Pages

Thursday, November 07, 2019

Should contractors be fined for their subprimes’ cybersecurity?



Gov Info Security
November 1, 2019
Calling election security a "national emergency," nearly 100 past and current Democratic and Republican lawmakers and other government officials have sent a letter to the Senate calling for passage of stalled legislation. The Thursday letter, presented by the nonprofit group Issue One, which focuses on reducing the role of money in politics and "modernizing elections," requests the Senate approve five bills covering a range of cybersecurity-related issues. "We are alarmed at the lack of meaningful Congressional action to secure our elections. The United States cannot afford to sit by as our adversaries exploit our vulnerabilities," the letter states. "Congress - especially the Senate - must enact a robust and bipartisan set of policies now. China, Iran, Russia, and nonstate actors are utilizing every means possible to manipulate our elections and undermine the faith Americans have in our democracy. These efforts pose severe threats to our national security."
New York Times, Can Trump Avoid Taxes by Leaving New York? It’s Not So Simple.:
Like a long line of other wealthy New Yorkers, President Trump has decided to establish his legal residence in Florida, apparently at least in part to save money on his taxes.
But changing one’s legal home is not so simple.
The Hill
October 30, 2019
A bipartisan group of senators on Wednesday introduced legislation intended to shore up cybersecurity for local governments by providing resources for them to switch to secure internet domains administered by the federal government. The bill, dubbed the DOTGOV Online Trust in Government Act, would not require local governments to switch their domains to .gov, but would require the Department of Homeland Security to provide resources and assistance to local governments that do intend to make the switch. Cyber criminals have spoofed local government websites due to some governments not using .gov addresses, which can trick individuals or businesses into sharing personal information with what they think is a secure government website. Most federal and state governments websites already use the .gov domain, which is administered by the federal General Services Administration (GSA), but many local governments do not. The bill is sponsored by Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) as well as Sen. Gary Peters (Mich.), the panel's top Democrat, along with Sens. Amy Klobuchar (D-Minn.) and James Lankford (R-Okla.).

Fifth Domain
October 30, 2019
Data breaches that have troubled the Department of Defense supply chain have captured the attention of lawmakers on Capitol Hill. In a wide-ranging confirmation hearing Oct. 29 for DoD CIO Dana Deasy, Sen. Joe Manchin, D-W.V., pressed on how the DoD can shore up the cybersecurity shortfalls of subprime contractors. Manchin said he wants to impose “very, very severe" financial penalties on prime contractors who don’t oversee the cybersecurity of their subprime components. Manchin asked Deasy if he supports financial penalties, but Deasy said that monetary punishment wasn’t something he’s considered so far. However, the Pentagon’s top IT official did agree that there needed to be an “intervention.” Prime contractors shouldn’t be allowed to self-assess, Deasy said. Deasy’s answer wasn’t enough for Manchin, who firmly asserted that top-tier contractors need to be held accountable for the cybersecurity of subprimes included in contracts. “We’ve got serious problems there,” Manchin said. “Someone’s got to be held accountable for this all the way down the food chain. And that’s where you’re going to have to step in."

FCW
October 29, 2019
Security researchers showed lawmakers and reporters how easy it is to compromise voting machines in what has become an annual event at the U.S. Capitol. The Washington, D.C., version of the Voting Village event at the DefCon security conference in Las Vegas gives policymakers a hands-on glimpse of the technology that powers U.S. democracy. This year's report is consistent with prior exercises: virtually every machine experts can get their hands on can be easily exploited in a number of different ways. What has changed in recent years, said Voting Village Co-founder Harri Hursti, is that the community of security researchers with first-hand experience working with these machines has grown from less than a dozen to thousands. Even though the annual event has been held for several years, fresh researchers have discovered of new vulnerabilities and attack vectors.

The Hill
October 29, 2019
Leaders of the Blue Dog Coalition on Tuesday urged House and Senate leaders to provide states with election security funds as part of the ongoing appropriations process. The coalition, which consists of 26 moderate Democrats, wrote a letter to the bipartisan leaders of the House and Senate Appropriations committees asking for their support in including $600 million to be given to states in order to bolster election security as part of the ongoing appropriations process. “In light of the proven threat posed by Russia—and possibly other foreign powers—to our democratic process, we believe the final bill should provide $600 million or as close to it as possible,” the leaders of the coalition wrote. They also asked for the House and Senate, when they meet to negotiate the differences between their versions of appropriations bills, to add language requiring the funds to go toward improving the cybersecurity of elections, such as providing cybersecurity training for election officials and moving toward voter-verified paper ballots. The letter was signed by Reps. Stephanie Murphy (D-Fla.), Tom O’Halleran (D-Ariz.), Lou Correa (D-Calif.), Anthony Brindisi (D-N.Y.), Kendra Horn (D-Okla.) and Jeff Van Drew (D-N.J.).

Wired
October 28, 2019
Ransomware has steadily become one of the most pervasive cyberattacks in the world. And while high-profile global meltdowns like 2017’s NotPetya strain garner the most attention, localized attacks have devastating consequences as well. Look no further than the cities of Atlanta and Baltimore, whose online operations ground to a halt after ransomware takeovers. Or more recently, Alabama’s DCH Health Systems, which had to turn away all but the most critical patients from its three hospitals after hackers seized control of their networks. The attacks affect communities both large and small. In fact, victims often aren’t even specifically targeted. Hackers have increasingly focused on so-called managed service providers, companies that remotely handle IT infrastructure for a wide range of customers, to get the highest return on their investment. Successfully compromise one MSP, and you can hit nearly two-dozen local Texas governments, as one recent example proved. It’s the kind of large-scale problem that would benefit from a large-scale solution. Yet despite the clear and pervasive danger, Congress seems stumped. “There’s a gap between the focus and resources here in Washington and what happens in a town of 200,000 people,” representative Jim Himes (D-Connecticut) tells WIRED. While Himes, a member of the House Intelligence Committee, is concerned about the rise in these brazen attacks, he also sees fundamental limitations in the federal government’s ability to help stop hyper-local attacks.

FCW
October 28, 2019
A member of Congress wants Acting White House Chief of Staff Mick Mulvaney to answer for recent reports that indicate the White House's cybersecurity team has been gutted. In an Oct. 25 letter, Rep. Ted Lieu (D-Calif.) references an Oct. 17 memo from Dimitrios Vastakis, former Branch Chief of White House Computer Network titled "Cyber Security Personnel Leaving Office of the Administration at an Alarming Rate." Vastakis, complains that his Office of the Chief Information Security Officer had been absorbed into the CIO office and claims officials White House have been "systematically" targeting security personnel with “hostile” actions meant to drive them out and objected to changes in organizational structure that would put the team’s actions under a White House entity not covered by the Presidential Records Act. The memo, obtained and first reported on in Axios, claimed that these tactics included revoking incentives, reducing the scope of duties, reducing access to programs and buildings and revoking positions with strategic and tactical decision-making authorities. It notes that these tactics have "forced the majority of GS-14 and GS-15 OCISO staff to resign."


ADMINISTRATION

CyberScoop
November 1, 2019
The Pentagon once again is sending cyber personnel overseas to gather intelligence to help protect the 2020 presidential elections against foreign interference, the U.S. Embassy in Montenegro announced this week. U.S. European Command and U.S. Cyber Command are deploying an undisclosed number of defensive cyber operators to Montenegro in order to gain insights into cyber threats from adversaries before both the U.S. and Montenegrin elections next year. It’s the second time in as many years the Department of Defense is going through the effort as part of a partnership that’s uniquely poised to provide insights on possible Russian election interference. Montenegro and the U.S. both have been targeted by the Russian government-linked hacking outfit APT28, or Fancy Bear. If Cyber Command uncovers similar activity again in Montenegro, those insights could inform decisions on how to safeguard the U.S. “Montenegro is among the first in Europe to face unconventional attacks on its democracy and freedom of choice,” Montenegrin Defense Minister Predrag Boskovic said in a statement. “It is precisely in the face of new challenges with the United States that we seek a way, using their resources, to protect democracy in the Western Balkans from those who would keep this part of Europe in conflicts, setbacks, and economic decline.”

The Hill
November 1, 2019
Pennsylvania Gov. Tom Wolf (D) on Thursday signed into law a proposal that provides $90 million for replacing outdated and nonsecure voting machines, along with making reforms to ways Pennsylvanians can vote. The new law marks a major change for Pennsylvania’s voting system, allowing mail-in voting and a 50-day period for voters to mail in ballots ahead of the election, as well as moving the deadline to register to vote from 30 days prior to the election to 15 days prior. The law also provides $90 million to assist counties in purchasing new election machines with paper trails to help increase the security of voting. These funds will serve to reimburse counties for 60 percent of what they have spent on replacing older voting equipment with machines that have paper records of votes, something Pennsylvania’s Department of State ordered them to do last year. Forty-six Pennsylvania counties, or around 68 percent, have the new systems in place as of this month.

FCW
October 31, 2019
A Federal Elections Commission-sanctioned nonprofit group has announced partnerships with a number of companies to offer free or cheap cybersecurity services to candidates running for federal office. The group, Defending Digital Campaigns, announced a suite of services that will be made available to campaigns, including end-to-end encryption services from Wickr, IT security training services from Cybrary, email security services from Area1 and managed security services from GRA Quantum. Michael Kaiser, who was named CEO of the group in the same announcement, said the services are meant to help campaigns deal with some of the most common digital threats, from phishing attacks and email compromise to data theft or loss of campaign donor information, polling data and other sensitive data. The unique role that these campaigns play as “elemental pieces” of democracy mean they are going to be the subject of more targeted and determined attacks from hackers.

Nextgov
October 30, 2019
Winners of the Energy Department’s CyberForce Competition next month could leave with more than just medals, trophies or bragging rights for their hacking or defending success—this year, some who come out on top could secure a job with the federal government. An Energy executive and national lab insider who have helped pave the way for the competition’s growth from fewer than 10 teams in 2016 to more than 100 in 2019 shared insights with Nextgov this week into their work to shape the unique event into a tool that can help close critical gaps across the federal workforce. “Our goal is to actually hire some of the winning team members based on their performance and their understanding of this environment,” Assistant Secretary for the Office of Cybersecurity, Energy Security, and Emergency Response Karen Evans said. “So, success to me would be these professional teams competing, having an understanding and scoring well on the competition, and then CESER hiring some of them.” The first CyberForce Competition launched at Argonne National Laboratory four years ago, and since then has ballooned to 10 times the people competing at 10 national labs across the United States. Participants will be tasked with maintaining the security of one of four separate infrastructures, which include an energy distribution substation, solar energy generation facility, high-performance computing data center and manufacturing facility. But in 2019, the competition also includes a professional pilot, through which individuals outside of school—who expressly want to work for Energy or a national lab in the future—will compete and could eventually have their scores considered in hiring for future federal positions.

Ars Technica
October 30, 2019
In a business park that plays home to a number of tech and cybersecurity firms situated strategically between Washington, DC, and Baltimore, there's a two-story building that looks externally like many other office buildings, remarkable this day only for the food trucks in the parking lot and the stream of people in camouflage swarming in and out. The building, called DreamPort, is a collaboration facility leased by US Cyber Command—and on October 18, it was the location of AvengerCon IV, the latest incarnation of a soldier-led cybersecurity training event that takes the shape of a community hacking conference.

Nextgov
October 30, 2019
The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming the contractor’s own systems have strong enough cybersecurity to protect the department’s secrets. A civilian agency counterpart to that would look very different than what the Pentagon is developing, according to the second-ranking civilian IT official. While the government does have a method for certifying the cybersecurity of vendors’ products—through the authority to operate, or ATO, process and the Federal Risk and Authorization Management Program, or FedRAMP—it does not have a program for assessing the security of the systems used by the vendors. The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to change that with a set of 18 “key sets of capabilities for cybersecurity,” according to the draft released in September. A similar program would be useful in the civilian space but would require a much different framework, Margie Graves, deputy federal chief information officer, said in answer to a question at the Professional Services Council’s annual Vision conference. “We, as a civilian community, cannot adopt DOD rubrics writ-large,” she said. “But there are some aspects of the civilian agencies—I would say, [the Homeland Security and Justice departments] and others in the law enforcement among them—that are similar. We could actually learn from the framework that’s being set up with DOD on that issue.”

Nextgov
October 28, 2019
One hack made a county’s emails unreadable. Another disabled a city’s 311 help line amid a snowstorm. At least three local governments in Ohio and the Cleveland Hopkins International Airport have all been hit with ransomware attacks in the last year alone. The next time hackers go after a local government in Ohio, however, the state will have a new weapon to deploy: the Ohio Cyber Reserve. Gov. Mike DeWine signed a bill into law Friday that establishes a volunteer “cyber reserve” of computer and information technology experts who will be able to assist local governments in the face of a ransomware or cybersecurity attacks. The reserve will consist of five teams of 10 people spread throughout the state who will be vetted and trained to respond to cybersecurity emergencies affecting local governments. The response will be similar to the way the Ohio National Guard is placed on active duty during a natural disaster, said Maj. Gen. John C. Harris Jr., the Ohio Adjutant General who oversees the state’s National Guard.


INDUSTRY

Ars Technica
November 1, 2019
As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts. In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, plain-text passwords, and expiration dates associated with NordVPN user accounts.

Gov Info Security
November 1, 2019
A trio of well-known domain name registrars are mandating a password reset after revealing a breach affecting about 22 million accounts that occurred in late August. Web.com and two of its brands, Network Solutions and Register.com, published identical breach notices, noting "that a third party gained unauthorized access to a limited number of our computer systems." The incident was discovered on Oct. 16. "Upon discovery of this unauthorized access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted," according to the notices. "We have also reported the intrusion to federal authorities and are notifying affected customers." The exposed account data, which encompasses current and former accounts, includes names, addresses, phone numbers, email addresses and services held by the account owner. The three registrars say they're notifying victims by email.

ZDNet
November 1, 2019
Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day. "Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google engineers said in a blog post announcing the new v78.0.3904.87 release. The actively-exploited zero-day was described as a use-after-free bug in Chrome's audio component. Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios.

Gov Info Security
November 1, 2019
Ransomware continues to be highly profitable for criminals. For the third quarter of this year, the average ransom amount paid was $41,198, an increase of 13 percent compared to the second quarter and a nearly six-fold increase from the third quarter of 2018, according to ransomware incident response firm Coveware. The five most-targeted industries in the third quarter were professional services, the public sector, healthcare, software services and retail. "The rate of increase has plateaued, reflecting resistance to paying by victims who are increasingly finding new ways to restore and recreate data, rather than pay," Coveware says in a new report. "Ryuk continued to make headlines, and other similar Hermes variants like DopplePaymer and I-Encrypt became more prevalent, suggesting that threat actors are rotating through different kits."

CNBC
November 1, 2019
As internet crimes and abuse stalk the globe, cybersecurity firms are having trouble attracting and keeping skilled workers to help protect networks. Today some 2.8 million professionals work in cybersecurity around the globe, but an additional 4 million trained workers would be needed to close the skills gap and properly defend organizations, according to the 2019 ISC2 Cyber Security Workforce Study. The global nonprofit is the largest association of certified cybersecurity professionals. The data reveals that in the U.S. alone, nearly a half million workers would be needed to fill the shortage. “The volume of attacks and sophistication of attacks from around the world continue to increase,” said ISC2 CEO David Shearer. “We have nation-state types of attacks, criminal activity types of attacks and individuals that are just trying to do fraud and cybercrime. And so as these activities on the web continue to grow, there continues to be less and less of the qualified people that we need to conquer those attacks.”

Reuters
October 31, 2019
Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation. Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. Many of the nations are U.S. allies, they said. The hacking of a wider group of top government officials’ smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences. WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool developer NSO Group. The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users between April 29, 2019, and May 10, 2019.

E&E News
October 31, 2019
A Utah renewable energy developer was hit by a first-of-its-kind cyberattack that briefly cut contact to a dozen wind and solar farms this spring, according to documents obtained by E&E News under the Freedom of Information Act. Salt Lake City-based sPower suffered "denial of service" attacks on March 5 that left grid operators temporarily blinded to generation sites totaling 500 megawatts, the documents show. Hackers did not cause any blackouts or generation outages, according to sPower, which says it's the biggest private solar power operator in the United States. The cyberattack took advantage of a known weakness in Cisco firewalls to trigger a series of five-minute communications outages over a span of about 12 hours, according to an emergency report sPower filed with the Department of Energy at the time of the disruption that was not publicly released. Denial-of-service attacks flood target devices or websites with bogus traffic to crash them. The cybersecurity incident is the first confirmed to have caused "interruptions of electrical system operations," based on DOE records. Experts say the hackers behind the attack may not have known they were affecting the power grid, based on the fact that Cisco firewalls are used in a range of industries and are a popular target of opportunity when left exposed to the internet.

Ars Technica
October 31, 2019
Nation-sponsored hackers have a new tool to drain telecom providers of huge amounts of SMS messages at scale, researchers said. Dubbed "Messagetap" by researchers from the Mandiant division of security firm FireEye, the recently discovered malware infects Linux servers that route SMS messages through a telecom’s network. Once in place, Messagetap monitors the network for messages containing either a preset list of phone or IMSI numbers or a preset list of keywords. Messages that meet the criteria are then XOR encoded and saved for harvesting later. FireEye said it found the malware infecting an undisclosed telecom provider. The company researchers said the malware is loaded by an installation script but didn’t otherwise explain how infections take place.

The New York Times
October 30, 2019
Two men pleaded guilty in federal court in San Jose, Calif., to charges of computer hacking and an extortion conspiracy on Wednesday, capping a thorny legal saga that ensnared tech companies like Uber and LinkedIn in data breach scandals. The resolution of the case comes as Americans grapple with theft and misuse of their personal information amid serious data breaches at companies from Facebook and Equifax to Target and Marriott over the past decade. Lynda.com, which is owned by LinkedIn, disclosed to its users in December 2016 that it had a data breach. Officials said some 55,000 accounts were affected, and the company warned another 9.5 million customers about the breach. The Uber breach affected more than 57 million people, as the hackers gained access to the names, phone numbers and email addresses of riders and drivers who used the service.

Reuters
October 30, 2019
A cyber attack on Asian ports could cost as much as $110 billion, or half the total global loss from natural catastrophes in 2018, a Lloyd's of London-backed report said on Wednesday. Cyber insurance is seen as a growth market by insurance providers such as Lloyd's, which specializes in covering commercial risks, although take-up in Europe and Asia remains far behind levels in the United States. The worst-case scenario in the report was based on a simulated cyber attack disrupting 15 ports in Japan, Malaysia, Singapore, South Korea and China. Some 92% or $101 billion of the total estimated economic costs of such an attack are uninsured, Lloyd's said. The figure was calculated by simulating the impact of a computer virus carried by ships and which scrambles cargo database records at the ports.

CyberScoop
October 30, 2019
Fifteen major companies, including the Apple, Facebook, Google, IBM, and PwC, announced Wednesday they are joining together to change their cybersecurity job descriptions and requirements to attract more talent to the 3 million cybersecurity job openings that are expected to be available over the next two years. Specifically, the companies — which are part of the Aspen Cybersecurity Group — are focused on nixing requirements that candidates have four-year bachelor’s degrees and gender-biased job descriptions. “A bachelors degree is actually not a good proxy for whether you have the talent,” Chair of the Aspen Institute’s Cyber & Technology Program John Carlin told CyberScoop. “There’s plenty of talented people out there but we need to figure out better ways to identify them and train them.” The group, which also includes AIG, Cloudflare, the Cyber Threat Alliance, Duke Energy, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, and Verizon, came together over the past year to address the cybersecurity skills gap, which Carlin believes is the actual dilemma facing the cybersecurity workforce — not a talent gap.

Ars Technica
October 30, 2019
When more than 20 local governments in Texas were hit this summer by ransomware in one day. The attack was apparently tracked back to one thing the organizations had in common: a managed service provider. With limited IT resources of their own, local governments have increasingly turned to MSPs to operate significant portions of their networks and applications, as have other organizations and businesses—often placing critical parts of their business operations in the MSPs' hands. And that has made MSPs a very attractive target to ransomware operators. Threat researchers at the global cloud security provider Armor have been tracking publicly-reported incidents in which MSP and cloud service providers have been hit with ransomware. Thus far, they have documented 13 such incidents this year—with 6 of them reported in the past few months.

Reuters
October 29, 2019
WhatsApp sued Israeli surveillance firm NSO Group on Tuesday, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials. In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc, accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified. WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.” NSO denied the allegations. “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said in a statement. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”

Gov Info Security
October 29, 2019
Fast-food chain Krystal says it's investigating a payment card "security incident" that affected as many as 228 of its restaurants across southeastern U.S. states. The incident affected debit and credit cards used at certain stores between July and last month, the company says in a statement. Krystal says law enforcement has been notified, and it has retained a forensic firm. "We have already taken steps to contain and remediate the incident," the company says. "We are working hard to determine the specific locations and dates for each restaurant involved in the attack." Krystal, based in Dunwoody, Georgia, has 342 restaurants across Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina and Tennessee. The company's list of the states where its restaurants were affected omitted only Louisiana.

CyberScoop
October 29, 2019
Norsk Hydro received an insurance payout of $3.6 million following a highly publicized cyberattack earlier this year, the company revealed in its third quarter earnings report. The insurance payout represents about 6% of the $60 million to $71 million in costs created by the incident through the third quarter, the company said. The Norwegian aluminum and energy giant expects more compensation will come as more costs are totaled. Norsk Hydro, which had a market capitalization of $12 billion last year, said after the attack in March that its policy, led by AIG, was “solid.” The company said it was struck with a large ransomware attack that started in its U.S. facilities then spread. It wasn’t until summer when Norsk Hydro determined the situation was stable.


INTERNATIONAL

Ars Technica
October 30, 2019
The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware attributed by others to North Korean state actors had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP). The admission comes a day after the company issued a denial that any attack would affect the plant's control systems. In a press release today, NPCIL Associate Director A. K. Nema stated, "Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In [India's national computer emergency response team] when it was noticed by them on September 4, 2019." That matches the date threat analyst Pukhraj Singh said he reported information on the breach to India's National Cyber Security Coordinator. "The matter was immediately investigated by [India Department of Atomic Energy] specialists," Nema stated in the release. "The investigation revealed that the infected PC belonged to a user who was connected to the Internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored."

ZDNet
October 29, 2019
The Australian government needs to drop the "national security" framing of its cybersecurity strategy, according to speakers at the inaugural NetThing, held at the University of Technology Sydney (UTS) on Tuesday. Australia is currently reviewing its national strategy. The Department of Home Affairs published a discussion paper last month, Australia's 2020 Cyber Security Strategy: A call for views. Speakers were concerned that the framing of cybersecurity had shifted from that of the original 2016 strategy issued by then-Prime Minister Malcolm Turnbull. "There's two sort of narratives in cybersecurity and ... states align with one or the other," said Lucie Krahulcova, Asia policy analyst at Access Now. One is the narrative of national security; a narrative of control, like in China and Russia, as well as in many other governments. The other is the narrative of the internet as a shared common good and an enabler of civic rights. Under that framing, cybersecurity is about the integrity of the system and the protection of individual users. "I think Australia teeters on the edge of those," Krahulcova said. "I would go as far as to say that certain parts of the government aren't quite as aware [of] how much Australia sits with the Chinas and Russias," she said.

CNN
October 29, 2019
Authorities in Johannesburg are scrambling to gain control of the city's cyber networks from hackers who are demanding payment in bitcoins. Johannesburg city council member Funzela Ngobeni said the hackers gained access to the city's computer systems last Thursday and gave them until Monday to make the payment of four bitcoins, which is equivalent to 500,000 rands, according to the council. The officials are refusing to pay and the ultimatum date has now elapsed. "The city will not concede to their demands for bitcoins, and we are confident that we will be able to restore systems to full functionality," Ngobeni said in a statement. Ngobeni called the breach an "attack on the people of the city" and said the hackers had targeted a period when residents were making monthly payments for utilities and also when the council pays its vendors.

ZDNet
October 29, 2019
European authorities have released today a patch for the eIDAS system. The patch fixes two security flaws that could allow an attacker to pose as any EU citizen or business during official transactions. eIDAS stands for electronic IDentification, Authentication and trust Services. It is a very complex, cryptographically-secured electronic system for managing electronic transactions and digital signatures between EU member states, citizens, and businesses. The EU created eIDAS in 2014 to allow member state governments, citizens, and businesses to carry out cross-border electronic transactions that can be verified against official databases in any country, regardless of the origin state of the transaction. eIDAS-Node is the official software package that government organizations run on their servers to support eIDAS-friendly transactions against their private databases. Due to this crucial role, any vulnerabilities in the eIDAS-Node software can allow attackers to tamper with official EU digital transactions, such as tax payments, bank transfers, goods shipments, and others.

Wired
October 28, 2019
Russia's state-sponsored hackers have a few predictable fixations: NATO-country embassies. Hillary Clinton. Ukraine. But a less expected target has somehow remained in their sights for more than three years: the Olympics—and specifically anyone who would dare to accuse Russian athletes of cheating. On Monday, Microsoft revealed in a blog post that the Russian hacking group known as Fancy Bear, APT28, or Strontium recently targeted no fewer than 16 anti-doping agencies around the world; in some cases those attacks were successful. Microsoft notes that the hackers, long believed to be working in the service of the Russian military intelligence agency known as the GRU, began their attacks on September 16, just ahead of reports that the Worldwide Anti-Doping Agency had found "inconsistencies" in Russian athletes' compliance with anti-doping standards, which may lead to the country's ban from the 2020 Tokyo Olympics, just as they were from the Pyeongchang Winter Games in 2018.

AFP
October 28, 2019
Some 2,000 websites in Georgia, including those of the president, courts, and media were hacked in a massive cyber attack on Monday, officials and media said. They displayed a photo of Georgia's exiled former president Mikheil Saakashvili with an inscription "I'll be back!" Georgia's Interpress news agency reported. Georgian President Salome Zurabishvili's website was "attacked by hackers this afternoon," her spokeswoman told AFP. "Law enforcement agencies are investigating the incident," Sopho Jajanashvili said. Interpress said the website for Georgia's general jurisdiction courts as well as websites of a number of government agencies, NGOs and media outlets were also hit by cyber attacks on Monday.


TECHNOLOGY

TechCrunch
October 31, 2019
A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim’s inbox. Horde is one of the most popular free and open-source web email systems available. It’s built and maintained by a core team of developers, with contributions from the wider open-source community. It’s used by universities, libraries and many web hosting providers as the default email client. Numan Ozdemir disclosed his vulnerabilities to Horde in May. An attacker can scrape and download a victim’s entire inbox by tricking them into clicking a malicious link in an email. Once clicked, the inbox is downloaded to the attacker’s server. But the researcher did not hear back from the Horde community. Security researchers typically give organizations three months to fix flaws before they are publicly disclosed. NIST, the government department that maintains the national vulnerability database, said this week that the flaws pose a “high” security risk to users.

ProPublica
October 28, 2019
About 10 years ago, Michael Gillespie and several classmates at Pekin Community High School in central Illinois were clicking on links on the school’s website when they discovered a weakness that exposed sensitive information such as students’ Social Security numbers. They quickly alerted their computer repair and networking teacher, Eric McCann. “It was a vulnerability that nobody even knew about,” McCann said. “They did a quick search on passwords and student accounts, and lo and behold, that file is sitting out there.” Without crediting the students, school administrators closed the breach and changed everyone’s passwords. Gillespie’s anonymous protection of the school’s cyberdefenses was a harbinger of his future. Like a real-life version of Clark Kent or Peter Parker, the self-effacing Gillespie morphs in his spare time into a crime-foiling superhero. A cancer survivor who works at a Nerds on Call computer repair shop and has been overwhelmed by debt — he and his wife had a car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie has become, with little fanfare or reward, one of the world’s leading conquerors of an especially common and virulent cybercrime: ransomware. Asked what motivates him, he replied, “I guess it’s just the affinity for challenge and feeling like I am contributing to beating the bad guys.”