News

Virtual security conferences fill void left by canceled face-to-face events

Articles, Blog, News

Notable members of the infosec community are creating impromptu but highly popular virtual events using cheap, off-the-shelf tools.

Following the swift emergence of the COVID-19 crisis, organizers of cybersecurity and hacking conferences of all sizes have been faced with three choices: cancel their events altogether, postpone them to a presumably better future, or find some way to hold them virtually on the internet. Wild West Hackin' Fest, originally slated for March 10 to March 13 in San Diego, quickly converted itself into a virtual conference and was soon followed by dozens of conferences that modified their plans to accommodate the need for social distancing.

A new form of non-traditional information security conference has emerged over the past two weeks. These conferences are organized by leading information security professionals who are leveraging existing, off-the-shelf online video conferencing and collaboration tools such as GoToWebinar or Zoom to rapidly mount internet-based alternatives to in-the-flesh confabs.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New York’s SHIELD Act could change companies’ security practices nationwide

The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill signed into law last July. One key provision in the legislation that could significantly change security practices across the country is slated to go into effect March 21, possibly inducing companies big and small to change the way they secure and transmit not only New Yorkers’ private data but all consumers’ sensitive information.

Technically an amendment to the state’s data breach notification law, the SHIELD Act could have as much of an impact on internet and tech companies’ privacy and security practices as the more famous California Consumer Privacy Act (CCPA) or even the European Union’s General Data Protection Regulation (GDPR), experts say.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Cyberspace Solarium report calls for layered cyber deterrence, defend forward strategy


The intergovernmental commission outlines the steps needed to defend the United States from modern cybersecurity threats.

Last week, the US Cyberspace Solarium Commission, a bicameral, bipartisan intergovernmental body created by the 2019 Defense Authorization Act, launched its official report on the organization, policy and technical issues surrounding how to best defend the country against digital security threats. Inspired by a commission established in the Eisenhower Administration to tackle Cold War era problems, the Cyberspace Solarium Commission is co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI). It counts among its 14 commissioners four members from Congress, four senior executive agency leaders and six experts from outside of government.

The objective of the commission is to cut through the thicket of government bureaucracy, terminology and archaic structures surrounding cybersecurity and come up with implementable action plans that address the issues uncovered by the commission’s investigation. The report spells out 75 recommendations for action across the public and private sectors.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Deloitte: 8 things municipal governments can do about ransomware


Deloitte researchers explain why state and local governments are favored for ransomware attacks and how they can protect themselves with limited resources.

The IT systems of the City of Durham and Durham County in North Carolina have been shuttered since a successful ransomware attack struck the municipalities on the evening of March 6. Although details are still sketchy, the North Carolina Bureau of Investigation indicated the attackers used Russian-made malware known as Ryuk.

Durham joins a growing list of local governments grappling with the latest security scourge sweeping the country: ransomware attacks against poorly fortified local government systems that are ill-prepared to recover from these assaults. Municipal governments like Durham are attractive targets for ransomware attackers, and governments are being held hostage more frequently and for more money, according to a new report released today by Deloitte’s Center for Government Insights that examines trends in ransomware attacks on state and local governments.

According to the report, in 2019 governments reported 163 ransomware attacks, a nearly 150% increase from 2018, with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs. Tight budgets, a growing attack surface and inadequate cybersecurity talent are the top reasons that cities struggle with the attacks, the report said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Is the EARN-IT Act a backdoor attempt to get encryption backdoors?


New bipartisan US legislation to fight online child exploitation incentivizes companies to drop end-to-end encryption, critics say.

Last week a pair of US senators on the Senate Judiciary Committee, Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), introduced a flashpoint piece of legislation called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT). The bill, ostensibly designed to dampen rampant child exploitation activities online, drew criticism from civil rights groups, free speech advocates, and cybersecurity professionals during draft discussions. Most observers said it is a sneak attack on end-to-end encryption. The release of the formal version of the bill only solidified this fear.

The 65-page piece of legislation promises to eliminate so-called Section 230 legal liability protection for tech and internet companies that don’t meet recommendations about how to eradicate child exploitation material. Those recommendations would be made by a 19-member National Commission on Online Child Sexual Exploitation Prevention. Companies can “earn” the liability exemptions granted under Section 230 of the Communications Decency Act, an essential protection that enabled the growth of online platforms such as Facebook, Twitter and Google, if they meet the commission’s recommendations on how to combat child sexual abuse material (CSAM).

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Authentication, identity management start-ups lead 2019 VC investing


Cybersecurity venture investments reached nearly $7 billion in 2019. Authentication and identity management start-ups were the top lures.

The red-hot venture capital (VC) investment trend for cybersecurity start-ups turned white hot during 2019, with the number of investment deals in “pure-play” cybersecurity companies soaring from 2018 levels. According to one set of numbers, the Venture Monitor report produced by PitchBook for the National Venture Capital Association (NVCA), the cybersecurity sector is attracting “unprecedented levels of VC deal-making.”

The goal of all this deal-making is to cash out wisely when companies are either acquired or go public on the stock exchange. Like VC spending, 2019 was a major year for cybersecurity acquisitions, with more than 150 deals totaling more than $23 billion taking place.

The NVCA data, however, shows a downtick in total venture investment in cybersecurity start-ups from 2018 to 2019, from around $6.5 billion to around $5 billion. That slip is consistent with a PwC/CBInsights report on 2019 venture spending, which doesn’t break out spending for the cybersecurity sector separately but shows overall venture investing falling toward the end of the year, with year-over-year spending levels dropping by 9% to $108 billion.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

5G security is a mess. Could digital certificates help?


5G inherited security vulnerabilities from earlier mobile technology, but digital certificates might solve the issue of unauthenticated messages.

As countries around the world begin deploying 5G technology, the promises of faster speeds and better service sometimes obscure a host of security issues affecting the next-generation cellular technology. These security concerns exist despite improvements in data encryption, authentication and privacy embodied in recent releases from the Third Generation Partnership Project (3GPP), the technical standards organization for cellular communications.

The most prominent of 5G security fears are highlighted in the Trump administration’s fight to ban technology from China’s tech giant Huawei from U.S. next-generation networks. The U.S. government is also seeking to persuade European and other allies to shun Huawei, an effort that has met with limited success. The basic fear driving the Huawei ban is that the company caters to the government in Beijing and might very well embed surveillance capabilities into its technology or otherwise spy for the Chinese government, making 5G completely insecure from the get-go.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Presidential campaigns taking email security more seriously–not so much at the local level


DMARC now protects the email domains for most U.S. presidential candidates, according to a new report, but local election bodies lag behind and are vulnerable to spoofing.

The 2020 election season got off to what could be a record-setting rocky start with delays in the reporting of the Iowa caucus results due to a poorly developed app. The failure of the mobile IowaReporterApp, developed for the Democratic party by a company called Shadow, Inc., followed by revelations that the app was riddled with security errors, further fueled the flames of anxiety about the security of 2020 voting and election systems. (To be clear, the IowaReporterApp was not a mobile voting app but merely a means of collecting and reporting the results of the individual caucuses.)

Against the spectacular failure of the Iowa caucus and as the Democrats head into tomorrow’s New Hampshire primary having ditched the Shadow app, there are some signs that election-related security is otherwise headed in the right direction. For the first time, the 2020 U.S. presidential election hit a milestone because more than half of the candidates for president have domains that are protected from spoofing, according to a just-released study by identity-based anti-phishing company Valimail.

Of the 14 candidates currently in the race (including Donald Trump but excluding Joe Walsh, who dropped out last week), eight are protected by Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies set to enforcement. DMARC is an email authentication, policy and reporting protocol that builds on two other widely deployed email security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which give domain owners control over who can send as them.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Recent False Claims Act cases a caution to gov’t contractors that skimp on security


Two FCA cases unsealed in 2019 show that contractors can face multi-million-dollar penalties if they don’t comply with federal government cybersecurity requirements.

The False Claims Act (FCA), otherwise known as the “Lincoln Law,” can cost companies that supply goods or services to the federal government millions of dollars if they fail to provide the digital security protections they promise, as two recent cases illustrate. In one of the cases, Cisco Systems was forced to pay millions of dollars to the federal and state governments.

First passed in 1863 during the Lincoln Administration, the FCA was aimed at fraudulent contractors who sold bad horses, provisions and munitions to the Union Army. One of the law’s provisions allows for citizen “relators” or whistleblowers to be paid a percentage of what can be recovered from those who are proved to have made false claims to the federal government in the sale of goods or services.

Between the Civil War and the mid-1980s, the FCA was little used until it was given a shot in the arm by Congress in 1986 to deal with rampant problems involving defense contractors. The FCA was revised again by Congress in 2009 and 2010.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

On the 2020 Congressional cybersecurity agenda: Critical infrastructure, copyright exemptions


Despite the distraction of an election year, Congress is expected to give the Department of Homeland Security tools to identify critical infrastructure threats and copyright exemptions to security researchers.

Distracted by high-profile developments, gridlocked by partisan resentment, and time-crunched due to the election year, Congress is nevertheless swinging into gear on specific cybersecurity issues, Washington insiders told attendees at ShmooCon 2020 this past weekend. Among the top items that Congress might tackle are new subpoena powers to address critical infrastructure threats, a big-picture policy report, and copyright law exemptions that protect security researchers.

Congressional interest in cybersecurity has escalated over the past decade, the panelists agreed. “Congress members are aware of a challenge. They want to do something to fix it,” Nick Leiserson, legislative director to Congressman Jim Langevin (D-RI), a senior member of the House Armed Services and Homeland Security Committees, said. “There is engagement, and that is very important. That is a change that is not where we were ten years ago when my boss was being looked at [oddly] by his colleagues. You know, they were like, ‘Here’s the tinfoil hat, Jim,'” he said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]