Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38

This is your Shared Security Weekly Blaze for October 15th 2018 with your host, Tom Eston. In this week’s episode: Google+ shutdown, weapons systems vulnerabilities, and new data on voice phishing scams. Silent Pocket is a proud sponsor of the Sh…

My Experience with the DoD Version of the RMF

Anyone out there dealing with the DoD implementation of the NIST 800-37 RMF? Just in case, it’s the “Guide for Applying the Risk Management Framework to Federal Information Systems” developed by the Joint Task Force Transformation Ini…

‘Hack the Marine Corps’ Bug Bounty Program Announced by DoD

The U.S. Department of Defense (DoD) and HackerOne together announced the creation of a new bug bounty program called “Hack the Marine Corps.” On 12 August, DoD kicked off its new vulnerability disclosure initiative at DEF CON 26 in Las Veg…

Stolen U.S. drone documents found for sale on dark web

Sensitive U.S. military drone blueprints and training documents were recently posted for sale on the dark web, according to Boston-based data analytics and intelligence firm Recorded Future. Analysts with Recorded Future say the stolen drone documents appear to be legitimate, having come from an airman who is currently stationed at a Nevada-based U.S. Air Force facility. The information was apparently breached through a known, outdated router vulnerability that affects a product made by computer networking company NetGear. The stolen documents include the names of active Air Force personnel in addition to other technical information, Recorded Future said. Leaks containing such information — about people involved in a specific military unit — would typically be considered a counterintelligence threat. The drone blueprints provided unclassified yet sensitive information about the MQ-9 Reaper, a drone that is currently used for both surveillance and armed combat operations by the U.S. and its allies. The MQ-9 was originally developed by defense […]

The post Stolen U.S. drone documents found for sale on dark web appeared first on Cyberscoop.

Chinese hacking group resurfaces, targets U.S. satellite companies and systems

A Chinese-linked hacking group began targeting at least two different U.S.-based satellite companies, a Defense Department contractor and another private firm that sells geospatial imaging technology in late 2017, according to new research by Symantec. The focused hacking campaign appears to have been originally launched around the same time as talks about a U.S.-China trade war — which is now in full swing — were heating up late last year. Symantec discovered and notified the U.S. government about the malicious cyber activity roughly four months ago, according to Jon DiMaggio, a senior threat intelligence analyst with Symantec, who led the investigation. Tuesday’s findings show that the attackers, dubbed “Thrip” by analysts, have reemerged after they seemingly went underground for more than two years. The group stopped operations after a historic political agreement in 2015 between then U.S. President Barack Obama and Chinese President Xi Jinping. That agreement sought to deter cyber-enabled […]

The post Chinese hacking group resurfaces, targets U.S. satellite companies and systems appeared first on Cyberscoop.

Pentagon’s latest bug bounty program pays out $80,000

The Department of Defense’s latest bug bounty program exposed more than 100 security vulnerabilities worth $80,000 to the hackers who looked through the department’s travel booking system, officials said. HackerOne, a company that has supported bug bounty programs for the Air Force, Army and the Pentagon at large, ran Hack the DTS (Defense Travel System), which lasted 29 days and concluded April 29, 2018. DTS is used by millions of Pentagon employees around the world, making it one of the most wide-reaching pieces of enterprise software in the U.S. government. “Securing sensitive information for millions of government employees and contractors is no easy task,” Reina Staley, Chief of Staff and Hack the Pentagon program manager at Defense Digital Service, said in a statement. “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS.” Just 19 vetted hackers took part in the program. They found 65 unique vulnerabilities including 28 ranking high […]

The post Pentagon’s latest bug bounty program pays out $80,000 appeared first on Cyberscoop.

Dozens of Vulnerabilities Found Under Hack the DTS Bug Bounty Program

The Hack the DTS bug bounty program uncovered dozens of vulnerabilities in the Defense Travel System serving the Department of Defense. On 30 May, vulnerability coordination platform HackerOne revealed the results of Hack the DTS. Nineteen trusted secu…

House defense bill would usher in cybersecurity changes at DOD

The House of Representatives this week overwhelmingly passed a defense policy bill with several cybersecurity measures aimed at better securing Pentagon networks. The legislation — the fiscal 2019 National Defense Authorization Act (NDAA) — seeks closer collaboration between the departments of Defense and Homeland Security in defending against hackers, asks for quick notification of data breaches of military personnel, and continues to crack down on foreign-made telecom products that are deemed security threats. The NDAA is an annual ritual that lawmakers use to shape Pentagon policies and budget plans while throwing in some pet projects to boot. The House bill — a $717 billion behemoth — eventually will be merged with the Senate’s version, which that chamber’s Armed Services Committee also approved this week. It’s unclear when the Senate bill will have floor votes. One key provision of the House bill, according to the Rules Committee print, would set up a pilot program for […]

The post House defense bill would usher in cybersecurity changes at DOD appeared first on Cyberscoop.

Pentagon’s websites need better security, Wyden says

If you try visiting certain Department of Defense websites, like the one for Strategic Operations Command or the Navy’s Blue Angels, you might be met with a browser message telling you that your connection is not secure and that malicious actors could be trying to steal your information. Sen. Ron Wyden, D-Ore., wants the Pentagon to fix this issue. In a letter written to DOD Chief Information Officer Dana Deasy on Tuesday, Wyden calls for the department to implement proper encryption and protection on all of its public-facing websites. Wyden writes that a “small number” of DOD websites, such as the Army, Air Force and NSA homepages, by default use trusted certificates and HTTPS encryption, the web protocol that ensures secure connections and prevents man-in-the-middle attacks. But many others, Wyden says, like the CIO’s own website, either don’t employ HTTPS or issue basic certificates. “Many mainstream web browsers do not consider these […]

The post Pentagon’s websites need better security, Wyden says appeared first on Cyberscoop.