Microsoft’s Smith adds ‘IT Red Cross’ to his ‘digital Geneva Convention’ call

Microsoft President Brad Smith this week renewed his call for a “digital Geneva Convention,” adding a new wrinkle: the suggestion that the world’s IT companies and their cyber first responders should be recognized as a kind of “tech Red Cross” — neutral players who should remain unmolested by combatants on the cyber-battlefield. In a speech at the U.N. in Geneva, Smith recalled the origins of the International Committee of the Red Cross — the brainchild of Geneva businessman Henri Dunant, who witnessed the slaughter at the battle of Solferino, in Italy in 1859, the deadliest single day of battle in Europe since Waterloo nearly a half-century earlier. “He recognized that humanity needed to catch up with [new weapons] technology … he advocated, he persuaded, he succeeded in convincing the leaders of governments in Europe that despite the fact that the medics were uniformed soldiers of a specific army, they should be treated as neutrals … protected so they could treat those […]

The post Microsoft’s Smith adds ‘IT Red Cross’ to his ‘digital Geneva Convention’ call appeared first on Cyberscoop.


Senate Dems want second confirmation hearing for DHS secretary nominee Nielsen

Democrats on the Senate Homeland Security and Governmental Affairs Committee are calling for a second hearing for Homeland Security secretary nominee Kirstjen Nielsen after revelations of political interference in immigration decisions and resignation threats from the acting DHS secretary. In a letter to committee Chairman Ron Johnson, R-Wis., Democratic members cite a Washington Post story saying that John Kelly, the former DHS secretary and current White House chief of staff, tried to bully acting secretary Elaine Duke into ending a special immigration status called TPS — designed to protect undocumented migrants from being deported to countries torn apart by wars or natural disasters. Duke, a highly experienced Senate-confirmed official who is well-liked within the department, threatened to resign, the Post reported. The confirmation process is being closely watched in cybersecurity policy circles because of the department’s key role in defending federal IT networks and America’s vital industries from online attack […]

The post Senate Dems want second confirmation hearing for DHS secretary nominee Nielsen appeared first on Cyberscoop.


What’s lurking in federal mobile tech? Apps, devices could hold nasty surprises.

A discovery by Department of Homeland Security techs shows that federal agencies could get some nasty surprises as they prepare for a new reporting mandate assessing the security of their mobile devices and apps. When security specialists from the DHS Science and Technology Directorate’s mobile security research and development team scanned the MyTSA mobile app, they found hard-coded credentials, program manager Vincent Sritapan said Thursday at the Red Hat Government Symposium presented by FedScoop. “What does this mean? This means … you are exposing the backend,” Sritapan said, referring to the fact that, in many applications, credentials erroneously hard-coded into the software can be a backdoor into the data that apps collect and into their cloud-based functionality. The MyTSA app is designed to let airline passengers get crowdsourced or historical data about wait times at airport security checkpoints. It includes a searchable database of items that can and can’t go in checked or carry-on bags. It’s unclear how much or what data was […]

The post What’s lurking in federal mobile tech? Apps, devices could hold nasty surprises. appeared first on Cyberscoop.


Senators postpone quick vote on Nielsen

A Senate committee vote on Kirstjen Nielsen’s nomination to become the next secretary of Homeland Security was postponed until at least next week after members submitted nearly 200 questions for the record Thursday. The Senate Homeland Security and Government Affairs Committee had been scheduled to hold a vote on the nomination just 24 hours after Nielsen’s confirmation hearing — a breathtakingly fast turnaround for the Senate. Sen. Ron Johnson, R-Wisc., told a business meeting of the committee Thursday that the vote would be delayed until at least Monday, as Nielsen, who is currently White House deputy chief of staff, drafts answers to 197 follow-up questions that she received from committee members after Wednesday’s hearing. “To put things into perspective, about the only comparable secretary nomination mid-cycle was [President Obama’s second DHS secretary] Jeh Johnson,” said the chairman. There were 42 questions for the record after that nomination hearing, he added. “Nobody was doing anything on our side to […]

The post Senators postpone quick vote on Nielsen appeared first on Cyberscoop.


‘Eavesdropper’ vulnerability strikes hundreds of mobile apps using Twilio

Careless coding by mobile developers using Twilio’s application programming interface (API) has left hundreds of enterprise communication apps vulnerable to snooping and monitoring, security researchers revealed Thursday. Apps impacted by the newly named Eavesdropper vulnerability total nearly 700, including one used for secure communications by a federal law enforcement agency, according to research from the Appthority Mobile Threat Team. Others affected include an app that enables enterprise sales teams to record audio and annotate discussions in real time, and branded white-label navigation apps for customers such as AT&T and U.S. Cellular. More than 170 of the affected and vulnerable apps are live in app stores today, Appthority says. Downloads of vulnerable Android apps total 180 million. Vulnerable apps expose historic and current data including calls, call records, call audio recordings, and SMS and MMS text messages, according to Appthority. Twilio says there’s no evidence the issue has been exploited in the wild. “Eavesdropper is caused by developers […]

The post ‘Eavesdropper’ vulnerability strikes hundreds of mobile apps using Twilio appeared first on Cyberscoop.


Feds upping their email security game in wake of DHS order

The number of federal agencies employing a security protocol that stops email spoofing has more than doubled since the Department of Homeland Security instituted a binding government-wide policy last month. The number of .gov domains employing Domain-based Message Authentication, Reporting and Conformance (DMARC) has risen from 156 on Oct. 1 to 344 on Nov. 6, according to figures compiled this week by the nonprofit Global Cyber Alliance. Nearly a thousand federal domains still don’t have it deployed at all, despite the Binding Operational Directive DHS issued Oct. 16. DMARC is the industry-standard measure to prevent email spoofing — when hackers make their messages appear as if they come from trusted correspondents. It’s thereby a powerful weapon against phishing — when hackers try to steal passwords or implant malware by getting victims to click links or open malicious attachments in spoofed emails. But DMARC, once deployed, has to be switched on, explained GCA’s Director of Operations […]

The post Feds upping their email security game in wake of DHS order appeared first on Cyberscoop.


Here’s how cybersecurity was dealt with in Kirstjen Nielsen’s confirmation hearing

Kirstjen Nielsen, President Donald Trump’s nominee for Homeland Security Secretary, said during her confirmation hearing Wednesday that securing the nation’s computer networks against hackers, spies and online crooks was one of the key missions of the sprawling federal department. Lawmakers with the Senate Homeland Security and Governmental Affairs Committee mostly agreed with that sentiment. Then everyone proceeded to largely ignore the subject for the rest of the hearing. Wednesday was instead dominated by the political lightning rods of border security, immigration enforcement and even climate change. There were questions about Nielsen’s relative lack of senior-level leadership experience, but cybersecurity — one of the increasingly rare topics on which there is actually bipartisan agreement in Congress — took a back seat. The hearing yielded some dribs and drabs of cyber, however, which we’ve chronicled below.

From elections to the energy grid

A key cybersecurity topic focused on electronic voting machines and other online election systems — starting with the […]

The post Here’s how cybersecurity was dealt with in Kirstjen Nielsen’s confirmation hearing appeared first on Cyberscoop.


House committee dings DHS’s cyber intelligence for fusion centers

Fewer than one in four Homeland Security fusion centers across the country receive cyberthreat reporting or other intelligence products from DHS’ National Protection and Programs Directorate, hampering their nascent efforts to help defend the country against online attacks, a congressional report said Tuesday. Those efforts are further hampered because fusion center representatives do not sit on the floor of NPPD’s 24-hour watch center, the National Cybersecurity and Communications Integration Center (NCCIC), the majority staff of the House Homeland Security Committee found. The report includes material from dozens of interviews and a long survey completed by 68 major fusion centers across the country. The centers were set up to integrate state and local law enforcement agencies into DHS’ homeland protection mission by providing them with threat warnings they could use to inform their local priorities and by vacuuming up local intelligence reporting in the hope that it could cast light on national trends or geographically dispersed terrorist […]

The post House committee dings DHS’s cyber intelligence for fusion centers appeared first on Cyberscoop.


Senators urged to question DHS nominee Nielsen’s management experience

Senators of both parties were tight-lipped Tuesday about their plans for Homeland Security Secretary nominee Kirstjen Nielsen’s confirmation hearing — but there’s one topic many observers are hoping they’ll ask about: her experience. The issue of leadership is a key one for the department — a sprawling government behemoth which encompasses two of the largest federal law enforcement agencies and is responsible for a bewildering variety of missions. In particular, observers say, its cyber mission has been handicapped by the absence of an operational agency responsible for securing government computer networks and helping vital U.S. businesses harden their IT systems against online attacks. Nielsen’s defenders point to a career in emergency preparedness, first as a junior White House official and later as a consultant and think-tank fellow, culminating in her brief stint this year as chief of staff at DHS under then-Secretary John Kelly. But critics point out that, until this year, she’d never managed […]

The post Senators urged to question DHS nominee Nielsen’s management experience appeared first on Cyberscoop.


Watchdog: DHS prioritizing speed over context for AIS program

Sharing threat intelligence with the private sector at the Department of Homeland Security is hamstrung in two ways, an agency watchdog said Monday: the department prioritizes speed of release over adding context or other value, and there is no integration between its classified and unclassified databases, leaving analysts with only half the picture. “Given these limitations” to DHS’s automated information sharing (AIS) program, “federal and private sector partners sometimes rely on other systems or participate in other DHS information sharing programs to obtain quality cyber threat data,” finds a report from the department’s inspector general. The IG was mandated by the 2015 Cybersecurity Act to report biennially on the department’s efforts with regard to the AIS program. The Cybersecurity Act created liability protections for private sector companies that shared cyberthreat information with the federal government through DHS, and ushered in a new era in which “indicators of compromise” — the tell-tale signs of a cyber-intrusion — could […]

The post Watchdog: DHS prioritizing speed over context for AIS program appeared first on Cyberscoop.
