Somehow this does not give me that warm, fuzzy feeling…
https://www.politico.com/news/2020/09/24/fbi-cisa-election-hacking-panic-421144?&web_view=true
FBI, CISA urge public not to panic if they hear about election hacking
Trump — contradicted by his own intelligence agencies — claims that foreign powers plan to "rig" the election by printing fraudulent mail-in ballots.
… “The public should be aware that election officials have multiple safeguards and plans in place — such as provisional ballots to ensure registered voters can cast ballots, paper backups, and backup pollbooks — to limit the impact and recover from a cyber incident with minimal disruption to voting,” the agencies said in a public service announcement.
… The goal of the latest PSA is to explain why voters shouldn’t believe disinformation about vote-stealing hacks if they see it. But its unqualified promise about the resilience of local officials’ backup plans and the sanctity of election results is questionable, given the sophistication of nation-state hackers and the inadequate security measures in many counties.
(Related)
If they can’t protect systems they have some control over, what success will they have with state systems not under their control?
https://threatpost.com/feds-cyberattack-data-stolen/159541/?web_view=true
Feds Hit with Successful Cyberattack, Data Stolen
… The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency [too embarrassing? Bob] but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA.
(Related)
One of many, many election system examples.
https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns
Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns
The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.
Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.
But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.
“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.
Why the people who make these decisions are paid the ‘big bucks.’
https://securityboulevard.com/2020/09/the-high-cost-of-reporting-a-non-reportable-data-breach/
The High Cost of Reporting a Non-Reportable Data Breach
In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”
In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.
Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.
Can’t hurt.
https://www.helpnetsecurity.com/2020/09/24/nist-guide-recover-ransomware/?web_view=true
NIST guide to help orgs recover from ransomware, other data integrity attacks
The National Institute of Standards and Technology (NIST) has published a cybersecurity practice guide enterprises can use to recover from data integrity attacks, i.e., destructive malware and ransomware attacks, malicious insider activity or simply mistakes by employees that have resulted in the modification or destruction of company data (emails, employee records, financial records, and customer data).
… Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events can help organizations to develop a strategy for recovering from an attack affecting data integrity (and to be able to trust that any recovered data is accurate, complete, and free of malware), recover from such an event while maintaining operations, and manage enterprise risk.
Addressed to those who should know better?
https://www.helpnetsecurity.com/2020/09/24/phishers-targeting-employees-fake-gdpr-compliance-reminders/?web_view=true
Phishers are targeting employees with fake GDPR compliance reminders
… “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.
… Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.
The link is “personalized” with the target’s email address, so the HTML form on the malicious webpage auto-populates the username field with the correct email address (found in the URL’s “email” parameter). Despite the “generic” look of the phishing page, this capability can convince some users to log in.
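The personalization trick described above leaves a footprint a mail gateway can look for: the link carries the recipient's own address as a query-string value. The script below is an added example, not code from the article or from Area 1 Security; it parses constructed gateway log lines (recipient and extracted URL, tab-separated; the domains and addresses are made up) and flags links whose query parameters contain an e-mail address, with a stronger flag when that address is exactly the recipient's.

```python
"""Flag hyperlinks that carry the recipient's e-mail address as a query
parameter, the personalization trick described in the Area 1 write-up.

Added example (not from the article or from Area 1 Security). The log
format, domains and addresses below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Deliberately loose: we only need "looks like an address", not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def params_carrying_email(url: str, recipient: Optional[str] = None) -> List[str]:
    """Return the names of query parameters whose value is an e-mail address
    (or, when `recipient` is given, exactly that address, case-insensitively).

    parse_qs decodes one layer of percent-encoding; the extra unquote() handles
    addresses that arrive doubly encoded (e.g. %2540 for '@') after passing
    through link-rewriting gateways.
    """
    query = urlparse(url).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value).strip().lower()
            if not EMAIL_RE.match(candidate):
                continue
            if recipient is None or candidate == recipient.strip().lower():
                hits.append(name)
                break
    return hits


# Constructed gateway log: recipient <TAB> URL extracted from the message body.
SAMPLE_LOG = """\
alice@example.test\thttps://compromised-blog.example/wp-content/gdpr-notice/?email=alice%40example.test
bob@example.test\thttps://compromised-blog.example/wp-content/gdpr-notice/?user=carol%40other.test
carol@example.test\thttps://docs.vendor.example/gdpr-checklist?utm_source=newsletter
dave@example.test\thttps://login.example.test/reset?token=abc123&email=dave%2540example.test
"""


def scan_log(log: str) -> List[Tuple[str, str, List[str], bool]]:
    """Return (recipient, url, params_with_email, matches_recipient) for every
    line whose URL carries an e-mail address in its query string."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        recipient, url = line.split("\t", 1)
        any_email = params_carrying_email(url)
        if not any_email:
            continue
        exact = params_carrying_email(url, recipient)
        findings.append((recipient, url, any_email, bool(exact)))
    return findings


if __name__ == "__main__":
    for recipient, url, params, exact in scan_log(SAMPLE_LOG):
        tag = "RECIPIENT-PERSONALIZED" if exact else "EMAIL-IN-QUERY"
        print(f"{tag:22} {recipient:20} params={params} {url}")
```

The fourth log line shows why this is a triage signal rather than a verdict: a legitimate password-reset link on the organization's own domain also carries the recipient's address, so the flag is best combined with sender reputation and whether the link's host is one the organization actually uses.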
Great risk offers an opportunity for great reward?
https://www.buzzfeednews.com/article/ryanmac/controversial-clearview-ai-raises-8-million
Controversial Facial Recognition Firm Clearview AI Raised $8.6 Million
Controversial facial recognition company Clearview AI — which has built a database of more than 3 billion images taken from Facebook, Instagram, and the world’s largest social networking platforms — raised $8.6 million in a recent fundraising round, according to financial documents filed on Thursday.
The fundraising round comes amid a series of legal challenges to Clearview for its alleged violation of various states’ biometric information and data privacy laws, and follows a year in which the company has come under heavy scrutiny for its previously undisclosed relationships with law enforcement agencies and private companies.
I too would like to see their justification.
https://www.reuters.com/article/us-usa-tiktok-idUSKCN26F35F
Judge says U.S. must defend or delay TikTok app store ban by Friday
A U.S. judge said Thursday the Trump administration must either delay a ban on U.S. app stores offering TikTok for download or file legal papers defending the decision by Friday.
The U.S. Commerce Department order banning Apple Inc and Alphabet Inc’s Google app stores from offering the short video sharing app for new downloads is set to take effect late Sunday. U.S. District Judge Carl Nichols said the government must file a response to a request by TikTok for a preliminary injunction or delay the order by 2:30 p.m. EDT Friday.
A federal judge in San Francisco on Saturday issued a preliminary injunction blocking a similar Commerce Department order from taking effect on Sunday on Tencent Holdings’ WeChat app.
But will they listen? (If your issue is not listed, you can still use the contact information.)
https://www.bespacific.com/5-calls-easiest-and-most-effective-way-for-citizens-to-make-an-impact-in-national-and-local-politics/
5 Calls – easiest and most effective way for citizens to make an impact in national and local politics
How do I use 5 Calls?
1. Type in your ZIP code (or let your browser or the app find your location for you).
2. Choose an issue that’s important to you.
3. Make calls!
You have three members of Congress – two senators and a House rep.
Some issues need calls to all three (we’ll tell you when they do). For those, call the first person on the list. When you’re done, enter your call results and then move to the next person on your list. Lather, rinse, repeat until you’re done.
Some issues only need a call to your House rep; for others, just your senators. Again, we’ll make it clear who you should call.
You may also see issues that ask you to call a non-Congressional entity, office, etc. Those calls work the same way…”