Justice Dept. Launches #CyberTaskForce to Review Elections Attorney General Jeff Sessions is creating a cyber task force to evaluate attempts to interfere with U.S. elections. It is believed the task force will be comprised of representatives from various Justice Department offices, as well as outside law enforcement and #federal agencies. InfoSec Insights Team.


Sessions Creates Cyber Task Force to Study Election Interference

The Hill | By Olivia Beavers

The Justice Department is creating a cyber-digital task force to examine outside attempts to interfere with U.S. elections, Attorney General Jeff Sessions announced Tuesday.

“At the Department of Justice, we take these threats seriously. That is why today I am ordering the creation of a Cyber-Digital Task Force to advise me on the most effective ways that this Department can confront these threats and keep the American people safe,” Sessions said in a statement. Sessions said Deputy Attorney General Rod Rosenstein will name a senior department official to chair the task force. The effort will seek to “canvass the many ways that the Department is combatting the global cyber threat” as well as “identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area,” according to the press release.

The task force will be in charge of looking into a broad range of efforts in which outside actors sought to interfere. It is tasked with providing a report on its findings at the end of June.

“The Internet has given us amazing new tools that help us work, communicate, and participate in our economy, but these tools can also be exploited by criminals, terrorists, and enemy governments,” Sessions added. The new task force comes shortly after special counsel Robert Mueller charged 13 Russian nationals and three Russian companies on Friday with attempting to sow discord and interfere in the country’s presidential election by waging “information warfare.”

President Trump spent the weekend tweeting that the grand jury’s indictment vindicates him in the federal Russia probe because this particular set of charges did not point to collusion between Trump campaign aides and Russians. Trump in particular seized on the fact that the indictment accuses the Russians of beginning such efforts in 2014, before he had officially thrown his hat in the ring.

“Russia started their anti-US campaign in 2014, long before I announced that I would run for President. The results of the election were not impacted. The Trump campaign did nothing wrong – no collusion!” Trump tweeted shortly after the indictment became public.

But Trump’s critics pointed to Mueller’s indictment detailing the Russians’ sophisticated operation. The eight-count indictment also includes the explosive allegation that some defendants, who masqueraded as politically active Americans, had contact with “unwitting individuals associated with the Trump campaign” and others. The cyber force will bring together representatives from a wide range of DOJ offices along with outside law enforcement and federal agencies, depending on the direction of Rosenstein.

The announcement also comes amid growing calls on Capitol Hill to prioritize election security ahead of the approaching midterms.


FY2019 Budget Sees Cyber Funding Boost, Research Cuts. President Trump’s recently revealed budget for fiscal year 2019 increases #cybersecurity funding across the government, but also includes significant cuts in funding for #cyber #research.


Trump’s 2019 Budget Boosts Cyber Spending but Cuts Research

Nextgov | By Joseph Marks

President Donald Trump’s 2019 fiscal year budget request boosts cybersecurity funding by about 4 percent across the government, including significant hikes at the Homeland Security Department and Pentagon.

The overall increase includes even larger cyber funding spikes at key agencies, including a 23 percent jump at the Energy Department, a 33 percent jump at the Nuclear Regulatory Commission and a 16 percent hike at the Veterans Affairs Department. The budget, however, includes a massive cut of 18 percent to the government’s main cyber standards organization, the National Institute of Standards and Technology. That cut comes as NIST is working on an update to its cybersecurity framework, which is now mandatory for all federal agencies.

The budget also marks a major shift for cyber research and development funding inside the Homeland Security Department. Cyber research was formerly housed primarily in the department’s Science and Technology Directorate. Going forward, that funding, which totals $41 million in the president’s budget request, will be inside the cyber and infrastructure protection division—called the National Protection and Programs Directorate, or NPPD. The move is another blow for the Science and Technology Directorate, which has faced significant budget cuts since the start of the Trump administration.

The shift was made so “operators on the ground have influence over research and development,” a senior administration official said during a press call. The cyber and infrastructure protection division will work closely with the science and technology division on research priorities, the official said. The budget also calls for a small spike in government-wide information technology spending.

The president’s budget request is as much an ideological document as a budgeting one. The request lays out the executive branch’s funding priorities, but those numbers are only a rough starting point when Congress begins its own budgeting process, and they’re often ignored entirely.

Funding Hikes at Homeland Security and Defense

Homeland Security cyber spending overall will stay roughly flat at about $1.72 billion.

The cyber division of the department’s cyber and infrastructure protection wing, however, will get a 7 percent spike from $665 million in the 2018 fiscal year to $712 million this year.

In addition to protecting federal civilian government computer networks, that division is also helping states secure their election systems against cyberattacks.

The budget includes $238 million for Homeland Security’s continuous diagnostics and mitigation program, which delivers a suite of cybersecurity tools to federal agencies and will eventually track federal computer systems on a government-wide dashboard. That’s down from $279 million in last year’s request.

The budget commits $407 million for a government-wide intrusion detection program called Einstein. That’s up from $397 million in last year’s request.

At the Pentagon, total cyber funding jumps to $8.5 billion in this year’s request, a 4.2 percent hike over the prior year.

That jump comes as U.S. Cyber Command, which was elevated last year to a unified combatant command, is in the process of reaching full operational capability.

The budget released Monday also:

  • Includes $8 million for the White House Office of Management and Budget’s cybersecurity oversight responsibilities, down from $19 million last year.
  • Includes $25 million for a cybersecurity enhancements account at the Treasury Department, which will help upgrade high-value Treasury computer systems that rely on outdated technology. The fund will also help the department respond more nimbly to cyber incidents. Overall cyber funding at Treasury will drop from about $529 million last year to $500 this year.
  • Raises funding for the Justice Department’s national security division, which prosecutes cyber crimes, from $95 million to $101 million. Overall Justice Department cyber funding is at $721 million, up from $704 million last year but down from $735 during the final year of the Obama administration.
  • Includes $10 million for cyber upgrades at the Transportation Department.
  • Hikes Veterans Affairs Department cyber funding 16 percent from $360 million last year to $418 million this year.
  • Raises cyber funding at the Office of Personnel Management 18 percent, from about $39 million to about $46 million.
  • Hikes Nuclear Regulatory Commission cyber funding 33 percent, from about $24 million to about $32 million.

  • Hikes Energy Department cyber funding 23 percent, from about $379 million to about $465 million.

Dark Caracal Targets Thousands in Over 21 Countries. The Electronic Frontier Foundation and Lookout Security released a report detailing several active Dark Caracal #hacking campaigns that successfully targeted mobile devices of #military personnel, medical #professionals, #journalists, #activists, and others in over 21 countries.


Dark Caracal: Hackers Spied on Targets in Over 21 Countries and Stole Hundreds of Gigabytes of Data

International Business Times UK | By India Ashok

A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.

A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.

The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.

The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps — knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.

“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

According to the report, Dark Caracal has been active in several different campaigns, running in parallel, with its backend infrastructure also having been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents of the Kazakhstan government, was launched using Dark Caracal’s infrastructure.

According to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments, The Register reported.

Dark Caracal hackers also make use of other malware variants such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and EFF, which is capable of targeting Windows, Linux and OSX systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, VP of security intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF staff technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

#SID2018 Is the Internet Safer? Today is the annual Safer Internet Day, an effort to promote safer and responsible use of the internet and mobile phones that is celebrated by over 120 countries. Several cyber experts and companies weigh in on the dangers that younger internet browsers face, and how government, industry, parents, and others in the community can help reduce usage risks.

#SID2018: Is the Internet Safer?

Infosecurity Magazine | By Dan Raywood | February 6, 2018

Today is the annual Safer #InternetDay, when the reality of online threats is detailed in an effort to encourage users to take better safety steps online.

According to research released by the UK Safer Internet Centre, a study of 2000 eight- to 17-year-olds found that 11% had “felt worried or anxious on the internet,” while respondents had felt inspired (74%), excited (82%) or happy (89%) as a result of their internet use in the previous week.

This year’s event is using the slogan “Create, Connect and Share Respect: A better internet starts with you” with a strong emphasis on using the internet and what makes users feel good or bad. In a time where more is being done to deliver a safe experience online – including free SSL certificates, the launch of a new version of the TLS protocol and the ability to filter out certain words on Twitter – it does seem that more is being done to provide a safer and better experience for all online.

Margot James, Minister for Digital and the Creative Industries, said that the internet does have a positive effect on young people’s lives, but we must all recognize the dangers that can be found online. “Only by working together can government, industry, parents, schools and communities harness the power of the internet for good and reduce its risks.”

At the recent White Hat Ball, it was revealed that in 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

Will Gardner, a director of the UK Safer Internet Centre and CEO of Childnet, said: “Safer Internet Day gives us the unique opportunity to collectively promote respect and empathy online, inspire young people to harness their enthusiasm and creativity, and support them to build positive online experiences for everyone. It is #inspirational to see so many different organizations and individuals come together today to build a better internet.”

After all, a #safer #internet means more young people are encouraged to learn more about the internet and its workings, and therefore see the benefits of a career in cybersecurity.

Raj Samani, chief scientist and fellow at McAfee, said the reality is that we need to continue raising awareness for codes of best practice online. “Cyber-criminals are constantly on the lookout for slip ups and mistakes which allow them to access lucrative private data – from bank account details to medical history: consumers must be aware of the threats online – not least because the blurring of work life boundaries today means bad habits online can quickly slip into the office.”

As a result, Samani recommended that businesses should offer staff training to build up a strong security culture across their entire organization.

He added: “Implementing the right technology is vital but, at the end of the day, it’s about looking for a blended approach which suits your specific organization. This means finding the right combination of people, process and technology to effectively protect the organization’s data, detect any threats and, when targeted, rapidly correct systems.

“Safer Internet Day acts as a timely reminder for organizations to ensure the correct training is in place so staff can remain cyber-savvy online.”

To tie in with the day, ENISA published the Cybersecurity Culture in Organizations report, in order to promote both the understanding and uptake of cybersecurity culture programs within organizations. ENISA said that a decent culture is achieved by:

• Setting #cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture

• Ensuring that employees are consulted and their concerns regarding cybersecurity practices are being considered by the cybersecurity culture working group

• Ensuring that business processes/strategies and cybersecurity processes/strategies are fully aligned

“While many organizations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life,” ENISA’s announcement said.

Part of this was to appreciate that “cyber threat awareness campaigns alone do not provide sufficient #protection against ever evolving cyber-attacks,” that technical cybersecurity measures need to be in accordance with other business processes, and that employees need to act as a strong human firewall against cyber-attacks.

A safer internet is better for all, although a cynic of such awareness days would suggest that there should be year-round awareness of the issues and part of developing a culture is the constant awareness. Regardless, some action is better than none and it is reassuring to see such positivity about internet usage in 2018.

Army to Modernize Tracking System for Cyber Attacks

The U.S. Army is preparing to modernize Blue Force Tracking, its friendly forces tracking system, to ensure continued operability in the event of cyber and electronic warfare attacks.

The Army Wants to be Able to Track Friendly Forces During a Cyber Attack
C4ISRNET | By Daniel Cebul

Washington — The U.S. Army is preparing to modernize its friendly forces tracking system so that it will continue to operate through cyber and electronic warfare attacks.

The service’s situational awareness network, known as Blue Force Tracking, already receives periodic updates, but a more significant upgrade is needed if troops are to be adequately equipped for future warfare. “This capability improvement is necessary as the United States faces increased cyber and electronic warfare threats from near-peer adversaries,” Lt. Col. Shane Sims said in an Army press release.

Defense News reported in November 2017 that Russia’s Zapad exercise took place in a largely EW-hostile environment. Because Russia proved it can jam its own forces relatively easily, military officials are concerned about how well NATO forces are prepared to operate in GPS- and communication-denied environments.

To address these issues, the program office partnered with the Army’s Communications Electronic-Research, Development and Engineering Center, or CERDEC, and ran concurrent studies that examined the capabilities and limitations of current blue force tracking technology.

The work included:

A traffic study that explored how the current blue force tracking system generates and receives data, as well as the requirements of moving data digitally to identify any network vulnerabilities.

A cyber and electronic warfare study that aimed to identify what emerging technologies need to be developed to stay ahead of adversaries. The Army announcement notes, “assured positioning, navigation and timing, known as PNT, for soldiers in GPS-denied environments was the primary goal in this study.”

A network study that examined how to communicate future data more efficiently within the network.

A transport study that identified the physical infrastructure — radios, satellites and antennas — needed to move larger quantities of information. Part of the solution is to build in redundancies into the network to use different radios and different frequency bands.

This might entail deploying satellites of higher technological quality in larger quantities. A new satellite infrastructure that could handle more data and transmit information faster was credited with the improvements soldiers observed the last time the BFT system was upgraded in 2011.

“The goal of the next-generation BFTs is to reduce the cognitive burden on soldiers by creating a simple and intuitive network,” Sims said.

The Army issued a request for information on the system this month, and CERDEC is set to meet with Army leaders to discuss an acquisition strategy in February.

The Army hopes to issue a request for proposals from industry in early 2020, and could begin fielding the new BFT by 2025, the release said.

The Risk of Insider Threat

Research demonstrates that most fraud risk is attributable to insider threat. In one study, almost one third of all cyber attacks were committed by ex-employees.

It’s Not Just Cybercriminals: Insider Threats Still a Top Cyber Risk for Corporations
Property Casualty 360° | By Rhys Dipshan

As cyber espionage and ransomware attacks wreak increasing damage on the world economy, it makes sense that many companies think their biggest threats come from external actors.
But most risk still emanates from inside the organization, according to Kroll’s Global Fraud & Risk Report.
The report was based on a survey conducted among 540 senior executives across six continents and found that a significant share of companies’ fraud, cybersecurity and security incidents were caused by current or former employees.
Risks from current & former employees
Ex-employees, for example, were key perpetrators in 37% of security incidents that happened outside the cyber realm. What’s more, 25% of security incidents were caused by middle- or senior-level employees, while 26% were by junior employees.
Junior employees were also the most likely to cause fraud incidents, followed by ex-employees.
And while most cybersecurity incidents were caused by random cyberattackers, at 34%, ex-employees still accounted for 28% of all attacks, while senior or middle management employees accounted for 19%, and junior employees 16%.
Alan Brill, senior managing director with Kroll’s cyber security and investigations practice, noted that oftentimes, organizations will concentrate too much on high-tech cybersecurity needs, such as protecting their networks, and miss the fact that their biggest “risk factor comes from those who have access to sensitive information.”
Ensure former employees don’t have access
One major shortcoming among organizations is not properly ensuring former employees do not have access to enterprise systems. “You need to be able to not just plan the steps the company is going to take [when an employee leaves], but you have to have a way of knowing that the steps are actually being done. I think in many cases, there is a disconnect from what managers believe is being done and what is happening on the ground,” Brill said.
Brill also advised organizations to ensure that “the right agreements are [in] place” to limit employees’ and contractors’ access to sensitive information, and train employees on the appropriate data handling procedures.
Most companies surveyed took measures to mitigate the risk of insider threats. Over 80% restricted employees from installing software on company devices and had employee training programs. Over 75% had internal cybersecurity policies and procedures.
But Brill noted that it’s not enough to just have security programs and policies without constantly reviewing their usefulness. He said that many companies need to use “metrics to understand if what they’re doing is effective,” and build their security programs around tested results.
Fraud, information theft
Such proven programs are becoming increasingly necessary given the wide range of fraud and cybersecurity incidents that organizations face in the current economy. The survey found, for example, that 29% of respondent companies suffered fraud, which resulted in information theft, loss or attack, while 27% had theft of physical assets or stock, and 26% uncovered a conflict of interest.
Information theft and conflict of interest incidents were experienced by 5% more companies in 2017 than in 2016, the biggest increase among all types of fraud incidents.
Brill noted that such conflict of interest incidents are becoming more common as enterprises rely on more vendors in their supply chain and as compliance offices become “more able to detect conflicts of interest” through the use of better compliance technology.
More vulnerable to all types of threats in 2018
With regard to cyber incidents, the survey found the number of companies attacked by malicious viruses rose 3% to 36% in 2017, while those suffering email phishing attacks rose 7% to 33%, which Brill attributed to such scams becoming more sophisticated.
When compared with the 2015 survey results, respondents believed they’re more vulnerable to all types of threats in 2017 than they were two years prior, with the exception of theft of physical assets or stock. Areas where respondents believe their vulnerability had increased the most since 2015 included IP theft, management of conflicts of interest, and market collusion.

Symantec, McAfee Let Russia Search Through Their Software

A Reuters investigation found that global technology providers Symantec and McAfee allowed Russian authorities to search for vulnerabilities in the source code of some of their products that are also used by the U.S. government. U.S. lawmakers and security experts believe the practice could potentially jeopardize the security of networks in at least a dozen federal agencies.

Tech Firms Let Russia Probe Software Widely Used by U.S. Government
Reuters | By Dustin Volz, Joel Schectman, Jack Stubbs

WASHINGTON/MOSCOW (Reuters) – Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus (MCRO.L), the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyber attack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

In contrast to Russia, the U.S. government seldom requests source code reviews when buying commercially available software products, U.S. trade attorneys and security experts say.

OPENING THE DOOR

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure – whether it be overt or covert – by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cyber security supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

NO PENCILS ALLOWED

Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

‘YOU CAN’T TRUST ANYONE’

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

“The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

New Bill to Give Government Power to Penalize Companies Who Suffer Data Breach

In an effort to motivate entities to protect their stores of sensitive consumer data, lawmakers want to penalize organizations that suffer major cyber-attacks. The proposed bill would grant the Federal Trade Commission clearer authority to fine credit-reporting agencies. The fines incurred by the companies would be paid to the millions of Americans affected by the breach.

Equifax could face a massive fine for another security breach — if two top Senate Democrats get their way

Recode | By Tony Romm | January 10, 2018

Two top Senate Democrats are seeking broad new powers for the U.S. government to slap Equifax and its peers with massive fines if they suffer major cyber attacks — money that would then be returned to the millions of Americans affected by such a breach.

The idea is the centerpiece of the so-called Data Breach Prevention and Compensation Act, a bill to be introduced on Wednesday by Democratic Sens. Elizabeth Warren and Mark Warner. Cyber attacks may be inevitable, but the lawmakers feel that the federal government for too long has lacked the power to penalize entities that fail to protect their stores of sensitive consumer data.

Specifically, the bill would grant the Federal Trade Commission — an arm of the government that oversees companies’ security practices — clearer authority to fine credit-reporting agencies. That category includes TransUnion, Experian and Equifax, the latter of which was subject to a breach last year compromising the names, Social Security numbers and other sensitive information of more than 145 million Americans.

If the Democrats’ measure had been law at the time of the incident, Equifax would have been forced to fork over $1.5 billion to the feds, the lawmakers estimate. That’s because their measure would allow the FTC to fine credit-reporting agencies $100 for each consumer whose personal information was stolen by a hacker — and another $50 for each additional piece of personal information compromised per individual. Total fines would be capped based on a credit-reporting agency’s revenue, but could increase further if the likes of Equifax failed to follow basic cybersecurity practices.

The bill by Warren and Warner would further ensure that half of the money paid to the U.S. government would ultimately be returned to affected consumers. Meanwhile, the Democratic duo would empower the FTC to probe and regulate the data security practices of credit-reporting agencies.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again,” Warren said in a statement.

For Warren and Warner, their proposal originates out of a broader frustration about the power and reach of credit-reporting agencies. These entities aren’t widely known, but they amass virtual warehouses of information about all Americans. The credit scores they compute affect consumers’ ability to purchase cars, rent apartments, obtain loans and more — but the watchdog FTC is limited in its oversight of the industry.

Yet even these powerful Democrats still face a daunting challenge in advancing their legislation to a vote on the Senate floor.

Lawmakers convened months of hearings in the aftermath of the Equifax breach, repeatedly grilling its top executives for their misdeeds. Disgust and outrage transcended party lines, leading Democrats and Republicans to expand their inquiries to include other major breaches, including a 2013 incident at Yahoo that affected three billion users.

Somehow, though, their intense, widespread criticism failed to translate into any new, meaningful movement on a slew of bills that might have addressed the problem. Congress couldn’t even advance basic legislation that aimed to refund consumers who had to purchase credit freezes from the very credit-reporting agencies, like Equifax, that had been hacked. Warren, in fact, had been a key driver of that idea.

Nor was it the first time that lawmakers failed to translate their outrage into action: Similar breaches affecting Sony, Home Depot, Target and scores of other major companies in recent years have failed to convince Congress to adopt new federal rules governing how and when companies inform customers of a data breach. Many states have their own rules, which one major company — Uber — may have flouted in its handling of a 2016 security incident.

For now, though, Senate Democrats stressed that their new bill is necessary to fix the “out of whack” economics of cybersecurity, as Warren explained — the reality that there’s currently very little the FTC can do, even in the wake of a cyber attack that affected 40 percent of the U.S.

“In today’s information economy, data is an enormous asset,” added Warner in a statement. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”