Senate Group Wants CISA to Protect Open-Source Software

Senate Homeland Security Committee leaders Gary Peters (D-Michigan) and Rob Portman (R-Ohio) have introduced a bill that would require a risk framework for open-source code. The proposed legislation directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop a process for evaluating the risk of open-source software used by federal agencies and critical infrastructure. The move follows the discovery in December of a vulnerability in the Apache Software Foundation’s widely used Log4j Java logging library. Peters said the Log4j incident posed a serious threat to banks, hospitals and utility companies, among other national-security-relevant operations.

Agencies Warn That Hackers Are Targeting Control Systems

The White House has issued a warning about hackers attempting to disrupt the energy grid and other industrial control systems with “a Swiss Army knife” of custom-built malicious software. A joint bulletin from the FBI, NSA, DHS and the Energy Department cautioned businesses to watch for “advanced persistent threat actors,” or APTAs, a common label for state-backed hackers. The bulletin specifically named devices from Japanese electronics firm Omron and French firm Schneider Electric, both suppliers of industrial automation equipment.

U.S. Cybersecurity Agency Enlists Amazon, Google, Microsoft

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has launched the Joint Cyber Defense Collaborative (JCDC), which will draw on the expertise of Big Tech companies including Amazon, Google and Microsoft. According to CISA director Jen Easterly, the initiative’s first priority is combating ransomware and cyberattacks on cloud-computing providers; its longer-term aim is better defense planning and information sharing between government and the private sector.

Senators Press Ad-Auctioneers for Personal Data Sales Info

Senate Finance Committee chair Ron Wyden (D-Oregon) heads a bipartisan group of U.S. senators seeking to learn more about digital advertising auctions and their role in personalized ads. The group sent a letter to the largest companies that run these auctions, including AT&T, Index Exchange, Google, Magnite, OpenX Software, PubMatic, Twitter and Verizon Communications. Citing national-security concerns, the senators want the names of all foreign clients that gain access to user data through the auctions.

Cybersecurity: White House Pursues Public-Private Alliances

Russia and China recently ran sophisticated hacks from servers inside the United States, going undetected by the FBI and the Department of Homeland Security as well as by the National Security Agency, which is barred from conducting surveillance inside the U.S. Private computer security firms were the first to raise the alarm about these foreign attacks, and Microsoft reported that its security patches are being reverse-engineered by criminal groups to launch ransomware attacks on corporations. The White House is paying attention.

White House Names Official to Lead Probe of Expansive Hack

In December, suspected Russian hackers compromised SolarWinds Corp., a small software vendor, and leveraged that access to infiltrate the U.S. departments of Commerce, State and Treasury, as well as numerous private companies. An in-depth investigation revealed that the hack’s scope was larger than first known: about one-third of the victims had no direct connection to SolarWinds. The Biden administration has now selected White House National Security Council senior official Anne Neuberger to lead the response.

Oracle-TikTok Deal Is Under Review by Federal Government

In an effort to avoid a U.S. ban, popular social video platform TikTok aims to partner with cloud services company Oracle. TikTok parent ByteDance has proposed a deal in which Oracle would serve as TikTok’s technology provider in the U.S., although details about any change to TikTok’s ownership structure have not been disclosed. ByteDance submitted the proposal to the U.S. Treasury Department, and Secretary Steve Mnuchin announced plans to review it this week with particular emphasis on security issues. If approved, the deal could make Oracle a major advertising player with greater relevance to younger audiences.

Commission Finds U.S. Is Unprepared for Major Cyberattacks

The Cyberspace Solarium Commission released a report, based on a months-long study, showing that the U.S. government is ill-equipped to block cyber threats. The Commission lists 75 recommendations for major structural changes, including the creation of Congressional committees dedicated to cybersecurity and a White House-based national cybersecurity director confirmed by the Senate. The report is blunt in its assessment that the U.S. government’s current approach to cyberattacks is “fundamentally flawed.”

NSA Discovers Windows Vulnerability — and Tells Microsoft

The National Security Agency (NSA) discovered a vulnerability in versions of Windows and, rather than retaining it for its own use, reported it to Microsoft, which is now patching the flaw in Windows’ handling of certificates and cryptographic messaging functions. The vulnerability could have let attackers pass off malicious code as legitimately signed software. Separately, Microsoft warned all remaining users of Windows 7 Home Basic, Home Premium, Professional or Ultimate to upgrade immediately.

Chinese, Iranian, Russian Hackers Honing Their Attack Skills

The National Security Agency and security firm FireEye recently detected extensive Iranian attacks on U.S. banks, businesses and government agencies, prompting the Department of Homeland Security to declare an emergency during the government shutdown. The Iranian attacks coincided with renewed Chinese efforts to steal trade and military secrets from Boeing, General Electric Aviation and T-Mobile. Meanwhile, Microsoft detected a Russian government operation targeting think tanks critical of Russia.

Federal Government Takes Additional Steps to Block Huawei

The U.S. government is reportedly pushing foreign allies to stop using hardware from China-based Huawei Technologies Co. According to people familiar with the initiative, the government is aiming to convince wireless and Internet service providers to avoid Huawei telecom equipment on security grounds. Washington officials are particularly concerned about countries that host U.S. military bases. The U.S. and Australia already have bans in place to curb the risk of cyberattacks. Huawei is the world’s largest maker of telecommunications equipment.

Oregon Senator Proposes a Consumer Data Protection Bill

Oregon Democratic Senator Ron Wyden has drafted a data privacy bill akin to Europe’s recently enacted General Data Protection Regulation (GDPR). Dubbed the Consumer Data Protection Act, Wyden’s bill would give users more control over the selling and sharing of their data, and would give the Federal Trade Commission authority to set privacy and security standards and to fine companies that fail to protect consumer data. One provision is a “Do Not Track” option that would let people opt out of being tracked.

Facebook Offers More Hack Details, Exposes Web Scraping

Facebook revised the number of users affected by the hack disclosed two weeks ago down to 30 million, revealing that for 14 million of them the stolen personal information was more extensive, including gender, religion, telephone number, email addresses and the computing devices used to connect to Facebook. Hackers also captured the last 15 people or things those users had searched for on Facebook and the last 10 physical locations they had checked into. Another 15 million profiles were scraped for names and contact information.

New Uber CEO Faces the Impact of Undisclosed Data Breach

Uber Technologies acknowledged that one year ago it paid hackers $100,000 to conceal a data breach affecting 57 million accounts. The company fired then-chief security officer Joe Sullivan and deputy Craig Clark over both the breach itself and its concealment. The hackers obtained the names, email addresses and phone numbers of millions of riders as well as 600,000 drivers’ license numbers, although Social Security numbers and credit card numbers apparently were not accessed. Uber says it will inform those affected in the “coming days.”

Security Update: 3 Billion Yahoo Accounts Hit in 2013 Attack

Yahoo announced yesterday that all 3 billion of its user accounts were affected by a previously disclosed August 2013 cyberattack, which the company had originally reported as affecting 1 billion accounts. Yahoo had earlier reported that a separate 2014 attack affected 500 million accounts. Last year we learned that “digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack,” according to The New York Times. “The intruders also obtained the security questions and backup email addresses used to reset lost passwords.”