Pity the precocious? The hyper-intelligent often suffer from boredom, isolation, and depression — and so genius may not be the gift we perceive it to be
YOU CAN BET THE CRIMINAL SOCIALIST GOVERNMENT STILL HAS PLENTY: Venezuela’s economic crisis is now so bad that criminals can’t afford to buy bullets.
COCAINE DEALER ENJOYS LUXURY SPA BREAK HALF WAY THROUGH HIS NINE-YEAR PRISON SENTENCE.
Venomously malignant. Noxious. Blasphemous. Grotesque. Disgusting. Repulsive. Entirely bestial. Indecent. Being among the critical greetings for Leaves of Grass. Not to omit ithyphallic audacity. Plus garbage.
CLAUDIA ROSETT: Huawei’s An Asset All Right — But It’s Not Our Asset. “Whatever the details of Huawei’s officially private ownership, or the marvels of its innovations and industry, Huawei is for strategic purposes an asset of the globally ambitious despotism that is the government of China. Which makes it dangerous.”
I’ve been calling Huawei a “communist front corporation” for a while now, which seems more apt than ever — and do read the whole thing.
Following up on my previous post, House Holds Hearing Today On The Tax Gap: the Joint Committee on Taxation has released Overview Of The Tax Gap(JCX-19-19) (May 08, 2019):
This document ... provides a standard definition of the tax gap, a description of issues relevant to measurement of the tax gap, and a discussion of taxpayer behavioral responses and the effectiveness of measures to increase compliance. ...
A standard definition of the tax gap is the shortfall between the amount of tax voluntarily and timely paid by taxpayers and the actual tax liability of taxpayers. It measures taxpayers’ failure to accurately report their full tax liabilities on tax returns (i.e., underreporting), pay taxes due from filed returns (i.e., underpayment), or file a required tax return altogether or on time (i.e., non-filing). Estimates of the tax gap provide a picture of the level of overall noncompliance by taxpayers for a particular tax year, and include shortfalls in individual income taxes, corporate income taxes, employment taxes, estate taxes, and excise taxes. The individual behavioral responses to taxation that result in the tax gap raise a set of important policy questions, such as the optimal level of resources to devote to tax administration and the manner in which those resources are best deployed.
Profound stupidity. Maniacal raving. Pure nonsense. Among some for the best of Shelley. Which was also called abominable.
No philosopher has ever influenced the attitudes of even the street he lived on. Said Voltaire.
I am not an orphan on the earth, so long as this man lives on it. Said Gorky re Tolstoy.
So difficult and opaque it is, I am not certain what it is I print. Said John Donne's very publisher about the first edition of his verse.
Stories happen only to people who know how to tell them. Said Thucydides.
He never thinks about something; he thinks something. Said Hannah Arendt, re Heidegger.
Realizing that as recently as in the case of Haydn, musicians under the patronage of royalty were still treated as servants - and still wore livery.
He kept bottles of wine at his lodgeing, and many times he would drinke liberally by himselfe to refresh his spirits, and exalt his Muse. Said John Aubrey of Andrew Marvell.
The imagination will not perform until it has been flooded by a vast torrent of reading. Announced Petronius.
The nature of genius is to provide idiots with ideas twenty years later. Said Louis Aragon.
Was he Christian, Jewish or atheist? Samuel Beckett was once asked in a Dublin courtroom. To which: None of the three.
The Shakespeare of the lunatic asylum. An early French critic called Dostoevsky.
Literature is the art of writing something that will be read twice. Said Cyril Connolly.
Kant's irrationally compulsive 3.30PM walk, which it is said he forswore only once in thirty years - on the day when the post brought him a first copy of Rousseau's Emile.
The sound of Paul Desmond's alto saxophone: Like a dry martini, being what Desmond himself said he wanted.
The sign in the window says Pants Pressed Here. But when you bring in your pants, you discover that it is the sign that is for sale. Being Kierkegaard - on the typical obscurity of what normally passes for philosophy.
If you value my work, please, do not knock. Requested a notice on Hermann Hesse's door in Ticino.
A fiend of a book. The action is laid out in Hell - only it seems places and people have English names there. Said Dante Gabriel Rossetti of Wuthering Heights.
It is never difficult to paint, said Dali. It is either easy or impossible.
Thinking with someone else's brain. Schopenhauer called reading.
You have but two topics, yourself and me, and I'm sick of both. Johnson once told Boswell.
A designated area for booksellers existed in the central market in Athens as far back as in the fifth century BC.
Neither Graham Greene nor Evelyn Waugh ever learned to drive a car.
Chopin was buried in Pere Lachaise in Paris - but with Polish earth later sprinkled on the grave.
The only excuse for the suffering that God allows in the world - is that he does not exist. Stendhal said.
Dostoevsky gave me more than any thinker, more even than Gauss. Einstein said.
'Tis such a task as scarce leaves a man time to be good neighbour, an useful friend, nay, to plant a tree, much less to save his soul. Said Pope, re writing well.
A portable fatherland, Heine called the Torah.
When a head and a book collide, and one sounds hollow - is it always the book? Asked Lichtenberg.
Not to be born is far best. Wrote Sophocles.
Not to be born at all would be the best thing. Wrote Theognis, at least half a century earlier.
The man who has seen a truly beautiful woman has seen God. Said Rumi.
Morningless sleep. Epicurus called death.
Dr Donne's verses are like the peace of God: they pass all understanding. Said James I.
Reality is under no obligation to be interesting. Said Borges.
Like a vile scum on a pond. Pound viewed G K Chesterton.
Borges' vision of Paradise: A kind of library.
The greatest kindness we can show some of the authors of our youth is not to reread them. Said Francois Mauriac.
I'm a poet, I'm life. You're an editor, you're death. Proclaimed Gregory Corso to someone in the White Horse tavern - who shortly commenced punching him through the door and across the sidewalk.
You can tell from my handwriting that I am in the twenty-fourth hour. Not a single thought is born in me that does not have death graven within. Wrote Michelangelo at eighty-one - himself with eight years remaining.
I've no more sight, no hand, nor pen, nor inkwell. I lack everything. All I still possess is will. Said Goya - nearing eighty.
It is later than you know. Printed Baudelaire onto the face of his clock - after having broken off its hands.
from David Markson's The Last Novel
FCW, May 23, 2019
The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there's concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond. The agency had nearly 50 full-time employees and a budget of $17 million in 2009. Today it has a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration Committee hearing.
The Orlando Sentinel, May 23, 2019
U.S. Reps. Stephanie Murphy and Michael Waltz will file bipartisan legislation to require federal officials to alert Congress and state and local officials when election systems are hacked. The Achieving Lasting Electoral Reforms on Transparency and Security Act, or ALERTS Act, comes in response to Murphy, Waltz and the Florida congressional delegation's criticism of the FBI following a classified briefing last week. Afterward, the members of Congress demanded that the FBI release the names of two counties it says were successfully breached by Russian hackers in 2016. The FBI, which also made Gov. Ron DeSantis sign a non-disclosure agreement not to reveal the counties, said its protocol treats the counties as victims and that it would need their approval to name them. If signed into law, the bill would require federal officials "to promptly alert the appropriate state and local officials and members of Congress" if they have credible evidence of hacking, as well as a reasonable basis to believe voter information could have been altered or affected.
The Hill, May 22, 2019
The Department of Homeland Security (DHS) is asking its cybersecurity-focused employees to consider taking on new roles by volunteering to help with the border crisis. Acting Secretary Kevin McAleenan told House lawmakers Wednesday that employees in the Cybersecurity and Infrastructure Security Agency (CISA) have been asked to consider relocating to the U.S.-Mexico border, but he insisted he would not support sending "critical" cyber staff to the region. "I am aware of the call for volunteers to help address the border crisis, just as we would do in a natural disaster. Our expectation, though, is that CISA would make risk-based decisions on the types of professionals they would free up for this kind of mission and balance against their day jobs and their current focus," McAleenan said in response to a question about the volunteer drive from Rep. Jim Langevin (D-R.I.) at a Homeland Security Committee hearing on DHS' fiscal year 2020 budget request.
AP, May 22, 2019
The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The comments by representatives from the departments of Justice and Homeland Security underscored the challenges for federal and state governments in trying to ward off interference from Russia and other countries in the 2020 election. Special counsel Robert Mueller has documented a sweeping effort by Moscow to meddle in the 2016 election in Donald Trump's favor by hacking Democrats and spreading disinformation online, and FBI Director Chris Wray said in April that the government regarded last November's midterm election as "just kind of a dress rehearsal for the big show in 2020." Adam Hickey, a deputy assistant attorney general in the Justice Department's national security division, told a House Oversight and Reform subcommittee that hacking was "inevitable." "Systems that are connected to the Internet, if they're targeted by a determined adversary with enough time and resources, they will be breached," Hickey said. "So, we need to be focusing on resilience."
Nextgov, May 21, 2019
The federal government must immediately work to reverse the under-representation of women and racial and ethnic minorities in its cyber workforce by increasing funding across America's education system and tapping into more inclusive talent streams, lawmakers and a panel of experts said Tuesday. "Right now, the vast majority of the cybersecurity workforce is white and male: only 9% are African American, 4% are Hispanic and 11% are women," Cybersecurity, Infrastructure Protection and Innovation Subcommittee Chairman Cedric Richmond, D-La., said at a hearing on the cyber talent pipeline in Washington. "Now that I have the gavel, I want to use it to drive home an important point: Diversity is essential for national security, and for cybersecurity." In his opening statement, Richmond referenced the White House's recently issued executive order on America's Cybersecurity Workforce, noting that it was "mostly silent" on diversity. "Officials reportedly explained that they 'hoped diversity would be a natural byproduct' of the order," Richmond said. "This is exactly the type of thinking we cannot afford to have if we are serious about reversing trends."
Reuters, May 20, 2019
U.S. lawmakers want the State Department and intelligence community to help rein in the sale of surveillance tools by private companies to repressive regimes, according to a letter signed by a bipartisan group of congressmen released on Monday. The effort, led by Democratic Representative Tom Malinowski, is the second request in the last week asking the State Department to provide information about its approval process for U.S. companies that sell offensive cyber capabilities and other surveillance services to foreign governments. The letter to Secretary of State Mike Pompeo and Director of National Intelligence Daniel Coats references a Reuters report in January which showed a U.S. defense contractor provided staff to a United Arab Emirates hacking unit called Project Raven. The UAE program utilized former U.S. intelligence operatives to target militants, human rights activists and journalists in the Middle East as well as American citizens.
ADMINISTRATION
FCW, May 24, 2019
An updated credentialing policy from the White House looks to tap agency-issued identifiers like Social Security numbers to secure digital transactions. A new memo from the Office of Management and Budget directs agencies to set up teams for each agency to govern identity management efforts. It also stresses the importance of making valid identities interoperable across agency boundaries. To that end, the memo directs agencies to accept existing personal identity verification (PIV) credentials rather than issue new ones and to use PIV credentials as "a method to encrypt information in transit and shared between two or more federal employees or contractors." It also tasks the National Institute of Standards and Technology, the Federal CIO Council and the Federal Privacy Council to collaborate with agencies to pilot alternatives to managing identities. Chih-Wei Yi, a risk and financial advisory principal at Deloitte, said that while "most" of the memo consisted of "codifying" best practices in industry, the focus on interoperability would make doing business across agencies easier.
Nextgov, May 24, 2019
Advances in quantum computing could render the government's strongest encryption systems obsolete, and the Defense Department is trying to get ahead of the curve. The Defense Information Systems Agency is asking security researchers to share ideas for protecting the Pentagon's IT infrastructure against quantum computers. Though today's quantum systems are still in their infancy, military officials worry their more powerful successors will be able to easily crack the codes used to secure military networks today. "The exact time of the arrival of the quantum-computing era is unknown," DISA officials wrote in the solicitation. "However, [the Defense Department] must begin now to prepare its information security systems to be able to resist attacks from large-scale quantum computers."
CyberScoop
The Federal Election Commission has decided that a nonprofit spinoff of Harvard's Defending Digital Democracy Project may provide free and low-cost cybersecurity services to political campaigns without violating campaign finance laws, given the fact that there is a "highly unusual and serious threat" posed to U.S. elections by foreign adversaries. The driving force behind the FEC's advisory opinion, which FEC Chair Ellen Weintraub issued Tuesday, is the fact that there is a "demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees," she writes in the advisory. The nonprofit, Defending Digital Campaigns, has political campaign veterans Matt Rhoades and Robby Mook among its board members, as well as former National Security Agency executive Debora Plunkett. In the ruling, Weintraub notes the FEC's decision is partly due to the other efforts by the government, primarily to expose and prosecute foreign adversaries, that she indicates have not done enough to protect campaigns and political parties. "[F]oreign cyberattacks, in which the attackers may not have any spending or physical presence in the United States, may present unique challenges to both criminal prosecution and civil enforcement," she writes.
Nextgov, May 23, 2019
The Environmental Protection Agency has a detailed process for dealing with new cybersecurity weaknesses: develop a plan to remediate with clear goals and milestones, then attack the problem. The only issue: those plans aren't being logged, managed or tracked, according to the agency inspector general. The agency created an automated tool for logging vulnerabilities that will take time to remediate and for tracking progress through official plans of action and milestones (POA&Ms). According to an inspector general report released Tuesday, many of those plans were never entered into the system, meaning they were never tracked and, in some cases, the vulnerabilities were never patched. Auditors from the Office of the Inspector General found disparate levels of participation from EPA offices. The IG interviewed employees who said their office doesn't have a formal process for using the system, despite it being an agencywide requirement, and others who had developed independent methods of tracking patching progress. "One information security person indicated that their office ... [is] tracking and managing the reported weaknesses on a spreadsheet," the report states. "The person indicated their office took this action to prevent external parties within the EPA from having oversight of their office's remediation activities."
The New York Times, May 22, 2019
More than two weeks ago, hackers seized parts of the computer systems that run Baltimore's government. It could take months of work to get the disrupted technology back online. That, or the city could give in to the hackers' ransom demands. "Right now, I say no," Mayor Bernard Young told local reporters on Monday. "But in order to move the city forward? I might think about it. But I have not made a decision yet." On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid. The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. At least 1,500 pending home sales have been delayed, too, according to a letter from a group of congressional lawmakers in Maryland requesting information on the attack from the directors of the F.B.I. and the Secret Service.
CNN, May 22, 2019
The state of Florida will conduct a cybersecurity review into election security for every county in the state after it was revealed two counties were hacked during the 2016 election, Gov. Ron DeSantis announced Wednesday. The news comes eight days after DeSantis, a Republican, met with the FBI and announced that Russian military intelligence had successfully breached the networks of two Florida counties in the runup to the 2016 presidential election. DeSantis called for the meeting after special counsel Robert Mueller's report on interference in the election said that "at least one" Florida county had been breached. In a letter to Secretary of State Laurel Lee, DeSantis directed her to "immediately initiate a review of the security, particularly the cybersecurity, of our state's election systems and the elections systems of Florida's 67 counties." A spokesperson for Lee, Sarah Revell, told CNN that Lee "applauds" the initiative. Neither office immediately responded to questions about what such a review would entail, or whether its results would be made public.
Ars Technica
In a study of US and European political parties' security postures, researchers at the security-monitoring company SecurityScorecard found that while the Democratic National Committee had made "significant investments" in security since being hacked in 2016, the Democrats still lagged behind the Republican National Committee's defenses. And both parties have problems that could still leak personally identifying information about voters. According to the report, one major US political party was "programmatically leaking" personal information about voters through a voter validation application "which enumerates voter name, date of birth and address via search terms," the researchers noted. The vulnerability was disclosed to the party involved and other "appropriate parties." SecurityScorecard's team looked at the DNC, RNC, Green Party, and Libertarian Party in the US.
Nextgov, May 22, 2019
The Continuous Diagnostics and Mitigation program launched America's space agency into a new age of cybersecurity, a NASA official said Wednesday. In 2016, the agency began implementing the first phase of CDM, a Homeland Security Department effort to provide agencies with a suite of consistent cybersecurity tools to help them better monitor hacking attempts and other malicious threats. "CDM for us, needless to say, has been a success story," Willie Crenshaw Jr., NASA's program executive for CDM and risk management, said at an event hosted by FCW in Washington Wednesday. "It has tremendously helped NASA not only implement certain tools across the agency, but it's also helped change and it is changing the culture and the discussion around cybersecurity overall." NASA has an immense amount of data and many complex operating systems, making it difficult to know where everything is. But Crenshaw said CDM technology has helped agency insiders better identify all sorts of different assets and discover so many new things. "We know more now than we did three years ago about what's on NASA's network," he said.
FCW
State officials and security experts say security updates contained in the Election Assistance Commission's new Voluntary Voting System Guidelines 2.0 are badly needed, but there is concern that the bureaucratic process the agency has set up to approve and update those standards can't keep up with the pace of technological change. Later this year, the commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. That process will be followed up with far more detailed technical guidance and standards that companies will rely on to design their new voting machines. At a May 21 hearing, the commission heard from a number of stakeholders who advised that the agency refrain from requiring a full vote to approve the technical portions of the guidelines, saying it would run counter to the goal of ensuring that voting machine standards account for the latest developments in technology.
AP
A lawsuit challenging Georgia's outdated voting machines and seeking statewide use of hand-marked paper ballots can move forward, a federal judge ruled Tuesday. The lawsuit argues that the paperless touchscreen voting machines Georgia has used since 2002 are insecure, vulnerable to hacking and unable to be audited. The state's voting system drew national scrutiny during last year's midterm election in which Brian Kemp, a Republican who was the state's chief election officer at the time, narrowly defeated Democrat Stacey Abrams to become Georgia's governor. State lawyers had asked U.S. District Judge Amy Totenberg to dismiss the lawsuit. Totenberg wrote in her order rejecting that request that the state's arguments "completely ignore the reality faced by election officials across the country underscored by Plaintiffs' allegations that electronic voting systems are under unceasing attack."
CyberScoop, May 21, 2019
The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop. Researchers from Kaspersky Lab and ZoneAlarm, a software security company run by Check Point Software Technologies, tell CyberScoop they have linked the malware with APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle. A variant of the malware is being used in ongoing attacks, hitting targets as recently as this month. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations, Kaspersky Lab's principal security researcher Kurt Baumgartner tells CyberScoop. While ZoneAlarm can't confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, Lotem Finkelsteen, ZoneAlarm's Threat Intelligence Group Manager, tells CyberScoop. "Although we cannot confirm such an attack," Finkelsteen said, referring to the Kaspersky intelligence, "we think it is possible APT28 manages several efforts simultaneously."
The Air Force Times
The Air Force is investigating the Navy for a cyber intrusion into its network, according to a memo obtained by Military Times. The bizarre turn of events stems from a decision by a Navy prosecutor to embed hidden tracking software into emails sent to defense attorneys, including one Air Force lawyer, involved in a high-profile war-crimes case of a Navy SEAL in San Diego. The tracking device was an attempt to find out who was leaking information to the editor of Navy Times, a sister publication. A similar tracking device was also sent to Carl Prine, the Navy Times editor, who has written numerous stories about the case. Navy Capt. David Wilson, chief of staff for the Navy's Defense Service Offices, wrote in the May 19 memo that an Air Force attorney was among the defense lawyers who had received emails with the hidden tracking software, which he described as "malware." The Air Force defense lawyer reported the tracking device to his information security manager, who concluded the malware was a "splunk tool," which allowed the sender of the malware to gain "full access to his computer and all files on his computer," Wilson wrote in the memo, which he sent to the chief of staff for the Navy's Region Legal Service Offices.
CyberScoop
With the private industrial cybersecurity market thriving, the Department of Homeland Security is continuing to push for closer coordination with experts on the front lines of defending facilities like power plants from hackers. In speeches last week to vendors, security researchers, and state officials, DHS personnel said they wanted to help put companies on a more proactive defensive posture to thwart hacking threats to industrial environments. The department has been working with ICS vendors to test security products before they go to market, but more needs to be done, Jeanette Manfra, assistant director for cybersecurity at DHS's Cybersecurity and Infrastructure Security Agency, said last Wednesday at Hack the Capitol, an ICS security conference in Washington, D.C. "In this space, unlike really, frankly, any other, we have got to have much more capability to prevent the attacks from happening before they get in there – or at least detect them quickly so we can stop them and mitigate those consequences," she said. The DHS outreach is a recognition of the expertise and dollars that the private sector has invested in ICS security, and the reality that the vast majority of control systems that underpin key sectors like electricity and manufacturing are not owned by the government.
CNN
President Donald Trump appeared to confirm that the United States had conducted a cyberattack against a Russian entity during last year's midterm elections in an interview aired Sunday on Fox News. "I would rather not say that, but you can believe that the whole thing happened, and it happened during my administration," Trump told Fox News' Steve Hilton when asked about a report that he personally authorized a cyberattack on Russia during the time of the midterms. When pressed as to why he didn't talk about it, Trump said "because they don't like me to talk, intelligence says, 'please don't talk intelligence,' you know sometimes intelligence is good, and sometimes you look at Comey, and you look at Brennan and you look at Clapper, and I'm supposed to believe that intelligence? I never believe that intelligence." The National Security Council did not respond to a CNN request for comment about what specifically the President was referencing.
INDUSTRY
Ars Technica, May 23, 2019
It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming. Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft had been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone's best efforts, might hasten the spread of working exploit code. Until recently, researchers had to take Microsoft's word that the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was. "There is a gray area to responsible disclosure," the researchers wrote. "With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."
ZDNet, May 23, 2019
For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week. "We identified a gaping hole in the protection of top mobile web browsers," the research team said. "Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection." The issue only impacted mobile browsers that used the Google Safe Browsing link blacklisting technology. The research team, consisting of academics from Arizona State University and PayPal staff, notified Google of the problem, and the issue was fixed in late 2018.
Ars Technica, May 22, 2019
A serial publisher of Microsoft zero-day vulnerabilities has dropped exploit code for three more unpatched flaws, marking the seventh time the unknown person has done so in the past year. Technical details of the vulnerabilities, along with working proof-of-concept exploits, are the work of someone using the moniker SandboxEscaper. A local privilege-escalation vulnerability in the Windows Task Scheduler that was disclosed on Tuesday allows an authenticated attacker to gain SYSTEM privileges on an affected system. On Wednesday, the person released privilege-escalation code that exploits a bug in the Windows Error Reporting service. Attackers can use it to modify files that would normally be off limits. A third exploit, which was also released Wednesday, works against Internet Explorer 11 and allows attackers to execute JavaScript that runs with higher system access than is normally permitted by the browser sandbox.
CNBC
May 22, 2019
Moody’s has just slashed its rating outlook on Equifax, the first time cybersecurity issues
have been cited as the reason for a downgrade. Moody’s lowered Equifax’s
outlook from stable to negative on Wednesday, as the credit monitoring company
continues to suffer from the massive 2017 breach of consumer data. “We are
treating this with more significance because it is the first time that cyber
has been a named factor in an outlook change,” Joe Mielenhausen, a spokesperson
for Moody’s, told CNBC. “This is the first time the fallout from a breach has
moved the needle enough to contribute to the change.” Equifax could not
immediately be reached for comment. The decision is significant because
investors increasingly look to ratings firms and insurance companies to
adequately predict the longer-term fallout of some of the biggest breaches, a
difficult task given the relative lack of historical data on these incidents.
Ars Technica
May 18, 2019
More than 20,000 Linksys wireless routers are regularly leaking full historic records of
every device that has ever connected to them, including devices' unique
identifiers, names, and the operating systems they use. The data can be used by
snoops or hackers in either targeted or opportunistic attacks. Independent
researcher Troy Mursch said the leak is the result of a flaw in almost three
dozen models of Linksys routers. It took about 25 minutes for the BinaryEdge
search engine of Internet-connected devices to find 21,401 vulnerable devices
on Friday. A scan earlier in the week found 25,617. They were leaking a total
of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines
of code that harvest every MAC address, device name, and operating system that
has ever connected to each of them.
INTERNATIONAL
Defense One
May 24, 2019
In the latest signal NATO is adopting a tougher posture against cyber and electronic
attacks, Secretary General Jens Stoltenberg this week said that the defensive
alliance will not remain purely defensive. Stoltenberg told attendees at the
Cyber Defence Pledge conference in London, “We are not limited to respond in
cyberspace when we are attacked in cyberspace.” NATO members have already
“agreed to integrate national cyber capabilities or offensive cyber into
Alliance operations and missions,” he said. But the parameters of a NATO
response to cyber attacks remain undefined. In 2015, Stoltenberg said that a
cyber attack against one member nation could trigger an Article 5 collective
response by all members. Yet only once has a collective response ever been
invoked, at the request of the United States following the attacks of September
11, 2001. NATO is a defensive organization, so what an offensive cyber posture
looks like remains something of a mystery. An Article 5 response can take many
different forms.
CyberScoop
May 23, 2019
It’s been a year since private security researchers worked with the FBI to dismantle a
500,000-router-strong botnet that loomed over Ukraine. Lessons learned in that
takedown of the “VPNFilter” botnet are still reverberating today in the
cybersecurity community, informing defenders about other sets of malicious
activity, said Martin Lee, a manager at Cisco Talos, the threat intelligence
team that helped uncover the botnet. Lee pointed to the so-called Sea Turtle
domain name system hijacking campaign, which Talos detailed last month. Like
VPNFilter, the Sea Turtle activity was an example of a state-sponsored attacker
abusing internet infrastructure at scale to steal credentials. Data gathered
from the VPNFilter investigation, combined with the lesson that state-sponsored
actors are willing to subvert core internet infrastructure, has driven home the
fact that attackers can exploit critical devices at scale in a way that few
people had fully appreciated. “Essentially, [the Sea Turtle perpetrator] is a
threat actor trying to do the same kind of activity [as VPNFilter] – conduct
man-in-the-middle attacks, siphon off user names and passwords – but through a different
technique,” said Lee, who is manager for Europe, the Middle East and North
Africa, and Asia at Talos’ Outreach division.
The Hill
May 23, 2019
The United Kingdom is preparing to invest 22 million pounds, the equivalent of almost $28
million, to open new cyber operation centers. British Defense Secretary Penny
Mordaunt is set to make the announcement during a conference in London at the
U.K.’s National Cyber Security Centre. “It’s time to pay more than lip service
to cyber,” she is expected to say. “We must convince our adversaries
their advances simply aren’t worth the cost.” The cybersecurity centers will
provide the British Army with 24/7 information and analyses on cyber threats
and will also aim to give both the British military and allies intelligence on
emerging threats. Construction of the centers has not yet begun; it is due to start early
next year, with operations beginning in the early 2020s. “Cyber enemies
think they can act with impunity. We must show them they can’t,” Mordaunt
is set to say. “That we are ready to respond at a time and place of our
choosing in any domain, not just the virtual world.”
Gov Info Security
May 21, 2019
MuddyWater, a relatively new advanced persistent threat group that is targeting
organizations in the Middle East, has changed some of its tactics to avoid
detection while continuing to plant backdoors within targeted networks,
according to new research from Cisco Talos. In a blog posted Monday, Cisco
Talos researchers write that they have "moderate confidence" a new
campaign called "BlackWater" is tied to MuddyWater. That campaign,
which is mainly focused on targets in Turkey, shows that the group is changing
its preferred tactics, techniques and procedures to help avoid detection and
bypass certain security controls, the researchers say. And while avoiding
endpoint detection helps improve this group's overall operational security, the
main goal of BlackWater is still to plant a PowerShell-based backdoor within a
target's network and gain remote access, the researchers note. "Due to the
relation to MuddyWater and that actor's previous methods, we suspect the larger
goal [of BlackWater] was cyberespionage," Matt Valites, threat research
manager for Cisco Talos Outreach, tells Information Security Media Group.
Reuters
May 21, 2019
In early 2018, in a complex of low-rise buildings in the Australian
capital, a team of government hackers was engaging in a destructive digital war
game. The operatives – agents of the Australian Signals Directorate, the
nation’s top-secret eavesdropping agency – had been given a challenge. With all
the offensive cyber tools at their disposal, what harm could they inflict if
they had access to equipment installed in the 5G network, the next-generation
mobile communications technology, of a target nation? What the team found, say
current and former government officials, was sobering for Australian security
and political leaders: The offensive potential of 5G was so great that if
Australia were on the receiving end of such attacks, the country could be
seriously exposed. The understanding of how 5G could be exploited for spying
and to sabotage critical infrastructure changed everything for the Australians,
according to people familiar with the deliberations. Washington is widely seen
as having taken the initiative in the global campaign against Huawei
Technologies Co Ltd, a tech juggernaut that in the three decades since its
founding has become a pillar of Beijing’s bid to expand its global influence.
Yet Reuters interviews with more than two dozen current and former Western
officials show it was the Australians who led the way in pressing for action on
5G; that the United States was initially slow to act; and that Britain and
other European countries are caught between security concerns and the competitive
prices offered by Huawei.
AP
May 21, 2019
The United States is delaying some restrictions on U.S. technology sales to Chinese tech
powerhouse Huawei in what it calls an effort to ease the blow on Huawei
smartphone owners and smaller U.S. telecoms providers that rely on its
networking equipment. The Trump administration insists the sanctions are
unrelated to its escalating trade war with China, and many analysts see it as
aimed at pressuring U.S. allies in Europe to accede to Washington’s entreaties
to exclude Huawei equipment from their next-generation wireless networks, known
as 5G. The U.S. government says that the ban on selling technology to Huawei,
the world’s biggest maker of mobile network gear and the No. 2 smartphone
brand, will be delayed by 90 days as it applies to existing hardware and
software. Shares in tech companies rose Tuesday on the news. The U.S. claims
Huawei is a cybersecurity risk and has targeted it against the backdrop of a
wider battle with China over economic and technological pre-eminence that has
included tariffs on billions worth of trade and limits on business.
TECHNOLOGY
Wired
May 19, 2019
Bluetooth is the invisible glue that binds devices together. Which means that when it has
bugs, it affects everything from iPhones and Android devices to scooters and
even physical authentication keys used to secure other accounts. The order of
magnitude can be stunning: The BlueBorne flaw, first disclosed in September
2017, impacted 5 billion PCs, phones, and IoT units. As with any computing
standard, there's always the possibility of vulnerabilities in the actual code
of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth
Low Energy. But security researchers say that the big reason Bluetooth bugs
come up has more to do with sheer scale of the written standard—development of
which is facilitated by the consortium known as the Bluetooth Special Interest
Group. Bluetooth offers so many options for deployment that developers don't
necessarily have full mastery of the available choices, which can result in
faulty implementations. "One major reason Bluetooth is involved in so many
cases is just how complex this protocol is," says Ben Seri, one of the
researchers who discovered BlueBorne and vice president of research at the
embedded device security firm Armis. "When you look at the Bluetooth
standard it’s like 3,000 pages long—if you compare that to other wireless
protocols like Wi-Fi, for example, Bluetooth is like 10 times longer. The
Bluetooth SIG tried to do something very comprehensive that fits to many
various needs, but the complexity means it’s really hard to know how you should
use it if you’re a manufacturer."
via Nick Leiserson