When it comes to cybersecurity, the federal government is nowhere to be found

To no one’s surprise, lots of big challenges chronically plague the cybersecurity world. But the biggest headache of all may be the relative inaction of the federal government, which unlike some other advanced nations simply isn’t doing its part. For years, the U.S. has been periodically promulgating feckless mandates, including some issues from the White House, that accomplish virtually nothing. The half-hearted attempts at actionable measures contribute to weaknesses and help open the door to breaches. Consider, for example, just a few instances: Last month, tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency were stolen in a digital breach. A federal contractor had transferred copies of the images to its network in violation of the contract. Then the subcontractor’s network was hacked – likely by a foreign government interested in tracking Americans or in the agency’s procedures. Tensions between the […]

The post When it comes to cybersecurity, the federal government is nowhere to be found appeared first on CyberScoop.

Continue reading When it comes to cybersecurity, the federal government is nowhere to be found

Why the revised NIST mobile security framework looks better from a distance

Mobile security vulnerabilities have been no stranger to national headlines lately. With examples ranging from WhatsApp reportedly allowing hackers to gain access to your smartphone’s sensors, to malicious apps making their way into the Google Play store, it’s no surprise the National Institute of Standards and Technology (NIST) saw the need for an update to its guidelines for vetting mobile applications. A Theoretical Approach From an academic perspective, the update to the NIST framework offers a solid theoretical approach to vetting applications for your enterprise; a process for managing risk and assuring compliance with security requirements. But, what sounds good theoretically can be near impractical to implement. While the guidelines laid out by NIST highlight an ideal, very few organizations have the resources to implement them across the board. This isn’t to say that these new guidelines don’t make sense. In fact, presenting the state of applications and offering suggestions […]

The post Why the revised NIST mobile security framework looks better from a distance appeared first on CyberScoop.

Continue reading Why the revised NIST mobile security framework looks better from a distance

Is offense really your best defense?

In June, the House Appropriations Committee approved a spending bill that, among other things, included a reintroduction of Rep. Tom Graves Active Cyber Defense Certainty Act (ACDC). According to Rep. Graves’ website, the ACDC “makes targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.” Specifically, the bill gives authorized individuals and companies the legal authority to leave their network to: establish attribution of an attack disrupt cyberattacks without damaging other computers retrieve and destroy stolen files monitor the behavior of an attacker and utilize beaconing technology Cybersecurity is a challenging issue for those who don’t have the luxury of spending every waking minute keeping up with the latest exploits, vulnerabilities and innovations. It is not a partisan issue, but an opportunity for us to show a united […]

The post Is offense really your best defense? appeared first on CyberScoop.

Continue reading Is offense really your best defense?

Proposed State Department bureau takes wrong approach to U.S. cyber diplomacy

This week the State Department formally notified Congress of its long overdue plan to establish a new Bureau for Cyberspace Security and Emerging Technologies. This news, which was expected for almost a year, should in theory be welcomed by lawmakers. In 2018, the Republican-controlled House grew so frustrated with former Secretary Rex Tillerson’s plan to abolish the State Department’s cybersecurity coordinator – the country’s top cyber diplomat – that it passed legislation to not just reconstitute the position but actually elevate its stature and responsibilities. This rare rebuke of the administration by the president’s own party could have been rectified by Tillerson’s successor, Mike Pompeo. Instead, the department’s latest plan may be worse than Tillerson’s. There are two fundamental and related problems with the department’s proposed cyber bureau. First, the bureau’s focus is far too narrow. By limiting the scope of the bureau’s purview to security – and excluding the digital economy, […]

The post Proposed State Department bureau takes wrong approach to U.S. cyber diplomacy appeared first on CyberScoop.

Continue reading Proposed State Department bureau takes wrong approach to U.S. cyber diplomacy

Stop demonizing encryption

The security industry has more than its fair share of buzzwords and gimmicks. End-to-end encryption is not one of them. The recent discovery of a vulnerability in WhatsApp has instigated discussions and spawned hot takes surrounding spyware and export controls, with some declaring that end-to-end encryption is ineffective. With this particular vulnerability, spyware created by the NSO Group could be uploaded onto a phone through a series of malicious data packets sent via VoIP calls. This enabled access to the content and data on a targeted phone. While this particular vulnerability may prompt concerns over WhatsApp’s overall security (a patch has since been released), it does not negate the value of end-to-end encryption. Furthermore, the current negativity toward encryption perpetuates misinformation and provides fodder for governments seeking to undermine security and privacy across the globe. Yes, end-to-end encryption alone is not sufficient for complete security and privacy across every attack […]

The post Stop demonizing encryption appeared first on CyberScoop.

Continue reading Stop demonizing encryption

It’s time for Congress to act on Facebook’s privacy policies. Here’s how.

It seemed as though, after years of privacy scandals, Facebook had finally gotten the message. After its founder hinted at a shift to a privacy-oriented model in a blog post earlier this year, the company elaborated at F8 this week by unveiling its new look, FB5, that includes features such as encryption, reduced permanence and secure data storage. This might sound promising — but it’s not yet time to let Facebook off the hook. If the recent announcement that Facebook stored hundreds of millions of users’ passwords in plaintext for years is any indication, Facebook’s external reorientation has a lot of work to do to make up for its ongoing internal privacy failures. Facebook already has a wealth of personal data on you, far beyond phone numbers, message content or photographs. New ID Experts research is showing that the platform’s users – as many as 68% of them – aren’t happy with that fact. Additionally, The Wall Street Journal revealed that the social media giant may […]

The post It’s time for Congress to act on Facebook’s privacy policies. Here’s how. appeared first on CyberScoop.

Continue reading It’s time for Congress to act on Facebook’s privacy policies. Here’s how.

The Internet Has a Huge C/C++ Problem and Developers Don’t Want to Deal With It

What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? Continue reading The Internet Has a Huge C/C++ Problem and Developers Don’t Want to Deal With It

Why you shouldn’t be afraid of nation-state hackers

When talking about information security, nation-state backed hackers are set up as the ultimate threat. The countries have brilliant hackers, unlimited resources, endless exploits, and they are all after you! Fortunately for us, there are also many more nation state hackers who are not that skilled, on a tight budget, and forced to use off-the-shelf tools. Just because your organization might be of interest to foreign services does not mean that you should just give up. Before we go much further, it’s important to acknowledge that some nation-state adversaries are, in fact, your worst nightmare. However, there is ample evidence of hacker “B-teams” amongst even the most sophisticated nation-state groups. Looking at the Russian attacks against the DNC, many simple mistakes are immediately apparent, including how easy it was to discover their origin. The group forgot to deploy anonymity tools, reused email and IP addresses for different parts of the […]

The post Why you shouldn’t be afraid of nation-state hackers appeared first on Cyberscoop.

Continue reading Why you shouldn’t be afraid of nation-state hackers

It’s Amateur Hour in the World of Spyware and Victims Will Pay the Price

We’re living in the golden age of spyware and government hacking, with companies rushing to join a blossoming billion dollar market. The weakest among us—activists or journalists—will suffer the consequences if we don’t regulate it appropriately. Continue reading It’s Amateur Hour in the World of Spyware and Victims Will Pay the Price

How to combat the long lives of zero-day vulnerabilities

We’ve all heard stories about advanced nation-states leveraging zero-days to exploit a previously unknown security vulnerability. Perhaps the most infamous example is Stuxnet (with its four zero-days) that survived for an estimated five years prior to being discovered. However, that does not mean the ability to develop exploits for zero-day vulnerabilities is reserved only for well-financed state-sponsored actors. According to RAND Corporation research, “…any serious attacker can always get an affordable zero-day for almost any target.” Worse, the data suggests that the time between vulnerability discovery to public disclosure and patch availability is almost seven years, a big red flag indicating that companies are dramatically underestimating their exposure. The term “zero-day vulnerability” is a bit of a misnomer, because it might convey that an attacker tries to quickly get in to victims’ computers, exfiltrate data or launch malware and get out. But just the opposite is the case, as some of […]

The post How to combat the long lives of zero-day vulnerabilities appeared first on Cyberscoop.

Continue reading How to combat the long lives of zero-day vulnerabilities