The Hill
January 17,
2020
A
bipartisan group of senators on Friday introduced legislation that would
establish a federally funded program to put in place state cybersecurity
leaders nationwide, increasing the ability of states to respond to
cyberattacks. The Cybersecurity State Coordinator Act would create a federal
program named after the bill that would ensure every state has a cybersecurity
coordinator, with this person responsible for working with all levels of
government to prepare for, prevent and respond to cyberattacks. The program
would be housed within the Department of Homeland Security’s Cybersecurity and
Infrastructure Security Agency, an agency that works closely with state and
local governments on issues including defending against cyber threats to
elections. The bill would also increase coordination on cyber issues between
the federal government and state and local governments, boost efforts to prepare
for and respond to cyberattacks, and increase sharing of cyber threat
information. Sen. Maggie Hassan (D-N.H.) is the lead sponsor of the bill, with
Sen. Gary Peters (D-Mich.), the top Democrat on the Senate Homeland Security
Committee, and Sens. John Cornyn (R-Texas) and Rob Portman (R-Ohio) as
co-sponsors.
Nextgov
January 16,
2020
A
Democratic lawmaker wants answers and actions taken to address unsecured
servers at three military medical facilities that he said are putting service
members’ personal information at risk. Sen. Mark Warner, D-Va., penned a letter
to the Defense Health Agency Thursday pressing it to eliminate the exposure of
sensitive medical data belonging to military personnel that he said remains vulnerable
due to risky practices at Fort Belvoir Medical Center, Ireland Army Health
Clinic and the Womack Army Medical Center. “The exposure of this information is
an outrageous violation of privacy and represents a grave national security
vulnerability that could be exploited by state actors or others,” Warner wrote.
DICOM is the standard format for medical images, and Warner—who co-chairs the
bipartisan Senate Cybersecurity Caucus—recently learned that anyone with a
DICOM web viewer can access service members’ personally identifiable and
sensitive medical information from the three entities, due to unsecured picture
archiving and communication systems, or PACS. Last September, Warner wrote to
health care entities that controlled the PACS after a comprehensive investigation
detailed how the servers were leaving millions of Americans’ medical images up
for grabs on the internet without their consent.
Gov Info
Security
January 16,
2020
Iranian-led
disinformation campaigns and other cyberthreats against the U.S. are likely to
surge in the aftermath of Iranian Major General Qasem Soleimani's death,
security and political experts told the House Homeland Security Committee
Wednesday. That's why the experts warned that federal agencies should not only
shore up their defenses, but also create efficient ways to inform the public
about looming threats. The death of Soleimani in a U.S. drone strike on Jan. 3
escalated tensions between Washington and Tehran, and now lawmakers want to
know more about Iran's offensive cyber capabilities. Rep. Bennie Thompson,
D-Miss., the chairman of the Homeland Security Committee, noted during his opening
remarks that this geopolitical tension could have "dire consequences"
for U.S. homeland security and asked the experts testifying to help lawmakers
better understand the potential cyberthreats from Iran and its proxies. "I
am particularly interested in understanding how Iran could use its relatively
sophisticated cyber capabilities against state and local governments and
critical infrastructure to exact revenge for the death of Soleimani,"
Thompson said. "We need to understand whether potential targets are
prepared to defend against Iranian cyberthreats and what the federal government
can do to help them if they are not."
Nextgov
January 16,
2020
The Defense
Department agreed with Government Accountability Office recommendations on the
importance of highlighting reliability—a foundational principle of
cybersecurity—in procuring weapons systems, amid consternation from some
stakeholders about security requirements for such systems being assumed, rather
than explicitly expressed. “In an environment emphasizing speed, without senior
leadership focus on a broader range of key reliability practices, DOD runs the
risk of delivering less reliable systems than promised to the warfighter and
spending more than anticipated on rework and maintenance of major weapon
systems,” reads the report GAO released Tuesday. As noted in a white paper by
Ebonése Olfus, vice president of cyber strategy and emerging technologies at
military technology company Envistacom, the reliability principle is closely
tied to achieving a core cybersecurity feature: resilience. “Resilience is
related to survivability, which builds on the disciplines of security, fault
tolerance, safety, reliability, and performance,” reads the paper. GAO
previously flagged the issue in a 2018 report that found “an entire generation
of systems that were designed and built without adequately considering
cybersecurity.”
CyberScoop
January 15,
2020
The federal
agency charged with supporting small U.S. businesses should take “immediate
action” to ensure that such firms are adequately protected from cyberthreats
emanating from Iran, a bipartisan pair of senators said Wednesday. “We are
concerned that small businesses may not have the information and tools
necessary” to implement cybersecurity practices recommended by the Department
of Homeland Security in the wake of the U.S. killing of Iran’s top general,
Sens. Marco Rubio, R-Fla., and Ben Cardin, D-Md., wrote in a letter to the
Small Business Administration. The advisory from DHS’s Cybersecurity and
Infrastructure Security Agency warned of Iran’s history of “disruptive and
destructive cyber operations against strategic targets” and advised U.S.
organizations to consider whether they make an attractive target for the
Iranians. According to the FBI, those potential private-sector targets include
cleared defense contractors. Security experts have also advised organizations
not to overreact to potential cyberthreats from Iran. Ned Moran, a researcher
at Microsoft who tracks Iran-linked hackers, said that basic security practices
will go a long way in guarding against the threat.
Nextgov
January 15,
2020
In 2020,
bipartisan legislation aimed at helping strategically pave America’s way to the
Internet of Things could (finally) become law. The Senate late last week passed
the Developing and Growing the Internet of Things, or DIGIT Act. Originally
introduced in 2016 and again in 2017, the bill was re-upped last year by Sens.
Deb Fischer, R-Neb., Brian Schatz, D-Hawaii, Cory Gardner, R-Colo., and Cory
Booker, D-N.J. “With our bipartisan bill now one step closer to becoming law,
we’ll be able to realize the full potential of the Internet of Things, and help
the private and public sectors work together to produce well-informed policies
on connected technology,” Schatz said in a statement. According to Congress’
estimate in the bill, the Internet of Things will encompass 125 billion
connected devices by 2030—and could also generate trillions of dollars for U.S.
businesses. Through the DIGIT Act, lawmakers mandate the establishment of an
interagency working group with representation from the Commerce,
Transportation, Homeland Security and Energy departments, the National
Institute of Standards and Technology, National Science Foundation and many
others, to ultimately identify federal barriers that could inhibit IoT
deployment—and examine the challenges and opportunities agencies face when
adopting the Internet of Things.
The Hill
January 15,
2020
The
Democratic leaders of the House Energy and Commerce Committee on Wednesday
requested briefings from two key federal agencies on efforts to secure the
nation’s telecommunications against potential Iranian cyberattacks, as another
House committee also put the spotlight on Iranian cyber threats. House Energy
and Commerce Committee Chairman Frank Pallone (D-N.J.) and Rep. Mike Doyle
(D-Pa.), the chair of the subcommittee on communications and technology, sent
letters to the Department of Homeland Security (DHS) and the Federal
Communications Commission (FCC) asking for briefings on what steps have been
taken to “warn telecommunications providers of potential cyberattacks on
critical communications networks and how the providers should prepare for and
defend against such attacks.” Congressional concern over potential cyberattacks
from Iran has spiked this month in the wake of the U.S. targeting and killing
Iranian Gen. Qassem Soleimani.
ADMINISTRATION
Nextgov
January 17,
2020
The Federal
Bureau of Investigation announced Thursday it will begin informing state
election officials when local election systems are hacked, a policy change
intended to improve cybersecurity coordination and address concerns state
leaders have raised about transparency. More than 8,000 jurisdictions run
elections in the United States, but state election officials often have a role
in certifying election results. In the past, when the FBI has gotten involved
in a local election system breach, it has not automatically reported its
findings to state-level officials. But because of the dual role that state and
local officials play in overseeing elections, the FBI said it will now report
cyber intrusions to both levels of government. The bureau was criticized in the
wake of the 2016 presidential election, after it was disclosed that Russian
military intelligence had infiltrated the election systems of two Florida
counties. State officials said they didn’t know anything about the hacks. Gov.
Ron DeSantis was later briefed on the matter, but not allowed to disclose which
counties were affected. The new FBI policy requires disclosures about cyber
intrusions to be made to both state and local election officials as soon as
possible and preferably in person, according to senior FBI and Department of
Justice officials who briefed reporters on the policy change.
Gov Info
Security
January 17,
2020
A
cyberattack targeting one of the largest banks in the U.S. that stops the
processing of payments likely would have a major ripple effect throughout the
financial system, according to a new report from the Federal Reserve Bank of
New York. The study, Cyber Risk and the U.S. Financial System: A Pre-Mortem
Analysis, looks at how a cyberattack could disrupt the entire U.S. financial
system if banks lost the ability to process payments among themselves. Under
this scenario, nearly a third of all the country's assets would be affected,
according to the researchers. If banks respond to this type of cyber incident
by hoarding money and assets, the potential impact in foregone payments could
reach 2.5 times the daily gross domestic product of the U.S., according to the
report. "We estimate that the impairment of any of the five most active
U.S. banks will result in significant spillovers to other banks, with 38
percent of the network affected on average," according to the analysis
written by researchers Thomas Eisenbach, Anna Kovner and Michael Junho Lee of
the New York Fed.
Politico
January 16,
2020
A Georgia
election server contains evidence that it was possibly hacked before the 2016
presidential election and the 2018 vote that gave Georgia Gov. Brian Kemp a
narrow victory over Democratic opponent Stacey Abrams, according to an election
security expert. The incident, which occurred in late 2014, long before either
of those elections, not only calls into question the integrity of Georgia’s
voting machines during critical elections, but raises new questions about
whether attackers were able to manipulate election data and voter information
through the compromised server. It's unclear who may have carried out the
alleged attack or if voter information was altered, but Logan Lamb, the
election security expert who uncovered the activity, believes that if hackers
did breach the server, they could have gained “almost total control of the
server, including abilities to modify files, delete data, and install malware.”
Georgia has already been at the center of questions about election security
because the state has used paperless voting machines, which produce no paper
record that could be audited, since 2002.
Fifth
Domain
January 16,
2020
As Army
Cyber Command looks to focus on the information warfare environment, the Army’s
Cyber Center of Excellence in Georgia has started training cyber and electronic
warfare personnel on the specifics of information operations. “We’ve been
thinking about it for many months now, about how we’re going to integrate what
is going on in information operations with what’s going on with both running,
defending and doing cyberspace operations and electronic warfare,” Col. Paul
Craft, commandant of the cyber school at Fort Gordon, told reporters during a
phone call Jan 15. Leaders at Army Cyber Command have repeatedly said they
would like to change the name and focus of the organization to reflect a
greater emphasis on information warfare. The school house has now become the
focal point for this transformation.
Nextgov
January 15,
2020
A sweeping
plan to conduct independent third-party cybersecurity audits of prospective
Defense Department contractors’ management of sensitive information will be
subject to a formal rulemaking process, but the department and the nonprofit
organization being established to train and approve certifiers are still moving
at a quick clip. “Because we’re doing rulemaking, this isn’t going to roll out
as hard and fast as we thought,” said a government official delivering a
briefing on Defense’s Cybersecurity Maturity Model Certification program at a
meeting of the Software Supply Chain Assurance forum today. Quarterly meetings
of the forum—co-led by Defense, the General Services Administration, the
National Institute of Standards and Technology, and Homeland Security
Department—are attended by public and private sector representatives and
conducted under the Chatham House Rule to encourage a free exchange of ideas.
The official said Defense expects the CMMC requirements to be issued as a
proposed rule this fall, but regardless of the related public comment process,
officials still plan to include the rules in requests for proposals starting in
the third quarter.
CyberScoop
January 15,
2020
The Chief
Information Security Officer for Democratic presidential candidate Pete
Buttigieg’s campaign, Mick Baccio, has resigned, CyberScoop has learned.
Baccio, who has been with the Buttigieg campaign since last August, told
CyberScoop he left because he no longer agreed with the way senior leadership
in the campaign was envisioning campaign cybersecurity. “[I left due to]
fundamental philosophical differences with the campaign management regarding
the architecture and scope of the information security program,” Baccio told
CyberScoop. Baccio declined to share details about what exactly led to his resignation.
The campaign said it is still committed to digital security. “Mick resigned
earlier this month and we thank him for the work he did to protect our campaign
against attacks. Our campaign has retained a new security firm and continues to
be committed to digital security and protecting against cyber attacks,” Chris
Meagher, campaign press secretary, told CyberScoop.
Fifth
Domain
January 15,
2020
The new
assistant director for cybersecurity within the Department of Homeland Security
has outlined his top priorities for making the agency more “effective and
efficient.” Bryan Ware, who replaced Jeanette Manfra as assistant director for
cybersecurity at the Cybersecurity and Infrastructure Security Agency, said
Jan. 14 at FedScoop’s Data Cloud Summit that CISA Director Chris Krebs tasked
him with modernizing CISA’s legacy infrastructure and tackling some of the
challenges the agency has with the data it collects. At the heart of that is
modernizing the artificial intelligence and other tools the agency uses to sift through data.
There are big implications in that effort for CISA — charged with protecting
critical infrastructure and federal networks from cyberattack — as the agency
already collects a large volume of net-flow records every day: 55 billion, or
almost two terabytes of data, Ware said. On top of that, he’s sharing millions
of threat indicators weekly with intelligence companies and other industry
stakeholders. But there’s another new problem CISA is facing associated with
its data: it is finding more false positives, files or activities that have been
incorrectly identified as malicious, in its cybersecurity data. “As we’ve been
able to collect and share indicators, our adversaries have adapted their
strategies and tactics,” said Ware. “And so now we have to provide a lot more
enrichment to those indicators.”
StateScoop
January 15,
2020
A new
report published jointly this week by the National Association of State Chief
Information Officers and National Governors Association urges state governments
to embrace partnerships with their localities to beef up the cybersecurity
postures of all parties. The document comes after a year in which many state IT
organizations were called upon by counties and cities for assistance following
incidents like ransomware attacks. Both NASCIO and NGA have been nudging their
members to embrace what the groups call a “whole-of-state” approach on
cybersecurity, in which all stakeholders — including IT agencies and other
departments with roles in business operations, public safety and emergency
management — collaborate on information security. “Cybersecurity is not just an
‘IT problem’ anymore,” says the report, titled “Stronger Together: State and
Local Cybersecurity Collaboration.” “It is a critical business risk, homeland
security and public safety threat, voter confidence issue and economic
development opportunity.”
The
Washington Post
January 14,
2020
The
National Security Agency recently discovered a major flaw in Microsoft’s
Windows operating system — one that could expose computer users to significant
breaches, surveillance or disruption — and alerted the firm about the problem
rather than turning it into a hacking weapon, officials announced Tuesday. The
public disclosure represents a major shift in the NSA’s approach, choosing to
put computer security ahead of building up its arsenal of hacking tools that
allow the agency to spy on adversaries’ networks. “This is . . . a change in
approach . . . by NSA of working to share, working to lean forward and then
working to really share the data as part of building trust,” said Anne
Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched
in October. “As soon as we learned about [the flaw], we turned it over to
Microsoft.” Cybersecurity professionals hailed the move. “Big kudos to NSA for
voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch
said in a tweet Tuesday. “This is the type of [vulnerability] I am sure the
[NSA hackers] would have loved to use for years to come.”
Nextgov
January 14,
2020
Federal
agencies have 10 business days to apply security updates to all endpoints
affected by 49 vulnerabilities Microsoft identified in a high-profile “patch
Tuesday,” under the Cybersecurity and Infrastructure Security Agency directive
issued today. Within that time, federal agencies must have controls in place to
ensure new or previously disconnected endpoints are patched before connecting
to their networks, according to the directive, which also lays out timelines
for agencies to report on their plans. Initial status reports must be made to
CISA within the next three business days. CISA in turn, gives itself through
Feb. 3 before the CISA director will begin engaging with chief information
officers and/or senior risk management officials at agencies that have not
completed the actions “as appropriate” and through Feb. 14 before it reports
“cross-agency status and outstanding issues” to the secretary of Homeland
Security and the director of Office of Management and Budget. “We do not issue
emergency directives unless we have carefully and collaboratively assessed it
to be necessary,” CISA notes. “Indeed, this is only the second time CISA has
ever issued an emergency directive.”
NPR
January 14,
2020
Iowa's
Democratic Party plans to use a new Internet-connected smartphone app to help
calculate and transmit results during the state's caucuses next month, Iowa
Public Radio and NPR have confirmed. Party leaders say they decided to opt for
that strategy fully aware of three years' worth of warnings about Russia's
attack on the 2016 presidential election, in which cyberattacks played a
central role. Iowa's complicated caucus process is set to take place Feb. 3 in
gymnasiums, churches, recreation centers and other meeting places across the
state. As opposed to a primary in which voters cast ballots in the same way
they would for a general election, Iowa's caucuses are social affairs;
caucusgoers gather in person and pledge their support for a candidate by physically
"standing in their corner" in designated parts of a room. Iowa's
Democrats hope the new app lets the party get results out to the public
quicker, says Troy Price, the chairman of the state party.
NBC
January 14,
2020
The U.S.
government is geared up as never before to combat foreign election
interference, but there are limits to what American intelligence agencies can
do, even as determined adversaries build on their 2016 playbook, the nation's
election security czar said Tuesday. In prepared remarks before an elections
group, and in an exclusive interview afterward with NBC News, Shelby Pierson,
the election security threats executive at the Office of the Director of
National Intelligence, said a number of adversaries may be poised to attempt
election interference. "The threats as we go into 2020 are more
sophisticated," she said. "This is not a Russia-only problem. Russia,
China, Iran, North Korea, non-state hacktivists all have opportunity, means and
potentially motive to come after the United States in the 2020 election to
accomplish their goals." Pierson spoke at an election summit sponsored by
the U.S. Election Assistance Commission, an independent, bipartisan agency that
certifies voting systems and serves as a national clearinghouse of information
on election administration.
Federal
News Network
January 14,
2020
Don’t start
playing a dirge for the 16-year-old cybersecurity program known as EINSTEIN.
But with the release of the draft Trusted Internet Connections 3.0
implementation guidance, industry experts agree, the end is near for the
long-running, and sometimes questionably valuable, intrusion detection and
intrusion prevention program. “Today’s concept of EINSTEIN is going away. It kind of has to
happen,” Stephen Kovac, vice president of global government and corporate
compliance at Zscaler, said in an interview. “TIC 3.0 isn’t here to kill
EINSTEIN, but decouple it from TIC. I think some form of EINSTEIN will still
need to exist. Agencies and DHS still need to collect telemetry data.” Kovac
said what many federal chief information security officers and chief
information officers have said over the years, “EINSTEIN today is not providing
very useful data.” Kovac said Zscaler collects 93 data fields through its
sensors, while EINSTEIN is focused mainly on netflow data and blocking known
threats and signatures. Susie Adams, the chief technology officer for federal
at Microsoft, said the draft guidance from DHS makes it clear that EINSTEIN’s
shelf life is limited, even if it doesn’t specifically say that.
The
Times-Picayune
January 13,
2020
New Orleans
City Hall's computer systems have more or less recovered from the cyberattack
that pummeled them in December. But residents won't be able to access many
police reports or other public records for at least another week. While
thousands of city computers have been cleared for use, requests for police
reports filed before the Dec. 13 attack won't be fulfilled for another few days
or longer, depending on the date of the report, the city said. The online
public records system, where users can make requests online, is expected to be
back up and running within two weeks. Handwritten reports filed in the month
since the attack are being made available to residents requesting them at New
Orleans Police Department headquarters, though they may take some time to
locate, a city spokesman said.
INDUSTRY
BBC
January 17,
2020
The boss of
Travelex has broken his silence about a cyber attack that forced its staff to
use pen and paper and halted travel money sales at some banks and supermarkets.
The firm has released a number of short statements since cyber criminals held
the firm to ransom on 31 December. But in a video message on the firm's
website, boss Tony D'Souza said the IT system used by in-store staff was working
again. However, other systems remain offline. In a scripted video that was
uploaded to a backup Travelex website, Mr D'Souza said the company had taken
its systems down after the cyber attack on New Year's Eve. However, while he
said the system used by staff is now working, there was no word on when the
firm's main UK website would be returned to service.
CyberScoop
January 17,
2020
Over the
course of a week, the security implications have grown more dire for a critical
vulnerability in two popular products made by Citrix, a corporate virtual
private network service provider used at many Fortune 500 companies. The flaw
exists in a Citrix cloud-based application delivery tool, as well as in a
product that allows remote access to the company’s applications. Experts say
that successful exploitation of the bug could allow a hacker to burrow into the
many enterprise networks that use the software. The result could be the
exposure or theft of corporate information from Citrix clients who otherwise
trust technology provided by the $2.5 billion company. First, experts said that
attackers would soon begin exploiting the flaw. Citrix then issued an advisory
assuring that its recommended stop-gap security measures would help address the
issue. But as researchers warned that hackers had begun exploiting the
vulnerability, Citrix updated its advisory to say that, in certain scenarios,
the company’s mitigation techniques would not work. The company then told
customers to switch to a different software compilation to avoid the issue.
Late on Thursday night, cybersecurity company FireEye revealed another plot twist:
an unknown hacker, or set of hackers, was exploiting the vulnerability in a
Citrix product, cleaning up other malware on that network, and planting their
own code, likely as a backdoor for future access.
Gov Info
Security
January 16,
2020
A day after
the U.S. National Security Agency disclosed a vulnerability that could affect
the cryptographic operations in some versions of Microsoft Windows, security
researchers started releasing "proof of concept" code to show how
attackers potentially could exploit the flaw. This highlights the urgency of
patching. The vulnerability affects versions of Windows 10 as well as Windows
Server 2016 and 2019. While some proof-of-concept code has been released, it's
not yet clear if attackers have actually exploited the vulnerability. On
Wednesday, security researcher Saleem Rashid posted on Twitter an explanation
of how an attacker could use the Windows vulnerability to create phony
Transport Layer Security, or TLS, certificates, which would then allow someone to
spoof a legitimate website.
CyberScoop
January 16,
2020
Stuxnet,
the potent malware reportedly deployed by the U.S. and Israel to disrupt an
Iranian nuclear facility a decade ago, helped change the way that many
energy-infrastructure operators think about cybersecurity. The computer worm
drove home the idea that well-resourced hackers could sabotage industrial plant
operations, and it marked a new era of state-sponsored cyber-operations against
critical infrastructure. Years later, industrial cybersecurity experts are
still learning from the destructive potential of Stuxnet’s code and how it was
deployed. While Stuxnet was an extraordinary situation — an intensive operation
designed to hinder Iran’s nuclear program — it holds lessons for the wider
world in securing industrial equipment that moves machinery. In a new study to
improve security, a researcher at the cybersecurity subsidiary of European
planemaker Airbus describes how he designed a program to execute code in a
“Stuxnet-type attack” on a programmable logic controller (PLC), the ruggedized
computers that monitor and control industrial systems like pumps, circuit
breakers and valves.
Reuters
January 16,
2020
McAfee LLC
told Reuters on Thursday it has hired Peter Leav, the former CEO of BMC
Software, as its new CEO, replacing Chris Young, who created the cyber security
company in its current form by carving it out of Intel Corp four years ago. The
move gives McAfee the option of pursuing an initial public offering with a new
leader. It has also considered deals in the sector, including potentially
merging with NortonLifeLock Inc. Young will become a senior advisor at buyout
firm TPG, which acquired a majority stake in McAfee from Intel Corp in 2016 in
a deal which valued the company at $4.2 billion, including debt. Young will
work with TPG on new technology investments. During Young’s tenure, the company
saw mid-single digit revenue growth, according to a person familiar with the
matter. Leav previously served as president and CEO of BMC, a business software
firm, for three years. He left in 2019, a few months after the completion of
private equity firm KKR & Co’s $8.5-billion buyout of the company. He will
start as McAfee CEO on Feb. 3.
The Hill
January 15,
2020
California-based
security company Cloudflare announced Wednesday that it will offer free
cybersecurity assistance to U.S. political campaigns and others around the
world as concerns mount about the potential for increased cyber threats against
campaigns in 2020. The new “Cloudflare for Campaigns” program will offer free
cybersecurity services including firewall protection and internal data
management for campaigns. It will also help protect staffers who access internal
systems from accidental exposure to malware. “Given
the increase and sophistication of foreign election interference efforts, there
is a clear need to help campaigns improve the security of not only their
websites and other public-facing assets, but also their internal data security
systems and teams,” Matthew Prince, co-founder and CEO of Cloudflare, said in a
statement. “This is our way of providing best practices and no-brainer
solutions to not only large campaigns, but also smaller, but equally important
campaigns that may have limited resources.” In order to provide cyber
assistance to campaigns, Cloudflare is collaborating with the nonprofit group
Defending Digital Campaigns (DDC), which was approved by the Federal Election
Commission (FEC) last year to provide free cybersecurity assistance to federal
campaigns and national party committees.
Gov Info
Security
January 15,
2020
A federal
judge in Atlanta has given final approval to a settlement that resolves a class
action lawsuit against credit bureau Equifax, which in 2017 suffered one of the
largest data breaches in history. The deal is essentially the same as the final
version of a proposed agreement reached in July 2019 with the Federal Trade
Commission. Consumers will get free credit monitoring, or if they already had
that in place, up to $125 in a cash payment. But the settlement includes a $31
million cap for any such cash payments. It means that the more people who apply
for a payment, the more the payment amounts will be proportionally lowered.
Still, Chief Judge Thomas W. Thrash Jr. writes that "this settlement is
the largest and most comprehensive recovery in a data breach case in U.S.
history by several orders of magnitude." The minimum cost to Equifax will
be $1.38 billion, which includes $1 billion in security upgrades, Thrash writes.
CyberScoop
January 15,
2020
The
professionals who work to uncover security vulnerabilities in hardware must
find a “common language” for categorizing them in order to make important
strides in securing those systems, according to chipmaking giant Intel Corp.
Hardware researchers “do not have the same standard taxonomy that would enable
them to share information and techniques with one another,” Intel researchers
Jason Fung, Arun Kanuparthi and Hareesh Khattri argued in an op-ed published
this week on Help Net Security, an information security website. “If we expect
hardware vendors and their partners to collectively deliver more secure
solutions, we must have a common language for discussing hardware security
vulnerabilities,” Fung, Kanuparthi and Khattri wrote. At issue is the Common Weakness
Enumeration (CWE), a catalog of weakness types that serves as the yardstick
against which individual Common Vulnerabilities and Exposures (CVE) entries are
classified. CVEs are more familiar to security researchers as signposts for
specific threats, and they’re a notch in the belt for those who discover them.
Both programs are run by the federally funded, not-for-profit MITRE Corp. The
CWE only covers software, though, so the Intel researchers argue that the list
should be expanded to include the potential consequences of hardware weaknesses
and the methods that organizations can use to detect such vulnerabilities.
Ars Technica
January 14,
2020
Today is
the day that Microsoft's extended support for the Windows 7 operating system
ends. Microsoft stopped selling Windows 7, which was first released in 2009, on
October 13, 2013. Sales of systems with Windows 7 pre-installed ended three
years to the day later in 2016. It lived a long life and is survived by Windows
10 and maybe a few remaining instances of Windows 8. But it seems most
organizations are in no hurry to cast off the now-unsupported Microsoft
operating system, based on a survey from the enterprise content delivery
company Kollective. A survey of 100 US- and UK-based companies found that
overall, 53 percent of companies had not completed or had not started migration
off of Windows 7 to Windows 10. The continued presence of Windows 7 was more
prevalent in the UK, where two-thirds of businesses are still using the
operating system on at least some devices. US businesses were more likely to
have moved on, with 40 percent reporting they still had Windows 7. But
one-tenth of those surveyed had no idea whether Windows 7 was still running on
devices within their organizations.
Politico
January 14,
2020
Apple on
Tuesday rejected the Justice Department’s claim that it has refused to help
investigators unlock two iPhones that belonged to the shooter in the Pensacola,
Fla., naval base attack. The iPhone maker said that Attorney General William
Barr was wrong to claim Monday that the company “has not given us any
substantive assistance" in accessing phones associated with the December
shooting. “We reject the characterization that Apple has not provided
substantive assistance in the Pensacola investigation,” Apple said in a
statement to POLITICO. “Our responses to their many requests since the attack
have been timely, thorough and are ongoing.” The FBI first requested help with
an iPhone on the day of the shooting, Apple said, and it responded by sharing
“a wide variety” of data. It provided other data, such as iCloud backups, in
response to “six additional legal requests” over the course of the next week.
“In every instance,” Apple said, “we responded with all of the information that
we had.”
INTERNATIONAL
AP
January 17,
2020
An alleged
hacker charged with publishing internal documents that embarrassed soccer clubs
and officials in the Football Leaks case is going on trial. A Portuguese judge
ruled Friday that prosecutors have enough evidence incriminating Rui Pinto for
him to stand trial. The ruling is a procedural part of Portuguese law. No trial
date was immediately set. Prosecutors accuse Pinto of attempted extortion and
hacking into secret information held by Sporting Lisbon and the Portuguese
soccer federation, including financial dealings. He is also accused of illegal
access to confidential data held on computers at the Portuguese attorney
general’s office. Pinto denies wrongdoing, saying he is a whistleblower who in
the public interest has helped expose what he claims are murky financial
dealings. His lawyer, Francisco Teixeira da Mota, says Pinto has been helping
law enforcement in other European countries with investigations into their
soccer clubs’ finances. Pinto did not speak during the pretrial proceedings but
will speak “when his time comes,” Teixeira da Mota said, apparently referring
to the trial. The Football Leaks website began in 2015 and published
confidential information about the financial dealings of some top European
clubs, including such details as players’ and coaches’ contracts and transfer
fees.
Ars Technica
January 17,
2020
On
Wednesday, police in the Netherlands and Northern Ireland arrested two
22-year-old men believed to be connected to WeLeakInfo, a site offering
usernames and passwords from multiple data breaches for sale. At the same time,
the Federal Bureau of Investigation, in coordination with the UK's National
Crime Agency, the Netherlands National Police Corps, the German
Bundeskriminalamt, and the Police Service of Northern Ireland, took down the
domain for the site, redirecting it to a seizure notice.
The Guardian
January 16,
2020
An Israeli
judge has rejected an attempt by the spyware firm NSO Group to dismiss a case
brought against it by a prominent Saudi activist who alleged that the company’s
cyberweapons were used to hack his phone. The decision could add pressure on
the company, which faces multiple accusations that it sold surveillance
technology, named Pegasus, to authoritarian regimes and other governments that
have allegedly used it to target political activists and journalists. A Tel
Aviv court ruled that the case brought by Omar Abdulaziz, a dissident based in
Canada, could go ahead. In his lawsuit, he has argued that Saudi spies used
Pegasus to read his conversations with Jamal Khashoggi, a Washington Post
columnist later murdered in the Saudi Arabian consulate in Istanbul. The
Guardian understands that Abdulaziz and Khashoggi exchanged hundreds of
messages in the months before he died. NSO had attempted to get the case thrown
out of court by arguing that it lacked “good faith” and was abusing Israel’s
judicial system, according to a copy of the ruling on 22 December. However, the
judge, Guy Hyman, found no grounds for dismissal. Separately, while he agreed
that the trial related to sensitive security issues, he did not accept that
meant it should be held in secret.
Bloomberg
January 16,
2020
After
successfully creating a health care app for doctors to view medical records,
Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police
officer friend: Go into the surveillance business because law enforcement
desperately needs technological help. In 2014, he founded a company that
creates surveillance technology, including powerful spyware for police and
intelligence agencies, at a time when easy-to-use encrypted chat apps such as
WhatsApp and Signal were making it possible for criminal suspects to protect
phone calls and data from government scrutiny. The concept behind the company’s
product was simple: With the help of Italy’s telecom companies, suspects would
be duped into downloading a harmless-seeming app, ostensibly to fix network
errors on their phone. The app would also allow Fasano’s company, eSurv, to
give law enforcement access to a device’s microphone, camera, stored files and
encrypted messages. Fasano christened the spyware “Exodus.” “I started to go to
all the Italian prosecutors’ offices to sell it,” explained Fasano, a
46-year-old with short, dark-brown hair and graying stubble. “The software was
good. And within three years, it was used across Italy. In Rome, Naples,
Milan.” Even the country’s foreign intelligence agency, L’Agenzia Informazioni e
Sicurezza Esterna, came calling for Exodus’s services, Fasano said. But
Fasano’s success was short lived, done in by a technical glitch that alerted
investigators that something could be amiss. They followed a digital trail
between Italy and the U.S. before unearthing a stunning discovery. Authorities
found that eSurv employees allegedly used the company’s spyware to illegally
hack the phones of hundreds of innocent Italians—playing back phone
conversations of secretly recorded calls aloud in the office, according to
legal documents. The company also struck a deal with a company with alleged
links to the Mafia, authorities said.
The Washington Post
January 13,
2020
Russian
military spies have hacked a Ukrainian gas company that is at the heart of an
impeachment trial of President Trump, who sought last year to pressure Ukraine
to investigate the company and its links to Joe Biden’s son, according to a
cybersecurity firm. Beginning in early November, the Russian spy agency known
as the GRU launched a cyber “phishing” campaign against Burisma Holdings to
trick unsuspecting employees into giving up their email credentials so the
hackers could gain access to their email accounts — once again entangling
Moscow in domestic U.S. politics, according to Area 1 Security, a Redwood City,
Calif., company. The operation’s launch coincided with a congressional
impeachment inquiry into Trump and whether he abused his office by seeking to
press Ukrainian President Volodymyr Zelensky into announcing a probe of Burisma
and Hunter Biden — an action that conceivably would aid Trump’s reelection bid.
The GRU was active in the 2016 presidential campaign, hacking the servers of
the Democratic Party and Hillary Clinton’s campaign chairman and releasing
their emails that summer and fall. The disclosures disrupted the Democratic
convention and undermined Clinton’s campaign in the critical final weeks, and
the U.S. intelligence community concluded that with such actions Moscow aimed
to help Trump and hurt Clinton.
TECHNOLOGY
Ars Technica
January 17,
2020
Serious
vulnerabilities have recently come to light in three WordPress plugins that
have been installed on a combined 400,000 websites, researchers said.
InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact
flaw is an authentication bypass vulnerability in the InfiniteWP Client, a
plugin installed on more than 300,000 websites. It allows administrators to
manage multiple websites from a single server. The flaw lets anyone log in to
an administrative account with no credentials at all. From there, attackers can
delete contents, add new accounts, and carry out a wide range of other
malicious tasks. People exploiting the vulnerability need only know the user
name of a valid account and include a malicious payload in a POST request
that's sent to a vulnerable site. According to Web application firewall
provider Wordfence, the vulnerability stems from a feature that allows
legitimate users to automatically log in as an administrator without providing
a password.
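The weakness class described above, as an added illustration that is not InfiniteWP’s code or Wordfence’s analysis: a hypothetical request handler in the weak form, which starts an administrator session for any username named in the POST body, beside a hardened form that only honours an auto-login request carrying an HMAC over username, expiry and nonce under a per-site secret, rejects expired or replayed requests, and compares signatures in constant time. The user table, the secret, the JSON message layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed user table for the example; a real plugin would consult WordPress.
USERS = {"admin": {"role": "administrator"}, "editor": {"role": "editor"}}

# Assumed per-site secret shared only with the legitimate management server.
SITE_SECRET = b"example-site-secret-not-a-real-value"


def vulnerable_auto_login(body: bytes) -> Optional[str]:
    """Weak pattern: trust the username in the POST body and open a session.

    Anyone who knows a valid username can become that user; there is no proof
    that the request came from the management server.
    """
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if req.get("action") != "auto_login":
        return None
    username = req.get("username")
    if username in USERS:
        return username  # session established with no credential check
    return None


def _sign(username: str, expires_at: int, nonce: str, secret: bytes) -> str:
    """HMAC-SHA256 over the fields that the server must not be able to forge."""
    msg = f"{username}|{expires_at}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_login_request(username: str, expires_at: int, nonce: str,
                       secret: bytes = SITE_SECRET) -> bytes:
    """What the legitimate management server would send (assumed layout)."""
    req = {
        "action": "auto_login",
        "username": username,
        "expires_at": expires_at,
        "nonce": nonce,
        "signature": _sign(username, expires_at, nonce, secret),
    }
    return json.dumps(req).encode()


def hardened_auto_login(body: bytes, seen: Set[str], now: Optional[int] = None,
                        secret: bytes = SITE_SECRET) -> Optional[str]:
    """Hardened pattern: signed, expiring, single-use auto-login requests.

    `seen` holds nonces already accepted, so a captured request cannot be
    replayed; `now` is injectable so the expiry check is testable.
    """
    now = int(time.time()) if now is None else now
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if req.get("action") != "auto_login":
        return None
    username = req.get("username")
    expires_at = req.get("expires_at")
    nonce = req.get("nonce")
    sig = req.get("signature")
    # Type checks first: a malformed field must not reach the HMAC step.
    if not (isinstance(username, str) and isinstance(nonce, str)
            and isinstance(sig, str) and isinstance(expires_at, int)
            and not isinstance(expires_at, bool)):
        return None
    if username not in USERS:
        return None
    if expires_at < now:
        return None  # stale request
    if nonce in seen:
        return None  # replayed request
    expected = _sign(username, expires_at, nonce, secret)
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered request
    seen.add(nonce)
    return username
```

The hardened form still trusts whoever holds `SITE_SECRET`, so the secret must be generated per site and never exposed in a page or a predictable option; the expiry window should be short (seconds, not days), and the nonce store should be persisted rather than kept in process memory on a multi-worker PHP host.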
VentureBeat
January 14,
2020
The Cloud
Native Computing Foundation (CNCF) today announced it is funding a bug bounty
program for Kubernetes. Security researchers who find security vulnerabilities
in Kubernetes’ codebase, as well as the build and release processes, will be
rewarded with bounties ranging from $100 to $10,000. Bug bounty programs
motivate individuals and hacker groups to not only find flaws but disclose them
properly, instead of using them maliciously or selling them to parties that
will. Originally designed by Google and now run by the CNCF, Kubernetes is an
open source container orchestration system for automating application
deployment, scaling, and management. Given the hundreds of startups and
enterprises that use Kubernetes in their tech stacks, it’s significantly cheaper
to proactively plug security holes than to deal with the aftermath of breaches.