Fake
‘ONI’ Twitter account is fake, PM’s department confirms. Satirical accounts
walk a fine line. One purporting to be the Office of National Intelligence was
shut down, while another account that uses a version of the Australian coat of
arms and has the handle @ASIO is still up and running
FBI Seized Smashed Hard Drives From Debbie Wasserman Schultz IT Aide’s Home
Gov Info
Security
Putin’s
Hackers Now Under Attack—From Microsoft The
Daily Beast
A new offensive by
Microsoft has been making inroads against the Russian government hackers behind
last year’s election meddling, identifying over 120 new targets of the
Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking
apparatus. How are they doing it? It turns out Microsoft has something even
more formidable than Moscow’s malware: Lawyers
The state of Colorado
is moving to audit future digital election results, hiring a Portland-based
startup to develop software to help ensure that electronic vote tallies are
accurate.
A
Democratic senator is pressing the Department of Homeland Security (DHS) to
mandate the government-wide use of an email authentication tool “to ensure that
hackers cannot send emails that impersonate federal agencies.” Sen. Ron Wyden
(D-Ore.) made the request in a letter to a top official at the National
Protection and Programs Directorate (NPPD), the DHS office in charge of
securing cyber and physical infrastructure. “I write to ask you to take
immediate steps to ensure that hackers cannot send emails that impersonate
federal agencies,” Wyden wrote Tuesday to Jeanette Manfra, the DHS official.
“The threat posed by criminals and foreign governments impersonating U.S.
government agencies is real.” Rob Joyce, President Trump’s cybersecurity
coordinator, was also copied on the letter. Specifically, Wyden asked DHS to
require agencies to use a tool called the Domain-based Message Authentication,
Reporting and Conformance (DMARC), a standard developed by the industry that
lets organizations send impersonating emails to a spam folder or have them
rejected by victims’ email providers.
After 2016 Hack, House Democratic Committee Switches To Encrypted Messaging
Hackers who
breached a Kansas Department of Commerce data system used by multiple states
gained access to more than 5.5 million Social Security Numbers and put the
agency on the hook to pay for credit monitoring services for all victims. The
number of SSNs exposed across the 10 states whose data was accessed has not
been previously reported. The Kansas News Service, a collaboration of KCUR,
Kansas Public Radio, KMUW and High Plains Public Radio, obtained the
information through an open records request. More than half a million of the
SSNs were from Kansas, according to the Department of Commerce. The data is
from websites that help connect people to jobs, such as Kansasworks.com, where
members of the public seeking employment can post their resumes and search job
openings. Kansas was managing data for 16 states at the time of the hack, but
not all were affected. In addition to the 5.5 million personal user accounts
that included SSNs, about 805,000 more accounts that did not contain SSNs were
also exposed.
Ashley
Madison wants to put that sordid data breach affair behind it. On Friday,
Ashley Madison parent company Ruby Life, née Avid Dating Life, announced that
it's reached an $11.2 million settlement agreement with plaintiffs in a
consolidated lawsuit that was filed against the infidelity dating site
following its massive July 2015 data breach. The full terms of the settlement
agreement have yet to be approved by the court. But the proposal calls for Ruby
to contribute "a total of $11.2 million to a settlement fund,"
designed, in part, to compensate "settlement class members who submit
valid claims for alleged losses resulting from the data breach and alleged
misrepresentations" tied to Ashley Madison, Ruby says in a statement.
The
security woes of the internet of things stem from more than just connecting a
bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of
different vendors run the same third-party code across an array of products.
That means a single bug can impact a startling number of disparate devices. Or,
as one security company's researchers recently found, a vulnerability in a
single internet-connected security camera can expose a flaw that leaves
thousands of different models of device at risk. On Tuesday, the
internet-of-things-focused security firm Senrio revealed a hackable flaw it's
calling "Devil's Ivy," a vulnerability in a piece of code called
gSOAP widely used in physical security products, potentially allowing faraway
attackers to fully disable or take over thousands of models of
internet-connected devices from security cameras to sensors to access-card
readers. In all, the small company behind gSOAP, known as Genivia, says that at
least 34 companies use the code in their IoT products. And while Genivia has
already released a patch for the problem, it's so widespread—and patching so
spotty in the internet of things—that it could persist unfixed in a large swath
of devices
A new Harvard study shows that multiple researchers independently uncover the same security flaws more often than previously thought, a discovery that could affect the way governments determine whether to keep those flaws secret for use in espionage.
Study
shows hacking techniques harder to keep secret than first thought
Estonia,
the only country in the world where voters elect their leaders through online
balloting, is taking steps to fend off potential hacking attacks as
cyber-security fears intensify. A software overhaul for the system, introduced
in 2005, is ready for testing before local elections in October, according to
Tarvi Martens, the National Electoral Committee’s head of e-voting. The upgrade
includes anti-tampering features known as end-to-end verifiability that
addresses security concerns from groups such as the Organization for Security
and Cooperation in Europe, he said. “End-to-end verifiability is the ‘Holy
Grail’ for electronic voting,” Martens said this month in a phone interview.
“When we talk about international criticism, the new software now addresses
it.”
GCHQ
Says Hackers Have Likely Compromised UK Energy Sector Targets
<
<
Cyberattack on
Ukrainian clinics, pharmacies worries experts
A
29-year-old British man has confessed to carrying out a cyber-attack on
Deutsche Telekom’s routers last year, claiming he had acted on behalf of a
Liberian telecommunications company but that his mission had got out of hand.
Speaking via a translator at a court in Cologne, the man, who was arrested
under a European arrest warrant at Luton airport in February, described it as
the “biggest mistake of my life”. The November attack hijacked about 900,000
routers and briefly stopped their owners getting online, affecting about 1.25
million Deutsche Telekom customers. The Bonn-based company estimated the cost
of the attack to have been more than €2m (£1.79m).
Commons committee was hit
by cyber attack
US Senator
Ron Wyden (D-Ore.) criticized the Federal Communications Commission for failing
to turn over its internal analysis of the DDoS attacks that hit the FCC's
public comment system. The FCC declined to provide its analysis of the attacks
to Gizmodo, which had filed a Freedom of Information Act (FoIA) request for a
copy of all records related to the FCC analysis "that concluded a DDoS
attack had taken place." The FCC declined the request, saying that its
initial analysis on the day of the attack "did not result in written
documentation." “If the FCC did suffer a DDoS attack and yet created no
written materials about it, that would be deeply irresponsible and cast doubt
on how the FCC could possibly prevent future attacks," Wyden told Gizmodo
in a story today. "On the other hand, if FCC is playing word games to
avoid responding to FoIA requests, it would clearly violate Chairman Ajit Pai’s
pledge to increase transparency at the FCC.” Wyden also said that the FCC's
response to the FoIA request raised "legitimate questions about whether
the agency is being truthful when it claims a DDoS attack knocked its
commenting system offline.”
