Tag Archives: Homeland

DHS details electrical grid attacks by Russian agents

The Department of Homeland Security has offered more details on electrical grid attacks by Russian agents, and experts said the details show how air-gapping isn’t as secure as some may think.

In a briefing on Monday, DHS officials expanded on details of electrical grid attacks by Russian groups like Dragonfly 2.0. The briefing was the first time DHS released this amount of information in an unclassified setting, according to a report by The Wall Street Journal.

DHS said Russian hackers first targeted key industrial control vendors in order to steal credentials and access air-gapped and isolated utility networks. DHS also expanded the scope of the electrical grid attacks, saying there were “hundreds of victims,” although it is unclear if “victims” in this case refers to systems, substations, or utilities and vendors combined. Attackers reportedly stole confidential information about the utilities to learn how the industrial control systems (ICS) work and DHS said they had enough access to “throw switches.”

Ray DeMeo, COO and co-founder of Virsec, noted that “relying on air-gapping for security is a dangerous anachronism.”

Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected,” DeMeo wrote via email. “Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent attacks, successful attacks on power plants and other critical infrastructure have bypassed air gaps.”

Rohyt Belani, CEO and co-founder of Cofense, said even with isolation electrical grid attacks are still possible.

“Even though SCADA networks and other critical infrastructure may be segmented, there are always legitimate remote access systems in place from where administrators of those systems can log in and control them,” Belani wrote via email. “Attackers often gain their initial foothold in a corporate network via spear phishing and then move laterally to identify such key systems, which they then attempt to compromise to further their sphere of influence into critical systems.”

Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.

“To be clear, multifactor authentication is not ‘one size fits all.’ There are numerous approaches and technologies available with varying degrees of security and usability. For example, one-time passwords transmitted via SMS are very convenient and widely deployed. However, this multifactor authentication approach has been proven to be unsecure with [one-time passwords] being intercepted,” Magrath wrote via email. “Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.” 

DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).” 

David Vergara, head of security product marketing at OneSpan Inc., said “this is big game hunting for cybercriminals.”

“The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure,” Vergara wrote via email. “It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties.”

Potential damage of electrical grid attacks

It was unclear from the DHS report what the extent of damage these electrical grid attacks could be.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, said in the past, electrical grid attacks were “ostensibly motivated by money, business disruption, hacktivism or espionage.”

“Now, we are facing a very real and targeted threat to U.S. national security. A successful attack on systems such as power plants, dams or the electric grid could have severe repercussions and could possibly lead to the loss of human life and disruption of society,” Gronberg wrote via email. “With so much on the line, securing critical infrastructure must be top of mind. Recent efforts by the DHS, DOE and key congressional committees suggest that it is. But we have to tackle this problem as the shared responsibility it is. It likely will entail some difficult decisions at all levels, from policymakers to power producers to consumers.”

Andrea Carcano, co-founder and CPO of Nozomi Networks, noted that since the electrical grid attacks reported by DHS didn’t result in blackouts, it raises the “question if the attackers intentionally only went so far.”

“Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay,” Carcano wrote via email. “It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

DHS, SecureLogix develop TDoS attack defense

The U.S. Department of Homeland Security has partnered with security firm SecureLogix to develop technology to defend against telephony denial-of-service attacks, which remain a significant threat to emergency call centers, banks, schools and hospitals.

The DHS Science and Technology (S&T) Directorate said this week the office and SecureLogix were making “rapid progress” in developing defenses against call spoofing and robocalls — two techniques used by criminals in launching telephony denial-of-service (TDoS) attacks to extort money. Ultimately, the S&T’s goal is to “shift the advantage from TDoS attackers to network administrators.”

To that end, S&T and SecureLogix, based in San Antonio, are developing two TDoS attack defenses. First is a mechanism for identifying the voice recording used in call spoofing, followed by a means to separate legitimate emergency calls from robocalls.

“Several corporations, including many banks and DHS components, have expressed interest in this technology, and SecureLogix will release it into the market in the coming months,” William Bryan, interim undersecretary for S&T at DHS, said in a statement.

In 2017, S&T handed SecureLogix a $100,000 research award to develop anticall-spoofing technology. The company was one of a dozen small tech firms that received similar amounts from S&T to create a variety of security applications.

Filtering out TDoS attack calls

SecureLogix’s technology analyzes and assigns a threat score to each incoming call in real time. Calls with a high score are either terminated or redirected to a lower-priority queue or a third-party call management service.

SecureLogix built its prototype on existing voice security technologies, so it can be deployed in complex voice networks, according to S&T. It also contains a business rules management system and a machine learning engine “that can be extended easily, with limited software modifications.”

Over the last year, SecureLogix deployed the prototype within a customer facility, a cloud environment and a service provider network. The vendor also worked with a 911 emergency call center and large financial institutions.

In March 2013, a large-scale TDoS attack highlighted the threat against the telephone systems of public-sector agencies. An alert issued by DHS and the FBI said extortionists had launched dozens of attacks against the administrative telephone lines of air ambulance and ambulance organizations, hospitals and financial institutions.

Today, the need for TDoS protection has grown from on premises to the cloud, where an increasing number of companies and call centers are signing up for unified communications as a service. In 2017, nearly half of organizations surveyed by Nemertes Research were using or planned to use cloud-based UC.

SS7 vulnerabilities enable breach of major cellular provider

The U.S. Department of Homeland Security warned of an exploit of the Signaling System 7 protocol that may have targeted American cellphone users.

The Washington Post reported that DHS notified Sen. Ron Wyden (D-Ore.) last week that malicious actors “may have exploited” global cellular networks “to target the communications of American citizens.” The letter has not been made public, but The Washington Post obtained a copy of it and reported that it described surveillance systems that exploit Signaling System 7 (SS7) vulnerabilities. According to the report, the exploit enables intelligence agencies and criminal groups to spy on targets using nothing but their cellphone number.

SS7 is the international telecommunications standard used since the 1970s by telecommunications providers to exchange call routing information in order to set up phone connections. Cellphone providers use SS7 to enable users to send and receive calls as they move from network to network anywhere in the world. The protocol has been criticized by analysts and experts for years because of its vulnerabilities and because it enables spying and data interception.

In a different letter to Ajit Pai, chairman of the Federal Communications Commission, Wyden referenced an “SS7 breach” at a major wireless carrier and criticized the FCC for its inaction regarding SS7 vulnerabilities.

“Although the security failures of SS7 have long been known to the FCC, the agency has failed to address the ongoing threat to national security and to the 95% of Americans who have wireless service,” Wyden wrote.

He explained the SS7 vulnerabilities enable attackers to intercept people’s calls and texts, as well as hack into phones to steal financial information or get location data.

“In a prior letter to me, you dismissed my request for the FCC to use its regulatory authority to force the wireless industry to address the SS7 vulnerabilities,” Wyden wrote to Pai. “You cited the work of the [Communications Security, Reliability and Interoperability Council] as evidence that the FCC is addressing the threat. But neither CSRIC nor the FCC have taken meaningful action to protect hundreds of millions of Americans from potential surveillance by hackers and foreign governments.”

In the letter, Wyden included a call to action for Pai to use the FCC’s “regulatory authority” to address the security issues with SS7 and to disclose information about SS7-related breaches to Wyden by July 9, 2018.

In other news:

  • The U.S. government ban on using Kaspersky Lab products was upheld this week, and the security company’s lawsuits were dismissed. U.S. District Judge Colleen Kollar-Kotelly dismissed two lawsuits filed by Kaspersky Lab in response to Binding Operational Directive 17-01 and the National Defense Authorization Act (NDAA), both of which banned the company’s products from use in the federal government. Kaspersky argued the ban was unconstitutional and caused undue harm to the company, but Kollar-Kotelly dismissed the argument and said while there may be “adverse consequences” for Kaspersky, the ban is not unconstitutional. Kaspersky Lab has said it will file an appeal of the ruling.
  • The U.S. House of Representatives advanced a bill that would require law enforcement to get a warrant before collecting data from email providers. The Email Privacy Act was added as an amendment to the NDAA, which is the annual budget for the Department of Defense. The bill passed the House 351-66 and will now move to the Senate for approval. The amendment was authored by Rep. Kevin Yoder (R-Kan.) and is the latest version of the 2016 Email Privacy Act that received unanimous support in the House. If the NDAA passes with this amendment included, it will provide warrant protections to all email, chats and online messages that law enforcement might want or need for investigations. The Electronic Frontier Foundation has been a proponent of email privacy in law, saying, “The emails in your inbox should have the same privacy protections as the papers in your desk.”
  • The private equity investment firm Thoma Bravo is acquiring a majority share in the security company LogRhythm. LogRhythm offers its users a security information and event management platform that also has user and entity behavior analytics features. The company has been in business for 15 years and has more than 2,500 customers worldwide. “LogRhythm believes it has found an ideal partner in Thoma Bravo,” said LogRhythm’s president and CEO, Andy Grolnick, in a statement. “As we seek to take LogRhythm to the next level and extend our position as the market’s preeminent NextGen SIEM vendor, we feel Thoma Bravo’s cybersecurity domain expertise and track record of helping companies drive growth and innovation will make this a powerful and productive relationship.” The deal is expected to close later in 2018. Thoma Bravo owns the certificate authority company DigiCert, which recently purchased Symantec’s CA operations, and has previously invested in other cybersecurity companies, including SonicWall, SailPoint, Hyland Security, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.

Feds issue new alert on North Korean hacking campaigns

The FBI and the Department of Homeland Security released an alert on Tuesday regarding malware campaigns connected to a North Korean hacking group known as Hidden Cobra.

The alert, which includes indicators of compromise (IOCs) such as IP addresses, attributes two malware families to the North Korean government by way of Hidden Cobra: a remote access tool called Joanap and a worm known as Brambul, which spreads via Windows’ Server Message Block (SMB) protocol. Both malware families were first identified by Symantec in 2015 and were observed targeting South Korean organizations. Other cybersecurity vendors later attributed the two malware campaigns to the nation-state hacking group Hidden Cobra, also known as Lazarus Group.

However, Tuesday’s alert, which was issued by US-CERT, marks the first time U.S. authorities publicly attributed the malware families and their activity to North Korean hacking operations.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation,” US-CERT said. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”

The alert also claimed that, “according to reporting of trusted third parties,” Joanap and Brambul have likely been used by the North Korean hacking group since at least 2009 to target organizations in various vertical industries across the globe. The FBI and DHS didn’t identify those trusted parties, but the alert cited a 2016 report, titled “Operation Blockbuster Destructive Malware Report,” from security analytics firm Novetta, which detailed malicious activity conducted by the Lazarus Group.

DHS’ National Cybersecurity and Communications Integration Center conducted an analysis of the two malware families, and the U.S. government discovered 87 network nodes that had been compromised by Joanap and were used as infrastructure by Hidden Cobra. According to the US-CERT alert, those network nodes were located in various countries outside the U.S., including China, Brazil, India, Iran and Saudi Arabia.

The FBI and DHS attribution case for Brambul and Joanap represents the latest evidence connecting the North Korean government to high-profile malicious activity, including the 2014 breach of Sony Pictures. Last December, the White House publicly attributed the WannaCry ransomware attack to the North Korean government; prior to the U.S. government’s accusation, several cybersecurity vendors had also connected the WannaCry source code, which also exploited the SMB protocol, with the Brambul malware.

The US-CERT alert also follows tense, back-and-forth negotiations between President Donald Trump and North Korean leader Kim Jong Un regarding a U.S.-North Korea summit. Last week, Trump announced the U.S. was withdrawing from the summit, but talks have reportedly resumed.

Federal HR wants to modernize cybersecurity recruiting, pay

The U.S. Dept. of Homeland Security wants dramatic changes in hiring and management of cybersecurity professionals. It seeks 21st Century HR practices and technologies, with a goal of making the federal HR program as competitive as the private sector.

This effort will streamline hiring and improve cybersecurity recruiting. DHS wants a pay system for cybersecurity professionals based on “individual’s skills and capabilities.” New HR technologies are sought as well.

The proposed federal HR improvements are in a request for information to vendors. In this knowledge gathering effort vendors are asked to estimate the cost, and outline the expertise and technologies needed to achieve this reform. It doesn’t obligate the government but sets the stage for contract proposals. Its goals are sweeping.

DHS, for instance, said it wanted to end 20th Century federal HR practices, such as annual reviews. Instead, it wants 21st Century methods, such as continuous performance management.

The goal is modernizing federal HR technologies and processes, but with a focus on improving cybersecurity recruiting and retention.

Analysts see DHS moving in the right direction

HR analysts contacted about the planned federal cybersecurity recruiting reform seemed impressed.

“The scope of this is really big and it’s very ambitious,” said Kyle Lagunas, research manager in IDC’s talent acquisition and staffing research practice. “I’m really encouraged to see this. It really captures, I think, where the industry is going.”

It’s all in the right direction.
Josh Bersinfounder and principal, Bersin by Deloitte Consulting

“This sounds like good stuff to me,” said Josh Bersin, founder and principal of Bersin by Deloitte Consulting. “It’s all in the right direction,” he said.

Both analysts said that if DHS achieves its goals it will rank with leading businesses in HR best practices.

DHS employs some 11,000 cybersecurity professionals and leads government efforts to secure public and private critical infrastructure systems.

The U.S. said in 2016 that there weren’t enough cybersecurity professionals to meet federal HR needs. President Barack Obama’s administration called for a “government-wide” federal HR cybersecurity recruitment strategy. President Donald Trump’s administration is reaching out to vendors for specifics.

DHS published its request for information for reforming federal HR in early May, asking for cost estimates and ideas for modernizing cybersecurity hiring and management. It sought specific capabilities such as the ability to process as many as 75,000 applicants per year. It wants, as well, applicant assessment technologies. This can include virtual environments, for testing “real-world application of technical cybersecurity competencies.”

Feds boldly make a case for reform of cybersecurity recruiting

But what distinguished this particular federal HR request, from so many other government requests for information, was its dramatic framing of the goal.

The 20th Century way of recruiting involves posting a job and “hoping the right candidates apply,” said DHS in its request to vendors. The new 21st Century method — is to “strategically recruit from a variety of sources on an ongoing basis, and use up-to-date, cybersecurity-focused standards and validated tools to screen, assess and select talent.”

DHS also wants to adopt “market-sensitive pay” to more readily compete for people, a smart move, according to Lagunas. “If they want to bring in top cybersecurity talent they are going to have to make sure they are very competitive in their pay and practices.”

In what may be a nod to the growing contingent workforce, DHS wants a federal HR plan for “dynamic careers.” This involves “streamlined movement” from the private sector to government and back again.

The deadline for vendor responses to the government’s request for information is May 25.

NIST botnet security report recommendations open for comments

The Departments of Commerce and Homeland Security opened public comments on a draft of its botnet security report before the final product heads to the president.

The report was commissioned by the cybersecurity executive order published by the White House on May 11, 2017. DHS and the National Institute of Standards and Technology (NIST), a unit of the Department of Commerce, were given 240 days to complete a report on improving security against botnets and other distributed cyberattacks, and they took every minute possible, releasing the draft botnet security report on Jan. 5, 2018.

The public comment period ends Feb. 12, 2018 and industry experts are supportive of the contents of the report. According to a NIST blog post, the draft report was a collaborative effort.

“This draft reflects inputs received by the Departments from a broad range of experts and stakeholders, including private industry, academia, and civil society,” NIST wrote. “The draft report lays out five complementary and mutually supportive goals intended to dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem. For each goal, the report suggests supporting activities to be taken by both government and private sector actors.”

The blog post listed the goals for stakeholders laid out by the draft botnet security report as:

  1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  3. Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior.
  4. Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
  5. Increase awareness and education across the ecosystem.

Rodney Joffe, senior vice president, technologist and fellow at Neustar, Inc., an identity resolution company headquartered in Sterling, Va., said NIST and DHS took the right approach in putting together the report.

“The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches — hosting a workshop, publishing a request for comment, and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC),” Joffe told SearchSecurity. “We commend the administration for working with and continuing to seek private sector advice on the best path forward.”

A good start, but… 

Experts, like Michael Patterson, CEO of Plixer, a network traffic analysis company based in Kennebunk, Maine, generally applauded the draft botnet security report as being an in-depth starting point that is missing some key features.

“The report offers a comprehensive framework for threat intelligence sharing, and utilizing NIST to work with a variety of industry groups to establish tighter security protocols and best practices while outlining government and industry transformations to protect the internet,” Patterson told SearchSecurity. “However, it is missing the required teeth to propel industry action. Without a mechanism to define a specific compliance standard, service providers will not have enough incentive to take the steps required to mitigate these risks.”

Stephen Horvath, vice president of strategy and vision for Telos Corporation. a cybersecurity company located in Ashburn, Va., applauded the draft botnet security report for balancing “high level explanations along with some technical details of merit.”

“This report will hopefully drive improvements and awareness of the issues surrounding botnets. Given a few of the more important recommendations are taken and funded, the establishment of an IoT [cybersecurity framework] profile for example, a general overall improvement across all domains should be felt in the next few years,” Horvath told SearchSecurity. “I believe stronger improvements would be possible more quickly if the recommendations included greater focus on enforcing hard requirements rather than incentives.”

Gavin Reid, chief security architect at Recorded Future, a threat intelligence company headquartered in Somerville, Mass., said NIST’s goals are “laudable and the paper takes the approach of providing as comprehensive of a solution as is possible given the transient nature of attacks.”

“It does not address how the goals and technology approach keep up with and change to match changes to the attack vectors,” Reid told SearchSecurity. “The paper also conflates all botnets with IoT botnets. Bots resulting in automated controlled attacks and toolkits are not limited to IoT but have a much wider footprint covering all IT ecosystems.”

The IoT question

Following the highly publicized botnet attacks like Mirai which preyed on insecure IoT devices, the draft report focused on these issues and even noted “IoT product vendors have expressed desire to enhance the security of their products, but are concerned that market incentives are heavily weighted toward cost and time to market.”

Luke Somerville, manager of special investigations at Forcepoint Security Labs, said the goals and actions within the draft botnet security report are “a good starting point, but the effectiveness of ideas such as baseline security standards for IoT devices will depend entirely on the standards themselves and how they are implemented.”

“Any standards would need to be backed up robustly enough to overcome the strong market incentives against security which exist at present,” Somerville told SearchSecurity. “Increasing awareness and security education is also discussed — something that has been a goal of the security industry for a long time. Ultimately, insecure systems don’t fix themselves, and nor do they make themselves insecure in the first place. By focusing on the human point of contact with data and systems — be that point of contact the developers writing the code controlling the systems, the end-users configuring the systems, or even prospective users in the process of making a purchasing decision — we can attempt to build security in throughout the design and usage lifecycle of a product.”

Botnet security report outcomes

While experts were generally favorable to the draft botnet security report, some were less optimistic about real-world changes that might come from such a report.

Jeff Tang, senior security researcher at Cylance, said he was “not convinced this report will make any significant strides towards deterring the spread of botnets.”

“Trying to develop an accepted security baseline through a consensus-based process when one of your stakeholder’s primary goal is to sell you a new shiny IoT device every year is only going to result in watered-down standards that will be ineffective. As the recent spectacle of CPU bugs has shown, speed is the enemy of security. If you’re rushing to release a new device every year, security is going to be nonexistent,” Tang told SearchSecurity. “Additionally, secure development best practices haven’t changed much in the last decade, but judging by the reports of various device vulnerabilities, manufacturers have not voluntarily adopted these best practices.”

This is not the work of a moment; this is evolution over thousands of software design lifecycles.
Pam Dingleprincipal technical architect at Ping Identity

Pam Dingle, principal technical architect at Ping Identity, an identity security company headquartered in Denver, said “changing ecosystems is difficult” and it will take a concerted effort by vendors and CISOs alike to make the change real, otherwise “the effects will likely be limited.”

“It is up to those who see the value in the recommended actions to put the manpower into participating in standards groups, collaborating with adjacent vendor spaces to make integration easier and more pattern-based, and demanding that a shared defense strategy stay high in priority lists,” Dingle told SearchSecurity. “This is not the work of a moment; this is evolution over thousands of software design lifecycles, and even then, the mass of legacy devices out there with no update capabilities will be shackles on our collective legs for a long time to come. We have to start.”

A DHS data breach exposed PII of over 250,000 people

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of “approximately 246,167” federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person — not necessarily employed by the federal government — who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a “privacy incident.”

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data,” DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department’s case management system.

However, individuals affected by the DHS data breach weren’t notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

“The investigation was complex given its close connection to an ongoing criminal investigation,” the department said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including “placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG’s development practices related to the case management system.”

While the affected government employees were notified directly about the breach, DHS stated, “Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.”

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to provide federal standards for election security. One measure proposed in the bill is to eliminate the use of paperless voting machines, which are regarded by election security experts as the least secure type of voting machines in use in today. Paperless voting machines don’t allow for audits, which the proposed legislation also wants to make a standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia’s interference in the 2016 U.S. presidential election. “An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions,” the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsors Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • Attackers exploited a vulnerability in Google Apps Script to automatically download malware onto a victim’s system through Google Drive. Discovered by researchers at Proofpoint, the vulnerability in the app development platform enabled social-engineering attacks that tricked victims into clicking on malicious links that triggered the malware downloaded on their computer. The researchers also found the exploit could happen without any user interaction. Google has taken steps to fix the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years,” the research team said in a blog post. “Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” The researchers went on to note that, in order to combat this threat, “organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
  • The United States federal government is nearing its deadline to implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) tool. In October 2016, the DHS announced it would mandate the use of DMARC and HTTPS in all departments and agencies that use .gov domains. DHS gave those departments and agencies a 90-day deadline to implement DMARC and HTTPS, which means the Jan. 15, 2018, deadline is soon approaching. According to security company Agari, as of mid-December, 47% of the federal government domains were now using DMARC, compared to 34% the month before. Another requirement within this mandate is federal agencies are required to use the strongest “reject” setting in DMARC within a year. This means emails that fail authentication tests will be less likely to make it to government inboxes — i.e., be rejected. Agari reported a 24% increase in the use of higher “reject” settings in the last month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no DMARC policy.

DHS cyberinsurance research could improve security

The Department of Homeland Security has undertaken a long-term cyberinsurance study to determine if insurance can help improve cybersecurity overall, but experts said that will depend on the data gathered.

The DHS began researching cyberinsurance in 2014 by gathering breach data into its Cyber Incident Data and Analysis Repository (CIDAR). DHS uses CIDAR to collect cyber incident data along 16 categories, including the type, severity and timeline of an incident, the apparent goal of the attacker, contributing causes, specific control failures, assets compromised, detection and mitigation techniques, and the cost of the attack.

According to the DHS, it hoped to “promote greater understanding about the financial and operational impacts of cyber events.”

“Optimally, such a repository could enable a novel information sharing capability among the federal government, enterprise risk owners, and insurers that increases shared awareness about current and historical cyber risk conditions and helps identify longer-term cyber risk trends,” the DHS wrote in a report about the value proposition of CIDAR. “This information sharing approach could help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity insurance offerings.”

The full cyberinsurance study by the DHS could take 10 to 15 years to complete, but Matt Shabat, strategist and performance manager in the DHS Office of Cybersecurity and Communications, told TechRepublic that he hopes there can be short-term improvements to cybersecurity with analysis of the data as it is gathered.

Shabat said he hopes the added context gathered by CIDAR will improve the usefulness of its data compared to other threat intelligence sharing platforms. Experts said this was especially important because as Ken Spinner, vice president of global field engineering at Varonis, told SearchSecurity, “A data repository is only as good as the data within it, and its success will likely depend on how useful and thorough the data is.”

“Sector-based Information Sharing and Analysis Centers have been implemented over a decade ago, so creating a centralized cyber incident data repository for the purpose of sharing intelligence across sectors is a logical next step and a commendable endeavor,” Spinner added. “A data repository could have greater use beyond its original intent by helping researchers find patterns in security incidents and criminal tactics.”

Philip Lieberman, president of Lieberman Software, a cybersecurity company headquartered in Los Angeles, said speed was the key to threat intel sharing.

“The DHS study on cyberinsurance is a tough program to implement because of missing federal laws and protocols to provide safe harbor to companies that share intrusion information,” Lieberman told SearchSecurity. “The data will be of little use in helping others unless threat dissemination is done within hours of an active breach.”

Many organizations may be reluctant to share meaningful data because of the difficulty in anonymizing it and the potential for their disclosure to be used against them.
Scott Petryco-founder and CEO of Authentic8

Scott Petry, co-founder and CEO of Authentic8, a secure cloud-based browser company headquartered in Mountain View, Calif., said the 16 data elements used by the DHS could provide “a pretty comprehensive overview of exploits and responses, if a significant number of organizations were to contribute to CIDAR.”

“The value of the data would be in the volume and its accuracy. Neither feel like short term benefits, but there’s no question that understanding more about breaches can help prevent similar events,” Petry told SearchSecurity. “But many organizations may be reluctant to share meaningful data because of the difficulty in anonymizing it and the potential for their disclosure to be used against them. It goes against their nature for organizations to share detailed breach information.”

The DHS appears to understand these concerns and outlined potential ways to overcome the “perceived obstacles” to enterprises sharing attack data with CIDAR, although experts noted many of the suggestions offered by the DHS may not be as effective as desired because they tend to boil down to working together with organizations rather than offering innovative solutions to these longstanding issues.

DHS did not respond to requests for comment at the time of this post.

Using cyberinsurance to improve security

Still, experts said if the DHS can gather quality data, the cyberinsurance study could help enterprises to improve security.

Spinner said cyberinsurance is a valid risk mitigation tool.

“Counterintuitively, having a cyberinsurance policy can foster a culture of security. Think of it this way: When it comes to auto insurance, safer drivers who opt for the latest safety features on their vehicles can receive a discount,” Spinner said. “Similarly, organizations that follow best practices and take appropriate steps to safeguard the data on their networks can also be rewarded with lower a lower rate quote.”

Lieberman said the efficacy of cyberinsurance on security is limited because the “industry is in its infancy with both insurer and insured being not entirely clear as to what constitutes due and ordinary care of IT systems to keep them free of intruders.”

“Cyberinsurance does make sense if there are clear definitions of minimal security requirements that can be objectively tested and verified. To date, no such clear definitions nor tests exist,” Lieberman said. “DHS would do the best for companies and taxpayers by assisting the administration and [the] legislative branch in drafting clear guidelines with both practices and tests that would provide safe harbor for companies that adopt their processes.”

Petry said the best way for cyberinsurance to help improve security would be to require “an organization to meet certain security standards before writing the policy and by creating an ongoing compliance requirement.”

“It’s a big market, and insurers are certainly making money, but that doesn’t mean it’s a mature market. Many organizations require their vendors to carry cyberinsurance, which will continue to fuel that growth, but the insurers aren’t taking reasonable steps to understand the exposure of the organizations they’re underwriting. When I get health insurance, they want to know if I’m a smoker and what my blood pressure is. Cyberinsurance doesn’t carry any of the same real-world assessments of ‘the patient.'”

Spinner said the arrangement between the cybersecurity industry and cyberinsurance is “very much still a work in progress.”

“The cybersecurity market is evolving rapidly, to some extent it is still in the experimental phase in that providers are continuing to learn what approach works best, just as companies are trying to figure out just how much insurance is adequate,” Spinner said. “It’s a moving target and we’ll continue to see the industry and policies evolve. The industry needs to work towards a standard for assessing risk so they can accurately determine rates.”

DHS banned Kaspersky software from all government systems

The U.S. Department of Homeland Security has directed that every government agency must remove any and all Kaspersky software from their systems within 90 days.

Elaine Duke, the acting secretary of homeland security, issued a Binding Operational Directive this week that calls on U.S. government agencies and departments to find any use of Kaspersky software on their systems within 30 days. Within 60 days, they must develop plans to remove that software. And within 90 days, they must execute those plans to remove Kaspersky software and discontinue its use in the future.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS wrote in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

This move by DHS is the latest in a series of actions taken by the U.S. government to vilify the Russia-based antivirus company and get its products away from government information systems. In July, the Trump administration removed Kaspersky Lab from the U.S. General Services Administration approved vendors list, rendering the company ineligible to get government contracts for products and services.

The software has also already been banned from the Department of Defense, and Sen. Jeanne Shaheen (D-N.H.) introduced an amendment to the National Defense Authorization Act this week that would ban Kaspersky software from any federal computer.

The intelligence community — particularly the FBI — has been investigating ties between Kaspersky Lab and the Russian government, but has yet to provide the public with any hard evidence of collusion or influence.

According to the statement from DHS on this latest move to remove and ban the software, this move is not reserved for the Russian company.

“Safeguarding federal government systems requires reducing potential vulnerabilities, protecting against cyber intrusions, and anticipating future threats,” the statement from DHS read. “While this action involves products of a Russian-owned and operated company, the Department will take appropriate action related to the products of any company that present a security risk based on DHS’s internal risk management and assessment process.”

DHS also said it would be open to Kaspersky Lab submitting a written response addressing the concerns the U.S. government has raised. Kaspersky Lab co-founder and CEO Eugene Kaspersky has previously offered to let the U.S. government see the source code of his products on multiple occasions, and he accepted an offer to testify before the House of Representatives in defense of his company.

The concerns about Kaspersky software have not been limited to the government, as retail chain Best Buy announced it is pulling Kaspersky products from its shelves, as well.

In other news:

  • The commonwealth of Virginia’s board of elections voted to replace any and all touchscreen voting machines before the upcoming November elections. The voting machines, known as direct recording electronic (DRE) machines, will no longer be used in Virginia’s elections, and the commonwealth is determined to make the change before its gubernatorial election this year. This move comes shortly after a demonstration at the DefCon conference in July proved the extreme vulnerability of electronic voting systems. “This recommendation is being made for multiple reasons,” the board of elections wrote in a memo, “including the current security environment surrounding election administration, recently released public reports with confidential information related to unauthorized access to DREs at DefCon’s ‘Voting Machine Hacking Village,’ the fact that no DREs in use in Virginia have a voter-verifiable paper audit trail (VVPAT), and the initial security assessment review of various DRE equipment conducted by the Virginia Information Technology Agency (VITA).” Approximately 22 localities in the commonwealth still use DREs and will need to switch to new systems, though the specific voting machines that will replace them were not noted.
  • Exploit broker Zerodium has offered $1 million for zero-day exploits of the Tor Browser. Zerodium said it is gathering exploits on the Tor Browser to help the government. “While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse,” the broker wrote in its announcement of the project. “We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.” The program will run through the end of November, or it will end when the total payouts reach the $1 million limit. Specifically, Zerodium is looking for “a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED,” or exploits for Tor Browser with JavaScript.
  • A WordPress plug-in was updated with malicious code, affecting around 200,000 sites. Wordfence, WordPress’s plug-in security group, reported this week that the plug-in called Display Widgets was sold by its original author to a third-party in May 2017 for $15,000. The third-party purchaser then released an updated version of the plug-in a month later that showed malicious behavior. Since then, more updates of the plug-in have been released with more malicious behavior. According to Wordfence, the last three versions of Display Widgets have contained code that allows the plug-in owner to publish any content to the WordPress site, essentially creating a backdoor. “The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin,” Wordfence explained. “During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to WordPress repository.” Wordfence suggested anyone with Display Widget installed should remove it immediately.