TweakTown News
The Department of Homeland Security (DHS) is a bureaucratic mess when it comes to cybersecurity - and would be inefficient and overmatched trying to protect citizens and other federal branches. This news comes as part of the "A Review of the Department of Homeland Security's Missions and Performance" report, which heavily scrutinized DHS activities.
"Widespread weaknesses in the federal government's information security practices represent a significant vulnerability that could be exploited by adversaries, creating a potential threat to national security and American citizens," according to the report.
It's not just hacktivists trying to breach US infrastructure, but foreign states with sophisticated cyberespionage programs. The DHS itself has failed in maintaining its own security protocols, let alone trying to secure other departments from potential cyberattack.
The French government announced there are 19,000 civilian websites now under cyberattack by unknown sources, in a wide-ranging attack. The French Defense Ministry recently faced a targeted distributed denial of service (DDoS) attack, according to officials discussing the ongoing cyber operation.
"These attacks have no effect on the conduct of our operations," said Rear Admiral Arnaud Coustilliere, in a statement to CNNMoney. Reportedly, the attacks are targeting websites while hoping for weak cyber defenses, though the top visited French websites appear to be working fine.
Over the past week, cybercriminals have posted pro-Islamic images and messages on various religious groups' websites and other sites. The Anonymous hacker group temporarily downed a jihadist website last week and the Charlie Hebdo magazine released a new edition that has sold millions of copies.
The threat of mobile malware continues to increase, with rates jumping 75 percent in 2014, according to a report published by Lookout. Mobile users are urged to run some type of anti-virus and anti-malware security platform on their smartphones and tablets, as threats rise.
There are a number of different types of attacks, but ransomware has cybersecurity firms extremely anxious, especially as users download apps and other files from unknown sources. It may be harder to infect users with ransomware, but payouts are larger, as victims have to turn over a ransom for full control of their devices again.
"It all goes back to monetization, what's the endgame?" pondered Kevin Mahaffey, co-founder and CTO of Lookout, in a statement published by CNBC. "While it can be complicated it can generate a huge amount of money. The bad guys aren't stupid and they wouldn't do this if they weren't making money."
A security researcher has developed a USB wall charger that can intercept, log, and decrypt signals sent from Microsoft's wireless keyboards. The KeySweeper was developed by Samy Kamkar, a giving sort, who has released instructions on how to build the device online.
The KeySweeper can be built for as little as $10 and simply appears to be a typical, and functional, USB wall charger. The charger monitors all Microsoft keyboards in range. The transmissions are encrypted, but the researcher has found multiple bugs that enable easy decryption. The design also includes optional features, such as an internal rechargeable battery that keeps the device working even after being unplugged, and SMS notification when keywords are typed into the keyboard.
There is a detailed build log on GitHub, and also a video on YouTube. Microsoft has fired back by insisting that all models manufactured after 2011 feature AES encryption, which isn't decoded by the system, but Samy Kamkar purchased a vulnerable model from Best Buy last month.
Numerous states are now investigating a major data breach suffered by JPMorgan Chase in 2014, asking the company to turn over details regarding its security practices. Customer records that included names, addresses and phone numbers of up to 83 million members were stolen, though account numbers, passwords and Social Security numbers weren't impacted.
"Critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches," according to the letter obtained by Reuters, which more than one dozen states sent to JPMorgan Chase.
States also asked if the bank received reports of fraud, and a description of its past and current security protections.
Apple Pay is helping lead a mobile payment revolution, with consumers and retailers seeing a wider number of payment options at checkout. Mobile security is expected to reach upwards of $11 billion in 2015 alone, industry analysts forecast, and keeping mobile payment platforms secure will need special attention.
Upwards of 30 million smartphones could be used for mobile payments worldwide, according to Deloitte, with five percent of NFC-equipped devices estimated to be used for in-store transactions. If interest is accelerating in mobile payment adoption, then it's likely cybercriminals will adapt their attack strategies.
"It's very easy to predict that as the adoption of mobile payment systems like Apple Pay increases, that attacks will grow to follow that," said Chris Doggett, North American managing director at Kaspersky Lab, in an interview with the Washington Post. "It's like that famous saying, 'Why do you rob banks? Because that's where the money is.' If Apple Pay becomes a big, pervasive system for payments, you can be sure that the criminals are going to be right behind, figuring out how to breach Apple's security and how to steal money."
Even with cybercriminals using sophisticated attack methods to compromise companies, business leaders must deal with employees recklessly clicking links and installing unknown software, according to the "2015 State of the Endpoint" study.
Seventy-eight percent of surveyed IT professionals believe careless employees are the biggest threat, 68 percent blame personal devices in the workplace, and 66 percent cite commercial cloud apps used at work.
"Respondents in this year's study have shifted their thinking and are now also attributing endpoint risk to human behavior in addition to particular device vulnerabilities," said Chris Merritt, director of solution marketing at Lumension. "This is a significant cultural shift to note because it illustrates how IT is starting to look at cybersecurity holistically. In addition to technology solutions, in 2015 IT must also take into account company policies and control processes, user awareness and overall employee education."
Former NSA contractor Edward Snowden recently said he went through the "channels" to inquire about oversight and compliance regarding NSA activities, but was shut down by big bureaucracy.
However, the NSA said they conducted an investigation and "have not found any evidence to support Mr. Snowden's contention that he brought these matters to anyone's attention."
"The email, provided to the committee by the NSA on April 10, 2014, poses a question about the relative authority of laws and executive orders - it does not register concerns about NSA's intelligence activities, as was suggested by Snowden in an NBC interview this week," said Sen. Dianne Feinstein (D - Calif), chair of the Senate Intelligence Committee, in a statement.
Cybercrime is maturing while those interested in launching attacks are better organized and skilled with their ability to breach networks. There are a growing number of paid cyberattack tools available on the black market, which can be custom scripted for additional payments, broadening the scope of these attacks.
Following its success in taking down Microsoft Xbox Live and Sony PlayStation Network on Christmas, the Lizard Squad hacker group showed off its distributed denial of service (DDoS) tool. The DDoS-for-hire attack service, dubbed Lizard Stresser, put the for-pay cyberattack market in front of a larger audience - and it appears people are interested.
"I really feel Lizard Squad has upped the ante on the DDoS for hire market," said Terrence Gareau, Chief Scientist at NexusGuard, in a statement to SiliconANGLE. "They have taken an approach much like Silicon Valley startups that focuses on marketing and media to push a product and make their stresser appear better than competitors."
The US Central Command Twitter and YouTube accounts were compromised on Monday morning, with hackers posting threatening messages and officer contact information. CENTCOM servers and classified data remained intact, and the FBI and Department of Defense (DoD) are now investigating the issue. If nothing else, this is a rather embarrassing issue for the US military, as cybersecurity protocols are being taken more seriously.
"It's embarrassing as all get-out for CENTCOM," said Matthew Aid, a cybersecurity specialist, in a statement to USA Today. "It looks like rather low-level classified documents. They came off a protected network. Regardless of the low level of sensitivity, the fact that it was done should scare the crap out of people."
CENTCOM officials, however, note that while the account's username and password were compromised, its networks were not breached in the incident: "This is little more, in our view, than a cyber-prank," said Army Col. Steve Warren, a spokesman for the Pentagon. "It's an annoyance. We wish it wouldn't happen because we have to spend our time on it. But in no way compromises our operations in any way shape or form."