security of 5G
telecom networks and raise security standards for cloud providers, among other
things. Current Executive Director Udo Helmbrecht's second term ends in
mid-October and his replacement is chosen by the management board, which
includes the national EU cybersecurity authorities as well as representatives
of the European Commission. But a selection procedure that should have ended
last March has run into trouble. POLITICO spoke to more than half a dozen
people close to the process who said the Commission had run into problems
drafting its shortlist, and that national agencies are very sensitive about the
selection — leading to a slow and painstaking appointment process.
Reuters
July 9, 2019
Firefox
browser maker Mozilla is blocking the United Arab Emirates’ government from
serving as one of its internet security gatekeepers, citing Reuters reports on
a UAE cyber espionage program. Mozilla said in a statement on Tuesday it was
rejecting the UAE’s bid to become a globally recognized internet security
watchdog, empowered to certify the safety of websites for Firefox users.
Mozilla said it made the decision because cybersecurity firm DarkMatter would
have administered the gatekeeper role and it had been linked by Reuters and
other reports to a state-run hacking program. Reuters reported in January that
Abu Dhabi-based DarkMatter provided staff for a secret hacking operation,
codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit
was composed largely of former U.S. intelligence officials who conducted
offensive cyber operations for the UAE government.
Gov Info Security
July 9, 2019
Britain's
privacy watchdog has previewed a suggested fine of £99 million ($125 million)
under the EU's General Data Protection Regulation against hotel giant Marriott
for its failure to more rapidly detect and remediate a data breach that
persisted for four years. The massive data breach exposed approximately 339
million customer records globally, of which about 30 million related to
residents of 31 countries in the European Economic Area and 7 million to U.K.
residents, Britain's Information Commissioner's Office said on Tuesday. The ICO
enforces the country's data protection laws, including GDPR. The previewed GDPR
fine was first revealed on Tuesday when Marriott International, based in
Bethesda, Maryland, said in a filing with the U.S. Securities and Exchange
Commission that "the U.K. Information Commissioner's Office (ICO) has communicated
its intent to issue a fine in the amount of £99,200,396 against the company in
relation to the Starwood guest reservation database incident that Marriott
announced on November 30, 2018."
The New York Times
July 8, 2019
The British
authorities said on Monday that they intended to order British Airways to pay a
fine of nearly $230 million for a data breach last year, the largest penalty
against a company for privacy lapses under a new European data protection law.
Poor security at the airline allowed hackers to divert about 500,000 customers
visiting the British Airways website last summer to a fraudulent site, where
names, addresses, login information, payment card details, travel bookings and
other data were taken, according to the Information Commissioner’s Office, the
British agency in charge of reviewing data breaches. In a statement, British Airways
said it was “surprised and disappointed” by the agency’s finding and would
dispute the judgment. The penalty signals a new era for companies that
experience large-scale data breaches. Frustrated that businesses were not doing
enough to protect people’s online information, European policymakers last year
adopted a new law, the General Data Protection Regulation, known as G.D.P.R.,
which allows regulators in each European Union country to issue fines of up to
4 percent of a company’s global revenue for a breach. And by acting against an
iconic British brand, officials showed that enforcement would not be limited to
American-based tech companies, which have been seen as a primary target.
TECHNOLOGY
Ars Technica
July 11, 2019
Website
drive-by attacks that try to booby trap visitors’ routers are alive and well,
according to antivirus provider Avast, which blocked more than 4.6 million of
them in Brazil over a two-month span. The attacks come from compromised
websites or malicious ads that attempt to use cross-site request forgery
attacks to change the domain name system settings of visitors’ routers. When
successful, the malicious DNS settings redirect targets to websites that spoof
Netflix and a host of banks. Over the first half of the year, Avast software
detected more than 180,000 routers in Brazil that had hijacked DNS settings,
the company reported. The attacks work when routers use weak administrative
passwords and are vulnerable to CSRF attacks. Attackers use the malicious DNS
settings to phish passwords, display malicious ads inside legitimate webpages,
or use a page visitor’s computer to mine cryptocurrencies.
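The router-hijacking item above turns on one mechanism: a router's settings form that honours any authenticated POST, so a hidden form on a compromised site or malicious ad can change the DNS servers using the browser's own session. The following is an added example, not code from the news item or from any router vendor: a minimal model of a DNS-settings handler in its CSRF-vulnerable form beside a hardened form that requires a session-bound CSRF token and checks the request origin. The router address, session id, form fields and handler names are constructed for the example; the weak-password precondition the article mentions is outside its scope (it assumes the admin is already logged in).

```python
"""Added example (not from the article or any vendor): a DNS-settings handler
with and without CSRF protection, modelled as plain functions so it runs offline.
All names, addresses and session values below are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"      # constructed LAN address of the router's admin UI
SESSIONS = {"sess-abc": "admin"}          # constructed: one logged-in admin session
CSRF_SECRET = secrets.token_bytes(32)     # per-boot secret from which tokens are derived


@dataclass
class RouterConfig:
    dns_servers: list = field(default_factory=lambda: ["1.1.1.1", "1.0.0.1"])


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    # Token bound to the session (HMAC over the session id). A page on another
    # origin cannot read it, so it cannot be embedded in a forged form.
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_set_dns_vulnerable(cfg: RouterConfig, req: Request) -> bool:
    """Any authenticated POST is honoured. The browser attaches the session cookie
    automatically, so a hidden auto-submitting form on a malicious page changes
    the DNS servers without the user noticing."""
    if req.method != "POST" or req.cookies.get("session") not in SESSIONS:
        return False
    cfg.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return True


def handle_set_dns_hardened(cfg: RouterConfig, req: Request) -> bool:
    """Same handler with two independent checks: a session-bound CSRF token and an
    Origin/Referer check against the router's own origin. Either one alone rejects
    the forged request; using both covers clients that strip one of the signals."""
    if req.method != "POST":
        return False
    session_id = req.cookies.get("session")
    if session_id not in SESSIONS:
        return False
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(ROUTER_ORIGIN):
        return False
    cfg.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return True


def forged_request() -> Request:
    # What a hidden form on an attacker-controlled page produces: the browser adds
    # the router session cookie, but the Origin is foreign and the page never
    # learned the CSRF token. Addresses are constructed (TEST-NET range).
    return Request("POST",
                   {"Origin": "http://malicious-ad.example"},
                   {"session": "sess-abc"},
                   {"dns1": "203.0.113.5", "dns2": "203.0.113.6"})


def legitimate_request() -> Request:
    # The admin submitting the router's own form, which carries the token.
    return Request("POST",
                   {"Origin": ROUTER_ORIGIN},
                   {"session": "sess-abc"},
                   {"dns1": "9.9.9.9", "dns2": "149.112.112.112",
                    "csrf_token": csrf_token_for("sess-abc")})


def demo() -> dict:
    """Run each handler against a fresh config; returns (accepted, resulting DNS)."""
    results = {}
    cfg = RouterConfig()
    results["vulnerable_forged"] = (handle_set_dns_vulnerable(cfg, forged_request()), list(cfg.dns_servers))
    cfg = RouterConfig()
    results["hardened_forged"] = (handle_set_dns_hardened(cfg, forged_request()), list(cfg.dns_servers))
    cfg = RouterConfig()
    results["hardened_legit"] = (handle_set_dns_hardened(cfg, legitimate_request()), list(cfg.dns_servers))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The vulnerable handler accepts the forged POST and rewrites the resolvers; the hardened one rejects it while still accepting the admin's own submission. The same check applies to any state-changing endpoint on a LAN device, and the Origin check is the cheaper of the two to retrofit on firmware that has no session-bound token.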
ZDNet
July 10, 2019
The Caps
Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate
data from a secure air-gapped system, academics from an Israeli university have
proved. The attack, which they named CTRL-ALT-LED, is nothing that regular
users should worry about but is a danger for highly secure environments such as
government networks that store top-secret documents or enterprise networks
dedicated to storing non-public proprietary information. The attack requires
some prerequisites, such as the malicious actor finding a way to infect an
air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration
method. But once these prerequisites are met, the malware running on a system
can make the LEDs of a USB-connected keyboard blink at rapid speeds, using a
custom transmission protocol and modulation scheme to encode the transmitted
data. A nearby attacker can record these tiny light flickers, which they can
decode at a later point, using the same modulation scheme used to encode it.
The research team behind this exfiltration method says it tested the
CTRL-ALT-LED technique with various optical capturing devices, such as a
smartphone camera, a smartwatch's camera, security cameras, extreme sports
cameras, and even high-grade optical/light sensors.