Thursday, October 24, 2019

Privacy Bill Could Put Dishonest Tech Execs Behind Bars


Technology Fails: I’m just here for the LOLZ.

Tax Commissioner attacks 'out of control' press over whistleblower reporting


Chris Jordan has accused the media of "deliberately sensationalist" reporting over allegations the ATO was ripping money out of individual accounts.



Huang Xiangmo brands Tax Office a 'despicable tool of political persecution'

Exiled Chinese billionaire Huang Xiangmo, a central figure in ICAC's inquiry into Labor donations, launched the extraordinary attack as he fights a $140 million tax bill.

Federal government refuses to release details of taxpayer-owned buildings which might be a fire hazard

The material was a major factor in the deadly Grenfell Tower fire in London which claimed 72 lives, and a blaze at Melbourne's Lacrosse Tower in 2014.



The Panama Papers inspired film, The Laundromat, hit Netflix over the weekend, garnering mixed responses. While some are less than impressed with Steven Soderbergh’s style, others are praising Meryl Streep’s acting. Either way, it appears the attempt by the Mossack Fonseca co-founders to stop the film going live has done nothing other than promote it to an even broader audience.

INDIA’S DEVICES

Medical devices in India are set to be regulated and registered in the same way that drugs come December. New laws will also force manufacturers and importers to report adverse events to regulators. The crackdown comes nearly a year after our local partners, the Indian Express, revealed - as part of our Implant Files collaboration - that just 23 devices (out of about 5,000) were registered.

ROBOT POWER

“What this does is help you find more documents that you wouldn’t have been able to find with a plain text search,” John Keefe, an editor at Quartz, explained last week during our inaugural ICIJ Labs webinar. Expounding on artificial intelligence, Keefe told the attendant journalists that machine learning is the use of complex code to create programs that can detect patterns and sort information faster than any team of humans can. (Fewf!)

‘FIGHT FOR JUSTICE’

Last week marked two years since the assassination of Maltese investigative reporter Daphne Caruana Galizia. She was working on stories related to the Panama Papers in the lead up to her death. Vigils were held in several cities across Europe to honor her memory. “The fight for justice must continue, for her family’s sake, for Malta’s sake and for the sake of press freedom around the world,” said ICIJ director Gerard Ryle.

Alexa and Google Home abused to eavesdrop and phish passwords

Ars Technica – Amazon- and Google-approved apps turned both voice-controlled devices into “smart spies”. – “By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials. Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn’t just theoretical. Whitehat hackers at Germany’s Security Research Labs developed eight apps—four Alexa “skills” and four Google Home “actions”—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these “smart spies,” as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords…”


Jennie Granger: Revamping the tax office shouldn’t be taxing

Nextgov
October 18, 2019
A congressional privacy hawk wants to put the power of people’s personal data back into their own hands—and punish corporations that aren’t transparent about information collection with high fines and prison time. The Mind Your Own Business Act, introduced Thursday by Sen. Ron Wyden, D-Ore., grants the Federal Trade Commission resources and six new authorities to establish stricter protections that safeguard Americans’ data and impose tougher penalties against companies that lie about their data collection and use. “[The bill] is based on three basic ideas,” Wyden said in a statement. “Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.” If passed, the legislation would enable the agency to add 175 new members to its staff. The FTC would also be tasked with creating minimum privacy and cybersecurity standards for products and services that process consumer data and would allow.

The Hill
October 18, 2019
Sen. Maggie Hassan (D-N.H.) this week urged the Government Accountability Office (GAO) to look into how the federal government is supporting state and local governments that have been hit by debilitating cyberattacks over the past few months. In a letter sent to GAO on Thursday, Hassan noted that “ransomware is a serious and growing threat to government operations at the federal, state, and local level,” and asked that GAO review and issue a report on current federal efforts to assist state and local government entities to protect their systems against ransomware attacks. These attacks, which have been increasingly widespread across the country this year, involve a malicious actor or group gaining access to a network, encrypting the data on it, and then demanding that the victim pay a ransom in order to regain access. Hassan asked that the GAO give evaluating ransomware assistance its “prompt attention,” and noted that it is an area of “great concern” to the Senate Homeland Security and Governmental Affairs Committee, on which Hassan serves.

FCW
October 16, 2019
Officials at the Cybersecurity and Infrastructure Security Agency have told lawmakers that there have been at least a half dozen instances over the past year where they have been unable to adequately respond to known cyber risks because they could not identify the owners of vulnerable IP addresses. The agency is pressing Congress for new administrative subpoena powers to compel internet service providers to turn over subscriber information for IP addresses associated with critical infrastructure. In a legislative proposal to Congress seen by FCW, the agency claimed the lack of such authority has left vulnerabilities unmitigated and potential victims "exposed." "In the past year alone, there have been at least six occasions in which CISA has been delayed, restricted, or altogether foreclosed in responding to known and actionable cyber risks because it lacked a way to identify the targets," the agency told Congress. The proposal, submitted to the House and Senate Homeland Security Committees in June, did not provide details about the occasions, potential victims or whether the incidents involved critical infrastructure.

FCW
October 16, 2019
Representatives of commercial telecommunications and IT gear makers told the House Homeland Security Committee that additional liability protections are needed to share information about companies and products they fear might harbor cybersecurity threats. Although the 2015 Cybersecurity Information Sharing Act provided liability cover for companies to share specific indicator data from cyberattacks, it didn't provide such cover for actual products, Robert Mayer, senior vice president, cybersecurity, at USTelecom, told an Oct. 16 House Homeland Security Committee panel on supply chain security. "What we don't have is a situation where an organization has a piece of equipment where they discover software or malware or a pattern of activities makes them suspicious" can be shared comfortably among companies, he told committee Chairman Rep. Bennie Thompson, (D-Miss.). That kind of explicit information on such a threat from a product, "would be very beneficial to share" within the commercial ecosystem, said Mayer.

Nextgov
October 15, 2019
The House Homeland Security Committee returned to the scene of one of Russia’s direct attacks on U.S. elections in 2016 on Tuesday to discuss how the state of Illinois—and the nation at large—have improved election security since the last presidential election. In 2016, Russians hacked an Illinois Board of Elections voter registration database, compromising the information of some 76,000 voters and instilling confusion, despite investigations that showed no votes were altered by the bad actors. At the field hearing, state officials said Illinois partnered with federal agencies, including the Department of Homeland Security, and invested more than $13 million in security upgrades and digital vulnerability assessments for its 108 voting jurisdictions. However, like most states, Illinois has more challenges than it can fully address, given budgetary restrictions and short timelines. Steve Sandvoss, executive director of the Illinois Board of Elections, said approximately two-thirds of its 108 voting jurisdictions do not have the resources to employ an IT division and likely only have a single vendor-contracted employee responsible for things like patching electronic voting machines.


ADMINISTRATION

Nextgov
October 18, 2019
The Defense Department is less than three months away from finalizing its framework for measuring vendors’ cybersecurity practices, and industry has a lot to say about the program. Over the past six weeks, the Pentagon received more than 2,000 comments on the first public draft of the Cybersecurity Maturity Model Certification, or CMMC, according to Ellen Lord, the department’s undersecretary for acquisition and sustainment. The framework would serve as a yardstick for measuring the strength of different contractors’ digital defenses, allowing Pentagon officials to ensure vendors are appropriately protecting the sensitive military data that resides on their networks. The department will use the feedback to inform the next iteration of the CMMC, which officials plan to publish in the first week of November, Lord said during a press conference on Friday. After another round of public comments, the Pentagon will release the final framework sometime in January, and contracting officers will start assimilating certifications into the acquisition process by summer 2020, she said.

The Hill
October 18, 2019
Pennsylvania will launch a pilot of an election security audit in Philadelphia and Mercer County after the November elections, the Pennsylvania Department of State announced this week. The risk-limiting audit is designed to check the accuracy of election outcomes. It will use security measures new to the state and much of the country, according to the Pennsylvania Department of State. "This pilot project will allow us to explore audit procedures that will further strengthen Pennsylvania's election security profile and provide confidence to the voters that their votes are being counted accurately," acting Pennsylvania Secretary of State Kathy Boockvar (D) said in the announcement. The state department will work with local officials to conduct the audit using new paper-based voting systems in Mercer County and Philadelphia.

AP
October 17, 2019
The city of Baltimore is set to purchase $20 million in cyber insurance coverage, five months after an attack hobbled its computer network. The city’s Board of Estimates on Wednesday approved the purchase of two $10 million policies. The premiums will total $835,000. The move comes after hackers in May demanded about $76,000 in ransom after freezing key computer systems. Online payments, billing systems and email were down, and property transactions came to a stop, exasperating home sellers and real estate professionals. The city refused to pay the ransom, but recovery has been estimated at about $18 million. City officials said 17 insurers entered the bidding process. Chubb Insurance and AXA XL Insurance were selected.

The Tampa Bay Times
October 17, 2019
How vulnerable are Florida government agencies to a cyberattack? It’s a question state leaders hope to be able to answer by this time next year. The state’s newly-appointed Florida Cybersecurity Task Force convenes next week to begin a year-long analysis of the state’s cybersecurity health. Its goal is to identify areas for improvement and prioritize digital threats against the state. “These threats continue to increase in complexity,” said Eman El-Sheikh, director of the University of West Florida Center for Cybersecurity. “We need to be prepared with a long-term solution that not only keeps our information and citizens secure, as well as our critical infrastructure, but maintains that in years to come.” Chaired by Lt. Gov. Jeanette Nuñez, the committee consists of 13 members from both the public and private sectors who have backgrounds in security. El-Sheikh is one of seven private sector members appointed by Gov. Ron DeSantis at the end of September. She joins security experts from sectors including health care, energy, entertainment and retail.

Fifth Domain
October 16, 2019
U.S. Cyber Command is working with the energy sector and the Department of Energy as a way to bolster their relationship in case of a malicious, or catastrophic, cyberattack. Cyber Command follows a philosophy of persistent engagement — the notion that it has to be in constant contact with adversaries in friendly, neutral and enemy cyberspace — and officials have stressed this includes enabling other partners. It also includes using its unique authorities to operate outside U.S. networks as a way to provide warning for domestic agencies about potential threats. Now, the Department of Defense and Cyber Command are working on a pathfinder effort with DOE. As part of the initiative, the Pentagon has tasked staffers with better understanding how the energy sector operates. The exercise, called Grid X, examined a catastrophic power failure, Maj. Gen. Stephen Hager, deputy commander of the Cyber National Mission Force, said during an Oct. 15 panel at the annual Association of U.S. Army conference.

Reuters
October 16, 2019
The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters. The officials, who spoke on condition of anonymity, said the operation took place in late September and took aim at Tehran’s ability to spread “propaganda.” One of the officials said the strike affected physical hardware, but did not provide further details. The attack highlights how President Donald Trump’s administration has been trying to counter what it sees as Iranian aggression without spiraling into a broader conflict. Asked about Reuters reporting on Wednesday, Iran’s Minister of Communications and Information Technology Mohammad Javad Azari-Jahromi said: “They must have dreamt it,” Fars news agency reported. The U.S. strike appears more limited than other such operations against Iran this year after the downing of an American drone in June and an alleged attack by Iran’s Revolutionary Guards on oil tankers in the Gulf in May.

Fifth Domain
October 14, 2019
An eighth iteration of the Pentagon’s bug bounty program discovered a critical vulnerability in Department of Defense systems. HackerOne, the ethical hacking company partnered with the DoD for penetration testing, announced Oct. 14 it completed the Pentagon’s “Hack the Proxy” program, which allowed white hat hackers to probe the department’s Virtual Private Networks, virtual desktops and proxies. The hackers found 31 vulnerabilities: one critical, nine considered “high severity" and 21 “medium/low severity." The release did not offer any additional details on the critical vulnerability found. Last year, an Army secure file sharing site was taken offline because a critical vulnerability was found through a similar disclosure program. The goal was to “find places where the many external DoDIN [Department of Defense Information Network] touchpoints might be used by adversaries to surveil information that is internal to the network.”

C4ISRNet
October 14, 2019
In what senior officials described as one of the most historic and significant days for the Air Force, the service officially created its first information warfare entity, known as 16th Air Force, Air Forces Cyber, during an Oct. 11 ceremony at Lackland Air Force Base, in San Antonio, Texas. The event included several former commanders of 24th and 25th Air Force, Rep. Will Hurd, R-Texas, Deputy Assistant Secretary of Defense for Cyber Burke “Ed” Wilson, himself a former 24th commander, Lt. Gen. VeraLinn “Dash” Jamieson, deputy chief of staff for ISR and cyber effects operations and Lt. Gen. (s) Mary O’Brien who most recently was the commander of 25th Air Force and will replace Jamieson when she retires in November. The Air Force deactivated 24th Air Force and 25th Air Force, combining their functions into the new numbered Air Force, a move that has been in the works for several years. The change is aimed at modernizing the Air Force for a new age of warfare, one officials described as shifting from one of attrition to cognition.


INDUSTRY

Gov Info Security
October 18, 2019
The Sodinokibi ransomware-as-a-service operation appears to be making a killing, with proceeds flowing both to the gang behind the malware as well as dozens of affiliates. Also known as REvil and Sodin, Sodinokibi has lately seized the RaaS mantle from GandCrab, after the administrators of that criminal scheme announced their retirement on May 31, boasting that their affiliates had earned more than $2 billion. Security firm McAfee has been tracing where Sodinokibi payments go, aided in part by each infection generating its own, unique bitcoin wallet if victims pay, with the average ransom demand working out to about 0.45 bitcoin, worth $4,000. Based on following the money, McAfee researchers have found that the RaaS operation appears lucrative in the extreme.

CyberScoop
October 18, 2019
Microsoft on Friday said it was establishing a bug bounty program for its open-source election software, the latest move by the tech giant to try to bolster election security. Microsoft is inviting researchers from anywhere and any background — whether elite industry professionals, tinkerers, or students — to find “high-impact vulnerabilities in targeted areas” of its ElectionGuard Software Development Kit, said Jarek Stanley, a senior program manager at the Microsoft Security Response Center. Researchers can make up to $15,000 per bug they find and share through Microsoft’s coordinated vulnerability disclosure (CVD) program. They are being asked to hunt for bugs that could affect the integrity of data in the ElectionGuard software, including for example, the kit’s implementation of cryptography. Big tech companies from Microsoft to Apple to Google all have bug bounty programs, but they are much rarer in the election security space. Voting equipment vendors, for example, are setting up a CVD program but have yet to pursue bug bounty policies.

Ars Technica
October 17, 2019
Google is temporarily increasing the rewards it pays for hacks that exploit holes in a beefed-up security protection that debuted in desktop versions of Chrome last month. Chrome for Android, meanwhile, is receiving a slimmed-down version of the same protection. For a limited time, Google will boost its normal bounty amounts for exploits that allow one site the browser is interacting with to steal passwords or other sensitive data from another accessed site. Google is also broadening its vulnerability reward program to include bugs in Blink—the core software that Chrome uses to render HTML and other resources—that allow similar types of cross-site data thefts. The changes come a month after the release of Chrome 77, which quietly strengthened an existing protection known as site isolation. Google developers first added site isolation in July 2018 in a highly ambitious engineering feat that required major architectural changes to the way the browser worked under the hood.

Gov Info Security
October 17, 2019
Eighteen technology companies have formed the Open Cybersecurity Alliance to foster the development of open source tools to improve interoperability and data sharing between cybersecurity applications. But some observers say getting all the players to agree on a common platform will be challenging. The initial open source content and code will come from IBM and McAfee, which has been spearheading the project. The new alliance was formed under the auspices of OASIS, a consortium driving the development, convergence and adoption of open standards. It was launched as an OASIS Open Project on Oct. 8. In addition to IBM and McAfee, initial members of the alliance include: Advanced Cyber Security Corp., Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient and Tufin. The group says it will continue to welcome new members.

CNet
October 15, 2019
Facebook is putting its money where its mouth is on security and privacy, announcing Tuesday that it'll be expanding several of its bug bounty programs, including bonus payouts for rare vulnerabilities. In a series of blog posts, the social network said it would be giving security researchers more ways to find and disclose flaws in third-party apps and websites that integrate with Facebook. Researchers will no longer be limited to "passively observing the vulnerability," Facebook's engineering security manager, Dan Gurfinkel, said in a statement. The bug bounty hunters will now be able to actively test these third-party apps for security issues, as long as the third party authorizes the researchers, Facebook said. Think of it as the difference between finding a bug through observing traffic from a third-party app versus security researchers looking for ways a third-party app could abuse your data. "This change significantly increases the scope of the security research that our bug bounty community can share with us and get rewarded for when they find potential vulnerabilities in these external apps and websites," Gurfinkel said.

Gov Info Security
October 15, 2019
Mailing equipment manufacturer Pitney Bowes says it has been hit by file-encrypting malware, disrupting customers' ability to use many services. But the firm says that no client data appears to have been compromised. The company, based in Stamford, Connecticut, offers a number of mailing and postage services, including manufacturing widely used postal meters and shipping software. "At this time, the company has seen no evidence that customer or employee data has been improperly accessed," Pitney Bowes says in a statement posted on its website. But it says that as a result of the ransomware attack, many of its online offerings remain inaccessible, including customers' ability to access its postage supply web store as well as to automatically upload envelope-printing transactions from machines, which they typically do at least once every day and once daily after hours. "If you have funds on your meter you will be able to process mail," the company advises postage meter users. "Until the system is restored you will not be able to refill your system."

Reuters
October 14, 2019
U.S. private equity firm Thoma Bravo is adding Sophos Group to its cybersecurity stable, announcing on Monday a buyout deal that values the British maker of antivirus and encryption products at about $3.8 billion. The takeover price of 583 pence per share represented a 37% premium from Sophos's closing price on Friday and Sophos shares surged nearly 38% on news of the deal. Sophos, whose customers include Under Armour Inc, Ford Motor Co and Toshiba Corp, listed in 2015 at 225 pence per share and has seen its market value double since then, despite a tough 2018. Thoma Bravo's move for Sophos trails several other buyout deals by U.S. funds drawn toward the UK as the pound weakened ahead of Brexit. Shares of rival Avast also rose after the Sophos deal was announced. Sophos CEO Kris Hagerman told Reuters that his company had first been approached by Thoma Bravo in June. "The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.


INTERNATIONAL

Infosecurity Magazine
October 18, 2019
The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors. Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity. According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year. The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google. "Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite. Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

Wired
October 17, 2019
Just before 8 pm on February 9, 2018, high in the northeastern mountains of South Korea, Sang-jin Oh was sitting on a plastic chair a few dozen rows up from the floor of Pyeongchang's vast, pentagonal Olympic Stadium. He wore a gray and red official Olympics jacket that kept him warm despite the near-freezing weather, and his seat, behind the press section, had a clear view of the raised, circular stage a few hundred feet in front of him. The 2018 Winter Olympics opening ceremony was about to start. For more than three years, the 47-year-old civil servant had been director of technology for the Pyeongchang Olympics organizing committee. He'd overseen the setup of an IT infrastructure for the games comprising more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two Seoul data centers. That immense collection of machines seemed to be functioning perfectly—almost. Half an hour earlier, he'd gotten word about a nagging technical issue. The source of that problem was a contractor, an IT firm from which the Olympics were renting another hundred servers. The contractor's glitches had been a long-term headache. Oh's response had been annoyance: Even now, with the entire world watching, the company was still working out its bugs? Ten seconds before 8 pm, numbers began to form, one by one, in projected light around the stage, as a choir of children's voices counted down in Korean to the start of the event. In the middle of the countdown, Oh's Samsung Galaxy Note8 phone abruptly lit up. He looked down to see a message from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the worst possible news Oh could have received at that exact moment: Something was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure.

CyberScoop
October 17, 2019
One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it’s been less visible. Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovakian security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election. The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.) “Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able to fly under the radar for many years while compromising high-value targets, as before.”

Axios
October 17, 2019
China is applying tougher cybersecurity standards more widely as of Dec. 1, requiring companies to open their networks and deploy government-approved equipment. The changes worry international organizations and underscore the difference between U.S. and Chinese approaches to cybersecurity. China already has a law, applying to the most secure networks, that allows the government to audit private business networks and mandates the use of government-approved security equipment. That law will now apply to all networks. "It’s going to be incredibly invasive," said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. China's cybersecurity law has been on a slow rollout since 2017. Clarifications of standards serving as de facto regulations were introduced in May this year.

Haaretz
October 16, 2019
Should graduates of Israel Defense Forces technology units be able to use the knowledge and skills they gained during their service to work for an Arab cyber firm with close ties to a dictatorial regime that does not have diplomatic relations with Israel? Strange as the question may sound, there is growing evidence that such a thing is occurring. Even though it is not widespread, some say the defense establishment is growing increasingly worried. DarkMatter, a cybersecurity company formed in 2015 in Abu Dhabi, part of the United Arab Emirates, officially limits itself to cyber defense. But according to a Reuters expose published earlier this year, DarkMatter provides hacking services to the UAE intelligence agency against Western targets, journalists and human rights activists. The company operates an office in Cyprus, which among other things employs Israeli software developers. “That is de facto smuggling of Israeli intellectual property without any supervision of the [Israel Defense Ministry’s] Defense Export Controls Agency,” said one source in the Israeli cyber intelligence sector, who asked to be identified only as Y. “They’re taking these young people to Cyprus, buying them off with huge salaries.” Cyberattack researchers’ job is to find vulnerabilities in software and networks in order to break into them. Those with the skills, often acquired while serving in elite units, command some of the highest salaries in Israeli high-tech. Y. claimed DarkMatter pays even more. “I know of researchers who were tempted with salaries of close to $1 million a year,” he said. DarkMatter did not provide a comment by press time.

ZDNet
October 16, 2019
Australian bosses have far more confidence in the cybersecurity of their organisations than their own cyberdefenders, according to newly-released research from Unisys. "What the study found is pretty much a disconnect and lack of communication between the two very important roles of chief information security officer (CISO) and chief executive officer (CEO)," said Gergana Kiryakova, industry director for cyber security at Unisys Australia and New Zealand. "We were expecting some sort of a disconnect, but we were definitely not expecting such a big disconnect," she told journalists in Sydney on Tuesday. The report, “Cybersecurity Standoff Australia,” describes CEOs as "overconfident and out of the loop.” While 63% of surveyed CISOs said their organisation had suffered a data breach over the last 12 months, only 6% of the CEOs thought so.

AP
October 15, 2019
Germany released draft security guidelines on Tuesday for next generation wireless networks that stopped short of banning Huawei, as the U.S. warned again it would reconsider intelligence sharing with allies that use the Chinese company's equipment. The Federal Network Agency catalog of conditions for suppliers of new 5G networks include requiring certification of critical components and ensuring trustworthiness of manufacturers, without singling out Huawei for exclusion. Huawei said it welcomed the German government's move to "create a level playing field" for 5G suppliers, in which "all vendors are equally and fairly welcome to participate in the construction of 5G networks if they fulfill the security requirements." The U.S. has been lobbying allies in Europe to shun Huawei, the world's biggest maker of networking equipment, over worries its equipment might aid Chinese electronic spying, claims the company has repeatedly denied. The Trump administration cut off its access to U.S. technology in May, part of a broader geopolitical feud between Washington and Beijing over technology and trade.

CyberScoop
October 15, 2019
North Korean government-backed hackers are targeting cryptocurrency exchanges to try to steal financial resources as Pyongyang searches for ways to fund its regime, two researchers discovered within the past week. Lazarus Group, also known as APT38, has carried out hacks against central banks and exploited monetary exchanges as part of an effort to boost Kim Jong-un’s financial and military goals. The United Nations revealed in August North Korea had gained approximately $2 billion from hacking banks and cryptocurrency companies. This time, they’re using a front company to do it. Researchers Patrick Wardle, the principal security researcher at Jamf, and MalwareHunterTeam, of IDRansomware, a group that aims to help provide guidance on ransomware, found malware affecting Mac and Windows operating systems that installs a backdoor Trojan on victim machines, allowing hackers to gain control of infected targets. The malware asks for administrative privileges during installation, then communicates with a command-and-control server, and can receive instructions from the hackers to run certain tasks, such as uploading files to victim machines or causing the malware to exit, according to Wardle.

AP
October 15, 2019
Chinese telecom company Huawei on Tuesday criticized the Estonian government and media for spreading what it says are "arbitrary and unfounded" allegations about cybersecurity risks related to the company's mobile phones. Hong Yang, head of Huawei's Baltic consumer business, said in a statement that the company "is always ready to defend its rights and interests in a situation where any party is spreading baseless rumors and malicious libel." He referred to an Estonian television program aired in September that discussed the issue in detail. In it, Foreign Trade and Technology Minister Kert Kingo spoke about alleged security risks with Huawei phones. It later was reported that Kingo used a Huawei handset as a work phone, and her ministry announced this week that it has now been replaced by an Apple iPhone.

Ars Technica
October 12, 2019
Mobile phones of two prominent human rights activists were repeatedly targeted with Pegasus, the highly advanced spyware made by Israel-based NSO, researchers from Amnesty International reported this week. The Moroccan human rights defenders received SMS text messages containing links to malicious sites. If clicked, the sites would attempt to install Pegasus, which is one of the most advanced and full-featured pieces of spyware ever to come to light. One of the activists was also repeatedly subjected to attacks that redirected visits intended for Yahoo to malicious sites. Amnesty International identified the targets as activist Maâti Monjib and human rights lawyer Abdessadak El Bouchattaoui.


TECHNOLOGY

CyberScoop
October 18, 2019
Thieves are using malware that masquerades as Tor, the anonymizing internet browser, to steal money from Russian-speaking people on the dark web, researchers said Friday. The operation uncovered by researchers at Slovakian cybersecurity company ESET has netted the unidentified attackers some $40,000 in bitcoin so far, but the amount could be larger. “They likely stole more in Qiwi,” said Robert Lipovsky, a senior malware researcher at ESET, referring to a Russian payment service. The insidious attack is a reminder that hackers can upend the privacy and security users expect from software by tricking them into downloading malicious code. Tor is used by everyone from human rights defenders and journalists to criminals trying to hide activities like drug sales and child pornography from law enforcement. This effort, only the latest malicious operation exploiting users who rely on the software, comes as the Tor Project is seeking to spread awareness about Tor, and increase trust in the notoriously unreliable technology.

Ars Technica
October 17, 2019
A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said. The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013. "The bug is serious," Nico Waisman, who is a principal security engineer at GitHub, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver." The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

ZDNet
October 16, 2019
The npm ecosystem of JavaScript libraries is more interwoven than most developers think, and the entire thing is a gigantic house of cards, being one bad hack away from compromising hundreds of thousands of projects, according to a recent academic study. The research, carried out by the Department of Computer Science from the Technical University of Darmstadt, in Germany, analyzed the dependency graph of the entire npm ecosystem. Researchers downloaded metadata for all the npm packages published until April 2018 and created a giant graph that included 676,539 nodes and 4,543,473 edges. In addition, academics also analyzed different versions of the same packages, looking at historical versions (5,386,239 versions for the 676,539 packages), but also at the package maintainers (199,327 npm accounts), and known security flaws impacting the packages (609 public reports). Their goal was to get an idea of how hacking one or more npm maintainer accounts, or how vulnerabilities in one or more packages, reverberated across the npm ecosystem; along with the critical mass needed to cause security incidents inside tens of thousands of npm projects at a time.
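The "reverberation" the Darmstadt study measures is, in graph terms, the set of packages that transitively depend on whatever a single maintainer account can publish. The following is an added illustration, not code from the study or the ZDNet article; the package names, dependency edges and maintainer accounts are constructed for the example.

```javascript
// Added example: reach of one compromised npm maintainer account over a
// constructed dependency graph (names and edges are made up for illustration).

// package -> packages it directly depends on (constructed sample graph)
const DEPS = {
  "web-app":    ["http-lib", "color-util"],
  "cli-tool":   ["arg-parse", "color-util"],
  "http-lib":   ["tiny-pad"],
  "arg-parse":  ["tiny-pad"],
  "color-util": [],
  "tiny-pad":   [],
  "standalone": [],
};

// maintainer account -> packages that account can publish (constructed)
const MAINTAINERS = {
  "alice": ["tiny-pad"],
  "bob":   ["color-util", "arg-parse"],
  "carol": ["standalone"],
};

// Build reverse edges: package -> packages that directly depend on it.
function reverseGraph(deps) {
  const rev = {};
  for (const pkg of Object.keys(deps)) rev[pkg] = rev[pkg] || [];
  for (const [pkg, ds] of Object.entries(deps)) {
    for (const d of ds) (rev[d] = rev[d] || []).push(pkg);
  }
  return rev;
}

// Every package that transitively depends on any of `roots` (roots excluded),
// i.e. everything a malicious release of those roots could pull in.
function transitiveDependents(deps, roots) {
  const rev = reverseGraph(deps);
  const seen = new Set();
  const stack = [...roots];
  while (stack.length) {
    const p = stack.pop();
    for (const d of rev[p] || []) {
      if (!seen.has(d)) { seen.add(d); stack.push(d); }
    }
  }
  for (const r of roots) seen.delete(r);
  return [...seen].sort();
}

// Packages put at risk if a single maintainer account is taken over.
function maintainerReach(deps, maintainers, account) {
  return transitiveDependents(deps, maintainers[account] || []);
}
```

In this toy graph the account that owns only the small leaf package `tiny-pad` reaches four of the seven packages, which is the effect the study attributes to deep, shared dependencies.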