Wednesday, January 22, 2020

Windows Vulnerability: Researchers Demonstrate Exploits


The Hill
January 17, 2020
A bipartisan group of senators on Friday introduced legislation that would establish a federally funded program to put in place state cybersecurity leaders nationwide, increasing the ability of states to respond to cyberattacks. The Cybersecurity State Coordinator Act would create a federal program named after the bill that would ensure every state has a cybersecurity coordinator, with this person responsible for working with all levels of government to prepare for, prevent and respond to cyberattacks. The program would be housed within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, an agency that works closely with state and local governments on issues including defending against cyber threats to elections. The bill would also increase coordination on cyber issues between the federal government and state and local governments, boost efforts to prepare for and respond to cyberattacks, and increase sharing of cyber threat information. Sen. Maggie Hassan (D-N.H.) is the lead sponsor of the bill, with Sen. Gary Peters (Mich.), the top Democrat on the Senate Homeland Security Committee, and Sens. John Cornyn (R-Texas) and Rob Portman (R-Ohio) as co-sponsors.

Nextgov
January 16, 2020
A Democratic lawmaker wants answers and actions taken to address unsecured servers at three military medical facilities that he said are putting service members’ personal information at risk. Sen. Mark Warner, D-Va., penned a letter to the Defense Health Agency Thursday pressing it to eliminate the exposure of sensitive medical data belonging to military personnel that he said remains vulnerable due to risky practices at Fort Belvoir Medical Center, Ireland Army Health Clinic and the Womack Army Medical Center. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others,” Warner wrote. DICOM is the standard format for medical images, and Warner—who co-chairs the bipartisan Senate Cybersecurity Caucus—recently learned that anyone with a DICOM web viewer can access service members’ personally identifiable and sensitive medical information from the three entities, due to unsecured Picture and Archiving Servers, or PACs. Last September, Warner wrote to health care entities that controlled the PACs after a comprehensive investigation detailed how the servers were leaving millions of Americans’ medical images up for grabs on the internet without their consent.

Gov Info Security
January 16, 2020
Iranian-led disinformation campaigns and other cyberthreats against the U.S. are likely to surge in the aftermath of Iranian Major General Qasem Soleimani's death, security and political experts told the House Homeland Security Committee Wednesday. That's why the experts warned that federal agencies should not only shore up their defenses, but also create efficient ways to inform the public about looming threats. The death of Soleimani in a U.S. drone strike on Jan. 3 escalated tensions between Washington and Tehran, and now lawmakers want to know more about Iran's offensive cyber capabilities. Rep. Bennie Thompson, D-Miss., the chairman of the Homeland Security Committee, noted during his opening remarks that this geopolitical tension could have "dire consequences" for U.S. homeland security and asked the experts testifying to help lawmakers better understand the potential cyberthreats from Iran and its proxies. "I am particularly interested in understanding how Iran could use its relatively sophisticated cyber capabilities against state and local governments and critical infrastructure to exact revenge for the death of Soleimani," Thompson said. "We need to understand whether potential targets are prepared to defend against Iranian cyberthreats and what the federal government can do to help them if they are not."

Nextgov
January 16, 2020
The Defense Department agreed with Government Accountability Office recommendations on the importance of highlighting reliability—a foundational principle of cybersecurity—in procuring weapons systems, amid consternation from some stakeholders about security requirements for such systems being assumed, rather than explicitly expressed. “In an environment emphasizing speed, without senior leadership focus on a broader range of key reliability practices, DOD runs the risk of delivering less reliable systems than promised to the warfighter and spending more than anticipated on rework and maintenance of major weapon systems,” reads the report GAO released Tuesday. As noted in a white paper by Ebonése Olfus, vice president of cyber strategy and emerging technologies at military technology company Envistacom, the reliability principle is closely tied to achieving a core cybersecurity feature: resilience. “Resilience is related to survivability, which builds on the disciplines of security, fault tolerance, safety, reliability, and performance,” reads the paper. GAO previously flagged the issue in a 2018 report that found “an entire generation of systems that were designed and built without adequately considering cybersecurity.”

CyberScoop
January 15, 2020
The federal agency charged with supporting small U.S. businesses should take “immediate action” to ensure that such firms are adequately protected from cyberthreats emanating from Iran, a bipartisan pair of senators said Wednesday. “We are concerned that small businesses may not have the information and tools necessary” to implement cybersecurity practices recommended by the Department of Homeland Security in the wake of the U.S. killing of Iran’s top general, Sens. Marco Rubio, R-Fla., and Ben Cardin, D-Md., wrote in a letter to the Small Business Administration. The advisory from DHS’s Cybersecurity and Infrastructure Security Agency warned of Iran’s history of “disruptive and destructive cyber operations against strategic targets” and advised U.S. organizations to consider whether they make an attractive target for the Iranians. According to the FBI, those potential private-sector targets include cleared defense contractors. Security experts have also advised organizations not to overreact to potential cyberthreats from Iran. Ned Moran, a researcher at Microsoft who tracks Iran-linked hackers, said that basic security practices will go a long way in guarding against the threat.

Nextgov
January 15, 2020
In 2020, bipartisan legislation aimed at helping strategically pave America’s way to the Internet of Things could (finally) become law. The Senate late last week passed the Developing and Growing the Internet of Things, or DIGIT Act. Originally introduced in 2016 and again in 2017, the bill was re-upped last year by Sens. Deb Fischer, R-Neb., Brian Schatz, D-Hawaii, Cory Gardner, R-Colo., and Cory Booker, D-N.J. “With our bipartisan bill now one step closer to becoming law, we’ll be able to realize the full potential of the Internet of Things, and help the private and public sectors work together to produce well-informed policies on connected technology,” Schatz said in a statement. According to Congress’ estimate in the bill, the Internet of Things will encompass 125 billion connected devices by 2030—and could also generate trillions of dollars for U.S. businesses. Through the DIGIT Act, lawmakers mandate the establishment of an interagency working group with representation from the Commerce, Transportation, Homeland Security and Energy departments, the National Institute of Standards and Technology, National Science Foundation and many others, to ultimately identify federal barriers that could inhibit IoT deployment—and examine the challenges and opportunities agencies assume when accessing the internet of things.

The Hill
January 15, 2020
The Democratic leaders of the House Energy and Commerce Committee on Wednesday requested briefings from two key federal agencies on efforts to secure the nation’s telecommunications against potential Iranian cyberattacks, as another House committee also put the spotlight on Iranian cyber threats. House Energy and Commerce Committee Chairman Frank Pallone (D-N.J.) and Rep. Mike Doyle (D-Penn.), the chair of the subcommittee on communications and technology, sent letters to the Department of Homeland Security (DHS) and the Federal Communications Commission (FCC) asking for briefings on what steps have been taken to “warn telecommunications providers of potential cyberattacks on critical communications networks and how the providers should prepare for and defend against such attacks.” Congressional concern over potential cyberattacks from Iran has spiked this month in the wake of the U.S. targeting and killing Iranian Gen. Qassem Soleimani.


ADMINISTRATION

Nextgov
January 17, 2020
The Federal Bureau of Investigation announced Thursday it will begin informing state election officials when local election systems are hacked, a policy change intended to improve cybersecurity coordination and address concerns state leaders have raised about transparency. More than 8,000 jurisdictions run elections in the United States, but state election officials often have a role in certifying election results. In the past, when the FBI has gotten involved in a local election system breach, it has not automatically reported its findings to state-level officials. But because of the dual role that state and local officials play in overseeing elections, the FBI said it will now report cyber intrusions to both levels of government. The bureau was criticized in the wake of the 2016 presidential election, after it was disclosed that Russian military intelligence had infiltrated the election systems of two Florida counties. State officials said they didn’t know anything about the hacks. Gov. Ron DeSantis was later briefed on the matter, but not allowed to disclose which counties were affected. The new FBI policy requires disclosures about cyber intrusions to be made to both state and local election officials as soon as possible and preferably in person, according to senior FBI and Department of Justice officials who briefed reporters on the policy change.

Gov Info Security
January 17, 2020
A cyberattack targeting one of the largest banks in the U.S. that stops the processing of payments likely would have a major ripple effect throughout the financial system, according to a new report from the Federal Reserve Bank of New York. The study, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, looks at how a cyberattack could disrupt the entire U.S. financial system if banks lost the ability to process payments among themselves. Under this scenario, nearly a third of all the country's assets would be affected, according to the researchers. If banks respond to this type of cyber incident by hoarding money and assets, the potential impact in foregone payments could reach 2.5 times the daily gross domestic product of the U.S., according to the report. "We estimate that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average," according to the analysis written by researchers Thomas Eisenbach, Anna Kovner and Michael Junho Lee of the New York Fed.

Politico
January 16, 2020
A Georgia election server contains evidence that it was possibly hacked before the 2016 presidential election and the 2018 vote that gave Georgia Gov. Brian Kemp a narrow victory over Democratic opponent Stacey Abrams, according to an election security expert. The incident, which occurred in late 2014, long before either of those elections, not only calls into question the integrity of Georgia’s voting machines during critical elections, but raises new questions about whether attackers were able to manipulate election data and voter information through the compromised server. It's unclear who may have carried out the alleged attack or if voter information was altered, but Logan Lamb, the election security expert who uncovered the activity, believes that if hackers did breach the server, they could have gained “almost total control of the server, including abilities to modify files, delete data, and install malware.” Georgia has already been at the center of questions about voter security, due to the fact that the state has used insecure paperless voting machines since 2002.

Fifth Domain
January 16, 2020
As Army Cyber Command looks to focus on the information warfare environment, the Army’s Cyber Center of Excellence in Georgia has started training cyber and electronic warfare personnel on the specifics of information operations. “We’ve been thinking about it for many months now, about how we’re going to integrate what is going on in information operations with what’s going on with both running, defending and doing cyberspace operations and electronic warfare,” Col. Paul Craft, commandant of the cyber school at Fort Gordon, told reporters during a phone call Jan. 15. Leaders at Army Cyber Command have repeatedly said they would like to change the name and focus of the organization to reflect a greater emphasis on information warfare. The schoolhouse has now become the focal point for this transformation.

Nextgov
January 15, 2020
A sweeping plan to conduct independent third-party cybersecurity audits of prospective Defense Department contractors’ management of sensitive information will be subject to a formal rulemaking process, but the department and the nonprofit organization being established to train and approve certifiers are still moving at a quick clip. “Because we’re doing rulemaking, this isn’t going to roll out as hard and fast as we thought,” said a government official delivering a briefing on Defense’s Cybersecurity Maturity Model Certification program at a meeting of the Software Supply Chain Assurance forum today. Quarterly meetings of the forum—co-led by Defense, the General Services Administration, the National Institute of Standards and Technology, and Homeland Security Department—are attended by public and private sector representatives and conducted under the Chatham House Rule to encourage a free exchange of ideas. The official said Defense expects the CMMC requirements to be issued as a proposed rule this fall, but regardless of the related public comment process, officials still plan to include the rules in requests for proposals starting in the third quarter.

CyberScoop
January 15, 2020
The Chief Information Security Officer for Democratic presidential candidate Pete Buttigieg’s campaign, Mick Baccio, has resigned, CyberScoop has learned. Baccio, who has been with the Buttigieg campaign since last August, told CyberScoop he left because he no longer agreed with the way senior leadership in the campaign was envisioning campaign cybersecurity. “[I left due to] fundamental philosophical differences with the campaign management regarding the architecture and scope of the information security program,” Baccio told CyberScoop. Baccio declined to share details about what exactly led to his resignation. The campaign said it is still committed to digital security. “Mick resigned earlier this month and we thank him for the work he did to protect our campaign against attacks. Our campaign has retained a new security firm and continues to be committed to digital security and protecting against cyber attacks,” Chris Meagher, campaign press secretary, told CyberScoop.

Fifth Domain
January 15, 2020
The new assistant director for cybersecurity within the Department of Homeland Security has outlined his top priorities for making the agency more “effective and efficient.” Bryan Ware, who replaced Jeanette Manfra as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said Jan. 14 at FedScoop’s Data Cloud Summit that CISA Director Chris Krebs tasked him with modernizing CISA’s legacy infrastructure and tackling some of the challenges the agency has with the data it collects. At the heart of that is modernizing artificial intelligence and the tools it uses to sift through data. There are big implications in that effort for CISA — charged with protecting critical infrastructure and federal networks from cyberattack — as the agency is already collecting significant netflow records every day: 55 billion, or almost two terabytes of data, Ware said. On top of that, he’s sharing millions of threat indicators weekly with intelligence companies and other industry stakeholders. But there’s another new problem CISA is facing associated with its data: it’s finding more false positives, or files or activities that have been incorrectly identified as malicious, in its cybersecurity data. “As we’ve been able to collect and share indicators, our adversaries have adapted their strategies and tactics,” said Ware. “And so now we have to provide a lot more enrichment to those indicators.”

StateScoop
January 15, 2020
A new report published jointly this week by the National Association of State Chief Information Officers and National Governors Association urges state governments to embrace partnerships with their localities to beef up the cybersecurity postures of all parties. The document comes after a year in which many state IT organizations were called upon by counties and cities for assistance following incidents like ransomware attacks. Both NASCIO and NGA have been nudging their members to embrace what the groups call a “whole-of-state” approach on cybersecurity, in which all stakeholders — including IT agencies and other departments with roles in business operations, public safety and emergency management — collaborate on information security. “Cybersecurity is not just an ‘IT problem’ anymore,” says the report, titled “Stronger Together: State and Local Cybersecurity Collaboration.” “It is a critical business risk, homeland security and public safety threat, voter confidence issue and economic development opportunity.”

The Washington Post
January 14, 2020
The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could expose computer users to significant breaches, surveillance or disruption — and alerted the firm about the problem rather than turning it into a hacking weapon, officials announced Tuesday. The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks. “This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October. “As soon as we learned about [the flaw], we turned it over to Microsoft.” Cybersecurity professionals hailed the move. “Big kudos to NSA for voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch said in a tweet Tuesday. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”

Nextgov
January 14, 2020
Federal agencies have 10 business days to apply security updates to all endpoints affected by 49 vulnerabilities Microsoft identified in a high-profile “patch Tuesday,” under the Cybersecurity and Infrastructure Security Agency directive issued today. Within that time, federal agencies must have controls in place to ensure new or previously disconnected endpoints are patched before connecting to their networks, according to the directive, which also lays out timelines for agencies to report on their plans. Initial status reports must be made to CISA within the next three business days. CISA, in turn, gives itself through Feb. 3 before the CISA director will begin engaging with chief information officers and/or senior risk management officials at agencies that have not completed the actions “as appropriate” and through Feb. 14 before it reports “cross-agency status and outstanding issues” to the secretary of Homeland Security and the director of the Office of Management and Budget. “We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA notes. “Indeed, this is only the second time CISA has ever issued an emergency directive.”

NPR
January 14, 2020
Iowa's Democratic Party plans to use a new Internet-connected smartphone app to help calculate and transmit results during the state's caucuses next month, Iowa Public Radio and NPR have confirmed. Party leaders say they decided to opt for that strategy fully aware of three years' worth of warnings about Russia's attack on the 2016 presidential election, in which cyberattacks played a central role. Iowa's complicated caucus process is set to take place Feb. 3 in gymnasiums, churches, recreation centers and other meeting places across the state. As opposed to a primary in which voters cast ballots in the same way they would for a general election, Iowa's caucuses are social affairs; caucusgoers gather in person and pledge their support for a candidate by physically "standing in their corner" in designated parts of a room. Iowa's Democrats hope the new app lets the party get results out to the public quicker, says Troy Price, the chairman of the state party.

NBC
January 14, 2020
The U.S. government is geared up as never before to combat foreign election interference, but there are limits to what American intelligence agencies can do, even as determined adversaries build on their 2016 playbook, the nation's election security czar said Tuesday. In prepared remarks before an elections group, and in an exclusive interview afterward with NBC News, Shelby Pierson, the election security threats executive at the Office of the Director of National Intelligence, said a number of adversaries may be poised to attempt election interference. "The threats as we go into 2020 are more sophisticated," she said. "This is not a Russia-only problem. Russia, China, Iran, North Korea, non-state hacktivists all have opportunity, means and potentially motive to come after the United States in the 2020 election to accomplish their goals." Pierson spoke at an election summit sponsored by the U.S. Election Assistance Commission, an independent, bipartisan agency that certifies voting systems and serves as a national clearinghouse of information on election administration.

Federal News Network
January 14, 2020
Don’t start playing a dirge for the 16-year-old cybersecurity program known as EINSTEIN. But with the release of the draft Trusted Internet Connections 3.0 implementation guidance, industry experts agree, the end is near for the long-time and sometimes questionable-value intrusion detection and intrusion prevention program. “Today’s concept of EINSTEIN is going away. It kind of has to happen,” Stephen Kovac, vice president of global government and corporate compliance at Zscaler, said in an interview. “TIC 3.0 isn’t here to kill EINSTEIN, but decouple it from TIC. I think some form of EINSTEIN will still need to exist. Agencies and DHS still need to collect telemetry data.” Kovac said what many federal chief information security officers and chief information officers have said over the years, “EINSTEIN today is not providing very useful data.” Kovac said Zscaler collects 93 data fields through its sensors, while EINSTEIN is focused mainly on netflow data and blocking known threats and signatures. Susie Adams, the chief technology officer for federal at Microsoft, said the draft guidance from DHS makes it clear that EINSTEIN’s shelf life is limited, even if it doesn’t specifically say that.

The Times-Picayune
January 13, 2020
New Orleans City Hall's computer systems have more or less recovered from the cyberattack that pummeled them in December. But residents won't be able to access many police reports or other public records for at least another week. While thousands of city computers have been cleared for use, requests for police reports filed before the Dec. 13 attack won't be fulfilled for another few days or longer, depending on the date of the report, the city said. The online public records system, where users can make requests online, is expected to be back up and running within two weeks. Handwritten reports filed in the month since the attack are being made available to residents requesting them at New Orleans Police Department headquarters, though they may take some time to locate, a city spokesman said.


INDUSTRY

BBC
January 17, 2020
The boss of Travelex has broken his silence about a cyber attack that forced its staff to use pen and paper and halted travel money sales at some banks and supermarkets. The firm has released a number of short statements since cyber criminals held the firm to ransom on 31 December. But in a video message on the firm's website, boss Tony D'Souza said the IT system used by in-store staff was working again. However, other systems remain offline. In a scripted video that was uploaded to a backup Travelex website, Mr D'Souza said the company had taken its systems down after the cyber attack on New Year's Eve. However, while he said the system used by staff is now working, there was no word on when the firm's main UK website would be returned to service.

CyberScoop
January 17, 2020
Over the course of a week, the security implications have grown more dire for a critical vulnerability in two popular products made by Citrix, a corporate virtual private network service provider used at many Fortune 500 companies. The flaw exists in a Citrix cloud-based application delivery tool, as well as in a product that allows remote access to the company’s applications. Experts say that successful exploitation of the bug could allow a hacker to burrow into the many enterprise networks that use the software. The result could be the exposure or theft of corporate information from Citrix clients who otherwise trust technology provided by the $2.5 billion company. First, experts said that attackers would soon begin exploiting the flaw. Citrix then issued an advisory assuring that its recommended stop-gap security measures would help address the issue. But as researchers warned that hackers had begun exploiting the vulnerability, Citrix updated its advisory to say that, in certain scenarios, the company’s mitigation techniques would not work. The company then told customers to switch to a different software compilation to avoid the issue. Late on Thursday night, cybersecurity company FireEye revealed another plot twist: an unknown hacker, or set of hackers, was exploiting the vulnerability in a Citrix product, cleaning up other malware on that network, and planting their own code, likely as a backdoor for future access.

Gov Info Security
January 16, 2020
A day after the U.S. National Security Agency disclosed a vulnerability that could affect the cryptographic operations in some versions of Microsoft Windows, security researchers started releasing "proof of concept" code to show how attackers potentially could exploit the flaw. This highlights the urgency of patching. The vulnerability affects versions of Windows 10 as well as Windows Server 2016 and 2019. While some proof-of-concept code has been released, it's not yet clear if attackers have actually exploited the vulnerability. On Wednesday, security researcher Saleem Rashid posted on Twitter an explanation of how an attacker could use the Windows vulnerability to create phony Transport Layer Security, or TLS, certificates, which would then allow someone to spoof a legitimate website.

CyberScoop
January 16, 2020
Stuxnet, the potent malware reportedly deployed by the U.S. and Israel to disrupt an Iranian nuclear facility a decade ago, helped change the way that many energy-infrastructure operators think about cybersecurity. The computer worm drove home the idea that well-resourced hackers could sabotage industrial plant operations, and it marked a new era of state-sponsored cyber-operations against critical infrastructure. Years later, industrial cybersecurity experts are still learning from the destructive potential of Stuxnet’s code and how it was deployed. While Stuxnet was an extraordinary situation — an intensive operation designed to hinder Iran’s nuclear program — it holds lessons for the wider world in securing industrial equipment that moves machinery. In a new study to improve security, a researcher at the cybersecurity subsidiary of European planemaker Airbus describes how he designed a program to execute code in a “Stuxnet-type attack” on a programmable logic controller (PLC), the ruggedized computers that monitor and control industrial systems like pumps, circuit breakers and valves.

Reuters
January 16, 2020
McAfee LLC told Reuters on Thursday it has hired Peter Leav, the former CEO of BMC Software, as its new CEO, replacing Chris Young, who created the cybersecurity company in its current form by carving it out of Intel Corp four years ago. The move gives McAfee the option of pursuing an initial public offering with a new leader. It has also considered deals in the sector, including potentially merging with NortonLifeLock Inc. Young will become a senior advisor at buyout firm TPG, which acquired a majority stake in McAfee from Intel Corp in 2016 in a deal which valued the company at $4.2 billion, including debt. Young will work with TPG on new technology investments. During Young’s tenure, the company saw mid-single digit revenue growth, according to a person familiar with the matter. Leav previously served as president and CEO of BMC, a business software firm, for three years. He left in 2019, a few months after the completion of private equity firm KKR & Co’s $8.5-billion buyout of the company. He will start as McAfee CEO on Feb. 3.

The Hill
January 15, 2020
California-based security company Cloudflare announced Wednesday that it will offer free cybersecurity assistance to U.S. political campaigns and others around the world as concerns mount about the potential for increased cyber threats against campaigns in 2020. The new “Cloudflare for Campaigns” program will offer free cybersecurity services including firewall protection and internal data management for campaigns. It will also help keep staffers with access to internal systems from accidentally being exposed to malware and other viruses. “Given the increase and sophistication of foreign election interference efforts, there is a clear need to help campaigns improve the security of not only their websites and other public-facing assets, but also their internal data security systems and teams,” Matthew Prince, co-founder and CEO of Cloudflare, said in a statement. “This is our way of providing best practices and no-brainer solutions to not only large campaigns, but also smaller, but equally important campaigns that may have limited resources.” In order to provide cyber assistance to campaigns, Cloudflare is collaborating with the nonprofit group Defending Digital Campaigns (DDC), which was approved by the Federal Election Commission (FEC) last year to provide free cybersecurity assistance to federal campaigns and national party committees.

Gov Info Security
January 15, 2020
A federal judge in Atlanta has given final approval to a settlement that resolves a class action lawsuit against credit bureau Equifax, which in 2017 suffered one of the largest data breaches in history. The deal is essentially the same as the final version of a proposed agreement reached in July 2019 with the Federal Trade Commission. Consumers will get free credit monitoring, or if they already had that in place, up to $125 in a cash payment. But the settlement includes a $31 million cap for any such cash payments. It means that the more people who apply for a payment, the more the payment amounts will be proportionally lowered. Still, Chief Judge Thomas W. Thrash Jr. writes that "this settlement is the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude." The minimum cost to Equifax will be $1.38 billion, which includes $1 billion in security upgrades, Thrash writes.

CyberScoop
January 15, 2020
The professionals who work to uncover security vulnerabilities in hardware must find a “common language” for categorizing them in order to make important strides in securing those systems, according to chipmaking giant Intel Corp. Hardware researchers “do not have the same standard taxonomy that would enable them to share information and techniques with one another,” Intel researchers Jason Fung, Arun Kanuparthi and Hareesh Khattri argued in an op-ed published this week on Help Net Security, an information security website. “If we expect hardware vendors and their partners to collectively deliver more secure solutions, we must have a common language for discussing hardware security vulnerabilities,” Fung, Kanuparthi and Khattri wrote. At issue is the Common Weakness Enumeration (CWE) system, a list that is used as a yardstick on which to map Common Vulnerabilities and Exposures (CVE). CVEs are more familiar to security researchers as signposts for potential threats, and they’re a notch in the belt to those who discover them. Both programs are run by the federally-funded, not-for-profit MITRE Corp. The CWE only covers software, though, so the Intel researchers argue that the list should be expanded to include the potential consequences of hardware weaknesses and the methods that organizations can use to detect such vulnerabilities.

Ars Technica
January 14, 2020
Today is the day that Microsoft's extended support for the Windows 7 operating system ends. Microsoft stopped selling Windows 7, which was first released in 2009, on October 13, 2013. Sales of systems with Windows 7 pre-installed ended three years to the day later in 2016. It lived a long life and is survived by Windows 10 and maybe a few remaining instances of Windows 8. But it seems most organizations are in no hurry to cast off the now-unsupported Microsoft operating system, based on a survey from the enterprise content delivery company Kollective. A survey of 100 US- and UK-based companies found that overall, 53 percent of companies had not completed or had not started migration off of Windows 7 to Windows 10. The continued presence of Windows 7 was more prevalent in the UK, where two-thirds of businesses are still using the operating system on at least some devices. US businesses were more likely to have moved on, with 40 percent reporting they still had Windows 7. But one-tenth of those surveyed had no idea whether Windows 7 was still running on devices within their organizations.

Politico
January 14, 2020
Apple on Tuesday rejected the Justice Department’s claim that it has refused to help investigators unlock two iPhones that belonged to the shooter in the Pensacola, Fla., naval base attack. The iPhone maker said that Attorney General William Barr was wrong to claim Monday that the company “has not given us any substantive assistance" in accessing phones associated with the December shooting. “We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation,” Apple said in a statement to POLITICO. “Our responses to their many requests since the attack have been timely, thorough and are ongoing.” The FBI first requested help with an iPhone on the day of the shooting, Apple said, and it responded by sharing “a wide variety” of data. It provided other data, such as iCloud backups, in response to “six additional legal requests” over the course of the next week. “In every instance,” Apple said, “we responded with all of the information that we had.”


INTERNATIONAL

AP
January 17, 2020
An alleged hacker charged with publishing internal documents that embarrassed soccer clubs and officials in the Football Leaks case is going on trial. A Portuguese judge ruled Friday that prosecutors have enough evidence incriminating Rui Pinto for him to stand trial. The ruling is a procedural part of Portuguese law. No trial date was immediately set. Prosecutors accuse Pinto of attempted extortion and hacking into secret information held by Sporting Lisbon and the Portuguese soccer federation, including financial dealings. He is also accused of illegal access to confidential data held on computers at the Portuguese attorney general’s office. Pinto denies wrongdoing, saying he is a whistleblower who in the public interest has helped expose what he claims are murky financial dealings. His lawyer, Francisco Teixeira da Mota, says Pinto has been helping law enforcement in other European countries with investigations into their soccer clubs’ finances. Pinto did not speak during the pretrial proceedings but will speak “when his time comes,” Teixeira da Mota said, apparently referring to the trial. The Football Leaks website began in 2015 and published confidential information about the financial dealings of some top European clubs, including such details as players’ and coaches’ contracts and transfer fees.

Ars Technica
January 17, 2020
On Wednesday, police in the Netherlands and Northern Ireland arrested two 22-year-old men believed to be connected to WeLeakInfo, a site offering usernames and passwords from multiple data breaches for sale. At the same time, the Federal Bureau of Investigation, in coordination with the UK's National Crime Agency, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland, took down the domain for the site, redirecting it to a seizure notice.

The Guardian
January 16, 2020
An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company’s cyberweapons were used to hack his phone. The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists. A Tel Aviv court ruled that the case brought by Omar Abdulaziz, a dissident based in Canada, could go ahead. In his lawsuit, he has argued that Saudi spies used Pegasus to read his conversations with Jamal Khashoggi, a Washington Post columnist later murdered in the Saudi Arabian consulate in Istanbul. The Guardian understands that Abdulaziz and Khashoggi exchanged hundreds of messages in the months before he died. NSO had attempted to get the case thrown out of court by arguing that it lacked “good faith” and was abusing Israel’s judicial system, according to a copy of the ruling on 22 December. However, the judge, Guy Hyman, found no grounds for dismissal. Separately, while he agreed that the trial related to sensitive security issues, he did not accept that meant it should be held in secret.

Bloomberg
January 16, 2020
After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help. In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp and Signal were making it possible for criminal suspects to protect phone calls and data from government scrutiny. The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages. Fasano christened the spyware “Exodus.” “I started to go to all the Italian prosecutors’ offices to sell it,” explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. “The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.” Even the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus’s services, Fasano said. But Fasano’s success was short lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the U.S. before unearthing a stunning discovery. Authorities found that eSurv employees allegedly used the company’s spyware to illegally hack the phones of hundreds of innocent Italians—playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.

The Washington Post
January 13, 2020
Russian military spies have hacked a Ukrainian gas company that is at the heart of an impeachment trial of President Trump, who sought last year to pressure Ukraine to investigate the company and its links to Joe Biden’s son, according to a cybersecurity firm. Beginning in early November, the Russian spy agency known as the GRU launched a cyber “phishing” campaign against Burisma Holdings to trick unsuspecting employees into giving up their email credentials so the hackers could gain access to their email accounts — once again entangling Moscow in domestic U.S. politics, according to Area 1 Security, a Redwood City, Calif., company. The operation’s launch coincided with a congressional impeachment inquiry into Trump and whether he abused his office by seeking to press Ukrainian President Volodymyr Zelensky into announcing a probe of Burisma and Hunter Biden — an action that conceivably would aid Trump’s reelection bid. The GRU was active in the 2016 presidential campaign, hacking the servers of the Democratic Party and Hillary Clinton’s campaign chairman and releasing their emails that summer and fall. The disclosures disrupted the Democratic convention and undermined Clinton’s campaign in the critical final weeks, and the U.S. intelligence community concluded that with such actions Moscow aimed to help Trump and hurt Clinton.


TECHNOLOGY

Ars Technica
January 17, 2020
Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks. People exploiting the vulnerability need only know the user name of a valid account and include a malicious payload in a POST request that's sent to a vulnerable site. According to Web application firewall provider Wordfence, the vulnerability stems from a feature that allows legitimate users to automatically log in as an administrator without providing a password.
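The bypass described above follows a recognisable pattern: an endpoint that exists so a management server can "log in as admin" without a password, but that never checks the request actually came from that server, so anyone who knows a valid username can use it. The following is an added example written for this page, not InfiniteWP Client's code or its vendor's patch; the plugin itself is PHP, and this reconstructs the logic in Python. The request field names (`action`, `params.username`, `nonce`), the action names, the user table and the base64-encoded JSON envelope are all constructed assumptions. The hardened variant binds each request to a shared secret with an HMAC-SHA256 signature over the raw body and rejects replays with a nonce; that is one sound way to authenticate a machine-to-machine auto-login, not a claim about how the real fix works.

```python
"""Hypothetical "auto-login" request handler, vulnerable and hardened.

Constructed for illustration; not InfiniteWP Client's code or its patch.
Models the pattern the article describes: an endpoint that issues an
administrator session based only on a username in the POST body.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed user table: username -> role. An attacker needs only the name.
USERS = {"admin": "administrator", "editor": "editor"}

# Hypothetical actions the endpoint services before the normal login check.
PRE_AUTH_ACTIONS = {"add_site", "readd_site"}


def decode_body(body: bytes) -> dict:
    """Body is assumed to be base64-encoded JSON (an assumption, not the plugin's format)."""
    return json.loads(base64.b64decode(body))


def vulnerable_handle(body: bytes) -> Optional[dict]:
    """Auth bypass: any POST naming a real user gets that user's session."""
    req = decode_body(body)
    if req.get("action") not in PRE_AUTH_ACTIONS:
        return None
    username = req.get("params", {}).get("username")
    if username not in USERS:
        return None
    # No password and no proof the request came from the management server.
    return {"user": username, "role": USERS[username]}


class HardenedServer:
    """Requires an HMAC-SHA256 signature over the raw body plus a fresh nonce."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.seen_nonces: set = set()

    def handle(self, body: bytes, signature_hex: str) -> Optional[dict]:
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        # Constant-time compare, and reject before parsing untrusted JSON.
        if not hmac.compare_digest(expected, signature_hex):
            return None
        req = decode_body(body)
        nonce = req.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return None  # missing nonce or replayed request
        self.seen_nonces.add(nonce)
        if req.get("action") not in PRE_AUTH_ACTIONS:
            return None
        username = req.get("params", {}).get("username")
        if username not in USERS:
            return None
        return {"user": username, "role": USERS[username]}


def make_request(action: str, username: str,
                 secret: Optional[bytes] = None) -> Tuple[bytes, Optional[str]]:
    """Build a request body; it is signed only if the caller holds the secret."""
    req = {"action": action, "params": {"username": username},
           "nonce": secrets.token_hex(8)}
    body = base64.b64encode(json.dumps(req).encode())
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest() if secret else None
    return body, sig


if __name__ == "__main__":
    attacker_body, _ = make_request("add_site", "admin")  # attacker knows only the name
    print("vulnerable:", vulnerable_handle(attacker_body))
    server = HardenedServer(secrets.token_bytes(32))
    print("hardened, unsigned:", server.handle(attacker_body, "00" * 32))
    ok_body, ok_sig = make_request("add_site", "admin", server.secret)
    print("hardened, signed:", server.handle(ok_body, ok_sig))
    print("hardened, replay:", server.handle(ok_body, ok_sig))
```

Run stand-alone, the script shows the unsigned request succeeding against `vulnerable_handle` and failing against `HardenedServer`, while a correctly signed request succeeds once and its replay is refused. The signature is computed over the raw encoded body so that any tampering with the decoded JSON (for example swapping the username) invalidates it, and the comparison uses `hmac.compare_digest` to avoid a timing side channel.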

Venture Beat
January 14, 2020
The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes’ codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it’s significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.