Cybersecurity
Latest
Department of Defense creates new cyberunit in Silicon Valley
In order to better combat cyberthreats to national security, the US Department of Defense is setting up shop in Silicon Valley. At a lecture today at Stanford University, Defense Secretary Ash Carter outlined the department's new focus on cyberdefense, including tapping into the ecosystem of Silicon Valley to drive innovation against cyber attacks against "US interests." Carter announced that he's setting up the Defense Innovation Unit X (X stands for Experimental) inside the DOD, staffed by active-duty and military personnel alongside reservists. "They'll strengthen existing relationships and build new ones; help scout for new technologies; and help function as a local interface for the department," Carter explained. "Down the road, they could help startups find new work to do with DOD."
House passes bill allowing corporations to share your data
If you wanted to explain the dilemma of privacy versus security to a curious relative, the Protecting Cyber Networks Act would be a good place to start. The bill has just been passed by the House of representatives (voting 307-116 in favor), and is designed to prevent future cyber attacks by allowing corporations to share information with each other and the government. Civil liberties groups claim the bill tramples on the privacy of the customers, and opens the door for agencies like the NSA to access their data (not that it needs much help, it seems).
Frenemies US and China join forces to fight cyber crime
The US and China are going to try to work together to take on cyber criminals. The Department of Homeland Security says that the US and China "intend to establish cyber discussions" on the path to reestablishing full government-to-government cyber security discussions. The DHS and China's Ministry of Public Sector agreed to focus on cross border cyber-enabled crimes like money laundering and online child sexual exploitation. The renewed interest in cooperation is the result of DHS Secretary Jeh Johnson's visit to Beijing.
UK report concludes Huawei's no threat to national security
For years, the UK government has been concerned that Huawei's networking equipment is aiding the Chinese government and threatening national security. In Britain, the company supplies major network providers such as BT, O2 and EE, which only amplifies the anxiety of politicians and security advocates. In 2012, Huawei opened a "Cyber Security Evaluation Centre" to alleviate some of their fears. It's designed to test all incoming updates to Huawei hardware and software used on UK networks. The problem is that all of the staff are employed by Huawei; in 2013, the UK's Intelligence and Security Committee said it was concerned about the arrangement, which effectively relies on self-policing. The government agreed, and said it would investigate the processes inside the centre.
PayPal acquires Israeli company that can predict future malware
It's always good news when a service that processes a lot of cash improves its security measures. PayPal, for instance, has just established a security center in Israel by acquiring a local company called CyActive. The company already has a Fraud and Risk Detection Center in Tel Aviv, but CyActive is a totally different beast: it "specializes in technology that can predict how malware will develop." It's sort of like Minority Report's PreCrime, except it uses predictive analytics instead of human precogs to foresee new cybersecurity threats. The startup's employees will now be in charge of implementing technology that will protect the payment platform from future cyberattacks.
Obama wants China to stop copying the NSA's surveillance plans
President Obama has criticized a Chinese plan to force US tech companies to install backdoors into their products for sale in the country. Without stopping for a moment to consider the phrase about glass houses and stones, he told Reuters that China would have to change its stance if it wanted to do business with the US.
Obama's executive order urges companies to share cyberthreat data
Attacks on the computers of large corporations were constantly in the headlines last year and now President Obama is taking steps that he says will help fight back. A month ago he announced a push for new legislation that would lay out ways for companies to share information about hacking activity so it can be investigated, while also protecting the privacy of consumers. Pushing that through Congress has been a failure since 2011, so he's following up with an executive order that mandates companies to do so. "There's only one way to defend America from these cyberthreats, and that is with government and [private] industry working together, sharing appropriate information," Obama said at today's White House cyber security summit at Stanford. The announcement comes just a few days after the President unveiled a new cyber warfare agency intended to "quickly assess and deter cyberthreats."
Obama pledges to 'protect a free and open internet,' tackle climate change
Leading up to the State of the Union, President Barack Obama criss-crossed the nation offering proposals on everything from free college, to cybersecurity and consumer privacy. But the president kept the details of these plans to a minimum during his address. Instead he used his pulpit to lay out a broader agenda, one that includes preserving Net Neutrality, combating global warming, promoting education and entrepreneurship.
Engadget Daily: Verizon Vehicle, Obama pushes for cybersecurity legislation, and more!
Remember back in 2011 when President Obama first approached the Senate with cybersecurity legislation and it was rejected? Well, today he announced it's time for round two, and in light of recent high-profile attacks, the odds are in his favor. Catch all the deets and more in the gallery below. Enjoy!
Obama renews push for comprehensive cybersecurity legislation
Barack Obama's last effort to get some cybersecurity legislation through Congress stalled in 2011, when it successfully cleared the Republican-held House, but withered in the Senate. After some high-profile attacks on government social networking accounts, Sony and others, he's resurrecting those plans. It will be one of the many things the president discusses during his upcoming State of the Union address, but he is delivering a preview of those plans today in a speech at the Department of Homeland Security. Obviously many of the details will need to be worked out by Congress, but Obama is pushing for some liability protection for companies that quickly respond and share information about attacks. The White House says there will also be strict requirements for the protection of personal data.
Moonpig flaw leaves customer accounts wide open for 17 months (update)
Over the years we've seen our fair share of security breaches and loopholes, but rarely do they take the companies involved almost 17 months to patch them up. Moonpig, the online mail order greeting card service, is guilty of this particular faux-pas after an external developer noticed a severe vulnerability back in August 2013. Here's how it worked: Using the Moonpig API, it was possible to impersonate any customer by submitting their unique ID number. With a little bit of technical know-how, anyone could have exploited it to place orders or, more worryingly, retrieve personal information such as credit card details, addresses and past purchases. "Whoever architected this system needs to be waterboarded," said Paul Price, who first spotted the problem. After notifying Moonpig in 2013, the company promised to "get right on it," but, as of yesterday, nothing had changed. Price then shared the vulnerability online, which, according to The Register, finally forced Moonpig to take action and pull the exposed APIs. The company is yet to comment on the whole affair, but if you've been a Moonpig customer in the past, now might be a good time to change your password or remove your account details altogether.
White House cybersecurity chief is proud to know nothing about cybersecurity
Even if their intentions are good, there's a reason that we don't let amateurs do brain surgery or design housing complexes. That logic doesn't seem to apply at the highest levels of government, however, after Michael Daniel boasted that about his lack of knowledge in his specialist field. In an interview with GovInfoSec, the White House cybersecurity co-ordinator has revealed that he's not technically-minded, but that he doesn't "have to be a coder in order to do really well." He added that "being too down in the weeds at a technical level could actually be a bit of a distraction." Sure, being able to see the wood for the trees when you're in charge of the nation's electronic safety is a good thing, but as Princeton's Ed Felten remarked, there'd be uproar if the attorney general bragged about a lack of legal expertise. Maybe we'll start working on our application to become the next surgeon general, after all, we have seen at least four episodes of ER.
Hospital network hackers nab personal info of 4.5 million US patients
In April and June, one of the largest hospital networks in the US was hacked. Community Health Systems says that cyber attacks originating in China stole the personal details of 4.5 million patients including names, addresses, telephone numbers, birth dates and Social Security numbers. In a regulatory filing, the company explained that an investigation into the breach showed "methods and techniques" used were similar to those employed by a group that's been active in the country. Said group usually goes after intellectual property (like medical equipment data) according to the report, so the company doesn't believe that the personal info would be exploited. What's more, both credit card numbers and clinical data weren't touched. Community Health Systems says it's removed the hackers' malware, and is in the process of notifying patients involved across its 206 hospitals that span 29 states. [Photo credit: Jonathan Wiggs/The Boston Globe via Getty Images]
US nuclear regulator hit by two foreign cyberattacks in three years
It's no secret that the White House is eager to protect the energy grid against cyberattacks, but it's now clear that the government is speaking from bitter, first-hand experience. Nextgov has confirmed that foreign hacker groups broke into the Nuclear Regulatory Commission's systems twice within the past three years, compromising PCs and accounts by tricking users into installing malware. A third, individually-launched attack also happened during the same time frame. While investigators couldn't determine the origins due to internet providers deleting their logs, the targets suggest that the attacks were government-backed -- the NRC knows the contents and health of reactors across the US. That logically draws suspicion toward China or Russia, although these could have simply been black market operators hoping to sell to the highest bidder.
UK spy agency gives thumbs up to grad degrees in online security
Good internet security isn't just about having the right tools to fend off cyber attacks; you need smart people, too. The UK government clearly knows this, as GCHQ has just accredited Master's degrees in online security that live up to the intelligence agency's "stringent criteria." If you pursue the right grad studies at one of six British universities (including London and Oxford), you'll both be well-equipped to handle digital threats and get an edge when hunting for that first big InfoSec job.
US officials reportedly duped into friending Iranian spies on social networks
A fair few government officials will be poring over their personal LinkedIn, Facebook and Twitter accounts today, following a warning about an elaborate hacking campaign that appears to stem from Iran. According to iSIGHT Partners, Iranian hackers have spent the last three years creating a fake news outlet -- Newsonair.org -- and then posing as journalists to give the website an air of credibility (even though all its content was simply plagiarized from elsewhere on the web). Over time, these impostors are alleged to have linked, friended and followed US military, diplomatic and congressional personnel who were attracted to Newsonair's stories. Once a basic connection had been established via a social network, the cyber-spy would then share another interesting-looking story with their target, but this time the shared link would be a so-called spear-phishing site designed to steal login credentials.
The White House explains why it keeps quiet on internet security flaws
We wouldn't blame you for worrying about the US government's willingness to remain silent on internet vulnerabilities in the name of national security; no one wants to be left open to a preventable attack. However, the White House sees these disclosures as a complicated issue, and has posted an explanation of its reasoning in an attempt to assuage fears. The administration argues that it has a "disciplined, rigorous and high-level" decision system that balances the risks to the public against the value of any intelligence. Agencies are more likely to share details of security flaws if there's a great potential for damage, or if it's likely that someone will use the exploits. At the same time, officials are more likely to stay hush-hush when there's a high-priority target, or if it's relatively safe to use an exploit for a short while.
NSA can keep quiet on internet flaws it discovers in 'clear national security' cases
When news of the Heartbleed internet security bug broke last week, Bloomberg reported that the NSA may have known about the OpenSSL flaw for years, using it to gain info instead of warning the public. The government agency was quick to deny that story, saying that it found when the rest of us did. But as it turns out, if they had kept the discovery secret in the interest of a national security threat, that would've been okay thanks to a January decision by President Obama. The New York Times reports that although details were never publicly reported by the White House, info about the choice began to surface after Friday's advance knowledge of the Heartbleed situation. The President determined that unless there's "a clear national security or law enforcement need," it's better for the government to publicly disclose those internet flaws that it uncovers -- in the interest of getting them fixed. Of course, this wording is quite vague, leaving quite a bit of room for interpretation. [Photo credit: Larry Downing/AFP/Getty Images]
This is Earth's malware threat, visualized
Ah, nothing like good old fashioned scare tactics to get you to install anti-virus software. In a thinly veiled advert for its security suite, Kaspersky Labs has created a real-time cyber threat map -- painting the globe with six shades of malware. The brightly colored map lists Russia as the world's most infected country, followed closely by the United States, India and Vietnam. It's a mesmerizing visualization, but take it with a grain of salt: the data it presents is pulled exclusively from Kaspersky's own security network, which might explain why the Russian security outfit's home turf is the "most infected." More users in the motherland probably translates to more virus' detected. That said, if you're looking for a colorful view the world's malware, you won't be disappointed. Check it out at the source link below.
Deutsche Telekom and RSA team on hack-resistant internet connections
It's easy to find security experts who can safeguard corporate internet connections against cyber attacks. However, it's hard to get someone who can stop attacks before they do any damage -- and that's where Deutsche Telekom hopes to make a difference. It's partnering with the security gurus at RSA on services that will include both early detection of attacks as well as "clean pipe" internet connections, which route data through hack-resistant lines. While the German provider isn't divulging its pricing just yet, it's targeting small- and medium-sized businesses willing to pay a fixed monthly fee; the toughened internet access is likely to be (relatively) affordable when it launches early next year. It's certainly well-timed. When many Europeans are already nervous about digital intruders, we wouldn't be surprised if Deutsche Telekom lands quite a few early customers.
