Wednesday, March 20, 2019

Hide it well or market it well: Two reports show how point-of-sale malware has users in mind

BBC: “Fabian is world renowned for destroying ransomware – the viruses sent out by criminal gangs to extort money. Because of this, he lives a reclusive existence, always having to be one step ahead of the cyber criminals. He has moved to an unknown location since this interview was carried out…Ransomware is a particularly nasty type of computer virus. Instead of stealing data or money from victims, the virus takes control of computers and scrambles every single document, picture, video and email. Then the ransom demand is issued. Sometimes it’s written inside a note left on a desktop, sometimes it just pops up on a screen without warning…They always come with a price tag. Pay the hackers a few hundred pounds – or sometimes thousands – and they’ll restore your files…”

Gov Info Security

March 15, 2019

The U.S. Congress is hoping that the third time is the charm for an internet of things cybersecurity bill that would set minimum security standards for the connected devices that the federal government purchases for various projects. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced in the Senate on March 11 by a bipartisan group that includes Mark Warner, D-Va., and Cory Gardner, R-Colo., who are the co-chairs of the Senate Cybersecurity Caucus, along with Maggie Hassan, D-N.H., and Steve Daines, R-Mont. A similar bill sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, has been introduced in the House. The latest effort to pass the legislation comes at a time when a flood of IoT devices is entering the market, with Gartner estimating that more than 20 billion internet-connected devices will be online by the end of 2020. Over the last two years, two bills, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018, both failed to pass. Right now, there's no set of U.S. national security standards for IoT devices, so any security features and protections are left to the discretion of the individual manufacturers or vendors.

FCW

March 14, 2019

Cyber Command and the National Security Agency have been joined at the hip since the command's founding in 2009. When Cyber Command was elevated to an independent combatant command in 2017, President Donald Trump included an instruction that the Secretary of Defense make recommendations "regarding the future command relationship" between Cyber Command and NSA. That's a reference to the long-standing "dual-hat" arrangement -- with a single general or flag officer serving as both NSA director and CyberCom commander. Rep. Jim Langevin (D-R.I.), who chairs the House Armed Services subcommittee on Intelligence, Emerging Threats and Capabilities, cautioned against a breakup of the current command structure in a March 13 hearing. "Before any significant changes are implemented for the dual-hat arrangement, this subcommittee expects a robust understanding of how and why it is necessary to split the leadership function of NSA director and CyberCom director," Langevin said.

CyberScoop

March 13, 2019

The Senate should have an annual tally of when its computers and smartphones have been breached in order to better inform congressional cybersecurity policy, a pair of bipartisan senators says in a letter sent Wednesday to the Senate Sergeant at Arms. Describing Congress as a perennial target for hackers, Sens. Tom Cotton, R-Arkansas, and Ron Wyden, D-Oregon, have asked the Senate Sergeant at Arms (SAA) to be transparent in providing lawmakers with information about the scale of successful hacks of Senate devices, including smartphones. They want annual reports sent to each senator with aggregate data on compromises of computers and other breaches of sensitive Senate data. The senators also asked the SAA to notify the Senate leadership, along with members of the rules and intelligence committees, within five days of breaches to Senate computers being discovered. Right now, lawmakers appear to be in the dark on the issue. “We believe that the lack of data regarding successful cyberattacks against the Congress has contributed to the absence of debate regarding congressional cybersecurity – this must change,” Cotton and Wyden wrote in a letter to Senate Sergeant at Arms Michael Stenger.

Nextgov

March 13, 2019

The country’s election infrastructure is better protected than ever and federal computer networks have seen “demonstrable improvements” in their cybersecurity, according to the Homeland Security Department’s cyber chief. The 2018 midterms marked “the most secure election held in the modern era in the U.S.,” Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, told lawmakers on Wednesday. And while there will always be room for progress, “there’s no question” cybersecurity at federal agencies has improved in recent years, he said. In an unusually hopeful testimony before the House Appropriations Homeland Security subpanel, Krebs highlighted the agency’s success in bringing cybersecurity resources to state and local election groups scattered across the country. In 2018, CISA installed intrusion detection software on more than 90 percent of the networks used by state and local offices to manage voting, according to Krebs. In 2016, only 32 percent of nationwide networks were using the tools, he said. The agency also conducted multiple election security exercises to test and bolster digital defenses ahead of the midterms.

The Hill

March 13, 2019

A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise amid growing cyberattacks targeting U.S. companies. Rep. Jim Himes (D-Conn.) introduced the Cybersecurity Disclosure Act of 2019, a companion bill introduced in the upper chamber, that would make the Securities and Exchange Commission issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case. The bill comes at a time when "cyberattacks and data breaches against U.S. companies are becoming more frequent and sophisticated," according to a press release accompanying the rollout of the bill.

ADMINISTRATION

Reuters

March 15, 2019

While a teenager, O’Rourke acknowledged in an exclusive interview, he belonged to the oldest group of computer hackers in U.S. history. The hugely influential Cult of the Dead Cow, jokingly named after an abandoned Texas slaughterhouse, is notorious for releasing tools that allowed ordinary people to hack computers running Microsoft’s Windows. It’s also known for inventing the word “hacktivism” to describe human-rights-driven security work. Members of the group have protected O’Rourke’s secret for decades, reluctant to compromise his political viability. Now, in a series of interviews, CDC members have acknowledged O’Rourke as one of their own.

Vice Motherboard

March 14, 2019

For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.

Energywire

Walled off inside the National Security Agency complex in Fort Meade, Md., leaders of U.S. Cyber Command are preparing for digital combat against state-backed hackers targeting critical energy infrastructure. The top-secret work comes after a decade of relentless probing by cyber units from Russia and China. It follows two years of sobering revelations about accelerating efforts by America's adversaries to break into electric grid and pipeline control rooms. And in a sharp departure from the past, Cyber Command is recruiting U.S. energy companies as partners in developing and defining the new strategy disclosed last fall. Several have joined up so far, the command says, without identifying them. Called "defend forward," it includes for the first time a commitment by Pentagon cyber commandos to hit back at adversaries to block the most dangerous attacks before they're launched. The offensive strategy has the support of leaders in Congress who are eager to send a message to U.S. rivals. But the support is joined by anxiety about throwing open the door to a dangerous, more chaotic new chapter in digital warfare.

CyberScoop

March 14, 2019

As part of its work to protect the 2018 U.S. midterm elections from foreign hackers and trolls, Cyber Command personnel visited Montenegro, North Macedonia, and Ukraine to collaborate on network defense with those allies and study cyberthreats, U.S. officials confirmed to CyberScoop. The trip to Europe demonstrates how the command, which has grown in stature and capability since its 2009 inception, supports and learns from allies facing threats from persistent hackers. “We sent defensive teams… to three different European countries,” Gen. Paul Nakasone, head of Cyber Command, told a House Armed Services subcommittee on Wednesday. Nakasone did not name the countries. But a Cyber Command spokesperson said two of those countries were the Balkan nations of Montenegro and North Macedonia, which until February was known as Macedonia. And a U.S. government official with knowledge of the matter said the third country was Ukraine – something corroborated by a public statement from a top Defense Department official.

FCW

March 14, 2019

The federal cybersecurity agency designated with protecting the energy sector is creating a tool that could help commercial electric critical infrastructure providers put a price tag on managing cybersecurity risk for their networks. Karen Evans, assistant secretary for the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response, said company executives don't want a lot of granular detail on cybersecurity technology; they want to see the bottom line. "They want to know for 'X' amount of dollars how much risk is being reduced in the enterprise," Evans said. "We're working on a tool right now that will answer that question." Evans said at a March 14 meeting of the DOE's Energy Electricity Advisory Board that CESER is working with the Energy Department's National Labs on a formula the tool will use.

Defense One

March 14, 2019

U.S. Navy captains and admirals nominated for higher ranks are vulnerable to cyberattackers—and that’s why the service stopped publicly announcing their promotions last year, the chief of naval operations said Wednesday. Adm. John Richardson spoke a week after an internal Navy review warned that the service and its suppliers are “under cyber siege.” “Our competitors are focused prejudicially on those technologies where they see that they’re at a disadvantage and undersea is one where I think that we would definitely have an advantage and many other maritime types of capabilities,” Richardson said of the new assessment at a press conference on the sidelines of a McAleese and Associates/Credit Suisse conference in Washington. “We shouldn’t be surprised, I suppose, that that’s a target.” The admiral noted that this is just the latest report to warn about cybersecurity vulnerabilities. But he also said the threat of cyberattacks against its top brass led to last year’s decision to stop releasing promotion lists to the public.

FCW

Army Cyber Command plans to put cyber electromagnetic activities, or CEMA, teams on the battlefield and into every brigade combat team, division, corps and Army service component staff starting in June, Army Cyber Commander Lt. Gen. Stephen Fogarty said at the AFCEA Army Signal conference March 13. The effort is part of the pilot CEMA Support to Corps and Below that looks to advise commanders on how to integrate cyber and electronic warfare capabilities into operations. Within about two years, information warfare specialists will be swapped in for the cyber or EW people to transition to an information warfare cell, Fogarty said. The move is all part of Army Cyber's shifting information operations capabilities from Ft. Belvoir in Virginia to Ft. Gordon, the command's headquarters in Georgia, by 2020 and changing the command's name to something along the lines of Army Information Warfare Command by 2028 -- the same year the Army is due to complete its network modernization plan.

Gov Info Security

March 14, 2019

Operating divisions of the Department of Health and Human Services need to shore up security controls to more effectively detect and prevent certain cyberattacks, according to a new federal watchdog report. In a summary report issued Wednesday, the HHS Office of Inspector General highlighted several security controls that need improvement across eight HHS operating divisions. The weaknesses included configuration management, access control, data input controls and software patching, the report notes. Similar concerns have been raised in previous OIG reports. The OIG report is based on findings from a series of audits in fiscal years 2016 and 2017 at eight unnamed HHS operating divisions. Network and web application penetration testing was conducted by a third-party contractor to determine how well HHS systems were protected when subject to cyberattacks, the study notes. "Based on the findings of this audit, we have initiated a new series of audits looking for indicators of compromise on HHS and operating division systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors," OIG says.

CyberScoop

March 13, 2019

The U.S. intelligence community’s center for analyzing cyberthreat data has a new director in Erin Joe, a career FBI official with experience dealing with nation-state-level threats, the Office of the Director of National Intelligence announced Wednesday. Joe becomes the second director of the four-year-old Cyber Threat Intelligence Integration Center at a time of continuous nation-state hacking threats to U.S. organizations. She most recently served as a senior FBI executive focusing on nation-state hacking and “cyberterrorism” threats, the ODNI said in a statement. As part of a 22-year career as an FBI field officer, Joe investigated the perpetrators of the September 11, 2001 attacks and led terrorism investigations across the Middle East, according to a biography on the RSA Conference website.

Nextgov

March 12, 2019

The Homeland Security Department is warning political candidates that they need to take cybersecurity seriously no matter what level of government they’re running for. The department has steadily ramped up its election security operations following Russia’s interference in the 2016 race, with the newly minted Cybersecurity and Infrastructure Security Agency responsible for much of the work. While CISA’s efforts have largely focused on securing election infrastructure and sharing threat information, the group is also working with political campaigns to bolster their digital defenses. While presidential hopefuls and other high-profile candidates usually have the resources to invest in security, that’s not the case for thousands of people running for federal, state and local office, according to Jeanette Manfra, CISA’s assistant director for cybersecurity. As such, low-budget campaigns are left relying on personal devices and accounts, which are potentially rife with bugs and easy to infiltrate, she said. Often, low-level candidates also don’t think there’d be any reason to target them, but Manfra warned it’s impossible to know what races online adversaries will be interested in swaying. “I don’t care if you think you’re not interesting or your information is not interesting,” she said Saturday at SXSW. “When it comes to elections, anybody can be a target.”

Gov Info Security

March 12, 2019

Officials in Jackson County, Georgia, along with the FBI are investigating a ransomware attack that crippled IT systems over a two-week period. Struggling to recover from the outage, local officials reportedly paid a ransom worth $400,000 in bitcoins to restore IT systems and infrastructure. Jackson County Manager Kevin Poe told Online Athens that the county government decided to cough up the ransom late last week after IT systems had been offline since about March 1, forcing officials to use paper and pen to complete numerous tasks, although police radios and the 911 system continued to function.

FCW

March 12, 2019

The Department of Homeland Security has the authority to compel federal agencies to address cybersecurity threats. In recent years DHS has issued Binding Operational Directives to require agencies to stay current with patches for critical vulnerabilities, protect high value assets, remove Kaspersky software from government networks and defend against email and website spoofing. The Cybersecurity and Infrastructure Security Agency (and its predecessor agency at DHS) faced skepticism from other federal agencies in deploying these authorities, which were conferred by the Federal Information Security Management Act of 2014 and the Cybersecurity Act of 2015. "I think stakeholders were worried about what we would do with the authority," said Gabriel Taran, assistant general counsel for cybersecurity law at DHS at a Mar. 11 event. "They didn't trust DHS necessarily to do this, or didn't think it was the right approach for one entity to direct others."

INDUSTRY

Wired

March 15, 2019

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here's how they did it. At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico. The hackers' affiliation remains publicly unknown. Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system and security oversights in SPEI, Mexico's domestic money transfer platform run by central bank Banco de México, also known as Banxico.

The New York Times

March 14, 2019

Aleksej Gubarev is a Russian technology entrepreneur who runs companies in Europe and the United States that provide cut-rate internet service. But he is best known for his appearance in 2016 in a dossier that purported to detail Russia’s interference in the 2016 presidential election — and the Trump campaign’s complicity. Mr. Gubarev’s companies, the dossier claimed, used “botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.” On Thursday, new evidence emerged that indicated that internet service providers owned by Mr. Gubarev appear to have been used to do just that: A report by a former F.B.I. cyberexpert unsealed in a federal court in Miami found evidence that suggests Russian agents used networks operated by Mr. Gubarev to start their hacking operation during the 2016 presidential campaign.

Ars Technica

March 14, 2019

Malicious hackers wasted no time exploiting a nasty code-execution vulnerability recently disclosed in WinRAR, a Windows file-compression program with 500 million users worldwide. The in-the-wild attacks install malware that, at the time this post was going live, was undetected by the vast majority of antivirus products. The flaw, disclosed last month by Check Point Research, garnered instant mass attention because it made it possible for attackers to surreptitiously install persistent malicious applications when a target opened a compressed ZIP file using any version of WinRAR released over the past 19 years. The absolute path traversal made it possible for archive files to extract to the Windows startup folder (or any other folder of the archive creator’s choosing) without generating a warning. From there, malicious payloads would automatically be run the next time the computer rebooted. On Thursday, a researcher at McAfee reported that the security firm identified “100 unique exploits and counting” in the first week since the vulnerability was disclosed. So far, most of the initial targets were located in the US.
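As an added defensive example (not code from the Ars Technica piece, Check Point, or WinRAR), this is the member-name validation an archive extractor must perform before writing any file: the check the absolute-path-traversal bug above lacked. Names that are absolute, carry a drive letter or UNC prefix, or walk out of the destination with `..` are rejected; `SAMPLE_MEMBERS` and the destination directory name are constructed for the demonstration.

```python
"""Validate archive member names before extraction.

Added example, not WinRAR's or Check Point's code. It rejects the kinds of
entry names that let an archive write outside its extraction directory
(absolute paths, drive/UNC prefixes, '..' traversal), which is exactly how
the WinRAR bug reached the Windows startup folder.
"""
import os
import re

# Windows-style prefixes: "C:", "\\server\share" or "//server/share".
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")

# Constructed sample entry names; the first three are benign.
SAMPLE_MEMBERS = [
    "report/q1.pdf",
    "report/./notes.txt",
    "report/../report/ok.txt",          # steps out and straight back in
    "../../Startup/launcher.exe",       # traversal out of the destination
    "C:\\Users\\Public\\payload.exe",   # absolute path with drive letter
    "\\\\server\\share\\x.exe",         # UNC path
    "/etc/cron.d/job",                  # absolute POSIX path
]


def classify_member(name: str) -> str:
    """Return 'ok' or a short reason why the member name must not be extracted.

    The check is purely lexical, so it works the same on any host OS and
    treats '/' and '\\' alike, as Windows extractors do.
    """
    if not name or "\x00" in name:
        return "empty-or-nul"
    if _DRIVE_OR_UNC.match(name):
        return "drive-or-unc"
    if name.startswith(("/", "\\")):
        return "absolute"
    parts = [p for p in re.split(r"[\\/]+", name) if p not in ("", ".")]
    depth = 0  # how many directories below the destination we currently are
    for part in parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # any point above the destination is traversal
                return "traversal"
        else:
            depth += 1
    return "ok"


def resolves_inside(dest: str, name: str) -> bool:
    """Belt-and-braces check: the joined, normalised path must stay under dest."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, name.replace("\\", "/")))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def plan_extraction(names, dest):
    """Split member names into (allowed, rejected) lists of (name, reason)."""
    allowed, rejected = [], []
    for name in names:
        reason = classify_member(name)
        if reason == "ok" and not resolves_inside(dest, name):
            reason = "escapes-dest"
        (allowed if reason == "ok" else rejected).append((name, reason))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction(SAMPLE_MEMBERS, "extract_here")
    for name, _ in ok:
        print("extract ", name)
    for name, reason in bad:
        print("REJECT  ", name, "->", reason)
```

Run against the sample list, the three benign names are extracted and the other four are refused before anything touches the filesystem.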

CyberScoop

March 13, 2019

Microsoft has released security updates for two vulnerabilities that researchers say have been exploited by suspected nation-state hacking groups dubbed FruityArmor and SandCat. The March edition of Microsoft’s Patch Tuesday — when the company introduces fixes for reported security problems — includes 64 updates, 17 of which were rated as “critical.” Attackers already have leveraged at least two of the bugs, CVE-2019-0808 and CVE-2019-0797, according to researchers from Google and Russian security vendor Kaspersky Lab. Both bugs are known as elevation of privilege vulnerabilities, and could allow outsiders to manipulate Windows machines into authorizing an action that should not be allowed. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” Microsoft wrote in a security bulletin about the vulnerabilities. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The warning is not just theoretical. Kaspersky researchers Vasily Berdnikov and Boris Larin said in a blog post Wednesday they believe hacking groups including FruityArmor and SandCat are using the CVE-2019-0797 vulnerability.

Reuters

March 12, 2019

A Philippine bank has filed a lawsuit accusing Bangladesh’s central bank of defamation, hitting back at what it says are baseless claims of its complicity in the world’s biggest cyber heist. In February 2016, criminals used fraudulent orders on the SWIFT payments system to steal $81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then vanished into the casino industry in the Philippines. RCBC said its reputation had come under a sustained “vicious and public attack” by Bangladesh Bank. It is seeking at least 100 million pesos ($1.9 million) in damages. “Bangladesh Bank has embarked on a massive ploy and scheme to extort money from plaintiff RCBC by resorting to public defamation, harassment and threats geared towards destroying RCBC’s good name, reputation, and image,” it said in a statement on Tuesday, citing the civil court filing on March 6.

INTERNATIONAL

AP

March 15, 2019

Israeli Prime Minister Benjamin Netanyahu's leading challenger in his heated race for re-election is trying to play down an embarrassing phone hacking scandal that has erupted just as the ex-general is sliding in opinion polls. Benny Gantz's campaign confirmed late Thursday that the former military chief, who has been campaigning on his security credentials in a bid to end Netanyahu's decade-long rule, was the target of an Iranian hacking attack several months ago. It was not clear what information Israel's archenemy had obtained from Gantz's smartphone. His campaign said the security lapse occurred months before he entered politics and suggested the leak was a politically-motivated attempt to embarrass him ahead of April 9 elections. The revelation splashed across the internet, sending his new Blue and White party reeling. Gantz convened a surprise press conference Friday from Israel's southern border, where he tried to divert attention to recent violence involving Gaza militants. Gantz has pointed to his leading role in the 2014 Gaza war as proof of his toughness.

AP

March 14, 2019

NATO Secretary-General Jens Stoltenberg said Thursday that the military alliance is mulling how to respond to security concerns raised by some member countries about Chinese tech giant Huawei. Stoltenberg says some of NATO's 29 allies are uneasy about the potential security challenges of working with Huawei as they consider investment in 5G communications infrastructure. The United States is lobbying European and other allies to shun the biggest maker of network technology as their phone carriers invest billions in upgrading to next-generation mobile networks. Huawei rejects accusations that it might facilitate Chinese spying or is controlled by the ruling Communist Party.

Reuters

March 13, 2019

Presidential and legislative polls in Indonesia next month are not at risk of disruption from cyber attacks, the head of the election commission said on Wednesday, even though regular hacking attempts had been detected on the agency's website. Arief Budiman, head of the National Election Commission (KPU), was earlier cited in a media report as saying Chinese and Russian hackers were attacking Indonesia's voter database "to manipulate and modify" content and create ghost voters. "The election process will not be disturbed because we can handle (the attacks)," he told journalists at a briefing. "This is not about China or Russia," he said, adding that cyber attacks had originated both locally and from abroad. A KPU source with knowledge of the matter said the voter database had been subject to "probing" attacks from IP addresses originating in several countries, not just China and Russia.

The Wall Street Journal

March 12, 2019

The Navy and its industry partners are “under cyber siege” by Chinese hackers and others who have stolen national security secrets in recent years, exploiting critical weaknesses that threaten the U.S.’s standing as the world’s top military power, an internal Navy review concluded. The assessment, delivered to Navy Secretary Richard Spencer last week and reviewed by The Wall Street Journal, depicts a branch of the armed forces under relentless cyberattack by foreign adversaries and struggling in its response to them.

NBC

March 12, 2019

In 2019 Russia will likely try to influence the European Parliament elections, continue intelligence and influence operations against the West, and keep preparing for armed conflict with NATO, according to the latest annual threat assessment by the Estonian Foreign Intelligence Service. NBC News obtained an exclusive preview of the 70-page report, which provides a window into the activity and goals of the Russian intelligence services from next door in Estonia. Russia will target the European parliamentary elections in May, the report says, with a likely focus on the larger member states — Germany, France and Italy — where it can hope to have the most influence on the composition of the E.U. Parliament, whose members are elected for five-year terms.

Vice Motherboard

March 12, 2019

An international group of researchers who have been examining the source code for an internet voting system Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection. The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection. “The vulnerability is astonishing,” said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers’ report. “In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that.”

TECHNOLOGY

CyberScoop

March 14, 2019

Sometimes the little things can help cybercriminals separate their wares from the pack. It could be an uncommon feature in the malware itself, or it could just be a new way to market a familiar strategy. In unrelated reports Wednesday, cybersecurity companies detailed DMSniff, which takes a new approach to remaining stealthy as it steals point-of-sale (POS) information from consumers, as well as GlitchPOS, which steals credit-card information in a familiar way but comes with an instructional video from its creators. Threat intelligence company Flashpoint reports that DMSniff has quietly been in active use since 2016 thanks in part to a domain generation algorithm, which allows hackers to continue siphoning data from a web page even after police or researchers have taken hackers’ domain pages offline. Even as scammers deploy more advanced tools like DMSniff, other groups are using more sensational marketing to sell tools that appear to borrow from existing code. The GlitchPOS malware revealed by Cisco’s Talos research team is custom-designed code meant to steal credit card information from hacked machines’ memory for $250. The author of GlitchPOS apparently is the same hacker who built the DiamondFox L!NK botnet in 2015 and 2016, a tool that promised to allow buyers to steal credit data, password credentials, or launch a distributed denial-of-service attack.

via Nick Leiserson