How Congress could handle cybersecurity-focused bills in 2018

As the year begins anew for Congress, lawmakers face a daunting legislative list that includes decisions on a number of cybersecurity-focused laws. CyberScoop polled a half dozen people who work on cybersecurity policy issues to come up with a verdict on each piece of possible legislation — and get their broader take on the possibilities for cyber law-making in 2018. The experts looked at the following bills:

A new DHS cyber agency: H.R. 3359, passed by voice vote in the House in December, is awaiting action by the Senate Homeland Security and Governmental Affairs Committee.

Election cybersecurity: S. 2261, introduced in December with bipartisan support, and referred to the Rules and Administration Committee. A companion bill in the House, H.R. 3751, was referred both to the Administration and Intelligence Committees.

Internet of Things security standards: S.1691 was introduced in August and referred to the Senate Homeland Security and Governmental Affairs Committee. Companion […]

The post How Congress could handle cybersecurity-focused bills in 2018 appeared first on Cyberscoop.

VMware announces, patches critical flaw in its VDP backup product

Cloud computing technology provider VMware issued a security advisory Tuesday outlining three critical vulnerabilities in its vSphere Data Protection (VDP) backup and recovery product. “A remote attacker could exploit these vulnerabilities to take control of an affected system,” wrote the U.S. Computer Emergency Readiness Team in a warning sent out Tuesday afternoon by the National Cyber Awareness System. It advised all VMware customers to download and install the patches, which the company has publicly pushed. VMware, part of the Dell Technologies family of companies, did not say how many of its 500,000-plus customers use the affected VDP product. The advisory doesn’t list when and how the vulnerabilities were discovered. A spokesman for the company told CyberScoop by email they had no further details to offer. VDP saves images of virtual machines that have spun up in an enterprise cloud environment so they can be easily restored in the event of […]

New gov email report is a mixed bag ahead of DMARC deadline

The number of federal agencies adopting a security standard that stops people from impersonating their email domains surged by more than a third just before the end of 2017, according to new research out Tuesday. However, less than two weeks away from a Department of Homeland Security deadline, more than half of all agencies still don’t use Domain-based Message Authentication, Reporting and Conformance (DMARC), according to figures published by email security provider Agari. The number of .gov domains with DMARC rose from 351 on Nov. 9 to 523 on Dec. 18. But that still represents only 47 percent of the 1106 federal domains subject to the order. Known as Binding Operational Directive 18-01, the order set a Jan. 15 deadline for agencies to adopt DMARC. “DMARC has proven to be an effective solution to secure our federal domains, but more work is needed,” said Jeanette Manfra, assistant secretary for DHS’ […]

The Wassenaar Arrangement’s latest language is making security researchers very happy

Security researchers are welcoming rewritten language covering hacking tools in a treaty that regulates the global trade in weapons technology, saying it fixes rules that, if implemented in the U.S., would have outlawed much of the daily commerce of the cybersecurity industry. The recent agreement, reached at the annual plenary session of the Wassenaar Arrangement — a 42-nation arms control treaty to which the U.S. is a signatory — was broadly welcomed by policy makers, industry sources and security researchers. “We applaud the hard work of the U.S. interagency and our partners in industry, the research community, and foreign governments to clarify software and technology controls that could have had a negative impact on legitimate cybersecurity,” Rob Joyce, White House Cybersecurity Coordinator, told CyberScoop. The changes provide exemptions to the export control requirements the treaty imposes on hacking tools. Cyber defenders and white hat security researchers engaged in vulnerability disclosure and […]

European police take down criminals behind two big ransomware strains

Romanian police announced Wednesday the arrest of three suspects and questioning of six more in an operation against a cybercrime gang that spread two of the most popular ransomware variants in the world. The arrests, which were carried out last week, were the culmination of a multi-national investigation that began in 2015, according to a statement from the Dutch National High Tech Crime Unit. Other agencies involved included Britain’s National Crime Agency, the FBI, and both Europol’s European Cybercrime Center (EC3) and its Joint Cybercrime Action Taskforce (J-CAT). Those arrested were linked to two forms of ransomware: CTB-locker and Cerber. According to Europol, investigators from the Romanian Police Service for Combating Cybercrime seized “a significant amount” of material at the six homes, including “hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents.” The agency said it supported the investigation, known as Operation Bakovia, by “hosting operational meetings, […]

How a bad wi-fi router flaw led to a perfect example of responsible disclosure

Tens of thousands of long-range WiFi routers used to provide home wireless broadband, especially in remote or rural areas, are riddled with vulnerabilities that could let a hacker take over IT networks, security researchers said Tuesday. The vulnerabilities, some of which can be exploited remotely if the router’s management interface is directly connected to the internet, were discovered in Cambium Networks’ ePMP and cnPilot product lines by independent researcher Karn Ganeshen earlier this year. Although Cambium has made patches available, as many as 36,000 of the devices appear visible on the internet. Ganeshen approached cybersecurity firm Rapid7 to coordinate disclosure with Cambium in September, Rapid7 Director of Research Tod Beardsley told CyberScoop. “He had a great big pile of vulnerabilities,” Beardsley said. “A lot of them were variations on a theme. We triaged them out … and when we figured out what we had, there were really 11 of them, […]

Bill to create DHS cyber agency faces a tough road in the Senate

The bill passed by the U.S. House of Representatives to create a new cybersecurity agency inside the Department of Homeland Security faces a tough climb in the Senate despite bipartisan support, observers and staffers say. H.R.3359, the Cybersecurity and Infrastructure Security Agency Act of 2017, passed by voice vote Monday — moving the bill to the upper chamber. In brief floor remarks, Rep. John Ratcliffe, R-Texas, called the bill a “compromise” that fellow Texan, House Homeland Security Committee Chairman Michael McCaul, had worked on with “dogged determination.” In a statement, newly sworn-in DHS Secretary Kirstjen Nielsen also praised McCaul’s “tireless work” on the proposal. And well she might: It’s his second attempt — with bipartisan support from Rep. Bennie Thompson, D-Miss. — to create an operational cybersecurity agency within DHS. The first bill never made it to the House floor last Congress because of turf fights: Nine other House committees […]

Is Mailsploit really a threat to DMARC?

A new security testing tool that enables email messages to be faked or spoofed, even if the recipients are protected by best practices, has garnered some strong criticism from email security advocates. News of the tool — called Mailsploit — took off last week after a Wired article highlighted the research. The tool would give would-be attackers a way around email security standards — known as DMARC — employed by a number of email clients. DMARC is the industry standard that prevents email spoofing, a practice where hackers make messages appear to come from trusted correspondents. John Wilson, the field CTO for email security company Agari, told CyberScoop that while the article did contain caveats, he considered it “rather alarmist.” “If you just skim that article, you would come away with the impression that this standard, which the email industry has worked on for a decade and which has stopped remarkable […]

Why is it so hard to sign up for the feds’ cyberthreat information sharing program?

A little more than a year since the Department of Homeland Security launched the Automated Indicator Sharing program, private sector adoption of the cyberthreat information service has been sluggish. Critics have said the data has problems with quality and timeliness. But some experts say there’s another — and perhaps more important — issue: For most companies, it’s just too darn hard to sign up. One private sector executive who spoke to CyberScoop but asked for anonymity to preserve relationships at DHS, said company leaders “reared back hard” when they discovered what was involved in getting onboarded to AIS, which shares cyberthreat indicators gleaned from U.S. intelligence with the private sector. “You have to negotiate a special deal, which means lawyers’ time. You have to buy and install special equipment … You need people working on it … When you add it all up, it was a six-figure proposition with no [return on investment] you can […]

Report: DMARC email security can be too hard for some large companies

Adoption of the email security standard known as DMARC — the best way to stop fraudulent email like phishing messages — remains low, even among large banks and other major corporations, according to new figures. And that’s because many companies don’t know about it, and it can be very complex to implement in big enterprises. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the industry standard measure to prevent email spoofing — when hackers make their messages appear as if they come from trusted correspondents. The aim of these so-called phishing messages is to entice the recipient to click malicious links or download infected attachments. Phishing is the number one method used by hackers to gain a foothold on a company network, experts say, and a major cybercrime vector — and DMARC, when used correctly, stops it dead. But a succession of recent reports has shown that DMARC adoption rates continue to […]
