Wednesday, July 24, 2019

New Audit Finds More Security Vulnerabilities at IRS


Gov Info Security
July 19, 2019
The Internal Revenue Service's internal financial reporting systems and IT infrastructure have 14 new security vulnerabilities, along with a long list of previously unresolved deficiencies, according to the U.S. Government Accountability Office. The findings were part of an annual audit of the IRS's financial security control systems, the government watchdog noted in a report released Thursday. The GAO report also includes 20 recommendations for improving security and mitigating flaws and misconfigurations within IRS IT systems. The security recommendations are aimed at safeguarding the IRS' infrastructure and databases, which contain financial data and other personal information on millions of U.S. taxpayers. By extensively using technologies such as encryption and identity and access management tools, the IRS would make its systems less susceptible to cybercrimes, such as identity theft and other financial frauds, the report states.

The Hill
July 18, 2019
A bipartisan group of senators on Thursday introduced legislation to increase cybersecurity training for U.S. high school students involved in the Junior Reserve Officers’ Training Corps (JROTC) in an effort to increase overall cyber defense training. The JROTC Cyber Training Act would direct the secretary of Defense to create a program to enhance the preparation of JROTC high school students for military or civilian careers in cybersecurity and computer science, including internship or research opportunities and funding for training. The bill is sponsored by Sens. Jacky Rosen (D-Nev.), Marsha Blackburn (R-Tenn.), John Cornyn (R-Texas) and Gary Peters (D-Mich.). According to Rosen’s office, the bill has the potential to bring computer science and cybersecurity training to 500,000 students nationwide at 3,400 schools with JROTC programs.

Roll Call
July 18, 2019
The Senate took another small step to improve election security Wednesday evening, even as there is no plan for a broader debate on the floor. As the chamber was closing for the evening, senators passed by unanimous consent a bipartisan bill out of the Senate Judiciary Committee designed to make sure that hacking election systems is actually a federal crime. The bill would amend current law on computer hacking to specify that hacking a computer designated as part of a voting system or for the administration of a federal election is a crime. The legislation was drafted in response to a Justice Department report released last summer that determined “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use CFAA [The Computer Fraud and Abuse Act] to prosecute the hackers.” Judiciary Chairman Lindsey Graham of South Carolina was the lead Republican supporter of the legislation. He said in a statement that threats of such attacks go well beyond the Russian Federation.

Nextgov
July 17, 2019
The Census Bureau still faces a lengthy list of IT and cybersecurity risks less than a year before the 2020 count, but on Tuesday the agency’s chief told lawmakers that they have the situation under control. “This is a mammoth operation ... there will be risk throughout the 2020 Census,” Director Steven Dillingham said before the Senate Homeland Security Committee. “We’re managing those risks and we’re making progress, and we’ll continue to make progress.” His reassurance came as officials from the Government Accountability Office reiterated longstanding concerns that delayed IT rollouts, shortened security tests and opaque cyber patching processes could leave the decennial census vulnerable to system failures and digital attacks. The office has included the 2020 count on its list of high-risk government programs since 2017. “I don’t think we’re looking at disaster but there’s still a lot of work [that] needs to be done going forward,” Robert Goldenkoff, director of GAO’s strategic issues office, said during the hearing.

Fifth Domain
July 17, 2019
Secretary of Defense nominee Mark Esper, speaking to senators during his July 16 confirmation hearing, shared his feelings that U.S. Cyber Command possesses “exceptional” cyber capabilities, but just as important is a streamlined framework for using them outside U.S. networks. “Maybe as important as our capabilities, last year the administration put out a new [National Security Presidential Memorandum] 13, which really put our cyber capabilities on a more offensive footing, allowing us to lean forward,” Esper said. Under the previous process, approval for cyber operations had to go all the way to the president for approval. NSPM 13 now allows the president to delegate some of those authorities and reorganizes the approval process through the interagency. Esper credited the new process for the successful operations during the 2018 midterm elections that sought to mitigate threats to the democratic process. “I think for those reasons it’s why you saw in the 2018 elections no issues. That’s why I think we’re more and more confident that the 2020 elections will also be” unfettered, he said of NSPM 13.

Nextgov
July 17, 2019
Within a month, the Defense Department—one of the most risk-averse agencies in the federal government—will be trusting other agencies’ assessments of cloud vendors’ security for middle-tier products and services. Every software and service running on a federal network or hosting an agency service must meet a security baseline, certified through an authority to operate, or ATO. The Federal Risk and Authorization Management Program, or FedRAMP, was established to assist with this mandate, but the program has been mired in long wait times and heavy cost burdens for companies applying for authorization. “What was supposed to be an expedited process—six months, maybe costing a quarter of a million dollars—instead, in many cases, took years—and takes years—and can cost companies millions of dollars, the very opposite of what FedRAMP was designed to achieve,” Rep. Gerry Connolly, D-Va., said during a hearing Wednesday held by the House Oversight Subcommittee on Government Operations. “We can’t leverage the potential of cloud computing if the processes are slower than the speed at which the technology itself advances.”

The Hill
July 15, 2019
The House passed legislation by voice vote on Monday intended to increase cybersecurity at the Small Business Administration (SBA) and separately approved a bill to help small businesses defend against cyber attacks. The SBA Cyber Awareness Act, sponsored primarily by Rep. Jason Crow (D-Colo.), would require the SBA to produce an annual report to Congress that assesses the quality of its information technology, and that details any equipment used by the SBA that was manufactured in China. The report would also be required to include details of all cyber risks or incidents faced by the agency since the previous report was submitted. The bill would also require the SBA to notify Congress within seven days of a suspected cyber incident or attack on the agency and concurrently notify individuals and small businesses impacted by this incident within 30 days. The House on Monday also passed the Small Business Development Center Cyber Training Act by voice vote. This legislation, sponsored by Rep. Steve Chabot (R-Ohio), would require counselors at small business development centers to be certified in cybersecurity to assist small businesses in preventing and responding to cyber attacks.

Politico
July 13, 2019
The Trump administration is sending aggressive messages about the United States' willingness to hack its adversaries — alarming lawmakers and experts who fear the president is provoking a global cyberconflict that the U.S. may not be prepared to face. A U.S. cyberattack on Iranian military and intelligence targets last month was one of the most prominent signs of the new approach, which comes after a reported effort to implant hostile computer code in Russia's electrical grid and a temporary takedown of a notorious Kremlin-backed troll operation last fall. To supporters, the tactics are a sign the U.S. may finally be getting out of its defensive crouch in cyberspace — as advocated by hawks such as national security adviser John Bolton. But the moves also lay the potential groundwork for a tit for tat of cyberattacks that could inflict significant damage on bystanders. Targets such as banks, hospitals, oil companies and electric utilities in the U.S. and elsewhere have already proved vulnerable, as seen in recent criminal hacks that paralyzed entities such as Baltimore's city government. Now, both Republican and Democratic members of Congress are pressing the White House for details about its offensive cyber strategies, worried that unchecked operations could be dangerously destabilizing for the U.S. “It’s essential that Congress have its ability to conduct proper oversight. It’s our constitutional responsibility,” Rep. Jim Langevin (D-R.I.) told POLITICO. “I support the administration’s plan to be more forward-leaning in cyberspace, on balance. But with that comes the responsibility to make sure we’re not undermining stability in cyberspace.”


ADMINISTRATION

The New York Times
July 19, 2019
A troubled former National Security Agency contractor who spent two decades stuffing his home, car and garden shed with highly classified documents was sentenced on Friday to nine years in prison in a case that exposed a shocking laxity in security at the N.S.A. and other secret government facilities. Investigators originally feared that the contractor, Harold T. Martin III, might have passed or sold secrets to a foreign power or to a still-mysterious group calling itself the Shadow Brokers, which released dangerous N.S.A. hacking tools online in 2016 and 2017. But they appear to have concluded that his amassing of secrets was a symptom of a quirky, disturbed mind, not evidence that Mr. Martin, a 54-year-old Navy veteran, wanted to betray his country. In March, Mr. Martin pleaded guilty to a single count of willful retention of national defense information. Prosecutors and defense lawyers agreed on the sentence, which was approved by United States District Judge Richard D. Bennett. Mr. Martin’s lawyer, James Wyda, said his client had an “autism spectrum disorder” and had experienced difficulty forming and keeping relationships since childhood. As a result, the lawyer said, he had sought meaning and validation in his work as a contractor at the N.S.A. and other agencies, bringing home documents to work on at night.

Nextgov
July 19, 2019
In executing an enterprisewide approach to cybersecurity, the Cybersecurity and Infrastructure Security Agency is transforming the way the federal government tackles threats across the nation’s cyber landscape, a top security official said Thursday. “We try to be very focused on enterprise risks—how can we take action and how can they be tangible, doable actions, not just these things that are high in the sky, complicated and resource-intensive,” CISA’s Assistant Director for Cybersecurity Jeanette Manfra said at a GovernmentCIO cyber forum in Arlington, Va. Manfra explained that, like most companies, every agency is responsible and accountable for securing its own cyber networks and systems. She said before CISA, the Homeland Security Department and the Office of Management and Budget weren’t thinking of treating all 99 civilian agencies together as an enterprise. Because of this, decisions weren’t being thought through and officials weren’t effectively considering the significance of shared services between the civilian agencies, or the risk management transfers that accompany one agency hosting other agencies’ data and information. Further, they started to see that the connectedness of agencies’ IT infrastructures allowed adversaries to work through indirect entities to target a specific agency they aimed to exploit. “And so that’s where I see [Homeland Security] really filling this [gap] in federal cybersecurity is understanding and helping to manage enterprise risk across all civilian agencies,” she said.

The New York Times
An experienced official will oversee election security intelligence across the government in a newly created senior position, the director of national intelligence announced on Friday as part of an effort to improve coordination and speed response to attacks by foreign governments. Intelligence officials said the new post reflects the reality that influence operations by Russia, China and other countries are likely to continue indefinitely. Shelby Pierson, who worked on intelligence issues surrounding the 2018 midterm elections, was named to the post, which will cover both potential attacks on voting infrastructure and influence campaigns. Administration critics praised the appointment but said it did not obviate the need for a director at the National Security Council to coordinate not just intelligence but also the response to foreign interference campaigns. And critics in Congress warned that President Trump’s skepticism over foreign influence campaigns continues to undermine the government response. Ms. Pierson’s appointment will help intelligence agencies direct resources to election security and “bring the strongest level of support to this critical issue,” said Dan Coats, the director of national intelligence, who called it an “enduring challenge.”

Gov Info Security
July 19, 2019
Business email compromise scams are surging, and they're costing U.S. companies a total of more than $300 million a month, according to a recently released analysis by the U.S. Treasury Department. Manufacturing and construction firms are the hardest hit by this type of fraud, the study notes. The analysis, which the Treasury Department's Financial Crimes Enforcement Network released this week, found that the number of reported business email compromise scams increased to 1,100 per month in 2018, up from 500 incidents each month in 2016. The increasing number of BEC incidents also means that more money is flowing into the coffers of scammers. The Treasury Department report notes that BEC scams cost businesses an average total of $301 million in fraud per month in 2018, up from $110 million in 2016. The overall financial impact of BEC scams, as described in the Treasury Department report, is much higher than earlier estimates from the FBI.

The New Yorker
July 18, 2019
In the weeks before two Japanese and Norwegian oil tankers were attacked, on June 13th, in the Gulf of Oman—acts which the United States attributes to Iran—American military strategists were planning a cyberattack on critical parts of that country’s digital infrastructure. According to an officer involved, who asked to remain anonymous, as Iran ramped up its attacks on ships carrying oil through the Persian Gulf—four tankers had been mined in May—and the rhetoric of the national-security adviser, John Bolton, became increasingly bellicose, there was a request from the Joint Chiefs of Staff to “spin up cyber teams.” On June 20th, hours after a Global Hawk surveillance drone, costing more than a hundred million dollars, was destroyed over the Strait of Hormuz by an Iranian surface-to-air missile, the United States launched a cyberattack aimed at disabling Iran’s maritime operations. Then, in a notable departure from previous Administrations’ policies, U.S. government officials, through leaks that appear to have been strategic, alerted the world, in broad terms, to what the Americans had done.

Nextgov
July 18, 2019
Penetration testing—allowing trusted sources to simulate cyberattacks to assess computer network and system security—is proving to be a vital practice that helps agencies identify risks before bad actors can exploit them, federal security officials said Thursday. “Really critically and importantly, what [penetration testing] has done is given us a much better sense of what are the things we need to focus on and where are the control areas that we really have weaknesses,” Adrian Monza, cyber defense branch chief of the Homeland Security Department’s U.S. Citizenship and Immigration Services, said at a GovernmentCIO cyber forum in Arlington, Va. Monza explained that he has a number of penetration testers on his team, whom he fondly refers to as his internal hackers. Working across a variety of the agency’s systems, Monza said, the creativity they bring to recognizing risk has helped insiders find new threats that were never identified before. “I will tell you that the results that we have seen from that have been just illuminating,” Monza said.

CyberScoop
When U.S. Cyber Command simulated a cyberattack against a seaport last month, military personnel hunted for adversaries who appeared to be using malware against a critical trade hub. It was the latest version of an annual weeklong test known as “Cyber Flag” that teaches cyber staffers to better defend against critical infrastructure attacks, military commanders involved in the exercise told reporters in a briefing Tuesday. By imitating an attack that blocked the seaport’s ability to move cargo — potentially affecting international trade — military leaders tested their readiness for a real-world incident and looked for ways to improve their response. The simulation also included officials from throughout the U.S. government and from allied partners to emphasize stronger coordination. “Cyber Flag is the command’s annual tactical exercise series that features teams working on keyboard against a live opposing force,” said Rear Adm. John Mauger, Cyber Command’s director of exercises and training. “The environment is really intended to challenge the teams both as individuals and their knowledge as analysts and operators — but more importantly as a collective team and their ability to work together to achieve mission outcomes while fighting through a contested environment.”

AP
Over six weeks, the vandals kept coming, knocking the school system's network offline several times a day. There was no breach of sensitive data files, but the attacks in which somebody deliberately overwhelmed the Avon Public Schools system in Connecticut still proved costly. Classroom lesson plans built around access to the internet had come to a halt. "The first time I called the FBI, their first question was, 'Well, what did it cost you?'" said Robert Vojtek, the district's technology director. "It's like, 'Well, we were down for three quarters of a day, we have 4,000 students, we have almost 500 adults, and teaching and learning stopped for an entire day.' So how do you put a price tag on that?" The kind of attacks more commonly reserved for banks and other institutions holding sensitive data are increasingly targeting school systems around the country. The widespread adoption of education technology, which generates data that officials say can make schools more of a target for hackers, also worsens an attack's effects when instructional tools are rendered useless by internet outages.

FCW
July 16, 2019
The Defense Information Systems Agency is testing zero-trust networking on the Defense Department's classified network. DISA ultimately wants to move to a zero-trust network environment where access is denied by default and only approved requests are permitted, the agency's Director of Operations David Bennett told reporters on July 16. Bennett told reporters following a July 16 keynote at a FedInsider event that his agency is currently implementing a zero-trust pilot on the Secret Internet Protocol Router Network with U.S. Cyber Command. "It's a proof-of-concept pilot," he said, adding that DISA hopes to expand it as more lessons are learned. "Zero trust is really about figuring out the data and applications and how to put that together and then try to connect it to the rest of the world," he said. In that same vein, Bennett said one of the trickiest issues will be reining in and quantifying the internet of things. He said DISA was "not doing a lot" with IoT right now because it's "a very complicated scenario."

Fifth Domain
July 15, 2019
Pennsylvania’s message was clear: The state was taking a big step to keep its elections from being hacked in 2020. Last April, its top election official told counties they had to update their systems. So far, nearly 60 percent have taken action, with $14.15 million of mostly federal funds helping counties buy brand-new electoral systems. But there’s a problem: Many of these new systems still run on old software that will soon be outdated and more vulnerable to hackers. An Associated Press analysis has found that like many counties in Pennsylvania, the vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts. That’s significant because Windows 7 reaches its “end of life” on Jan. 14, meaning Microsoft stops providing technical support and producing “patches” to fix software vulnerabilities, which hackers can exploit. In a statement to the AP, Microsoft said Friday it would offer continued Windows 7 security updates for a fee through 2023.

CyberScoop
July 15, 2019
Officials in La Porte County, Indiana, agreed to pay $130,000 in bitcoin to alleviate the pain from a ransomware attack that affected two domain controllers, knocking network services offline, according to WSB-TV. While an insurer will cover $100,000 of that fee, the northern Indiana county is the latest local government to pay digital extortionists to unlock a compromised network amid a spree of similar incidents throughout the country. Attackers hit La Porte on July 6, deploying the Ryuk ransomware to disable the county’s computer network, website and email service systems. Versions of Ryuk, which the FBI said has had a “disproportionate impact” on small municipalities, also have been blamed for attacks on Georgia’s court system and on small towns in Florida. In this case, La Porte County leaders told WSB-TV they decided to pay the ransom after a decryption key provided by the FBI was ineffective. The initial ransomware request reportedly was higher, with the FBI negotiators bringing the ultimate fee down to $130,000, according to the local news outlet. Travelers Insurance, which the county enlisted last year, will cover $100,000 of that, county president Vidya Kora told the Michigan City News Dispatch. The FBI doesn’t encourage ransomware victims to pay hackers, but the La Porte incident highlights law enforcement’s struggle in stopping the attacks.

FCW
Army researchers have developed a cyber agility framework – a new way to train defensive cyber operators to thwart attackers. As with a set of rules or an algorithm, application of the framework can help organizations better understand the effectiveness of their cybersecurity efforts. It also serves as a foundation for developing software. "Historically, when dealing with cybersecurity, analysts are looking at screens full of numbers, trying to identify where, and what kind of, cyberattacks are taking place by looking for patterns," Purush Iyer, division chief of network sciences at Army Research Office, which is a part of Army Research Laboratory, told FCW. "The cyber agility framework offers a better way of identifying (and predicting) attacks, by taking into account past history of traffic, and allowing an analyst to concentrate on higher order reasoning. It's a big step in enhancing cybersecurity predictability." In a partnership with the University of Texas, San Antonio (UTSA) and the Army Research Laboratory, cybersecurity researchers developed a set of metrics to help operators measure how well their methods and tactics work during an active intrusion.


INDUSTRY

The Financial Times
July 19, 2019
The Israeli company whose spyware hacked WhatsApp has told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch. NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones. But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration. The documents raise difficult questions for Silicon Valley’s technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers. NSO denied promoting hacking or mass-surveillance tools for cloud services. However, it did not specifically deny that it had developed the capability described in the documents.

Vice Motherboard
July 18, 2019
Artificial intelligence has been touted by some in the security community as the silver bullet in malware detection. Its proponents say it’s superior to traditional antivirus since it can catch new variants and never-before-seen malware—think zero-day exploits—that are the Achilles heel of antivirus. One of its biggest proponents is the security firm BlackBerry Cylance, which has staked its business model on the artificial intelligence engine in its endpoint PROTECT detection system, which the company says has the ability to detect new malicious files two years before their authors even create them. But researchers in Australia say they’ve found a way to subvert the machine-learning algorithm in PROTECT and cause it to falsely tag already known malware as “goodware.” The method doesn’t involve altering the malicious code, as hackers generally do to evade detection. Instead, the researchers developed a “global bypass” method that works with almost any malware to fool the Cylance engine. It involves simply taking strings from a non-malicious file and appending them to a malicious one, tricking the system into thinking the malicious file is benign.
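The bypass described above works because a string-feature classifier lets benign evidence cancel malicious evidence. The following is an added example, written for this digest rather than taken from the Motherboard article or from Cylance: a toy naive-Bayes-style model over printable strings, trained on a constructed corpus, that is fooled when goodware strings are appended to an unmodified malicious file. The `classify_hardened` variant, with its benign-evidence cap, is an assumed mitigation of the editor's own, not Cylance's fix; all training tokens, file bytes and the cap value are constructed for illustration.

```python
"""Toy string-feature classifier and the append-benign-strings evasion.
Added example: a naive-Bayes-style model built for illustration, not Cylance's
engine. Training tokens and file bytes below are constructed, not real samples."""
import math
import re
from collections import Counter

# Constructed training corpus: each sample is the set of printable strings
# an analyst might see in a file of that class (illustrative, not a dataset).
MALICIOUS_SAMPLES = [
    ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory", "cmd.exe /c", "UPX0"],
    ["VirtualAllocEx", "WriteProcessMemory", "IsDebuggerPresent", "UPX0", "http://"],
    ["CreateRemoteThread", "IsDebuggerPresent", "cmd.exe /c", "http://", "UPX1"],
]
BENIGN_SAMPLES = [
    ["Microsoft Corporation", "All rights reserved", "GetVersionExW", "MessageBoxW", "FileVersion"],
    ["All rights reserved", "ProductName", "FileVersion", "Contoso Ltd.", "GetModuleHandleW"],
    ["Microsoft Corporation", "ProductName", "MessageBoxW", "GetModuleHandleW", "OriginalFilename"],
]


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility.
    The model only cares which strings are present, so a set is returned."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def train(mal_samples, ben_samples):
    """Per-string log-odds log(P(s|mal)/P(s|benign)) with Laplace smoothing.
    Strings never seen in training get weight 0 (neutral)."""
    mal_df = Counter(s for sample in mal_samples for s in set(sample))
    ben_df = Counter(s for sample in ben_samples for s in set(sample))
    n_mal, n_ben = len(mal_samples), len(ben_samples)
    weights = {}
    for s in set(mal_df) | set(ben_df):
        p_mal = (mal_df[s] + 1) / (n_mal + 2)
        p_ben = (ben_df[s] + 1) / (n_ben + 2)
        weights[s] = math.log(p_mal / p_ben)
    return weights


def score(weights, strings):
    return sum(weights.get(s, 0.0) for s in strings)


def classify(weights, data):
    """Plain linear decision: malicious and benign evidence cancel freely,
    which is exactly what the padding attack exploits."""
    return "malicious" if score(weights, extract_strings(data)) > 0 else "benign"


def classify_hardened(weights, data, benign_cap=-2.0):
    """Assumed mitigation (the editor's, not Cylance's): bound the total benign
    evidence so appended goodware strings cannot cancel strong malicious
    indicators. The cap value is a tunable assumption."""
    ws = [weights.get(s, 0.0) for s in extract_strings(data)]
    positive = sum(w for w in ws if w > 0)
    negative = sum(w for w in ws if w < 0)
    return "malicious" if positive + max(negative, benign_cap) > 0 else "benign"


def build_file(strings):
    """Constructed stand-in for a binary: a fake header plus NUL-separated strings."""
    return b"MZ\x90\x00" + b"\x00".join(s.encode("ascii") for s in strings) + b"\x00"


MALWARE = build_file(["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                      "cmd.exe /c", "IsDebuggerPresent"])
# The "global bypass": leave the malicious code untouched and append strings
# harvested from a benign file to the end of the malware.
GOODWARE_STRINGS = sorted({s for sample in BENIGN_SAMPLES for s in sample})
PADDED_MALWARE = MALWARE + b"\x00".join(s.encode("ascii") for s in GOODWARE_STRINGS)


def demo():
    weights = train(MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    return {
        "original": classify(weights, MALWARE),
        "padded": classify(weights, PADDED_MALWARE),
        "padded_hardened": classify_hardened(weights, PADDED_MALWARE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The original file scores about +5.5 (five strong malicious strings), the appended goodware strings contribute about -8.7, and the plain classifier flips to "benign" even though the malicious code is byte-for-byte unchanged. Capping benign evidence restores the "malicious" verdict for this padding, but it is a heuristic, not a proof of robustness: an attacker can still search for inputs that stay under the cap, so string features should be combined with evidence that appending data cannot alter.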

Wired
July 17, 2019
When news appeared in May of the security vulnerability in Windows that would come to be known as BlueKeep, security researchers almost immediately cautioned that the flaw looked like the central ingredient for a destructive worm sure to rampage through the internet. Microsoft issued a series of stark warnings to patch the flaw, which persisted in roughly a million computers. Even the NSA took the rare step of noting the bug's severity. But two months later, the dreaded BlueKeep doomsday has yet to materialize. In fact, its apparent absence has made clear that in an age of hardened operating systems with built-in protections against easy exploitation, the mere existence of a known flaw in software no longer means an immediate open season for hackers. State-sponsored groups may already be using it for quiet intrusions, but low-skilled criminals have yet to use it for wide-scale calamity. But that doesn't mean that a larger wave of BlueKeep exploitation isn't in store if—or when—the secret details of exploiting the Windows vulnerability leak out to a wider audience. On Wednesday, security firm BitSight released the results of a new round of scanning for the BlueKeep flaw, which affects unpatched Windows machines running Windows 7 or earlier. The company found that about 800,000 computers remain vulnerable to the attack—a significant drop from the nearly 1 million unpatched machines BitSight counted in late May, but still enough to cause mayhem if a worm were unleashed.

Ars Technica
July 17, 2019
Microsoft said on Wednesday that it has notified almost 10,000 customers in the past year that they’re being targeted by nation-sponsored hackers. According to a post from Microsoft Corporate Vice President of Customer Security & Trust Tom Burt, about 84% of the attacks targeted customers that were large “enterprise” organizations such as corporations. The remaining 16% of attacks targeted consumer email accounts. Burt said some of the 10,000 customers were successfully compromised while others were only targeted, but he didn’t provide figures. “This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives,” Burt wrote. Microsoft presented the figures Wednesday at the Aspen Security Forum.

CyberScoop
July 17, 2019
When researchers first found critical vulnerabilities in the firmware of certain Lenovo computer servers, it looked like a fairly straightforward issue. The problem, however, involved far more than the Hong Kong-based PC giant. The vulnerabilities were in the firmware of baseboard management controllers (BMC), the small processors used to remotely manage servers at an organization. The flaws could allow an attacker to run arbitrary code within the BMCs to retain persistent access to a computer system, or to “brick” the BMC entirely, rendering it inoperable. Those facts alone were cause for concern, but specialists at hardware-security company Eclypsium discovered a bigger story. The firmware in question was actually sourced from another company — Ohio-based Vertiv — and it was present in servers made by at least seven other vendors. “That’s when we realized just how complex and vulnerable the BMC supply chain is,” said Jesse Michael, principal security researcher at Eclypsium.

TechCrunch
July 17, 2019
Another clinical lab ensnared in the AMCA data breach has come forward. Clinical Pathology Laboratories (CPL) says 2.2 million patients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information stolen in the previously reported breach. Another 34,500 patients had their credit card or banking information compromised. The breach was limited to U.S. residents, the company said. CPL blamed AMCA, which it and other labs used to process payments for their patients, for not providing more details on the breach when it was disclosed in June. “At the time of AMCA’s initial notification, AMCA did not provide CPL with enough information for CPL to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident, and CPL’s investigation is on-going,” said the company in a statement.

ZDNet
July 17, 2019
Microsoft plans to explore using the Rust programming language as an alternative to C, C++, and others, as a way to improve the security posture of its and everyone else's apps. The announcement was made yesterday by Gavin Thomas, Principal Security Engineering Manager for the Microsoft Security Response Center (MSRC). "You're probably used to thinking about the Microsoft Security Response Center as a group that responds to incidents and vulnerabilities," Thomas said. "We are a response organization, but we also have a proactive role, and in a new blog series we will highlight Microsoft's exploration of safer system programming languages, starting with Rust." The end game is to find a way to move developers from the aging C and C++ programming language to so-called "memory-safe languages." Memory-safe languages, such as Rust, are designed from the ground up with protections against memory corruption vulnerabilities, such as buffer overflows, race conditions, memory leaks, use-after free and memory pointer-related bugs.

Wired
July 16, 2019
Two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pump lines. An attacker could remotely target these pumps to withhold insulin from patients, or to trigger a potentially lethal overdose. And yet months of negotiations with Medtronic and regulators to implement a fix proved fruitless. So the researchers resorted to drastic measures. They built an Android app that could use the flaws to kill people. Rios and Butts, who work at the security firm QED Security Solutions, had first raised awareness about the issue in August 2018 with a widely publicized talk at the Black Hat security conference in Las Vegas. Alongside that presentation, the Food and Drug Administration and Department of Homeland Security warned affected customers about the vulnerabilities as did Medtronic itself. But no one presented a plan to fix or replace the devices. To spur a full replacement program, which ultimately went into effect at the end of June, Rios and Butts wanted to convey the true extent of the threat. "We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says. "I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."

CNBC
July 15, 2019
Symantec and Broadcom have ceased deal negotiations, sources tell CNBC's David Faber. The people familiar with the matter added that Symantec would not accept less than $28 a share. People familiar with the matter added that Broadcom indicated in early conversations that it would be willing to pay $28.25 per share for Symantec, but that, following due diligence, it knocked that figure down below $28. Symantec had surged earlier this month after it was revealed that Broadcom was in advanced talks to acquire the security software vendor. Faber had reported the two sides were negotiating a price and had seen possible synergies of $1.5 billion. Symantec shares dropped 12.8% to $22.30 on Monday. Symantec has been dogged in recent years by management turnover and a softer core business as cloud security companies have captured enterprise market share and as newer companies offer ways to protect mobile devices.


INTERNATIONAL

ZDNet
July 18, 2019
Starting Wednesday, July 17, 2019, the Kazakhstan government began intercepting all HTTPS internet traffic inside its borders. Local internet service providers (ISPs) have been instructed by the government to force their respective users into installing a government-issued certificate on all devices, and in every browser. The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination. Kazakh users trying to access the internet since yesterday have been redirected to web pages containing instructions on how to install the government's root certificate in their respective browsers, whether on a desktop or mobile device.

The New York Times
July 17, 2019
An investigation into the theft of the personal information of nearly every adult in Bulgaria led to the arrest of a 20-year-old computer programmer, the police announced Wednesday, in connection with a breach that underscores the vulnerability of vast troves of digitized information. The authorities acknowledged that Bulgaria’s national tax agency was hacked after a news outlet received an email on Monday with a taunt and a claim of responsibility. The names, addresses, incomes and social security information of as many as five million Bulgarians and foreign residents — in a country of only seven million — had been taken. “The state of your cybersecurity is a parody,” the self-proclaimed hacker emailed. Though the police cautioned that the investigation was in its early stages, some officials suggested that Russia might have been behind the attack, as retaliation for the country’s recent purchase of American-made fighter jets. A lawyer for the suspect denied he played any role in the breach.

Gov Info Security
July 17, 2019
A 20-year-old Dutch man suspected of creating the Rubella Macro Builder toolkit and other malicious tools and distributing them on underground forums has been arrested by Dutch National Police. The man, a Dutch resident whose name is not being released, has not yet been formally charged, police say. Investigators with the Dutch National High-Tech Crime Unit note that they confiscated about €20,000 ($22,400) worth of bitcoins from the man as well as manuals for committing credit fraud and login credentials for "thousands" of systems. Security analysts at McAfee assisted in the investigation, which is ongoing. The suspect was arrested at his computer without incident, Dutch authorities say.

BBC
July 16, 2019
An attempt to defraud thousands of people using a bogus email from a UK airport was one of a range of cyber-attacks prevented last year. The scam used a fake gov.uk address, but the messages were prevented from ever reaching their intended recipients. The details were revealed by GCHQ's National Cyber Security Centre in an annual report. In all, NCSC disclosed it had stopped 140,000 separate phishing attacks. This refers to the attempted online theft of bank details and other sensitive information by impersonating a trustworthy person or organisation. In addition, the agency said it had taken down 190,000 fraudulent sites. This often happened quickly. The centre said that 64% of illegal sites were offline within 24 hours of being discovered and 99.3% eventually went dark.


TECHNOLOGY

Dark Reading
July 18, 2019
An open source white-hat hacking tool that nation-state hacking teams out of China, Iran, and Russia have at times employed to avoid detection has been updated with new features that allow attacks to persist and spread more efficiently. Sean Dillon, creator of the so-called Koadic tool that works like a remote access Trojan (RAT), says the software he first released two years ago at DEF CON can now extract information and intelligence about a targeted Windows environment, more efficiently scrape user credentials, and more easily spread around a network. "It's much more efficient now. It can be used to compromise entire networks in a matter of minutes," says Dillon, who plans to show off Koadic's new features next month at the Black Hat USA Arsenal in Las Vegas. Koadic is basically a RAT based on VBScript and JScript that uses Windows executables such as PowerShell rather than malware, so it mimics a growing trend of sophisticated attackers employing legitimate tools instead of writing or burning their own exploits. The trend, known as "living off the land," also allows attackers to remain under the radar as they run internal Windows tools like PowerShell to hack their way through networks.