IT Security News Blast 3-3-2017

On #1, congratulations to Congressman Kilmer’s staff who worked on this bill for about a year. This is a big deal, and intended to protect water purification, waste treatment, 911, comms for public safety, and all the other stuff that state and local government does to keep the wheels on society.

Bipartisan bill would give cybersecurity grants to state and local governments

On Thursday, Reps. Barbara Comstock (R-Va.) and Derek Kilmer (D-Wash.), along with Sens. Cory Gardner (R-Colo.) and Mark Warner (D-Va.), introduced the State Cyber Resiliency Act, which would fund Federal Emergency Management Agency–administered grants for cybersecurity planning and implementation. […] “Cities manage substantial amounts of sensitive data, including data on vital infrastructure and public safety systems. It should come as no surprise that cities are increasingly targets for cyberattacks from sophisticated hackers” […] “Cities need federal support to provide local governments with the tools and resources needed to protect their citizens and serve them best.”

http://thehill.com/policy/cybersecurity/322050-bipartisan-bill-would-give-cybersecurity-grants-to-state-and-local

Time for a cybersecurity grant program for the states

Congress and DHS should show their seriousness about states’ cyber defenses by directing some of President Trump’s $1 trillion infrastructure investment toward expenditures on shoring up states’ critical cyber infrastructure.  This is an imperative stemming from the persistent and growing gap between the cyber threat to state governments and their ability to mitigate it.  They need federal help.

http://thehill.com/blogs/congress-blog/technology/321871-time-for-a-cybersecurity-grant-program-for-the-states

Welcome to Cybersecurity in Public Sector

Agencies in Public Sector (good guys) are fighting a losing battle at every level (e.g. Federal, State, and local) using a silo-based security strategy focused on “buying top quadrant ranked security devices” in a world of automation, analytics, and global zero day threats. These security devices create mountains of log data which contain clues to potential attacks as well as tons of false positives. An extremely competitive cybersecurity job market adds additional risk and stress to executives managing environments in public sector.

http://blogs.cisco.com/government/welcome-to-cybersecurity-in-public-sector

Protecting Wealthy Clients From Cyber Attack

So, how can leadership of a family office defend against the multitude of technology-borne threats? For starters, leadership must let go of the fallacy that produced this dangerous state of affairs. New technology alone can’t fix this mess we’re in, nor is there a purely technological expert who can guide a business to safety. […] Retain an Expert Cybersecurity Firm. IT and cybersecurity expertise overlap but aren’t the same thing. People who regularly investigate cyber attacks and ethical attackers, who work daily to spot and close security holes, see more and know more about protecting businesses than IT professionals tasked with maintaining systems in the ordinary course.

http://www.wealthmanagement.com/high-net-worth/protecting-wealthy-clients-cyber-attack

Public officials can’t shield government business by using personal email, state Supreme Court rules

California’s highest court decided unanimously Thursday that government officials may be required to make public what they said about official business on their private telephones and personal computers. In a decision written by Justice Carol A. Corrigan, the California Supreme Court said the state’s Public Records Act requires public officials to disclose emails, texts and voicemails from private devices if the communications involved government affairs.

http://www.latimes.com/local/lanow/la-me-ln-public-officials-email-20170302-story.html

I infected my Windows computer with ransomware to test RansomFree’s protection

Since I have experience cleaning up the devastation left behind by malware—but not with infecting a machine on purpose—I decided to run this test twice after taking a snapshot of the VM as a point-in-time prior to the introduction of malicious code. The first time through, I would do so without RansomFree to see how the ransomware would operate on the system. Once it was confirmed to have worked, I would rerun the test with RansomFree installed to gauge how effective it was against this strain of ransomware, since now I’d have a good idea of what to look for.

http://www.techrepublic.com/article/i-infected-my-computer-with-ransomware-to-test-ransomfrees-protection-for-windows/?ftag=TREa988f1c&bhid=19826817703580555754097899032323

How an Illegal Canadian Spy Program Sailed Through Regulatory Checks

In its ruling on the Operational Data Analysis Centre (ODAC), the federal court also concluded that the Canadian Security Intelligence Service (CSIS)—the country’s domestic CIA analogue—had breached its duty of candour by not fully briefing the court on the program until forced. Former ministers clamored to avoid blame for approving the program or being aware of it, and CSIS halted its metadata analysis.

https://motherboard.vice.com/en_us/article/how-an-illegal-canadian-spy-program-sailed-through-regulatory-checks-opc-odac-csis

Broadband lobbyists celebrate as FCC halts data security requirements

The data security rule that was scheduled to take effect today would have required ISPs and phone companies to take “reasonable” steps to protect customers’ information—such as Social Security numbers, financial and health information, and Web browsing data—from theft and data breaches. The FCC issued a stay of the rule yesterday, and Chairman Ajit Pai said he wants to shift authority over data security and privacy entirely to the Federal Trade Commission.

https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/

House panel approves cybersecurity framework bill

A House panel on Wednesday approved a bill designed to encourage federal agencies to adopt the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). The legislation would direct NIST to develop metrics for evaluating federal agencies’ cybersecurity and submit an initial assessment and regular audits to Congress on cybersecurity measures put in place by federal agencies. […] The bill could work as a complement to President Trump’s forthcoming executive order on cybersecurity, which is rumored to contain a provision requiring federal agencies to follow NIST’s framework.

http://thehill.com/policy/cybersecurity/321864-house-panel-approves-cybersecurity-framework-bill-along-party-lines

Fast data lookups in R: dplyr vs data.table

R is a vector-oriented language and most of the things you do in R are optimised for that, but what if you need something less typical… What if you need to find a specific element in a dataset? There are a lot of options to do that in R, but when your dataset has a few million rows or more, lookups may be extremely slow. […] In this post I’m going to compare different methods that can be used to improve lookup times in R. In our case, we were able to improve lookup speed 25 times by using data.table indexes.

http://blog.appsilondatascience.com/rstats/2017/03/02/r-fast-lookup.html

Cisco Warns of High Severity Bug in NetFlow Appliance

The bug (CVE-2017-3826) is due to incomplete validation of SCTP packets being monitored on the NGA data ports, Cisco wrote. It impacts Cisco NetFlow Generation Appliances NGA 3140, NGA 3240 and NGA 3340. NetFlow Generation Appliances are located within enterprise data centers and designed to monitor Gigabit Ethernet high-throughput networks.

https://threatpost.com/cisco-warns-of-high-severity-bug-in-netflow-appliance/124053/

Robots Rife With Cybersecurity Holes

“We found robots with insecure features that couldn’t be easily disabled or protected, as well as features with default passwords that were either difficult to change or could not be changed at all,” according to the report. In a closer examination of the robot ecosystems, IOActive Labs said many of the robot platforms it analyzed use open source frameworks and libraries that suffer from known vulnerabilities such as cleartext communication, authentication issues, and weak authorization schemes.

https://threatpost.com/robots-rife-with-cybersecurity-holes/123989/

Cyber security need not cost a fortune, says researcher

“Organisations can use these resources from academia and government to ensure they are better informed about cyber security so that they can allocate budget more wisely and effectively,” he said. By being better informed, organisations can ensure they have the most appropriate cyber security policies in place, which can also be done free of charge, he said. But at the same time, Venables said getting the workforce on board is “absolutely essential” and also requires a good understanding of the topic.

http://www.computerweekly.com/news/450414101/Cyber-security-need-not-cost-a-fortune-says-researcher

Game theory could improve cyberwarfare strategy

The new study, published in Proceedings of the National Academy of Sciences this week, examines when a victim should tolerate a cyber attack, when a victim should respond—and how. The researchers, including others from the University of Michigan and their colleagues at the University of New Mexico and IBM Research, use historical examples to illustrate how the Blame Game applies to cases of cyber or traditional conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran and Syria.

https://phys.org/news/2017-03-game-theory-cyberwarfare-strategy.html

China warns against cyber ‘battlefield’ in internet strategy

Countries should not engage in internet activities that harm nations’ security, interfere in their internal affairs, and “should not engage in cyber hegemony”. “Enhancing deterrence, pursuing absolute security and engaging in a (cyber) arms race – this is a road to nowhere,” Long Zhao, the Foreign Ministry’s coordinator of cyberspace affairs, said at a briefing on the strategy. “China is deeply worried by the increase of cyber attacks around the world,” Long said.

http://www.reuters.com/article/us-china-internet-idUSKBN16849M

NSA Director Wants to Contract Companies to Build Future Cyber Weapons

“On the offensive side, to date, we have done almost all of our weapons development internally,” Rogers said. “And part of me goes, five to 10 years from now–is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I’m still trying to work my way through that, intellectually.” Rogers said he wants Cyber Command and technology companies to integrate so that the entities are housed in the same location. For example, private sector partners would be based in Fort Meade, Md., alongside Cyber Command.

https://www.meritalk.com/articles/nsa-contract-build-cyber-weapons-michael-rogers-cyber-command/

Cybersecurity in radar/electronic warfare systems

As radar and EW systems continually get smarter “it’s clear that IP [intellectual property] security is a critical aspect going forward,” says Haydn Nelson, director, Marketing and Applications Engineering, 4DSP Products at Abaco Systems in Austin, Texas. “The algorithms to sense and deny sensing are often classified; thus, our signal-processing products need to be open so our customers can insert their classified IP and keep it protected and under the control of defense agencies.”

http://mil-embedded.com/6364-cybersecurity-in-radarelectronic-warfare-systems/

Cyber Strategy & Policy: International Law Dimensions

Chairman McCain, Ranking Member Reed, members of the committee, and staff. I appreciate the opportunity to address this critical topic. In discussing cyber policy and deterrence, I have been asked specifically to address some of the international law questions most relevant to cyber threats and U.S. strategy. These include whether and when a cyber-attack amounts to an “act of war,” or, more precisely, an “armed attack” triggering a right of self-defense. I would also like to raise the issue of how the international legal principle of “sovereignty” could apply to cyber activities, including to the United States’ own cyber-operations.

https://www.lawfareblog.com/cyber-strategy-policy-international-law-dimensions

Yahoo Tells SEC Executives Failed to Act on Breach

The company admitted to the SEC and its investors that its security team was aware of the account compromises and the use of forged Yahoo cookies by an alleged state-sponsored actor, but executives ignored the gravity of the situation. “While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team,” Yahoo said in its filing.

https://threatpost.com/yahoo-tells-sec-executives-failed-to-act-on-breach/124017/

Just How Secure Are Those Encrypted Apps Leaking Trump’s Secrets?

[It’s] possible that any officials using those apps for government business could break the law requiring administration comms be preserved for future records. As noted by Congressmen Ted Lieu and Don Beyer earlier this month, however, those apps could be crucial for whistleblowers to provide information to the press about matters of real public interest. But what are those apps and how secure are they really? Lieu and Beyer recommended three. First, the de facto king of the crypto comms market, Signal. The free app is widely considered the best amongst cryptography experts. Lieu and Beyer also recommended WhatsApp, which uses Signal code to guarantee the security and authenticity of messages, as well as Telegram.

https://www.forbes.com/sites/thomasbrewster/2017/02/28/signal-whatsapp-telegram-leaking-trump-secrets-secure-or-not/#186c034a7238
