The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.

CSIAC ANNOUNCEMENTS:

Free CSIAC Webinar Wednesday Apr 25 @ 12:00 pm EDT – Cybersecurity of DoD Critical Infrastructure - CSIAC

The substantial cyber threat to the nation’s Critical Infrastructure is the context for this discussion on DoD policy concerns and current R&D efforts. Topics will include Weasel Board being developed at Sandia National Laboratory, More Situational Awareness for Industrial Control Systems (MOSAICS), sponsored by PACOM and NORTHCOM, and recent policy concerns relating to cyber security and Utilities Privatization of Critical Infrastructure. This webinar will also report the results of a panel discussion from the DHS Industrial Control System Joint Working Group (ICSJWG) meeting April 9-11 at Albuquerque NM.

RECENT HEADLINES:

Critical Infrastructure:

A Cyberattack Hobbles Atlanta, and Security Experts Shudder - NY Times

The City of Atlanta's 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on. But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi.

Baltimore 911 Dispatch System Hacked, Investigation Underway, Officials Confirm - Baltimore Sun

Baltimore's 911 dispatch system was hacked by an unknown actor or actors over the weekend, prompting a temporary shutdown of automated dispatching and an investigation into the breach, Mayor Catherine Pugh's office confirmed Tuesday.

Cyberwarfare:

U.S. Charges Iranians for Global Cyber Attacks on Behalf of Tehran - Reuters

The United States on Friday charged nine Iranians and an Iranian company with attempting to hack into hundreds of U.S. and international universities, dozens of companies and parts of the U.S. government on behalf of the Tehran government.

Data Security:

Saks, Lord & Taylor Hit by Payment Card Data Breach - Reuters

Retailer Hudson's Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

Under Armour Says 150 Million MyFitnessPal Accounts Breached - Reuters

Under Armour Inc said on Thursday that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised in February, in one of the biggest hacks in history, sending shares of the athletic apparel maker down 3 percent in after-hours trade.

Cambridge Analytica Took 50M Facebook Users’ Data – And Both Companies Owe Answers - Wired

Cambridge Analytica, a data analysis firm that worked on President Trump's 2016 campaign, and its related company, Strategic Communications Laboratories, pilfered data on 50 million Facebook users and secretly kept it, according to two reports in The New York Times and The Guardian. The apparent misuse of Facebook data-and the social media giant's failure to police it-leave both companies with plenty still to answer for.

Blockchain and Digital Currency:

CoinMiner Campaigns Move to the Cloud via Docker, Kubernetes - Bleeping Computer

After becoming a scourge inside browsers, on desktops, and on servers, cryptocurrency-mining malware is now invading the cloud, and it appears to be quite successful.

81% of Recent ICOs Were Scams, Research Finds - Bleeping Computer

Four out of five initial coin offerings (ICOs) that have taken place in the last year have been classified as scams, according to a recent study by Satis Group, an ICO advisory firm. ICOs have been the rage of the cryptocurrency world because they allow companies to raise money for various ventures by issuing cryptocurrency tokens that users could buy and later trade on cryptocurrency exchanges.

Emerging Technology:

Golden Touch: Next-gen Optical Disk to Solve Data Storage Challenge - Phys

Researchers from Australia and China used gold nanoparticles to create a new type of high-capacity optical storage disk which can hold data securely for more than 600 years. The technology promises a better solution to the global data storage problem where the explosion of big data and cloud storage has led to power-hungry data centres.

Legislation and Regulation:

US Congress Passes CLOUD Act Hidden in Budget Spending Bill - Bleeping Computer

The United States Congress passed late last night a $1.3 trillion budget spending bill that also contained a piece of legislation that allows internal and foreign law enforcement access to user data stored online without a search warrant or probable cause.

Machine Learning and Artificial Intelligence:

Tesla Says Crashed Vehicle Had Been on Autopilot Prior to Accident - Reuters

Tesla Inc said on Friday that a Tesla Model X involved a fatal crash in California last week had activated its Autopilot system, raising new questions about the semi-autonomous system that handles some driving tasks.

Police Say Uber Is Likely Not at Fault for Its Self-Driving Car Fatality in Arizona - Fortune

The police chief of Tempe, Arizona, where a woman was struck and killed by one of Uber's self-driving cars Sunday, says the ride-sharing company is likely not at fault for the accident, following a preliminary investigation.

Mobile Security:

Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure - Trend Micro

New Android malware that can surreptitiously use the infected device's computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER. This Monero-mining Android app's self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).

Network Security:

IETF Approves TLS 1.3 as Internet Standard - Bleeping Computer

The Internet Engineering Task Force (IETF) - the organization that approves proposed Internet standards and protocols - has formally approved TLS 1.3 as the next major version of the Transport Layer Security (TLS) protocol.

MOSQUITO Attack Allows to Exfiltrates Data From Air-Gapped Computers Via Leverage Connected Speakers - Security Affairs

MOSQUITO is new technique devised by a team of researchers at Israel's Ben Gurion University, led by the expert Mordechai Guri, to exfiltrate data from an air-gapped network.

Public Sector:

New Undersecretary Griffin Asserts Role as Pentagon’s R&D Leader - National Defense Magazine

The Defense Department's new Research and Engineering office will take a more assertive role in setting the direction of U.S. military technology development, a senior official from the new organization said March 20. The undersecretary of defense for research and engineering "will set the technical direction for the department, not just recommend," a slide displayed at the National Defense Industrial Association's Science and Engineering Technology conference in Austin, Texas, stated.

Software Security:

Microsoft’s Windows 7 Meltdown Patch Created ‘Worse’ Flaw - Naked Security

Microsoft's updates for the Meltdown microprocessor mega-flaw inadvertently left users running Windows 7 64-bit systems open to a "way worse" flaw, a researcher has claimed.

Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites - Bleeping Computer

The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL. Drupal site owners should immediately - and we mean right now - update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they're running.

CSIAC Supported Communities

CSIAC supports several communities of practice, such as the Cyber Community of Interest (COI) Group and research & development working groups.

Technical Resources, Policy and Guidance

This list of related sites provides additional sources to pursue the topic of Cybersecurity. The sites include Government organizations, including federal agencies, Department of Defense and military service agencies, commercial organizations, and academic institutions.

The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.