FEC: Campaigns Can Use Discounted Cybersecurity Services

The U.S. Federal Election Commission (FEC) said today companies can offer discounted cybersecurity services to political campaigns without running afoul of existing campaign finance laws, provided they already do the same for other non-political entities. The decision comes amid much jostling on Capitol Hill over election security at the state level, and fresh warnings from U.S. intelligence agencies about impending cyber attacks targeting candidates in the lead up to the 2020 election.

FEC considers whether it's legal for campaigns to accept discounted anti-spearphishing services

In its latest effort to provide cybersecurity companies clarity on whether they can lawfully provide cybersecurity protection to political campaigns for free or at a low cost, the Federal Election Commission indicated this week it could be close to greenlighting anti-spearphishing services in a case currently before the commission. That tentative conclusion, not guaranteed until the FEC issues a formal advisory opinion, was reached Thursday during a commissioners’ meeting on a request from anti-spearphishing company Area 1 Security. It marked a shift from how the FEC appeared to be leaning on the issue earlier this week. The FEC’s legal team on Monday issued two draft opinions which both recommended blocking Area 1 from providing anti-spearphishing services at a discounted rate over concerns the lower rates would effectively serve as an in-kind contribution that could curry political favor with politicians in the future. Existing campaign finance law bars corporate contributions to campaigns, an issue that has given campaigns reason to pause on signing up […]

The post FEC considers whether it's legal for campaigns to accept discounted anti-spearphishing services appeared first on CyberScoop.


DHS assessment of foreign VPN apps finds security risk real, data lacking

The risk posed by foreign-made virtual private network (VPN) applications must be accounted for — even if government device users have avoided such apps — because adversaries are interested in exploiting the software, according to a senior Department of Homeland Security official. “Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes,” Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote in a May 22 letter to Sen. Ron Wyden, D-Ore., obtained by CyberScoop. There is no overarching U.S. policy preventing government mobile device users from downloading foreign VPN apps, according to Krebs. “Even with the implementation of technical solutions, if a U.S. government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely,” Krebs wrote. “This exploitation could lead to loss of data integrity and confidentiality […]

The post DHS assessment of foreign VPN apps finds security risk real, data lacking appeared first on CyberScoop.


Private: 11/5/18: Dtex, Insider Threat, Privacy News: Insider Threat Matures; China Intel Officers Recruit Insiders; Sen. Wyden Disrupts Privacy, Again

The insider threat has come of age. Last week, The National Insider Threat Task Force (NITTF), operating under the joint leadership of the Attorney General and the Director of National Intelligence, announced the release of the “Insider Threat Pr…

Verizon to Stop Sharing Customer Location Data With Third Parties

In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, the four major wireless carriers have responded to requests from a U.S. senator for more details about how the carriers are managing access to this extremely sensitive information. While three out of four providers said they had cancelled data sharing agreements with some of the offending companies, only one — Verizon — pledged to terminate all of them and initiate a wholesale review of their location data-sharing practices.

Why Is Your Location Data No Longer Private?

The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of …

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers in Real Time Via Its Web Site

LocationSmart, a U.S.-based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.

DHS will scan agencies for DMARC, other hygiene measures

The Department of Homeland Security is now collecting data about federal agencies’ use of an industry-standard cybersecurity measure that blocks forged emails. The collection is seen as a first step to encouraging wider adoption within the U.S. government, according to official correspondence. In a letter to Sen. Ron Wyden, D-Ore., DHS official Christopher Krebs says the department “is actively assessing the state of email security and authentication technologies … across the federal government,” to include Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a major form of both crime and espionage, in which an email appearing to come from a trusted third party directs readers to a website where login and password credentials can be stolen. Krebs says DHS’s 24-hour cyber watch center, […]

The post DHS will scan agencies for DMARC, other hygiene measures appeared first on CyberScoop.
