Google tells senator that nation-state hackers probed his old campaign email accounts

Google has informed Sen. Pat Toomey, R-Pa., that nation-state hackers may have tried to breach old email accounts associated with his campaign, according to Toomey spokesman Steve Kelly. The probing involved phishing emails to accounts over a year old, and there is no evidence of a breach, according to Kelly. Based on scans of the emails, they did not appear to contain malware, he added. Toomey, who won re-election in 2016, is not up for re-election again until 2022. “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said in a statement Friday. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.” Kelly’s statement did not say whether the hackers have been tied to a particular country. Google did not respond to a request for comment by press time. Toomey is the latest politician to draw the attention of […]

The post Google tells senator that nation-state hackers probed his old campaign email accounts appeared first on Cyberscoop.

Continue reading Google tells senator that nation-state hackers probed his old campaign email accounts

T-Mobile breach exposes data on 2 million customers

Hackers have breached T-Mobile servers, exposing personal information on roughly 2 million customers, the mobile carrier has confirmed. Affected customers’ names, phone numbers, billing zip codes, email addresses, account numbers and account types may have been accessed, T-Mobile said. However, financial data, such as credit card or social security numbers, were not exposed. “On August 20, our cybersecurity team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities,” T-Mobile said in a statement. “This was quickly discovered by our security team and shut down very fast,” a T-Mobile spokesperson told CyberScoop. “There’s no additional threat.” Asked who was responsible for the breach, the spokesperson said “it was an international group” of hackers who accessed the company’s servers through an API. “It was a small percentage of our 77 million customers that was affected (about 3 percent),” the spokesperson said. Mobile carriers […]

The post T-Mobile breach exposes data on 2 million customers appeared first on Cyberscoop.

Continue reading T-Mobile breach exposes data on 2 million customers

DNC says phishing incident was a false alarm

The Democratic National Party now says a phishing campaign against its voter database revealed Wednesday was in fact an unauthorized test by a third party and not the work of a malicious attacker. “We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder,” DNC Chief Security Officer Bob Lord said in a statement. “The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors.” Lord did not identify the unauthorized third party that had carried out the phishing test. Citing a source familiar with the matter, PCMag reported that the Michigan Democratic Party had given its approval for an unnamed organization to carry out the test. Spearphishing was devastatingly effective during the 2016 presidential campaign, as Russian hackers breached […]

The post DNC says phishing incident was a false alarm appeared first on Cyberscoop.

Continue reading DNC says phishing incident was a false alarm

DHS, Microsoft to brief states on latest Russian intelligence activity

The Department of Homeland Security will hold a conference call for Microsoft representatives to brief state election officials on new evidence showing Russian hackers have targeted the U.S. Senate and conservative think tanks, according to senior DHS cybersecurity adviser Matthew Masterson. The goal will be to turn Microsoft’s observations into actionable security advice for state officials as the November midterms approach. The conference call, which Masterson said had not been scheduled yet, will be an opportunity for state officials to study the latest techniques from the Russian hacking group, often known as Fancy Bear, that breached Democratic Party organizations in the 2016 U.S. presidential campaign. Speaking to reporters Tuesday, Masterson said Microsoft’s takedown of internet domains allegedly set up by Fancy Bear showed “a growing interaction and relationship that we have with industry.” Asked if he anticipated that private companies would need to take similar action in the future, Masterson said the Russian […]

The post DHS, Microsoft to brief states on latest Russian intelligence activity appeared first on Cyberscoop.

Continue reading DHS, Microsoft to brief states on latest Russian intelligence activity

DNI official: Leaks won’t stop intelligence agencies’ digitization

The leaks of sensitive cyber tools from U.S. spy agencies in recent years will not impede the intelligence community’s push to adopt cloud computing and other hallmarks of a digitized world, according to a top intelligence official. “In a world that is more connected, I worry about security all the time,” Sue Gordon, principal deputy director of national intelligence, told CyberScoop, but “I’m not disproportionately worried about cloud security because I can see some real advantages to it.” “I think what’s nice about a more connected infrastructure is the ability to monitor” networks and detect threats, Gordon said. The U.S. intelligence community has suffered high-profile exposures of its hacking capabilities, including last year’s “Vault 7” episode, in which a former CIA employee allegedly leaked information on numerous U.S. government zero-day exploits, among other tools. In the wake of the leaks, U.S. intelligence agencies have continued to wrestle with how to […]

The post DNI official: Leaks won’t stop intelligence agencies’ digitization appeared first on Cyberscoop.

Continue reading DNI official: Leaks won’t stop intelligence agencies’ digitization

Microsoft: Russians targeted conservative think tanks, U.S. Senate

The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft. The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said. “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.” The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites […]

The post Microsoft: Russians targeted conservative think tanks, U.S. Senate appeared first on Cyberscoop.

Continue reading Microsoft: Russians targeted conservative think tanks, U.S. Senate

Election exercise pairs states with intelligence community in unprecedented opportunity

Forty-four states took part in an unprecedented election-security exercise last week that offered a crucial opportunity for electoral officials to interact with federal agencies with some of the most vaunted cyber capabilities in the government. This elaborate a security exercise simply didn’t happen in 2016: before the Russian government’s sweeping intervention in the U.S. election, it was hard to imagine the need for local and state officials to drill with the National Security Agency and U.S. Cyber Command. But with 2016 fresh in their minds, those officials have warmed to the idea. “The biggest obstacle that we had in 2016 was communication, and so I think a lot of those barriers have been torn down and states are more willing to hear from the federal government,” Election Assistance Commission Commissioner Thomas Hicks told CyberScoop. “[O]ne of the most valuable parts” of the drill, Hicks added, was that it drove home for state […]

The post Election exercise pairs states with intelligence community in unprecedented opportunity appeared first on Cyberscoop.

Continue reading Election exercise pairs states with intelligence community in unprecedented opportunity

PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations

President Donald Trump has rescinded a key policy directive that governs the approval process for cyberattacks conducted by the U.S. government, potentially opening the door to more offensive operations, an administration official familiar with the matter confirmed to CyberScoop. Presidential Policy Directive 20, which then-President Barack Obama signed in 2012, had installed an intricate inter-agency legal and policy process for green-lighting cyberattacks. Critics of the process said it unnecessarily delayed offensive operations, while advocates called it an important mechanism for accounting for all of the potential repercussions of a cyberattack. Trump’s reversal of the memorandum is in keeping with his administration’s efforts to enable military commanders to more freely conduct cyber operations against adversaries such as nation-states and terrorists. While critics warn of the pitfalls of loosening restrictions on hacking operations, the policy shift answers a call from lawmakers for the government to be more willing to go on the […]

The post PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations appeared first on Cyberscoop.

Continue reading PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations

DHS holds election security exercise with states to prep for midterms

With less than three months until the midterm elections, the Department of Homeland Security held a three-day exercise this week that allowed state and local officials to practice warding off an array of cyberthreats, from spear-phishing campaigns to distributed denial of service attacks. The drills, which featured officials from 44 states, the National Security Agency and U.S. Cyber Command, among other federal agencies, “explored potential impacts to voter confidence, voting operations, and the integrity of elections,” according to a DHS statement. The Election Assistance Commission, the federal agency charged with distributing $380 million in election-security funding to states, also took part. DHS said private vendors participated in the exercise, but did not name them. The exercise covered several scenarios, according to DHS: spear phishing against election officials; social media manipulation related to political candidates; “disruption” of voter registration IT systems; distributed denial-of-service attacks and “web defacements” affecting board of election […]

The post DHS holds election security exercise with states to prep for midterms appeared first on Cyberscoop.

Continue reading DHS holds election security exercise with states to prep for midterms

Research shows gap in House, Senate candidates’ website security

Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking. About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates. “The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races. […]

The post Research shows gap in House, Senate candidates’ website security appeared first on Cyberscoop.

Continue reading Research shows gap in House, Senate candidates’ website security