Black Hat attendees are very vocal about the VEP

With Black Hat USA in full swing, Las Vegas is buzzing with questions about the government’s process for disclosing newly discovered software vulnerabilities, even as the government is working to change the way the process works. At issue: What can fresh data examining zero days tell the public about whether the U.S. government secretly retains a new software vulnerability or reveals it to the manufacturer so it can be fixed? Retained vulnerabilities can be used to spy on U.S. adversaries, but — if rediscovered by foreign spies, cybercriminals or other hackers — they could also be used to wreak havoc on systems both inside and outside the U.S. “I’m gonna light it up,” cybersecurity researcher Katie Moussouris told CyberScoop about a planned debate on the subject. Because of the nature of the global software market — people and companies all over the world use the same programs — a high chance of rediscovery […]

The post Black Hat attendees are very vocal about the VEP appeared first on Cyberscoop.

Cybersecurity vendors lag badly on DMARC email security, survey shows

Only 1 in 4 of the cybersecurity companies exhibiting at the celebrated Black Hat conference this week have implemented a set of best practices to prevent email spoofing and phishing, according to figures from the nonprofit Global Cyber Alliance. In a release Wednesday, GCA said that 73 percent of the 268 exhibitors had not deployed Domain-based Message Authentication, Reporting and Conformance, or DMARC — a set of email protocols that prevents spammers, phishers and other cybercriminals from using an organization’s name and email domain to conduct hacking attacks. Of the 72 exhibitors using DMARC, only six — just 2 percent — have fully deployed it so that it stops spoofed email from being delivered. Lower-level implementations of DMARC warn an organization that its email domain is being spoofed — and can help spoofed mail get blocked by spam filters — but don’t prevent it from being delivered. “A lot of [security vendors] clearly are […]
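
The deployment tiers the survey distinguishes (no record, monitoring-only, and full enforcement that actually stops spoofed mail) map directly onto the `p=` and `pct=` tags of a domain’s DMARC TXT record. The script below, an added example and not code from Cyberscoop or the Global Cyber Alliance, classifies records into those tiers and tallies them the way a survey like GCA’s would. The domains and records are constructed and held in an in-memory table in place of real DNS lookups, so it runs offline.

```python
"""Classify DMARC deployment levels from DNS TXT records.

Added example. The domains and records in SAMPLE_DNS are made up; a live
check would instead fetch the TXT record at _dmarc.<domain>.
"""
from collections import Counter

# Tiers in rough order of protection. "partial" covers p=quarantine (spoofed
# mail still lands, in spam) and p=reject applied to fewer than 100 percent
# of messages; only "enforcing" stops spoofed mail from being delivered.
LEVELS = ("not_deployed", "monitoring", "partial", "enforcing")

# Constructed sample: hypothetical vendor domains and their _dmarc TXT records.
SAMPLE_DNS = {
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "vendor-b.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-b.example",
    "vendor-c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:d@vendor-c.example",
    "vendor-d.example": None,                                  # no record at all
    "vendor-e.example": "v=DMARC1; p=reject; pct=100; sp=reject",
    "vendor-f.example": "v=spf1 include:_spf.example -all",    # SPF, not DMARC
}


def parse_dmarc(record):
    """Split a TXT record into a tag -> value dict; None if it is not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record):
    """Return the deployment tier for one domain's DMARC record (or None)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "not_deployed"
    policy = tags.get("p", "").lower()
    if not policy:
        # RFC 7489 section 6.6.3: a record lacking p= but carrying rua= is
        # treated as p=none; with neither there is no usable policy.
        policy = "none" if "rua" in tags else ""
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct falls back to the RFC default
    if policy == "none":
        return "monitoring"       # reports arrive, but spoofed mail is delivered
    if policy == "quarantine":
        return "partial"          # spoofed mail is flagged, not refused
    if policy == "reject":
        return "enforcing" if pct >= 100 else "partial"
    return "not_deployed"         # unknown policy value: nothing enforceable


def survey(dns):
    """Count domains per tier; returns {tier: (count, percent of total)}."""
    counts = Counter(classify(rec) for rec in dns.values())
    total = len(dns)
    return {lvl: (counts[lvl], round(100 * counts[lvl] / total)) for lvl in LEVELS}


if __name__ == "__main__":
    for domain, rec in SAMPLE_DNS.items():
        print(f"{domain:20} {classify(rec)}")
    print(survey(SAMPLE_DNS))
```

To run this against real domains, replace `SAMPLE_DNS` with a dict built from TXT queries for `_dmarc.<domain>` (for example with the dnspython library), keeping `None` for domains that return no record. Note that a `p=reject` record only stops spoofing of the exact organizational domain unless `sp=` is also set for subdomains.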

NIST moving forward, cautiously, on framework revisions

Big changes to the National Institute of Standards and Technology’s Cybersecurity Framework, such as the introduction of a section on coordinated vulnerability disclosure, may be pushed off to a future major revision rather than being included in the forthcoming Version 1.1. That’s the takeaway from a report last week of the NIST public consultation workshop in May, in which the agency lays out plans to complete the overhaul of the popular cybersecurity guide by early next year. The commitment to “backwards compatibility” — ensuring users of the existing Version 1.0 can employ the new Version 1.1 — means that only smaller tweaks, like the addition of multi-factor identity authentication or new language for Internet of Things risks, can be addressed in the update. In the report, NIST laid out plans to inch ahead with a number of proposed changes to the draft V1.1 released in January. They include: Rewrites to the section on measuring cybersecurity — business leaders wanted it […]

The endless hunt: Looking for patterns in malware data

“No research is ever really finished,” observes Kenneth Geers, senior research scientist for Comodo. He’s talking about the second massive set of data he’s crunched in two weeks: The Comodo Threat Labs Q2 2017 report. It was only a week ago that Geers released Comodo’s Q1 data — the first time the company sought to leverage the huge amounts of information about malware attacks gathered by the 90 million installs of its software across the world. This time around, the dataset is four times as large — more than 97 million malware incidents — and Geers told CyberScoop the analysis he’s been able to do on it so far is “just scratching the surface.” “I’m going to be working all week,” he said, preparing for a presentation at DEF CON Saturday. In Q1, he demonstrated that “different malware types map against [national] GDP per capita.” The more advanced types of malware, like backdoors, make up a greater […]

Why a ‘super-Mirai’ attack never happened

The vast number of internet-connected devices that fueled the Mirai botnet are only the “tip of the iceberg” when it comes to the denial of service threat from the Internet of Things, according to new research to be presented at the DEF CON security conference later this week. “We estimate up to 95 percent of all IoT devices are deployed behind corporate firewalls,” and not addressable via the public internet, Steinthor Bjarnason, a security engineer with Arbor Networks, told CyberScoop. “They are only locally addressable,” he said. “We are talking about security cameras, light bulbs, thermostats…. Any kind of [connected] device … They are living happily behind those firewalls and life is good.” Mirai — which uses the public web to find and infect IoT devices and weaponize their internet connectivity into massive distributed denial of service attacks — brought the internet briefly to its knees last year. Hundreds of thousands of vulnerable IoT […]

Study: Zero days rediscovered much faster

New research from Harvard suggests that the freshly discovered software flaws called zero day vulnerabilities are independently rediscovered much faster than previously thought. The rediscovery rate has big implications for U.S. cybersecurity policy because it would change the calculation officials make when deciding whether to reveal zero days discovered by U.S. agencies so they can be fixed, or keep them secret so they can be used to spy on foreign adversaries and in other cyber-operations. “If the rediscovery rate is this high, the number of vulnerabilities [secretly retained] for operational use should be lower or subject to more aggressive scrutiny,” said Trey Herr, a post-doctoral fellow at the Belfer Center at Harvard. Herr, along with security guru Bruce Schneier and Christopher Morris, a research assistant from the Harvard school of engineering, published their findings this week after a lengthy peer-review process, and will present them at the Black Hat USA conference in Las Vegas next week. […]

Second act for cybersecurity commissioners: Pritzker, Palmisano, Nadella form nonprofit

Some members and staff of President Obama’s Commission on Enhancing National Cybersecurity are seeking to advance the commission’s goals through a nonprofit that will provide cyber risk-management best practices for small and medium-sized businesses, according to an announcement Wednesday. The Cyber Readiness Institute was launched to help the private sector “better address cybersecurity risk management across value chains, with a particular emphasis on support for small and medium-sized enterprises,” according to the announcement. The four co-chairs of the institute are former IBM CEO and commission Deputy Chairman Sam Palmisano; commission member and MasterCard CEO Ajay Banga; Microsoft CEO Satya Nadella, who took over from commission member and Microsoft Vice President Peter Lee; and Penny Pritzker, who as Obama’s secretary of Commerce stood the commission up. It will be run by commission Executive Director Kiersten Todt. “The commission was the launching pad and the foundation stone” for the institute, she told CyberScoop. She said she’d […]

Tallinn Manual author: Petya malware attack likely war crime

If Russia was indeed behind the recent destructive malware attack known as Petya, then it should be considered a war crime, according to the lead author of the definitive guide to international law in cyber conflict. Even though no one was injured or killed, they very easily could have been; the attackers appear to have targeted civilian infrastructure including hospitals and power companies; and they did so with an indiscriminate weapon, argues Prof. Michael Schmitt of the U.S. Naval War College, lead author of the Tallinn Manual, in an article posted on the European Journal of International Law. But the reasoning only holds if Moscow was behind the attack — because Russia is already engaged in an armed conflict, albeit undeclared, with Ukraine, the nation originally targeted by the malware. Petya on its own isn’t a big enough attack to count as a “use of force” in international law. “A threshold question is, ‘Is the […]

Insurers: Major cyberattack on cloud provider could cost more than huge hurricane

A successful major hacking attack on a global cloud provider could easily end up costing more than a huge natural disaster like Superstorm Sandy, and it could cripple the nascent cyber-insurance market even though only a fraction of the losses would be covered, a new report says. The report, which underlines the high volatility and low risk visibility that cyber-insurers face, was co-produced by venerable insurance market-maker Lloyd’s of London and Silicon Valley risk-management company Cyence. Its authors acknowledge it is hard to estimate losses from future large cyber-events with any degree of exactitude. “The understanding of cyber liability and risk exposures is relatively underdeveloped compared with other insurance classes,” they write. “Traditional insurance risk modeling relies on authoritative information sources such as national or industry data, but there are no equivalent sources for cyber-risk.” As a result, there is a very wide range of possible cost totals, depending on how the impact cascades through the economy. […]

Despite its hacking prowess, Russia appears to have very messy networks

Russia’s hackers may be among the best, but its computer networks are the most malware-ridden in the world, according to new data from security vendor Comodo. Russia also has a high proportion of more primitive forms of malicious software, the data show, suggesting the security of its IT networks is in a parlous state. The data, which comes from computers all over the world loaded with Comodo software and covers the first quarter of 2017, is analyzed by the company’s Comodo Threat Research Labs. “It’s a very bad sign,” said Comodo Senior Research Scientist Kenneth Geers of the Russia numbers. “It suggests the networks are poorly managed … the software is pirated or out of date.” “The networks [there] are riddled with malware that’s taking advantage of all the low-hanging fruit” in the form of poorly secured IT equipment, he added. “Probably many countries are spying on Russia pretty easily.” The 90 million […]
