Washington, DC: the 10th Annual Billington CyberSecurity Summit
Analysis | The Cybersecurity 202: New NSA cyber lead says agency must share more info about digital threats (Washington Post) Ann Neuberger will lead the new NSA Cyber Directorate launching Oct. 1.
NSA Cyber Chief Wants to Share Digital Threats Early and Often (Nextgov.com) The agency has historically been slow to share threat intelligence but accelerating that process would help the government get ahead of cyber adversaries, according to Anne Neuberger.
NSA looks to ‘up its game’ in cyber defense (Fifth Domain) NSA's new cybersecurity directorate seeks to provide private sector with better unclassified intelligence.
OMB's CyberStat program is 'evolving' (FCW) Following an audit that found the Office of Management and Budget could be making better use of the cybersecurity reviews, Federal CISO Grant Schneider said agency is looking at revamping the program ahead of next fiscal year.
Top IT official names China as main cyber threat to US (TheHill) A top IT government official on Wednesday said China poses the biggest cyber threat to the U.S.
Pentagon, NSA Laying Groundwork for AI-Powered Cyber Defenses (Nextgov.com) Officials are developing a consistent framework for collecting cyber data, which could ultimately help train tools to monitor networks and detect suspicious behavior.
CISO Schneider: OMB Focused on ‘Maximum Support’ for Agency Cyber (MeriTalk) Grant Schneider, the Federal government’s chief information security officer, said the Office of Management and Budget (OMB) is aiming to provide “maximum support” to Federal agencies as they work to improve network security.
Here are the 2020 priorities for DHS’ cyber initiative (Fifth Domain) The Department of Homeland Security in the next three months will roll out a visualization agent allowing agencies to better apply data on their cybersecurity risks and vulnerabilities.
Cox Previews CDM Program Office Priorities for FY2020 (MeriTalk) Kevin Cox, program manager for the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, today detailed several priorities for the program office in FY2020 that begins next month. Those include focus on the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, the new dashboard ecosystem, enterprise mobility management, cloud security, and protection of high-value assets.
DOD: Contractors Will Need Cyber Certification Beginning Next Summer (Air Force Magazine) Bidders for USAF contracts, or any DOD business, will have to get certified as cybersecure before they can win the work starting next year, the newly minted chief information security officer for the assistant defense secretary for acquisition said.
A FedRAMP plan to strengthen cloud security (Federal Times) The Federal Risk and Authorization Management Program wants threat intelligence reports to make its audit process smarter.
The Army wants more coders alongside operators (Fifth Domain) The Army is embedding coders with its cyber operators to help solve problems in real time.
No, NASA Did Not Say It's Developing Its Own Cryptocurrency (Gizmodo) Let’s get one thing straight right now: “crypto” means “cryptography.” It does not mean “cryptocurrency.” Unless you’re a person who thinks the blockchain is the future, that is, which is how we ended up with the dumbest news cycle this side of a measles outbreak.
Cyber Attacks, Threats, and Vulnerabilities
‘We’re at War’: A Covert Social Media Campaign Boosts Military Rulers (New York Times) After protesters were killed in Sudan, an obscure Egyptian company ramped up a covert influence operation that spanned the Middle East and North Africa.
China hacked Asian telcos to spy on Uighur travelers: sources (Reuters) Hackers working for the Chinese government have broken into telecoms networks to...
UPSynergy: Chinese-American Spy vs. Spy Story (Check Point Research) Earlier this year, our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye (a.k.a APT3, or UPS team). One of the key findings in their publication was that variants of the Equation tools...
Hong Kong Protesters Are Using This ‘Mesh’ Messaging App—But Should They Trust It? (Forbes) Bridgefy has gained a significant following in Hong Kong. But is it secure and trustworthy?
A Chinese APT is now going after Pulse Secure and Fortinet VPN servers (ZDNet) Security researchers spot Chinese state-sponsored hackers going after high-end enterprise VPN servers.
Chinese APT group targets Fortinet and Pulse servers (SC Media) VPN servers in the firing line from state-sponsored hackers.
China Set Traps To Capture Dangerous NSA Cyberattack Weapons: New Report (Forbes) Cybersecurity researchers at Check Point claim China deliberately captured NSA cyberweapons to target U.S. allies.
Chinese cyber hackers have built a backdoor in US-China trade war, says report (Fox News) China is now trying to hack into U.S. networks to exploit the ongoing trade war, experts say.
Monster.com says a third party exposed user data but didn’t tell anyone (TechCrunch) An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online. The server contained résumés and CVs for job applicants spanning 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email ad…
Zero-day privilege escalation disclosed for Android (Ars Technica) Google has so far remained mum on the flaw, which affects fully patched devices.
Warning over new Android spyware, dubbed Joker, found in 24 malicious apps in Google's Play store (Computing) Joker malware can read SMS messages, contact lists and other information on victims' Android handsets
#privacy: “Joker” trojan signs users up for premium subscriptions (PrivSec Report) A new Android trojan dubbed “Joker” has been discovered with malware dropper and spyware capabilities in 24 Google Play Store apps. In a blog post, researcher Aleksejs Kuprins from CSIS Security Group described how he had observed the Joker on Google Play. It was detected in 24 apps with over 472,000 installs in total. It …
Analysis of Joker — A Spy & Premium Subscription Bot on GooglePlay (Medium) Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over…
URGENT/11 - New ICS Threat Signatures by Nozomi Networks Labs (Nozomi Networks) A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11. Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.
Facebook loses control of key used to sign Android app (Naked Security) What should be a private key used to vouch for the ‘Free Basics by Facebook’ app was used to sign unrelated apps.
Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too (New York Times) Hackers have been targeting regular people and celebrities with the attack. Last week, it was used to hijack the Twitter account of Twitter’s C.E.O.
Report: Data Breach Reveals Private Emails of International Manufacturing Firm (vpnMentor) Led by Noam Rotem and Ran Locar, vpnMentor’s research team has found a data breach in the email platform used by a South Korean company, DKLOK. DKLOK is an ...
FUSD schools closed Thursday due to cybersecurity intrusion (Arizona Daily Sun) Flagstaff Unified School District has canceled classes at all of its schools Thursday, September 5 after officials discovered powerful malware in its servers Wednesday morning.
Ransomware demanded $5.3M from Massachusetts city in July attack (StateScoop) New Bedford, Mass., initially tried negotiating with the hackers behind the Ryuk virus, but ended up fixing its systems itself after a counteroffer was rejected.
Texas says half of agencies hit by ransomware have recovered (Washington Post) Texas authorities say they aren’t aware of any money paid to hackers who used ransomware to target more than 20 communities
Why Social Media is Increasingly Abused for Phishing Attacks (PhishLabs) For more than a decade the use of social media has grown, and along with it, so have the tactics used by threat actors to abuse each kind.
Rockwell Automation Allen-Bradley PowerMonitor 1000 (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
Vendor: Rockwell Automation
Equipment: Allen-Bradley PowerMonitor 1000
Vulnerabilities: Cross-site Scripting and Authentication Bypass
Red Lion Controls Crimson (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Red Lion Controls
Equipment: Crimson (Windows configuration software)
Vulnerabilities: Use After Free, Improper Restriction of Operations within the Bounds of a Memory Buffer, Pointer Issues, Use of Hard-coded Cryptographic Key
Rockwell Automation Arena Simulation Software (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Low skill level to exploit
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
--------- Begin Update A Part 1 of 3 ---------
Vulnerabilities: Use After Free, Information Exposure, Type Confusion, Insufficient UI Warning of Dangerous Operations
--------- End Update A Part 1 of 3 ---------
BD Pyxis (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Becton, Dickinson and Company (BD)
Equipment: Pyxis
Vulnerability: Session Fixation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain access to the device with the Active Directory (AD) credentials of a previously authenticated user.
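The Pyxis advisory names the flaw class but not the mechanism. The following added example (not BD's code, not taken from the CISA advisory) shows the session fixation pattern in a toy in-memory session store: a login handler that keeps whatever session id the client presented, beside one that discards the pre-authentication session and issues a fresh id on login. The user database and the planted session id are constructed for the demo.

```python
"""Session fixation: vulnerable vs. hardened login flow (added example).

Toy in-memory session store standing in for a web app's session layer. It is
not BD Pyxis or any real product; USERS and the planted id are constructed.
"""
import hmac
import secrets

USERS = {"alice": "correct horse battery"}  # constructed; real code stores a hash


def check_password(username, password):
    expected = USERS.get(username, "")
    # compare_digest avoids leaking how many bytes matched through timing
    return bool(expected) and hmac.compare_digest(expected, password)


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": None or username}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, presented_sid, username, password):
        """Fixation bug: trusts the id the client presented (even one the
        server never issued) and marks that same id as authenticated, so
        whoever planted the id now holds an authenticated session."""
        if not check_password(username, password):
            return None
        self.sessions.setdefault(presented_sid, {"user": None})["user"] = username
        return presented_sid

    def login_hardened(self, presented_sid, username, password):
        """Fix: drop the pre-authentication session and issue a fresh id on
        the privilege change, so a planted id never becomes authenticated."""
        if not check_password(username, password):
            return None
        self.sessions.pop(presented_sid, None)
        fresh_sid = self.new_session()
        self.sessions[fresh_sid]["user"] = username
        return fresh_sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def simulate_fixation(hardened):
    """Attacker plants a known session id in the victim's client (crafted link,
    cookie injection), the victim logs in carrying it, the attacker then
    presents the same id. Returns the user that id resolves to afterwards:
    'alice' means the fixation worked, None means the planted id is dead."""
    store = SessionStore()
    planted = "attacker-chosen-session-id"  # constructed
    login = store.login_hardened if hardened else store.login_vulnerable
    victim_sid = login(planted, "alice", "correct horse battery")
    assert victim_sid is not None  # the victim's own login succeeds either way
    return store.whoami(planted)


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(hardened=False))  # alice
    print("hardened:  ", simulate_fixation(hardened=True))   # None
```

The check a reviewer would look for is the `pop` plus `new_session` pair on every privilege change (login, role elevation, password reset); a server that also refuses ids it never issued closes the `setdefault` path entirely.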
The transitive property of cloud security - the weakest link can be the one you didn’t know existed (Diginomica) Security concerns around cloud services adoption.
Over 600,000 China-made GPS trackers have '123456' as default password (CNET) The trackers, advertised for children and the elderly, are being used in the US, Europe and elsewhere. And they've got some serious security issues.
Security Patches, Mitigations, and Software Updates
Too bad, so sad, exploit devs: Google patches possibly several million dollars' worth of security flaws in Android (Register) Except one – a 'your phone is now my phone' bug reported months ago and still not fixed
Cyber Trends
Terrorism, espionage, and cyber: ASIO's omne trium perfectum (ZDNet) ASIO's outgoing Director-General of Security reflects on the 'security triptych' that is of utmost concern to Australia's national security.
New Global Kaseya Survey Examines State of IT Operations for SMB; Highlights Stagnant Maturity and Need for Proactive IT Management (Kaseya) Fifth annual survey of SMBs and midmarket enterprises shows no improvement in IT maturity levels in three years, while security remains top concern
2019 IT Operations Survey Report (Kaseya) Download a free copy of the 2019 IT Operations Benchmark Survey Report to get a deeper insight into the inner workings of IT departments in SMBs.
Netwrix survey: 98% of educational institutions are not hiring dedicated staff to improve cloud security (Netwrix) Even though cloud technologies are becoming more popular in the education sector, management is still reluctant to invest in cloud data security initiatives, study finds.
Both Liberals, Conservatives Say They Are Confident They Can Spot Fake News as the 2020 U.S. Presidential Election Draws Near (Business Insider) People are aware of fake news on social media and are confident in their ability to spot it, according to a new su...
McAfee CEO Chris Young Contemplates The Future Of Cyber Security (Forbes) Chris Young has been in the cyber security industry for a quarter of a century, having been an entrepreneur in the space, having run security businesses units within Intel, Cisco, and AOL, and now as the CEO of McAfee. In this interview, he describes how he stays current in a rapidly evolving field.
Marketplace
Palo Alto Networks Acquires IoT Security Firm Zingbox for $75 Million (SecurityWeek) Palo Alto Networks acquires IoT security firm Zingbox for $75 million and announces financial results for FY 2019.
Palo Alto Networks Integrates IoT Security, Firewall With Zingbox Buy (CRN) Palo Alto Networks will become the only vendor capable of delivering IoT security as an integrated service through the firewall following its acquisition of Zingbox, said Chief Product Officer Lee Klarich.
BigID announces $50M Series C investment as privacy takes center stage (TechCrunch) It turns out GDPR was just the tip of the privacy iceberg. With California’s privacy law coming on line January 1st and dozens more in various stages of development, it’s clear that governments are taking privacy seriously, which means companies have to as well. New York-startup BigID, …
Palantir to Seek Funding on Private Market, Delay IPO (Bloomberg) Peter Thiel’s data company in talks with non-U.S. investors. IPO could be postponed until 2022 or 2023, sources say.
Vietnam's Viettel shuns Huawei 5G tech over cybersecurity (Nikkei Asian Review) Country's top three carriers choose alternatives to Chinese gear supplier
Here's a peek at how reporter Becky Peterson got inside the notorious and secretive NSO Group (Business Insider) Business Insider is taking you behind the scenes of our best stories with our new series "The Inside Story."
Foremost IAM Experts Join Semperis to Capture Global Demand for Identity-Driven Enterprise Protection (BusinessWire) Foremost IAM Experts Join Semperis to Capture Global Demand for Identity-Driven Enterprise Protection
Brunswick Taps Ex-US Cyber Command Chief Rogers (O'Dwyers PR) Mike Rogers, retired US Navy admiral who served as commander of the US Cyber Command and director of the National Security Agency, has joined Brunswick Group in its Washington office.
Products, Services, and Solutions
Speeding IT Visibility into OT: New Integrations with Fortinet (Nozomi Networks) Fortinet and Nozomi Networks achieved another partnership milestone with two new integrations that deliver full security visibility and management across IT and OT environments. Now with comprehensive integrations for FortiGate, FortiNAC, and FortiSIEM, we’re helping eliminate the gap between IT and OT. Read on to learn how the integrations provide full visibility across IT and OT, allowing customers to detect and respond to threats more effectively.
DigiCert Announces Post-Quantum Computing Test Kit (DigiCert) This PQC test kit is designed for technical users who want to try out the process of installing the hybrid RSA/PQC certificate (TLS or IoT). The kit will be useful for PKI architects and technical solution designers across a variety of industries
Proofpoint Expands Okta Partnership to Protect Users Most Targeted by Cyberattacks; Integrates People-Centric Intelligence with Okta’s Identity Cloud (Proofpoint US) Proofpoint, Inc., a leading cybersecurity and compliance company, today announced an expansion to its technology partnership with Okta, Inc, the leading independent provider of identity for the enterprise, to bolster how organizations protect their most at-risk users from sophisticated cyberattacks.
DivvyCloud Announces New Channel Partner Program to Meet Growing Demand for Automated Cloud Security and Compliance (BusinessWire) DivvyCloud Announces New Channel Partner Program to Meet Growing Demand for Automated Cloud Security and Compliance
SyncDog Announces Partnership with Symantec to Provide a Holistic Approach to Mobile Threat Defense (BusinessWire) SyncDog Announces Partnership with Symantec to Provide a Holistic Approach to Mobile Threat Defense
ThreatModeler Announces New U.S. Distribution Relationship with Promark (PR Newswire) ThreatModeler™, provider of the industry's #1 automated threat modeling platform, announced today it has...
Exabeam Expands International Availability of Cloud-based SIEM to Help Organizations Modernize Security Operations - Exabeam (Exabeam) With Exabeam SaaS Cloud, security teams across Canada, Europe, Asia-Pacific and South America can now easily migrate security[...]
DataBank Enhances Data Protection Services with Turn-key Disaster Recovery as a Service Offering (PR Newswire) DataBank, a leading provider of enterprise-class data center, connectivity and managed services, announces the...
Guardicore Partners with Mellanox to Deliver Agentless and High-Performance Micro-Segmentation in Data Centers (PR Newswire) Guardicore, a leader in internal data center and cloud security, today announced that it has...
Cyxtera Federal Group Receives GSA IT Schedule 70 Contract (Cyxtera) Cyxtera provides data center colocation, enterprise application cloud computing provider, hybrid cloud, cybersecurity and analytics solutions.
101domain expands security offering to include nearly two dozen new SSL Certificate solutions to fit every business and budget (PR Newswire) Security isn't one size fits all. For this reason, 101domain has added nearly two dozen new SSL Certificates...
Machine Learning is Helping to Combat Cyberthreats (PR Newswire) Domain Name System (DNS) tunneling remains a popular method used for cyberattacks because too many organizations...
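The press release names DNS tunneling without showing what a detector looks at. The following added example (not the vendor's product, and not machine learning) runs the plain heuristics a SOC would apply before any model: per base domain, the length and Shannon entropy of the first label and the share of never-repeated subdomains, since data encoded into query names produces long, high-entropy, one-shot labels. The log format (timestamp, client, qname, qtype), the sample lines and the thresholds are constructed assumptions; `base_domain` takes the last two labels where a real deployment would consult the public suffix list.

```python
"""Heuristic DNS tunneling detector over constructed resolver log lines.

Added example; not the product in the press release. Log format, thresholds
and the two-label base-domain rule are assumptions for the demo.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: three ordinary lookups, one short CDN-style label, and six
# lookups whose first label is 32 distinct hex characters under one base domain.
SAMPLE_LOG = """\
2019-09-06T10:00:01 10.0.0.5 www.example.test A
2019-09-06T10:00:02 10.0.0.5 mail.example.test A
2019-09-06T10:00:03 10.0.0.5 www.example.test A
2019-09-06T10:00:04 10.0.0.9 d3a1b2c4.cdn-demo.test A
2019-09-06T10:00:05 10.0.0.7 a3f9c0e1b7d24e5f6a8b9c0d1e2f3a4b.exfil-demo.test TXT
2019-09-06T10:00:06 10.0.0.7 5c2d8e7f9a1b3c4d6e0f2a3b4c5d6e7f.exfil-demo.test TXT
2019-09-06T10:00:07 10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.exfil-demo.test TXT
2019-09-06T10:00:08 10.0.0.7 f1e2d3c4b5a69788796a5b4c3d2e1f00.exfil-demo.test TXT
2019-09-06T10:00:09 10.0.0.7 9d8c7b6a5f4e3d2c1b0a99887766554f.exfil-demo.test TXT
2019-09-06T10:00:10 10.0.0.7 2a4b6c8d0e1f3a5b7c9d0e2f4a6b8c1d.exfil-demo.test TXT
"""


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    """Yield (client, qname, qtype) from 'timestamp client qname qtype' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the detector
        _ts, client, qname, qtype = parts
        yield client, qname.rstrip(".").lower(), qtype.upper()


def base_domain(qname):
    """Last two labels (assumption; use the public suffix list in production)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile(records):
    """Per base domain: query count, unique-subdomain ratio, mean first-label
    length and entropy, and share of TXT/NULL queries (common tunnel carriers)."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0.0, "ent": 0.0, "txt": 0})
    for _client, qname, qtype in records:
        base = base_domain(qname)
        sub = qname[: -len(base) - 1] if qname != base else ""
        first = sub.split(".")[0] if sub else ""
        st = acc[base]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(first)
        st["ent"] += shannon_entropy(first)
        st["txt"] += qtype in ("TXT", "NULL")
    return {
        base: {
            "queries": st["n"],
            "unique_ratio": len(st["subs"]) / st["n"],
            "mean_label_len": st["len"] / st["n"],
            "mean_entropy": st["ent"] / st["n"],
            "txt_ratio": st["txt"] / st["n"],
        }
        for base, st in acc.items()
    }


def flag_tunnels(text, min_queries=4, min_label_len=20.0, min_entropy=3.0, min_unique=0.8):
    """Base domains whose queries are numerous, long, high-entropy and rarely repeated."""
    return sorted(
        base for base, m in profile(parse_log(text)).items()
        if m["queries"] >= min_queries
        and m["mean_label_len"] >= min_label_len
        and m["mean_entropy"] >= min_entropy
        and m["unique_ratio"] >= min_unique
    )


if __name__ == "__main__":
    for base, m in profile(parse_log(SAMPLE_LOG)).items():
        print(f"{base:18} q={m['queries']} uniq={m['unique_ratio']:.2f} "
              f"len={m['mean_label_len']:.1f} H={m['mean_entropy']:.2f} txt={m['txt_ratio']:.2f}")
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

Requiring all four conditions is what keeps the short CDN-style hash label out of the alert list: it has hex-level entropy but fails the length and volume tests. Tuning means raising `min_queries` on busy resolvers and allow-listing domains such as anti-spam or telemetry services that legitimately encode data in query names.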
Technologies, Techniques, and Standards
Voting Machine Makers Give U.S. Access in Fight Against Hackers (Bloomberg) ‘We know what makes up the systems’: Homeland official Manfra, Cyber Command chief Nakasone cites a ‘safe and secure’ 2018.
Why 5G requires new approaches to cybersecurity (Brookings) Ensuring the security of 5G networks is paramount, requiring action from both business and government.
DoD unveils new cybersecurity certification model for contractors (Federal News Network) A draft version of the Defense Department’s Cybersecurity Maturity Model Certification, an assessment designed to measure and monitor cybersecurity practices of its contractors, is open for public…
Law Firms Need to Prioritize Privilege to Protect Client Information (CyberArk) Law firms have access to sensitive client information and other confidential data, but they don't always secure that data as well as they should.
It's Not Healthy to Confuse Compliance with Security (Dark Reading) Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don't assume you're safe from them just because you're compliant with regulations.
Design and Innovation
Facebook, Microsoft launch contest to detect deepfake videos (Reuters) Facebook Inc is teaming up with Microsoft Corp, the Partnership on AI coalition ...
Facebook debuts vaccine education pop-up windows (CNN) Facebook, which owns Instagram, is rolling out new educational pop-up windows on both platforms to combat the spread of misinformation about vaccines, particularly anti-vaccination content.
Influencers are fighting for attention as Instagram tests removing likes from its platform: 'There’s no audience applause at the end of a performance' (Business Insider) The removal of likes is designed to improve the lives of consumers, but influencers are starting to feel the impact of the change.
Google Wants to Help Tech Companies Know Less About You (Wired) By releasing its homegrown differential privacy tool, Google will make it easier for any company to boost its privacy bona fides.
Legislation, Policy, and Regulation
Italy approves use of special powers over 5G supply deals (Yahoo) Italy's new government on Thursday approved its use of special powers in supply deals for fifth-generation (5G) telecom services by a number of domestic firms with providers including China's Huawei and ZTE Corporation. A government source told Reuters at the time the decision to strengthen
In Europe, U.S. defense secretary calls for greater effort to... (U.S.) U.S. Defense Secretary Mark Esper, in his first major speech, on Friday called f...
The United States Is Taking Action Against Cyber Foes (SIGNAL Magazine) The United States is waging active cyber operations against nations that conduct information operations against it.
NSA: Just say no to hacking back (FCW) The National Security Agency's chief counsel said organizations that suspect a cyberattack should call Homeland Security or the FBI instead.
Intelligence Community Security Demands Investment in People (ClearanceJobs) ClearanceJobs is your best resource for news and information on security-cleared jobs and professionals. Learn more with our article, "Intelligence Community Security Demands Investment in People ".
The World’s First Ambassador to the Tech Industry (New York Times) Denmark appointed him to approach Silicon Valley as if it were a global superpower. His challenges show how smaller countries struggle to influence giant corporations.
Do We Trust Governments to Effectively Regulate Privacy? [Ask Security Professionals] (Venafi) IT security professionals want regulation, but do not trust their officials to draft effective guidelines. Read what we found out on Venafi’s blog.
DOD issues draft of new contractor cyber standards (FedScoop) The Department of Defense has issued long-awaited cybersecurity standards in draft form for contractors who work with the Pentagon’s sensitive data. Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) is now live, giving contractors a glimpse into the sort of cybersecurity standards they will need to meet if they want to work on contracts that handle controlled …
Opinion | I’m a tech CEO, and I don’t think tech CEOs should be making policy (Washington Post) Tech executives are a deeply unrepresentative group living in an elite bubble.
Litigation, Investigation, and Law Enforcement
WSJ News Exclusive | States to Launch Google, Facebook Antitrust Probes (Wall Street Journal) State attorneys general are formally launching separate antitrust probes into Facebook and Google starting next week, putting added pressure on tech giants already under federal scrutiny.
New York attorney general is investigating Facebook for possible antitrust violations (CNBC) Attorneys general of Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee and the District of Columbia will join the probe.
Google accused of using secret web pages to leak users' personal data to advertising firms (Computing) The evidence in support of the claim was submitted to Ireland's Data Protection Commission by Brave's Johnny Ryan
How Google uses secret 'push pages' to share personal details with advertisers (Computing) Combined with tracking cookies supplied by Google, push pages enable organisations to identify individual web browsers, claims Brave's Johnny Ryan
Senator: Mark Zuckerberg should face “the possibility of a prison term” (Ars Technica) "He ought to be held personally accountable," Ron Wyden (D-OR) said.
Accused Capital One hacker pleads not guilty to all charges (CyberScoop) Paige Thompson has pleaded not guilty to charges in connection with a data breach at Capital One that impacted roughly 106 million people.
Author of record-setting IoT botnets pleads guilty (Naked Security) He kept working on new botnets (and swatting a co-conspirator-cum-competitor) while indicted and on supervised release.
Haverford student who tried to hack IRS for Trump tax returns pleads guilty, could get 2 years in jail, $200,000 fine (Philadelphia Inquirer) Andrew Harris, 23, was the second Haverford student to plead guilty in the attempted hack. They didn't get Trump's returns because a Louisiana private eye had already tried to set up a FAFSA account.
Riverdale, Conley residents among 7 named in federal indictment in Verizon identity fraud case (Clayton News) Two people from Clayton County have been indicted, along with five former Verizon store employees, on federal charges that they stole people's identities, opened Verizon accounts, then charged
The Doghouse: Crown Sterling (Schneier on Security) A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious -- and amusing -- examples of cryptographic "snake oil."