Feed aggregator

Russia, Nigeria Use Law to Stop Speech Against Government

Info Security - Fri, 03/08/2019 - 18:43

Russia has proposed legislation that would ban the spread of fake news, as well as the use of the internet to disrespect government officials and state symbols. The law appears to be similar to one enforced in Nigeria, where a journalist has been charged with cybercrimes for speaking out against the government, according to the Committee to Protect Journalists (CPJ).

The Russian news outlet Meduza reported that on March 6, 2019, the State Duma approved a bill banning fake news by an overwhelming 327 to 42 vote. According to CPJ, citing the US-funded Radio Free Europe/Radio Liberty (RFE/RL), one lawmaker abstained from the vote. The bill makes the publication of fake news punishable by law, with the exclusion of newspapers, TV channels, radio stations and news aggregators. For those media outlets, sites spreading fake news will be blocked.

The head of the State Duma’s information policy committee, Leonid Levin, told Meduza that journalists would first have an opportunity to "immediately" correct a mistake before the misinformation was blocked.

In Nigeria, Obinna Don Norman, owner and editor-in-chief of the online news outlet The Realm News, has reportedly been charged in an Abia magistrate court under both an anti-terrorism and kidnapping law from 2009 and Nigeria’s 2015 cybercrime act, the CPJ said.

The two charge sheets fail to specify any articles or comments made by Norman that are related to the charges, though he adamantly asserts that his reporting and criticism of the Abia state government are the reasons for his arrest and detention, according to Jonathan Rozen, CPJ's Africa researcher.

“Norman has multiple lawyers now, but he did not have a lawyer present when he was first arraigned on March 1 on cybercrime charges,” Rozen wrote in an email. “Since then, he has not been granted bail and remains in detention. Issac Anya, one of Norman's lawyers, told CPJ that a federal high court in Umuahia today reviewed Norman's bail application, but bail was not granted because jurisdiction was transferred to a state court as a result of yesterday's additional charge under an Abia state anti-terrorism and kidnapping law.”

In addition, Rozen said that CPJ is currently investigating multiple instances of journalists being intimidated ahead of the March 9 elections, and that Nigeria's 2015 cybercrime act has, in recent years, repeatedly been used against the press.

Categories: Cyber Risk News

Researchers Hack the 'Unhackable' Smart Car Alarm

Info Security - Fri, 03/08/2019 - 17:47

Researchers at Pen Test Partners revealed in a proof of concept (PoC) that they were able to exploit vulnerabilities in two high-end "smart" alarms.

In their PoC, the pen testers debunked third-party car alarm vendors' claim to be the solution to key relay attacks on keyless-entry cars.

“We have shown that fitting these alarms can make your vehicle EVEN LESS SECURE! These alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result,” researchers wrote.

Although one vendor reportedly advertised its solution as unhackable, the app could still be hijacked.


In fact, of the many alarms tested, researchers found security vulnerabilities in two system providers, Pandora and Viper. Pandora's Smart and Viper's SmartStart systems were found to have security flaws that allowed an attacker to, among other things, disable the alarm, unlock the car and in some cases kill the engine while the car was in drive.

Leveraging a vulnerability in the POST request on the Pandora alarm let the researchers reset the password. “After the password is reset, one can simply login to the app and obtain full functionality. This attack could also be used against admin users which could give access to multiple vehicles. There is significant data leakage online also.”

According to researchers, the vulnerabilities are rather “straightforward insecure direct object references (IDORs) in the API.”

“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account.”

In the Viper Smart Start alarm, researchers were able to easily exploit an IDOR vulnerability in the "modify user" request, which allows an attacker to change user credentials and interact with the alarm while locking the legitimate user out of the account.
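The account-takeover path described above (tamper with a user id, change the registered email, redirect the password reset) comes down to a missing ownership check on the "modify user" request. The following is an added illustration, not Pandora's or Viper's code: a minimal in-memory model of such an endpoint with the vulnerable handler next to a hardened one. All names, accounts and addresses are made up.

```python
"""Insecure direct object reference (IDOR) on a "modify user" endpoint.

Added illustration (hypothetical service, not any vendor's code): the
vulnerable handler trusts a client-supplied user_id; the hardened one
binds the target to the authenticated session, checks the role server-side
and stages email changes behind a confirmation sent to the *current* address.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class User:
    user_id: int
    email: str
    role: str = "owner"                 # "owner" or "admin", held server-side
    pending_email: Optional[str] = None
    confirm_token: Optional[str] = None


@dataclass
class Request:
    session_user_id: Optional[int]      # derived from the session cookie, None if anonymous
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


USERS: Dict[int, User] = {}


def reset_store() -> None:
    """Constructed accounts: a legitimate owner and a second, unrelated user."""
    USERS.clear()
    USERS[1] = User(1, "owner@example.test")
    USERS[2] = User(2, "other@example.test")


def modify_user_vulnerable(req: Request) -> Response:
    """The flaw the article describes: the account to update is picked from a
    client-controlled 'user_id' and never compared with the caller's identity,
    so any session (or none) can retarget any account and its email takes
    effect immediately."""
    user = USERS.get(int(req.params.get("user_id", -1)))
    if user is None:
        return Response(404, "no such user")
    user.email = req.params["email"]
    return Response(200, "updated")


def modify_user_hardened(req: Request) -> Response:
    """Authorisation fix: require a session, resolve the target from it,
    allow cross-account edits only for a server-side admin role, and make a
    new address live only after a token mailed to the old address is presented."""
    if req.session_user_id is None:
        return Response(401, "authentication required")
    caller = USERS[req.session_user_id]
    target_id = int(req.params.get("user_id", caller.user_id))
    if target_id != caller.user_id and caller.role != "admin":
        return Response(403, "forbidden")          # the missing IDOR check
    target = USERS.get(target_id)
    if target is None:
        return Response(404, "no such user")
    target.pending_email = req.params["email"]
    target.confirm_token = secrets.token_urlsafe(16)
    # A real service would now email the token to target.email (the current
    # address), so a password reset cannot be redirected to an unverified mailbox.
    return Response(202, "confirmation sent to current address")


def confirm_email_change(user_id: int, token: str) -> bool:
    """Complete a staged change; constant-time compare of the one-time token."""
    user = USERS.get(user_id)
    if user is None or user.confirm_token is None or user.pending_email is None:
        return False
    if not secrets.compare_digest(user.confirm_token, token):
        return False
    user.email, user.pending_email, user.confirm_token = user.pending_email, None, None
    return True
```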

Categories: Cyber Risk News

Multiple Healthcare Orgs Warn of Third-Party Attack

Info Security - Fri, 03/08/2019 - 17:00

A September 2018 ransomware attack on Wolverine Solutions Group (WSG) has had widespread impact, resulting in hundreds of thousands of customers being warned that their personal information may have been part of a data breach, according to Detroit Free Press.

In a statement to its clients, Wolverine Solutions Group wrote, “On approximately September 25, 2018, WSG discovered that an unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG’s records (including those pertaining to our Healthcare Clients), which made them inaccessible to WSG in an effort to extort money from WSG. This is commonly referred to as 'ransomware.'”

While it is believed that the records were only encrypted, as there was no initial evidence that information was extracted from the servers, an investigation into the attack of the Detroit-based contractor remains ongoing.

Multiple hospitals and healthcare companies have potentially been impacted by the security incident, including Mary Free Bed Rehabilitation Hospital, where more than 4,500 patients may have had their records compromised, according to Fox 17 News.

Given that WSG provides third-party services for hospitals and healthcare organizations, several companies have issued security notices to their customers. Blue Cross Blue Shield of Michigan (BCBSM), Health Alliance Plan (HAP) and McLaren Health Care are among those that have sent notifications of a potential security incident.

*A spokesperson for BCBSM wrote in an email, "We have no indication that any member information was extracted during the incident. We were told that Blue Cross Blue Shield of Michigan was not the only client company of Wolverine impacted by this incident. About 150,000 of our members were impacted, with about 100,000 of them residing in Michigan. The others are dispersed across many other states. BCBSM offered our members 24 months of credit protection through AllClear ID. We are working with Wolverine on a remediation plan they developed in response to the incident."

According to the February 27, 2019, notice of a data security incident impacting McLaren Health Care, there was “a ransomware incident (a malicious software attack). McLaren received notice of this incident on December 10, 2018, when the WSG forensic team uncovered initial evidence that McLaren patient information may have been included on the impacted servers. WSG also reported this incident to local law enforcement authorities and the FBI.”

When Infosecurity contacted HAP, a spokesperson responded, "This is a Wolverine Solutions Group breach that we understand impacted many of their customers, including many healthcare organizations. You really should be talking to WSG – they are your best bet." According to Detroit Free Press, HAP notified more than 120,000 clients of a third-party security breach that may have resulted in their personal information being compromised.

*Update: this article has been updated with comment from Blue Cross Blue Shield of Michigan.

Categories: Cyber Risk News

#Infosec19 Poll: Men Still Have More Opportunities in Cyber

Info Security - Fri, 03/08/2019 - 11:13

Men still have more opportunities to reach senior roles in the cybersecurity sector, according to a new poll from Infosecurity Europe.

Timed to coincide with International Women’s Day today, the social media poll garnered responses from over 14,700 followers of Europe’s number one security event.

Disappointingly, 61% claimed that women still have fewer opportunities to progress in the industry, while a similar number (63%) believed that there isn’t enough guidance and support available for women.

Over half (56%) claimed there’s a dearth of female role models in the sector.

To help address these issues, Infosecurity Europe will be hosting the third annual Women in Cybersecurity networking event on Wednesday, June 5 with a keynote from evangelist Sue Black.

“I'm not surprised by the results of this survey, the majority believe the same as me: that we really need to do something about the lack of guidance and support for women wanting a career in cyber and information security,” she said.

“There are many awesome women working in these areas, but we haven't heard about them enough. Stories about the trailblazing women that have done incredible things in technology like Dame Stephanie Shirley, UK technology pioneer, and the women recently portrayed in the film Hidden Figures, Dorothy Vaughan and Mary Jackson, have not been heard until now. Yet the history of computing is built on the work of women like them.”

The findings of the Infosecurity Europe survey chime somewhat with those of a Forrester report, which claimed back in 2017 that men held 87% of the CISO roles in Fortune 500 companies.

According to (ISC)2 figures, women now comprise 24% of the information security workforce, up from 11% a couple of years ago. However, with skills shortages reaching close to three million today, there’s a clear need to encourage more gender diversity in the sector.

Deshini Newman, EMEA managing director at (ISC)2, praised initiatives like the National Cyber Security Centre’s (NCSC) CyberFirst Girls competition, designed to encourage school-age girls to find out more about the industry.

“The argument is clear — a balanced world is a better world for creativity and innovation. We’ve seen great strides and efforts to bring gender balance to STEM subjects and careers, along with addressing gender pay gaps — but more work still needs to be done,” she argued. “The same applies across the wider IT industry as well as in business leadership roles. Greater gender diversity can only serve to bring benefits to business and society.”

Forrester has some tips on how employers can address cybersecurity gender disparity here.

Categories: Cyber Risk News

MongoDB Security Error Leaks 808m Records

Info Security - Fri, 03/08/2019 - 10:36

Security researchers have discovered a massive trove of over 808 million records, including email addresses, phone numbers and other personally identifiable information (PII), left exposed on a MongoDB instance.

Bob Diachenko claimed to have found the non-password protected, 150GB MongoDB instance at the end of February.

A “mailEmailDatabase” contained three folders: one with over 798 million email records; another with around 4.2 million email-plus-phone records; and a third with 6.2 million “business leads” records including gender, date of birth, mortgage details, corporate information, social media accounts and more.

“As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another ‘collection’ of previously leaked sources but a completely unique set of data,” explained Diachenko in a blog post.

“Although, not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records.”

The researcher at first believed the plain text trove belonged to a professional spammer, but soon found out that the database owner was actually an “email validation” firm, Verifications.io — which tries email lists on behalf of its clients to see if they are still working accounts.

“The database(s) included email accounts they use for sending mail as well as hundreds of SMTP servers, email, spam traps, keywords to avoid, IP addresses to blacklist, and more. This is why I initially thought they were potentially engaged in spam-related activities,” he explained.

“It turns out that technically they actually are sending unwanted and unsolicited emails. This is the worst kind of spam because they send millions of completely worthless ‘hello’ emails that no one can understand.”

In fact, the service could even be used by cyber-criminals as a quick, easy and quiet way of validating their own email lists to improve the success rates of phishing/brute forcing campaigns, he suggested.

Verifications.io took the list down as soon as it was notified by Diachenko and co-researcher Vinny Troia, but claimed in an email to him that it was public and not client data. The entire site is now down.

Categories: Cyber Risk News

Breaches and Leaks Soared 424% in 2018

Info Security - Fri, 03/08/2019 - 10:08

Nearly 15 billion identity records circulated in underground communities in 2018, a 71% increase over the year as hackers targeted smaller organizations more widely, according to a new report from 4iQ.

The identity intelligence company scanned the surface, social, deep and dark web for identity related breaches to compile its latest annual report, The Changing Landscape of Identities in the Wild: The Long Tail of Small Breaches.

It claimed that, once normalized and cleansed, the stolen identity data numbered 3.6 billion records — a much lower figure than the headline raw data numbers, but still representing a 20% increase on 2017.

The firm also confirmed 12,449 breaches and leaks last year, a 424% increase on 2017, although the average size of the breach/leak was 4.7 times smaller than 2017, at nearly 217,000 records.

That’s due in part to hackers targeting larger numbers of small businesses, according to the vendor.

“Small businesses and suppliers for large companies present weak links in the value chain — they have little to no cybersecurity budgets and are far less able to secure themselves from increasingly organized hackers who are systematically targeting them,” the report noted. “Not surprisingly, in 2018, we saw a significant increase in the number of attacks on small entities.”

Cyber-criminals are also getting smarter about how they organize, aggregate and package data sets. Stolen personally identifiable information (PII) is combined with publicly available data to enable more successful account takeover, identity theft, phishing and other social engineering attacks, 4iQ said.

The report also detailed the assembly and sale of bigger “combo password lists” which collect clear text log-ins from hundreds of breaches.

“Each time a combo password collection is repackaged, new credentials are added to increase the total size, and each new package fuels renewed credential stuffing and account takeover attempts,” it said. “Combo lists containing 1.82 billion credentials resurfaced throughout 2018 and in early 2019.”

Finally, 2018 saw an uptick in the volume of voter records and government data being circulated on the cybercrime underground. In fact, public sector identity exposures jumped 291% year-on-year, a trend possibly influenced by growing geopolitical tensions, 4iQ claimed.

Categories: Cyber Risk News

#RSAC: C&C Malware Can be Detected for Free

Info Security - Thu, 03/07/2019 - 22:40

Speaking at RSA Conference 2019, Black Hills Information Security owner John Strand discussed threat hunting and how this can be done on a small budget.

He admitted that identifying command and control (C&C) traffic is “very difficult” as we have got to the stage where malware can be stealthy and uses C&C to hide, and encryption is used within encryption, while we rely on the impossible task of writing signatures.

Strand said: “After a pen test we talked to a customer and went through the debrief report and we were excited as the company did everything ‘right’ and it was a hard engagement for my team, but as we went over the report with them we could see the blood draining from their faces as we told them they had a blind spot for C&C.” 

Strand showed that malware using a C&C typically transmits at consistent intervals and exhibits patterns, so the best tactic is to look for clusters and patterns in connection timing, and also to cluster on data sizes.

Strand explained the use of the free tool RITA, named after Strand’s late mother who asked him to keep the tool free, which he said can do analysis of connections leaving your environment.

“When we started using RITA three years ago we ingested logs and realized the concept of time variables, as some technologies mark the beginning or end of a connection as the connection time,” he said. “One device logs a connection as the beginning and at about noon, it then switched to mark the end of the connection. Also with Bro/Zeek you’re getting logs and consistency is incredibly important.”

In recommendations on what to do next, Strand advised blocking adverts, and regularly cleaning your network for data being transferred out. 

Giving some examples of how RITA had been used, he said in one case it was discovered that security cameras were beaconing out data, and whether it was malicious or not is irrelevant.

He concluded by reiterating that detecting C&C is getting harder “but it doesn’t require you dropping $75,000 in a box or investing $1m in a threat hunting team in your environment,” as it can be done for free using available tools.

Categories: Cyber Risk News

#RSAC: How Machine Learning Can Bolster Email Threat Detection

Info Security - Thu, 03/07/2019 - 20:30

At RSA Conference 2019 Dena Bauckman, VP product management, Zix, explored email attack threat evolutions and how machine learning can be used to better detect email-based attacks.

“Today, attackers are getting more targeted, and they’re not sending out bulk campaigns anymore,” she said. Email attack campaigns are becoming more intricate and “we need a better way of identifying those threats when they are constantly changing. That’s where we started to see that machine learning can really help us in that area.”

Bauckman defined machine learning as “the ability to teach a machine to do something that humans do naturally, and that is learn from experience.”

She added that there are two different types of machine learning techniques used in threat detection: supervised and unsupervised machine learning.

With supervised machine learning, you feed the system with a large sample of email threats so it can analyze attributes of email threats. Then, the system builds a model to predict future email threats. Email traffic is fed through the system and the model assigns a probability that an email is a threat, and then rules can be defined to handle potential threat scenarios.

With unsupervised machine learning, you feed the system normal email traffic and it learns over time what normal email communications look like. The system can then identify anomalies in email communication and data can be analyzed with other network and system behavior to identify threats.

To conclude, Bauckman said that “machine learning does automate our ability to identify threats, and it goes beyond and builds on top of the other capabilities that we have.”

It also “allows us to have our limited resources of the human threat analyst focus in on the big, new evolving threats.”

However, Bauckman was quick to point out that machine learning on its own is not enough, and it must be used as a piece of a multi-layered defense approach. “It is not a panacea.”

Categories: Cyber Risk News


#RSAC: Realize Reality of Workplace Burnout

Info Security - Thu, 03/07/2019 - 19:20

In a discussion chaired by PTC CSO and I Am The Cavalry founder Josh Corman, Christina Maslach, professor emerita of psychology at the University of California, Berkeley, discussed the common reasons for stress and burnout in the workplace, and how to spot and deal with the common traits.

Opening the session at RSA Conference 2019, Corman said that burnout is too often seen as a sign of weakness and “something which happens to someone else,” but asked how many people had missed family events because of an incident response scenario or through being at a conference. “We’ve seen people get jaded and cynical, and lost some to suicide and alcohol and substance abuse,” he said.

Acknowledging research on the issue of burnout at BSides Las Vegas which had been met with criticism on social media, Corman said that we “attract people in and churn them out, so RSA wanted us to stop talking about it and do something about it.”

Maslach, who created the Maslach Burnout Index, said that the term burnout was acknowledged better by people than just stress, and it is “seen as a thermometer” of performance. “There are consequences in terms of poor performance and errors, and physical health problems which affects your family, and if it begins to be a problem we see depression and suicide,” she said. 

“It is not just ‘having a bad day,’ it has long term implications for everyone we get in touch with and becomes part of a socially toxic environment.”

Maslach highlighted three measurements:

  • Exhaustion – a classic stress response which comes from an imbalance between demands and the resources to meet those demands
  • Cynicism – a “much more classic bottom line for burnout” where someone becomes very negative and hostile at work, and rather than trying to do their best they do the bare minimum. A “take this job and shove it” mentality means quality of work goes down and affects clients and colleagues
  • Efficacy and futility – a syndrome of beginning to lose the sense of being good at what you do, which erodes not just energy but the feeling of being good enough.

Maslach also highlighted six areas of imbalance:

  • Workload – where the resources available to do the work are low relative to the workload
  • Control – making the autonomous choices on how to get the job done
  • Social reward – recognition; doing something well and it gets noticed by others
  • Workplace community – people you have relationships with and who you are in regular contact with, and unresolved conflict can be an issue
  • Fairness – where things are done fairly in an office, and where it is unfair if you have biases and glass ceilings
  • Values – meaning or purpose, and what makes you excited and proud about doing your work, and are you working in an environment with ethical concerns?

Corman acknowledged the problem of security invariably looking for things that people have done wrong, such as in code review, and that when you have a secret and hold onto it for too long “there is almost a radioactive half-life to it and a weight to it which we need to put down.”

The speakers cited the image of the canary in the coal mine: you don’t tell the canary to “toughen up or do yoga”; instead, the bird is the warning sign of a toxic environment and an unsafe place for people to work.

In conclusion, Corman said that you have a choice in this matter: to laugh at it, or to “focus on better angels and people who make this work and treat others as humans.”

Categories: Cyber Risk News

Ultrasounds Lack Ultra Security, Research Shows

Info Security - Thu, 03/07/2019 - 19:16

Ultrasound technology using an outdated operating system is vulnerable to attack, according to new research from Check Point.

In a video demonstration, researchers revealed that connected ultrasound machines running Windows 2000 can be exploited. Because the Windows 2000 platform no longer receives patches or updates, the machines were rather easy for researchers to exploit.

“Due to old and well known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images,” researchers wrote in today’s blog post.

If exploited, an attacker could reportedly gain full access and be able to edit medical data. While an attacker would not be able to access personal information about pregnant women, they could theoretically change patient results and use medical information to blackmail people.

Having access to the ultrasound system would also enable an attacker to put ransomware on the system. “Ultrasound technology has made huge advancements over recent years to provide patients and doctors alike with detailed and potentially lifesaving information,” researchers wrote.

“Unfortunately, though, these advancements have not extended to the IT security environment in which these machines sit, are now connected to and transfer images within.”

According to the research, healthcare organizations are at an elevated risk of cyber-attack because of the complexities of updating and patching systems. Hospitals and medical facilities rely on a wide range of devices from a vast number of manufacturers, and each device comes with its own inherent risks.

“Healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach. Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions while providing another layer of security to network and data protection, without compromising performance or reliability.”

Categories: Cyber Risk News

Some Denver Voters No Longer Need Absentee Ballots

Info Security - Thu, 03/07/2019 - 18:46

A new pilot program for mobile voting will allow active-duty military, their families and overseas travelers to vote via mobile device in upcoming Denver elections, according to Tusk Philanthropies.  

Following West Virginia’s mobile voting program implemented last year, Denver is now the second to launch a mobile voting pilot program. “With turnout this low in national elections, of course we’re stuck with rampant polarization and dysfunction. That only changes if turnout soars. That only happens if we move into the 21st century and let people use the tool already in their pockets: their phone,” said Bradley Tusk, founder and CEO of Tusk Philanthropies, in a press release.

Blockchain encryption in the mobile voting app by Voatz ensures that the voting is secured, and the ease of mobile voting will hopefully result in a higher voter turnout for members of the military and US citizens that are overseas come the May elections. “The Denver Elections Division deserves a tremendous amount of credit for being one of the first to implement an innovative and convenient solution to fix the underlying issues in our government,” said Bradley Tusk, founder and CEO of Tusk Philanthropies.

As the program, a collaboration between Denver, Voatz, Tusk Philanthropies, and the National Cybersecurity Center, gets under way, Denver is asking for volunteers to undergo the process of identity verification, which involves uploading a video with a picture of their photo ID and going through multifactor and biometric authentication in order to access the app where they will receive and cast their ballots.

After casting their votes, participants will receive a PDF confirmation of their ballot in order to ensure the information was recorded correctly.

“The Denver Elections Division is recognized nationally and internationally for putting voters first and for using technology to make voting easier and more transparent. We are widely known for being innovators in the world of election administration, so participating in this pilot program fits perfectly into our mission,” said Jocelyn Bucaro, deputy director of Elections at Denver Clerk and Recorder, in the press release.

“We believe this technology has the potential to make voting easier and more secure not only for our active duty military and overseas citizens, but also for voters with disabilities, who could potentially vote independently and privately using their phones’ assistive technology.”

Categories: Cyber Risk News

Some Denver Voters No Longer Need Absentee Ballots

Info Security - Thu, 03/07/2019 - 18:46

A new pilot program for mobile voting will allow active-duty military, their families and overseas travelers to vote via mobile device in upcoming Denver elections, according to Tusk Philanthropies.  

Following West Virginia’s mobile voting program implemented last year, Denver is now the second to launch a mobile voting pilot program. “With turnout this low in national elections, of course we’re stuck with rampant polarization and dysfunction. That only changes if turnout soars. That only happens if we move into the 21st century and let people use the tool already in their pockets: their phone,” said Nimit Sawhney, CEO and co-founder of Voatz, in a press release.

Blockchain encryption ensures that the voting is secured, and the ease of mobile voting will hopefully result in a higher voter turnout for members of the military and US citizens that are overseas come the May elections. “The Denver Elections Division deserves a tremendous amount of credit for being one of the first to implement an innovative and convenient solution to fix the underlying issues in our government,” said Bradley Tusk, founder and CEO of Tusk Philanthropies.

To get the program under way, Denver is asking for volunteers to undergo the process of identity verification, which involves uploading a video with a picture of their photo ID and going through multifactor and biometric authentication in order to access the app where they will receive and cast their ballots.

After casting their votes, participants will receive a PDF confirmation of their ballot in order to ensure the information was recorded correctly.

“The Denver Elections Division is recognized nationally and internationally for putting voters first and for using technology to make voting easier and more transparent. We are widely known for being innovators in the world of election administration, so participating in this pilot program fits perfectly into our mission,” said Jocelyn Bucaro, deputy director of Elections at Denver Clerk and Recorder, in the press release.

“We believe this technology has the potential to make voting easier and more secure not only for our active duty military and overseas citizens, but also for voters with disabilities, who could potentially vote independently and privately using their phones’ assistive technology.”

Categories: Cyber Risk News

Businesses Go Passwordless into Cloud Security

Info Security - Thu, 03/07/2019 - 17:41
Businesses Go Passwordless into Cloud Security

Security and risk management leaders are looking to better understand the link between risk and business goals, according to Gartner.

In its newly released list of the top seven security and risk management trends for 2019, Gartner identified the ongoing strategic shifts in the security ecosystem that, given their potential for disruption, are expected to have a significant impact on the industry.

The number one trend, "risk appetite statements are becoming linked to business outcomes," is indicative of the industry’s shifting focus on issues related to IT strategies. According to Peter Firstbrook, research vice president at Gartner, linking business goals to risk appetite statements “leaves no room for business leaders to be confused as to why security leaders were even present at strategic meetings.”

Additionally, continued investments in threat detection and prevention have created a need for more investment in security operations centers (SOCs). “Detection and response capabilities are a major security gap that’s important and urgent for many organizations to still address as the ability to know if one is compromised is fundamental to effective risk management,” said Matt Walmsley, EMEA director at Vectra.

“Prevention will fail, and attackers will get inside, as the headlines shouting about the latest successful cyber breach remind us with predictable regularity. For example, it takes a median of 177 days in Europe before an active attacker is discovered inside an organization, and whilst the latest reports show that attacker dwell times are slowly trending down, that doesn’t tell the whole story, nor should we be complacent.”

Data security continues to demand that businesses establish data security governance frameworks (DSGF), and analysts identified a lot of market traction around passwordless authentication. “The technology is being increasingly deployed in enterprise applications for consumers and employees, as there is ample supply and demand for it,” the release said.

Also trending in 2019 is the increased offering of skills and training services, along with investments in cloud security competencies as the cloud becomes a mainstream computing platform. “Public cloud is a secure and viable option for many organizations, but keeping it secure is a shared responsibility,” Firstbrook said in the press release.

“Organizations must invest in security skills and governance tools that build the necessary knowledge base to keep up with the rapid pace of cloud development and innovation.”

Categories: Cyber Risk News

#RSAC: A View from the Front Lines of Cybersecurity

Info Security - Thu, 03/07/2019 - 17:39
#RSAC: A View from the Front Lines of Cybersecurity

Speaking at RSA Conference 2019, Kevin Mandia, chief executive officer, FireEye, and Sandra Joyce, senior vice-president, global intelligence, FireEye, reflected on the global threat environment in 2018 and its impact on enterprises and agencies around the world.

Opening the discussion, Joyce said that there was some “good news” to report.

FireEye research showed that “dwell times continue to drop globally,” she said. “This is very important, because most incidents that happen actually start with legitimate credentials, so you really need to pay attention to what’s happening post-breach.”

In terms of threats emanating from notable nation-states in 2018, Joyce said there had been some significant movements in North Korea, Iran, China and Russia.

“APT37 is a North Korean-sponsored group, and what was really interesting in 2018 was that we watched the group target very locally to the Peninsula, but then we saw it evolve over time and become more technically sophisticated to exploit zero-days, target internationally and there was even evidence they had destructive malware. North Korea continues to punch above its weight class.”

In Iran, Joyce explained that the APT39 group “was carrying out national security goals that were really targeted to individuals,” in 2018. The group was targeting the telecommunications industry and the travel industry, and was less focused “on the organization they were targeting and more focused on the actual individuals who were of interest to the Iranian government.”

Regarding China, Joyce said that “China has never really stopped stealing intellectual property” but what was different in 2018 was a change from “commercial IT theft” to a focus on “military and dual-use technologies. One group in particular, APT40, really stood out to us because they have been doing espionage for a long time, but they have been promoting a very international agenda” to uphold the maritime and naval capabilities of China.

Lastly, activities in Russia continued to be very disconcerting, said Joyce, with campaigns targeting safety systems of an ICS plant. “That’s the last step – the safety systems at an ICS facility are the last thing before a risk to human life.”

In terms of what might be coming next, Joyce said: “If things continue the way they are with brazen actions, increasingly destructive attacks with no guard rails, I think people are going to get hurt.”

To conclude, Mandia added that “we are going to need to come up with a [unified] set of rules” to aid in our defenses against global threats, as it’s always harder to defend than attack. “It’ll go a long way for all of us to figure out how we stop the escalation in cyber,” he said. “As we come up with rules for how countries should behave during times of peace” the nations and citizens who don’t/can’t abide by those rules “will end up having drastically different experiences on the internet than those in a more free world.”

Categories: Cyber Risk News

#RSAC: The Power of People: Amplifying Our Human Capacity through Tech & Community

Info Security - Thu, 03/07/2019 - 16:45
#RSAC: The Power of People: Amplifying Our Human Capacity through Tech & Community

“You go where you are invited, but you stay where you are welcome.”

These were the words of Ann Johnson, corporate vice-president, Cybersecurity Solutions Group with Microsoft, speaking at RSA Conference 2019. The cybersecurity workforce shortage goes deeper than a skills gap, she argued. Employers also need to consider how to address other areas of concern for security workers, especially their stress levels.

About 70% of IT employers say they face serious staffing shortages. As a result, those on the frontline of security are overwhelmed by threats and alerts and spend their days chasing down false alarms. That means they don’t have the bandwidth to investigate and solve complex problems.

Stress is also overwhelming our cybersecurity and IT workforce. Johnson said two-thirds of these workers will take pay cuts just to have less stress. All of these factors mean that those on the frontline of security are outnumbered by threat actors.

“We must empower the defenders,” said Johnson.

Technology is one way to do that. When organizations adopt innovations like the cloud and AI, they increase their ability to detect and mitigate attacks, not in minutes but in milliseconds.

However, there needs to be a bigger investment in human capital, Johnson pointed out. Organizations need to tap into new potential talent by reaching out to a more diverse workforce. When you have more diverse talent, you get varied experiences and ideas to better solve problems.

Retention is also an issue. Johnson stressed the importance of caring for the security employee’s mental health. “Mounting stress on the first line of defense leads to more mistakes,” she said.

“Technology alone won’t solve our security problems,” Johnson added. “We must focus on the power of people.” We want people to fill these security jobs, but they’ll only stay if they are appreciated.

Categories: Cyber Risk News

#RSAC: The Role of Security Technologists in Public Policy

Info Security - Thu, 03/07/2019 - 16:19
#RSAC: The Role of Security Technologists in Public Policy

There is a need for public interest technologists, said Bruce Schneier, fellow and lecturer, Harvard Kennedy School, at RSA Conference 2019. That’s because we have a disconnect – or separate worlds – between technology and the humanities. Technology is often developed without considering how these advances could upend society, while on the humanities/policy side, there is a lot of criticism of technology without understanding it. Now, with everything we do and almost everything we use being connected to the internet, we need to find a way to bridge those two worlds.

“Today, technology and policy are deeply intertwined,” Schneier said. “Today, technology makes de facto policy that is more influential than any law, and law is trying to catch up with technology. It is no longer sustainable for technology and policy to be in different worlds.”

The role of a public interest technologist is going to be important in all areas of society, but especially in security. Our government officials who create policy surrounding internet security and data privacy have no idea how the technology works. Instead, we need public interest technologists: technology practitioners who focus on social justice, the common good and the public interest.

“We need these people to weigh in on public policy debates,” Schneier argued. With advances in technology like 5G, AI, ML, and with everything now connected to the internet, policymakers don’t have a clear understanding of the security risks involved. “Are we using 5G for security or surveillance? What about AI or robotics?” As the definition of internet security continues to broaden, there needs to be informed policy to meet these challenges.

“Technology is not policy or politically neutral,” Schneier added, “but every tool we build for good can do bad in the wrong hands.” We always knew that technology can subvert policy, but what Edward Snowden showed us is that policy can subvert technology. They both have to work together, or it won’t work at all.

Categories: Cyber Risk News

Huawei Sues US Government Over Ban

Info Security - Thu, 03/07/2019 - 11:42
Huawei Sues US Government Over Ban

Huawei is suing the US government over what it claims is an “unconstitutional” ban on federal use of its products, in an escalation of tensions between it and Washington.

The Shenzhen giant filed a complaint in a US District Court in Plano, Texas, focusing on Section 889 of the 2019 National Defense Authorization Act (NDAA) signed by Donald Trump in August.

That part of the law bans federal agencies from buying Huawei equipment and from contracting with third parties who do so.

Huawei alleges that Section 889 violates the Bill of Attainder Clause, by effectively punishing the firm without trial. It claims the law also violates the Due Process Clause and the Separation-of-Powers principles enshrined in the US Constitution — in the case of the latter, because Congress is “both making the law, and attempting to adjudicate and execute it.”

The firm claimed legal action is a last resort after failing to convince Congress to provide evidence behind its restrictions on its products. It also argued that the ban would “ultimately harm US consumers” by delaying the country’s 5G roll-out and losing $20bn in cost savings.

"Section 889 is based on numerous false, unproven, and untested propositions. Contrary to the statute's premise, Huawei is not owned, controlled, or influenced by the Chinese government. Moreover, Huawei has an excellent security record and program. No contrary evidence has been offered,” said Huawei chief legal officer, Song Liuping.

However, proving the firm is not influenced by the Chinese government may be difficult to do in an era in which President Xi Jinping has sought ever-tighter control over everything within China’s orbit. Most recently, Beijing hit back at Canada’s decision to extradite Huawei CFO Meng Wanzhou to the US almost immediately, by announcing new allegations of spying against two detained Canadians.

A Chinese cybersecurity law passed in 2017 is said to further legitimize any state requests to access data flowing through Huawei equipment.

The firm’s assertion that it has an “excellent security record and program” is also somewhat at odds with assessments by the UK’s GCHQ.

“Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes,” said National Cyber Security Centre boss, Ciaran Martin.

Categories: Cyber Risk News

NAO flags challenges facing UK digital ID scheme

Outlaw.com - Thu, 03/07/2019 - 11:06
A digital identity (ID) scheme developed by the UK government may become unaffordable to government departments once public funding for the initiative is removed next year, the National Audit Office (NAO) has warned.

Categories: Cyber Risk News
