Gov Info Security
November 1, 2019
Calling election security a "national emergency," nearly 100 past and current
Democratic and Republican lawmakers and other government officials have sent a
letter to the Senate calling for passage of stalled legislation. The Thursday
letter, presented by the nonprofit group Issue One, which focuses on reducing
the role of money in politics and "modernizing elections," requests
the Senate approve five bills covering a range of cybersecurity-related issues.
"We are alarmed at the lack of meaningful Congressional action to secure
our elections. The United States cannot afford to sit by as our adversaries
exploit our vulnerabilities," the letter states. "Congress -
especially the Senate - must enact a robust and bipartisan set of policies now.
China, Iran, Russia, and nonstate actors are utilizing every means possible to
manipulate our elections and undermine the faith Americans have in our
democracy. These efforts pose severe threats to our national security."
The Hill
October 30, 2019
A bipartisan group of senators on Wednesday introduced legislation intended to
shore up cybersecurity for local governments by providing resources for them to
switch to secure internet domains administered by the federal government. The
bill, dubbed the DOTGOV Online Trust in Government Act, would not require local
governments to switch their domains to .gov, but would require the Department
of Homeland Security to provide resources and assistance to local governments
that do intend to make the switch. Cyber criminals have spoofed local
government websites due to some governments not using .gov addresses, which can
trick individuals or businesses into sharing personal information with what
they think is a secure government website. Most federal and state government
websites already use the .gov domain, which is administered by the federal
General Services Administration (GSA), but many local governments do not. The
bill is sponsored by Senate Homeland Security and Governmental Affairs
Committee Chairman Ron Johnson (R-Wis.) as well as Sen. Gary Peters (Mich.),
the panel's top Democrat, along with Sens. Amy Klobuchar (D-Minn.) and James
Lankford (R-Okla.).
Fifth Domain
October 30, 2019
Data breaches that have troubled the Department of Defense supply chain have
captured the attention of lawmakers on Capitol Hill. In a wide-ranging
confirmation hearing Oct. 29 for DoD CIO Dana Deasy, Sen. Joe Manchin, D-W.V.,
pressed on how the DoD can shore up the cybersecurity shortfalls of subprime
contractors. Manchin said he wants to impose “very, very severe" financial
penalties on prime contractors who don’t oversee the cybersecurity of their
subprime components. Manchin asked Deasy if he supports financial penalties,
but Deasy said that monetary punishment wasn’t something he’s considered so
far. However, the Pentagon’s top IT official did agree that there needed to be
an “intervention.” Prime contractors shouldn’t be allowed to self-assess, Deasy
said. Deasy’s answer wasn’t enough for Manchin, who firmly asserted that
top-tier contractors need to be held accountable for the cybersecurity of
subprimes included in contracts. “We’ve got serious problems there,” Manchin
said. “Someone’s got to be held accountable for this all the way down the food
chain. And that’s where you’re going to have to step in."
FCW
October 29, 2019
Security researchers showed lawmakers and reporters how easy it is to compromise voting
machines in what has become an annual event at the U.S. Capitol. The
Washington, D.C., version of the Voting Village event at the DefCon security
conference in Las Vegas gives policymakers a hands-on glimpse of the technology
that powers U.S. democracy. This year's report is consistent with prior
exercises: virtually every machine experts can get their hands on can be easily
exploited in a number of different ways. What has changed in recent years, said
Voting Village Co-founder Harri Hursti, is that the community of security
researchers with first-hand experience working with these machines has grown
from less than a dozen to thousands. Even though the annual event has been held
for several years, fresh researchers have discovered new vulnerabilities and
attack vectors.
The Hill
October 29, 2019
Leaders of the Blue Dog Coalition on Tuesday urged House and Senate leaders to provide
states with election security funds as part of the ongoing appropriations process.
The coalition, which consists of 26 moderate Democrats, wrote a letter to the
bipartisan leaders of the House and Senate Appropriations committees asking for
their support in including $600 million to be given to states in order to
bolster election security as part of the ongoing appropriations process. “In
light of the proven threat posed by Russia—and possibly other foreign powers—to
our democratic process, we believe the final bill should provide $600 million
or as close to it as possible,” the leaders of the coalition wrote. They also
asked for the House and Senate, when they meet to negotiate the differences
between their versions of appropriations bills, to add language requiring the
funds to go toward improving the cybersecurity of elections, such as providing
cybersecurity training for election officials and moving toward voter-verified
paper ballots. The letter was signed by Reps. Stephanie Murphy (D-Fla.), Tom
O’Halleran (D-Ariz.), Lou Correa (D-Calif.), Anthony Brindisi (D-N.Y.), Kendra
Horn (D-Okla.) and Jeff Van Drew (D-N.J.).
Wired
October 28, 2019
Ransomware has steadily become one of the most pervasive cyberattacks in the world. And
while high-profile global meltdowns like 2017’s NotPetya strain garner the most
attention, localized attacks have devastating consequences as well. Look no
further than the cities of Atlanta and Baltimore, whose online operations
ground to a halt after ransomware takeovers. Or more recently, Alabama’s DCH
Health Systems, which had to turn away all but the most critical patients from
its three hospitals after hackers seized control of their networks. The attacks
affect communities both large and small. In fact, victims often aren’t even
specifically targeted. Hackers have increasingly focused on so-called managed
service providers, companies that remotely handle IT infrastructure for a wide
range of customers, to get the highest return on their investment. Successfully
compromise one MSP, and you can hit nearly two-dozen local Texas governments,
as one recent example proved. It’s the kind of large-scale problem that would
benefit from a large-scale solution. Yet despite the clear and pervasive
danger, Congress seems stumped. “There’s a gap between the focus and resources
here in Washington and what happens in a town of 200,000 people,”
Representative Jim Himes (D-Connecticut) tells WIRED. While Himes, a member of the
House Intelligence Committee, is concerned about the rise in these brazen
attacks, he also sees fundamental limitations in the federal government’s
ability to help stop hyper-local attacks.
FCW
October 28, 2019
A member of Congress wants Acting White House Chief of Staff Mick Mulvaney to answer for
recent reports that indicate the White House's cybersecurity team has been
gutted. In an Oct. 25 letter, Rep. Ted Lieu (D-Calif.) references an Oct. 17
memo from Dimitrios Vastakis, former Branch Chief of White House Computer
Network, titled "Cyber Security Personnel Leaving Office of the
Administration at an Alarming Rate." Vastakis complains that his Office
of the Chief Information Security Officer had been absorbed into the CIO office
and claims White House officials have been "systematically" targeting
security personnel with “hostile” actions meant to drive them out and objected
to changes in organizational structure that would put the team’s actions under
a White House entity not covered by the Presidential Records Act. The memo,
obtained and first reported on in Axios, claimed that these tactics included
revoking incentives, reducing the scope of duties, reducing access to programs
and buildings and revoking positions with strategic and tactical
decision-making authorities. It notes that these tactics have "forced the
majority of GS-14 and GS-15 OCISO staff to resign."
ADMINISTRATION
CyberScoop
November 1, 2019
The Pentagon once again is sending cyber personnel overseas to gather intelligence
to help protect the 2020 presidential elections against foreign interference,
the U.S. Embassy in Montenegro announced this week. U.S. European Command and
U.S. Cyber Command are deploying an undisclosed number of defensive cyber
operators to Montenegro in order to gain insights into cyber threats from
adversaries before both the U.S. and Montenegrin elections next year. It’s the
second time in as many years the Department of Defense is going through the
effort as part of a partnership that’s uniquely poised to provide insights on possible
Russian election interference. Montenegro and the U.S. both have been targeted
by the Russian government-linked hacking outfit APT28, or Fancy Bear. If Cyber
Command uncovers similar activity again in Montenegro, those insights could
inform decisions on how to safeguard the U.S. “Montenegro is among the first in
Europe to face unconventional attacks on its democracy and freedom of choice,”
Montenegrin Defense Minister Predrag Boskovic said in a statement. “It is
precisely in the face of new challenges with the United States that we seek a
way, using their resources, to protect democracy in the Western Balkans from
those who would keep this part of Europe in conflicts, setbacks, and economic
decline.”
The Hill
November 1, 2019
Pennsylvania Gov. Tom Wolf (D) on Thursday signed into law a proposal that provides $90
million for replacing outdated and nonsecure voting machines, along with making
reforms to ways Pennsylvanians can vote. The new law marks a major change for
Pennsylvania’s voting system, allowing mail-in voting and a 50-day period for
voters to mail in ballots ahead of the election, as well as moving the deadline
to register to vote from 30 days prior to the election to 15 days prior. The
law also provides $90 million to assist counties in purchasing new election
machines with paper trails to help increase the security of voting. These funds
will serve to reimburse counties for 60 percent of what they have spent on
replacing older voting equipment with machines that have paper records of
votes, something Pennsylvania’s Department of State ordered them to do last
year. Forty-six Pennsylvania counties, or around 68 percent, have the new
systems in place as of this month.
FCW
October 31, 2019
A Federal Elections Commission-sanctioned nonprofit group has announced partnerships with
a number of companies to offer free or cheap cybersecurity services to
candidates running for federal office. The group, Defending Digital Campaigns,
announced a suite of services that will be made available to campaigns,
including end-to-end encryption services from Wickr, IT security training
services from Cybrary, email security services from Area1 and managed security
services from GRA Quantum. Michael Kaiser, who was named CEO of the group in
the same announcement, said the services are meant to help campaigns deal with
some of the most common digital threats, from phishing attacks and email
compromise to data theft or loss of campaign donor information, polling data
and other sensitive data. The unique role that these campaigns play as
“elemental pieces” of democracy means they are going to be the subject of more
targeted and determined attacks from hackers.
Nextgov
October 30, 2019
Winners of the Energy Department’s CyberForce Competition next month could leave with more
than just medals, trophies or bragging rights for their hacking or defending
success—this year, some who come out on top could secure a job with the federal
government. An Energy executive and national lab insider who have helped pave
the way for the competition’s growth from fewer than 10 teams in 2016 to more
than 100 in 2019 shared insights with Nextgov this week into their work to
shape the unique event into a tool that can help close critical gaps across the
federal workforce. “Our goal is to actually hire some of the winning team
members based on their performance and their understanding of this
environment,” Assistant Secretary for the Office of Cybersecurity, Energy
Security, and Emergency Response Karen Evans said. “So, success to me would be
these professional teams competing, having an understanding and scoring well on
the competition, and then CESER hiring some of them.” The first CyberForce
Competition launched at Argonne National Laboratory four years ago, and since
then has ballooned to 10 times the people competing at 10 national labs across
the United States. Participants will be tasked with maintaining the security of
one of four separate infrastructures, which include an energy distribution
substation, solar energy generation facility, high-performance computing data
center and manufacturing facility. But in 2019, the competition also includes a
professional pilot, through which individuals outside of school—who expressly
want to work for Energy or a national lab in the future—will compete and could
eventually have their scores considered in hiring for future federal positions.
Ars Technica
October 30, 2019
In a business park that plays home to a number of tech and cybersecurity firms
situated strategically between Washington, DC, and Baltimore, there's a
two-story building that looks externally like many other office buildings,
remarkable this day only for the food trucks in the parking lot and the stream
of people in camouflage swarming in and out. The building, called DreamPort, is
a collaboration facility leased by US Cyber Command—and on October 18, it was
the location of AvengerCon IV, the latest incarnation of a soldier-led
cybersecurity training event that takes the shape of a community hacking
conference.
Nextgov
October 30, 2019
The Defense Department is working on a new policy that will require its vendors to obtain a
certification confirming the contractor’s own systems have strong enough
cybersecurity to protect the department’s secrets. A civilian agency
counterpart to that would look very different than what the Pentagon is
developing, according to the second-ranking civilian IT official. While the
government does have a method for certifying the cybersecurity of vendors’
products—through the authority to operate, or ATO, process and the Federal Risk
and Authorization Management Program, or FedRAMP—it does not have a program for
assessing the security of the systems used by the vendors. The Defense
Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to
change that with a set of 18 “key sets of capabilities for cybersecurity,”
according to the draft released in September. A similar program would be useful
in the civilian space but would require a much different framework, Margie
Graves, deputy federal chief information officer, said in answer to a question
at the Professional Services Council’s annual Vision conference. “We, as a
civilian community, cannot adopt DOD rubrics writ-large,” she said. “But there
are some aspects of the civilian agencies—I would say, [the Homeland Security
and Justice departments] and others in the law enforcement among them—that are
similar. We could actually learn from the framework that’s being set up with
DOD on that issue.”
Nextgov
October 28, 2019
One hack made a county’s emails unreadable. Another disabled a city’s 311 help line amid
a snowstorm. At least three local governments in Ohio and the Cleveland Hopkins
International Airport have all been hit with ransomware attacks in the last
year alone. The next time hackers go after a local government in Ohio, however,
the state will have a new weapon to deploy: the Ohio Cyber Reserve. Gov. Mike
DeWine signed a bill into law Friday that establishes a volunteer “cyber
reserve” of computer and information technology experts who will be able to
assist local governments in the face of ransomware or cybersecurity attacks.
The reserve will consist of five teams of 10 people spread throughout the state
who will be vetted and trained to respond to cybersecurity emergencies
affecting local governments. The response will be similar to the way the Ohio
National Guard is placed on active duty during a natural disaster, said Maj.
Gen. John C. Harris Jr., the Ohio Adjutant General who oversees the state’s
National Guard.
INDUSTRY
Ars Technica
November 1, 2019
As many as 2,000 users of NordVPN, the virtual private network service that recently
disclosed a server hack that leaked crypto keys, have fallen victim to
credential-stuffing attacks that allow unauthorized access to their accounts.
In recent weeks, credentials for NordVPN users have circulated on Pastebin and
other online forums. They contain the email addresses, plain-text passwords,
and expiration dates associated with NordVPN user accounts.
Gov Info Security
November 1, 2019
A trio of well-known domain name registrars are mandating a password reset after
revealing a breach affecting about 22 million accounts that occurred in late
August. Web.com and two of its brands, Network Solutions and Register.com,
published identical breach notices, noting "that a third party gained
unauthorized access to a limited number of our computer systems." The
incident was discovered on Oct. 16. "Upon discovery of this unauthorized
access, the company immediately began working with an independent cybersecurity
firm to conduct a comprehensive investigation to determine the scope of the
incident, including the specific data impacted," according to the notices.
"We have also reported the intrusion to federal authorities and are
notifying affected customers." The exposed account data, which encompasses
current and former accounts, includes names, addresses, phone numbers, email
addresses and services held by the account owner. The three registrars say
they're notifying victims by email.
ZDNet
November 1, 2019
Yesterday, on late Halloween night, Google engineers delivered the best scare of the
evening and released an urgent update for the Chrome browser to patch an
actively exploited zero-day. "Google is aware of reports that an exploit
for CVE-2019-13720 exists in the wild," Google engineers said in a blog
post announcing the new v78.0.3904.87 release. The actively-exploited zero-day
was described as a use-after-free bug in Chrome's audio component.
Use-after-free vulnerabilities are memory corruption bugs that occur when an
application tries to reference memory that was previously assigned to it but
has been freed or deleted in the meantime. This usually causes a program to
crash, but can also sometimes lead to other, unintended consequences, such as
code execution scenarios.
Gov Info Security
November 1, 2019
Ransomware continues to be highly profitable for criminals. For the third quarter of this
year, the average ransom amount paid was $41,198, an increase of 13 percent
compared to the second quarter and a nearly six-fold increase from the third
quarter of 2018, according to ransomware incident response firm Coveware. The
five most-targeted industries in the third quarter were professional services,
the public sector, healthcare, software services and retail. "The rate of
increase has plateaued, reflecting resistance to paying by victims who are
increasingly finding new ways to restore and recreate data, rather than
pay," Coveware says in a new report. "Ryuk continued to make
headlines, and other similar Hermes variants like DopplePaymer and I-Encrypt
became more prevalent, suggesting that threat actors are rotating through
different kits."
CNBC
November 1, 2019
As internet crimes and abuse stalk the globe, cybersecurity firms are having trouble
attracting and keeping skilled workers to help protect networks. Today some 2.8
million professionals work in cybersecurity around the globe, but an additional
4 million trained workers would be needed to close the skills gap and properly
defend organizations, according to the 2019 ISC2 Cyber Security Workforce
Study. The global nonprofit is the largest association of certified
cybersecurity professionals. The data reveals that in the U.S. alone, nearly a
half million workers would be needed to fill the shortage. “The volume of
attacks and sophistication of attacks from around the world continue to
increase,” said ISC2 CEO David Shearer. “We have nation-state types of attacks,
criminal activity types of attacks and individuals that are just trying to do
fraud and cybercrime. And so as these activities on the web continue to grow,
there continues to be less and less of the qualified people that we need to
conquer those attacks.”
Reuters
October 31, 2019
Senior government officials in multiple U.S.-allied countries were targeted earlier
this year with hacking software that used Facebook Inc’s WhatsApp to take over
users’ phones, according to people familiar with the messaging company’s
investigation. Sources familiar with WhatsApp’s internal investigation into the
breach said a “significant” portion of the known victims are high-profile
government and military officials spread across at least 20 countries on five
continents. Many of the nations are U.S. allies, they said. The hacking of a
wider group of top government officials’ smartphones than previously reported
suggests the WhatsApp cyber intrusion could have broad political and diplomatic
consequences. WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool
developer NSO Group. The Facebook-owned software giant alleges that NSO Group
built and sold a hacking platform that exploited a flaw in WhatsApp-owned
servers to help clients hack into the cellphones of at least 1,400 users
between April 29, 2019, and May 10, 2019.
E&E News
October 31, 2019
A Utah renewable energy developer was hit by a first-of-its-kind cyberattack that
briefly cut contact to a dozen wind and solar farms this spring, according to
documents obtained by E&E News under the Freedom of Information Act. Salt
Lake City-based sPower suffered "denial of service" attacks on March
5 that left grid operators temporarily blinded to generation sites totaling 500
megawatts, the documents show. Hackers did not cause any blackouts or
generation outages, according to sPower, which says it's the biggest private
solar power operator in the United States. The cyberattack took advantage of a
known weakness in Cisco firewalls to trigger a series of five-minute
communications outages over a span of about 12 hours, according to an emergency
report sPower filed with the Department of Energy at the time of the disruption
that was not publicly released. Denial-of-service attacks flood target devices
or websites with bogus traffic to crash them. The cybersecurity incident is the
first confirmed to have caused "interruptions of electrical system
operations," based on DOE records. Experts say the hackers behind the
attack may not have known they were affecting the power grid, based on the fact
that Cisco firewalls are used in a range of industries and are a popular target
of opportunity when left exposed to the internet.
Ars Technica
October 31, 2019
Nation-sponsored hackers have a new tool to drain telecom providers of huge amounts of SMS
messages at scale, researchers said. Dubbed "Messagetap" by
researchers from the Mandiant division of security firm FireEye, the recently
discovered malware infects Linux servers that route SMS messages through a
telecom’s network. Once in place, Messagetap monitors the network for messages
containing either a preset list of phone or IMSI numbers or a preset list of
keywords. Messages that meet the criteria are then XOR encoded and saved for
harvesting later. FireEye said it found the malware infecting an undisclosed
telecom provider. The company researchers said the malware is loaded by an
installation script but didn’t otherwise explain how infections take place.
The New York Times
October 30, 2019
Two men pleaded guilty in federal court in San Jose, Calif., to charges of computer
hacking and an extortion conspiracy on Wednesday, capping a thorny legal saga
that ensnared tech companies like Uber and LinkedIn in data breach scandals.
The resolution of the case comes as Americans grapple with theft and misuse of
their personal information amid serious data breaches at companies from
Facebook and Equifax to Target and Marriott over the past decade. Lynda.com,
which is owned by LinkedIn, disclosed to its users in December 2016 that it had
a data breach. Officials said some 55,000 accounts were affected, and the
company warned another 9.5 million customers about the breach. The Uber breach
affected more than 57 million people, as the hackers gained access to the
names, phone numbers and email addresses of riders and drivers who used the
service.
Reuters
October 30, 2019
A cyber attack on Asian ports could cost as much as $110 billion, or half the total
global loss from natural catastrophes in 2018, a Lloyd's of London-backed
report said on Wednesday. Cyber insurance is seen as a growth market by
insurance providers such as Lloyd's, which specializes in covering commercial
risks, although take-up in Europe and Asia remains far behind levels in the
United States. The worst-case scenario in the report was based on a simulated
cyber attack disrupting 15 ports in Japan, Malaysia, Singapore, South Korea and
China. Some 92% or $101 billion of the total estimated economic costs of such
an attack are uninsured, Lloyd's said. The figure was calculated by simulating
the impact of a computer virus carried by ships and which scrambles cargo
database records at the ports.
CyberScoop
October 30, 2019
Fifteen major companies, including Apple, Facebook, Google, IBM, and PwC, announced
Wednesday they are joining together to change their cybersecurity job descriptions
and requirements to attract more talent to the 3 million cybersecurity job
openings that are expected to be available over the next two years.
Specifically, the companies — which are part of the Aspen Cybersecurity Group —
are focused on nixing requirements that candidates have four-year bachelor’s
degrees and gender-biased job descriptions. “A bachelor’s degree is actually not
a good proxy for whether you have the talent,” Chair of the Aspen Institute’s
Cyber & Technology Program John Carlin told CyberScoop. “There’s plenty of
talented people out there but we need to figure out better ways to identify
them and train them.” The group, which also includes AIG, Cloudflare, the Cyber
Threat Alliance, Duke Energy, IronNet, Johnson & Johnson, Northrop Grumman,
Symantec, Unisys, and Verizon, came together over the past year to address the
cybersecurity skills gap, which Carlin believes is the actual dilemma facing
the cybersecurity workforce — not a talent gap.
Ars Technica
October 30, 2019
When more than 20 local governments in Texas were hit this summer by ransomware in one
day, the attack was apparently tracked back to one thing the organizations had
in common: a managed service provider. With limited IT resources of their own,
local governments have increasingly turned to MSPs to operate significant
portions of their networks and applications, as have other organizations and
businesses—often placing critical parts of their business operations in the
MSPs' hands. And that has made MSPs a very attractive target to ransomware
operators. Threat researchers at the global cloud security provider Armor have
been tracking publicly-reported incidents in which MSP and cloud service
providers have been hit with ransomware. Thus far, they have documented 13 such
incidents this year—with 6 of them reported in the past few months.
Reuters
October 29, 2019
WhatsApp sued Israeli surveillance firm NSO Group on Tuesday, accusing it of helping
government spies break into the phones of roughly 1,400 users across four
continents in a hacking spree whose targets included diplomats, political
dissidents, journalists and senior government officials. In a lawsuit filed in
federal court in San Francisco, messaging service WhatsApp, which is owned by
Facebook Inc, accused NSO of facilitating government hacking sprees in 20 countries.
Mexico, the United Arab Emirates and Bahrain were the only countries
identified. WhatsApp said in a statement that 100 civil society members had
been targeted, and called it “an unmistakable pattern of abuse.” NSO denied the
allegations. “In the strongest possible terms, we dispute today’s allegations
and will vigorously fight them,” NSO said in a statement. “The sole purpose of
NSO is to provide technology to licensed government intelligence and law
enforcement agencies to help them fight terrorism and serious crime.”
Gov Info Security
October 29, 2019
Fast-food chain Krystal says it's investigating a payment card "security
incident" that affected as many as 228 of its restaurants across
southeastern U.S. states. The incident affected debit and credit cards used at
certain stores between July and last month, the company says in a statement.
Krystal says law enforcement has been notified, and it has retained a forensic
firm. "We have already taken steps to contain and remediate the
incident," the company says. "We are working hard to determine the
specific locations and dates for each restaurant involved in the attack."
Krystal, based in Dunwoody, Georgia, has 342 restaurants across Alabama,
Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina,
South Carolina and Tennessee. The company's list of the states where its
restaurants were affected omitted only Louisiana.
CyberScoop
October 29, 2019
Norsk Hydro received an insurance payout of $3.6 million following a highly publicized
cyberattack earlier this year, the company revealed in its third quarter
earnings report. The insurance payout represents about 6% of the $60 million to
$71 million in costs created by the incident through the third quarter, the
company said. The Norwegian aluminum and energy giant expects more compensation
will come as more costs are totaled. Norsk Hydro, which had a market
capitalization of $12 billion last year, said after the attack in March that
its policy, led by AIG, was “solid.” The company said it was struck with a
large ransomware attack that started in its U.S. facilities then spread. It
wasn’t until summer when Norsk Hydro determined the situation was stable.
INTERNATIONAL
Ars Technica
October 30, 2019
The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware
attributed by others to North Korean state actors had been found on the
administrative network of the Kudankulam Nuclear Power Plant (KKNPP). The admission
comes a day after the company issued a denial that any attack would affect the
plant's control systems. In a press release today, NPCIL Associate Director A.
K. Nema stated, "Identification of malware in NPCIL system is correct. The
matter was conveyed by CERT-In [India's national computer emergency response
team] when it was noticed by them on September 4, 2019." That matches the
date threat analyst Pukhraj Singh said he reported information on the breach to
India's National Cyber Security Coordinator. "The matter was immediately
investigated by [India Department of Atomic Energy] specialists," Nema
stated in the release. "The investigation revealed that the infected PC
belonged to a user who was connected to the Internet connected network used for
administrative purposes. This is isolated from the critical internal network.
The networks are being continuously monitored."
ZDNet
October 29, 2019
The Australian government needs to drop the "national security" framing
of its cybersecurity strategy, according to speakers at the inaugural NetThing,
held at the University of Technology Sydney (UTS) on Tuesday. Australia is
currently reviewing its national strategy. The Department of Home Affairs
published a discussion paper last month, Australia's 2020 Cyber Security
Strategy: A call for views. Speakers were concerned that the framing of
cybersecurity had shifted from that of the original 2016 strategy issued by
then-Prime Minister Malcolm Turnbull. "There's two sort of narratives in
cybersecurity and ... states align with one or the other," said Lucie
Krahulcova, Asia policy analyst at Access Now. One is the narrative of national
security; a narrative of control, like in China and Russia, as well as in many
other governments. The other is the narrative of the internet as a shared
common good and an enabler of civic rights. Under that framing, cybersecurity
is about the integrity of the system and the protection of individual users.
"I think Australia teeters on the edge of those," Krahulcova said.
"I would go as far as to say that certain parts of the government aren't
quite as aware [of] how much Australia sits with the Chinas and Russias,"
she said.
CNN
October 29, 2019
Authorities in Johannesburg are scrambling to gain control of the city's cyber networks
from hackers who are demanding payment in bitcoins. Johannesburg city council
member Funzela Ngobeni said the hackers gained access to the city's computer
systems last Thursday and gave them until Monday to make the payment of four
bitcoins, which is equivalent to 500,000 rands, according to the council. The
officials are refusing to pay and the ultimatum date has now elapsed. "The
city will not concede to their demands for bitcoins, and we are confident that
we will be able to restore systems to full functionality," Ngobeni said in
a statement. Ngobeni called the breach an "attack on the people of the
city" and said the hackers had targeted a period when residents were
making monthly payments for utilities and also when the council pays its
vendors.
ZDNet
October 29, 2019
European authorities have released today a patch for the eIDAS system. The patch fixes
two security flaws that could allow an attacker to pose as any EU citizen or
business during official transactions. eIDAS stands for electronic
IDentification, Authentication and trust Services. It is a very complex,
cryptographically-secured electronic system for managing electronic
transactions and digital signatures between EU member states, citizens, and
businesses. The EU created eIDAS in 2014 to allow member state governments,
citizens, and businesses to carry out cross-border electronic transactions that
can be verified against official databases in any country, regardless of the
origin state of the transaction. eIDAS-Node is the official software package
that government organizations run on their servers to support eIDAS-friendly
transactions against their private databases. Due to this crucial role, any
vulnerabilities in the eIDAS-Node software can allow attackers to tamper with
official EU digital transactions, such as tax payments, bank transfers, goods
shipments, and others.
Wired
October 28, 2019
Russia's state-sponsored hackers have a few predictable fixations: NATO-country
embassies. Hillary Clinton. Ukraine. But a less expected target has somehow
remained in their sights for more than three years: the Olympics—and
specifically anyone who would dare to accuse Russian athletes of cheating. On
Monday, Microsoft revealed in a blog post that the Russian hacking group known
as Fancy Bear, APT28, or Strontium recently targeted no fewer than 16
anti-doping agencies around the world; in some cases those attacks were
successful. Microsoft notes that the hackers, long believed to be working in
the service of the Russian military intelligence agency known as the GRU, began
their attacks on September 16, just ahead of reports that the Worldwide
Anti-Doping Agency had found "inconsistencies" in Russian athletes'
compliance with anti-doping standards, which may lead to the country's ban from
the 2020 Tokyo Olympics, just as they were from the Pyeongchang Winter Games in
2018.
AFP
October 28, 2019
Some 2,000 websites in Georgia, including those of the president, courts, and media were
hacked in a massive cyber attack on Monday, officials and media said. They
displayed a photo of Georgia's exiled former president Mikheil Saakashvili with
an inscription "I'll be back!" Georgia's Interpress news agency
reported. Georgian President Salome Zurabishvili's website was "attacked by
hackers this afternoon," her spokeswoman told AFP. "Law enforcement
agencies are investigating the incident," Sopho Jajanashvili said.
Interpress said the website for Georgia's general jurisdiction courts as well
as websites of a number of government agencies, NGOs and media outlets were
also hit by cyber attacks on Monday.
TECHNOLOGY
TechCrunch
October 31, 2019
A security researcher has found several vulnerabilities in the popular open-source Horde
web email software that allow hackers to near-invisibly steal the contents of a
victim’s inbox. Horde is one of the most popular free and open-source web email
systems available. It’s built and maintained by a core team of developers, with
contributions from the wider open-source community. It’s used by universities,
libraries and many web hosting providers as the default email client. Numan
Ozdemir disclosed his vulnerabilities to Horde in May. An attacker can scrape
and download a victim’s entire inbox by tricking them into clicking a malicious
link in an email. Once clicked, the inbox is downloaded to the attacker’s
server. But the researcher did not hear back from the Horde community. Security
researchers typically give organizations three months to fix flaws before they
are publicly disclosed. NIST, the government department that maintains the
national vulnerability database, said this week that the flaws pose a “high”
security risk to users.
ProPublica
October 28, 2019
About 10 years ago, Michael Gillespie and several classmates at Pekin Community High
School in central Illinois were clicking on links on the school’s website when
they discovered a weakness that exposed sensitive information such as students’
Social Security numbers. They quickly alerted their computer repair and
networking teacher, Eric McCann. “It was a vulnerability that nobody even knew
about,” McCann said. “They did a quick search on passwords and student
accounts, and lo and behold, that file is sitting out there.” Without crediting
the students, school administrators closed the breach and changed everyone’s
passwords. Gillespie’s anonymous protection of the school’s cyberdefenses was a
harbinger of his future. Like a real-life version of Clark Kent or Peter
Parker, the self-effacing Gillespie morphs in his spare time into a
crime-foiling superhero. A cancer survivor who works at a Nerds on Call
computer repair shop and has been overwhelmed by debt — he and his wife had a
car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie
has become, with little fanfare or reward, one of the world’s leading
conquerors of an especially common and virulent cybercrime: ransomware. Asked
what motivates him, he replied, “I guess it’s just the affinity for challenge
and feeling like I am contributing to beating the bad guys.”