Daily Archives: May 17, 2022

FORT MEADE, Md. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI, along with allied nations, published a Cybersecurity Advisory today to raise awareness about the poor security configurations, weak controls and other poor network hygiene practices malicious cyber actors use to gain initial access to a victims system.Weak Security Controls and Practices Routinely Exploited for Initial Access also includes best practices that can help organizations strengthen their defenses against this malicious activity.As long as these security holes exist, malicious cyber actors will continue to exploit them, said NSA Cybersecurity Director Rob Joyce. We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.Some of the most common weaknesses include not enforcing multifactor authentication, incorrectly applying privileges or permissions and errors within access control lists and not keeping software up to date. The advisory recommends mitigations that control access, harden credentials, establish centralized log management and more.CISA produced the advisory with help from NSA and other partners. That includes the FBI, the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ), the Netherlands National Cyber Security Centre (NCSC-NL), and the United Kingdom National Cyber Security Centre (NCSC-UK) on the advisory. Many of the same cybersecurity authorities collaborated to release a complementary advisory on 27 April, which highlighted the top routinely exploited vulnerabilities from 2021.Read the full report here. Visit our full library for more cybersecurity information and technical guidance.

Here is the original post:
Allies Issue Cybersecurity Advisory on Weaknesses that Allow Initial Access - National Security Agency

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever cyber war crimes charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russias military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit buttoneven if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, theres more. Each week we round up the news that we didnt break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSAs director of cybersecurity, told Bloomberg this week, There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Laws Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administrations anti-immigration crackdowns, but the report also argues that ICE has played a key role in the federal governments larger push to amass as much information as possible about people in the United States.

Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICEs contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency, the report says. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it wont sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company wont be allowed to sell access to its database in Illinois for five years. This settlement demonstrates that strong privacy laws can provide real protections against abuse, Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chavessaid on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

Go here to see the original:
The NSA Swears It Has No Backdoors in Next-Gen Encryption - WIRED

At a glance.

The Council of Europe has announced that the Second Additional Protocol to the Convention on Cybercrime (also known as the Budapest Convention) was opened for signature at a conference of the Councils Committee of Ministers.. The protocols goal is to encourage the sharing of electronic evidence like subscriber info and traffic data among council member states through direct cooperation with service providers and registrars. Representatives from member states including Austria, Finland, Italy, Spain, and Sweden were present at the signing, as well as non-member states including the US and Japan. Secretary General Marija Pejinovi Buri explained, The Second Protocol brings the Budapest Convention up to date with current, technological challenges, so that it remains the most relevant and effective international framework for combating cybercrime in the years ahead. Justice Minister of Italy, Marta Cartabia, added, The use of ICT (Information and Communication Technologies) by organised crime in all sectors (sexual exploitation, drug trafficking, smuggling, terrorism) represents a further challenge for our judicial authorities and for our institutionsThe Second Additional Protocol, therefore, responds to the need for greater and more efficient co-operation between States and between the States and the private sector, clarifying the cases in which the service providers will be able to provide the data in their possession directly to the competent authorities of other countries. The Protocol is open for signature by Parties to the Convention and will be implemented once ratified by five States.

Ilia Kolochenko, Founder of ImmuniWeb, a member of Europol Data Protection Experts Network and EU CyberNet Member, commented on the importance of the Protocol:

As of today, The Budapest Convention remains the most comprehensive and the most important international treaty designed to combat cybercrime. The Convention, among other things, harmonizes the criminalization of computer offences, accelerates collaboration between law enforcement agencies and facilitates the preservation and seizure of digital evidence stored in a foreign country.

"The 20-year old Convention, however, certainly requires some updates to stay ahead of the rapidly evolving technology landscape and novel tactics deployed by sophisticated threat actors. Despite reasonable concerns expressed by the EU EDPB in relation to possible privacy risks created by the long-awaited Second Protocol, the Protocol brings several major improvements.

"Enhanced mutual assistance in emergency situations is probably the most crucial development. While procedurally its not yet crystal clear how the emergency assistance provisions will be implemented by signatory countries, the provisions definitely bring a sound legal framework to remove some bureaucratic barriers that have been hindering mutual legal assistance in cross-border investigations when time was of the essence.

"Other provisions, such as disclosure of domain name owners and subscriber information, will probably have a less palpable impact, as many countries have already established tenable processes and procedures related thereto. Novel provisions on joint investigation teams will undoubtedly boost multiagency and multijurisdictional cooperation, however, the recent success of numerous joint operations, conducted by national authorities led by Europol and Interpol, convincingly demonstrates that joint investigations work pretty well today.

"That being said, in 2022, the challenges remain pretty similar to 2001. First, countries like Russia, China, India and most African countries are not signatories of the Convention. It is impossible to effectively investigate and prosecute cybercriminals without frictionless cooperation with those states, representing over 3 billionInternet users. Second, the Convention does not create specific duties binding upon national law enforcement agencies, but rather encourages governments to adopt necessary legislation and implement the requisite infrastructure. Third, most law enforcement agencies are already overwhelmed with an avalanche of domestic cases and will unlikely prioritize external requests even if the law provides so. Thus, we will probably observe more countries passing national laws to authorized legal hacking by police to obtain digital evidence in a rapid, licit and straightforward manner.

The US National Institute of Standards and Technology (NIST) is working on establishing quantum encryption standards for the nation, and some might be concerned the advanced technology might be used by another agency, NSA, for surveillance. NSAs director of cybersecurity Rob Joyce attempted to put such worries to rest by promising there will be no backdoors that could allow for spying. Joyce told Dark Reading, Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance. Weve worked against all of them to make sure they are solid.

The Assembly of the US state of New York on Wednesday passed legislation aimed at securing the states energy grid against cyberattack. The bill was introduced by Assemblyman and chair of his chamber's Energy Committee Mike Cusick, who explained, "New York's energy grid is a prime target for hackers and cyber criminals across the globe...The passage of this legislation is a crucial step in our fight against cyber crime and our efforts to bolster the resiliency of our grid. GovTech notes that the bill will also provide a path for future legislation protecting infrastructure, and gives the state's Division of Homeland Security and Emergency Services the power to collaborate with state and federal agencies. Once passed by the Senate, the bill will be reviewed by Governor Kathy Hochul, who in February launched the "Joint Security Operations Center, a collaboration of federal and local partners offering a statewide view of the cyberactivity.

Read the original here:
Data sharing and the Budapest Convention. NSA says new encryption standard won't have backdoors. New York enacts measures to protect power grid. - The...

Since the Russia-Ukraine conflict broke out, war on the ground has been brutal and catastrophic. Cyber warfare has been comparably insignificant, and projections about mass online shutdowns have not materialised.

However, there has been some intervention from hostile state actors. Just last week, the Foreign, Commonwealth and Development Office (FCDO) announced that Russia was almost certainly behind a major cyber operation targeting the US commercial communications and internet satellite company Viasat, which happened an hour before the invasion on 24 February.

After months of analysis, the UK governments National Cyber Security Centre (NCSC) has now attributed the hacks to the Russian state. While the primary target was the Ukrainian military, the attacks also impacted Ukrainian Viasat customers, and caused disruption to wind farms and internet users across central Europe. Additionally, the NCSC has ascertained that Russia was also behind an earlier attack on the Ukrainian government on 13 January, which involved defacing government websites and the deployment of destructive malware.

Interestingly, global sanctions on Russia have caused ransomware attacks to decrease since March, noted Rob Joyce, cyber security director of the US National Security Agency (NSA), at the NCSCs CyberUK conference in Wales this week. Sanctions have made it harder for criminals to organise attacks and move money in the West, he said.

But cyber threats do not only come from hostile states. Speaking in a panel discussion, Joyce highlighted the rise of cyber vigilantes lone actors on both sides of the conflict who are taking matters into their own hands to infiltrate and destroy their enemys systems.

While activism in support of Ukraine might seem commendable, Joyce warned that such an approach is not conducive to ethical behaviour. You want to sit back and root for the folks who are trying to do noble things but it is problematic, he said. We are trying to hold bad actors accountable in other nations [and] we have to be good international citizens in the cyber arena.

Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that roughly 300,000 hactivists related to the Russia-Ukraine conflict have been identified so far, and added that the extent of cyber vigilantism has taken [government] by surprise.

There is an extreme unpredictability associated with these exploits that make it difficult to attribute, contain and stop them, she said. Hactivism can also impact regular citizens quite significantly, due to spillover onto non-primary targets (such as with the Viasat campaign) and breaches on public tools like Google Maps, impeding peoples ability to travel and infiltrating personal location data.

Some hactivists do not act alone and have the advantage of an organisation behind them, making them even more of a threat. Perhaps the best-known is Anonymous, the pro-Ukraine collective that has vowed to keep attacking Russia until its aggression stops. The groups actions have caused Russia to become the most hacked country in the world in 2022 so far, with breaches affecting 3.5 million people, according to research from virtual private network (VPN) provider Surfshark.

But hactivist collectives exist on both sides. Conti, a group of pro-Russia ransomware cyber criminals, have now restyled themselves as political activists, said Jonathan Hope, senior technology evangelist at cyber security firm Sophos, who spoke in another session at CyberUK on ransomware.

Vigilantes can be more ruthless and chaotic than other cyber criminals, he noted, as they destroy data for the sake of it rather than for financial gain, meaning victims are less likely to get their information back. Theyre hacking for Mother Russia with no checks, controls or balances, Hope said. Its a tool, a weapon to destroy data.

The rise in such sporadic hacking makes it ever more important that governments secure and stress-test their critical national infrastructure, said Juhan Lepassaar, executive director of the European Union Agency for Cyber Security.

He said that the UK has done great work in securing its telecoms sector, and other industries and countries need to follow suit. It pays off to build a framework where you stress-test the most critical sectors in society. [The sectors should be] incentivised to do it themselves.

There was consensus that both organisations and individuals need to be encouraged to undertake basic steps in cyber security. Joyce said that attitudes are changing, albeit a little late intelligence agencies have focused on counter-insurgency and terrorism for the past two decades, he said, which has caused cyber defence to fall by the wayside.

Weve not been investing in IT and now China is threatening those systems, he said. We will now do the things that we should have done ten or 20 years ago. The narrative has shifted.

Moving the onus of cyber security from response to prevention is key, added Lepassaar. In fact, Ukraines thorough preparations are what has helped the country stay online despite multiple setbacks and has even enabled them to host press conferences in besieged cities, he said. There has been a good deal of resilience from the Ukrainian state around maintaining connectivity. [This shows] the value of building partnerships early on and making sure you build distributed systems that are difficult to take down and attack.

Sign up for The New Statesmans newsletters Tick the boxes of the newsletters you would like to receive. Morning Call Quick and essential guide to domestic and global politics from the New Statesman's politics team. World Review The New Statesmans global affairs newsletter, every Monday and Friday. The New Statesman Daily The best of the New Statesman, delivered to your inbox every weekday morning. Green Times The New Statesmans weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. This Week in Business A handy, three-minute glance at the week ahead in companies, markets, regulation and investment, landing in your inbox every Monday morning. The Culture Edit Our weekly culture newsletter from books and art to pop culture and memes sent every Friday. Weekly Highlights A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. Ideas and Letters A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Events and Offers Sign up to receive information regarding NS events, subscription offers & product updates.

Read more:
NSA's Rob Joyce: Even the good hactivists are problematic - The New Statesman

David Sirota, founder of The Lever news outlet, said he believes a reported $10 billion deal between the Biden administration and Amazon is hidden in secrecy.

In late April, the news outlet Nextgov reported that the National Security Agency had re-awarded Amazon a contract for cloud-computing services.

NSA recently awarded a contract to Amazon Web Services that delivers cloud computing services to support the agencys mission, an NSA official told Nextgov.

Sirota expressed concerns with the reported contract.

We dont actually know the details of this contract. Its shrouded in secrecy, theres a national security exemption for the details of the contract, but we know its a cloud computing contract, Sirota said while appearing on Hill.TVs Rising.

There is a privacy question about what the NSA needs with a $10 billion build out of cloud computing. The mind can run wild about what thats all about in terms of surveillance and data collection, he added.

Sirota said the size of the contract is huge.

Theres very few details about what that contract is and I think that people need to understand how big the contract is. Federal contracts go out all the time in the millions of dollars even hundred of millions of dollars. A $10 billion federal contract, even at the federal government level, that is a huge contract, Sirota said.

Sirota said the size of the contract can provide some answers to as why the Biden administration awarded it.

Whatever they are actually building out with that, whatever the NSA is doing with it, you can rest assured that it is a big thing, he added.

More:
Sirota: Biden administrations reported $10B deal with Amazon shrouded in secrecy - The Hill

An active-duty sailor who triggered a two-hour lockdown at Naval Support Activity Naples last year by firing an airsoft gun on base is being discharged from the Navy, a spokesman said May 17, 2022. (Erik Slavin/Stars and Stripes)

NAPLES, Italy An active-duty sailor who triggered a two-hour lockdown at Naval Support Activity Naples last year by firing an airsoft gun on base is being booted from the Navy following a monthslong inquiry.

A probe led by the Naval Criminal Investigative Service found that the unidentified 22-year-old seaman shot at or near a group of adolescents with an airsoft rifle from the balcony of his on-base housing, said Lt. Cmdr. Matthew Comer, a spokesman for Navy Region Europe Africa Central. One of the adolescents alleged that they were struck with a plastic pellet.

As is policy with nonjudicial punishments, the service is not naming the sailor, who was assigned to the Navy Computer and Telecommunications Station Naples, Comer said.

The Dec. 16, 2021, shooting happened on the bases Gricignano di Aversa site. It was not reported to base police and the person who reported being hit did not have any apparent injuries, the NCIS investigation found.

No subsequent shots were fired, but about 45 minutes later another minor reported seeing a man carrying a gun on base. That report caused the lockdown and hunt for the service member, who ultimately was found in his room, Comer said

The service member was compliant with police instructions and immediately turned over the airsoft gun, he said.

The sailor is in the process of leaving Italy and separating from the Navy, Comer said.

Airsoft guns often are realistically modeled to look like real weapons. They shoot nonmetallic soft pellets and frequently are used for target practice and military-style games.

Personal weapons, including airsoft guns, are prohibited on base, a Navy spokesperson said in December.

NSA Naples Gricignano di Aversa site includes schools, housing, a commercial center, a hospital and a hotel. It is about 13 miles from the bases Capodichino site, which includes administrative and support services and is home to U.S. 6th Fleet.

Approximately 8,500 people are assigned to the base, according to its website.

Read more here:
Airsoft shooter at US military base in Italy receives discharge from Navy - Stars and Stripes

The court granted Central government time till May 10 to file its response, failing which it intended to decide the question of whether there was a requirement to refer the challenge to a seven-member bench.

Instead, the Central government filed an affidavit stating that it will reconsider the law and requested that the challenge proceedings be kept in abeyance.

It appears that the courts oral observations in the matter, where it disapproved of the misuse of the law, had a bearing on the governments decision.

The petition took objection to this approach mainly because such a proposal didnt factor in pending cases and continued misuse of the provision while the law would be under the governments consideration.

The Central government sought a days time to take instructions on interim measure to ally the petitioners fears.

On Wednesday, it proposed to establish a mechanism where sedition cases would be filed only after an officer of SP rank justified in writing and such a justification would be open to judicial review. The petitioners, on the other hand, insisted on suspension of law in totality.

In fact, Senior Advocate Gopal Sankaranarayanan submitted proposed consequential directions of an absolute suspension of the law which inter alia included explicit stay of pending proceedings and bar on registration of new cases.

Continued here:
Govt will simply slap UAPA or NSA on perceived dissenters even if sedition law is struck off statute - National Herald