U.S. Air Force pays out $103,883 to hackers in bug bounties

The U.S. military’s love affair with bug bounty programs continues. The second iteration of “Hack the Air Force” in December paid out $103,883 in bounties to freelance hackers for 106 vulnerabilities found over a 20-day period. The highest bounty was $12,500, the largest paid by the U.S. government to date. The Air Force’s first bug bounty program launched in April 2017 following similar efforts like Hack the Pentagon and Hack the Army in 2016. In total, more than 3,000 vulnerabilities have been found in federal government systems since the programs began. The bug bounty platform HackerOne, a private company, continues to handle the military’s bug bounty initiatives. Air Force CISO Peter Kim, who helped kick off and cheerlead the service’s first round last year, also played a leading role this time. “We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” Kim said in a […]

The post U.S. Air Force pays out $103,883 to hackers in bug bounties appeared first on Cyberscoop.

Kaspersky Lab files another lawsuit in wake of NDAA ban

Kaspersky Lab has upped its legal fight with the U.S. government, filing another lawsuit related to a ban against its products tucked within the 2018 National Defense Authorization Act. Based on court documents filed Monday in U.S. District Court for the District of Columbia, the Russian company says the ban is unconstitutional. Kaspersky’s lawyers say that under the Constitution’s Bill of Attainder Clause, Congress is forbidden “from enacting laws which impose individualized deprivations of life, liberty, and property and inflict punishment on individuals and corporations without a judicial trial.” The 2018 NDAA instituted a government-wide ban on use of Kaspersky products. Signed by President Donald Trump in December, the ban would go into place on Oct. 1, 2018. “Kaspersky Lab believes that these provisions violate the U.S. Constitution by specifically and unfairly singling out the company for legislative punishment, based on vague and unsubstantiated allegations without any basis in fact,” the […]

The post Kaspersky Lab files another lawsuit in wake of NDAA ban appeared first on Cyberscoop.

Senators question Pentagon over workforce’s use of data-leaking fitness app Strava

A bipartisan group of senators wants the Defense Department to explain how a popular fitness app apparently used by some U.S. military personnel, intelligence analysts and Pentagon officials led to the disclosure of secret bases and facilities around the world. Tom Cotton, R-Ark., and Richard Blumenthal, D-Conn., wrote a letter to Defense Secretary James Mattis questioning the department’s policy for employees using wireless networks and devices on military sites after the app, Strava, inadvertently shared a heat map that recently detailed its users’ activities, prompting a DoD-wide review of personal electronics at its installations. The heat map revealed the locations of several secret U.S. military bases when the data was published in November. Patrick Shanahan, deputy secretary of Defense, was wearing a Fitbit watch up until last week, potentially exposing himself to this breach. If Android users using the fitness app don’t enable the “nomap” feature — which disables a Wi-Fi network […]

The post Senators question Pentagon over workforce’s use of data-leaking fitness app Strava appeared first on Cyberscoop.

Experts push back on Trump administration’s call to respond to cyberattacks with nukes

The U.S. might consider using nuclear weapons in response to a cyberattack that killed civilians and destroyed infrastructure, a defense official said Friday after rolling out a new Trump administration policy. The new Nuclear Posture Review (NPR), Deputy Defense Secretary Patrick Shanahan told reporters at the Pentagon, states that “in the context of a non-nuclear attack against the U.S. or our allies that was strategic in nature, that involved substantial impacts to our infrastructure or people, we would consider that context in evaluating an appropriate response that might involve nuclear weapons.” Shanahan also insisted that the new policy, although more explicit about the kind of non-nuclear attack that might trigger a nuclear response, did not lower the threshold for the U.S. use of atomic weapons and did not change U.S. policy. “It’s been the long-standing policy of the U.S. to maintain some ambiguity around the circumstances under which we would […]

The post Experts push back on Trump administration’s call to respond to cyberattacks with nukes appeared first on Cyberscoop.

Watchdog questions DoD about Cyber Command’s work with private sector, civilian agencies

The Defense Department needs to clarify and further define how certain U.S. defense agencies and combatant commands — including the nation’s top cyberwarfare unit, U.S. Cyber Command — should interact with private sector companies and civilian agencies, according to a recent report by the Government Accountability Office (GAO). The GAO outlined deficiencies in a report by the Pentagon that sought to establish roles and responsibilities for some of these defense organizations when they respond to data breaches. GAO contends that the Defense Department’s “Section 1648 report” leaves out several key details that would sufficiently answer questions about collaboration with businesses as well as training requirements for operators. DOD has reportedly agreed with some of GAO’s criticism. Recent major data breaches affecting U.S. corporations, including Deloitte and Equifax, have spurred questions about whether the Pentagon should take on a greater role in defending the private sector from intrusions. “DOD was supposed to develop [a] comprehensive plan for CYBERCOM […]

The post Watchdog questions DoD about Cyber Command’s work with private sector, civilian agencies appeared first on Cyberscoop.

SANS Hackfest, Pentesting, Agreeing and Disagreeing – Paul’s Security Weekly #537

Blaming Russia, compromising Apple’s facial recognition, books to give to your 30-year-old self, malware on NSA employee computers, and more security news! Paul’s Stories: DoD’s Vuln Disclosure Program Racks Up 2,837 Security Flaws; The Mothe…

Cyber Command lacks authorities, capabilities, Pentagon watchdog says

U.S. Cyber Command lacks the authorities it needs to manage personnel, set standards for training and ensure its Cyber Mission Force teams are properly equipped for combat, according to a Department of Defense watchdog. A classified November 2015 report by the Pentagon inspector general assessed whether the CMF teams “had adequate facilities, equipment and capabilities to effectively perform missions.” A heavily redacted version was released to CyberScoop this week as the result of a Freedom of Information Act request. Although the report is almost two years old, many of the problems it describes persist, according to former military officials who spoke to CyberScoop on condition they not be identified or quoted, owing to the classified nature of the issues. The Trump administration’s plan to elevate U.S. Cyber Command to full-fledged Unified Combatant Command status — and other changes proposed and in some cases implemented since the report was issued — will help […]

The post Cyber Command lacks authorities, capabilities, Pentagon watchdog says appeared first on Cyberscoop.

Return to sender: military will send malware right back to you

‘The threat could be a large nation-state or a 12-year-old’ – so is weaponizing malware and sending it back the right tactic?