The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.

CSIAC ANNOUNCEMENTS:

In Case You Missed It – CSIAC Webinar : Learning to Win: Making the Case for Autonomous Cyber Security Solutions - CSIAC

This webinar describes the benefits of machine learning based approaches for autonomous control in the cyber domain. We discuss emerging autonomous machine learning technologies and their recent successes, technical and non-technical challenges to overcome, and potential near-term applications to cyber security.

CSIAC Webinar Companion Document - CSIAC

The purpose of this article is to make the case for increased research and development of autonomous control machine learning approaches in the cyber domain. In it, we discuss emerging autonomous machine learning technologies and their recent successes, technical and non-technical challenges that still need to be overcome for practical autonomous applications of machine learning, and finally some thoughts on potential near-term applications of autonomous machine learning to cyber security.

NEW CSIAC Journal of Cyber Security and Information Systems – Cyber-As-Zoo: Multidisciplinary Cyber Struggle - CSIAC

This quarter's CSIAC Journal contains five articles that offer some perspectives to address the often-heard phrase "Cyber Is Hard", usually associated with gnashing of teeth and exasperated sighs.

FEEDBACK FROM PREVIOUS DIGEST:

Critical Infrastructure:

DHS Will Shore Up Cybersecurity for America’s Infrastructure - Wired

As the threat of cyberattacks on the United States launched by foreign adversaries grows, the federal government has been slow to respond. But changes announced Tuesday at the Department of Homeland Security, along with a new bipartisan bill aimed at shoring up DHS cybersecurity initiatives, could give newfound purpose to defenses against critical infrastructure hacking. Reade

Hackers Breached US Electric Utilities: Analysts - The Hill

Security analysts have discovered a new hacking group that has been successful in breaching networks of electric utilities in the United States.

ICS Threat Broadens: Nation-State Hackers Are No Longer The Only Game In Town - Cyber Reason

The U.S. government, realizing that a cyberattack on energy utilities would have major repercussions for businesses and citizens alike, this November will test the ability of the nation's power grid to bounce back from a simultaneous cyberattack on electric, oil and natural gas infrastructure.

RECENT HEADLINES:

Cyberwarfare:

Microsoft Alleges New Russian Attacks Ahead of Midterm Elections - ABC News

Microsoft has thwarted newly attempted cyberattacks by Russian hackers targeting U.S. political campaigns before the midterm elections, the company alleged Monday.

China Believes Its Cyber Capabilities Lag Behind US: Pentagon - Security Week

China believes its cyberwarfare capabilities lag behind the United States, but it's working on closing the gap, according to the U.S. Department of Defense (DOD). In its annual report to Congress, the Pentagon describes the cyber capabilities and cyber operations of the People's Liberation Army (PLA), and warns that China continues to launch cyberattacks against organizations around the world, including in the United States.

Defense Inspector General Finds Key Air Force Space Programs Vulnerable to Cyber Attacks, Sabotage - Space News

An audit by the Defense Department's inspector general office found security cracks in the supply chain of four critical military space programs. As a result, an adversary has "opportunity to infiltrate the Air Force Space Command supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software and firmware," said a redacted IG report released Aug. 14.

Data Security:

80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals - McAfee

With the explosion of growth in technology and its influence on our lives, we have become increasingly dependent on it. The medical field is no exception: Medical professionals trust technology to provide them with accurate information and base life-changing decisions on this data. McAfee's Advanced Threat Research team is exploring these devices to increase awareness about their security.

New Modular Downloaders Fingerprint Systems, Prepare for More – Part 1: Marap - Proofpoint

Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed "Marap" ("param" backwards), is notable for its focused functionality that includes the ability to download other modules and payloads. The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.

U.S. Government Seeks Facebook Help to Wiretap Messenger – Sources - Reuters

The U.S. government is trying to force Facebook Inc to break the encryption in its popular Messenger app so law enforcement may listen to a suspect's voice conversations in a criminal probe, three people briefed on the case said, resurrecting the issue of whether companies can be compelled to alter their products to enable surveillance.

FBI Warns of ‘Unlimited’ ATM Cashout Blitz - KrebsOnSecurity

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an "ATM cash-out," in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

Researchers Disclose New Foreshadow (L1TF) Vulnerabilities Affecting Intel CPUs - Bleeping Computer

Academics and private sector researchers have revealed details today about three new vulnerabilities affecting Intel CPUs.

Legislation and Regulation:

The Cybersecurity 202: Sen. Whitehouse Says Congress Should Consider Letting Companies ‘Hack Back’ After Cyberattacks - Washington Post

Sen. Sheldon Whitehouse (D-R.I.) will use a congressional hearing on cybersecurity today to float an idea that's controversial among security experts: "hacking back" against digital adversaries after a cyberattack.

Number of Third-Party Cookies on EU News Sites Dropped by 22% Post-GDPR - Bleeping Computer

The number of tracking cookies on EU news sites has gone down by 22% according to a report by the Reuters Institute at the University of Oxford, who looked at cookie usage across EU news sites in two phases, in April 2018 and July 2018, pre and post the introduction of the new EU General Data Protection Regulation (GDPR).

NIST Small Business Cybersecurity Act Becomes Law - Security Week

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

Network Security:

It’s Official: TLS 1.3 Approved as Standard While Spies Weep - The Register

An overhaul of a critical internet security protocol has been completed, with TLS 1.3 becoming an official standard late last week.

CSIAC Supported Communities

CSIAC supports several communities of practice, such as the Cyber Community of Interest (COI) Group and research & development working groups.

Technical Resources, Policy and Guidance

This list of related sites provides additional sources to pursue the topic of Cybersecurity. The sites include Government organizations, including federal agencies, Department of Defense and military service agencies, commercial organizations, and academic institutions.

The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.