Gov Info
Security
July 19,
2019
The
Internal Revenue Service's internal financial reporting systems and IT
infrastructure have 14 new security vulnerabilities, along with a long list of
previously unresolved deficiencies, according to the U.S. Government
Accountability Office. The findings were part of an annual audit of the IRS's
financial security control systems, the government watchdog noted in a report
released Thursday. The GAO report also includes 20 recommendations for
improving security and mitigating flaws and misconfigurations within IRS IT
systems. The security recommendations are aimed at safeguarding the IRS's
infrastructure and databases, which contain financial data and other personal
information on millions of U.S. taxpayers. By extensively using technologies
such as encryption and identity and access management tools, the IRS would make
its systems less susceptible to cybercrimes, such as identity theft and other
financial fraud, the report states.
The Hill
July 18,
2019
A
bipartisan group of senators on Thursday introduced legislation to increase
cybersecurity training for U.S. high school students involved in the Junior
Reserve Officers’ Training Corps (JROTC) in an effort to increase overall cyber
defense training. The JROTC Cyber Training Act would direct the secretary of
Defense to create a program to enhance the preparation of JROTC high school
students for military or civilian careers in cybersecurity and computer
science, including internship or research opportunities and funding for
training. The bill is sponsored by Sens. Jacky Rosen (D-Nev.), Marsha Blackburn
(R-Tenn.), John Cornyn (R-Texas) and Gary Peters (D-Mich.). According to
Rosen’s office, the bill has the potential to bring computer science and
cybersecurity training to 500,000 students nationwide at 3,400 schools with
JROTC programs.
Roll Call
July 18,
2019
The Senate
took another small step to improve election security Wednesday evening, even as
there is no plan for a broader debate on the floor. As the chamber was closing
for the evening, senators passed by unanimous consent a bipartisan bill out of
the Senate Judiciary Committee designed to make sure that hacking election
systems is actually a federal crime. The bill would amend current law on
computer hacking to specify that hacking a computer designated as part of a
voting system or for the administration of a federal election is a crime. The
legislation was drafted in response to a Justice Department report released
last summer that determined “should hacking of a voting machine occur, the
government would not, in many conceivable circumstances, be able to use CFAA
[The Computer Fraud and Abuse Act] to prosecute the hackers.” Judiciary
Chairman Lindsey Graham of South Carolina was the lead Republican supporter of
the legislation. He said in a statement that threats of such attacks go well
beyond the Russian Federation.
Nextgov
July 17,
2019
The Census
Bureau still faces a lengthy list of IT and cybersecurity risks less than a
year before the 2020 count, but on Tuesday the agency’s chief told lawmakers
that they have the situation under control. “This is a mammoth operation ...
there will be risk throughout the 2020 Census,” Director Steven Dillingham said
before the Senate Homeland Security Committee. “We’re managing those risks and
we’re making progress, and we’ll continue to make progress.” His reassurance
came as officials from the Government Accountability Office reiterated
longstanding concerns that delayed IT rollouts, shortened security tests and
opaque cyber patching processes could leave the decennial census vulnerable to
system failures and digital attacks. The office has included the 2020 count on
its list of high-risk government programs since 2017. “I don’t think we’re
looking at disaster but there’s still a lot of work [that] needs to be done
going forward,” Robert Goldenkoff, director of GAO’s strategic issues office,
said during the hearing.
Fifth
Domain
July 17,
2019
Secretary
of Defense nominee Mark Esper, speaking to senators during his July 16 confirmation
hearing, shared his feelings that U.S. Cyber Command possesses “exceptional”
cyber capabilities, but just as important is a streamlined framework for using
them outside U.S. networks. “Maybe as important as our capabilities, last year
the administration put out a new [National Security Presidential Memorandum]
13, which really put our cyber capabilities on a more offensive footing,
allowing us to lean forward,” Esper said. Under the previous process, approval
for cyber operations had to go all the way to the president for approval. NSPM
13 now allows the president to delegate some of those authorities and
reorganizes the approval process through the interagency. Esper credited the
new process for the successful operations during the 2018 midterm elections
that sought to mitigate threats to the democratic process. “I think for those
reasons it’s why you saw in the 2018 elections no issues. That’s why I think
we’re more and more confident that the 2020 elections will also be” unfettered,
he said of NSPM 13.
Nextgov
July 17,
2019
Within a
month, the Defense Department—one of the most risk-averse agencies in the
federal government—will be trusting other agencies’ assessments of cloud
vendors’ security for middle-tier products and services. Every software and
service running on a federal network or hosting an agency service must meet a
security baseline, certified through an authority to operate, or ATO. The
Federal Risk and Authorization Management Program, or FedRAMP, was established
to assist with this mandate, but the program has been mired in long wait times
and heavy cost burdens for companies applying for authorization. “What was
supposed to be an expedited process—six months, maybe costing a quarter of a
million dollars—instead, in many cases, took years—and takes years—and can cost
companies millions of dollars, the very opposite of what FedRAMP was designed
to achieve,” Rep. Gerry Connolly, D-Va., said during a hearing Wednesday held
by the House Oversight Subcommittee on Government Operations. “We can’t
leverage the potential of cloud computing if the processes are slower than the
speed at which the technology itself advances.”
The Hill
July 15,
2019
The House
passed legislation by voice vote on Monday intended to increase cybersecurity
at the Small Business Administration (SBA) and separately approved a bill to
help small businesses defend against cyber attacks. The SBA Cyber Awareness
Act, sponsored primarily by Rep. Jason Crow (D-Colo.), would require the SBA to
produce an annual report to Congress that assesses the quality of its
information technology, and that details any equipment used by the SBA that was
manufactured in China. The report would also be required to include details of
all cyber risks or incidents faced by the agency since the previous report was
submitted. The bill would also require the SBA to notify Congress within seven
days of a suspected cyber incident or attack on the agency and concurrently
notify individuals and small businesses impacted by this incident within 30
days. The House on Monday also passed the Small Business Development Center
Cyber Training Act by voice vote. This legislation, sponsored by Rep. Steve
Chabot (R-Ohio), would require counselors at small business development centers
to be certified in cybersecurity to assist small businesses in preventing and
responding to cyber attacks.
Politico
July 13,
2019
The Trump
administration is sending aggressive messages about the United States'
willingness to hack its adversaries — alarming lawmakers and experts who fear
the president is provoking a global cyberconflict that the U.S. may not be
prepared to face. A U.S. cyberattack on Iranian military and intelligence
targets last month was one of the most prominent signs of the new approach,
which comes after a reported effort to implant hostile computer code in
Russia's electrical grid and a temporary takedown of a notorious Kremlin-backed
troll operation last fall. To supporters, the tactics are a sign the U.S. may
finally be getting out of its defensive crouch in cyberspace — as advocated by
hawks such as national security adviser John Bolton. But the moves also lay the
potential groundwork for a tit for tat of cyberattacks that could inflict
significant damage on bystanders. Targets such as banks, hospitals, oil companies
and electric utilities in the U.S. and elsewhere have already proved
vulnerable, as seen in recent criminal hacks that paralyzed entities such as
Baltimore's city government. Now, both Republican and Democratic members of
Congress are pressing the White House for details about its offensive cyber
strategies, worried that unchecked operations could be dangerously
destabilizing for the U.S. “It’s essential that Congress have its ability to
conduct proper oversight. It’s our constitutional responsibility,” Rep. Jim
Langevin (D-R.I.) told POLITICO. “I support the administration’s plan to be
more forward-leaning in cyberspace, on balance. But with that comes the
responsibility to make sure we’re not undermining stability in cyberspace.”
ADMINISTRATION
The New
York Times
July 19,
2019
A troubled
former National Security Agency contractor who spent two decades stuffing his
home, car and garden shed with highly classified documents was sentenced on
Friday to nine years in prison in a case that exposed a shocking laxity in
security at the N.S.A. and other secret government facilities. Investigators
originally feared that the contractor, Harold T. Martin III, might have passed
or sold secrets to a foreign power or to a still-mysterious group calling
itself the Shadow Brokers, which released dangerous N.S.A. hacking tools online
in 2016 and 2017. But they appear to have concluded that his amassing of
secrets was a symptom of a quirky, disturbed mind, not evidence that Mr.
Martin, a 54-year-old Navy veteran, wanted to betray his country. In March, Mr.
Martin pleaded guilty to a single count of willful retention of national
defense information. Prosecutors and defense lawyers agreed on the sentence,
which was approved by United States District Judge Richard D. Bennett. Mr.
Martin’s lawyer, James Wyda, said his client had an “autism spectrum disorder”
and had experienced difficulty forming and keeping relationships since
childhood. As a result, the lawyer said, he had sought meaning and validation
in his work as a contractor at the N.S.A. and other agencies, bringing home
documents to work on at night.
Nextgov
July 19,
2019
In
executing an enterprisewide approach to cybersecurity, the Cybersecurity and
Infrastructure Security Agency is transforming the way the federal government
tackles threats across the nation’s cyber landscape, a top security official
said Thursday. “We try to be very focused on enterprise risks—how can we take
action and how can they be tangible, doable actions, not just these things that
are high in the sky, complicated and resource-intensive,” CISA’s Assistant
Director for Cybersecurity Jeanette Manfra said at a GovernmentCIO cyber forum
in Arlington, Va. Manfra explained that, like most companies, every agency is
responsible and accountable for securing its own cyber networks and systems.
She said before CISA, the Homeland Security Department and the Office of
Management and Budget weren’t thinking of treating all 99 civilian agencies
together as an enterprise. Because of this, decisions weren’t being thought
through and officials weren’t effectively considering the significance of
shared services between the civilian agencies, or the risk management transfers
that accompany one agency hosting other agencies’ data and information.
Further, they started to see that the connectedness of agencies’ IT
infrastructures allowed adversaries to work through indirect entities to target
a specific agency they aimed to exploit. “And so that’s where I see [Homeland
Security] really filling this [gap] in federal cybersecurity is understanding
and helping to manage enterprise risk across all civilian agencies,” she said.
The New
York Times
An
experienced official will oversee election security intelligence across the
government in a newly created senior position, the director of national
intelligence announced on Friday as part of an effort to improve coordination
and speed response to attacks by foreign governments. Intelligence officials
said the new post reflects the reality that influence operations by Russia,
China and other countries are likely to continue indefinitely. Shelby Pierson,
who worked on intelligence issues surrounding the 2018 midterm elections, was
named to the post, which will cover both potential attacks on voting
infrastructure and influence campaigns. Administration critics praised the
appointment but said it did not obviate the need for a director at the National
Security Council to coordinate not just intelligence but also the response to
foreign interference campaigns. And critics in Congress warned that President
Trump’s skepticism over foreign influence campaigns continues to undermine the
government response. Ms. Pierson’s appointment will help intelligence agencies
direct resources to election security and “bring the strongest level of support
to this critical issue,” said Dan Coats, the director of national intelligence,
who called it an “enduring challenge.”
Gov Info
Security
July 19,
2019
Business
email compromise scams are surging, and they're costing U.S. companies a total
of more than $300 million a month, according to a recently released analysis by
the U.S. Treasury Department. Manufacturing and construction firms are the
hardest hit by this type of fraud, the study notes. The analysis, which the
Treasury Department's Financial Crimes Enforcement Network released this week,
found that the number of reported business email compromise scams increased to
1,100 per month in 2018, up from 500 incidents each month in 2016. The
increasing number of BEC incidents also means that more money is flowing into
the coffers of scammers. The Treasury Department report notes that BEC scams
cost businesses an average total of $301 million in fraud per month in 2018, up
from $110 million in 2016. The overall financial impact of BEC scams, as
described in the Treasury Department report, is much higher than earlier
estimates from the FBI.
The New
Yorker
July 18,
2019
In the
weeks before two Japanese and Norwegian oil tankers were attacked, on June
13th, in the Gulf of Oman—acts which the United States attributes to
Iran—American military strategists were planning a cyberattack on critical
parts of that country’s digital infrastructure. According to an officer
involved, who asked to remain anonymous, as Iran ramped up its attacks on ships
carrying oil through the Persian Gulf—four tankers had been mined in May—and
the rhetoric of the national-security adviser, John Bolton, became increasingly
bellicose, there was a request from the Joint Chiefs of Staff to “spin up cyber
teams.” On June 20th, hours after a Global Hawk surveillance drone, costing
more than a hundred million dollars, was destroyed over the Strait of Hormuz by
an Iranian surface-to-air missile, the United States launched a cyberattack
aimed at disabling Iran’s maritime operations. Then, in a notable departure
from previous Administrations’ policies, U.S. government officials, through
leaks that appear to have been strategic, alerted the world, in broad terms, to
what the Americans had done.
Nextgov
July 18,
2019
Penetration
testing—allowing trusted sources to simulate cyberattacks to assess computer
network and system security—is proving to be a vital practice that helps
agencies identify risks before bad actors can exploit them, federal security
officials said Thursday. “Really critically and importantly, what [penetration
testing] has done is given us a much better sense of what are the things we
need to focus on and where are the control areas that we really have
weaknesses,” Adrian Monza, cyber defense branch chief of the Homeland Security
Department’s U.S. Citizenship and Immigration Services, said at a GovernmentCIO
cyber forum in Arlington, Va. Monza explained that he has a number of
penetration testers on his team, whom he fondly refers to as his internal
hackers. Working across a variety of the agency’s systems, Monza said the
creativity they bring to recognizing risk has helped insiders find new threats
that were never identified before. “I will tell you that the results that
we have seen from that have been just illuminating,” Monza said.
CyberScoop
When U.S.
Cyber Command simulated a cyberattack against a seaport last month, military
personnel hunted for adversaries who appeared to be using malware against a
critical trade hub. It was the latest version of an annual weeklong test known
as “Cyber Flag” that teaches cyber staffers to better defend against critical
infrastructure attacks, military commanders involved in the exercise told
reporters in a briefing Tuesday. By imitating an attack that blocked the
seaport’s ability to move cargo — potentially affecting international trade —
military leaders tested their readiness for a real-world incident and looked
for ways to improve their response. The simulation also included officials from
throughout the U.S. government and from allied partners to emphasize stronger
coordination. “Cyber Flag is the command’s annual tactical exercise series that
features teams working on keyboard against a live opposing force,” said Rear
Adm. John Mauger, Cyber Command’s director of exercises and training. “The
environment is really intended to challenge the teams both as individuals and
their knowledge as analysts and operators — but more importantly as a
collective team and their ability to work together to achieve mission outcomes
while fighting through a contested environment.”
AP
Over six
weeks, the vandals kept coming, knocking the school system's network offline
several times a day. There was no breach of sensitive data files, but the
attacks in which somebody deliberately overwhelmed the Avon Public Schools
system in Connecticut still proved costly. Classroom lesson plans built around
access to the internet had come to a halt. "The first time I called the
FBI, their first question was, 'Well, what did it cost you?'" said Robert
Vojtek, the district's technology director. "It's like, 'Well, we were
down for three quarters of a day, we have 4,000 students, we have almost 500
adults, and teaching and learning stopped for an entire day.' So how do you put
a price tag on that?" The kind of attacks more commonly reserved for banks
and other institutions holding sensitive data are increasingly targeting school
systems around the country. The widespread adoption of education technology,
which generates data that officials say can make schools more of a target for
hackers, also worsens an attack's effects when instructional tools are rendered
useless by internet outages.
FCW
July 16,
2019
The Defense
Information Systems Agency is testing zero-trust networking on the Defense Department's
classified network. DISA ultimately wants to move to a zero-trust network
environment where access is denied by default and only approved requests are
permitted, the agency's Director of Operations David Bennett told reporters on
July 16. Bennett told reporters following a July 16 keynote at a FedInsider
event that his agency is currently implementing a zero-trust pilot on the
Secret Internet Protocol Router Network with U.S. Cyber Command. "It's a
proof-of-concept pilot," he said, adding that DISA hopes to expand it as
more lessons are learned. "Zero trust is really about figuring out the
data and applications and how to put that together and then try to connect it
to the rest of the world," he said. In that same vein, Bennett said one of
the trickiest issues will be reining in and quantifying the internet of things.
He said DISA was "not doing a lot" with IoT right now because it's
"a very complicated scenario."
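The deny-by-default model Bennett describes is easy to state and easy to get wrong in practice. The following is an added illustration, not DISA or Cyber Command code: a small policy evaluator in which nothing is permitted unless an explicit rule matches the requester's identity, role, clearance, session strength, device posture, resource and action, and any unexpected condition fails closed. The rules, clearance levels and requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Clearance ordering assumed for this example (not a DoD definition).
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Request:
    subject: str               # authenticated identity, "" if unauthenticated
    roles: FrozenSet[str]
    clearance: str
    mfa: bool                  # strong authentication completed this session
    device_compliant: bool     # endpoint passed posture checks
    resource: str
    action: str


@dataclass(frozen=True)
class AllowRule:
    resource: str
    actions: FrozenSet[str]
    roles: FrozenSet[str]      # any one of these roles suffices
    min_clearance: str
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed allow-list. Anything not covered here is denied.
RULES = (
    AllowRule("mission-db", frozenset({"read"}), frozenset({"analyst"}), "secret"),
    AllowRule("mission-db", frozenset({"read", "write"}), frozenset({"db-admin"}), "secret"),
    AllowRule("wiki", frozenset({"read"}), frozenset({"analyst", "db-admin"}),
              "unclassified", require_mfa=False),
)


def evaluate(req: Request, rules) -> Tuple[bool, str]:
    """Return (allowed, reason). Access is denied unless an explicit rule
    matches every attribute of the request; malformed input fails closed."""
    reason = "deny: no matching rule (default)"
    try:
        if not req.subject:
            return False, "deny: unauthenticated"
        if req.clearance not in CLEARANCE_RANK:
            return False, "deny: unknown clearance"
        for rule in rules:
            if rule.resource != req.resource or req.action not in rule.actions:
                continue
            if not (req.roles & rule.roles):
                continue
            # A rule that matches resource/action/role still has to pass every
            # additional condition; a partial match is never an allow.
            if CLEARANCE_RANK[req.clearance] < CLEARANCE_RANK[rule.min_clearance]:
                reason = f"deny: clearance below {rule.min_clearance}"
                continue
            if rule.require_mfa and not req.mfa:
                reason = "deny: MFA required"
                continue
            if rule.require_compliant_device and not req.device_compliant:
                reason = "deny: device not compliant"
                continue
            return True, f"allow: {req.subject} {req.action} {req.resource}"
        return False, reason
    except Exception as exc:  # never let an evaluation error become an allow
        return False, f"deny: evaluation error ({type(exc).__name__})"


def run_demo():
    """Evaluate a set of constructed requests against RULES."""
    analyst = frozenset({"analyst"})
    requests = {
        "analyst_read": Request("alice", analyst, "secret", True, True, "mission-db", "read"),
        "analyst_write": Request("alice", analyst, "secret", True, True, "mission-db", "write"),
        "no_mfa": Request("alice", analyst, "secret", False, True, "mission-db", "read"),
        "bad_device": Request("alice", analyst, "secret", True, False, "mission-db", "read"),
        "low_clearance": Request("bob", analyst, "confidential", True, True, "mission-db", "read"),
        "anonymous": Request("", frozenset(), "secret", True, True, "wiki", "read"),
        "unlisted_resource": Request("alice", analyst, "secret", True, True, "payroll", "read"),
        "wiki_no_mfa": Request("alice", analyst, "secret", False, True, "wiki", "read"),
    }
    return {name: evaluate(r, RULES) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (allowed, why) in run_demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

The point of the structure is that the only path to `True` runs through a fully matched rule; every other path, including an exception, returns a denial, which is what "denied by default" has to mean in code.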
Fifth
Domain
July 15,
2019
Pennsylvania’s
message was clear: The state was taking a big step to keep its elections from
being hacked in 2020. Last April, its top election official told counties they
had to update their systems. So far, nearly 60 percent have taken action, with
$14.15 million of mostly federal funds helping counties buy brand-new electoral
systems. But there’s a problem: Many of these new systems still run on old
software that will soon be outdated and more vulnerable to hackers. An
Associated Press analysis has found that like many counties in Pennsylvania,
the vast majority of 10,000 election jurisdictions nationwide use Windows 7 or
an older operating system to create ballots, program voting machines, tally
votes and report counts. That’s significant because Windows 7 reaches its “end
of life” on Jan. 14, meaning Microsoft stops providing technical support and
producing “patches” to fix software vulnerabilities, which hackers can exploit.
In a statement to the AP, Microsoft said Friday it would offer continued Windows
7 security updates for a fee through 2023.
CyberScoop
July 15,
2019
Officials
in La Porte County, Indiana, agreed to pay $130,000 in bitcoin to alleviate the
pain from a ransomware attack that affected two domain controllers, knocking
network services offline, according to WSB-TV. While an insurer will cover
$100,000 of that fee, the northern Indiana county is the latest local
government to pay digital extortionists to unlock a compromised network amid a
spree of similar incidents throughout the country. Attackers hit La Porte on
July 6, deploying the Ryuk ransomware to disable the city’s computer network,
website and email service systems. Versions of Ryuk, which the FBI said has had
a “disproportionate impact” on small municipalities, also have been blamed for
attacks on Georgia’s court system and on small towns in Florida. In this case,
La Porte County leaders told WSB-TV they decided to pay the ransom after a
decryption key provided by the FBI was ineffective. The initial ransomware
request reportedly was higher, with the FBI negotiators bringing the ultimate
fee down to $130,000, according to the local news outlet. Travelers Insurance,
which the county enlisted last year, will cover $100,000 of that, county
president Vidya Kora told the Michigan City News Dispatch. The FBI doesn’t
encourage ransomware victims to pay hackers, but the La Porte incident
highlights law enforcement’s struggle in stopping the attacks.
FCW
Army
researchers have developed a cyber agility framework – a new way to train
defensive cyber operators to thwart attackers. As with a set of rules or an
algorithm, application of the framework can help organizations better
understand the effectiveness of their cybersecurity efforts. It also serves as
a foundation for developing software. "Historically, when dealing with
cybersecurity, analysts are looking at screens full of numbers, trying to
identify where, and what kind of, cyberattacks are taking place by looking for
patterns," Purush Iyer, division chief of network sciences at Army
Research Office, which is a part of Army Research Laboratory, told FCW.
"The cyber agility framework offers a better way of identifying (and
predicting) attacks, by taking into account past history of traffic, and
allowing an analyst to concentrate on higher order reasoning. It's a big step
in enhancing cybersecurity predictability." In a partnership with the
University of Texas, San Antonio (UTSA) and the Army Research Laboratory,
cybersecurity researchers developed a set of metrics to help operators measure
how well their methods and tactics work during an active intrusion.
INDUSTRY
The
Financial Times
July 19,
2019
The Israeli
company whose spyware hacked WhatsApp has told buyers its technology can
surreptitiously scrape all of an individual’s data from the servers of Apple,
Google, Facebook, Amazon and Microsoft, according to people familiar with its
sales pitch. NSO Group’s flagship smartphone malware, nicknamed Pegasus, has
for years been used by spy agencies and governments to harvest data from
targeted individuals’ smartphones. But it has now evolved to capture the much
greater trove of information stored beyond the phone in the cloud, such as a
full history of a target’s location data, archived messages or photos,
according to people who shared documents with the Financial Times and described
a recent product demonstration. The documents raise difficult questions for
Silicon Valley’s technology giants, which are trusted by billions of users to
keep critical personal information, corporate secrets and medical records safe
from potential hackers. NSO denied promoting hacking or mass-surveillance tools
for cloud services. However, it did not specifically deny that it had developed
the capability described in the documents.
Vice Motherboard
July 18,
2019
Artificial
intelligence has been touted by some in the security community as the silver
bullet in malware detection. Its proponents say it’s superior to traditional
antivirus since it can catch new variants and never-before-seen malware—think
zero-day exploits—that are the Achilles heel of antivirus. One of its biggest
proponents is the security firm BlackBerry Cylance, which has staked its
business model on the artificial intelligence engine in its endpoint PROTECT
detection system, which the company says has the ability to detect new
malicious files two years before their authors even create them. But
researchers in Australia say they’ve found a way to subvert the
machine-learning algorithm in PROTECT and cause it to falsely tag already known
malware as “goodware.” The method doesn’t involve altering the malicious code,
as hackers generally do to evade detection. Instead, the researchers developed
a “global bypass” method that works with almost any malware to fool the Cylance
engine. It involves simply taking strings from a non-malicious file and
appending them to a malicious one, tricking the system into thinking the
malicious file is benign.
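To see why appending benign strings can flip a verdict, here is an added toy model, not Cylance's engine or the researchers' code. It scores a file by summing learned weights over the printable strings it contains, the way a naive string-feature classifier might. The vocabulary, weights and sample "files" are constructed for the example. The count-based scorer is fooled exactly as the article describes; a presence-based scorer, which lets each string contribute at most once, resists this particular padding trick (though not adversarial crafting in general).

```python
import re

# Constructed vocabulary: strings the toy scorer associates with benign
# (positive weight) or malicious (negative weight) files. Assumed values.
WEIGHTS = {
    b"Microsoft Corporation": 1.5,
    b"Copyright (c)": 1.0,
    b"GetModuleHandleW": 0.5,
    b"ExitProcess": 0.3,
    b"CreateRemoteThread": -2.0,
    b"VirtualAllocEx": -1.5,
    b"WriteProcessMemory": -1.5,
    b"powershell -enc": -2.5,
}

# Constructed sample "binaries": printable strings separated by NUL bytes,
# which is how strings(1) would see them in a real executable.
MALWARE = b"\x00".join([
    b"MZ", b"kernel32.dll", b"CreateRemoteThread", b"VirtualAllocEx",
    b"WriteProcessMemory", b"powershell -enc SQBFAFgA",
])
GOODWARE = b"\x00".join([
    b"MZ", b"Microsoft Corporation", b"Copyright (c) Microsoft",
    b"GetModuleHandleW", b"ExitProcess",
])


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def score_counts(data):
    """Vulnerable scorer: every occurrence of a known string adds its weight,
    so enough copies of benign strings outweigh any malicious content."""
    total = 0.0
    for s in extract_strings(data):
        for needle, w in WEIGHTS.items():
            total += w * s.count(needle)
    return total


def score_presence(data):
    """Binary-feature scorer: a string contributes at most once, so repeating
    benign strings cannot push the score any higher."""
    found = set()
    for s in extract_strings(data):
        for needle in WEIGHTS:
            if needle in s:
                found.add(needle)
    return sum(WEIGHTS[n] for n in found)


def classify(score, threshold=0.0):
    return "goodware" if score > threshold else "malware"


def append_goodware_strings(malware, goodware, copies=1):
    """The bypass from the article: leave the malicious file untouched and
    append strings harvested from a benign file."""
    benign = b"\x00".join(extract_strings(goodware))
    return malware + (b"\x00" + benign) * copies


def demo(copies=3):
    padded = append_goodware_strings(MALWARE, GOODWARE, copies)
    return {
        "malware_counts": classify(score_counts(MALWARE)),
        "goodware_counts": classify(score_counts(GOODWARE)),
        "padded_counts": classify(score_counts(padded)),
        "padded_presence": classify(score_presence(padded)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model's weakness is unbounded additive credit for benign-looking features that the attacker fully controls. Capping each feature's contribution removes that lever here, but a real classifier with thousands of features leaves other levers; the durable fix is to treat any feature the attacker can add for free with suspicion, for instance by weighting strings that sit in an appended overlay differently from strings inside mapped code sections.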
Wired
July 17,
2019
When news
appeared in May of the security vulnerability in Windows that would come to be
known as BlueKeep, security researchers almost immediately cautioned that the
flaw looked like the central ingredient for a destructive worm sure to rampage
through the internet. Microsoft issued a series of stark warnings to patch the
flaw, which persisted in roughly a million computers. Even the NSA took the
rare step of noting the bug's severity. But two months later, the dreaded
BlueKeep doomsday has yet to materialize. In fact, its apparent absence has
made clear that in an age of hardened operating systems with built-in
protections against easy exploitation, the mere existence of a known flaw in
software no longer means an immediate open season for hackers. State-sponsored
groups may already be using it for quiet intrusions, but low-skilled criminals
have yet to use it for wide-scale calamity. But that doesn't mean that a larger
wave of BlueKeep exploitation isn't in store if—or when—the secret details of
exploiting the Windows vulnerability leak out to a wider audience. On
Wednesday, security firm BitSight released the results of a new round of
scanning for the BlueKeep flaw, which affects unpatched Windows machines
running Windows 7 or earlier. The company found that about 800,000 computers
remain vulnerable to the attack—a significant drop from the nearly 1 million
unpatched machines BitSight counted in late May, but still enough to cause
mayhem if a worm were unleashed.
Ars
Technica
July 17,
2019
Microsoft
said on Wednesday that it has notified almost 10,000 customers in the past year
that they’re being targeted by nation-sponsored hackers. According to a post
from Microsoft Corporate Vice President of Customer Security & Trust Tom
Burt, about 84% of the attacks targeted customers that were large “enterprise”
organizations such as corporations. The remaining 16% of attacks targeted
consumer email accounts. Burt said some of the 10,000 customers were
successfully compromised while others were only targeted, but he didn’t provide
figures. “This data demonstrates the significant extent to which nation-states
continue to rely on cyberattacks as a tool to gain intelligence, influence
geopolitics, or achieve other objectives,” Burt wrote. Microsoft presented the
figures Wednesday at the Aspen Security Forum.
CyberScoop
July 17,
2019
When
researchers first found critical vulnerabilities in the firmware of certain
Lenovo computer servers, it looked like a fairly straightforward issue. The
problem, however, involved far more than the Hong Kong-based PC giant. The
vulnerabilities were in the firmware of baseboard management controllers (BMC),
the small processors used to remotely manage servers at an organization. The
flaws could allow an attacker to run arbitrary code within the BMCs to retain
persistent access to a computer system, or to “brick” the BMC entirely,
rendering it inoperable. Those facts alone were cause for concern, but
specialists at hardware-security company Eclypsium discovered a bigger story.
The firmware in question was actually sourced from another company — Ohio-based
Vertiv — and it was present in servers made by at least seven other vendors.
“That’s when we realized just how complex and vulnerable the BMC supply chain
is,” said Jesse Michael, principal security researcher at Eclypsium.
TechCrunch
July 17,
2019
Another
clinical lab ensnared in the AMCA data breach has come forward. Clinical
Pathology Laboratories (CPL) says 2.2 million patients may have had their
names, addresses, phone numbers, dates of birth, dates of service, balance
information and treatment provider information stolen in the previously
reported breach. Another 34,500 patients had their credit card or banking
information compromised. The breach was limited to U.S. residents, the company
said. CPL blamed AMCA, which it and other labs used to process payments for
their patients, for not providing more details on the breach when it was
disclosed in June. “At the time of AMCA’s initial notification, AMCA did not
provide CPL with enough information for CPL to identify potentially affected
patients or confirm the nature of patient information potentially involved in
the incident, and CPL’s investigation is on-going,” said the company in a
statement.
ZDNet
July 17,
2019
Microsoft
plans to explore using the Rust programming language as an alternative to C,
C++, and others, as a way to improve the security posture of its and everyone
else's apps. The announcement was made yesterday by Gavin Thomas, Principal
Security Engineering Manager for the Microsoft Security Response Center (MSRC).
"You're probably used to thinking about the Microsoft Security Response
Center as a group that responds to incidents and vulnerabilities," Thomas
said. "We are a response organization, but we also have a proactive role,
and in a new blog series we will highlight Microsoft's exploration of safer
system programming languages, starting with Rust." The end game is to find
a way to move developers from the aging C and C++ programming languages to
so-called "memory-safe languages." Memory-safe languages, such as
Rust, are designed from the ground up with protections against memory
corruption vulnerabilities, such as buffer overflows, use-after-free, data
races and other pointer-related bugs.
Wired
July 16,
2019
Two years
ago, researchers Billy Rios and Jonathan Butts discovered disturbing
vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin
pump lines. An attacker could remotely target these pumps to withhold insulin
from patients, or to trigger a potentially lethal overdose. And yet months of
negotiations with Medtronic and regulators to implement a fix proved fruitless.
So the researchers resorted to drastic measures. They built an Android app that
could use the flaws to kill people. Rios and Butts, who work at the security
firm QED Security Solutions, had first raised awareness about the issue in
August 2018 with a widely publicized talk at the Black Hat security conference
in Las Vegas. Alongside that presentation, the Food and Drug Administration and
Department of Homeland Security warned affected customers about the
vulnerabilities, as did Medtronic itself. But no one presented a plan to fix or
replace the devices. To spur a full replacement program, which ultimately went
into effect at the end of June, Rios and Butts wanted to convey the true extent
of the threat. "We’ve essentially just created a universal remote for
every one of these insulin pumps in the world," Rios says. "I don’t
know why Medtronic waits for researchers to create an app that could hurt or
kill someone before they actually start to take this seriously. Nothing has
changed between when we gave our Black Hat talk and three weeks ago."
CNBC
July 15, 2019
Symantec and Broadcom have ceased deal negotiations, sources tell CNBC's David Faber.
The people familiar with the matter added that Symantec would not accept less
than $28 a share, and that Broadcom had indicated in early conversations that
it would be willing to pay $28.25 per share for Symantec, but that subsequent
due diligence knocked that figure down below $28.
Symantec had surged earlier this month after it was revealed that Broadcom was
in advanced talks to acquire the security software vendor. Faber had reported
the two sides were negotiating a price and had seen possible synergies of $1.5
billion. Symantec shares dropped 12.8% to $22.30 on Monday. Symantec has been
dogged in recent years by management turnover and a softer core business as
cloud security companies have captured enterprise market share and as newer
companies offer ways to protect mobile devices.
INTERNATIONAL
ZDNet
July 18, 2019
As of Wednesday, July 17, 2019, the Kazakhstan government has begun intercepting
all HTTPS internet traffic inside its borders. Local internet service providers
(ISPs) have been instructed by the government to force their users
into installing a government-issued certificate on all devices and in every
browser. Once installed, the certificate allows local government agencies
to decrypt users' HTTPS traffic, inspect its content, re-encrypt it with
their own certificate, and forward it to its destination. Kazakh users trying to
access the internet since yesterday have been redirected to web pages
containing instructions on how to install the government's root certificate in
their respective browsers, whether on a desktop or a mobile device.
The New York Times
July 17, 2019
An
investigation into the theft of the personal information of nearly every adult
in Bulgaria led to the arrest of a 20-year-old computer programmer, the police
announced Wednesday, in connection with a breach that underscores the
vulnerability of vast troves of digitized information. The authorities acknowledged
that Bulgaria’s national tax agency was hacked after a news outlet received an
email on Monday with a taunt and a claim of responsibility. The names,
addresses, incomes and social security information of as many as five million
Bulgarians and foreign residents — in a country of only seven million — had
been taken. “The state of your cybersecurity is a parody,” the self-proclaimed
hacker emailed. Though the police cautioned that the investigation was in its
early stages, some officials suggested that Russia might have been behind the
attack, as retaliation for the country’s recent purchase of American-made
fighter jets. A lawyer for the suspect denied he played any role in the breach.
Gov Info Security
July 17, 2019
A
20-year-old Dutch man suspected of creating the Rubella Macro Builder toolkit
and other malicious tools and distributing them on underground forums has been
arrested by Dutch National Police. The man, a Dutch resident whose name is not
being released, has not yet been formally charged, police say. Investigators
with the Dutch National High-Tech Crime Unit note that they confiscated about €20,000
($22,400) worth of bitcoins from the man as well as manuals for committing
credit fraud and login credentials for "thousands" of systems.
Security analysts at McAfee assisted in the investigation, which is ongoing.
The suspect was arrested at his computer without incident, Dutch authorities
say.
BBC
July 16, 2019
An attempt
to defraud thousands of people using a bogus email from a UK airport was one of
a range of cyber-attacks prevented last year. The scam used a fake gov.uk
address, but the messages were prevented from ever reaching their intended
recipients. The details were revealed by GCHQ's National Cyber Security Centre
in an annual report. In all, NCSC disclosed it had stopped 140,000 separate
phishing attacks. This refers to the attempted online theft of bank details and
other sensitive information by impersonating a trustworthy person or
organisation. In addition, the agency said it had taken down 190,000 fraudulent
sites. This often happened quickly. The centre said that 64% of illegal sites
were offline within 24 hours of being discovered and 99.3% eventually went dark.
TECHNOLOGY
Dark Reading
July 18, 2019
An open
source white-hat hacking tool that nation-state hacking teams out of China, Iran,
and Russia have at times employed to avoid detection has been updated with new
features that allow attacks to persist and spread more efficiently. Sean
Dillon, creator of the so-called Koadic tool that works like a remote access
Trojan (RAT), says the software he first released two years ago at DEF CON can
now extract information and intelligence about a targeted Windows environment,
more efficiently scrape user credentials, and more easily spread around a
network. "It's much more efficient now. It can be used to compromise
entire networks in a matter of minutes," says Dillon, who plans to show
off Koadic's new features next month at the Black Hat USA Arsenal in Las Vegas.
Koadic is essentially a RAT based on VBScript and JScript that uses built-in Windows executables
such as PowerShell rather than custom malware, so it mirrors a growing trend of
sophisticated attackers employing legitimate tools instead of writing or
burning their own exploits. The trend, known as "living off the
land," also allows attackers to remain under the radar as they run
internal Windows tools like PowerShell to hack their way through networks.
via Nick Leiserson