SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?

Every massive breach comes with a trail of lawsuits and regulatory ramifications that can last for years. Home Depot, for instance, only last month settled with a group of state attorneys general over its 2014 breach. The SolarWinds security incident that U.S. officials have pinned on state-sponsored Russian hackers is unlike anything that came before, legal experts say, meaning the legal liability could take even longer to resolve in court. As Congress, federal government departments and corporations reckon with the vast sweep of the SolarWinds breach, there are still many more questions than answers. Few pieces of it are less certain than how it might play out in court, where companies and individuals alike stand to gain or lose. Many millions of dollars, corporate blame and years of finger-pointing are on the line. That’s because the targets — government agencies, and some major companies — aren’t the usual kind of […]

The post SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage? appeared first on CyberScoop.


Biden takes aim at Trump, Russia over SolarWinds breach

President-elect Joe Biden pressured Donald Trump on Tuesday to name the hackers behind the SolarWinds breach, saying that the evidence suggests Russia is responsible. Biden also faulted the incumbent president for his handling of the nation’s digital defenses and vowed to do “all that needs to be done” to get to the bottom of the sweeping cyber espionage campaign, then punish the culprits. “It is a grave risk and it continues. I see no evidence that it’s under control,” Biden said during a speech in Wilmington, Delaware. “The Defense Department won’t even brief us on many things. So I know of nothing that suggests it’s under control. This president hasn’t even identified who is responsible yet.” Biden’s remarks amounted to his most extensive statement on cybersecurity since winning office. They came shortly after Trump downplayed the severity of the backdoor inserted into SolarWinds software that has afflicted both Cabinet departments […]


Senators press Treasury to speak about breach, planned response to hackers

Two key Senate Democrats extensively questioned the U.S. Treasury Department on Tuesday about its reported data breach, a subject it has been less forthcoming about than the other federal agencies swept into the compromise of SolarWinds software. The senators, Sherrod Brown of Ohio and Ron Wyden of Oregon, also want to know whether Treasury plans to sanction the attackers and if it has begun evaluating the overall damage to the economy of the cyber-espionage campaign, which could ripple through the private sector, too. The senators’ letter to Treasury Secretary Steven Mnuchin pushes the department not only to provide information about its own breach, but also to develop a broader response that includes punishments for the hackers responsible. Cybersecurity researchers have tied them to Russia. “These media reports suggest that these attacks were comprehensive and historic and bad actors may have had access to critical U.S. government networks for many months,” […]


Here comes the bride: New map matches threat intel to cyber defenses

A popular method that organizations lean on to reduce their cybersecurity risks is marrying a popular tool that cyber pros consult when they analyze hacking groups — in a way they think everyone can use. The project to conjoin the National Institute of Standards and Technology’s cybersecurity framework and MITRE ATT&CK framework, announced Tuesday, comes with backing from big players: JPMorgan Chase, a nonprofit center operated by an offshoot of MITRE, the cybersecurity company AttackIQ and the nonprofit Center for Internet Security that’s perhaps best known for its work with state and local governments. The idea behind the mapping project is to harmonize the risk management sides of cyber with the threat intelligence side of cyber, via models that any organization can employ. Usually unifying those two sides would be something that only a large outfit, like the U.S. military or major investment banks, would be able to pull off, […]


HackerOne, Verizon weigh pros and cons of making live hacking contests virtual

Among all the ways COVID-19 has affected the cybersecurity world, perhaps nothing has been harder to keep going than live hacking events, which were once a staple of the industry. The coronavirus forced bug bounty company HackerOne and Verizon Media into hosting two online hacking events together since the outbreak, and they recently completed what they billed as the world’s largest live hacking contest. Live hacking events, whether virtual or in-person, give companies a chance to lure ethical hackers to find their security flaws before the attackers do, and can serve as recruiting opportunities for corporate positions, too. What made the most recent competition stand out was its massive size, and what the experiment could mean for the rest of the bug bounty community. The HackerOne/Verizon Media duo wasn’t the first to move live hacking events online. Pwn2Own made a similar transition in March. With more than 3,000 people from 59 countries registering […]


Commerce Department breached as Treasury, others reportedly victimized by suspected Russian hackers

Hackers breached the Commerce Department, and reportedly have infiltrated the Treasury Department and other U.S. agencies, in incidents that government security officials said on Sunday that they were fighting to contain. “We can confirm there has been a breach in one of our bureaus,” a Commerce Department spokesperson said. The spokesperson added that Commerce has asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “and the FBI to investigate, and we cannot comment further at this time.” Reuters reported that foreign nation-backed hackers have been monitoring email traffic at the Treasury Department and Commerce Department’s National Telecommunications and Information Administration, and the attackers apparently used similar tools to breach other agencies. “The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said John Ullyot, a spokesman for the White House’s National […]


As FireEye grapples with breach investigation, questions remain

FireEye’s announcement this week that hackers breached its systems has sent shockwaves through the cybersecurity community, raising new questions about how one of the most influential security firms in the U.S. grappled with an apparently state-sponsored attack. It also has triggered policy discussions about whether the U.S. government should do more to protect cyber industry titans like FireEye, one of the top cybersecurity firms in the world, which counts Fortune 500 companies among its clients. The hack adds FireEye to the list of cybersecurity companies that have experienced their own breaches, a roster stretching back to at least the beginning of the last decade. “This news has rocked the cybersecurity industry to our core, unlike anything since the RSA hack” from 2011, said Tom Bossert, president of Trinity Cyber and the former homeland security adviser to President Donald Trump. “It’s a pretty big deal.” FireEye revealed on Tuesday […]


Meet ODoH, where privacy means just not knowing anything

Being oblivious on the internet usually isn’t a recipe for protecting privacy. But Cloudflare announced Tuesday that it was launching support for a protocol that makes obliviousness its chief trait. Developed in conjunction with engineers from Apple and Fastly, it’s called Oblivious DNS over HTTPS, or ODoH for short. It’s a newly proposed Domain Name System standard that Cloudflare, an internet services and cybersecurity provider, says separates IP addresses from queries, which means no one entity can see both simultaneously. ODoH is one of three privacy initiatives Cloudflare hailed on Tuesday, with the other two meant to improve password security and halt metadata leaks. “Fundamentally what we’re trying to do with these announcements is to help point out places on the internet — or aspects of how the internet is built — that have a privacy hole, or an issue that makes it easier to have their privacy compromised in […]


33 connectivity flaws render millions of IT, IoT devices vulnerable

Several sets of internet communication protocols used by major vendors of connected products have vulnerabilities that could affect millions of devices, researchers revealed on Tuesday. Four of the vulnerabilities are critical, meaning attackers could use them to remotely take over devices ranging from a “smart” refrigerator to an industrial networking switch in the electrical grid, according to the security vendor Forescout. The flaws exist in information technology, operational technology and so-called internet of things products. The Forescout study, dubbed AMNESIA:33, focuses on 33 vulnerabilities in four open-source TCP/IP stacks. TCP/IP stands for “Transmission Control Protocol/Internet Protocol,” which is used to communicate between computers. Open-source TCP/IP stacks serve as the foundational connectivity components of devices around the world. (A TCP/IP stack is an implementation of the TCP/IP protocol.) It marks the second time this year that a set of TCP/IP stack vulnerabilities emerged that could affect a large number of devices. […]


A look inside Congress’ biggest cyber bill ever

Congress this week is slated to pass what just might be the most significant cybersecurity legislation ever. This year’s annual defense policy bill, known as the National Defense Authorization Act (NDAA), is loaded with provisions that would reshape the federal bureaucracy on cybersecurity. It would create a national cyber director in the White House and strengthen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among other changes. “I believe it’s safe to say that this is the most important piece of cybersecurity legislation ever passed” should the final bill advance this week, said Sen. Angus King, I-Maine, who co-chaired the Cyberspace Solarium Commission that produced many of the proposals in the legislation. Mark Montgomery, executive director of the commission, called it “the most substantive” cyber legislation Congress will have passed. Others agree. “I think that’s true, 100%,” said Jonathan Reiber, a former Defense Department cybersecurity official during […]
