Wednesday, July 17, 2019

Cyber Matters: More Than Words Can Say

The Inland Revenue Authority of Singapore (IRAS) has released a draft proposal to exempt cryptocurrencies that are intended to function as a medium of exchange from Goods and Services Tax.

A recently published U.S. Internal Revenue Service (IRS) slide describes recommendations on how tax agents should deal with digital currency users who are not paying taxes. The slide recommends that agents question crypto users’ friends and family, comb through social media posts and issue subpoenas to make sure U.S. residents are paying taxes on their cryptocurrencies.

Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y'all boarding passes to spies

Patched IDOR hole would have been child's play to exploit

MIT Sloan Management Review – By examining cybercrime through a value-chain lens, we can better understand how the ecosystem works and find new strategies for combating it. “…Attackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly? If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen.

An email arrives. It's from the boss. Subject: Hybrid Cloud. You gulp. You get the cloud – but what's this 'hybrid' bit? 

One hundred years ago, six United States Post Office Inspectors were transferred to the Bureau of Internal Revenue (now Internal Revenue Service) to become the first special agents in charge of a new crime fighting unit. This month, a host of tax professionals, including IRS Commissioner Charles Rettig, IRS-CI Chief Don Fort, and former Deputy Attorney General Rod Rosenstein, met to honor the occasion.
IRS Crime Unit Marks 100 Years Of Following The Money and Tackling Crime ... - Forbes

Tax Practitioners Board begins new financial year investigating 350 tax practitioners

At the start of the new financial year, the Tax Practitioners Board (TPB) has revealed that it is currently investigating more than 350 tax practitioners who are suspected of high-risk behaviour including:
  • failure to meet personal tax obligations
  • over-claiming work-related expenses on behalf of clients
  • egregious conduct which is considered black economy behaviour
  • non-lodgement of annual declarations
  • non-compliance with continuing professional education (CPE) requirements.
A number of these cases were as a result of referrals from the Australian Taxation Office (ATO). The TPB continues to work closely with the ATO to identify high-risk behaviour.
TPB CEO, Mr Michael O’Neill, said the TPB handed down heavy sanctions for some of the cases it considered in June.

TPB homes in on 350 high-risk practitioners | Accountants Daily

FCW

July 12, 2019

Filling the Defense Department's 12 leadership vacancies is vital for military accountability to civilians and overall "effectiveness and efficiency of the department," said Army Chief of Staff Gen. Mark Milley during his Senate nomination hearing for chairman of the Joint Chiefs of Staff July 11. Senate Armed Services Committee leaders, Chairman James Inhofe (R-Okla.) and Ranking Member Jack Reed (D-R.I.), expressed displeasure with DOD's vacancies -- and lack of presidential nominations -- during the hearing. Milley also briefly touched on cyber warfare during his testimony. "Good offense is critical, it is the best defense," he said of cyber operations. "We also need to improve the network and resilience in defensive capabilities of the military and the United States at large with the infrastructure." Milley's written testimony homed in on cybersecurity, advising Cyber Command and the National Security Agency to continue with the "dual-hatted" leadership while seeking a cyber review for the Joint Chiefs. "The current 'dual hat' configuration between U.S. Cyber Command and the National Security Agency is working well and should be maintained," Milley said, adding that if confirmed, the issue would be carefully attended and based on the best military advice.

CyberScoop

July 12, 2019
Almost one year after President Donald Trump issued a classified memorandum that has made it easier for the Pentagon to run offensive cyber operations against U.S. adversaries, lawmakers still haven’t seen the details of the document, and they want the details from the White House. Thursday evening the House of Representatives added a provision to the National Defense Authorization Act that would compel the White House to turn over the memorandum as well as any others relating to the Pentagon’s cyber operations. The amendment was part of an “en bloc” package, meaning both sides accepted it by voice vote without debate, signaling to the White House just how much interest there is — on both sides of the aisle — in allowing the legislative branch to see the memorandum. Part of the concern is that with increased authorizations to run offensive operations against adversaries, the administration runs the risk of escalating tensions with adversaries in cyberspace without proper Congressional oversight, according to Rep. Jim Langevin, D-RI, who has been a driving force behind the amendment.

FCW
July 12, 2019
The heads of agencies charged with protecting the cybersecurity of electrical transmission infrastructure told members of the House Energy and Commerce Committee's Energy Subcommittee that they're addressing supply chain concerns on a number of fronts. The top managers of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER); the Federal Energy Regulatory Commission (FERC); and the North American Electric Reliability Corporation (NERC) faced questions in a July 12 hearing from lawmakers concerned about whether gear from Chinese manufacturers Huawei and ZTE is showing up in bulk power companies' operations. NERC President and CEO Jim Robb said his organization plans additional action over Huawei/ZTE concerns in the coming days. NERC first issued a bulletin to grid providers in March in response to the administration's prohibitions of those companies' products.

The Washington Post
July 10, 2019
The full House and Senate were briefed about election security Wednesday by the Trump administration’s top intelligence, homeland security and cybersecurity officials as the parties continue to battle over how to protect the 2020 elections against foreign threats. Director of National Intelligence Daniel Coats; FBI Director Christopher A. Wray; the director of the National Security Agency and commander of U.S. Cyber Command, Gen. Paul M. Nakasone; and acting homeland security secretary Kevin McAleenan were among the senior officials who spoke to the full complement of House members and senators in back-to-back briefings. They told the lawmakers about the state of election security, including the new tools the government has equipped itself with to identify and avert future organized attempts to interfere with federal elections. Democrats and Republicans left the sessions expressing confidence in the officials’ efforts, even while the parties remain bitterly divided as to whether President Trump is taking election security seriously enough.

The Hill
July 10, 2019
A pair of House lawmakers from Florida have introduced new legislation that would require the Department of Homeland Security (DHS) to notify voters and other parties of potential breaches to election systems. Reps. Stephanie Murphy (D) and Mike Waltz (R) introduced their measure following revelations earlier this year that Russia infiltrated computer networks in two counties in the Sunshine State ahead of the 2016 presidential election. Members of the Florida congressional delegation blasted federal agencies in May for their lack of transparency about the cyberattacks, saying they only received an FBI briefing on the matter when former special counsel Robert Mueller revealed in his report that the bureau was investigating a Moscow-led hack into "at least one" Florida county. The FBI, which informed the Florida delegation that Russia had infiltrated a second county, has not permitted the members of Congress to reveal the names of which counties were targeted.

The Washington Post
July 10, 2019
U.S. Customs and Border Protection was not informed that a hacker had stolen a huge cache of sensitive border-surveillance documents until nearly three weeks after the cyberattack was first discovered, according to a new timeline provided Wednesday by the subcontractor Perceptics, raising new questions over a breach that left travelers’ images and license plates open to potential abuse. Perceptics, the Tennessee-based maker of the U.S. government’s widely used license-plate scanners, offered a timeline of the breach to The Washington Post late Wednesday after a CBP official told Congress that a “significant amount of time” passed before the agency was alerted to the document theft. By that time, the stolen files — including private images, hardware diagrams and other sensitive records detailing the surveillance systems of U.S. border checkpoints — had already been made freely available on a corner of the Internet known as the “dark web.” Perceptics told The Post that it learned of the breach May 13, immediately contacted a cyber-forensics firm and reported suspicious emails to the FBI within 24 hours. The company said it also notified Unisys, the information-technology giant for whom Perceptics was doing subcontracting work, during an in-person meeting on May 17, and that it was “told that Unisys would notify CBP” because the larger company maintained “communication with CBP for all contractual matters.”

The Hill
July 8, 2019
Sens. Gary Peters (D-Mich.) and Marco Rubio (R-Fla.) introduced legislation Monday designed to protect small businesses from cyberattacks by making it easier for those companies to access tools to protect themselves. The Small Business Cybersecurity Assistance Act would authorize Small Business Development Centers (SBDCs) to work with the Department of Homeland Security (DHS) to provide consulting to small businesses on how to strengthen their cybersecurity protocols. It would also require DHS to develop materials and programs for SBDCs to help the small businesses in their area defend against cyberattacks. Peters and Rubio cited an industry report that found that small businesses accounted for 43 percent of data breaches in 2018, in touting the need for legislation.


ADMINISTRATION

CyberScoop
July 12, 2019
The largest health insurance company in the Pacific Northwest says it will pay $10.4 million to 30 states to settle an investigation into a data breach that compromised information on more than 10 million people. The settlement, entered into court Thursday, requires Premera Blue Cross to pay $5.4 million to Washington to resolve an investigation that determined the company was slow to patch known security vulnerabilities. Hackers had access to customers’ medical records, bank account information and Social Security numbers from May 2014 until May 2015. The remaining $5 million will be split between other states. The case is the latest example of how, in the absence of federal leadership, state attorneys are taking legal action following large-scale security incidents. Connecticut and Illinois have opened investigations into the breach this year at the American Medical Collection Agency, which affected at least 20 million people. Other state lawsuits have resulted in settlements from Equifax, Uber and others.

The Hill
July 11, 2019
The Federal Election Commission (FEC) on Thursday approved a request from a private company to provide discounted cybersecurity services to political campaigns, saying it did not violate campaign finance rules. The decision came in response to a request from Area 1 Security, a California-based company, to offer cybersecurity services to federal political candidates and political committees at discounted rates. The FEC, which has jurisdiction over campaign finance for presidential and congressional elections, decided the arrangement did not violate campaign contribution rules because the company offers similar discounted services to nonpolitical clients as well. The decision allows the company to sell anti-phishing services to federal candidates and political committees for as little as $1,337 per year, according to the FEC.

Fifth Domain
The expected nomination of Vice Adm. Michael Gilday to lead the Navy brings forward an officer with key cyber experience to the top echelons of military leadership. Gilday, a career surface warfare officer, led the Navy’s component to U.S. Cyber Command, 10th Fleet/Fleet Cyber Command, from July 2016 to June 2018. He would be the first officer to lead a service who has also commanded a service cyber component. Many in the national security community have said that modern conflicts will require a “multi-domain” approach, one in which capabilities from all five domains of warfare (land, sea, air, space and cyber) will be included. Gilday’s cyber experience will help normalize cyber operations at the Joint Chiefs level.

The NY Daily News
July 11, 2019
Monroe College’s computer system was hacked by someone demanding a $2 million ransom in Bitcoin, the Daily News has learned. A hacker crippled the Bronx-based school’s computer network by encrypting its files remotely at 6:45 a.m. Wednesday, authorities said. Police sources say the attack affected each of Monroe’s campuses in Manhattan, New Rochelle and St. Lucia. Nearly 8,000 students are enrolled at the college. The school’s website was completely inaccessible after the hack, though its Facebook page is still up. A spokeswoman for Monroe said emails have also been compromised, but that classes remain in session. The school’s payroll system is handled by an outside firm and was not impacted, she said.

AP
July 11, 2019
A federal judge has ordered Georgia election officials to allow computer experts and lawyers to review the databases used to create ballots and count votes. The ruling came Tuesday in a lawsuit that challenges Georgia’s election system and seeks statewide use of hand-marked paper ballots. U.S. District Judge Amy Totenberg gave the state until Friday to turn over electronic copies of the databases to the plaintiffs’ lawyers and computer experts. The lawsuit was filed by a group of voters and the Coalition for Good Governance, an election integrity advocacy organization. It argues that the paperless touchscreen voting machines Georgia has used since 2002 are insecure, vulnerable to hacking and unable to be audited. Lawyers for the plaintiffs have argued that they need to inspect the databases at issue because they provide the information that is loaded onto voting machines and then record the cast vote records.

ZDNet
July 11, 2019
The US Conference of Mayors unanimously adopted yesterday a resolution not to pay any more ransom demands to hackers following ransomware infections. "Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads. "The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said. "NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach." The resolution adopted this week at the 87th annual meeting of the US Conference of Mayors doesn't have any legal binding, but can be used as an official position to justify administrative actions, for both federal authorities and taxpayers alike.

Nextgov
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency published security tips Tuesday to educate users on how to best protect themselves against threats from applications installed on their smartphones and other personal devices. “When you download an app, it may ask for permission to access personal information—such as email contacts, calendar inputs, call logs, and location data—from your device,” the agency warns. “[Y]ou should be aware that app developers will have access to this information and may share it with third parties, such as companies who develop targeted ads based on your location and interests.” According to CISA, it’s imperative that users ensure they are downloading apps solely from legitimate sources, and specifically on official app stores. Users should also read the apps’ permissions and privacy policies (which are frequently extensive and dense).

CyberScoop
July 10, 2019
When U.S. Cyber Command warned last week that a hacking group was using a Microsoft Outlook vulnerability previously leveraged by an Iran-linked malware campaign, it appeared to be signaling just how much the military knows about those operations. But the alert was significant in other ways: behind-the-scenes details uncovered by CyberScoop show that it is an example of how the U.S. government has built up its use of the information-sharing platform VirusTotal so the private sector gets more information sooner. Along with Cyber Command’s warning, which also was shared in a tweet, the Department of Homeland Security (DHS) released its own private warning to industry, CyberScoop has learned. The department’s traffic light protocol (TLP) alert covered the same threat that Cyber Command would eventually post to VirusTotal. In going public with the malicious files, Cyber Command appears to have revealed new information about how Iran-linked actors leveraged another malware family, known as Shamoon, as recently as 2017, according to Chronicle, which owns VirusTotal. Not only is it believed to be the first time Cyber Command has documented Iranian activity in a VirusTotal upload, but former Pentagon and intelligence officials also say the specific details of the upload show that the military wants to enhance its information sharing in a way that supports the cybersecurity mission of the entire U.S. government.

Nextgov
As more everyday items like toasters, TVs and thermostats become connected to the internet, the rules for keeping those devices secure must be able to evolve as quickly as the technology itself, experts said Tuesday. Congress and government regulators have spent years debating the best strategies for securing the billions of network-connected devices that permeate virtually every corner of the physical world. Last month, the National Institute of Standards and Technology published guidelines for managing security on the internet of things, and lawmakers have introduced multiple bills over the past year meant to secure connected devices purchased by federal agencies. While today most people agree the tech should follow a set of minimum security standards, experts fear regulations that are “overly prescriptive” could hinder security rather than help. “It’s hard to tell manufacturers a discrete set of things you should do till the end of time for all devices, because [that guidance] is based on today,” Michael Fagan, a cyber specialist at NIST, said on a panel hosted by the Telecommunications Industry Association. “We don’t know where devices will go in the future.” During the event, Fagan and other industry cyber experts warned that legislation mandating specific protections might not even be applicable to tomorrow’s tech, because it is based on the use cases and threats facing the tools today. The internet of things is changing so rapidly, and its evolution is so unpredictable, that even basic rules like requiring devices to come with changeable passwords could quickly become “stale,” they said.

CyberScoop
July 9, 2019
The U.S. Coast Guard has issued a safety alert encouraging mariners to follow basic cybersecurity protocols after a ship bound for the East Coast experienced a “significant cyber incident” in February. The Coast Guard said the deep draft ship was traveling to the Port of New York and New Jersey from international waters earlier this year when it experienced an incident affecting its shipboard network. An interagency team of specialists responded, finding that “malware significantly degraded the functionality of the onboard computer system,” though the boat’s essential controls were not affected, the Coast Guard said Monday. The shipboard network had been used to conduct official business, like updating electronic charts, managing cargo information and communicating with onshore resources. The warning comes as maritime traffic has become a prominent venue for ongoing tensions between Iran and Saudi Arabia and its allies, including the United States. In March, the FBI privately notified industry of cyberthreats to U.S. commercial and military vessels.

The Philadelphia Inquirer
July 9, 2019
Pennsylvania Gov. Tom Wolf announced a $90 million bond issue Tuesday to fund a statewide voting machine upgrade effort that he ordered more than a year ago to ensure that every vote cast creates a paper trail that can be checked by voters and audited. Republicans who control the state legislature pushed back immediately, questioning the legality of Wolf’s maneuver. The new money would cover around 60 percent of the estimated $150 million cost for the state’s 67 counties, and answer to months of uncertainty over funding. “Everybody in this building recognizes that we’ve got to support the counties,” Wolf said. “This cannot be an unfunded mandate.” House Appropriations Committee Chairman Stan Saylor (R., York), however, called it an “executive overreach.” “So far, the governor has not stated his legal authority to bond $90 million without legislative approval,” he said in a statement.

AP
July 8, 2019
Federal agents descended on the suburban Maryland house with the flash and bang of a stun grenade, blocked off the street and spent hours questioning the homeowner about a theft of government documents that prosecutors would later describe as “breathtaking” in its scale. The suspect, Harold Martin, was a contractor for the National Security Agency. His arrest followed news of a devastating disclosure of government hacking tools by a mysterious internet group calling itself the Shadow Brokers. It seemed to some that the United States might have found another Edward Snowden, who also had been a contractor for the agency. “You’re a bad man. There’s no way around that,” one law enforcement official conducting the raid told Martin, court papers say. “You’re a bad man.” Later this month, about three years after that raid, the case against Martin is scheduled to be resolved in Baltimore’s federal court. But the identity of the Shadow Brokers, and whoever was responsible for a leak with extraordinary national security implications, will remain a public mystery even as the case concludes.

Nextgov
The National Security Agency is failing to live up to government standards for cybersecurity, leaving the spy agency potentially vulnerable to digital attacks, according to an internal watchdog. The NSA Inspector General on Monday revealed the organization, which collects and analyzes some of the government’s most sensitive intelligence, doesn’t always follow its own rules for keeping that information secure. Auditors also found the agency held onto some of that data for longer than the law permits and failed to implement protections against insider threats. The report, which summarizes dozens of IG audits and investigations conducted between October 2018 and March 2019, offers a rare glimpse inside an agency whose inner workings are usually sealed off from the public.

The Boston Globe
July 8, 2019
Government watchdogs say it is “shortsighted” for Governor Gina M. Raimondo’s administration to eliminate the state’s first cabinet-level cybersecurity officer position at a time when cyberattacks are on the rise and the 2020 presidential election is on the horizon. In April 2017, the administration trumpeted the hiring of Mike Steinmetz as the state’s first cybersecurity officer and its homeland security adviser, saying that “in the ever-changing technology ecosystem, it is imperative that Rhode Island stay up to speed.” But the administration slashed his $184,446 salary from the budget and at the end of June Steinmetz left to join a Providence venture capital firm. Administration officials said Steinmetz had recently completed a “Rhode Island State Cybersecurity Strategy” and that other parts of state government would now handle cybersecurity and homeland security duties. John M. Marion, executive director of Common Cause Rhode Island, said the move runs counter to efforts by other states to bolster election cybersecurity. With the 2020 election approaching, the state’s Board of Elections lacks in-house cybersecurity expertise, he said.

The New York Times
Audrey Sikes, city clerk of Lake City, Fla., has a thing for documents: She does not like losing them. It falls to Ms. Sikes, as official custodian of records for this city of 12,000 people about an hour west of Jacksonville, to maintain Lake City’s archives. She keeps a log of public record requests and has spreadsheets that track things like property deeds and building permits. She spent years digitizing all the papers of a city that incorporated before the Civil War. “It’s everything I do,” Ms. Sikes said. Did. More than 100 years’ worth of municipal records, from ordinances to meeting minutes to resolutions and City Council agendas, have been locked in cyberspace for nearly a month, hijacked by unidentified hackers who encrypted the city’s computer systems and demanded more than $460,000 in ransom. Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all of its files. There is a possibility that thousands of pages of documents that had been painstakingly digitized by Ms. Sikes and her team will have to be manually scanned, again. “It puts us years and years and years behind,” Ms. Sikes said.


INDUSTRY

ZDNet
July 12, 2019
Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32 million) worth of cryptocurrency assets after a hack that happened late yesterday, July 11. The exchange suspended all deposits and withdrawals this morning to investigate the hack, it said in a press release. In a more detailed document released by RemixPoint, the legal entity behind Bitpoint, the company said that hackers stole funds from both its "hot" and "cold" wallets. This suggests the exchange's network was thoroughly compromised. Hot wallets are used to store funds for current transactions, while cold wallets are offline devices storing emergency and long-term funds. Bitpoint reported the attackers stole funds in five cryptocurrencies: Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum. The exchange said it detected the hack because of errors related to the remittance of Ripple funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint admins realized they had been hacked, and three hours later, they discovered thefts from other cryptocurrency assets.

Reuters
July 11, 2019
China's ZTE opened a cybersecurity lab in Brussels on Wednesday, aiming to boost transparency four months after bigger telecoms equipment rival Huawei did the same to allay concerns about spying. Chinese vendors of network gear are being scrutinized by the United States and some of its allies who believe the equipment could be used by Beijing to spy on customers if deployed in 5G networks, which are beginning to be built around the world. Huawei, the world's biggest maker of telecoms network gear, has been blacklisted by the U.S. government, meaning that U.S. companies need special approval - which they are unlikely to get - to export products to the Chinese company. Huawei has denied the U.S. allegations. ZTE, which is not blacklisted, said its new cyber lab would allow customers, regulators and other stakeholders to review its source code and documents and to carry out software testing to simulate hacking attacks.

TechCrunch
July 10, 2019
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app. Apple said the update does not require any user interaction and is deployed automatically. The video conferencing giant took flak from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction.

The Wall Street Journal
July 10, 2019
Cybersecurity-software company McAfee LLC is planning to return to the public markets, joining a record rush of initial public offerings. McAfee and its owners are meeting with bankers this week to discuss plans for a listing that could come as soon as this year, according to people familiar with the matter. An IPO could raise at least $1 billion and value McAfee at more than $5 billion, one of the people said. There is no guarantee the company will successfully stage an IPO or achieve that valuation.

Gov Info Security
July 10, 2019
Security researchers have uncovered a new vulnerability in a Siemens software platform that helps maintain industrial control systems for large critical infrastructure facilities, such as nuclear power plants. If exploited, an attacker could gain access to these systems for espionage or cause widespread physical damage, researchers at the security firm Tenable warned in a blog published Tuesday. The vulnerability is in the same Siemens software platform used by the originators of Stuxnet to help spread that malware against Iran's nuclear facilities nearly a decade ago. Earlier this month, Siemens issued a patch for the vulnerability, tracked as CVE-2019-10915. Joe Bingham, a senior research engineer with Tenable, tells Information Security Media Group that the vulnerability apparently has not been exploited in the wild. Tenable and Siemens are urging organizations that use this software for industrial control systems to apply the patch as soon as possible.

Ars Technica
July 10, 2019
Whitehats used a novel denial-of-service hack to score a key victory against ransomware criminals. Unfortunately, the blackhats have struck back by updating their infrastructure, leaving the fight with no clear winner. Researchers at security firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a largely undetected strain that, as its name suggests, infects network storage devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The hack spread by exploiting Secure Shell (SSH) connections that used weak passwords. The researchers’ analysis found that each victim received a unique bitcoin wallet for sending ransoms, a measure that was most likely intended to prevent the attackers from being traced. The analysis also showed that QNAPCrypt only encrypted devices after they received the wallet address and a public RSA key from the command-and-control server. Intezer researchers soon noticed two key weaknesses in that process. The weaknesses allowed the researchers to write a script that could emulate an unlimited number of simulated infections. After spoofing infections for nearly 1,100 devices from 15 separate campaigns, the whitehats exhausted the supply of unique bitcoin wallets the attackers had pre-generated. As a result, the campaigns were disrupted, since devices are only encrypted after they receive the wallet.

Wired
July 9, 2019
After initially saying that it wouldn't issue a full fix for a vulnerability disclosed on Monday, the video conferencing service Zoom has changed course. The company now tells WIRED that it will push a patch on Tuesday to alter Zoom's functionality and eliminate the bug. You should update Zoom now. The Zoom controversy stems from the service's slippery video streaming settings that launch instantly on Macs when users join a call. Late Monday evening, the company published an extensive statement defending the practice and addressing other bugs found by security researcher Jonathan Leitschuh. But it declined to fully address the concern that an attacker could distribute a malicious Zoom call URL, trick users into clicking it, and then open a channel to their lives when their webcam automatically activated. Zoom originally said that it would adjust the settings by which a user chooses to launch video by default with every call.

CyberScoop
July 9, 2019
A flaw in the firmware of anesthesia and respiratory devices made by General Electric could allow a hacker to change the composition of gases dispensed by the equipment, putting patients at risk, cybersecurity researchers warned Tuesday. “If exploited, this vulnerability could directly impact the confidentiality, integrity and availability of device components,” CyberMDX, the health care security company that discovered the issue, said in a statement. For the vulnerability to be exploited, a hacker would need access to a hospital’s network and for the machines to be connected to a terminal server, or one that allows enterprises to connect to multiple systems, according to CyberMDX. But with that access, an attacker could not only alter gas composition, the researchers said, but also silence alarms on the equipment and change dates and timestamps that document a patient’s surgery. “Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails,” said Elad Luz, head of research at CyberMDX. “That’s a very serious problem for any medical center.” The vulnerability is in versions 7100 and 7900 of GE’s Aestiva and Aespire anesthesia devices. The Department of Homeland Security amplified the warning in a separate advisory on Tuesday that encouraged users to report any malicious activity related to the vulnerability.


INTERNATIONAL

Politico
July 11, 2019
Europe's cybersecurity authorities are struggling to pick their next chief of the beefed-up EU Cybersecurity Agency — and time is running out. The EU Agency for Cybersecurity, formerly known as ENISA, got more powers under the new "Cybersecurity Act," a landmark regulation that came into force at the end of last month. The agency will in coming years draft certification schemes to better protect internet-connected devices, boost the security of 5G telecom networks and raise security standards for cloud providers, among other things. Current Executive Director Udo Helmbrecht's second term ends in mid-October and his replacement is chosen by the management board, which includes the national EU cybersecurity authorities as well as representatives of the European Commission. But a selection procedure that should have ended last March has run into trouble. POLITICO spoke to more than half a dozen people close to the process who said the Commission had run into problems drafting its shortlist, and that national agencies are very sensitive about the selection — leading to a slow and painstaking appointment process.

Reuters
July 9, 2019
Firefox browser maker Mozilla is blocking the United Arab Emirates’ government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage program. Mozilla said in a statement on Tuesday it was rejecting the UAE’s bid to become a globally recognized internet security watchdog, empowered to certify the safety of websites for Firefox users. Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking program. Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government.

Gov Info Security
July 9, 2019
Britain's privacy watchdog has previewed a suggested fine of £99 million ($125 million) under the EU's General Data Protection Regulation against hotel giant Marriott for its failure to more rapidly detect and remediate a data breach that persisted for four years. The massive data breach exposed approximately 339 million customer records globally, of which about 30 million related to residents of 31 countries in the European Economic Area and 7 million to U.K. residents, Britain's Information Commissioner's Office said on Tuesday. The ICO enforces the country's data protection laws, including GDPR. The previewed GDPR fine was first revealed on Tuesday when Marriott International, based in Bethesda, Maryland, said in a filing with the U.S. Securities and Exchange Commission that "the U.K. Information Commissioner's Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018."

The New York Times
July 8, 2019
The British authorities said on Monday that they intended to order British Airways to pay a fine of nearly $230 million for a data breach last year, the largest penalty against a company for privacy lapses under a new European data protection law. Poor security at the airline allowed hackers to divert about 500,000 customers visiting the British Airways website last summer to a fraudulent site, where names, addresses, login information, payment card details, travel bookings and other data were taken, according to the Information Commissioner’s Office, the British agency in charge of reviewing data breaches. In a statement British Airways said it was “surprised and disappointed” by the agency’s finding and would dispute the judgment. The penalty signals a new era for companies that experience large-scale data breaches. Frustrated that businesses were not doing enough to protect people’s online information, European policymakers last year adopted a new law, the General Data Protection Regulation, known as G.D.P.R., which allows regulators in each European Union country to issue fines of up to 4 percent of a company’s global revenue for a breach. And by acting against an iconic British brand, officials showed that enforcement would not be limited to American-based tech companies, which have been seen as a primary target.


TECHNOLOGY

Ars Technica
July 11, 2019
Website drive-by attacks that try to booby-trap visitors’ routers are alive and well, according to antivirus provider Avast, which blocked more than 4.6 million of them in Brazil over a two-month span. The attacks come from compromised websites or malicious ads that attempt to use cross-site request forgery (CSRF) attacks to change the domain name system settings of visitors’ routers. When successful, the malicious DNS settings redirect targets to websites that spoof Netflix and a host of banks. Over the first half of the year, Avast software detected more than 180,000 routers in Brazil that had hijacked DNS settings, the company reported. The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks. Attackers use the malicious DNS settings to phish passwords, display malicious ads inside legitimate webpages, or use a page visitor’s computer to mine cryptocurrencies.
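The reason a web page can rewrite a router's DNS settings is that the victim's browser sends the form post to the router's LAN address on the page's behalf, attaching whatever admin session it already holds. The example below, added here and not the firmware of any real router or anything from Avast, shows the weak settings handler beside a hardened one that also requires a per-session anti-CSRF token and a same-origin Origin/Referer header. The router address, endpoint shape, header names and the three sample requests are constructed for the example.

```python
"""A router's DNS-settings handler: the weak check beside a hardened one.

A handler that trusts the session cookie alone is exposed to cross-site
request forgery, because the browser attaches that cookie to requests made
from any site.  The hardened variant also demands a per-session anti-CSRF
token that only same-origin pages can read and an Origin/Referer header that
matches the router's own origin.  The router address, endpoint shape, header
names and sample requests are all constructed for this example; this is not
the firmware of any real router.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the router


@dataclass
class Request:
    headers: Dict[str, str]
    form: Dict[str, str]
    cookies: Dict[str, str]


@dataclass
class AdminSession:
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def weak_dns_update_allowed(req: Request, session: AdminSession) -> bool:
    """Vulnerable: any request carrying the right session cookie is trusted."""
    return req.cookies.get("session") == session.session_id


def _same_origin(header_value: Optional[str]) -> bool:
    """Compare scheme://host[:port] exactly; a prefix test would accept
    'http://192.168.1.1.attacker.example'."""
    if not header_value:
        return False
    p = urlparse(header_value)
    return f"{p.scheme}://{p.netloc}" == ROUTER_ORIGIN


def hardened_dns_update_allowed(req: Request, session: AdminSession) -> bool:
    """Hardened: session cookie AND anti-CSRF token AND same-origin header."""
    if req.cookies.get("session") != session.session_id:
        return False
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time compare
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    return _same_origin(origin)


def run_scenario() -> Dict[str, bool]:
    """Constructed requests: one forged from a malicious page, one with a
    look-alike Origin, one legitimate same-origin post from the admin UI."""
    session = AdminSession(session_id="constructed-session-id")
    cookies = {"session": session.session_id}  # browser attaches it automatically
    new_dns = {"dns1": "203.0.113.5"}  # constructed resolver from a documentation range

    forged = Request(headers={"Origin": "http://malicious.example"},
                     form=dict(new_dns), cookies=cookies)
    lookalike = Request(headers={"Referer": "http://192.168.1.1.attacker.example/x"},
                        form=dict(new_dns, csrf_token="guess"), cookies=cookies)
    legit = Request(headers={"Origin": ROUTER_ORIGIN},
                    form=dict(new_dns, csrf_token=session.csrf_token), cookies=cookies)
    return {
        "weak_accepts_forged": weak_dns_update_allowed(forged, session),                # True
        "hardened_accepts_forged": hardened_dns_update_allowed(forged, session),        # False
        "hardened_accepts_lookalike": hardened_dns_update_allowed(lookalike, session),  # False
        "hardened_accepts_legit": hardened_dns_update_allowed(legit, session),          # True
    }


if __name__ == "__main__":
    print(run_scenario())
```

The token check is the one that actually closes the hole; the origin check is defence in depth, since some proxies strip Referer and older browsers omit Origin on same-origin posts, which is why the hardened handler treats a missing header as a rejection rather than a pass. The weak administrative passwords the article mentions are a separate failure: they let a page authenticate in the first place, and no amount of CSRF hardening compensates for them.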

ZDNet
July 10, 2019
The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved. The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information. The attack requires some prerequisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method. But once these prerequisites are met, the malware running on a system can make the LEDs of a USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data. A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it. The research team behind this exfiltration method says it tested the CTRL-ALT-LED technique with various optical capturing devices, such as a smartphone camera, a smartwatch's camera, security cameras, extreme sports cameras, and even high-grade optical/light sensors.
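The channel only carries useful bandwidth if the LEDs flip many times per second, far faster than a person pressing the lock keys, which gives a host-side defender something to look for. The detector below is an added example, not the researchers' code or any vendor's product; it assumes a host agent that logs every keyboard-LED state change (the page describes no such monitoring), and the log format, threshold and sample lines are all constructed for the example.

```python
"""Flagging keyboard-LED toggling that is too fast to be a human.

CTRL-ALT-LED needs the malware to flip the Caps/Num/Scroll Lock LEDs many
times per second.  On a host where an agent records each LED state change
(an assumption made for this example; the page describes no such monitoring),
counting transitions per LED per second and alerting above a human-plausible
rate is a simple detection.  The log format, the agent and the sample lines
are constructed here; this is not the researchers' code or a vendor product.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed line format: "<UTC timestamp> led=<name> state=<on|off>"
LOG_LINE = re.compile(r"^(\S+) led=(\w+) state=(on|off)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
HUMAN_MAX_TOGGLES_PER_SECOND = 10  # assumed threshold; tune to your fleet


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed log line into (timestamp, led, state)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts = datetime.strptime(m.group(1), TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def detect_led_bursts(lines: List[str],
                      threshold: int = HUMAN_MAX_TOGGLES_PER_SECOND) -> List[Tuple[str, str, int]]:
    """Return (led, second, toggle_count) for every one-second bucket in which a
    single LED changed state more than `threshold` times."""
    counts: Counter = Counter()
    for line in lines:
        ts, led, _state = parse_line(line)
        bucket = ts.replace(microsecond=0).isoformat()
        counts[(led, bucket)] += 1
    return sorted((led, bucket, n) for (led, bucket), n in counts.items() if n > threshold)


def build_sample_log() -> List[str]:
    """Constructed sample: three human Caps Lock presses seconds apart, then a
    40-transition burst packed into one second, as a blink-modulated pattern
    would produce."""
    t0 = datetime(2019, 7, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    state = "off"
    for secs in (0, 5, 12):  # plausible human toggles
        state = "on" if state == "off" else "off"
        ts = t0 + timedelta(seconds=secs)
        lines.append(f"{ts.strftime(TS_FORMAT)} led=capslock state={state}")
    for i in range(40):  # burst: a transition every 25 ms inside second 30
        state = "on" if state == "off" else "off"
        ts = t0 + timedelta(seconds=30, milliseconds=25 * i)
        lines.append(f"{ts.strftime(TS_FORMAT)} led=capslock state={state}")
    return lines


if __name__ == "__main__":
    for led, second, n in detect_led_bursts(build_sample_log()):
        print(f"ALERT {led} toggled {n} times during {second}")
```

A per-second bucket is deliberately coarse: a slow modulation could stay under the threshold, so in practice the same counts are worth aggregating over longer windows as well, and the alert is most meaningful on hosts where no interactive user is logged in.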