Articles

US cryptocurrency exchange sanctions over ransomware likely not the…

The sanctions against Suex, aimed to cut ransomware gangs off from their revenue, sends a signal to other exchanges that support criminal activity.

Days after the Russia-linked BlackMatter ransomware gang hit an Iowa grain cooperative with a ransomware attack, the Biden administration unveiled its latest effort to address the ongoing ransomware crisis. In a move designed to cut off ransomware gangs from their financial rewards, the Treasury Department announced that its Office of Foreign Asset Control (OFAC) placed Czech Republic-registered but Russian national-owned and -operated cryptocurrency exchange Suex on its sanctioned entity list, formally called the Specially Designated Nationals and Blocked Persons (SDN) List.

Suex facilitates “financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to the announcement. Treasury says that over 40% of Suex’s known transaction history is associated with illicit actors, representing $370 million in illicit trading.

OFAC included on the SDN list a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by Suex. These addresses received more than $934 million in various crypto assets overall. In addition, blockchain transactions tracking company Chainanalysis said that the Suex addresses have received more than $160 million in bitcoin alone from “ransomware actors, scammers, and dark net market operators” since the exchange was founded in 2018.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

Software cybersecurity labels face practical, cost challenges

The federal government wants consumer software to have cybersecurity labels; experts question the feasibility of the mandate.

As part of his extensive cybersecurity executive order issued in May, President Biden directed the National Institute of Standards and Technology (NIST) to develop two pilot labeling programs on the cybersecurity capabilities of internet-of-things (IoT) consumer devices and software development practices. Although these pilot programs won’t be mandatory for device or software sellers, they could likely raise market expectations. In addition, whatever labels come out of these programs would also carry with them some sense of government authority and might ultimately become part of the government contracting process.

Last week NIST held a two-day workshop on these topics. Of the two pilot programs, the consumer software labeling initiative is the trickier one given the ever-changing nature of software and the absence of any similar existing consumer software labeling initiative.

To help it grasp the more complex task of developing labels for software, NIST solicited one- to two-page labeling position papers from interested parties. In calling for these papers, NIST cited “the challenges and practical approaches to consumer software labeling,” asking` for feedback on the “technical criteria needed to support validation of consumer software security assertions that reflect a baseline level of secure practices.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

Federal agencies face new zero-trust cybersecurity requirements

The OMB and CISA issue guidance to move all federal agencies to a shared zero-trust maturity model for FY22-24. The catch: No new funding.

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, relies on stringent authentication and authorization processes to give users needed access to digital assets but in constrained ways that limit damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust cybersecurity security models throughout the federal government.

The documents released last week offer draft versions of these models. CISA and OMB call them “strategic and technical guidance documents meant to move the US government towards a zero-trust architecture.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Laura Heimann on Unsplash

Articles

Federal agencies face new zero-trust cybersecurity requirements

The OMB and CISA issue guidance to move all federal agencies to a shared zero-trust maturity model for FY22-24. The catch: No new funding.

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, relies on stringent authentication and authorization processes to give users needed access to digital assets but in constrained ways that limit damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust cybersecurity security models throughout the federal government.

The documents released last week offer draft versions of these models. CISA and OMB call them “strategic and technical guidance documents meant to move the US government towards a zero-trust architecture.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Laura Heimann on Unsplash

Articles

China’s PIPL privacy law imposes new data handling requirements

The Personal Information Protection Law will force global companies doing business in China to be more careful with cross-border flow of personal information.

As part of the country’s growing scrutiny over the tech sector, China enacted on August 21 a sprawling and comprehensive data privacy law, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. In combination with China’s newly enacted and still little-understood Data Protection Law, which goes into effect on September 1, 2021, this law promises to impose a host of new data privacy, security, and protective obligations on all US and global companies doing business in China.

These significant laws fit into China’s broad “informatization policy,” which Chinese President Xi Jinping has described as the modern equivalent of industrialization. However, the data protection law comes closer to serving more as a cybersecurity law than the PIPL. In his efforts to boost China to” cyber superpower” status, President Xi has famously said that “cybersecurity and informatization are two wings of one body, and two wheels of one engine.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Alejandro Mayorkas

Tech giants pledge at least $30 billion to improve…

Technology, financial, and education leaders commit to a wide range of initiatives to enhance the nation’s cybersecurity posture in collaboration with the Biden Administration.

Industry leaders from the technology, financial, and education sectors have pledged a wide range of private-sector initiatives to tackle the nation’s cybersecurity problems. Those efforts include increasing the cybersecurity talent pool, boosting security awareness, and better securing the software supply chain. Microsoft pledged $20 billion and Google pledge $10 billion to develop more advanced security solutions in areas such as security by design, zero-trust, software supply chain, and open-source software.
That announcement came at a meeting hosted by the Biden Administration yesterday where private sector leaders met with national security and cabinet team members to tackle the nation’s cybersecurity problems. Among the attendees from the government were:

Commerce Secretary Gina Raimondo
Energy Secretary Jennifer Granholm
Homeland Security Secretary Alejandro Mayorkas
SBA Administrator Isabel Guzman
National Security Advisor Jake Sullivan
Director of the National Economic Council Brian Deese
Senior Advisor and Director of the Office of Public Engagement Cedric Richmond
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger
National Cyber Director Chris Inglis
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly

This article appeared in CSO Online. To read the rest of the article please visit here.

Apple

Apple plan to scan users’ iCloud photos raises new…

Experts argue that Apple is clearing a path for governments to gain access to their citizens’ data–essentially an encryption backdoor.

A firestorm emerged on Friday and raged during the weekend over Apple’s new “Expanded Protections for Children,” a series of measures across Apple’s platforms aimed at cracking down on child sexual abuse material (CSAM). The new protections address three areas, including communications tools for parents and updates to Siri and search to help children and parents deal with unsafe situations.

The flashpoint for cryptographers, cybersecurity specialists, and privacy advocates is Apple’s planned use of “new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy.” The plan is to scan users’ photo libraries and then apply a new form of encryption to compare those photos to images from existing CSAM libraries.

The new cryptography applications in iOS and iPadOS would allow Apple to scan users’ entire photo libraries hunting for known CSAM images uploaded from their devices to iCloud Photos and then report these instances to the National Center for Missing and Exploited Children (NCMEC). Apple says, “the hashing technology, called NeuralHash, analyzes an image and converts it to a unique number specific to that image,” which allows systems “to perform on-device matching using a database of known CSAM image hashes provided by NCMEC and other child-safety organizations.”

“This is a really bad idea,” leading cryptographer Matthew Green tweeted at the start of a lengthy thread that sparked the now widespread uproar over Apple’s plan. The problem is that this system could be the tip of the spear that essentially provides an encryption backdoor that the US and other global authorities have sought since the 1990s. “This sort of tool can be a boon for finding child pornography in people’s phones, but imagine what it could do in the hands of an authoritarian government,” Green tweeted.

As the implications of what Apple is proposing became clear, over 4,000 security and privacy experts, cryptographers, researchers, professors, legal experts, and Apple customers signed An Open Letter Against Apple’s Privacy-Invasive Content Scanning Technology. The signatories, including NSA whistleblower Edward Snowden, contend that “Apple’s proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by iMattSmart on Unsplash

Articles

CISA unveils Joint Cyber Defense Collaborative with tech heavyweights…

The new initiative aims to provide organizations with unprecedented levels of information and context with an initial focus on ransomware and incident response for cloud providers.

Jen Easterly, the freshly installed head of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), unveiled yesterday a new federal initiative called the Joint Cyber Defense Collaborative (JCDC) which has been structured to help lead the development of the country’s cyber defense plans. The JCDC aims to bring together the public and private sectors in a joint planning capacity to tackle cyber readiness and threats.

CISA’s announcement of the JCDC states that it will “bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.”  The hope is that the plans will “promote national resilience by coordinating actions to identify, protect against, detect, and respond to malicious cyber activity targeting US critical infrastructure or national interests.”

The West Point-trained Easterly has a long career in the government, having served in the military, at US Cyber Command and the National Security Agency (NSA), and as senior director for counterterrorism on the National Security Council during the Obama administration. She also served a stint as head of global cybersecurity at Morgan Stanley. Speaking at the Black Hat conference, she appealed to the industry to help CISA refine the JCDC’s products to be more valuable and helpful.

Easterly relied on her military background to underscore the importance of planning in cybersecurity. “You got to plan in peacetime to prepare for wartime,” she said.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

NSA, CISA release Kubernetes hardening guidance following Colonial Pipeline,…

The guidance seeks to educate IT administrators about cloud security risks and best practices for implementing and maintaining Kubernetes.

Earlier this week, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA)  issued a joint document entitled Kubernetes Hardening Guidance. Kubernetes is an open-source orchestration system that relies on containers to automate the deployment, scaling and management of applications, usually in a cloud environment. According to the most recent State of Kubernetes Security report by RedHat, more than half the security professionals surveyed said they delayed deploying Kubernetes applications into production due to security.

In addition, almost all the security respondents said they had one security incident in their Kubernetes environment during the past year. Underscoring the depth of security concerns surrounding Kubernetes, 59% of respondents said they are most worried about unaddressed security and compliance needs or threats to containers.

The rapid shift to cloud environments, particularly since the advent of the pandemic, undoubtedly heightens these security concerns. It’s little surprise, then, that NSA and CISA felt the need to help organizations deal with security in a containerized environment, which is more complex than “traditional, monolithic software platforms.” Although the agencies tailored their guidance to system administrators of national security systems (systems containing classified or intelligence information) and critical infrastructure, they encourage administrators of federal and state, local, tribal, and territorial (SLTT) government networks to also implement the recommendations.

Within the Kubernetes architecture are clusters composed of control planes and one or more physical or virtual machines called worker nodes, which host pods that comprise one or more containers. The containers house software packages and all their dependencies.

The joint guidance says that while Kubernetes has always been a target for malicious actors to steal data, threat actors are increasingly drawn to Kubernetes systems to steal computation power, often for cryptocurrency mining.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Sigmund on Unsplash

Articles

TSA issues second cybersecurity directive for pipeline companies

Experts applaud the agency’s new, detailed security requirements for US pipeline operators but question how they will be enforced or monitored.

The Department of Homeland Security’s (DHS) Transportation Safety Administration (TSA) yesterday announced a second security directive that requires owners and operators of TSA-designated critical pipelines to implement cybersecurity measures that help protect against malicious digital incidents. This directive is a more expansive follow-up to an initial pipeline security directive issued on May 27, roughly two weeks after the highly disruptive ransomware attack against Colonial Pipeline.

The initial directive required pipeline companies to report cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA). It also required pipeline owners and operators to designate a cybersecurity coordinator available around the clock to coordinate cybersecurity practices and any cybersecurity incidents with TSA and CISA. Finally, that directive required companies to examine their cybersecurity practices and assess risks, identify gaps, develop remediation measures, and report the results to TSA and CISA.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mike Benna on Unsplash