Articles

Defining data protection standards could be a hot topic…

lead centered=”no”
Some states could follow the New York Shield Act’s lead and set clearer regulatory expectations for reasonable cybersecurity. Election security legislation likely not on the agenda.
/lead

Following nationwide elections, a new line-up of state lawmakers will be joining their veteran peers to dig into a host of cybersecurity issues during 2021. Since March, many, if not most, cybersecurity issues at the state level have been derailed so that legislators could grapple with the coronavirus’s overwhelming challenges. Most experts see cybersecurity matters continuing to take a back seat through at least the early months of 2021.

Aside from the pandemic, another factor driving a possible delay in state legislative momentum is the political division throughout the country. “States are going to ask, ‘What’s the likelihood we’re going to pass legislation and it’s going to get overturned at the national level,’” says Aaron Tantleff, a partner focused on cybersecurity and data privacy at Foley and Lardner. “There’s going to be a little more of ‘Let’s wait and see what’s going to happen at the national level.’”

Once the immediacy of the pandemic dissipates and the political heat cools, cybersecurity issues will likely surface again in new or revived legislation in many states, even if weaved throughout other related matters. It’s difficult to separate cybersecurity per se from adjoining issues such as data privacy, which has generally been the biggest topic to involve cybersecurity issues at the state level over the past four years. “You really don’t have this plethora of state cybersecurity laws that would be independent of their privacy law brethren,” Tantleff said.

According to the National Conference of State Legislatures, at least 38 states, along with Washington, DC, and Puerto Rico introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity as of September 2020. Setting aside privacy and some grid security funding issues, there are two categories of cybersecurity legislative issues at the state level to watch during 2021. The first and most important is spelling out more clearly what organizations need to meet security and privacy regulations. The second is whether states will pick up election security legislation left over from the 2020 sessions.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Lars Kienle on Unsplash

 

Articles

Passage of California privacy act could spur similar new…

lead centered=”no”
Voters approved the California Privacy Rights and Enforcement Act (CPRA), which in part limits how organizations can use personal data. Legal experts expect other states to follow suit.
/lead

On November 3, California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most privacy attorneys agree that the CPRA was created with the European Union’s General Data Protection Regulation (GDPR) in mind, adding teeth to the stipulations that existed in the CCPA. Consumers will be able to correct inaccurate personal information that business hold, and fines are steep for violating the children’s data protection requirements under the CPRA. Most of the law’s provisions will go into effect on January 1, 2023, with some provisions requiring a look-back to 2022.

The CPRA defines “sensitive personal information” to include an expansive range of data elements, including government-issued identifiers such as drivers licenses, passports, and Social Security numbers as well as financial account information, geolocation, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and information about sex life or sexual orientation.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Nathan Guisande on Unsplash

 

Advanced Persistent Threat

US DOJ indictments might force Russian hacker group Sandworm…

lead centered=”no”
Experts hope that indictments against six Russian military intelligence agents will make Russia rethink plans to disrupt the US election.
/lead

The US Department of Justice (DOJ) unsealed charges against six hackers who allegedly are part of Sandworm, a Russian military intelligence group responsible for a string of damaging and unprecedented acts of malicious digital activity. The breadth of crimes that DOJ accuses the hackers of committing is extensive, from shutting down Ukraine’s power grid — twice — to the launch of faux ransomware NotPetya, which caused billions of dollars in damages globally, to devastating cyberattacks on the 2018 Olympics in South Korea.

The indictment spells out multiple computer fraud and conspiracy charges against each defendant and is the first time Russia has been identified as the culprit behind the Olympic attacks. In those incidents, attackers deployed destructive malware called Olympic Destroyer to disrupt the 2018 games. The Russian hackers had attempted to blame North Korea, China and other adversaries as the culprit of those assaults through a series of false flags implanted in the malware that were designed to throw investigators off track.

The DOJ further alleges that the hackers and their co-conspirators helped Russia retaliate against former Russian spy Sergei Skripal by poisoning him, along with his daughter, with a weapons-grade nerve agent, Novichok. Other crimes outlined in the indictment are a series of spear phishing attacks against the country of Georgia and Georgian non-government organizations in January 2018 and a cyberattack in Georgia around October 2019 that defaced approximately 15,000 websites and disrupted service to them.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Steve Harvey on Unsplash

 

Articles

Common pitfalls in attributing cyberattacks

lead centered=”no”
Attack attribution is always difficult as criminal groups often share code and techniques, and nation-state actors excel at deception. Here, security researchers share their techniques and common pitfalls.
/lead

Attributing cyberattacks to a particular threat actor is challenging, particularly an intricate attack that stems from a nation-state actor, because attackers are good at hiding or erasing their tracks or deflecting the blame to others.

The best method for arriving at a solid attribution is to examine the infrastructure and techniques used in the attack, but even then, researchers can often get it wrong, as Paul Rascagneres and Vitor Ventura of Cisco Talos illustrated in a talk at the VB2020 conference on September 30.

Researchers typically rely on three sources of intelligence, Rascagneres said: open-source intelligence (OSINT), which is publicly available information on the internet, technical intelligence (TECHINT) that relies on malware analysis, and proprietary data available only to the organizations involved in the incident.

Nation-state intelligence agencies serve as another source of intelligence because they have more information and additional resources than the private sector, but intel agencies are often secretive about their methods. “In public sectors, they don’t give everything,” Rascagneres said. “They don’t explain how they get all the detail. How does it make the link?”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Kaitlyn Baker on Unsplash

 

Articles

Late-game election security: What to watch and watch out…

lead centered=”no”
Despite disruption of the Trickbot botnet network, last-minute leaks of stolen documents and post-election undermining of trust in the election system remain big concerns.
/lead

As we head into the final inning of what has been a dramatic US presidential election season, it’s clear the country has so far been spared the kind of high-stakes hacking and disinformation campaigns that marred the 2016 election. Still, US intel and cyber defense organizations are on the lookout for last-minute ransomware attacks and have been joined by their private sector counterparts while social media companies appear to be clamping down on disinformation efforts.

The most striking evidence that the US  may be better prepared than it was in 2016  is the extraordinary actions taken by US CyberCommand (CyberCom) to meddle with the Russian-language Trickbot botnet network, used to deliver malware, including ransomware, and frequently exploited by Russian military intelligence for plausible deniability. Following a scoop by journalist Brian Krebs that an unknown actor was meddling with Trickbot, news leaked over the weekend that CyberCom was the meddler.

CyberCom’s goal was to thwart any possible ransomware attacks on selected or strategically important jurisdictions. The military cyber arm might have also been pushed into action by a Trickbot-enabled ransomware attack on top healthcare provider Universal Health Services (UHS), which was forced to shutter digital operations when 400 of its computer systems were locked up by Ryuk ransomware.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

How SilentFade group steals millions from Facebook ad spend…

lead centered=”no”
SilentFade steals credentials and ad spend account information and sells the information to other bad actors. The group returned with improved malware after Facebook’s initial mitigation efforts.
/lead

Facebook is a magnet for scammers, thieves and other bad actors looking to swindle and manipulate the social media giant’s vast pool of users. One group discovered by Facebook’s in-house researchers took such a sophisticated approach to bilking Facebook users that it walked away with $4 million in an elaborate ad fraud scheme that went undetected by its victims.

Sachit Karve, speaking both for himself and fellow Facebook security researcher Jennifer Urgilez, offered more details about this scheme at the VB 2020 conference last week. Facebook insiders call the group behind it SilentFade and discovered that it came from a Chinese malware ecosystem that used different types of malware in its cybercrime sprees.

Facebook discovered the malware family near the end of 2018 but traced its origins back to 2016. SilentFade has a keen focus on social media targets. “SilentFade is interesting to us as it explicitly targets users of social networks and more recently services with social components like Amazon,” Karve said.

The name SilentFade comes from “Silently running Facebook ads with exploits.” “The malware is capable of running ads on Facebook, without the user’s knowledge, by exploiting a bug on the platform,” Karve said at the conference.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Brett Jordan on Unsplash

 

Articles

New FBI strategy seeks to disrupt threat actors, help…

lead centered=”no”
The FBI sharpens its focus on collaboration among US and foreign government agencies and the private sector. It will acting as a central hub to deal with cybersecurity threats.
/lead

Last week, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint announcement about the potential threat that foreign-backed online journals pose in spreading misinformation ahead of the crucial 2020 US presidential election. This alert, intended to raise public awareness based on government intelligence, reflects a new strategic direction by the FBI to work with partners across the federal landscape to better protect the American public and its allies from cyber threats.

“It’s a complex threat environment where our greatest concerns involve foreign actors using global infrastructure to compromise US networks,” Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division said during a conference at Auburn University’s McCrary Institute organized to debut the Bureau’s new strategy.

Ugoretz said that among the many factors the FBI must now juggle in dealing with cyber threats are:

  • The increased attack surfaces stemming from widespread work-at-home arrangements due to the COVID-19 crisis
    Attackers’ growing willingness to exploit the increased vulnerabilities the wider attack surface make possible
    The increase in availability of tools that threat actors use to launch attacks
    Growth in the number of both criminal and nation-state threat actors.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jack Young on Unsplash

 

Articles

CIOs say security must adapt to permanent work-from-home

lead centered=”no”
Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.
/lead

The entire US economy and government were forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organizations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

COVID has resulted in a lot of forward-looking changes, Jim Weaver, CIO of Washington State, said at the second day of the annual Cybersecurity Summit hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). “COVID has been our chief innovation officer. Now as a state we’re pivoting to change our service methodologies while in the middle of a pandemic and economic downturn.” Washington was the first state with a positive COVID case on January 14.

“Governor Inslee has been a big proponent for remote work for a lot of reasons and so we did have a culture and mindset in place already enabled to support it,” Weaver said. Washington had to jump from an average of 3,000 to 4,000 remote concurrent connections to 65,000 to 70,000 almost overnight. “That went pretty flawlessly, I’m pleased to say.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Charles Deluvio on Unsplash

 

Articles

Preventing insider threats: What to watch (and watch out)…

lead centered=”no”
Understanding human behaviors that precede malicious actions from an insider is the best way to avoid data loss or disruption, experts say.
/lead

September is officially National Insider Threat Awareness Month (NIATM) and the theme of this year’s NIATM is resilience. Of all the digital threats facing organizations, the insider threat can be the most vexing to tackle given how uncomfortable it can feel to suspect one’s own colleagues of wrongdoing. It’s challenging to set up systems and processes that might catch well-regarded peers or superiors in a harmful act.

At last week’s inaugural Insider Risk Summit, experts at corporations and cybersecurity firms gathered to talk about the top trends driving insider security threats and what security officers should know in trying to combat those threats. “There’s not one type of threat but there is a common aspect, which is that insiders are looking to get at critical assets of the organization — people, information, technology and facilities,” Michael Theis, chief engineer, Strategic Engagements at the US Community Emergency Response Team’s (CERT’s) National Insider Threat Center, said during his keynote talk.

Theis based most of his talk on the fraud model that CERT’s threat center has built on a data set of 2,500 verified insider incidents that resulted in sabotage or corporate threat. It’s important to define what exactly an insider threat is, Theis said. “It’s the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally to act in a way that could negatively affect the organization.” The people who could be considered insiders encompass a wide range of individuals from current or former full-time employees, part-time employees, temporary employees, contractors, and trusted business partners.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Austin Distel on Unsplash

Articles

FEATURE – The Mysterious Case of the Missing 250-Ton…

lead centered=”no”
In May, the Trump administration seized a $3 million transformer on its way to Colorado. What happened to it, and where is it now?
/lead

In May, the Trump administration seized a 250-ton, $3 million Chinese high-voltage transformer that was on its way to Colorado. It was taken to Sandia National Labs in New Mexico for reasons unknown. What happened to it still remains a mystery.

On May 1, the Trump Administration issued a surprise Executive Order (EO), “Securing the United States Bulk Power System.” The directive aims to keep critical equipment supplied by foreign adversaries out of the nation’s power grid due to supposed supply chain security threats. It requires the Secretary of Energy to work with other agencies in identifying the specific equipment from adversarial suppliers, particularly Chinese suppliers, that the government should bar from the bulk-power system.

The Department of Energy (DOE) has to issue relevant rules on the matter within 150 days, or by September 28. Shortly after the EO’s release came the surprising revelation that a federally owned utility managed by DOE, the Western Area Power Administration (WAPA), hijacked a nearly $3 million Chinese-manufactured transformer initially intended for one of its substations in Colorado. WAPA instead diverted it to one of DOE’s national laboratories, Sandia National Labs, in New Mexico.

The manufacturer of the high-voltage 500,000-pound transformer was Chinese company JiangSu HuaPeng Transformer Co., Ltd., or JSHP, which shipped the transformer from Shanghai to the Port of Houston in August 2019.JSHP’s North American representative Jim Cai told Motherboard his company planned to spend a couple of hundred thousand dollars to transport the high-grade steel using a particular kind of railroad car to WAPA’s Ault substation in Colorado, where JSHP would then install it. Like all electric substations, the Ault facility’s main purpose is to “step down” high-voltage electricity, typically above 1,000 volts, to lower, more manageable levels that can be distributed safely to homes and businesses.

Before the ship docked in Texas, WAPA told JSHP to cancel its plans to transport and install the transformer and to forget about selling a warranty on the equipment, which is almost always mandatory for highly specialized, expensive electrical system equipment. The utility then transported the transformer itself to Sandia. Since then, WAPA and DOE have been silent on this odd development, which has sparked confusion and concerns among utilities and industrial control system (ICS) security specialists.

This article appeared in Vice News. To read the rest of the article please visit here.

Photo by ETA+ on Unsplash