Somehow this does not give me that warm, fuzzy feeling…
https://www.politico.com/news/2020/09/24/fbi-cisa-election-hacking-panic-421144?&web_view=true
FBI, CISA urge public not to panic if they hear about election hacking
Trump — contradicted by his own intelligence agencies — claims that foreign powers plan to "rig" the election by printing fraudulent mail-in ballots.
… “The public should be aware that election officials have multiple safeguards and plans in place — such as provisional ballots to ensure registered voters can cast ballots, paper backups, and backup pollbooks — to limit the impact and recover from a cyber incident with minimal disruption to voting,” the agencies said in a public service announcement.
… The goal of the latest PSA is to explain why voters shouldn’t believe disinformation about vote-stealing hacks if they see it. But its unqualified promise about the resilience of local officials’ backup plans and the sanctity of election results is questionable, given the sophistication of nation-state hackers and the inadequate security measures in many counties.
(Related) If they can’t protect systems they have some control over, what success will they have with state systems not under their control?
https://threatpost.com/feds-cyberattack-data-stolen/159541/?web_view=true
Feds Hit with Successful Cyberattack, Data Stolen
… The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency [too embarrassing? Bob] but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA.
(Related) One of many, many election system examples.
Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns
The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.
Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.
But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.
“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.
Why the people who make these decisions are paid the ‘big bucks.’
https://securityboulevard.com/2020/09/the-high-cost-of-reporting-a-non-reportable-data-breach/
The High Cost of Reporting a Non-Reportable Data Breach
In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”
In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.
Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.
Can’t hurt.
https://www.helpnetsecurity.com/2020/09/24/nist-guide-recover-ransomware/?web_view=true
NIST guide to help orgs recover from ransomware, other data integrity attacks
The National Institute of Standards and Technology (NIST) has published a cybersecurity practice guide enterprises can use to recover from data integrity attacks, i.e., destructive malware and ransomware attacks, malicious insider activity or simply mistakes by employees that have resulted in the modification or destruction of company data (emails, employee records, financial records, and customer data).
… Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events can help organizations to develop a strategy for recovering from an attack affecting data integrity (and to be able to trust that any recovered data is accurate, complete, and free of malware), recover from such an event while maintaining operations, and manage enterprise risk.
Addressed to those who should know better?
Phishers are targeting employees with fake GDPR compliance reminders
… “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.
… Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.
The link is “personalized” with the target’s email address, so the HTML form on the malicious webpage auto-populates the username field with the correct email address (found in the URL’s “email” parameter). Despite the “generic” look of the phishing page, this capability can convince some users to log in.
Great risk offers an opportunity for great reward?
https://www.buzzfeednews.com/article/ryanmac/controversial-clearview-ai-raises-8-million
Controversial Facial Recognition Firm Clearview AI Raised $8.6 Million
Controversial facial recognition company Clearview AI — which has built a database of more than 3 billion images taken from Facebook, Instagram, and the world’s largest social networking platforms — raised $8.6 million in a recent fundraising round, according to financial documents filed on Thursday.
The fundraising round comes amid a series of legal challenges to Clearview for its alleged violation of various states’ biometric information and data privacy laws, and follows a year in which the company has come under heavy scrutiny for its previously undisclosed relationships with law enforcement agencies and private companies.
I too would like to see their justification.
https://www.reuters.com/article/us-usa-tiktok-idUSKCN26F35F
Judge says U.S. must defend or delay TikTok app store ban by Friday
A U.S. judge said Thursday the Trump administration must either delay a ban on U.S. app stores offering TikTok for download or file legal papers defending the decision by Friday.
The U.S. Commerce Department order banning Apple Inc and Alphabet Inc’s Google app stores from offering the short video sharing app for new downloads is set to take effect late Sunday. U.S. District Judge Carl Nichols said the government must file a response to a request by TikTok for a preliminary injunction or delay the order by 2:30 p.m. EDT Friday.
A federal judge in San Francisco on Saturday issued a preliminary injunction blocking a similar Commerce Department order from taking effect on Sunday on Tencent Holdings’ WeChat app.
But will they listen? (If your issue is not listed, you can still use the contact information)
5 Calls – easiest and most effective way for citizens to make an impact in national and local politics
How do I use 5 Calls?
Type in your ZIP code (or let your browser or the app find your location for you).
Choose an issue that’s important to you.
Make calls!
You have three members of Congress – two senators and a House rep.
Some issues need calls to all three (we’ll tell you when they do). For those, call the first person on the list. When you’re done, enter your call results and then move to the next person on your list. Lather, rinse, repeat until you’re done.
Some issues only need a call to your House rep; for others, just your senators. Again, we’ll make it clear who you should call.
You may also see issues that ask you to call a non-Congressional entity, office, etc. Those calls work the same way…”
No comments:
Post a Comment