Foreshadow speculative execution issue. Election security. Crypto wars. More assertive US cyber policies.

Foreshadow: a new speculative execution vulnerability.

A new speculative execution issue has been identified in Intel central processing units. The flaws, collectively called "Foreshadow," join the well-known family of Spectre and Meltdown. Foreshadow is in the process of being mitigated. There's so far no known instance of Foreshadow exploitation in the wild, and it seems unlikely that hackers could easily make use of it to attack systems (Bleeping Computer).

Securing the vote.

The states, which under the US system are responsible for conducting elections, remain concerned about the integrity of the ballot. Thirty-six  states have now deployed Albert sensors on their voting infrastructure to allow the Department of Homeland Security to observe state systems that manage either voter information or voting devices (Reuters).

The states also want the Feds to share more threat intelligence. Forty-four states and the District of Columbia took part in a Department of Homeland Security exercise this week  (US Department of Homeland Security). The states appear to have gained enough insight into the value of threat intelligence to decide that they want more of it (Reuters). Some advocate Federal standards for the conduct of elections, perhaps even mandatory standards (Atlantic Council).

The National Guard Bureau says several state governors have asked their Guard to review cybersecurity in advance of the midterm elections (C4ISRNET).

Election hacking...

MIT's Technology Review published a useful guide to the electoral attack surface, which they divide into quadrants. The first comprises voter registration systems that maintain records of who's authorized to vote. These systems tend to be old, accessed by many, and susceptible to hacking. The potential risk is a technically advanced version of having the dead cast ballots. 

The second involves voter check-in. Where poll workers use tablets instead of paper books, these networked devices are in principle vulnerable to compromise. A voter might be told—falsely—that they'd already voted and can't do so again.

The voting machines themselves resent the third attack surface. These tend to be either optical scanning devices that read and record paper ballots, or direct-recording electronic systems, for which a paper record may or may not be generated. There's some movement away from the more advanced and convenient (but more hackable) direct-recording electronic systems and back to paper, but thirteen states still use paperless machines, and five of them use nothing but.

Finally are the systems that tally and report votes. It would be more difficult to cook up a desired election result than many seem to think, but widespread hacking of these systems could cast doubt on results. There may be one historical case of this being done: some suspect that the Russian government deleted essential files from Ukraine's central election commission in ways that mucked up the 2014 vote. But in the US there are generally checks on outcomes done on a precinct-by-precinct basis. 

Any of these four families of technology, of course, could be hit with irritating malicious encryption in the form of ransomware or, more probably, distributed denial-of-service attacks. Such incidents are the usual coin of commodity cyberattacks, whether criminal or state-run.

...and election-focused influence operations.

It's worth distinguishing the hacking of electronic voting systems from malicious influence exerted online. Call these, respectively, cyberattack and information operations. There's been evidence over the last three years of foreign probing of US state voter databases. This can be considered the reconnaissance phase of a potential cyberattack, but much of what gets called "election hacking" involves influence operations. This is the sort of activity that's put pressure on social media, which in turn has prompted a civil libertarian backlash about censorship.

You will recall Facebook's removal of some thirty-two pages that were engaged in what the social medium called "inauthentic behavior." The inauthentic users were accounts created with bogus or at least dubious personae that were heavily involved in pushing various inflammatory political memes. Facebook didn't say it was a Russian trolling operation, but it strongly hinted so, and others have noted the similarity between their content and kinds of lines pushed by Moscow and St. Petersburg troll farms (Washington Post).

The Associated Press talked about this with various academic experts in communications and marketing and concluded that the Facebook pages the social medium recently expunged were following typical advertising playbooks, with affinity marketing supplemented by a heavy dose of moralistic aversion. The goal is discord, the method rumor, and the amplification is all on the regular people clicking, sharing, and liking. So there's nothing new here, but the skill shown by the presumably Russian persuaders is striking. They've demonstrated a solid understanding of their market, accurately hitting American social fissures. The endgame is mistrust. It's not so much that they want you to vote one way as opposed to another. They'd apparently rather you just stayed home, going out only to riot, because elections are, the troll farmers would suggest, nothing more than a sham (Buzzfeed).

Facebook continues to receive adverse scrutiny for its intensely targeting marketing capabilities. Sarah Golding of the Institute of Practitioners in Advertising says that Facebook "has essentially weaponized ad technology designed for consumer products and services.” The kind of "microtargeting" the platform can deliver, addressing cohorts as small as twenty with content specifically devised for them, is found as disturbing by the Institute and some members of both the UK's Parliament and the US Congress as it was found attractive by the Presidential campaigns of Presidents Obama and Trump (New York Times). Some form of regulation is under early consideration on both sides of the Atlantic. Last month the Information Commissioner's Office in Britain called for an "ethical pause" in microtargeting and some serious reflection on the implications of the technology for democratic systems (ICO). US Senator Warner (Democrat of Virginia) has a white paper addressing various approaches to election security (Axios).

The Mueller investigation into Russian hacking and influence operations during the 2016 US election continues (Bloomberg). President Trump, after stripping former Director of Central Intelligence Brennan of his security clearance over what the President characterizes as Brennan's complicity in a bogus witch hunt for Russian collusion (Wall Street Journal), is said to be considering taking away other former officials' clearances too (Washington Post). Brennan calls it all "hogwash" born of desperation (Military Times). FBI Special Agent Peter Strzok was fired by the Bureau this week. He was formerly involved in the Mueller investigation until his dismissal over texts appearing to suggest that political considerations were shaping investigations into Russian election meddling (New York Times).  

Crypto-wars update, Australian edition. 

There's a fresh offensive in the crypto wars, and this one comes out of Australia. The Government has announced its proposed regulations that would address encrypted communications used for criminal or espionage purposes, but explicitly ruled out any intention of backdooring systems. Instead, in cases of criminal investigations, national security matters, or significant threats to the financial system, the Government would be able to require individuals and companies to render various forms of assistance (Gizmodo). 

This hasn't mollified opponents of the measure, who don't see how the regulations could accomplish their purpose without unacceptable compromises of end-to-end encryption (Ars Technica).

Be careful when downloading Fortnite.

Epic Games, makers of the wildly popular Fortnite, pulled their signature game from Google Play as a business move to avoid Google's thirty-percent cut of downloads—understandable, because that's a lot of Vbucks by any standard. Cybercriminals have noticed this, and are using bogus Fortnite download sites to spread various forms of malware. If you want to upgrade your skin from Recon Specialist to Whiteout, be sure you're downloading the genuine article (WIRED).

You go on one little trade mission and now they're hacking you...

There are fresh signs of renewed Chinese industrial espionage. On Thursday Recorded Future blogged that much of the online spying is being staged through Tsinghua University infrastructure. While taking a look at Chinese government cyber surveillance of Tibetan groups, the company observed what it called a "novel Linux backdoor," called "ext4," in use. Their analysis of ext4 led the researchers to discover connection attempts to a compromised Tsinghua University CentOS server.

The operations run through university infrastructure served economic development as well as domestic security goals. Chinese intelligence services took a particular interest in the US state of Alaska, targeting Alaskan state government sites, including the Alaska Department of Natural Resources. Alaskan extraction industries are major exporters to China, selling timber, lead and gold ores, petroleum byproducts, and—the biggest category of export—seafood. A noticeable spike in attention to Alaska appeared after a May trade mission the state sent to China (Reuters).

Patch notes.

August's Patch Tuesday occurred this week. Microsoft addressed sixty flaws, two zero-days among them (KrebsOnSecurity). The zero-days were CVE-2018-8414 and CVE-2018-8373. 

CVE-2018-8414 involves the use of SettingContent-ms files, and these are Windows 10 control panel shortcuts, to distribute malware. Signs of this sort of exploitation began to appear early last month, and Redmond has now upgraded Windows 10 so that Windows Shell now validates file paths when SettingContent-ms files are executed.

CVE-2018-8373 is a remote code execution vulnerability that arises from the scripting engine's problematic handling of objects in memory in Internet Explorer.

Among other vulnerabilities attracting attention is CVE-2018-8340, discovered by researchers at Okta. This one is a security bypass exploit that's made possible when Active Directory Federation Services (ADFS) mishandling of multi-factor authentication requests. Okta's account suggests the vulnerability would be most easily used by a malicious insider interested in achieving elevated privileges or in spoofing another legitimate user's account. An outside threat could also exploit the issue, although in this case they'd need to support their effort with more ambitious phishing or other forms of social engineering. But such efforts have been successful in the past, and organizations should patch, especially organizations that use ADFS as an identity gatekeeper (SecurityWeek).

Adobe also patched, fixing eleven problems in its products. The breakdown is as follows: five issues were fixed in Adobe Flash Player, three in Adobe Experience Manager, two in Adobe Acrobat and Adobe Reader, and one in the Adobe Creative Cloud Desktop Application. The potential impact of unpatched systems' exploitation includes information compromise, privilege escalation, arbitrary code execution, and unauthorized data manipulation or alteration (SecurityWeek).

Crime and punishment. 

A teenager in Melbourne, Australia, appeared in Children's Court Thursday to plead guilty to charges of hacking Apple servers and obtaining some 90 Gb of material he shouldn't have had, including customer information. His name is being withheld because he's a minor, and so are details of the hack, which defense counsel says would lead to his being identified, since he's become "well-known in the international hacking community" (The Age).

Courts and torts.

A cryptocurrency speculator is suing AT&T over his loss of $24 million in alt-coin due to a sim-swap fraud. He's also seeking $200 million in punitive damages, alleging that an AT&T employee was responsible for the loss, and that the company was indifferent to this form of criminality (Globe Newswire).

Policies, procurements, and agency equities.

The National Defense Authorization Act (NDAA) for Fiscal Year 2019, passed by Congress at the beginning of the month and signed into law by the President on Monday, contains some direction for more American assertiveness in cyberspace. The bill states that the Secretary of Defense has authority to conduct military operations in cyberspace in defense of the US and its allies. "All instruments of national power," including particularly cyber offensive capabilities, are available for use against foreign powers operating against American interests in cyberspace.

The NDAA also addresses deterrence, saying that the US "must develop and, when appropriate, demonstrate to adversaries the existence of cyber capabilities to impose costs on any foreign power targeting the United States." Congress is specifically interested in hearing about specific plans for imposing costs on adversaries, and it wants the Administration to tell it when it needs regulatory or legislative action in support of cyber deterrence. The NDAA desires progress in "advancing technologies for attribution, inherently secure technology and artificial intelligence society-wide" (SIGNAL).

Congressional action anticipated Presidential action. On Tuesday Administration officials acknowledged that the President has rescinded his predecessor's Presidential Policy Directive 20, presumably in the direction of greater delegation of authority to conduct offensive cyber operations, particularly in response to foreign cyber attacks on the US. Those who welcomed the news think it's a sign of greater US agility in cyberconflict. Critics are of two minds. Hawks fear it won't go far enough to deter adversaries and would like to see an even more active posture (Fifth Domain). Skeptics who liked PPD 20 fear that scrapping it will make a muddle of coordination and target selection (Washington Post).

The US Securities and Exchange Commission has issued more stringent rules about breach disclosure (Forbes). 

In a generally well-reviewed move, the FBI appointed Amy Hess Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch (FBI). Hess, a veteran of the FBI's science and technology arm, is among other things regarded as relatively speaking a crypto-wars dove, at least by Bureau standards (Washington Post). 

Fortunes of commerce.

Kaspersky Lab and the Government have filed their final briefs in the security company's law suit challenging Congressional and Administration action banning it from US Government networks. Kaspersky contends, essentially, that the ban amounts to an unconstitutional bill of attainder, illegitimate legislative punishment. A judicial panel will hear the case on September 14th (Nextgov).

Google employees aren't happy about their company's flirtation with a censored search engine for the Chinese government (New York Times).

The labor market.

That Australian teenager who hacked Apple servers supposedly did so because he was a huge fan of the company and hoped to work there some day. Pro-tip, kids: this isn't the best way of getting a recruiter to put your resume at the top of the pile (Naked Security).

Mergers and acquisitions.

Comodo CA has acquired website disaster recovery shop CodeGuard (CRN).

EZShield has acquired IdentityForce for its identity protection capabilities (BusinessWire).

Cisco beat earnings this week. Analysts attribute the good results to the company's focus on security, and they like its recent acquisition of Duo (TechCrunch).

Investments and exits.

Exabeam, aspiring to "be the next Splunk," has raised $50 million in a Series D round led by Lightspeed Venture Partners, with participation by Cisco Investments, Norwest Venture Partners, Aspect Ventures, Icon Ventures, and Shlomo Kramer (Venture Beat).

Portland, Oregon, based Twistlock, specializing in container security, has raised a Series C round of $33 million led by ICONIQ Capital (SecurityWeek).

Safe-T is going public. The company, which will trade on the Nasdaq, intends to use the proceeds for R&D, and for scaling up sales and marketing (StreetInsider)

And security innovation.

IARPA's new director wants to invest in research that could lead to methods of predicting cyberattacks (Fifth Domain).

Israel is investing the equivalent of $24 million to support cybersecurity innovation (Reuters).

Facebook awarded a total of $200 thousand to the top three winners of its Internet Defense Prize at USENIX in Baltimore this week (Facebook Research).