Why DHS is telling all feds to implement DMARC email security

An email security program that the Department of Homeland Security has made mandatory for U.S. agencies will stop hackers, online scammers and spies from impersonating federal email addresses — and boy, is it ever needed. It comes as new figures suggest that more than 1 in 4 emails from .gov addresses might be malicious criminal spam. Domain-based Message Authentication, Reporting and Conformance (DMARC) is the industry standard measure to prevent the spoofing of emails — when hackers make their messages appear as if they come from trusted correspondents, explained DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra. “It’s a reasonable action that agencies can take; it’s in line with industry best practices; and it has broad, scalable impact across the whole [online] ecosystem,” Manfra told CyberScoop in an interview, outlining her rationale. “It was one of the first things we started work on” after she was appointed acting assistant secretary earlier this year. Agari, a company […]

The post Why DHS is telling all feds to implement DMARC email security appeared first on Cyberscoop.

What is a ‘cyber moonshot,’ anyway?

Boosters say it would provide a unifying national goal on a key national security issue. Critics argue that using a space-travel analogy is all wrong. Like it or not, the “cyber moonshot” is becoming a thing. Earlier this month, a presidential advisory committee debated the concept, and on Wednesday, former CIA CTO Ira “Gus” Hunt used a keynote at CyberTalks to call for one. Such a project would create a single national goal for a much-needed cybersecurity game-changer. But framing the problem in terms of a huge singular goal pursued by a lone government agency isn’t necessarily helpful, argue critics. And even supporters don’t seem sure how the characteristics of the moonshot map to the far more diverse cybersecurity problem set. “The cyber moonshot is a call to action,” said Hunt, now the federal cybersecurity practice lead for Accenture. It involved setting “a big, hairy audacious goal … shifting the balance of cyber-power [toward defenders […]

DHS spokesman leaving for think tank

Department of Homeland Security press secretary David Lapan is leaving his post for a job with the Bipartisan Policy Center, CyberScoop has learned. Lapan told CyberScoop he made the decision on Sunday and told senior colleagues Monday. His last day in the office will be Oct. 24, and he will be joining the Washington, D.C.-based think tank as senior director of communications and public affairs at the end of the month. Lapan, who returned to government service at the request of then-Homeland Security Secretary John Kelly, said the timing of the move — it comes only days after the announcement that Kirstjen Nielsen would be nominated to be the next DHS secretary — was “a coincidence.” Elaine Duke has been acting secretary since Kelly became President Donald Trump’s chief of staff. “Once it became clear that I would not be going to the White House with Gen. Kelly, people who knew me started […]

Financial institutions launch their own cyber range to train defenders, test tools

Banks, insurance companies and other financial institutions are banding together to design and build a series of cyber ranges — computer environments where defenders can exercise, train and test tools to defend their real computer networks against online attackers. The initiative, by the Financial Sector Information Sharing and Analysis Council, or FS-ISAC, has already built out the first range and will stage the first exercise on it at the end of November at the Federal Reserve Bank of Boston, according to Shaun Brady, a consultant with FS-ISAC. “Some will be there physically, others will take part remotely,” Brady told CyberScoop on the fringes of the Integrated Cyber Conference staged by the Johns Hopkins University Applied Physics Laboratory as part of DC CyberWeek. The sector “does a great job with tabletop exercises,” said Brady, but those are more policy- and management-oriented. There was a dearth of “hands-on-keyboards” style war games, he said. Eventually, […]

Fin7 weaponization of DDE is just their latest slick move, say researchers

When cybercrime gang FIN7 weaponized a new attack vector against Microsoft applications within a day of it being published last week, it was just the latest slick move from a threat group that has been consistently one step ahead of cyber defenders. A timeline of different attack vectors used by the group, compiled by Morphisec researchers, shows that FIN7 typically adopts a new technique within “a couple of days” of an attack being discovered, once the number of security solutions that detect it gets into double figures. The Morphisec researchers analyzed scoring of FIN7 attachment lures by VirusTotal — a service that scans files and tests them against 56 kinds of security software. “A look at VirusTotal scoring reveals that when a FIN7 campaign is first active, it goes mostly undetected by security solutions. The malicious documents do not score more than 1-3 detections. Within a couple of days, security solutions update their patterns and […]

DHS orders feds to adopt DMARC email security

The Department of Homeland Security is using new powers to order federal agencies to adopt a form of email security that guards against spam and phishing. A DHS Binding Operational Directive announced Monday in New York City by Assistant Secretary for Cybersecurity and Communications Jeanette Manfra gives federal agencies 90 days to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) for their email systems. “It’s a real sign that DHS and the federal government are stepping up and leading by example,” said Phil Reitinger, CEO of the Global Cyber Alliance — a non-profit that advocates for internet security. DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a hacking technique used in both crime and espionage, in which an email appearing to come from a trusted friend or company provides an infected attachment or directs readers to a website where login and […]

Researchers say this attack is a bad bug. Microsoft says it’s a feature.

Microsoft says the wave of stealthy fileless attacks that leverage the company’s own applications is a feature, not a vulnerability, and it won’t be patched despite the company having known about the flaw since August. Microsoft “said they weren’t going to fix it” on Sept. 29, Dominic White, CTO of pentesting outfit SensePost, told CyberScoop via email. SensePost had alerted the company a month before that the Dynamic Data Exchange, or DDE, protocol in Microsoft Word could be used by hackers to run commands and open executable programs. Microsoft told the pentesters that it was a feature and there would be no patch, but that it would be considered for a bug fix in a future version. This week SensePost published a proof-of-concept on its blog, noting that the technique was an excellent way to get around security measures that cyber-aware enterprises might have in place. The following day, researchers found the technique being used in the wild […]

The Trump administration is looking for its ‘cyber moonshot’

Tech advisors to the Trump administration are looking for a cybersecurity “moonshot” — a single national target that will be a game-changer in online security. But a meeting of a blue-ribbon telecommunications panel this week suggested that defining such a goal is still some way off. “This is the beginning of a conversation,” Scott Charney, vice chairman of the president’s National Security Telecommunications Advisory Committee, told CyberScoop during a break in the proceedings at a public meeting Wednesday. “This current approach [to cybersecurity] isn’t working,” added Charney, a former Justice Department cyber prosecutor and current Microsoft VP. “The breaches keep on happening.” NSTAC met in the shadow of the recent Equifax breach — in which hackers were able to steal Social Security numbers for over 145 million Americans by exploiting an unpatched vulnerability in the company’s web application software. The committee was unable to achieve a quorum and so did not conduct any formal business. Charles […]

Equifax: Hackers got personal data on Brits, too

Hackers who stole Social Security numbers and other poorly secured personal data for 143 million Americans from Equifax also got away with the personal information of nearly 700,000 British citizens, the credit reporting company said Tuesday. A computer file containing 15.2 million records of British citizens was “attacked” during the hack, which began in May, Equifax UK Ltd. said in a statement. “Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields,” the statement went on. The company said it would be writing to a total of 693,665 consumers whose email address, phone number, driver’s license number or username and password combination had been stolen. They will be offered free credit monitoring and other identity protection tools. The exact breakdown is: 12,086 consumers had an email address associated with their Equifax.co.uk account accessed. 14,961 consumers had portions of their Equifax.co.uk membership […]

OWASP postpones publication of Top 10 app vulnerabilities draft

The Open Web Application Security Project (OWASP) has postponed publication of its canonical Top 10 list of web application vulnerabilities this week, saying it needs more time to review the unprecedented amounts of data it’s received. “We have data on 114,000 apps at the moment, but we got a lot of late submissions. That could rise to 120,000 or 130,000,” lead author Andrew van der Stock told CyberScoop. He said the team of volunteers preparing the new draft met over the weekend and agreed to push the scheduled Oct. 9 publication to Oct. 20. “We needed more time to analyze all this new data,” he said. “We still want to give people a month to comment” on the draft after it’s released, van der Stock said, but added the authors were determined to publish the final version before Thanksgiving. “We don’t want it to get lost in the holidays,” he concluded. OWASP is a […]
