The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
Watch the Latest CSIAC Webinar – Overview of the Software Assurance Marketplace (SWAMP) and SWAMP-in-a-Box (SiB) - CSIAC
With the increasing rate of security breaches, today's applications need to be built more securely at the code level, and that code needs to be tested regularly. The Software Assurance Marketplace was developed to make it easier to consistently test the quality and security of applications and bring a transformative change to the software assurance landscape by reducing the number of weaknesses deployed in software.
October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about the importance of cybersecurity. The Internet touches almost all aspects of everyone's daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.
CSIAC's plans for National Cyber Security Awareness Month 2017 are already underway. Check this webpage in the coming weeks for more details.
Learn about Public Key Infrastructure or PKI. This short video describes the purpose of PKI and how it is used to manage public-key encryption. This is part 3 of a 3 part series on the topic of encryption.
DHS S&T Awards $640K to the Critical Infrastructure Resilience Institute for Supply Chain Cyber-Threats Research - DHS
The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) today announced a $640,000 award to the Critical Infrastructure Resilience Institute (CIRI) for research into prepositioned cyber-threats in mobile devices that originate in the supply chain.
CIRI, a DHS S&T Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign, will team with Kryptowire, LLC of Fairfax, Virginia for this research and development (R&D) project. They will examine mobile devices and related supply-chain vectors for prepositioned cyber-threats, including malware or questionable behavior built into the devices by design. The project is being managed by the Homeland Security Advanced Research Projects Agency's Cyber Security Division (CSD) in partnership with the Office of University Programs (OUP).
Tags: Critical Infrastructure Protection (CIP)
The energy sector has become an area of increased interest to cyber attackers over the past two years. Most notably, disruptions to Ukraine's power system in 2015 and 2016 were attributed to a cyber attack and led to power outages affecting hundreds of thousands of people. In recent months, there have also been media reports of attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the U.S. being compromised by hackers.
The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so. Symantec customers are protected against the activities of the Dragonfly group.
Tags: Critical Infrastructure Protection (CIP)
Is the Power Grid Getting More Vulnerable to Cyber Attacks? - Scientific American
Two weeks ago it was cyberattacks on the Irish power grid. Last month it was a digital assault on U.S. energy companies, including a nuclear power plant. Back in December a Russian hack of a Vermont utility was all over the news. From the media buzz, one might conclude that power grid infrastructure is teetering on the brink of a hacker-induced meltdown.
The Trump administration on Thursday sanctioned seven Iranian nationals and an Iran-based computer security company for their role in cyberattacks targeting the U.S. financial system. The Treasury Department announced sanctions on 11 entities and individuals for supporting Iran's elite Islamic Revolutionary Guards Corps (IRGC) and networks responsible for cyberattacks targeting the U.S. financial system.
Cyber-attacks will happen, so developing a means to isolate intrusions at sea and keep moving is imperative, said the Navy's top intelligence officer.
Now, once security experts detect a cyber-attack, the typical response is to shut down all systems and then scrub them for malicious code or software, said Vice Adm. Jan Tighe, Deputy Chief of Naval Operations, Information Warfare/Director of Naval Intelligence. Tighe was speaking Thursday about the Navy's preparations for cyber-attacks during an event sponsored by the U.S. Naval Institute at the Washington D.C.-based Center for Strategic and International Studies.
Tags: Cyber Decision Making, Cyberwarfare
After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers from shutting down more critical infrastructure or crippling corporate and government networks.
Unlike other data breaches, those affected by the breach may not even know they're customers of the company.
Equifax (EFX) is one of three nationwide credit-reporting agencies that track and rate the financial history of consumers. The company gets its data from credit card companies, banks, retailers and lenders -- sometimes without you knowing.
According to Risk Based Security, which tracks data breaches worldwide, more than 2,200 data breaches occurred in the first half of 2017 alone. These cyber incidents are so common because our online exposure is vast and a single method of entry can start a chain of events that leads to a data breach.
In case you missed it: The credit rating giant admitted hackers had targeted the company in the past few months, stealing records on as many as 143 million consumers. The company went into disaster management mode (albeit with a six-week head start) and flubbed the incident response. Not only did the company botch the rollout of the support site, it also threw potential victims into legalistic chaos, with nobody knowing for sure for hours whether or not the site was automatically opting customers out of a future class action suit.
Add one more thing to the dumpster fire of this incident response "omni-shambles."
The checker, hosted by TrustedID (a subsidiary of Equifax), which millions of users are consulting to see if their private information has been stolen, doesn't appear to be properly validating entries.
In other words: it is giving out incorrect answers.
Microsoft has unleashed its September Patch Tuesday bug fix bonanza, patching 82 flaws in total.
Among the 82 fixes, 26 of which have been rated 'critical', is a patch for an actively exploited zero-day vulnerability tied to Microsoft's .NET Framework.
Tags: Microsoft, Zero-day Exploits
Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims' contact information for $10 per search. The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram to the Daily Beast, and the list included most of the 50 most-followed accounts on the service. Instagram still will not say how many accounts were affected, other than that it is a "low percentage of Instagram accounts." There are more than 700 million active Instagram accounts; hackers say they have information on file for 6 million users. Users' passwords were not exposed in the hack, Instagram said.
Tags: Mobile Security
The FBI has arrested a Chinese citizen for allegedly distributing malware used in the massive 2015 OPM breach that resulted in the theft of personal details of more than 25 million U.S. federal employees, including 5.6 million federal officials' fingerprints.
Yu Pingan, identified by the agency by the pseudonym "GoldSun," was arrested at Los Angeles International Airport on Wednesday when he arrived in the United States to attend a conference, CNN reported.
The 36-year-old Chinese national is said to face charges in connection with the Sakula malware, which was not only used to breach the US Office of Personnel Management (OPM) but also breached Anthem health insurance firm in 2015.
Hackers have proven just how urgently a gaping flaw in the global telecoms network, affecting what's known as Signalling System No. 7 (SS7), needs to be fixed. In a video demonstration, shown to Forbes ahead of publication today, benevolent hackers from Positive Technologies were able to take control of a Coinbase bitcoin wallet and start pilfering funds via the SS7 flaws.
In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditional nation state activities. Yet, given North Korea's position as a pariah nation cut off from much of the global economy - as well as a nation that employs a government bureau to conduct illicit economic activity - this is not all that surprising. With North Korea's tight control of its military and intelligence capabilities, it is likely that this activity was carried out to fund the state or personal coffers of Pyongyang's elite, as international sanctions have constricted the Hermit Kingdom.
Russian president Vladimir Putin has joined the war of words concerning the international race to develop artificial intelligence. Speaking to students last Friday, Putin predicted that whichever country leads the way in AI research will come to dominate global affairs.
Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game.
Apple's approach is typical of the company's ethos: it's focused on doing AI on your device instead. We saw this back in June 2016, when the company introduced "differential privacy" (using statistical methods to mask users' identity when collecting their data), and at WWDC this year when it unveiled its new Core ML API. The "neural engine" is just a continuation of the same theme. By having hardware on the phone itself that's dedicated to AI processing, Apple sends less data off-device and better protects users' privacy.
Tags: Artificial Intelligence (AI)
Android Toast Overlay Attack: “Cloak and Dagger” With No Permissions - PaloAltoNetworks
Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the "Toast type" overlay. All Android devices with OS version < 8.0 are affected by this vulnerability and patches are available as part of the September 2017 Android Security Bulletin. Android 8.0 was just released and is unaffected by this vulnerability. Because Android 8.0 is recent, this vulnerability affects nearly all Android devices currently in the market (see Table 1) and users should apply updates as soon as possible.
Tags: Mobile Security
The idea is to marry current 2FA with systems that "reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are," according to the news release.
The problem with SMS authentication is that skilled hackers have successfully hijacked SMS codes in the past, often simply by contacting the carrier and impersonating the victim. It also falls apart if thieves grab your smartphone along with your PC, gain access to your phone via malware, or just steal a glance at a 2FA message on your lockscreen.
Tags: Mobile Security
On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity.
Feds Move to Ramp up Cyber Hiring - The Hill
The federal government will host the first-ever government-wide event to recruit new IT and cybersecurity talent, at a time when agencies and departments are struggling to fill these positions. The General Services Administration (GSA) on Thursday announced the event, which will be held November 6-7 in Maryland. The administration is looking to recruit computer scientists, cyber analysts, engineers and others in order to "fill critical skills gaps" in top IT and cybersecurity roles across the federal government.
Tags: Cyber Workforce
After careful consideration of available information and consultation with interagency partners, Acting Secretary of Homeland Security Elaine Duke today issued a Binding Operational Directive (BOD) directing Federal Executive Branch departments and agencies to take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.
Lawmakers alarmed by Equifax breach - The Hill
Equifax reported the breach--likely to be one of the most devastating in history--in a statement late Thursday, explaining that cyber criminals exploited a U.S. website application vulnerability and gained unauthorized access to personally identifiable information, including Social Security numbers, on potentially millions of Americans.
The information was exposed to hackers for more than a month before Equifax detected the breach on July 29.
The credit reporting firm, one of the largest in the United States, has come under increased scrutiny following the disclosure. Bloomberg reported that three senior Equifax executives sold stock in the company worth nearly $1.8 million after the breach was discovered. The company's stock has been plummeting since Thursday.
A US government decision to stop using security software from Kaspersky Lab is "regrettable" said the Kremlin. The Russian statement came in response to the 90-day deadline given to US federal agencies to remove the software. The US Department of Homeland Security said it was concerned about ties between company officials and the Russian intelligence services. Kaspersky Lab has repeatedly denied that it has ties to the Kremlin. In addition, US retailer Best Buy has said it will no longer sell Kaspersky products in its stores.
Tags: Network Security
The 4th International Conference on Quantum Technologies held in Moscow last month was supposed to put the spotlight on Google, who were preparing to give a lecture on a 49-qubit quantum computer they have in the works.
A morning talk presented by Harvard University's Mikhail Lukin, however, upstaged that evening's event with a small announcement of his own – his team of American and Russian researchers had successfully tested a 51-qubit device, setting a landmark in the race for quantum supremacy.
Tags: Quantum Computing
On Monday, Cisco's Talos security research division revealed that hackers sabotaged the ultra-popular, free computer-cleanup tool CCleaner for at least the last month, inserting a backdoor into updates to the application that landed in millions of personal computers. That attack betrayed basic consumer trust in CCleaner-developer Avast, and software firms more broadly, by lacing a legitimate program with malware, one distributed by a security company, no less.
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.