
Congressional Cybersecurity Caucus News Round-up

Friday, May 12, 2017
Posted by: EWF ADMIN - Credits Nick Leiserson

The Congressional Cybersecurity Caucus News Round-Up is a collection of the major news stories in cybersecurity policy. The Congressional Cybersecurity Caucus is co-chaired by Congressmen James Langevin and Michael McCaul. If your Member is interested in joining the Caucus or if you would like to be removed from the Caucus distribution list, please e-mail Nick Leiserson (nick.leiserson@mail.house.gov) with Rep. Langevin or Brandon Batch (Brandon.Batch@mail.house.gov) with Chairman McCaul.

 

Clips from around the globe, web and Hill

May 12, 2017

HILL

Lack of resilience led to lack of cyber strategy, says former DNI

Congress offers some early praise of Trump’s cyber executive order

Intelligence Officials Warn of Continued Russia Cyberthreats

McCaskill slams 'turf wars' over cyber

CYBERCOM Chief Defends Delay in Trump's Cyber Strategy

Good news! The entire Senate just embraced web encryption

DOD needs cyberwarriors so badly it may let skilled recruits skip boot camp

 

ADMINISTRATION

GSA readies first civilian bug bounty program with new platform

NIST Wants to Get Rid of Periodic Password Changes

Trump signs order on cybersecurity that holds agency heads accountable for network attacks

NIST Issues Draft Guidance for Wireless Infusion Pumps

NYU Accidentally Exposed Military Code-breaking Computer Project to Entire Internet

U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

What Federal Cyber Workers Think Would Improve Hiring

Social Security to Try Two-Factor Authentication Again

FCC Says Bogus Traffic Overwhelmed Website After John Oliver Segment

DHS infrastructure group searches for relevance

 

INDUSTRY

Former cyber-intelligence sleuths for Israel now work to uncover malicious hackers

Head of Russian cybersecurity firm defends company amid US scrutiny

Hacker Steals Millions of User Account Details from Education Platform Edmodo

HP laptops covertly log user keystrokes, researchers warn

Cyber Attack Pushes French News Sites Offline

A Vicious Microsoft Bug Left a Billion PCs Exposed

Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch models

Officials fear Russia could try to target US through popular software firm under FBI scrutiny

Microsoft’s recent success in blocking in-the-wild attacks is eerily good

Intel's AMT Flaw: Worse Than Feared

Mac users installing popular DVD ripper get nasty backdoor instead

 

INTERNATIONAL

Foreign Business Groups Push for Delay in Controversial China Cyber Law

German cyber agency chides Yahoo for not helping hacking probe

Russia-linked hackers impersonate NATO in attempt to hack Romanian government

Hackers Came, but the French Were Prepared

French Prosecutors Investigate Hacking of Macron Campaign

Japan to rate home devices on cyber-attack vulnerabilities

Macron Campaign Says It Was Target of ‘Massive’ Hacking Attack

 

TECHNOLOGY

An NSA-derived ransomware worm is shutting down computers worldwide

Hackers Find Celebrities’ Weak Links in Their Vendor Chains

 

 

HILL

 

Lack of resilience led to lack of cyber strategy, says former DNI

Fifth Domain Cyber

May 12, 2017

At almost every Senate Armed Services hearing within the last few years remotely focused on cyber, Chairman John McCain, R-Ariz., has lamented the lack of a national policy and strategy on cyber from the Defense Department and the White House. As it turns out, resilience – one of the key issues every cybersecurity guru harps on – is at the heart of a lack of strategy. “In response to your request for thoughts on policy, strategy and organization,” James Clapper, who most recently served as Director of National Intelligence, told McCain at a hearing May 11, “I want to offer one overarching thought: To me, the first order of business is defense and resilience.” Resilience is often touted as a critical metric in the way of deterrence by denial – meaning networks will be so hardened that even attempting attacks will be futile. However, according to Clapper, the U.S.’s vulnerability has hindered its ability to project power in cyberspace. “We’ve got to focus on this because without it, we’ll never be in a position to launch a counter attack even if we can quickly and accurately attribute who attacked us … and we’re always going to doubt our ability to withstand counter retaliation,” he told the committee.

 

Congress offers some early praise of Trump’s cyber executive order

The Hill

May 11, 2017

President Trump’s executive order on cybersecurity won early supporters on Capitol Hill, though several expressed continuing concern about the path forward to defend against cyber threats. Trump signed the long-awaited executive order on Thursday, though drafts have been circulating since the White House abruptly cancelled a planned signing event in January. The executive order says agencies should be held accountable for their own cybersecurity and requires, effective immediately, that they use the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). Rep. Lamar Smith (R-Texas), who chairs the House Science Committee, celebrated the order’s NIST framework requirement. Smith’s committee has approved legislation that would require NIST to audit and assist agencies that adopt the framework. “Cybersecurity is critical to national security, and today’s executive order shows that President Trump is taking the matter seriously,” Smith said. Sen. John McCain (R-Ariz.), who has taken aim at the new administration for its lack of movement toward a cyber policy or strategy, expressed appreciation for Trump’s interest in understanding the threats in cyberspace—but said plainly, “We do not need more assessments, reports, and reviews.” Rep. Jim Langevin (D-R.I.), a member of a cyber subcommittee in the House, expressed support for the executive order, particularly its provisions related to federal network and critical infrastructure protection. He described the order as largely a “continuation of the Obama administration’s approach” to cybersecurity.

 

Intelligence Officials Warn of Continued Russia Cyberthreats

The New York Times

May 11, 2017

On the same day that President Trump went on Twitter to renew his claim that the focus on Russian hacking was “a Democrat EXCUSE for losing the election,” his two top intelligence officials told the Senate on Thursday that Russian cyberactivities were the foremost threat facing the United States and were likely to grow only more severe. The officials delivered the warning as the nation’s intelligence agencies released their annual worldwide threat assessment, which described the Kremlin’s “aggressive cyberposture,” evidenced by “Russia’s efforts to influence the 2016 U.S. election.” Dan Coats, Mr. Trump’s director of national intelligence, repeated and endorsed, almost word for word, the Obama administration’s conclusion that “only Russia’s senior-most officials could have authorized the 2016 U.S. election-focused data thefts and disclosures, based on the scope and sensitivity of the targets.” That conclusion is widely shared among Mr. Trump’s top national security officials. The only prominent dissenter appears to be the president himself, who has continued to insist that there is no conclusive evidence pinning the cyberactivity on the Russians, though he said in an interview with NBC News, “If Russia did anything, I want to know that.”

 

McCaskill slams 'turf wars' over cyber

FCW

May 10, 2017

The federal government needs to define its strategies and authorities to defend against a growing wave of electronic threats from criminal and nation-state organizations, said lawmakers and private industry officials in a Senate panel on the current cyberthreat landscape. "It is worse than spaghetti," said Senate Homeland Security and Governmental Affairs Committee Ranking Member Sen. Claire McCaskill (D-Mo.), describing the various groups in the U.S. military and at DHS responsible for U.S. cyber security and defense. "It is so confusing, so disparate there's no wonder we're having these turf wars," she said at a May 10 committee hearing. "We have got to figure out how to break through the bureaucratic rules, our pay scales and how do we engage the private sector, so we literally do have the best and brightest" working on the issue, said committee Chairman Ron Johnson (R-Wis.). Johnson promised more hearings to sort out that tangle and generate solutions, with the help of more nimble commercial companies and private organizations.

 

CYBERCOM Chief Defends Delay in Trump's Cyber Strategy

Nextgov

May 9, 2017

The Trump administration is hard at work on a governmentwide strategy to deter adversary cyberattacks despite missing a self-imposed deadline to draft that policy, National Security Agency Director Michael Rogers told lawmakers Tuesday. President Donald Trump promised soon before his inauguration in January he’d release a plan to vastly improve the nation’s cybersecurity within 90 days of taking office, a deadline that passed last month. Senate Armed Services Chairman John McCain, who regularly hammered the Obama administration for its lack of a detailed cyber deterrence strategy, expressed dismay during a committee hearing that the Trump team seems to be similarly falling short. “We were hopeful that after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration, the new administration promised one within 90 days of the inauguration,” he said, adding the 90-day window has “come and gone and no such policy and strategy have been provided.” Rogers defended the delay, saying the administration is working diligently on the problem, which involves “a whole lot of complexity and nuance.”

 

Good news! The entire Senate just embraced web encryption

ZDNet

May 9, 2017

Anyone now visiting their senator's website will see something new: a little green lock in their browser's address bar. Last week the US Senate quietly began serving its entire domain -- including each of the 100 elected senators' websites -- over an encrypted HTTPS channel by default. HTTPS isn't just reserved for banks and login pages anymore, and hasn't been for a long time. It's nowadays seen as a measure for sites taking their own security and the privacy of their visitors seriously. The government has been on its own encryption binge for the past few years, trying to secure every page on every domain it has to ensure a standard level of security across the government domain space. The logic is simple enough: Serving up each page through a secure and private connection ensures that every Senate page hasn't been intercepted or impersonated (which is easy to do) and modified by hackers -- or even intelligence agencies. It also protects the web address past the domain, in most cases preventing internet providers from knowing which individual pages a person visited.

 

DOD needs cyberwarriors so badly it may let skilled recruits skip boot camp

Ars Technica

May 9, 2017

The US military is having a hard time getting people with essential information technology and information security skill sets as the services struggle to build a force of "cyber-warriors." During a Senate Armed Services Committee hearing today, senators focused in part on how the work force problem is affecting the US Cyber Command's (US CYBERCOM's) ability to deal with the demands of information warfare and threats both to the Defense Department's networks and those of other agencies and industry. Admiral Michael Rogers, appearing in his capacity as commander of US CYBERCOM (a role he holds as well as that of director of the National Security Agency), told the committee that he was confident that CYBERCOM would meet a 2018 deadline for the command to reach full operational capability. But he acknowledged that there was still a shortage of service members throughout the military required to sustain CYBERCOM long-term. Senator John McCain (R-Ariz.) pointed out during the hearing that, of the 124 Air Force network operations officers who had done tours at CYBERCOM, "not a single one stayed in cyber" when they were rotated out of a tour with a cyber mission team.

 

 

ADMINISTRATION

 

GSA readies first civilian bug bounty program with new platform

Fifth Domain Cyber

May 12, 2017

The General Services Administration’s innovation arm, 18F, said the agency was edging closer to standing up its own bug bounty program after tapping a new provider for its reporting platform. 18F officials said in a May 11 blog post that GSA’s Technology Transformation Service had tapped HackerOne to provide its Software-as-a-Service bug-reporting platform. The San Francisco-based company offers vulnerability coordination and platform services to reward ethical hackers to locate and report network security vulnerabilities. The GSA’s bug bounty platform would represent the first use of an ethical hacking program by a civilian agency in the federal government. Bug bounty programs have been gaining steam in the federal government after the Department of Defense’s successful “Hack the Pentagon” and “Hack the Army” exercises in 2016.

 

NIST Wants to Get Rid of Periodic Password Changes

Quartz

May 12, 2017

New guidelines from the National Institute of Standards and Technology, expected to be released this summer, suggest periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment. These requirements will bring standards closer to what security experts currently recommend. NIST is also recommending checking new passwords against several lists, such as: “context specific words, such as the name of the service, the username and derivatives thereof; repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’); and passwords obtained from previous breach corpuses.”
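The screening NIST describes, written out as an added example (not code from NIST or the article): a check that rejects passwords found in a breach corpus, passwords containing the service name, the username or simple derivatives of it, and passwords with repetitive or sequential runs. The breach list, the service name and the four-character run threshold are constructed assumptions.

```python
import re
from typing import List, Optional, Set

# Constructed sample breach corpus; a real deployment would load a large
# breached-password list (assumed lowercase, one entry per line).
BREACHED_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome1"}
SERVICE_NAME = "acmeportal"  # hypothetical service name


def _sequential_run(s: str, length: int = 4) -> bool:
    """True if s contains `length` consecutive characters that ascend or
    descend by exactly one code point, e.g. 'abcd' or '4321'.
    The threshold of 4 is an assumption, not a value NIST prescribes."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _repetitive_run(s: str, length: int = 4) -> bool:
    """True if the same character appears `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), s) is not None


def _contains_context_word(pw: str, username: str, service: str) -> Optional[str]:
    """Return the context-specific word found inside the password, if any.
    Derivatives checked: the local part of an e-mail username, that part
    reversed, and that part with digits stripped."""
    lower = pw.lower()
    local = username.split("@")[0].lower()
    candidates = {username.lower(), service.lower(),
                  local, local[::-1], re.sub(r"\d+", "", local)}
    for word in sorted(candidates):
        if len(word) >= 3 and word in lower:
            return word
    return None


def screen_password(pw: str, username: str, service: str = SERVICE_NAME,
                    breached: Set[str] = BREACHED_PASSWORDS) -> List[str]:
    """Return the reasons a password should be rejected; an empty list means accept."""
    reasons: List[str] = []
    if pw.lower() in breached:
        reasons.append("found in breach corpus")
    word = _contains_context_word(pw, username, service)
    if word:
        reasons.append(f"contains context-specific word '{word}'")
    if _repetitive_run(pw):
        reasons.append("contains repetitive characters")
    if _sequential_run(pw):
        reasons.append("contains sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("aaaaaa", "bob"), ("1234abcd", "bob"),
                            ("Jsmith!2024", "jsmith42@example.com"),
                            ("correct horse battery staple", "alice")]:
        print(candidate, "->", screen_password(candidate, user) or "accepted")
```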

 

Trump signs order on cybersecurity that holds agency heads accountable for network attacks

The Washington Post

May 11, 2017

President Trump on Thursday signed an executive order on cybersecurity that makes clear that agency heads will be held accountable for protecting their networks, and calls on government and industry to reduce the threat from automated attacks on the Internet. Picking up on themes advanced by the Obama administration, Trump’s order also requires agency heads to use Commerce Department guidelines to manage risk to their systems. It commissions reports to assess the country’s ability to withstand an attack on the electric grid and to spell out the strategic options for deterring adversaries in cyberspace. “We’ve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors, and sitting by and doing nothing is no longer an option,” said Thomas Bossert, Trump’s homeland security adviser, at a White House briefing.

 

NIST Issues Draft Guidance for Wireless Infusion Pumps

Gov Info Security

May 11, 2017

New draft guidance from the National Institute of Standards and Technology calls for using commercially available, standards-based technologies to improve the security of wireless infusion pumps. NIST issued a white paper on the same topic in 2014, but it was criticized for being too prescriptive. Wireless infusion pumps are commonly used medical devices that can be potentially vulnerable to accidental and malicious tampering, posing both data security and patient safety risks. In fact, certain infusion pumps from Hospira were the subject of two 2015 alerts from the Food and Drug Administration following the discovery by independent researchers of cyber vulnerabilities. But there have been no documented cases of patients being harmed as a result of an infusion pump, or other medical device, being hacked.

 

NYU Accidentally Exposed Military Code-breaking Computer Project to Entire Internet

The Intercept

May 11, 2017

In early December 2016, Adam was doing what he’s always doing, somewhere between hobby and profession: looking for things that are on the internet that shouldn’t be. That week, he came across a server inside New York University’s famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. Dozens of documents spanning hundreds of pages detailed the project, a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. And they were available for the entire world to download. The supercomputer described in the trove, “WindsorGreen,” was a system designed to excel at the sort of complex mathematics that underlies encryption, the technology that keeps data private, and almost certainly intended for use by the Defense Department’s signals intelligence wing, the National Security Agency. WindsorGreen was the successor to another password-cracking machine used by the NSA, “WindsorBlue,” which was also documented in the material leaked from NYU and which had been previously described in the Norwegian press thanks to a document provided by National Security Agency whistleblower Edward Snowden. Both systems were intended for use by the Pentagon and a select few other Western governments, including Canada and Norway.

 

U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

The Washington Post

May 9, 2017

A secret global operation by the Pentagon late last year to sabotage the Islamic State’s online videos and propaganda sparked fierce debate inside the government over whether it was necessary to notify countries that are home to computer hosting services used by the extremist group, including U.S. allies in Europe. While U.S. Cyber Command claimed success in carrying out what was called Operation Glowing Symphony, the issue remained unresolved and now confronts the Trump administration, which is conducting a broad review of what powers to give the military in countering the Islamic State, including in the cyber realm. As part of the operation, Cyber Command obtained the passwords to a number of Islamic State administrator accounts and then used them to access the accounts, change the passwords and delete content such as battlefield video. It also shut the group’s propaganda specialists out of their accounts, former officials said.

 

What Federal Cyber Workers Think Would Improve Hiring

Nextgov

May 9, 2017

Half of federal government cybersecurity workers polled recently think their agency’s digital security has improved during the past year and only 4 percent think their agency’s security is worse than last year, according to a workforce survey released Tuesday. Nearly 70 percent of the 2,620 civilian and military respondents said there were too few information security workers in their organization, however, according to the Center for Cyber Safety and Education’s Global Information Security Workforce Study. The respondents cited the difficulty of finding and retaining qualified personnel as top reasons for the workforce shortage, according to the study sponsored by the cybersecurity certification group (ISC)², Booz Allen Hamilton and Alta Associates. The best ways to attract new cyber workers to government positions are sponsoring certification or training programs, offering flexible schedules and pay incentives, the survey respondents said.

 

Social Security to Try Two-Factor Authentication Again

Gov Info Security

May 8, 2017

The U.S. Social Security Administration has come up with a revised plan to implement strong authentication after a previous effort was scrapped amid criticism. As of June 10, those logging into their "my Social Security" account will be required to turn on multifactor authentication, according to a notice sent by email over the weekend. The security control requires a time-sensitive passcode in addition to a username and password. "You will be able to choose either your cell phone or your email address as your second identification method," the notice says. "Using two ways to identify you when you log on will help better protect your account from unauthorized use and potential identity fraud." In July 2016, the Social Security Administration announced it would implement multifactor authentication to comply with Executive Order 13681. The order, signed by President Barack Obama in October 2014, required government agencies to strengthen security in order to prevent fraud. But the agency's original plan for multifactor authentication, which involved sending one-time passcodes via SMS, came under immediate fire. It required all users to have a mobile phone, a questionable requirement for an agency that distributes retirement benefits to seniors.

 

FCC Says Bogus Traffic Overwhelmed Website After John Oliver Segment

Nextgov

May 8, 2017

The Federal Communications Commission was hit by multiple distributed denial-of-service attacks Sunday evening, causing delays to consumers trying to leave feedback on the agency’s cloud-based Electronic Comment Filing System. According to a statement from FCC Chief Information Officer David Bray, the DDoS attacks started around midnight Sunday and did not shut the comment system down but instead used a large amount of bandwidth to tie up its servers. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” Bray said in a statement. “These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments.”

 

DHS infrastructure group searches for relevance

FCW

May 8, 2017

A Homeland Security advisory group is sharpening its focus and methods to get information on critical infrastructure out to stakeholders. The National Infrastructure Advisory Council studies potential risks for critical infrastructure, both in the real world and in cyberspace. The 15-year-old group is also charged with recommending solutions to reduce risks to infrastructure. At the behest of the White House, the group polled senior government and private-sector leaders to see what it could do better in the future. NIAC found that its mission and operations are not well understood by stakeholders and policymakers, that its recommendations don't always reach the target audience, that customers would appreciate interim findings as studies progress and that its final reports "may be too dense for easy use" by NIAC stakeholders.

 

 

INDUSTRY

 

Former cyber-intelligence sleuths for Israel now work to uncover malicious hackers

CNBC

May 11, 2017

Israel's focus on national security for decades has created fertile ground for many former members of its famed intelligence agency to take their cyber-sleuthing and anti-hacking skills to the private sector. Outside the United States, Israel stands out for the large concentration of cybersecurity firms it has produced over the years — some of which, such as the Nasdaq-listed Check Point Software, have gone on to become global success stories. Many in the industry say this phenomenon ties back to the high-tech spy agency called Unit 8200, the local equivalent of the NSA. "What (Unit) 8200 has been able to do is create a pretty unique, and very effective, screening program, which for the most part lets you identify not the people with the most knowledge, but rather the people with the aptitude to learn new technologies, ideas very, very quickly," Nadav Zafrir, co-founder and CEO of Team8, told CNBC.

 

Head of Russian cybersecurity firm defends company amid US scrutiny

The Hill

May 11, 2017

The CEO of Russia-based global cybersecurity firm Kaspersky Lab defended his company Thursday as the heads of six U.S. intelligence agencies testified on Capitol Hill that they have treated the company as a threat. Eugene Kaspersky answered questions on the internet forum Reddit about alleged ties between his company and the Russian government. "Does Russian government have any influence on your company?" one user questioned on the Reddit "Ask Me Anything" thread. "Hi. No, it doesn’t and any speculation about it are false, they are [sic] unfounded conspiracy theories," Kaspersky replied. The pushback came as the heads of the CIA, National Security Agency, National Geospatial-Intelligence Agency and Defense Intelligence Agency, Director of National Intelligence and acting head of the FBI addressed the company on Capitol Hill. Sen. Marco Rubio (R-Fla.) questioned whether the security officials testifying before the Senate Intelligence Committee would use Kaspersky software on their home computers, to which each member of the panel responded no.

 

Hacker Steals Millions of User Account Details from Education Platform Edmodo

Vice Motherboard

May 11, 2017

A hacker has stolen millions of user account details from popular education platform Edmodo, and the data is apparently for sale on the so-called dark web. Teachers, students and parents use Edmodo to work on lesson plans, assign homework, and more. The organization claims to have over 78 million members. "Thanks to those who guided and supported us in the beginning, we're now the number one K-12 social learning network in the world, dedicated to connecting all learners with the people and resources they need to reach their full potential," Edmodo's website reads. For-profit breach notification site LeakBase provided Motherboard with a sample of over two million user records for verification purposes. The data includes usernames, email addresses, and hashed passwords. The passwords have apparently been hashed with the robust bcrypt algorithm, and a string of random characters known as a salt, meaning hackers will have a much harder time obtaining users' actual login credentials. Not all of the records include a user email address.

 

HP laptops covertly log user keystrokes, researchers warn

Ars Technica

May 11, 2017

HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive. The keylogger is included in a device driver developed by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That's according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. It turns out that the file sends all keystrokes to a debugging interface or writes them to a log file available on the computer's C drive. "This type of debugging turns the audio driver effectively into keylogging spyware," modzero researchers wrote. "On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015."

 

Cyber Attack Pushes French News Sites Offline

Reuters

May 10, 2017

Several French news companies, including Le Monde and Le Figaro, said their websites went temporarily offline on Wednesday because a company that helps speed delivery of their content was hit by a cyber attack. The company, Cedexis, said it had come under a "unique and sophisticated" distributed denial of service attack, which is when hijacked and virus-infected computers target networks with data requests until they can no longer cope. Magazine L'Obs, which was also affected, said the attack had also hit the websites of several big French manufacturers. "This attack caused a partial but widespread outage that affected many of our customers," Cedexis Chief Executive Ryan Windham said in a statement to Reuters.

 

A Vicious Microsoft Bug Left a Billion PCs Exposed

Wired

May 9, 2017

Microsoft’s security team had a busy weekend. On Friday night, security researcher Tavis Ormandy of Google’s Project Zero announced on Twitter that he had found a Windows bug. Well, not just any bug. It was “crazy bad,” Ormandy wrote. “The worst Windows remote code exec in recent memory.” By Monday night, Microsoft had released an emergency patch, along with details of what the vulnerability entailed. And yes, it was every bit as scary as advertised. That’s not only because of the extent of the damage hackers could have done, or the range of devices the bug affected. It’s because the bug’s fundamental nature underscores the vulnerabilities inherent in the very features meant to keep our devices safe. What made this particular bug so insidious was that it would have allowed hackers to target Windows Defender, an antivirus system that Microsoft builds directly into its operating system. That means two things: First, that it impacted the billion-plus devices that have Windows Defender installed. (Specifically, it took advantage of the Microsoft Malware Protection Engine that underpins several of the company’s software security products.) Second, that it leveraged that program’s expansive permissions to enable general havoc, without physical access to the device or the user taking any action at all.

 

Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch models

Ars Technica

May 9, 2017

Cisco Systems has patched a critical flaw that even novice hackers could exploit using Central Intelligence Agency attack tools that were recently leaked to the Internet. As previously reported, the zero-day exploit allowed attackers to issue commands that remotely execute malicious code on 318 models of Cisco switches. The attack code was published in early March by WikiLeaks as part of its Vault7 series of leaks, which the site is billing as the largest publication of intelligence documents ever. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.

 

Officials fear Russia could try to target US through popular software firm under FBI scrutiny

ABC

May 9, 2017

Russia’s growing aggression toward the United States has deepened concerns among U.S. officials that Russian spies might try to exploit one of the world’s most respected cybersecurity firms to snoop on Americans or sabotage key U.S. systems, according to an ABC News investigation. Products from the company, Kaspersky Lab, based in Moscow, are widely used in homes, businesses and government agencies throughout the United States, including the Bureau of Prisons. Kaspersky Lab’s products are stocked on the shelves of Target and Best Buy, which also sells laptops loaded by manufacturers with the firm’s anti-virus software. But in a secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, the Senate Intelligence Committee raised possible red flags about Kaspersky Lab and urged the intelligence community to address potential risks posed by the company’s powerful market position. “This [is an] important national security issue,” declared the bipartisan memorandum, described to ABC News by congressional sources.

 

Microsoft’s recent success in blocking in-the-wild attacks is eerily good

Ars Technica

May 9, 2017

Microsoft engineers have neutralized a series of attacks that took control of targeted computers by exploiting independent vulnerabilities in Word and Windows. Remarkably, the software maker said fixes or partial mitigations for all four security bugs were released before it received private reports of the attacks. Both versions of the attacks used malformed Word documents that were attached to phishing e-mails sent to a highly select group of targets. The malicious documents chained together two exploits, one that targeted flaws in an Encapsulated PostScript filter in Word and the other that targeted elevation-of-privilege bugs in Windows so that the attack could break out of the security sandbox that fortifies Office. Encapsulated PostScript is an old format that's rarely used any more.


Intel's AMT Flaw: Worse Than Feared

Gov Info Security

May 8, 2017

The critical Active Management Technology - AMT - flaw present in the firmware running on many Intel chips since 2010 is worse than feared, security researchers warn. In particular, the flaw can be easily exploited to allow a remote attacker to take control of vulnerable systems without even having to enter a password. AMT is remote-management software installed on many vPro chipsets' firmware. While it's designed to require a username and password before it can be accessed, Maksim Malyutin, a researcher at embedded security firm Embedi, reverse-engineered the AMT code in February and found that the authentication checks can be bypassed using simple tools and only about five or 10 lines of code. No reports have surfaced yet that the AMT flaw has been exploited in the wild. But AMT access to a system - or any subsequent changes to that system - isn't logged by default, meaning that unless extra defenses and monitoring are in place, it would be difficult if not impossible to spot related attack attempts.


Mac users installing popular DVD ripper get nasty backdoor instead

Ars Technica

May 8, 2017

Hackers compromised a download server for a popular media-encoding software named HandBrake and used it to push stealthy malware that stole victims' password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday. Over a four-day period ending Saturday, a download mirror located at download.handbrake.fr delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend. At the time that the malware was being distributed to unsuspecting Mac users, none of the 55 most widely used antivirus services detected it. That's according to researcher Patrick Wardle, who reported results here and here from the VirusTotal file-scanning service. When the malicious download was opened, it directed users to enter their Mac administrator password, which was then uploaded in plain text to a server controlled by the attackers. Once installed, the malware sent a variety of sensitive user files to the same server.


INTERNATIONAL


Foreign Business Groups Push for Delay in Controversial China Cyber Law

Reuters

May 12, 2017

Overseas business groups are pushing Chinese regulators to delay the June 1 implementation of a controversial cyber law that mandates strict data surveillance and storage for firms working in China, saying the rules would severely hurt business. The European Union Chamber of Commerce in China and U.S.-based Business Software Alliance say the law, passed by China's largely rubber-stamp parliament in November, as well as rules for implementing it, need further review before being rolled out. The new regulation includes requirements for data to be stored locally as well as contentious security reviews, which critics say could unfairly target foreign firms. In a letter to the government's Cyberspace Administration of China dated May 11 and seen by Reuters, the EU Chamber said the new rules were "fraught with weaknesses," would lead to "great uncertainties and compliance risks" and crimp China's booming information technology market for both foreign and domestic companies. It recommended delaying the law to "allow sufficient discussion."


German cyber agency chides Yahoo for not helping hacking probe

Reuters

May 11, 2017

Germany's federal cyber agency said on Thursday that Yahoo Inc had not cooperated with its investigation into a series of hacks that compromised more than one billion of the U.S. company's email users between 2013 and 2016. Yahoo's Dublin-based Europe, Middle East and Africa unit "refused to give the BSI any information and referred all questions to the Irish Data Protection Commission, without, however, giving it the authority to provide information to the BSI," Germany's BSI computer security agency said. A BSI spokesman said it decided to go public after Yahoo repeatedly failed to respond to efforts to look into the data breaches and garner lessons to prevent similar lapses. BSI also urged internationally active Internet service providers to work more closely with it when German customers were affected by cyber attacks and other computer security issues.


Russia-linked hackers impersonate NATO in attempt to hack Romanian government

CyberScoop

May 11, 2017

An elite hacking group linked to the Russian government masqueraded as a NATO representative to send a barrage of phishing emails to diplomatic organizations in Europe, including Romania’s Foreign Ministry of Affairs, documents show. CyberScoop obtained a copy of one such phishing email that researchers have attributed to the hacking group, which is known as APT28 or Fancy Bear. The email, which carries a booby-trapped attachment that leverages two recently disclosed Microsoft Word vulnerabilities, shows that the government-backed hacking group effectively spoofed a NATO email address to make the message appear authentic. The hq.nato.intl domain is currently used by NATO employees.


Hackers Came, but the French Were Prepared

The New York Times

May 9, 2017

Everyone saw the hackers coming. The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers. The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader “information warfare” campaign. The story told by American officials, cyberexperts and Mr. Macron’s own campaign aides of how a hacking attack intended to disrupt the most consequential election in France in decades ended up a dud was a useful reminder that as effective as cyberattacks can be in disabling Iranian nuclear plants, or Ukrainian power grids, they are no silver bullet. The kind of information warfare favored by Russia can be defeated by early warning and rapid exposure.


French Prosecutors Investigate Hacking of Macron Campaign

Reuters

May 9, 2017

French prosecutors have opened an investigation into the leak of large quantities of hacked data from Emmanuel Macron's campaign two days before Sunday's presidential election, which the centrist won, a judicial source said on Tuesday. Macron's team said a "massive" hack had dumped emails, documents and campaign financing information online just before campaigning ended on Friday and France entered a quiet period which forbade politicians from commenting on the leak. French authorities worked to keep the hack from influencing the outcome of the election, with the electoral commission warning the media on Saturday that it could be a criminal offence to republish the data. Prosecutors are investigating "entry into an automated data system and violating the secrecy of correspondence,” the judicial source said.


Japan to rate home devices on cyber-attack vulnerabilities

AP

May 8, 2017

The Internal Affairs and Communications Ministry plans to introduce a certification system for home appliances and other devices that can be connected to the internet that will show how resilient the devices are against cyber-attacks, it has been learned. To make it easier for consumers to determine whether such products, collectively called the internet of things (IoT), are safe, the ministry will create a certification mark. The ministry plans to introduce the system in 2018. With the internet becoming more integrated into daily life, there are more IoT devices such as routers and webcams being used in the home. However, many devices have shortcomings in terms of security, such as lacking measures to alter passwords, which is essential for preventing third parties from hacking them. Nor do many of them have any system in place to update defense programs against cyber-attacks.


Macron Campaign Says It Was Target of ‘Massive’ Hacking Attack

The New York Times

May 5, 2017

On the eve of the most consequential French presidential election in decades, the staff of the centrist candidate Emmanuel Macron said late Friday that the campaign had been targeted by a “massive and coordinated” hacking operation, one with the potential to destabilize the nation’s democracy before voters go to the polls on Sunday. The digital attack, which involved a dump of campaign documents including emails and accounting records, emerged hours before a legal prohibition on campaign communications went into effect. While the leak may be of little consequence, the timing makes it extremely difficult for Mr. Macron to mitigate any damaging fallout before the runoff election, in which he faces the far-right candidate Marine Le Pen, who has pledged to pull France out of the euro and hold a referendum to leave the European Union. The hacking immediately evoked comparisons to last year’s presidential election in the United States, during which American intelligence agencies have concluded that Russia’s president, Vladimir V. Putin, ordered an “influence campaign” to benefit the Republican nominee, Donald J. Trump.


TECHNOLOGY


An NSA-derived ransomware worm is shutting down computers worldwide

Ars Technica

May 12, 2017

A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers. The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages. Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government's National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations. Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows.


Hackers Find Celebrities’ Weak Links in Their Vendor Chains

The New York Times

May 7, 2017

In December, hackers impersonating an executive at Interscope Records, the record label owned by Universal Music Group, managed to bypass all the latest in digital defenses with a simple email. In a carefully tailored message, the hackers urged an executive at September Management, a music management business, and another at Cherrytree Music Company, a management and record company, to send them Lady Gaga’s stem files — files used by music engineers and producers for remixing and remastering. With a click of a button, the files made their way into hackers’ hands, according to three people who are familiar with the episode but are not allowed to discuss it publicly. Executives would not elaborate on the incident, and it is unclear what happened to the files. The heist — which has not been reported previously — was a classic example of how hackers exploit the weakest link in the extensive chain of vendors, postproduction studios and collaborators that corporations must trust with their most valuable intellectual property.