
Apple plan to scan users’ iCloud photos raises new…

Experts argue that Apple is clearing a path for governments to gain access to their citizens’ data, essentially an encryption backdoor.

A firestorm emerged on Friday and raged during the weekend over Apple’s new “Expanded Protections for Children,” a series of measures across Apple’s platforms aimed at cracking down on child sexual abuse material (CSAM). The new protections address three areas, including communications tools for parents and updates to Siri and search to help children and parents deal with unsafe situations.

The flashpoint for cryptographers, cybersecurity specialists, and privacy advocates is Apple’s planned use of “new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy.” The plan is to compute a hash of each photo on the device and then compare that hash, using a new cryptographic matching protocol, against a database of hashes of known CSAM images; it is the matching, not the scanning, that is new cryptography.

The new cryptography applications in iOS and iPadOS would allow Apple to scan photos on users’ devices for known CSAM images as those photos are uploaded to iCloud Photos, and then report matches to the National Center for Missing and Exploited Children (NCMEC). Apple says, “the hashing technology, called NeuralHash, analyzes an image and converts it to a unique number specific to that image,” which allows systems “to perform on-device matching using a database of known CSAM image hashes provided by NCMEC and other child-safety organizations.” NeuralHash is a perceptual hash rather than a cryptographic one: it is designed so that visually similar images, such as a resized or recompressed copy, produce the same value. That property is what makes matching against known images possible, and it is also why unrelated images can collide, which is the technical root of the false-positive concern.
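To make the hash-and-match mechanism concrete, the following is an added illustration, not Apple’s code and not NeuralHash (whose hash is produced by a neural network). It uses a simple difference hash (dHash) over a pre-scaled 9x8 grayscale image and matches against a blocklist with a Hamming-distance threshold, which is the generic perceptual-hash approach; Apple’s system instead tests for an exact hash match inside a cryptographic protocol. The images, the blocklist entry name and the threshold are all constructed for the example. The point it shows is the one the paragraph above makes: a brightened copy with a small local defect still matches, a SHA-256 of the same pixels does not, and a structurally different image stays far from the blocklist.

```python
"""Toy perceptual-hash matcher (added example; not Apple's NeuralHash).

The hash is perceptual, not cryptographic: near-identical images produce
near-identical bit strings, so matching uses a Hamming-distance threshold
rather than equality. Images and blocklist are constructed inline.
"""
import hashlib
from typing import Dict, List

Image = List[List[int]]  # 8 rows x 9 columns, grayscale 0..255


def dhash(img: Image) -> int:
    """One bit per horizontally adjacent pixel pair: 1 if right > left.

    An 8-row x 9-column image yields 8 rows x 8 pairs = 64 bits.
    """
    bits = 0
    for row in img:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(right > left)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_of(img: Image) -> str:
    """Conventional cryptographic hash of the raw pixels, for contrast."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def match_blocklist(h: int, blocklist: Dict[str, int], threshold: int) -> List[str]:
    """Return the blocklist entries within `threshold` bits of `h`."""
    return [name for name, known in blocklist.items() if hamming(h, known) <= threshold]


# --- constructed sample images (stand-ins for real photos) -----------------
def gradient(shift: int = 0) -> Image:
    """Left-to-right brightness ramp; `shift` brightens every pixel."""
    return [[10 + 20 * x + shift for x in range(9)] for _ in range(8)]


ORIGINAL = gradient()                        # the "known" image
REUPLOADED = gradient(shift=15)              # brightened copy ...
REUPLOADED[3][4] -= 20                       # ... with one local defect
MIRRORED = [row[::-1] for row in ORIGINAL]   # ramp reversed: every bit flips
HALF = [[10, 30, 50, 70, 90, 70, 50, 30, 10] for _ in range(8)]  # rises then falls

# Hypothetical blocklist: one known image, stored as its hash only.
BLOCKLIST = {"known-image-0001": dhash(ORIGINAL)}
THRESHOLD = 8  # bits; in practice tuned against a false-positive budget


def demo() -> dict:
    """Run the comparisons and return the observations."""
    return {
        "dist_reuploaded": hamming(dhash(ORIGINAL), dhash(REUPLOADED)),  # 1
        "dist_mirrored": hamming(dhash(ORIGINAL), dhash(MIRRORED)),      # 64
        "dist_half": hamming(dhash(ORIGINAL), dhash(HALF)),              # 32
        "hits_reuploaded": match_blocklist(dhash(REUPLOADED), BLOCKLIST, THRESHOLD),
        "hits_mirrored": match_blocklist(dhash(MIRRORED), BLOCKLIST, THRESHOLD),
        "sha256_same": sha256_of(ORIGINAL) == sha256_of(REUPLOADED),     # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold is the security-relevant knob: raise it and more altered copies are caught but more unrelated images fall inside the match radius; lower it and a trivially edited copy evades detection. A real deployment also has to ask who controls the blocklist, since the matcher cannot tell a CSAM hash from any other hash a database provider chooses to insert.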

“This is a really bad idea,” leading cryptographer Matthew Green tweeted at the start of a lengthy thread that sparked the now widespread uproar over Apple’s plan. The problem is that this system could be the tip of the spear that essentially provides an encryption backdoor that the US and other global authorities have sought since the 1990s. “This sort of tool can be a boon for finding child pornography in people’s phones, but imagine what it could do in the hands of an authoritarian government,” Green tweeted.

As the implications of what Apple is proposing became clear, over 4,000 security and privacy experts, cryptographers, researchers, professors, legal experts, and Apple customers signed An Open Letter Against Apple’s Privacy-Invasive Content Scanning Technology. The signatories, including NSA whistleblower Edward Snowden, contend that “Apple’s proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by iMattSmart on Unsplash

Articles

CISA unveils Joint Cyber Defense Collaborative with tech heavyweights…

The new initiative aims to provide organizations with unprecedented levels of information and context with an initial focus on ransomware and incident response for cloud providers.

Jen Easterly, the freshly installed head of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), yesterday unveiled a new federal initiative called the Joint Cyber Defense Collaborative (JCDC), which is structured to help lead the development of the country’s cyber defense plans. The JCDC aims to bring together the public and private sectors in a joint planning capacity to tackle cyber readiness and threats.

CISA’s announcement of the JCDC states that it will “bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.” The hope is that the plans will “promote national resilience by coordinating actions to identify, protect against, detect, and respond to malicious cyber activity targeting US critical infrastructure or national interests.”

The West Point-trained Easterly has had a long career in government, having served in the military, at US Cyber Command and the National Security Agency (NSA), and as senior director for counterterrorism on the National Security Council during the Obama administration. She also served a stint as head of global cybersecurity at Morgan Stanley. Speaking at the Black Hat conference, she appealed to the industry to help CISA refine the JCDC’s products so that they are more valuable and helpful.

Easterly relied on her military background to underscore the importance of planning in cybersecurity. “You got to plan in peacetime to prepare for wartime,” she said.

This article appeared in CSO Online. To read the rest of the article please visit here.


NSA, CISA release Kubernetes hardening guidance following Colonial Pipeline,…

The guidance seeks to educate IT administrators about cloud security risks and best practices for implementing and maintaining Kubernetes.

Earlier this week, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint document entitled Kubernetes Hardening Guidance. Kubernetes is an open-source orchestration system that automates the deployment, scaling and management of containerized applications, usually in a cloud environment. According to the most recent State of Kubernetes Security report by Red Hat, more than half of the security professionals surveyed said they had delayed deploying Kubernetes applications into production because of security concerns.

In addition, almost all of the respondents said they had experienced at least one security incident in their Kubernetes environment during the past year. Underscoring the depth of security concerns surrounding Kubernetes, 59% of respondents said they were most worried about unaddressed security and compliance needs or threats to containers.

The rapid shift to cloud environments, particularly since the advent of the pandemic, undoubtedly heightens these security concerns. It’s little surprise, then, that NSA and CISA felt the need to help organizations deal with security in a containerized environment, which is more complex than “traditional, monolithic software platforms.” Although the agencies tailored their guidance to system administrators of national security systems (systems containing classified or intelligence information) and critical infrastructure, they encourage administrators of federal and state, local, tribal, and territorial (SLTT) government networks to also implement the recommendations.

A Kubernetes cluster consists of a control plane and one or more worker nodes, which are physical or virtual machines. Nodes run pods, and each pod holds one or more containers; a container packages an application together with all of its dependencies.

The joint guidance says that while Kubernetes has always been a target for malicious actors seeking to steal data, threat actors are increasingly compromising Kubernetes systems to steal computing power, often for cryptocurrency mining.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Sigmund on Unsplash


Biden memo, infrastructure deal deliver cybersecurity performance goals and…

The White House initiatives and expected passage of the US infrastructure plan will set new cybersecurity standards for critical infrastructure, provide money to state and local governments.

Both the Biden administration and Congress continued their frenetic pace this week to beef up the country’s digital infrastructure protections through two highly consequential and unprecedented initiatives. Both efforts aim to prepare the nation for the next significant cybersecurity incidents, making up for time lost to the previous administration’s relative inattention to the topic.

First, the White House issued a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems.” The memo requires the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), working with other agencies, to develop cybersecurity performance goals for critical infrastructure. The hope is that companies responsible for providing essential services like power, water, and transportation would follow those voluntary goals to strengthen their cybersecurity.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Lucas Sankey on Unsplash


TSA issues second cybersecurity directive for pipeline companies

Experts applaud the agency’s new, detailed security requirements for US pipeline operators but question how they will be enforced or monitored.

The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) yesterday announced a second security directive that requires owners and operators of TSA-designated critical pipelines to implement cybersecurity measures that help protect against malicious digital incidents. This directive is a more expansive follow-up to an initial pipeline security directive issued on May 27, roughly two weeks after the highly disruptive ransomware attack against Colonial Pipeline.

The initial directive required pipeline companies to report cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA). It also required pipeline owners and operators to designate a cybersecurity coordinator available around the clock to coordinate cybersecurity practices and any cybersecurity incidents with TSA and CISA. Finally, that directive required companies to examine their cybersecurity practices and assess risks, identify gaps, develop remediation measures, and report the results to TSA and CISA.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mike Benna on Unsplash


18 new cybersecurity bills introduced as US congressional interest…

The new bills, many with bi-partisan support, aim to increase cybersecurity funding, improve breach reporting, investigate cryptocurrencies, and more.

The series of alarming cybersecurity incidents that spurred the Biden Administration to take swift action during its first six months has also prompted the US Congress to introduce new cybersecurity bills. In the little more than two months since CSO reported on what was then a busy Congressional cybersecurity agenda, lawmakers have introduced at least 18 additional bills to shore up and expand the nation’s cybersecurity capabilities.

In a sign that cybersecurity is becoming a higher legislative priority, the pace of Congress’ interest in a range of digital security matters seems to be accelerating. Last week alone, the House Committee on Energy and Commerce voted to advance six bills that primarily deal with digital security and two other bills that contain significant cybersecurity provisions.

This article appeared in CSO Online. To read the rest of the article please visit here.


Biden administration, US allies condemn China’s malicious hacking, espionage…

Global coalition calls on China to curtail its cyber activities. For the first time, the US blames China directly for ransomware attacks.

Following a push by the White House to address the ransomware crisis emanating from Russia and the imposition of sanctions on Russia for its spree of malicious cyber actions, the Biden administration has launched a multi-part strategy to shame another digital security adversary, China, into halting its digital malfeasance.

First, the administration formally accused China of exploiting zero-day vulnerabilities in Microsoft Exchange email servers, run on-premises by thousands of organizations, to implant what most experts consider reckless and damaging surveillance malware. Although Microsoft has long attributed that incident to a Chinese hacking group it calls HAFNIUM, the White House has now officially acknowledged China’s role in the attack.

In a statement, the White House said it is attributing “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

Secretary of State Antony Blinken said in a statement that “the United States government, alongside our allies and partners, has formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber-espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Nick Fewings on Unsplash


Biden Administration announces flurry of new anti-ransomware efforts

The defensive initiatives include a reward for information on nation-state actors and the formation of a new interagency ransomware task force.

Under pressure to halt ongoing and highly damaging ransomware attacks from Russian criminal groups, the Biden administration yesterday announced a flurry of defensive initiatives to deal with the crisis. These announcements come one week after President Biden issued a stark warning to Russian President Vladimir Putin to deal with the ransomware threat groups in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program, which the Diplomatic Security Service administers, will offer a reward of up to $10 million for information that leads to the identification of state-sponsored threat actors. Specifically, rewards will be given to those who supply information that leads to the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web reporting site to protect the safety and security of potential sources. Additionally, the RFJ program works with interagency partners to enable the rapid processing of information and the possible relocation of and payment to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced it would convene a FinCEN Exchange in August 2021 focused on ransomware concerns. The Exchange will be composed of financial institutions, other key industry stakeholders, and federal government agencies. The goal of the meeting is to inform FinCEN’s next steps in addressing ransomware payments.

This article appeared in CSO Online. To read the rest of the article please visit here.


NIST’s EO-mandated software security guidelines could be a game-changer

While experts applaud the new security guidance, it’s unclear whether software vendors will completely embrace and implement the needed security practices.

Following a string of high-profile supply chain hacks, President Biden’s wide-ranging executive order on cybersecurity (EO) issued on May 12 directed the National Institute of Standards and Technology (NIST) to produce guidance on a series of software security matters. First, the EO asked NIST to produce a definition of critical software, which it released at the end of June. Second, the EO directed NIST to publish guidance on security measures for EO-critical software use, which NIST released last Friday.

To tackle the complex issue of keeping software secure, NIST solicited papers from interested parties and held a two-day workshop to gain insight from industry and other experts. NIST defined five objectives for the operational-only (not covering development and acquisition matters) security measures:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage. Measures here include use of multi-factor authentication, following privileged access management principles, and employing boundary protection techniques.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. Measures here include maintaining a data inventory, protecting data at rest and in transit, and backing up data with a tested recovery plan.
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation. Measures here include maintaining a software inventory, having a patch management plan, and using configuration management practices.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms. Measures here include recording necessary logging information, continuous security monitoring, and using endpoint and network security protection.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms. Measures here include training all users and administrators of EO-critical software and conducting frequent awareness activities.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Fotis Fotopoulos on Unsplash


Ransomware talks: How Biden could push Putin to the…

Under pressure to end the ransomware scourge, the White House faces strong headwinds. The problem: Putin has no motivation to change the status quo.

As the United States comes out of yet another major attack by a Russian ransomware gang, this one leveled at Florida-based software provider Kaseya by the REvil threat group, the administration is ramping up its rhetoric about holding Russia responsible for the criminal actions taking place within its borders. During a recent press briefing, White House press secretary Jen Psaki said that high-level US national security officials have been in touch with top Russian officials about the Kaseya attack. She also said that another ransomware-focused meeting between the two countries is scheduled for next week.

Psaki also passed on a warning to Russia. “As the president made clear to President Putin, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will reserve the right to take action on our own.”

The next day, Biden called together his top advisors, including key players from the Department of Justice and the Department of Homeland Security, for a ransomware strategy session in the White House Situation Room. It’s not clear yet what the brainstorming produced, but the pressure is on the administration to end the ransomware scourge.

CrowdStrike co-founder and former CTO Dmitri Alperovitch and Russia expert Matthew Rojansky, director of the Wilson Center’s Kennan Institute, penned an op-ed urging Biden to give Russian President Vladimir Putin an ultimatum on ransomware. “If Putin chose to take the problem seriously, as Biden demands, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States,” they wrote.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Artem Beliaikin on Unsplash