Cybersecurity: Public and Private

Cybersecurity is an oxymoron like jumbo shrimp. You're only as secure as it takes someone to defeat your security. Wanna be secure for a few days, you can go all out and achieve that level of "security" but ultimately, nothing's secure and everything can be defeated given unlimited time. And especially now that computers can be so easily linked together and directed to handling one problem (or security issue), the time encryption companies used to cite measuring millions of years to defeat their encryption now only takes moments.

The only hope for true data security online lies with quantum computing and cryptography. Already past the proof-of-concept phase, it's just a matter of development, affordability, and availability.
 
Encourages gov't and companies to share info on threats...

US Senate approves major cyber security bill
Oct 28, 2015 - WASHINGTON: The US Senate has passed a bill aimed at improving cybersecurity by encouraging companies and the government to share information about threats.
It took six years to win approval. The Cybersecurity Information Sharing Act was passed yesterday by a 74-21 vote. It overcame concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp. The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers. Another failed amendment would have eliminated part of the bill that would keep secret information about which companies participate and what they share with the government.

The bill's co-sponsors, Sens. Dianne Feinstein, a Democrat, and Richard Burr, a Republican, said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year. "From the beginning we committed to make this bill voluntary, meaning that any company in America, if they, their systems are breached, could choose voluntarily to create the partnership with the federal government. Nobody's mandated to do it," Burr said. Companies would receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program. The House passed its version of the bill earlier this year with strong bipartisan support. The two versions of the bill will need to be reconciled before being sent to the White House for the president's signature.

Sen Ron Wyden, a Democrat, who opposed the bill, offered an amendment addressing privacy concerns, but it failed to pass. It would have required companies to make "reasonable efforts" to remove unrelated personal information about their customers before providing the data to the government. "You just can't hand it over," Wyden said. "You've got to take affirmative steps, reasonable, affirmative steps, before you share personal information."

Senators also rejected an amendment Sen Patrick Leahy, a Democrat, had offered that would have removed a provision to keep secret more information about materials that companies provide to the government. Leahy criticized the bill's new exemption from the US Freedom of Information Act as overly broad because it pre-empts state and local public information requests, and it was added without public debate.

US Senate passes bill to push sharing of info on hackers - Times of India
 
Cybersecurity breaches in the dozens...

Exclusive: Fed records show dozens of cybersecurity breaches
June 1, 2016 | WASHINGTON (Reuters) - The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as "espionage," according to Fed records.
The central bank's staff suspected hackers or spies in many of the incidents, the records show. The Fed's computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets. The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank's security procedures. The Fed declined to comment, and the redacted records do not say who hacked the bank's systems or whether they accessed sensitive information or stole money. "Hacking is a major threat to the stability of the financial system. This data shows why," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. Lewis reviewed the files at the request of Reuters.

For a graphic on the Fed security breaches, see: Federal Reserve data breaches.

The records represent only a slice of all cyber attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws. Reuters did not have access to reports by local cybersecurity teams at the central bank's 12 privately owned regional branches. The disclosure of breaches at the Fed comes at a time when cybersecurity at central banks worldwide is under scrutiny after hackers stole $81 million from a Bank Bangladesh account at the New York Fed. Cyber thieves have targeted large financial institutions around the world, including America's largest bank JPMorgan, as well as smaller players like Ecuador's Banco del Austro and Vietnam's Tien Phong Bank.

Hacking attempts were cited in 140 of the 310 reports provided by the Fed's board. In some reports, the incidents were not classified in any way. In eight information breaches between 2011 and 2013 - a time when the Fed's trading desk was buying massive amounts of bonds - Fed staff wrote that the cases involved "malicious code," referring to software used by hackers. Four hacking incidents in 2012 were considered acts of "espionage," according to the records. Information was disclosed in at least two of those incidents, according to the records. In the other two incidents, the records did not indicate whether there was a breach. In all, the Fed's national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of "information disclosure" involving the Fed's board. Separate reports showed a local team at the board registered four such incidents.

The cases of information disclosure can refer to a range of ways unauthorized people see Fed information, from hacking attacks to Fed emails sent to the wrong recipients, according to two former Fed cybersecurity staffers who spoke on condition of anonymity. The former employees said that cyber attacks on the Fed are about as common as at other large financial institutions. It was unclear if the espionage incidents involved foreign governments, as has been suspected in some hacks of federal agencies. Beginning in 2014, for instance, hackers stole more than 21 million background check records from the federal Office of Personnel Management, and U.S. officials attributed the breach to the Chinese government, an accusation denied by Beijing.

TARGET FOR SPYING
 
Machines versus hackers?...

Can machines keep us safe from cyber-attack?
Tue, 02 Aug 2016 - Artificial intelligence could soon be spotting and sealing security bugs in software before malicious hackers can slip through the holes.
After robot cars and robot rescue workers, US research agency Darpa is turning its attention to robot hackers. Best known for its part in bringing the internet into being, the Defence Advanced Research Projects Agency has more recently brought engineers together to tackle what it considers to be "grand challenges". These competitions try to accelerate research into issues it believes deserve greater attention - they gave rise to serious work on autonomous vehicles and saw the first stumbling steps towards robots that could help in disaster zones. Next is a Cyber Grand Challenge that aims to develop software smart enough to spot and seal vulnerabilities in other programs before malicious hackers even know they exist. "Currently, the process of creating a fix for a vulnerability is all people, and it's a process that's reactive and slow," said Mike Walker, head of the Cyber Grand Challenge at Darpa.

This counted as a grand challenge, he said, because of the sheer complexity of modern software and the fundamental difficulty one computer had in understanding what another was doing - a problem first explored by computer pioneer Alan Turing. He said the need for quick fixes would become more pressing as the world became populated by billions of small, smart net-connected devices - the so-called internet of things. "The idea is that these devices will be used in such quantities that without automation we just will not be able to field any effective network defence," he said. The cyber challenge climaxes this week at the Def Con hacker convention, where seven teams will compete to see whose software is the best hacker.

Blowing up

But automated, smart digital defences are not limited to Darpa's cyber arena. Software clever enough to spot a virus without human aid is already being widely used. A lot of what anti-virus software did had to be automatic, said Darren Thomson, chief technology officer at Symantec, because of the sheer number of malicious programs the bad guys had created. There are now thought to be more than 500 million worms, Trojans and other viruses in circulation. Millions more appear every day. That automation helped, said Mr Thomson, because traditional anti-virus software was really bad at handling any malware it had not seen before. "Only about 30-40% of all the things we protect people against are caught by these programs," he said.

For the rest, said Mr Thomson, security companies relied on increasingly sophisticated software that could generalise from the malware it did know to spot the malicious code it did not. Added to this are behavioural systems that keep an eye on programs as they execute and sound the alarm if they do something unexpected. Some defence systems put programs they are suspicious about in a virtual container and then use different techniques to try to make the code "detonate" and reveal its malicious intent. "We simulate keystrokes and make it look like it is interacting with users to make the malware believe it's really being used," Mr Thomson said.

Clever code

See also:

Yahoo probes possible huge data breach
Tue, 02 Aug 2016 - Yahoo is investigating claims a hacker has uploaded 200 million Yahoo accounts to the dark web.
Usernames, passwords and dates of birth are being offered for sale for three bitcoins (£1,360). Using the name Peace, the hacker said the data was "most likely" from 2012. Yahoo said it was taking the claim "very seriously" and was "working to determine the facts". "Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms," it said in a statement.

Dictionary attack

The passwords appear to be hashed - which means they have been scrambled - but the hacker has also published details of the algorithm allegedly used for the hash. "The algorithm MD5 is considered to be weak, and for the vast majority of passwords it is easy to reverse what it was using what we call a dictionary attack," said Prof Alan Woodward, a security expert from Surrey University. He added though that caution needed to be exercised about the alleged breach. "We have seen claims about similar dumps in the past weeks which have proved to be fake or just old data," he said. "People are still trying to work out if it is real or not." Motherboard, which first reported the alleged breach, obtained a small sample of the data - some 5,000 records, and tested whether they corresponded to real accounts on the service.

It found that most of the first two dozen Yahoo usernames tested did correspond to actual accounts. However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: "This account has been disabled or discontinued," which might suggest that the data is old. Brendan Rizzo, technical director at HPE Security, said: "Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen." Earlier this month, Yahoo was sold to US telecoms giant Verizon for nearly $5bn (£3.8bn).

Can machines keep us safe from cyber-attack? - BBC News
 
Ever Vigilant is the catch phrase of Cybersecurity...

Constant Vigilance Crucial Element of Cybersecurity
August 05, 2016 - Inside the secretive world of cybersecurity experts is a phrase that quickly determines the severity of a cyberattack: Is this mischief or calamity?
For the higher-ups at the Democratic National Committee, hit by a cyberattack that vacuumed up thousands of emails, which WikiLeaks then leaked, it sure felt like a calamity. It was the night before the opening of the party convention, and the world had an up-close peek at the rough-and-tumble world of American politics: emails that showed party leaders were doing everything they could to ensure that former Secretary of State Hillary Clinton, not Vermont Senator Bernie Sanders, would win the party's nomination for president. The hack was quickly laid at Russia’s doorstep, which prompted some mudslinging by Donald Trump, who had just become the Republican presidential candidate at his party's convention the week before. Trump grabbed headlines again when he called on Russia to find “the 30,000 missing emails” that Clinton's staff said they had deleted because they were purely personal. The DNC tried to ignore the controversy, but just hours into day one of the convention, the party's national committee chairwoman, Debbie Wasserman Schultz, stepped down.

For cyber experts, this was small stuff … mischief. No one died. No sovereign nation was violated. No infrastructure destroyed. Cyberattacks happen all the time, all over the world. The DNC was embarrassed, but that’s nothing compared to a loss of life. However, the connection with Russia hung around. Not because of Trump, but because of the implication that President Vladimir Putin was meddling in U.S. political affairs — a presidential election, no less. President Barack Obama, hosting Prime Minister Lee Hsien Loong of Singapore at the White House, was asked how the alleged Russian connection to the DNC hack might impact America’s already strained relations with Putin. “In terms of how it affects our relationship with Russia, look, I think we’ve already got a lot of differences with Russia on a whole bunch of issues," Obama said. “If, in fact, Russia engaged in this activity, it’s just one on a long list of issues that me and Mr. Putin talk about and that I’ve got a real problem with. And so I don’t think that it wildly swings what is a tough, difficult relationship that we have with Russia right now.”

Demonstrators make their way around downtown July 25, 2016, in Philadelphia, during the first day of the Democratic National Convention after some of the 19,000 emails, presumably stolen from the DNC by hackers, were posted to the website WikiLeaks.

He reiterated that the United States is ready to “impose potentially certain proportional penalties.” Obama gave no specifics, but said the FBI is still investigating. That Russia was behind the DNC breach is widely accepted. Shocking as it may sound, China routinely hacks the United States and has done so successfully, said Fred Kaplan, a columnist for Slate.com and author of "Dark Territory: The Secret History of Cyber War." “The distinction between China and Russia when it comes to cyber activities is that China is kind of indiscriminate about it," Kaplan said Wednesday, during a radio appearance (Stand Up! with Pete Dominick on SiriusXM). “Russia tends to be a bit cagier about it, and some of their hacks are much harder to trace. They’re subtler and they cover their tracks well.”

Scary? Yes, with scenarios of blacking out the power grids of entire countries swirling around one’s head. Kaplan says the United States employs some of the world’s brightest cybersecurity experts at the National Security Agency, the most secret of all U.S. intelligence services. Those who are in charge of U.S. cybersecurity are focused on three key aspects of cyberwarfare: deterrence, detection and resilience. And Kaplan’s well-placed sources tell him “we are the best at this.” That's good to know.

Constant Vigilance Crucial Element of Cybersecurity

See also:

US Cyber Pros: Hackers Could Hit Electronic Voting Machines Next
August 03, 2016 | WASHINGTON—U.S. cyber security professionals say suspected foreign hackers who recently attacked computer systems of the Democratic Party could do something even more sinister in the future.
The cyber pros, who appeared on this week's Hashtag VOA program, said U.S. electronic voting systems are likely to be among the next targets. When the whistle-blowing website WikiLeaks published leaked emails of the U.S. Democratic National Committee last month, it caused major embarrassment to the party, and forced U.S. Congresswoman Debbie Wasserman Schultz to quit her position as the DNC chairperson. Cybersecurity analyst Richard Forno said that outcome shows foreign hackers can achieve political goals and incentivizes them to escalate their attacks. "Interfering with the electoral and political process of countries is a classic tool of intelligence and foreign policy,” said Forno, who directs the University of Maryland’s Center for Cybersecurity. “Even though we are moving toward an era of electronic and technology-enabled voting in more places, this [DNC cyberattack] reinforces the fact that the traditional threats are still with us, and are now moving further into cyberspace."

Electronic voting machines are part of that cyberspace. The vast majority of U.S. states will use them for this November's national elections. But a 2015 study by New York University found that 43 of those states had machines that were at least a decade old. Could they be hacked as well? Cyber security pros attending an annual Las Vegas conference known as Black Hat think so.

Attack in Ukraine

One of them is Toni Gidwani, research director at ThreatConnect, a cyberdefense platform used by 1,200 companies and organizations worldwide. She said there is a precedent for attacks on voting systems. "We saw that in Ukraine in 2014, where three days before the election, the Ukrainian central election committee suffered a massive hack that threatened their ability to hold voting on schedule,” she said. “And then malware was discovered right before results were announced – malware that would have projected a totally different outcome in which an ultranationalist candidate, who in reality received less than 1 percent of the vote, would have won. So this is not science fiction - we have already seen this happen." Some U.S. voting machines produce paper records that can be used in case of problems with a vote count. But keeping a paper trail might not be enough.

Yong-Gon Chon, another Black Hat attendee, said any organization seeking to protect itself from hackers needs all of its personnel to play their part. "It is no longer just the responsibility of a chief security officer or CIO to protect an organization's infrastructure - everyone has a role to play,” said Chon, who serves as CEO of Cyber Risk Management and has led global security teams for more than 20 years. “There is a shared level of responsibility, whether you are using cloud systems or your own systems within your organizations. And ultimately it is about being able to practice safe and healthy (cyber) activities on a day to day basis." One healthy habit recommended by Chon is being skeptical when you receive an email containing a hyperlink that could expose you to a hacker. “You should determine whether or not that is something that you should trust and is acceptable for your business,” he said.

US Cyber Pros: Hackers Could Hit Electronic Voting Machines Next
 
Russian hackers target U.S. Senate...

Cybersecurity Firm: US Senate in Russian Hackers' Crosshairs
January 12, 2018 — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.
The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America's political elite. "They're still very active — in making preparations at least — to influence public opinion again," said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report. "They are looking for information they might leak later." The Senate Sergeant at Arms office, which is responsible for the upper house's security, declined to comment. Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate's internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs "Pawn Storm." Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron's campaign in April 2017. The sites' discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts. "That is exactly the way they attacked the Macron campaign in France," he said. Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt. "We are 100 percent sure that it can be attributed to the Pawn Storm group," said Rik Ferguson, one of Hacquebord's colleagues. Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having "Russia-related interests." But the U.S. intelligence community alleges that Russia's military intelligence service pulls the hackers' strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin's objectives. If Fancy Bear has targeted the Senate over the past few months, it wouldn't be the first time. An AP analysis of Secureworks' list shows that several staffers there were targeted between 2015 and 2016.

The U.S. Capitol building is illuminated during sunrise in Washington.

Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted. Fancy Bear's interests aren't limited to U.S. politics; the group also appears to have the Olympics in mind. Trend Micro's report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union. The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials' emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.

On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal. Whether any Senate emails could be published in such a way isn't clear. Previous warnings that German lawmakers' correspondence might be leaked by Fancy Bear ahead of last year's election there appear to have come to nothing. On the other hand, the group has previously dumped at least one U.S. legislator's correspondence onto the web. One of the targets on Secureworks' list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton's campaign — in late 2016. Kerr said he was still bewildered as to why he was targeted. He said while he supported transparency, "there should be some process and some system to it. It shouldn't be up to a foreign government or some hacker to say what gets released and what shouldn't."

Cybersecurity Firm: US Senate in Russian Hackers' Crosshairs
 
