Wednesday, September 25, 2019

Hacker Who Revealed Soccer Secrets Is Charged With 147 Crimes

“No matter how corrupt, greedy, and heartless our government, our corporations, our media, and our religious & charitable institutions may become, the music will still be wonderful.”
― Kurt Vonnegut

“It's not what you don't know that kills you, it's what you know for sure that ain't true.” 
- Mark Twain



Aussie esports is booming. So is corruption



How Legal Professionals Must Lead in the Age of Machines


Law Technology Today – “…Today, legal professionals, of course, spend much of their day interacting with computers. A desktop or laptop computer is the hearth of our workspace, where we do simple tasks like email, as well as complex tasks like using sophisticated systems to analyze data collections. We use our mobile phones, tablets, and ever-present digital assistants like Siri, Alexa, and more powerful tools like IBM’s Watson. Computers now assist us at trial—and they may soon drive us to the courthouse. Of course, some of this technology, like email, has been around for decades. But the newest forms of technology, especially those casually being dubbed “AI,” now encroach on the home territory of what legal professionals do: think. So what will legal professionals do in 10, 40, or 100 years?…”


  • Former White House press secretary Sean Spicer made his “Dancing With the Stars” debut Monday night. How’d it go? Uh, not so good, as The Daily Beast’s Matt Wilstein writes in this brutal review.
  • For my money, “The Far Side” is the greatest cartoon strip of all time. Too bad it ended in 1995. But Comicbook.com’s Russ Burlingame writes that the classic Gary Larson strip could be making a comeback.
  • The Tampa Bay Times’ Ashley Dye, who has just more than 1,500 Twitter followers, put out a journalistic tweet that got more than 116,000 likes and over 24,000 retweets. They then wrote a really smart column about it.
  • Shut Up, Franzen
  • Medium – The Discovery Dark Ages: How Filter Bubbles, Dark Patterns, and Algorithms Propagating Bias Impede the Spread of Knowledge – “… Change can be a good thing. Now, that said, there are ways in which search engines are being used to deliver results nowadays, regardless of whether people want them or not, and even if they should be desirable sources in the first place, which are not the best ones, in terms of relevance, quality, and accuracy. Discovery systems are a means to an end, and in this case, when a superior means emerges, there’s simply no reason not to jettison the old way of doing things. This requires some adaptability on our part, and a willingness to unlearn habitual yet inefficient procedures in favor of better ones….There is consequentially a growing disjoint between how non-librarians prefer to find information and the ways that some of us insist are still the best. Yet we cannot retreat to the reference desk and simply shake our heads at students who are off using Wikipedia. It’s proven much more productive, in this case, to educate people about the benefits and vulnerabilities of relying upon Wikipedia for research….”



AP
September 19, 2019
A key Senate panel on Thursday approved $250 million to help states beef up their election systems, freeing up the money after Senate Majority Leader Mitch McConnell came under criticism from Democrats for impeding separate election security legislation. The Kentucky Republican announced in a floor speech in advance of the Appropriations Committee vote that he would support the funding, which had bipartisan support on the funding panel. McConnell still isn’t yielding in his opposition to more ambitious Democratic steps such as requiring backup paper ballots as a backstop against potential hacks of election systems. He said the Trump administration has “made enormous strides” in protecting the nation’s voting infrastructure. The committee approved the money on a bipartisan voice vote. The panel’s top Democrat, Patrick Leahy, said “funding election security grants is a matter of national security.” The House approved $600 million earlier this year, though there is considerable money left in the pipeline from earlier appropriations.

Nextgov
September 19, 2019
A pair of lawmakers demanded the Trump administration’s new national security adviser reinstate an executive-level cybersecurity position that his predecessor John Bolton eliminated last year. Soon after President Trump tapped the State Department chief hostage negotiator Robert O’Brien to take over as national security adviser on Tuesday, Sen. Mark Warner, D-Va., and Rep. Bennie Thompson, D-Miss., called on O’Brien to restore the White House cybersecurity coordinator. Bolton eliminated the position in May 2018 under the rationale of reducing bureaucracy within the National Security Council. The move was largely criticized by cyber experts who saw the job, which oversees government cyber protections, international cyber negotiations and general U.S. cyber policy, as too complex to be subsumed into broader White House operations. In a statement on Wednesday, Warner, the top Democrat on the Senate Intelligence Committee, said Bolton’s decision “showed a lack of seriousness in tackling the immediate national security threats facing our country.” Thompson, the chairman of the House Homeland Security Committee, echoed the sentiment. “Despite concerns raised when the position was eliminated last year, the White House has done little to address the vacuum left behind,” Thompson said Wednesday in a statement. “There is no reason that the White House should have allowed this position to be eliminated.”

CyberScoop
September 18, 2019
The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting systems that use outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting equipment secure after a vendor ceases offering support for a product. While a voting system would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the system is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained. To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update. In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is credible information that a voting system no longer complies with the guidelines. However, in the case of Election Systems & Software, the country’s largest voting vendor, for example, the EAC said it didn’t have “grounds to decertify any ES&S product that uses software that is no longer supported by a third-party vendor.” The commissioners also said that there is no stipulation for how far into the future operating systems must support security patches for them to be certified.

CyberScoop
September 18, 2019
Cyberwarfare and information operations now are the primary ways in which countries assert themselves on the world stage, Sen. Mark Warner said in a speech Tuesday, pointing to a new geopolitical reality in which traditional military strength may be less urgent. The Virginia Democrat portrayed hacking, social media manipulation, and other digital techniques as affordable options for smaller countries that don’t have the financial resources to invest in modern military hardware like tanks and fighter jets. U.S. leaders need to more urgently recognize this transition, he said, and prioritize processes and technology that stifle future attempts from adversaries to interfere in U.S. elections and markets. Warner, vice chairman of the Senate Intelligence Committee, for years has urged Congress to authorize more funding for cybersecurity. “I worry at times we may be spending too much time [and] resources on 20th century stuff when increasingly conflict in the 21st century will be cyber, will be misinformation, disinformation,” Warner told reporters after a speech at the Federal Election Commission.

Gov Info Security
September 16, 2019
As cybercriminals adopt new methods to steal and manipulate victims' identities, the U.S. financial services industry needs to rethink how to protect customers' information using emerging technologies, such as artificial intelligence, security experts testified at a recent U.S. House committee hearing. The U.S. House Financial Services Committee held the hearing Thursday to learn more about how adopting new technologies can help fight ID theft - and how threat actors are already using these same technologies to further expand their crimes. Security experts told the committee that financial services companies, as well as government agencies, need to adopt AI to counter new threats to identity such as "deep fakes," which use advanced imaging technology and machine learning to convincingly superimpose video images, and "synthetic identities," where cybercriminals use stolen information to attempt to mimic a person to carry out identity-related frauds. "Artificial intelligence is only enhancing cybercriminals' arsenal. AI can be used more quickly to find vulnerabilities in a bank's software and used to impersonate someone's voice or face in a phishing scam," says Rep. Bill Foster, D-Ill., who chaired the hearing.

The New York Post
September 15, 2019
GOP Sen. Ben Sasse warned of a doomsday scenario in which China wipes out US satellites to cripple the military’s GPS and communications systems in a cyber war that takes place in outer space. “China has envisioned a lot of game theory that has them sort of blowing up everything in the near-space early in a conflict, which would take away lots of things like GPS,” the Nebraska lawmaker told John Catsimatidis on his AM 970 radio show in an interview that aired Sunday. “It would be absolutely disastrous.” Sasse, a member of the Senate Intelligence Committee and the newly created Cyber Commission, said the country isn’t doing “nearly enough” to protect Americans from “emerging cyber threats from Russia, from North Korea, from Iran, but especially from China.” “I’ve been pushing Washington to get serious about these threats and to draft a badly needed cyber playbook. Because we don’t have either offensive or defensive doctrine,” he said.


ADMINISTRATION

Nextgov
September 20, 2019
The Homeland Security Department wants to offer its cybersecurity personnel more competitive pay, and it needs help setting those rates. The department recently began seeking vendors to support the Cybersecurity Workforce Strategic Compensation Program, an enterprisewide effort to bring salaries for the agency’s cyber positions more in line with those in the private sector. By offering employees more competitive pay, the initiative looks to address the shortage of cyber expertise plaguing Homeland Security and other federal agencies. Salary caps, lengthy onboarding and rigid career ladders have historically made it hard for the government to recruit and retain cyber experts, but with digital threats on the rise, agencies are looking for ways to make cyber jobs more attractive.  In a request for information published Tuesday, the department asked vendors to discuss how they would approach developing a new compensation structure and ensuring pay levels remain on par with those in industry. Interested teams must also include information on any IT systems they would use to support the program and their past experience with managing salary and workforce management.

FCW
September 20, 2019
When John Bolton was named National Security Adviser last year, one of his first official acts was to eliminate the White House Cybersecurity Coordinator position, arguing it was duplicative and unnecessary. With Bolton out and Robert O'Brien named as his successor, speculation has drifted to whether the position might be restored. Whether that indeed happens or not, the Department of Homeland Security's top cyber official told reporters during a Sept. 19 briefing in Maryland that his own agency was seeking to take up that mantle, or at least parts of it. "I think that Congress … in standing up CISA, recognized that there needs to be a federal lead for cybersecurity. I think that's the role we're trying to play" at DHS, Cybersecurity and Infrastructure Security Agency Director Chris Krebs said. "Don't take the lack of a coordinator for a lack of coordination," Krebs told reporters. He pointed to the diversity of agencies that sent speakers and representatives as an example of how the federal government has naturally moved towards greater cooperation on cybersecurity.

Nextgov
September 20, 2019
When taxpayers use online systems, the IRS really wants to make sure the people accessing information are who they say they are. The agency has implemented a number of authentication tools over the years—with varying degrees of success—and is now looking at behavioral analytics as an option. The IRS announced a sole-source contract to BioCatch for a proof-of-concept that would incorporate behavioral analytics for the agency’s eAuthentication system. BioCatch’s technology tracks how a user interacts with their device and the agency’s apps to continually verify their identity. “BioCatch collects behavioral metrics—i.e., left/right handedness, pressure—while a user is interacting with eAuth without impacting user experience and establishes a profile for the user,” IRS contracting officers wrote in the statement of work. “Once this profile is established, this data is used to detect fraud on subsequent login attempts and to prevent account takeover during the user’s session.”

Fifth Domain
September 19, 2019
After years of department officials hedging on the proper role of the Pentagon for election security, Defense Secretary Mark Esper on Thursday pledged that the department will consider the issue a core part of its mission in the future. “Moving forward, I consider election security an enduring mission for the Department of Defense,” Esper said in prepared remarks for the 2nd Annual National Cybersecurity Summit. “Our adversaries will continue to target our democratic processes — this is a reality of the world we live in today. Guarding against these threats requires constant vigilance.” That is a far cry from 2017, when a top department official went to Congress and argued that the DoD should not be charged with such a mission. But lessons from 2018 — when the Pentagon played a role in safeguarding the midterms — appear to have convinced the secretary that election security falls within the department’s purview.

FCW
September 19, 2019
The Air Force has been undergoing a months-long cybersecurity review and is ready to deliver it to the deputy defense secretary, said a senior Air Force intelligence director. Lt. Gen. Veralinn Jamieson, the Air Force's deputy chief of staff for Intelligence, Surveillance, Reconnaissance, and Cyber Effects Operations, said the branch was preparing results of an internal cybersecurity audit for the deputy defense secretary. "We've been doing a cyber review just like the Navy has done, just like the Army is doing, and we're about to brief that out here shortly to the deputy secretary of defense on our capabilities and how we're going to get after [vulnerabilities]," she said, speaking at the Air Force Association's Air Space Cyber conference at National Harbor on Sept. 18. "Because unless we protect our power projection platforms, we really don't have them." The news comes as the Air Force gets a new confirmed secretary. The Senate confirmed Barbara Barrett, a former Aerospace Corp. chief, Sept. 18. During her confirmation hearing Sept. 12, Barrett said she would support an extensive cybersecurity review of the Air Force, modeled on the Navy's comprehensive cybersecurity review completed earlier this year.

Fifth Domain
September 19, 2019
With less than two weeks until the National Security Agency’s new cybersecurity directorate officially starts its work, the organization’s leader said she plans to take a “come together” approach in its first 60 days in order to make the group as effective as possible. The directorate’s leader, Anne Neuberger, said Sept. 18 at the Cybersecurity and Infrastructure Security Agency’s summit that her team will be made up of people with a variety of backgrounds, drawing from threat intelligence professionals, emerging technologies experts and nuclear command and control staff, totaling “several thousand” people. Because of the size and diversity of backgrounds, the first step, she said, is to create “one community, one culture internally.” Diversity, she said, will be her group’s strength. “We’re integrating that to operationalize intelligence to defend against threats,” said Neuberger, who noted that she’ll be working closely with the Department of Homeland Security and FBI. Neuberger, who previously led the Russia small group at the NSA, said her latest group will be “transforming to work in the unclassified space.” “We recognize that using threat intelligence, making it useful and effective, needs to be done in the way network defenders need,” Neuberger said. “And that’s where we’ll be transforming.”

Nextgov
September 18, 2019
Cybersecurity pros in government and industry need to get a broader community of people engaged in fighting digital threats, but “selling fear” shouldn’t be their primary strategy, according to the Homeland Security Department’s cyber chief. As director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs has made it a priority to get more outside groups involved in his agency’s cyber efforts. He attributes the successful defense of the 2018 midterm elections to those partnerships, and in the run-up to the 2020 race and beyond, Krebs wants the broader cybersecurity community to follow CISA’s lead. During a speech at the agency’s second annual Cybersecurity Summit, Krebs called on industry and government experts to do more to help society grapple with the growing array of digital threats targeting governments, private companies and everyday citizens. Those efforts can take a wide variety of shapes, he said, from helping more small- and medium-size businesses bolster their networks to supporting cybersecurity education for high school and college students. “We’ve got to do more to extend our capabilities to float all boats,” Krebs said. He also noted outreach efforts would go a long way in addressing the shortage of cybersecurity personnel that today is plaguing both government and the private sector.

Wired
September 17, 2019
When the Air Force showed up at the Defcon hacker conference in Las Vegas last month, it didn’t come empty-handed. It brought along an F-15 fighter-jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that it has decided to up the ante. Next year, it’s bringing a satellite. That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. While sending elite hackers after an orbiting satellite—and its ground station—might sound ambitious, it’s in keeping with Roper’s commitment to fundamentally changing how his branch of the military attacks its cybersecurity challenges. “We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”

The Hill
September 16, 2019
Colorado on Monday became the first state in the U.S. to ban the use of QR codes on ballots, citing cybersecurity concerns associated with the use of these codes in tabulating votes. Colorado Secretary of State Jena Griswold (D) noted in announcing the change that cybersecurity experts have raised concerns around the security of using the QR codes on ballots. Griswold also cited findings by U.S. intelligence that Russian operatives attempted to interfere in the 2016 presidential election as a reason to enhance cybersecurity of elections. Currently, residents in Colorado make their choices on a ballot-marking device, which then prints a physical ballot that includes both a QR code embedded with the voter’s choices and a read-out for the voter to verify their choices. The votes are then tabulated by a machine that scans the QR codes, which officials say have the potential to be changed by hackers and be different than the votes cast. Colorado will now require that votes only be counted based on human-verifiable information, specifically the marked ovals on the printed ballot, and not based on the counting of votes embedded in QR codes.


INDUSTRY

CyberScoop
September 20, 2019
Microsoft said Friday it will offer state and local election officials free security support for Windows 7 operating systems used in voting systems through 2020. “We want to make sure that Windows 7 end-of-life doesn’t…become a barrier to having a secure and safe election,” Jan Neutze, head of Microsoft’s cybersecurity and democracy team, said in announcing the news. “It’s the right thing to do,” he said at a conference hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Microsoft has long planned to stop providing security updates for Windows 7 users in general in January 2020, but was allowing users to pay for those updates through January 2023. But the offer of free services through next year’s U.S. presidential election is an additional effort to make it easier to update operating software used in voting systems, such as the election management systems that format ballots. Some systems that support voting in the U.S. still rely on Windows 7, which is not nearly as straightforward to update on those machines as it is on a personal computer. Patches require installation and testing to verify that they will not disrupt a voting system.

Ars Technica
September 20, 2019
In 2017 and 2018, hackers compromised systems running the Click2Gov self-service bill-payment portal in dozens of cities across the United States, a feat that compromised 300,000 payment cards and generated nearly $2 million of revenue. Now, Click2Gov systems have been hit by a second wave of attacks that’s dumping tens of thousands of records onto the Dark Web, researchers said on Thursday. The new round of attacks began in August and has so far hit systems in eight cities, six of which were compromised in the previous episode, researchers with security firm Gemini Advisory said in a post. Many of the hacked portals were running fully up-to-date systems, which raises questions about precisely how the attackers were able to breach them. Click2Gov is used by utilities, municipalities, and community-development organizations to pay bills and parking tickets as well as make other kinds of transactions. “The second wave of Click2Gov breaches indicates that despite patched systems, the portal remains vulnerable,” Gemini Advisory researchers Stas Alforov and Christopher Thomas wrote. “It is thus incumbent upon organizations to regularly monitor their systems for potential compromises in addition to keeping up to date on patches.”

Gov Info Security
September 20, 2019
Decommissioned domains that were part of the pervasive Magecart web-skimming campaigns are being put to use by other cybercriminals who are re-activating them for other scams, including malvertising, according to researchers at RiskIQ, a San Francisco-based cybersecurity firm. The success of the Magecart credit card attacks, which victimized hundreds of thousands of sites, millions of users and such major corporations as British Airways, Forbes, Ticketmaster and Newegg over the last 18 months, has led more cybercriminals to leverage Magecart's tools, the researchers note in a report released Thursday. Magecart appears to be a loose association of about a dozen different groups. Its campaigns have been well-documented by RiskIQ and other cybersecurity firms. In its report, RiskIQ has outlined the indications of compromise associated with the attacks, including the malicious domains that the threat actors used to "inject web-skimming JavaScript into browsers or as a destination for the skimmed payment information," the report states. Many of those malicious domains have been permanently sinkholed. But others have been decommissioned by the registrar, held for a while and then put back into the pool of available domains.

Ars Technica
September 20, 2019
On September 19, in a conference room at the Pelican Hill Resort in Newport Beach, California, Crown Sterling CEO Robert Grant, COO Joseph Hopkins, and a pair of programmers staged a demonstration of Grant's claimed cryptography-cracking algorithm. Before an audience that a Crown Sterling spokesperson described as "approximately 100 academics and business professionals," Grant and Hopkins had their minions generate two pairs of 256-bit RSA encryption keys and then derive the prime numbers used to generate them from the public key in about 50 seconds. The code was on an Apple MacBook Pro. Grant claimed that the work could be used to "decrypt" a 512-bit RSA key in "as little as five hours" using what Grant described as "standard computing." The demonstration only raises more skepticism about Grant's work and about Crown Sterling's main thrust—an encryption product called Time AI that Grant claims will use the time signature of AI-generated music to generate "quantum-entangled" keys. Grant's efforts to show how weak long-cracked versions of RSA are were met with what can only be described as derision by a number of cryptography and security experts.

CyberScoop
September 19, 2019
Voting-equipment vendors are preparing to formally ask security researchers for ideas on building a coordinated vulnerability disclosure (CVD) program, the next step in the industry’s gradual move to work more closely with ethical hackers. The Elections Industry-Special Interest Group, which includes the country’s three largest voting-systems vendors, will this week release the request for information (RFI), Chris Wlaschin, vice president of systems security at one of those vendors, Election Systems & Software, told CyberScoop. “We all feel that sense of urgency to adopt this sooner than later,” Wlaschin said. Since January, the voting vendor group, which is part of the IT-Information Sharing and Analysis Center (IT-ISAC), a broader industry association, has held biweekly meetings to begin hashing out what a CVD program to find and fix software bugs might look like. Other industries have adopted such programs, which can raise the bar for security in an industry and establish trust with independent security experts. Some security researchers have criticized the elections-infrastructure sector for being slow to embrace ethical hacking. Wlaschin said the Special Interest Group has been searching for a program that will account for the idiosyncrasies of the elections-infrastructure industry, including the far-flung nature of voting equipment across thousands of jurisdictions.

ZDNet
September 19, 2019
Cyberattacks are now considered by most execs to be the top business concern, far outranking economic uncertainty, brand damage, and regulation, according to a survey by insurance consultancy Marsh and tech giant Microsoft. The global survey of over 1,500 business leaders illustrates the rapid change in business leaders' perceived risks to their organizations and shows that having a cyber insurance policy is now more common than two years ago. In 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do. The share of respondents who see cyber attacks as the number one risk has also risen from 6% to 22% over two years. This year, the second most widely considered top-five risk is economic uncertainty, followed by brand damage, regulation, and loss of key personnel.

Ars Technica
September 19, 2019
If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets—and it just returned from a four-month hiatus. Emotet started out as a means for spreading a bank-fraud trojan, but over the years it morphed into a platform-for-hire that also spreads the increasingly powerful TrickBot trojan and Ryuk ransomware, both of which burrow deep into infected networks to maximize the damage they do. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

The Wall Street Journal
September 18, 2019
Huawei Technologies Co. has been suspended from membership in a global trade group of companies, governments and experts set up to tackle computer security breaches and share information about vulnerabilities. The Forum of Incident Response and Security Teams, called “First,” was set up in the 1990s to encourage international cooperation in addressing and preventing hacking incidents. It has grown into a sort of informal first responder to big global hacks and cybersecurity incidents.

Ars Technica
September 18, 2019
A previously undocumented attack group with advanced hacking skills has compromised 11 IT service providers, most likely with the end goal of gaining access to their customers' networks, researchers from security firm Symantec said on Wednesday. The group, dubbed Tortoiseshell, has been active since at least July 2018 and has struck as recently as July of this year, researchers with the Symantec Attack Investigation Team said in a post. In a testament to Tortoiseshell’s skill, the new group used both custom and off-the-shelf hacking tools. At least two of the 11 compromises successfully gained domain admin level access to the IT providers’ networks, a feat that gave the group control over all connected machines. Tortoiseshell's planning and implementation of the attacks was also notable. By definition, a supply chain attack is hacking that compromises trusted software, hardware, or services used by targets of interest. These types of attacks require more coordination and work. Taken together, the elements suggest that Tortoiseshell is likely a skilled group. “The most advanced part of this campaign is the planning and the implementation of the attacks themselves,” a member of Symantec’s research team wrote in an email. “The attacker had to have multiple objectives achieved in an operational fashion in order to compromise the true targets which would have relationships with the IT provider.”

Reuters
September 18, 2019
Malaysia's Malindo Air, a subsidiary of Indonesia's Lion Group, said on Wednesday it was investigating a data breach involving the personal details of its passengers. Malindo Air's statement followed a report by Moscow-based cybersecurity firm Kaspersky Lab that the details of around 30 million passengers of Malindo and fellow Lion Group subsidiary Thai Lion Air were posted in online forums. The report said the leaked information included passengers' passport details, addresses and phone numbers. Lion Group and Thai Lion Air could not immediately be reached for comment. Malindo Air said it was notifying authorities internationally about the incident and advised customers with online frequent flyer accounts to change their passwords. It declined to provide more detail on its investigation, including how many customers were affected, but said it did not store any customer payment details on its servers.

Ars Technica
September 16, 2019
Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension. The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the LastPass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site.


INTERNATIONAL

The New York Times
September 20, 2019
A computer hacker whose efforts revealed often troubling practices that shape the multi-billion-dollar global soccer industry was charged with 147 crimes this week by Portugal’s national prosecutor. For four years between 2015 and his arrest in Hungary in January, the hacker, Rui Pinto, a 30-year-old from Portugal, sowed anxiety in the soccer world by publishing hundreds of internal documents onto an internet platform he set up called Football Leaks. Pinto later collaborated with a European media consortium led by the German newsmagazine Der Spiegel to disseminate even more documents. The information Football Leaks made public — including player contracts, internal team financial documents and confidential emails — pulled back the curtain on the murky world of soccer finance, led to criminal tax prosecutions of several top players and even helped prompt officials in the United States to reopen a sexual assault investigation involving the Portuguese star Cristiano Ronaldo.

SC Magazine
September 20, 2019
The UK’s National Cyber Security Centre has published a report warning UK universities that "state espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself". It said that phishing attacks and malware pose the most immediate, disruptive threat, but the longer-term threat comes from nation states intent on stealing research for strategic gain. The report said that academic institutions should "adopt security-conscious policies and access controls" to mitigate risks, "as well as to ensure potentially sensitive or high-value research is separated rather than stored in one area". The assessment found that the open and outward-looking nature of the universities sector, while allowing collaboration across international borders, also eases the task of a cyber-attacker. The report highlighted an example of this in an attack from last year attributed to Iranian actors in which they were able to steal the credentials of their victims after directing them to fake university websites.

NBC
September 17, 2019
The Trump administration is weighing a range of options for a retaliatory action against Iran, including a cyberattack or physical strike on Iranian oil facilities or Revolutionary Guard assets, U.S. officials and others briefed on the deliberations told NBC News. In a national security meeting on Monday, U.S. military leaders provided President Donald Trump with a menu of possible actions against Iran. But the president, seeking a narrowly focused response that wouldn't draw the U.S. into broader military conflict with Iran, asked for more options, people briefed on the meeting said. That could entail a strike by Saudi Arabia, whose oil facilities were hit Sunday in an unprecedented attack, that the U.S. would support with intelligence, targeting information and surveillance capabilities — but without the U.S. actually firing any weapons at Iran, one person familiar with the planning said.

CyberScoop
September 17, 2019
As loyalties among Afghanistan’s Islamic extremists continue to shift, the U.S. military may be poised to rely more heavily on offensive cyber capabilities to target one group in particular — the dispersed but still active membership of ISIS, according to one military cyber commander. Joint Task Force ARES, the outfit charged with running joint and coalition cyber-operations against ISIS, is working to uncover information about how the terrorist group continues to operate in Afghanistan, the deputy commander said Monday. “JTF-ARES is in or around where ISIS is operating,” Brig. Gen. Len Anderson said during a question and answer at an Atlantic Council event Monday. “We are trying to illuminate the network, trying to figure out how they’re communicating, what they’re using, where the money might be flowing, is there money.” Although the Islamic State’s physical caliphate has been crushed in Iraq and Syria, reporting from the Defense Intelligence Agency this year says the group still has a network of thousands of insurgents in Iraq and Syria, as well as militia in Iraq, Pakistan and Afghanistan. Security experts are concerned that ISIS is gaining momentum in Afghanistan in part because of the Trump administration’s efforts to establish a peace deal with the Taliban, according to the Financial Times.

Bloomberg
September 16, 2019
A Russian hacker at the center of an alleged scheme to steal financial data on more than 80 million JP Morgan Chase & Co. clients will plead guilty later this month, according to a U.S. court filing. Andrei Tyurin, who was extradited last year from the Republic of Georgia, is accused of performing key tasks that netted hundreds of millions of dollars in illicit proceeds from the hack of JPMorgan and other companies. Tyurin has struck a plea agreement with federal prosecutors in New York to resolve the charges and is set to appear for a plea hearing next week. Since he was first brought before a New York judge, hearings in Tyurin’s case have been repeatedly canceled, and previous court filings have said prosecutors and defense lawyers were engaged in plea negotiations. In a filing late Friday, prosecutors from the Manhattan U.S. attorney’s office sought to consolidate Tyurin’s case in New York with one filed in Atlanta, in which he and others were accused of hacking online brokerage E*Trade. At the time of the hacks, the breach was so vast that U.S. authorities suspected it was the work of a state-sponsored cyberattack, with potential ties to Russia’s intelligence agencies. But they ultimately concluded it was the work of a broad criminal enterprise, with the purloined funds fueling other schemes including stock manipulation, online gambling and money laundering.

Reuters
September 15, 2019
Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, five people with direct knowledge of the matter told Reuters. Australia’s cyber intelligence agency - the Australian Signals Directorate (ASD) - concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters. The five sources declined to be identified due to the sensitivity of the issue. Reuters has not reviewed the classified report. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report.


TECHNOLOGY

AP
September 20, 2019
The call came on a Saturday in July delivering grim news: Many of the computer systems serving the government of LaPorte County, Indiana, had been taken hostage with ransomware. The hackers demanded $250,000. No way, thought County Commission President Vidya Kora. But less than a week later, officials in the county southeast of Chicago agreed to pay a $132,000 ransom, partially covered by $100,000 from their insurance provider. "It was basically an economic decision," Kora said. "How long do you keep all these employees sitting, doing nothing? Whereas if you pay this, we can be back up and running." That's precisely the calculation hackers count on. Now some cybersecurity professionals are concerned that insurance policies designed to limit the damage of ransomware attacks might be encouraging hackers, who see insurers covering increasingly large ransoms and choose to target the type of institutions likely to have coverage. "Once a cybercriminal finds a formula that works for them, they're going to stick to it," said Tyler Moore, a cyber security professor at the University of Tulsa. "If you're a company or a city that has this coverage, the decision of whether to pay is quite clear. It gets more difficult when you take a step back and look at the societal view." This year alone, the average ransom payment climbed from $12,762 at the end of March to $36,295 by the end of June — a 184% jump — according to Coveware, a firm that negotiates on behalf of ransomware victims.

Ars Technica
September 18, 2019
Hackers have found a new way to amplify the crippling effects of denial-of-service techniques by abusing an improperly implemented tool found in almost 1 million network-connected cameras, DVRs, and other Internet-of-things devices. The technique abuses WS-Discovery, a protocol that a wide array of network devices use to automatically connect to one another. Often abbreviated as WSD, the protocol lets devices send user datagram protocol packets that describe the device capabilities and requirements over port 3702. Devices that receive the probes can respond with replies that can be tens to hundreds of times bigger. WSD has shipped with Windows since Vista and is one of the ways the operating system automatically finds network-based printers.

ZDNet
September 18, 2019
Malware that mines cryptocurrency has made a comeback over the summer, with an increased number of campaigns being discovered and documented by cyber-security firms. The primary reason for this sudden resurgence is the general revival of the cryptocurrency market, which saw trading prices recover after a spectacular crash in late 2018. Monero, the cryptocurrency of choice of most crypto-mining malware operations, was one of the many cryptocurrencies that were impacted by this market slump. The currency, also referred to as XMR, has gone down from an exchange rate that orbited around $300 - $400 in late 2017 to a meager $40 - $50 at the end of 2018. But as the Monero trading price recovered throughout 2018, tripling its value from $38 at the start of the year, to nearly $115 over the summer, so have malware campaigns.