Articles

Mail-in ballots during COVID crisis necessary, but with risk says expert

Noted election security researcher Harri Hursti says mail-in voting is likely the only option for a safe, secure US presidential election, but voter and election-worker training is needed.

One of the foremost topics facing the nation, the security of the 2020 presidential election, has been obscured by the COVID-19 pandemic. Cybersecurity company Grimm brought the topic to the forefront during its virtual GRIMMcon event held April 14 by inviting noted election security specialist, hacker and researcher Harri Hursti to offer his take on the state of US election security.

HBO’s documentary on the weakness of the US election system, Kill Chain, which premiered in late 2019, follows Hursti as he travels the world and across the US exposing voting insecurities. CSO caught up with Hursti after his GRIMMcon talk to discuss the state of US election security, the feasibility of mass mail-in voting during the COVID-19 pandemic, and whether new voting machine standards under development by a revived Election Assistance Commission could make a difference in election security.

Hursti says that despite years of warning and repeated demonstrations of the insecurity of voting systems, “a lot of the infrastructure in the United States has not even been updated since 2002. Nothing has changed since the Help America Vote Act of 2002. The majority of systems are running 2004, 2005 deployments. The vast majority of systems are old and have not been updated.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Trump administration moves to revoke China Telecom’s US licenses on security grounds

A legal filing claims China Telecom is in violation of federal and state cybersecurity and privacy laws, but evidence is redacted.

Highlighting the diminished opportunities for Chinese telecom and technology providers in the US, the Department of Justice (DOJ) announced last week that the Trump Administration would seek to revoke and terminate the licenses of mobile operator China Telecom. China Telecom is authorized to provide communications, data, television and business services in the US as a facilities-based common carrier. It obtains spectrum licenses from the Federal Communications Commission (FCC) under what is called international Section 214 authorizations.

The DOJ announcement said relevant executive branch agencies unanimously recommended that the FCC revoke the telco’s licenses because it is an arm of the Chinese government and therefore poses “substantial and unacceptable national security and law enforcement risks.” Those agencies collectively represent an ad hoc arrangement of the Departments of Justice, Defense, and Homeland Security, formerly known as Team Telecom, which was established to ensure that the FCC defers to the executive branch when it comes to, among other things, matters of foreign ownership of communications assets in the US.

The redacted legal filing containing the agencies’ recommendation was submitted to the FCC’s International Bureau Filing System (IBFS) by the Department of Commerce’s National Telecommunications and Information Administration (NTIA), which filed on the agencies’ behalf. NTIA’s filing was the first that followed a somewhat unexpected April 4 Executive Order, which formalized or codified for the first time the Team Telecom arrangement.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Beware malware-laden emails offering COVID-19 information, US Secret Service warns

As the coronavirus crisis continues to capture everyone’s attention, cybercriminals stay busy running scams and delivering malware using the attention-getting virus as a lure. The threats from the scammers and crooks, which began as early as January and continue unabated, range from tricking people out of their financial data to delivering pernicious malware.

To commit their crimes, many schemes rely on tried-and-true phishing methods that exploit unpatched software flaws, some of which have stayed unfixed for years. On April 1, the US Secret Service (USSS) sent out an information alert, “Fraudulent COVID-19 Emails with Malicious Attachments,” that warns about messages masquerading as COVID-19 status emails from employers, merchants and other businesses.

The USSS has uncovered attempted attacks that, using these faux alerts, sought to remotely install malware on the infected system to “harvest financial credential, install keyloggers, or lockdown the system with ransomware.” The malicious attachments are usually Microsoft Office or WordPad file types that exploit a now-patched vulnerability in Microsoft Office, according to the alert. However, the Secret Service says that variations exist and attack vectors evolve.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

White House strategy paper to secure 5G envisions America leading global 5G development

Though light on details, the paper offers clues as to how the US government sees the development and security of 5G communications moving forward.

With curiously little fanfare, the White House released last week a six-page document called the National Strategy to Secure 5G, a blueprint that was mandated by the Secure 5G and Beyond Act. That bill, signed into law by President Trump on the same day, March 23, that the White House released its strategy paper, directed the president to release his strategy paper within 180 days of the bill’s enactment.

The paper’s stated goal is to articulate a vision “for America to lead the development, deployment and management of secure and reliable 5G communications infrastructure, worldwide, arm-in-arm with our closest partners and allies.” The four “lines of effort” driving this vision include:

  • Facilitating the domestic roll-out of 5G
  • Assessing the security risks and core principles for infrastructure
  • Managing those economic and security risks
  • Promoting responsible global development and deployment of the 5G infrastructure

The domestic roll-out of 5G, coordinated by the National Economic Council, primarily lies with the Federal Communications Commission (FCC), which has what it calls its 5G FAST plan. FAST makes more radiofrequency spectrum available, streamlines government processes, and “modernizes” regulation to promote the deployment of 5G backhaul. The Commerce Department is also working on a National Spectrum Strategy to plan for future generations of wireless networks.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New coronavirus-era surveillance and biometric systems pose logistical, privacy problems

Governments and companies are using biometrics and geolocation to identify and track potential coronavirus victims in the name of public safety.

As the COVID-19 pandemic grips the globe, new surveillance methods are already raising new privacy and security challenges despite the still-early days of this crisis. Chief among these potential problems is the sudden turn by the government toward using geolocation data to track millions of Americans’ cell phones in monitoring the spread of the disease.

Silicon Valley giants, including Alphabet, Amazon and Facebook, have already been called into the White House to brainstorm ways to use geolocation, public media scraping and other technologies to track users in ways that ostensibly don’t violate users’ privacy. Meanwhile, phone carriers across Europe are sharing data with authorities while Israeli intelligence agencies are using phone tracking technology initially developed to combat terrorism in the fight against COVID-19.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Virtual security conferences fill void left by canceled face-to-face events

Notable members of the infosec community are creating impromptu but highly popular virtual events using cheap, off-the-shelf tools.

Following the swift emergence of the COVID-19 crisis, organizers of cybersecurity and hacking conferences of all sizes have been faced with three choices: cancel their events altogether, postpone them to a presumably better future, or find some way to hold them virtually on the internet. Wild West Hacking Fest, originally slated for March 10 to March 13 in San Diego, quickly converted itself into a virtual conference and was soon followed by dozens of conferences that modified their plans to accommodate the need for social distancing.

A new form of non-traditional information security conference has emerged over the past two weeks. These conferences are organized by leading information security professionals who are leveraging existing, off-the-shelf online video conferencing and collaboration tools such as GoToWebinar or Zoom to rapidly mount internet-based alternatives to in-the-flesh confabs.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New York’s SHIELD Act could change companies’ security practices nationwide

The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill signed into law last July. One key provision in the legislation that could significantly change security practices across the country is slated to go into effect March 21, possibly inducing companies big and small to change the way they secure and transmit not only New Yorkers’ private data but all consumers’ sensitive information.

Technically an amendment to the state’s data breach notification law, the SHIELD Act could have as much of an impact on internet and tech companies’ privacy and security practices as the more famous California Consumer Privacy Act (CCPA) or even the European Union’s General Data Protection Regulation (GDPR), experts say.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Cyberspace Solarium report calls for layered cyber deterrence, defend forward strategy

The intergovernmental commission outlines the steps needed to defend the United States from modern cybersecurity threats.

Last week, the US Cyberspace Solarium Commission, a bicameral, bipartisan intergovernmental body created by the 2019 Defense Authorization Act, launched its official report on the organization, policy and technical issues surrounding how to best defend the country against digital security threats. Inspired by a commission established in the Eisenhower Administration to tackle Cold War era problems, the Cyberspace Solarium Commission is co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI). It counts among its 14 commissioners four members from Congress, four senior executive agency leaders and six experts from outside of government.

The objective of the commission is to cut through the thicket of government bureaucracy, terminology and archaic structures surrounding cybersecurity to come up with implementable action plans that address the issues uncovered by the commission’s investigation. The report spells out 75 recommendations for action across the public and private sectors.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Deloitte: 8 things municipal governments can do about ransomware

Deloitte researchers explain why state and local governments are favored for ransomware attacks and how they can protect themselves with limited resources.

The IT systems of the City of Durham and Durham County in North Carolina have been shuttered since a successful ransomware attack struck the municipalities on the evening of March 6. Although details are still sketchy, the North Carolina Bureau of Investigation indicated the attackers used Russian-made malware known as Ryuk.

Durham joins a growing list of local governments grappling with the latest security scourge sweeping the country: ransomware attacks against poorly fortified local government systems that are ill-prepared to recover from these assaults. Municipal governments like Durham are attractive targets for ransomware attackers, and governments are being held hostage more frequently and for more money, according to a new report released today by Deloitte’s Center for Government Insights that examines trends in ransomware attacks on state and local governments.

According to the report, in 2019 governments reported 163 ransomware attacks, a nearly 150% increase from 2018, with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs. Tight budgets, a growing attack surface and inadequate cybersecurity talent are the top reasons that cities struggle with the attacks, the report said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Is the EARN-IT Act a backdoor attempt to get encryption backdoors?

New bipartisan US legislation to fight online child exploitation incentivizes companies to drop end-to-end encryption, critics say.

Last week a pair of US senators on the Senate Judiciary Committee, Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), introduced a flashpoint piece of legislation called The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT). The law, ostensibly designed to dampen the rampant child exploitation activities online, has drawn criticism from civil rights groups, free speech advocates, and cybersecurity professionals during draft discussions. Most observers said it is a sneak attack on end-to-end encryption. The release of the formal version of the bill only solidified this fear.

The 65-page piece of legislation promises to eliminate so-called Section 230 legal liability protection for tech and internet companies that don’t meet recommendations about how to eradicate child exploitation material. Those recommendations would be made by a 19-member National Commission on Online Child Sexual Exploitation Prevention. Companies can “earn” the liability exemptions granted under Section 230 of the Communications Decency Act, an essential protection that enabled the growth of online platforms such as Facebook, Twitter and Google, if they meet the commission’s recommendations on how to combat child sexual abuse material (CSAM).

[This article appeared in CSO Online. To read the rest of the article please visit here.]