Skype is recommending that users upgrade to the most recent version of
the software following the discovery that ransomware is spreading
through instant messages. Users who click on links accompanying a
message asking, “Is this your new profile pic?” are putting themselves
at risk of being locked out of their computers. The attackers demand a
ransom of US $200 within 48 hours or they threaten to delete the users’
files. Infected machines also display a screen telling users that their
computers have been used to visit questionable sites and that the
activity will be reported to the government.


Researchers at RSA say “underground chatter” indicates that hackers are
planning cyberattacks that will affect online bank accounts at about 30
US financial institutions. The plan appears to be for a “cybersyndicate”
to infect users’ computers with a Trojan horse program that would allow
the attackers to hijack live online banking sessions and make
unauthorized wire transfers. The masterminds of the plot are reportedly
attempting to recruit 100 botmasters to help them.

The DHS Task Force on CyberSkills released an 11-step roadmap to close
the critical gaps in cyber skills in the United States in general and
at DHS specifically, and DHS leaders have established “tiger teams” to
implement each of the steps. This is the first authoritative report to
define the “red zone” jobs where the cyberskills shortages exist, and
along with the definitions the task force listed consequences of
continuing to allow people to hold cybersecurity jobs when they do not
have the hands-on skills needed to protect their systems. The Task Force
also outlined key steps to increase the supply of people with red zone
skills by building upon cybersecurity programs at colleges and by
creating new, intensive fast-track programs at community colleges.
The Task Force Report:

A draft report from the US House of Representatives Intelligence
Committee recommends that American companies refrain from conducting
business with Chinese technology companies Huawei and ZTE. According to
the document, both companies have “failed to assuage the committee’s
significant security concerns presented by their continued expansion in
the US.” Analysts say the recommendations may be motivated more by
politics than by security concerns. Both companies maintain that their
products do not pose security threats, and there appears to be no hard
evidence to demonstrate that their products pose a threat to national
security. The report recommends that the companies be barred from
mergers and acquisitions in the US market. Some have questioned why
these two firms are being singled out and why other foreign companies
are not being subjected to the same scrutiny. The UK government is
standing by Huawei, saying that its own testing procedures through the
Cyber Security Evaluation Centre are adequate.

The FBI and Phone Passwords

Earlier this year, Google refused to provide the FBI with access to an
Android phone that belonged to a suspect, even in the face of a search
warrant. The US Supreme Court’s Third Party Doctrine can often allow
government agents to access data stored with third parties without the
need for a warrant, but the doctrine does not address sensitive data
such as passwords, which can be used to gain access to a variety of
personal information, like texts and emails. When law enforcement agents
have access to a suspect’s phone, they often download the device’s
memory, but occasionally they find they cannot access a phone or that
the information is encrypted. When this is the case, they use a grand
jury subpoena to ask the phone’s owner for the password. This can be
seen to run afoul of the Fifth Amendment protection from
self-incrimination, so law enforcement agents are now turning to makers
of smartphone software to help them bypass the need for passwords. The
companies do not always comply, but they have in some cases.
(Please note that the Wall Street Journal requires a paid subscription.)

According to a request for information from several agencies, the US
government is seeking to develop “a capability framework for a healthy
and resilient cyber ecosystem using automated collective action.” The
RFI is seeking input on the overall vision, as well as the capabilities
that would be required to implement it and what might prevent it from
being successful before going ahead with the development. The system
would ideally have computers around the world work together to suppress
attacks by taking “collective action.” The system would effectively act
as a worldwide immune system for the Internet, behaving the same way
“the human body responds to an infection,” working both at the local
level and sending information to the larger system so it can help with

According to a new report from Symantec, the hackers behind the attack
on Google and more than 30 other companies in 2009 have launched new
attacks since then, many of which exploit zero-day vulnerabilities in
Microsoft and Adobe software. Most of the targeted organizations have
been in the defense, energy, and finance sectors; educational
institutions and NGOs have been hit as well. The report posits that the
scope and duration of the attacks, together with the difficulties
involved with identifying and creating exploits for zero-day flaws means
that the campaign must be the work of “a large criminal organization,
attackers supported by a nation state, or a nation state itself.” Some
have expressed skepticism about Symantec’s conclusions, noting that
zero-days are not “as big a deal as Symantec makes it out to be.”

A campaign issue is arising over the White House’s approach to
cybersecurity. (See the first story in this issue for background.) The
President’s staff has put him between a “rock and a hard place.” The
cyber threat is surging – so much so that 70 days ago Jonathan Evans,
Director-General of the UK MI5, called it an “astonishing” new level of
attack. Last month’s Aramco attack turned 30,000 computers permanently
into bricks and disabled the company. Given the source of the attack,
had it been launched against Exxon instead, Washington Post headlines
would be talking about the “first large scale cyber warfare campaign
against the U.S.” For the President, inaction now on a strong Executive
Order is tantamount to inviting debilitating attacks against our
critical infrastructure. But his staff is so afraid of making any
lobbyist or bureaucrat unhappy that they have removed all immediacy from
the EO, leaving only a counterfeit claim to be “doing something.” A
promising path forward would be to follow the lead of the UK, in its
national adoption of the public-private CSIS “20 Critical Controls” for
government and for companies in the critical infrastructure.

An FBI spokesperson said that it is “aware of published reports alleging
that an FBI laptop was compromised and private data regarding Apple UDIDs
(unique device identifiers) was exposed. At this time there is no evidence
indicating that an FBI laptop was compromised or that the FBI either
sought or obtained this data.” A subgroup of hackers claiming affiliation
with Anonymous said that it had obtained the file from an FBI laptop.
Apple says it never gave such a list to the FBI, and an Apple spokesperson
said the company “will soon be banning the use of the UDID.” The
authenticity of the data has been verified, so the question remains:
where did the data come from?

Huawei has issued a public statement asserting that it has never been
involved in cyber espionage or other illegal acts. The statement follows
close on the heels of news that Huawei and ZTE have been invited to
testify before a US Congressional subcommittee regarding cyberthreats to
the US critical infrastructure from their networking equipment.