Pacemaker updates seal vulnerabilities that impact nearly half million U.S. patients

Pacemakers from Abbott Laboratories can be hacked due to three significant vulnerabilities, the Department of Homeland Security’s CERT team announced on Tuesday, prompting the manufacturers to issue updates to address security and dangerous battery problems. It’s a complex and difficult flaw to exploit, according to CERT, but the danger is real. A nearby hacker can gain unauthorized access to the heart implants allowing them to issue commands, change settings and interfere with the pacemaker’s functionality. The pacemakers deliver electrical pulses to correct a slow, irregular or stopped heart. Interference could result in a target’s death. Attackers have to be within inches of the target to exploit the vulnerability via radio frequency (RF) communications. The pacemakers impacted are the following St. Jude Medical pacemaker and CRT-P devices: Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. MedSec Holdings, a third-party security research firm, identified the vulnerabilities in the devices made by Abbott Laboratories, formerly known as […]

The post Pacemaker updates seal vulnerabilities that impact nearly half million U.S. patients appeared first on Cyberscoop.

Tillerson to officially eliminate cyber coordinator office

The State Department’s cyber coordinator office will be shuttered, Secretary Rex Tillerson announced Monday. The move comes one month after Chris Painter, America’s top cyber diplomat for six years, announced his departure in July. Some of the Coordinator for Cyber Issues (CCI) office’s responsibilities will fall to the Bureau of Economics and Business Affairs (EB), according to a letter Tillerson sent to Congress that outlined a broad reorganization, downgrading and even elimination of some special envoys in the State Department. The Economic and Business Affairs bureau will receive a $5.5 million budget boost as a result of the realignment. Two weeks after leaving his post, Painter published a blog defending the CCI office’s work. “Achieving the future we want will require continued high-level attention and a significant and sustained effort,” Painter argued. “Diplomacy has and must continue to play a pivotal role — shaping the environment, building cooperation, and working to build coalitions to respond to shared […]

Hurricane Harvey scammers use disaster as phishing bait

As Hurricane Harvey continues to devastate southeast Texas, scammers are taking advantage of the catastrophe by sending phishing emails that can steal sensitive information or infect targeted machines, according to a new warning from US-CERT. Man-made and natural disasters are magnets for scammers and hackers looking to take advantage of people’s inclination to help or learn more, the agency warned, cautioning the public that “emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.” US-CERT, which is part of the Department of Homeland Security, pointed to the Federal Trade Commission’s information on Wise Giving in the Wake of Hurricane Harvey as well as its own general guidance on Avoiding Social Engineering and Phishing Attacks. Expect more disaster and death in Texas. About 30,000 people are expected to seek emergency shelter, government officials said Tuesday, and 450,000 will seek federal aid. The rain total in Houston is expected to hit a massive […]

Chinese drone maker DJI launches bug bounty program after U.S. Army ban

Chinese drone maker Daijiang Innovation Corporation (DJI) launched a bug bounty program on Monday after the company’s products were banned by the U.S. Army about one month ago due to unspecified “cyber vulnerabilities.” DJI owns 70 percent of the global drone market, according to a 2016 analysis by Goldman Sachs and Oppenheimer. Analysts predict that the market will expand to $100 billion in five years. DJI also released several security updates and removed third-party plugins that did not meet security standards on Monday, based on a press release issued by the company. The Army ban pushed DJI to launch several additional security updates over the last month, including one patch that added the ability to disconnect a drone from the internet while it is in flight. Customer concerns were ultimately the motivating factor that caused DJI to make changes to its software, Reuters previously reported. The newly announced bug bounty program offers rewards from […]

U.S. spies think the FBI is botching the Kaspersky investigation

U.S. spies believe FBI agents have mismanaged the ongoing counterintelligence investigation into Moscow-based cybersecurity company Kaspersky Lab, current and former senior U.S. officials familiar with the matter tell CyberScoop. Officials who spoke with CyberScoop believe the FBI has engaged in deliberate media leaks and overblown classified congressional briefings to build its case around Kaspersky. These officials also say the FBI should be more covert in its efforts by quietly convincing private companies to uninstall Kaspersky software and issuing other classified directives, which they believe would not put the rest of the intelligence community — especially agencies engaged in cyber operations — in the crosshairs for retaliation. The FBI has briefed private sector firms across industries urging the companies to cut ties with Kaspersky on security grounds, CyberScoop reported last week. On some occasions, the FBI’s outreach efforts in the U.S. have gone well. At least one major American energy firm recently opted against signing a significant business deal with Kaspersky due […]

Will Democrats share all cyber threat intel with Donald Trump in 2020?

Imagine this: Donald Trump’s 2020 presidential campaign and, let’s say, Joe Biden’s 2020 campaign working together closely on cyber threat and incident intelligence sharing. Every sensitive piece of information and forensics on hacking attempts passed between the two opposing organizations. Given what we know about the 2016 presidential campaign, the scenario seems like a long shot. However, it’s closer to reality than most would think. That scenario is one possible outcome of a newly launched project promoting an Information Sharing and Analysis Organization (ISAO) among U.S. political campaigns. The overall project, Defending Digital Democracy (DDD), launched in July at Harvard University’s Belfer Center for Science and International Affairs. This month, Hillary Clinton’s campaign manager Robby Mook and Mitt Romney campaign manager Matt Rhoades announced the ISAO as the DDD’s first priority. In the wake of the most high-profile campaign hacking in American history, it’s a critical security point that’s received a lot of support. The specifics — including the possibility of […]

Marcus Hutchins prosecutors outline secret evidence to be introduced

Prosecutors in the case against Marcus Hutchins, the British cybersecurity researcher recently arrested in the U.S. on charges of creating the Kronos banking malware, were this week granted a protective order keeping much of their evidence out of the public eye. The Justice Department asked the Wisconsin federal judge hearing the case for restrictions on releasing the evidence because it includes “information related to other ongoing investigations, malware, and investigative techniques.” The defense didn’t contest the request and the judge granted the order. While Hutchins, his lawyers, and any outside experts they engage will be able to see the evidence in a pre-trial procedure known as discovery, they are not allowed to share anything with anyone outside the defense team — and the expert witnesses will have to sign a copy of the order, showing they agree to its terms. Hutchins, better known by his Twitter handle MalwareTechBlog, pleaded not guilty to the charges last week. […]

Private firm puts $500K bounty on Signal, WhatsApp zero-day vulnerabilities

Zero-day vulnerabilities targeting popular secure messenger applications, like Signal, Telegram and WhatsApp, can fetch payments of up to $500,000 from Zerodium, a buyer and seller of zero-day research, based on a newly released list of available awards offered by the U.S. firm. The market for zero-day vulnerabilities — undisclosed software security holes that can be exploited by hackers — is notoriously rich and murky. Traders tend to operate away from public scrutiny for a number of reasons, which makes it difficult to learn about the market. Although Zerodium isn’t known for the transparency of its business, the company’s listings for vulnerabilities provide a window into the supply and demand behind the vulnerability resale industry. Information concerning software flaws that allow for remote code execution and privilege escalation within Signal and other secure messenger applications is currently worth $500,000 apiece. These applications are used by billions of people around the world including, as […]

Versive gets $12.7 million in Series C round

Seattle-based Versive, a big data analytics company that sells the “Versive Security Engine,” announced Tuesday it raised $12.7 million, bringing total investment in the firm to $54.7 million. Founded in 2012 as Context Relevant, the renamed company bills its products as strategically applied artificial intelligence built to secure “organizations [that] are overwhelmed by data, unable to detect high-risk patterns in their network,” Versive CEO Joe Polverari said in a statement. The new money and focus on cybersecurity are a pivot that comes after deep layoffs hit the company in 2015 and a “deep operational review” following disappointing results. Versive’s advisory board includes Richard Clarke, the CEO of Good Harbor and former adviser to presidents Bill Clinton, George W. Bush and Barack Obama on cybersecurity issues, and Peiter Zatko, also known as Mudge, a founder of the famous 1990s-era hacking collective the L0pht. Versive’s goal is to have automated systems find patterns of malicious behavior. The use […]

Silent Circle acquires hardware VPN firm Kesala

Silent Circle acquired Kesala, a Maryland-based hardware startup previously backed by the NSA-connected investment fund DataTribe, earlier this month. The price and terms of the acquisition are unknown. Founded by the U.S. intelligence veteran Vesh Bhatt, Kesala makes a small black box designed to encrypt and obfuscate internet traffic. Silent Circle CEO Gregg Smith describes Kesala as a “VPN and Wi-Fi hotspot the size of a matchbox” with the ability to mask user location. It can be used on servers, phones, desktops, laptops and any IoT device. The device was developed in and used by U.S. intelligence agencies before its private sector debut. “It acts like a mobile firewall,” Silent Circle chief strategy officer Joshua Konowe said. “It’s a tiny little box about the size of two tic-tac boxes. It will encrypt up to five devices. You’re encrypting all the information on the device and then it’s connecting to the internet and going out […]
