Articles

Biden’s cryptocurrency executive order addresses illicit financial risks

Early indications are that the cryptocurrency industry will work with the U.S. government to help minimize risk and make it harder for cybercriminals to profit from their activities.

The Biden administration issued its much-anticipated cryptocurrency executive order, laying out a wide-ranging investigation into digital assets to gain at least a preliminary grasp on how to address the rapidly growing $3 trillion financial market and its role in ransomware and other illicit activities. The order, entitled “Ensuring Responsible Development of Digital Assets,” outlines a series of far-reaching goals, including reducing the risks that digital assets could pose to consumers and investors, improving business protections, financial stability, and financial system integrity, combating and preventing crime and illicit finance, enhancing national security, fostering human rights and financial inclusion, and addressing climate change and pollution.

“Without oversight, the explosive growth in cryptocurrency use would pose risks to Americans and to the stability of our businesses, our financial system, and our national security,” an administration official said during a press briefing preceding the order’s release. “The absence of sufficient oversight can also provide opportunities for criminals and other malicious actors to leverage cryptocurrencies to launder the proceeds of their crimes or circumvent justly-applied sanctions,” the official said.

Reflective of the order’s even-handed tone, the official added, “At the same time, however, digital assets can also provide opportunities for American innovation and competitiveness, and promote financial inclusion.” To ensure that the U.S. government is not left out of these opportunities, the order also spells out a series of measures to create a federal central bank digital currency (CBDC) that at least 80 monetary authorities around the world are also exploring, and, in some cases, have introduced.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

Purported massive leak of Russian soldiers’ data could sink…

The publication of personal data on 120,000 Russian soldiers, if accurate, could provide a means to demoralize troops in Ukraine and make them targets for cyber campaigns.

In what security experts say is an unprecedented wartime leak, Ukrainian newspaper Ukrayinska Pravda published what it claims are the personal details of 120,000 Russian service personnel fighting in Ukraine. The nearly 6,000 pages of information, if accurate, contain names, registration numbers, and place of service for well over half of the estimated number of Russian soldiers who have invaded Ukraine.

The data was obtained by a Ukrainian think tank called The Center for Defense Strategies, which was created to monitor defense reforms and develop key government policies affecting Ukraine’s security and defense sector, with a particular focus on building independent analytical capabilities “at the level of the United States and Britain.” The Center is headed by former Ukraine Defense Minister Andriy Zahorodniuk. Its board includes international security expert Alina Frolova, state asset management expert Oleksiy Martsenyuk, former Ukrainian Foreign Minister Volodymyr Ohryzko, and economic and energy security expert Oleksandr Kharchenko.

High-profile Western security experts also sit on the Center’s board. Among them are the former U.S. Ambassador to Ukraine William Taylor, former Commander-In-Chief of U.S. European Command General Wesley Clark, former Special Defense Advisor to the Ukrainian Defense Ministry from Britain Phil Jones, and Professor of the Department of War Studies at King’s College Neville Bolt.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Kevin Schmid on Unsplash

 

 

Articles

Rash of hacktivism incidents accompany Russia’s invasion of Ukraine

Some in the cybersecurity community say actions on behalf of Ukraine help even the odds, while others warn that unauthorized hacking could interfere with government cyber operations.

In keeping with the hybrid nature of Russia’s invasion of Ukraine, several hacktivist groups and hackers have joined the fight in the embattled nation, including some hacktivists encouraged by the government of Ukraine itself. Although the hacktivists have been waging their version of cyber warfare mostly against Russian organizations, hacktivists sympathetic to Russia are also turning their weapons against Ukraine.

The following are notable hacktivist events that have occurred so far related to the Russian invasion of Ukraine.

  • IT Army of Ukraine emerges: Developers in Ukraine are joining an “IT army,” the IT Army of Ukraine, which has assigned them specific challenges. Announced on February 26, the group already has nearly 200,000 users on its main Telegram channel that it uses to hand out assignments and coordinate operations. The group was ostensibly responsible for shutting down the API for Sberbank, one of Russia’s major banks and Kremlin-aligned Belarus’s official information policy site. It’s not clear if the Ukraine government is behind the IT Army of Ukraine, even though Ukrainian officials have endorsed the effort.
  • Anonymous claims credit for website take-downs. Late last week, a Twitter account purporting to represent Anonymous wrote that “The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.” The Russian state-run TV channel RT website said it was a victim of a hacker attack, which it attributed to Anonymous.
  • Cyber Partisans of Belarus claim train hacks. Activist hackers in Belarus called the Cyber Partisans allegedly breached computers that control that country’s trains and brought some to a halt in the cities of Minsk and Orsha and the town of Osipovichi. The hackers purportedly compromised the railway system’s routing and switching devices and rendered them inoperable by encrypting data stored on them.
  • AgainstTheWest targeted Russian interests. Another hacktivist group known as AgainstTheWest claims to have hacked a steady stream of Russian websites and corporations, including Russian Government contractor promen48.ru, Russian Railways, the State University Dubna, and the Joint Institute for Nuclear Research.
  • The Anon Leaks says it messed with Putin’s yacht information. The Anon Leaks, a group purportedly an offshoot of Anonymous, said it changed the callsign of Russian President Vladimir Putin’s superyacht Graceful on MarineTraffic.com to FCKPTN. The hackers also found a way to alter the yacht’s tracking data, making it look as if it had crashed into Ukraine’s Snake Island and changing its destination to “hell.”
  • Presumed hacktivists hacked Russian EV charging stations. Hackers, presumably activists, hacked electric vehicle charging stations along Russia’s M11 motorway to display anti-Russian messages. The hackers likely gained access through a Ukrainian parts supplier called AutoEnterprise.
  • “Patriotic Russian hackers” helped hit Ukraine websites with DDoS attacks: Last week, some independent Russian hackers, so-called “patriotic Russian hackers,” or vigilantes who operate in a hacktivist-like mode, claim they helped bring down Ukrainian websites during the second round of DDoS attacks that hit the country.
  • Russian media outlets hacked to display anti-Russian messages. The websites of several Russian media outlets were hacked to display anti-Russian messages, with some of the sites going offline. The sites affected were TASS rbc.ru, kommersant.ru, fontanka.ru, and iz.ru of the Izvestia outlet. Some Russian media sources say anonymous was the source of these hacks.
  • Researcher leaked Conti gang’s messages: A Ukrainian security researcher leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang publicly sided with Russia over the invasion of Ukraine. (Conti backpedaled from its robust support of Russia after its Ukrainian affiliates objected). The leaked messages were taken by a Ukrainian security researcher who reportedly had access to Conti’s backend XMPP server from a log server for the Jabber communication system used by the ransomware gang.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Max Kukurudziak on Unsplash

 

Articles

NIST seeks information on updating its Cybersecurity Framework

Security community welcomes the update, but a U.S. GAO report cites slow adoption among government.

As it begins planning to revise its widely praised Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) has requested that interested parties supply comments on how NIST can improve the effectiveness of the CSF and its alignment with other cybersecurity resources. NIST’s last update of the framework, first released in 2014 under an executive order issued by President Obama, was in 2018.

“There is no single issue driving this change,” NIST Chief Cybersecurity Advisor Kevin Stine said in a statement. “This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

Skyrocketing cryptocurrency bug bounties expected to lure top hacking…

Bounties as high as $10 million dollars make hunting cryptocurrency vulnerabilities lucrative for those with the proper skillsets. It might eventually drive up fees for traditional bounties, too.

As high-stakes cryptocurrency and blockchain projects proliferate and soar in value, it’s no surprise that malicious actors were enticed to steal $14 billion in cryptocurrency during 2021 alone. The frantic pace of cryptocurrency thefts is continuing into 2022.

In January, thieves stole $30 million in currency from Crypto.com and $80 million in cryptocurrency from Qubit Finance. February started with the second-largest decentralize finance (DeFi) theft to date when a hacker exploited a token exchange bridge in Wormhole to steal $320 million worth of Ethereum.

The largest cryptocurrency hack so far took place last August when blockchain interoperability project Poly Network suffered a hack that resulted in a loss of over $600 million. In an unusual move, Poly unsuccessfully attempted to publicly negotiate with the hacker a post-theft “bug bounty” of $500,000 in exchange for returning the $600 million, a bounty worth six times more than that typically offered in traditional cryptocurrency bug bounty programs.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by WorldSpectrum from Pixabay

 

Articles

NIST releases software, IoT, and consumer cybersecurity labeling guidance

The new guidance aims to tighten security requirements for federally purchased software and give consumers better insight into the security of software and devices they buy.

On February 4, the National Institute of Standards and Technology (NIST) issued several documents and updates that spell out software security guidance and recommended consumer labeling practices for software and IoT devices. NIST also laid out its approach to consumer cybersecurity labeling projects.

These initiatives were mandated under President Biden’s wide-ranging executive order (EO) issued last May. They aim to tighten the federal government’s security requirements for the software products it purchases, hoping that the benefits will also flow to the private sector. The labeling initiatives aim to provide consumers greater insight into the security of the software and devices they purchase and spur greater transparency by consumer software and IoT device makers.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

4 alternatives to encryption backdoors, but no silver bullet

Alternatives to backdoors in end-to-end encryption exist, but not all address privacy and security concerns, say experts at last week’s Enigma conference.

End-to-end encrypted communication has been a boon to security and privacy over the past 12 years since Apple, Signal, email providers, and other early adopters first started deploying the technology. At the same time, law enforcement authorities around the globe have pushed for technological solutions to pry open the chain of protected end-to-end encrypted content, arguing that the lack of visibility provides a haven for criminals, terrorists and child abusers to hatch their plans with impunity.

In 2016, Apple prevailed in a now-famous legal standoff with FBI Director James Comey to unlock an encrypted phone used by a mass shooter in San Bernardino, California. In 2019, Attorney General William Barr revived the so-called backdoor debate to advocate some means of breaking encryption to thwart those who distribute child sexual abuse material. Last month, the UK government kicked off a PR campaign to lay the groundwork for killing off end-to-end encryption ostensibly to crack down on child sex abusers.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Tumisu, please consider ☕ Thank you! 🤗 from Pixabay

 

Alejandro Mayorkas

DHS creates Cyber Safety Review Board to review significant…

The CSRB will advise the President and Department of Homeland Security director, as well as review major security events starting with the Log4j exploits.

Following President Biden’s cybersecurity executive order issued last May, the Department of Homeland Security (DHS) announced on February 3 the creation of the Cyber Safety Review Board (CSRB). This public-private initiative is charged with reviewing and assessing significant cybersecurity incidents across government and the private sector. “The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the President and the Secretary of Homeland Security,” DHS said in announcing the statement.

The CSRB will start with 15 top cybersecurity leaders from the federal government and the private sector, including Robert Silvers, DHS undersecretary for policy, who will serve as chair, and Heather Adkins, Google’s senior director for security engineering, who will serve as deputy chair. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will manage, support and fund the board. CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with Silvers, and convening the board following significant cybersecurity events.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Spiske on Unsplash

 

Articles

Alpha-Omega Project takes a human-centered approach to open-source software…

The Linux Foundation and OpenSSF project, with backing from Microsoft and Google, aims to improve security of 10,000 open-source projects.

The Log4j vulnerability crisis that erupted in late-2021 heightened the security world’s awareness of supply chain risks in free and universally deployed open-source software. Following an intense holiday season push by admins and cybersecurity professionals to track and remediate the Log4j flaw, the White House held a meeting of industry leaders to discuss improving open source software security.

In a sign that the tech sector is stepping up efforts, the Linux Foundation and the Open Source Security Foundation (OpenSSF) have announced the Alpha-Omega Project. Backed by $5 million in initial funding from Microsoft and Google, the project seeks to improve software supply chain security for 10,000 open-source software projects by systematically looking for undiscovered vulnerabilities in open-source code and then working with project maintainers to get them fixed.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Spiske on Unsplash

 

Articles

OMB issues zero-trust strategy for federal agencies

All federal agencies must meet zero-trust goals that the U.S. Office of Management and Budget has set by 2024, building on earlier federal cybersecurity initiatives.

Through a memo issued by the Office of Management and Budget (OMB), the Biden administration issued a 30-page strategy to move the U.S. government toward a zero trust approach to cybersecurity. The strategy “represents a key step forward” in delivering on the president’s sweeping May executive order (EO) on cybersecurity, which contains a directive for federal government agencies to develop a plan to advance towards a zero trust architecture.

A hot buzz phrase in the cybersecurity world, zero trust is a model premised on the notion of “never trust, always verify.” The executive order defines zero trust as a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” OMB says that a “key tenet of a zero trust architecture is that no network is implicitly considered trusted.”

This article appeared in CSO Online. To read the rest of the article please visit here.