Chinese providers fueling growth of DMARC email security standard

More than three-quarters of the world’s email inboxes are secured against spammers and scammers with DMARC — a set of technical protocols designed to prevent the spoofing of email addresses, according to figures released Tuesday. That’s a big rise from fewer than two-thirds in 2015 — growth driven in large part by the adoption of DMARC by Chinese email and internet providers, according to Dylan Tweney, head of communications at ValiMail, which compiled the figures. “More than 2 billion more inboxes are protected by DMARC” than in 2015, he told CyberScoop, adding “maybe a half to two-thirds” of that growth was down to adoption by large Chinese providers, including NetEase and Tencent. “We are approaching a tipping point for … herd immunity” from phishing and spam, Tweney said, borrowing a concept from immunology. “The more recipients implement DMARC, the more valuable it becomes for senders to adopt.” DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a […]

The post Chinese providers fueling growth of DMARC email security standard appeared first on Cyberscoop.

Feds continue to call for private companies to come forward after breaches

American companies that are victims of a data breach ought to report the crimes and work with law enforcement because doing so could change the unfriendly public narrative that the government will look to start charging companies with crimes, federal officials told business executives this week. Acting Assistant Attorney General Dana Boente, the current head of the Justice Department’s national security division, pitched industry leaders in Washington on what he called “the business case” for cooperation with law enforcement in the wake of an online intrusion. “I recognize that your decision to call the FBI, to work with the Justice Department, is often your decision: It’s a choice,” Boente said in a keynote address to the U.S. Chamber of Commerce’s Sixth Annual Cybersecurity Summit. “And what I want to do today is lay out that there are real benefits to making that choice and the risks shouldn’t be overstated.” He argued that — for companies victimized by […]

The post Feds continue to call for private companies to come forward after breaches appeared first on Cyberscoop.

CISOs are finally getting access to the corporate board — but need more of it

Headline-grabbing hacks like the Equifax breach provide “teachable moments” that can be used to leverage more cybersecurity investment from company executives, but even with enough money, there are other resources — like face time with the board, or skilled personnel — that are always in short supply, according to a panel of chief information security officers that spoke with CyberScoop Tuesday. “Even though CISOs are getting more and more time in front of the board, we’re still not getting enough,” Tammy Moskites, CISO for cybersecurity company Venafi, told CyberScoop on the fringes of an ISACA cybersecurity event in Washington. ISACA, formerly known as the Information Systems Audit and Control Association, is a professional membership and advocacy non-profit based outside of Chicago. “I get 15 minutes with the board on a quarterly basis,” said Michael Raeder, CISO of Orbital ATK, a defense and space contractor recently purchased by Northrop Grumman. “I typically go over” time, provoking angry looks from […]

The post CISOs are finally getting access to the corporate board — but need more of it appeared first on Cyberscoop.

Clapper: U.S. shelved ‘hack backs’ due to counterattack fears

When the Obama administration was weighing a response to distributed denial-of-service attacks against U.S. banks in 2012, officials vetoed any retaliation because they were worried that the country’s digital infrastructure wouldn’t be able to deal with counterattacks, according to former Director of National Intelligence James Clapper. The DDoS attacks, which slammed dozens of U.S. banks with increasing force, were traced back to Iran by U.S. intelligence, Clapper recently told the ICF CyberSci Symposium in Fairfax, Virginia. The attacks, launched from networks of compromised servers around the world, struck 46 major banks and other financial institutions — including Bank of America, Capital One, JPMorgan Chase, PNC Bank, New York Stock Exchange and Nasdaq. Hundreds of thousands of customers were unable to access their bank accounts online and the victim companies spent tens of millions of dollars to mitigate the attacks. “We’d all built up quite a head of steam, [thinking] ‘By God, we’re not going […]

The post Clapper: U.S. shelved ‘hack backs’ due to counterattack fears appeared first on Cyberscoop.

Responsible vulnerability disclosure is becoming an international norm

More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws. The U.S. started using its own Vulnerability Equities Process in 2010, according to declassified documents, although it didn’t reveal the VEP publicly until 2014 — to help allay suspicions that the National Security Agency might have secretly known about the massive Heartbleed vulnerability. Now, other democracies are following suit, but it’s not clear if this will put pressure on “bad actor” nations to follow other countries’ lead. Just this month, the Canadian national broadcaster CBC reported for the first time that the country’s equivalent of the NSA, the Communications Security Establishment (CSE), had a comparable process to the VEP — although it is not public and the agency wouldn’t even say what it’s called. “CSE has […]

The post Responsible vulnerability disclosure is becoming an international norm appeared first on Cyberscoop.

Some federal websites now allowing users to log in via secure USB keys

For the first time, Americans will have the option to use a cryptographically secure USB keystick to protect their online accounts on federal government websites. Owners of online accounts protected by identity-proofing startup ID.me will be able to use keysticks conforming to the Universal Second Factor, or U2F, standard promulgated by the Fast IDentity Online, or FIDO, Alliance, ID.me announced Tuesday. The option will be available to users alongside existing two-factor services, such as a code sent by SMS text message, or a call to a landline, the company said. It’s the first time U2F keysticks — considered a gold-standard protection against phishing and other forms of online identity theft — have been available to the users of federal online services. ID.me did not disclose the three federal agencies it said were buying the company’s identity proofing services — but it has in the past done very public work to provide veterans secure […]

The post Some federal websites now allowing users to log in via secure USB keys appeared first on Cyberscoop.

Auditors get guidance on SSH key management

A new guide for auditors says SSH key management should be on their checklist because the proliferation of unmanaged keys for the ubiquitous encryption protocol means IT networks can’t be guaranteed as secure. The guidance, “SSH: Practitioner Considerations,” was published Tuesday by the nonprofit global membership association ISACA, previously known as the Information Systems Audit and Control Association. The guidance includes an appendix listing controls that companies can use to ensure proper management of SSH keys. Secure Shell, or SSH, is an open-source cryptographic protocol used to enable secure, encrypted access by individual users to servers and other computer assets across the networks of a distributed enterprise. It also facilitates automated machine-to-machine communications in the same secure fashion. But without careful management, the digital keys that enable that communication can proliferate and end up stored in insecure, easily found locations on the network. “When auditors sign off on accounts … when [a publicly traded] company management makes […]

The post Auditors get guidance on SSH key management appeared first on Cyberscoop.

Cyber companies urged to share — and not sell — threat info

Companies that manage and distribute threat intelligence need to stop thinking of their curated feeds as a competitive advantage and instead share them as widely as possible, officials and executives from the power and telecoms sector urged last week. “The information that can help everybody … better defend their networks is important to everybody, so it shouldn’t be a competitive advantage, it should be part of what we regularly share,” senior Department of Homeland Security official John Felker told the Intelligence and National Security Summit Thursday. “When you do that, we all get better at it [cyberdefense].” DHS runs several programs that provide free threat intelligence to the private sector, noted former Homeland Security Undersecretary Suzanne Spaulding. Additionally, Congress passed a cyberthreat sharing law in December 2015, creating liability protections and other legal safe harbors for companies that shared information with DHS. AT&T Vice President of Global Public Policy Chris Boyer noted that the cutting edge of the […]

The post Cyber companies urged to share — and not sell — threat info appeared first on Cyberscoop.

Officials: U.S. should share threat info on — but not blacklist — Kaspersky products

The U.S. government should brief companies about supply chain security threats, like the ones allegedly posed by Russian cybersecurity firm Kaspersky, yet the government shouldn’t be in the business of blacklisting, officials and executives said Thursday. Companies have to manage the risks suppliers might present, be it from an inadequate security posture, or — as is alleged against Kaspersky — links to Russian intelligence agencies, panelists told a session at the Intelligence and National Security Summit. “We’re in a position to help you make those [risk management] decisions [about suppliers], we’re not in a position to make them for you,” said John Felker, director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security. “The government has always been reluctant to create blacklists,” observed former DHS Undersecretary Suzanne Spaulding. Representatives of vital industries agreed with Felker and Spaulding during a discussion on critical infrastructure cybersecurity. The companies that […]

The post Officials: U.S. should share threat info on — but not blacklist — Kaspersky products appeared first on Cyberscoop.

Equifax breached, up to 143 million SSNs and DOBs stolen, all Americans offered credit monitoring

Massive multinational credit reporting company Equifax has been breached by hackers, with up to 143 million U.S. residents having their names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers stolen from the company’s databases. Although the breach affects just over 60 percent of the adult population of the U.S., it is far from being the largest ever. Two Yahoo breaches revealed last year impacted almost 1.5 billion accounts. But experts said it might nonetheless be the worst, because the consumers affected would all immediately be at high risk of identity theft for the foreseeable future. Unlike when credit card or password information is stolen, consumers cannot change their Social Security number or date of birth. The largest breach of SSNs prior to Thursday was the 2015 Anthem hack of 80 million records. In an unprecedented move, Atlanta-based Equifax said it was offering a year’s free credit monitoring — […]

The post Equifax breached, up to 143 million SSNs and DOBs stolen, all Americans offered credit monitoring appeared first on Cyberscoop.
