Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement

Newsletter Team
* SA Jeanette Greene, Albuquerque FBI
* CI Agent Scott Daughtry, NMCIWG Member

Subscription/Questions
Click HERE to request for your employer-provided email address to be added to this product's distribution list

This Issue's News Articles:
* Mobile spyware maker leaks 2 million records
* Twitter is keeping 500,000 bots from logging in every day
* Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock
* Homeland Security awards massive cyber contract to ManTech
* House passes measure to identify, sanction hackers assisting in cyberattacks against US
* Social Security numbers exposed on US government transparency site
* Chrome: Flash is almost, almost, almost dead
* How a data request turned into a data breach
* House passes CDM bill
* Protecting the power grid from GPS spoofing
* Remotely exploitable flaw in Schneider Electric PLCs is a danger to OT networks
* Chinese hacker group targets tech supply chain, report says

keeping around 500,000 bot accounts from logging in every day. He also reiterated that every week, Twitter's
systems are challenging between eight and ten million accounts that are suspected of misusing automation or
disseminating spam. Dorsey said that Twitter's systems are now catching more than three times as many
suspicious accounts and thwarting twice as many suspicious logins as they were a year ago.

Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock
TheRegister, 6 Sep 2018: Researchers based in Germany have discovered how to spoof certificates they don't
own – even if the certs are protected by the PKI-based domain validation. Though the group withheld the
names of certificate authorities whose certs could be spoofed, Dr Haya Shulman, of the Fraunhofer Institute
for Secure Information Technology, told The Register a "weak off-path attacker" can – using nothing more
than a laptop – steal credentials, eavesdrop, or distribute malware using the method. All the while, Dr
Shulman told us, the user would think their connections were secure because that's what their browser would
report. Dr Shulman's team wrote: "The attack exploits DNS Cache Poisoning and tricks the CA into issuing
fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the
attacker's public key to a victim domain." The group has asked The Register not to republish the paper
because it names affected Certificate Authorities. We have however, seen a demo of a live attack by
Fraunhofer's team. "The attack is initiated with a DNS request," the paper explained. "To succeed in the
attack, the attacker has to craft a correct DNS response before the authentic response from the real
nameserver arrives." By successfully mapping their spoofed DNS record to hosts controlled by the attacker,
domain validation checks run by the CA are performed not by the record owner, but against the attacker's
hosts. The attack depends on getting DNS responses broken into fragments, achieved by sending the
nameserver an "ICMP fragment needed" packet. This tricks the server into thinking the victim's system is
configured to only process small packets. The second trick is on the victim: in processing the first fragment,
the victim's machine has completed the DNS challenge-response fields. In other words, Fragment A contains
the validation the victim expects for a domain, but then the attacker injects Fragment B with spoofed
information that the victim accepts.
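The fragment-injection trick succeeds because the CA trusts a single DNS answer obtained through its own resolver. The countermeasure CAs have since adopted is to resolve the validation hostname from several independent vantage points and fail closed when they disagree; the Python below is an added illustration of that quorum logic, not code from the Fraunhofer paper or from any CA, and the vantage-point names and RFC 5737 documentation addresses are constructed.

```python
from collections import Counter

# Constructed sample answers; both IPs are RFC 5737 documentation addresses, not real hosts.
LEGIT = frozenset({"198.51.100.10"})    # address the domain owner actually publishes
SPOOFED = frozenset({"203.0.113.66"})   # address the off-path attacker would inject

def corroborated_answer(observations, quorum):
    """Return the A-record set reported identically by at least `quorum` vantage points, else None.
    observations: {vantage_name: frozenset of IPs} as seen by independent resolvers."""
    if not observations:
        return None
    answer, votes = Counter(observations.values()).most_common(1)[0]
    return answer if votes >= quorum else None

def validate_domain(observations, primary, quorum):
    """Multi-perspective domain validation decision.
    Fails closed when no quorum exists or when the CA's own resolver disagrees with
    the corroborated answer, which is the symptom of a poisoned primary cache."""
    answer = corroborated_answer(observations, quorum)
    if answer is None:
        return "fail: no quorum among vantage points"
    if observations[primary] != answer:
        return "fail: primary resolver disagrees with quorum (possible cache poisoning)"
    return "ok: validate against " + ",".join(sorted(answer))

if __name__ == "__main__":
    remotes = {"vantage-eu": LEGIT, "vantage-us": LEGIT, "vantage-ap": LEGIT}
    # Single-perspective validation: a poisoned primary is accepted without question.
    print(validate_domain({"ca-primary": SPOOFED}, "ca-primary", quorum=1))
    # Multi-perspective validation: the same poisoned primary is caught by the remotes.
    print(validate_domain({"ca-primary": SPOOFED, **remotes}, "ca-primary", quorum=3))
    # Healthy case: everyone agrees, validation proceeds against the real host.
    print(validate_domain({"ca-primary": LEGIT, **remotes}, "ca-primary", quorum=3))
```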

individuals or entities who have “knowingly materially assisted, sponsored, or provided financial, material, or
technological support” in cyberattacks targeting the U.S. as critical cyber threat actors. President Trump would
be directed to publish the threat actors in the federal register, with the exception of those determined to
remain secret for national security or law enforcement purposes. The names would still be shared with
Congress. The president would also be required to slap sanctions on those threat actors under the new
legislation, which features a list of possible economic penalties that could be imposed.

"profile" -- and contained a comprehensive amount of data, even if all the values weren't fully explained. The
only problem: This was not my data. Instead, it belonged to Jon, a man from one of New York's outer
boroughs who declined to be identified by his full name. I inadvertently learned a lot about him. I know Jon's
birthday, personal email address, alma mater, ethnicity, height and occupation. I know that he's Catholic and
likes vodka. I can infer his home address from the GPS coordinates of where the app was opened. In short, this
was a lens into some of a stranger's most personal and identifiable information. It was a data breach, caused,
ironically, by an attempt at data transparency. It took less than five minutes for me to pinpoint his online
social media profiles and reach out. "I think it's a major invasion of privacy, but I can see how these mistakes
happen," said Jon. "Coffee Meets Bagel should be held accountable, but ultimately it's up to me to be more
selective with where I share my data voluntarily." Arum Kang, Coffee Meets Bagel's co-founder and CEO, said
that the mix-up came from basic human error. An employee mistyped my internal user ID number into the
automated tool for pulling data and failed to double-check that the system spat out the right person's
information. In the wrong hands the kind of information Coffee Meets Bagel sent to me could easily be used
for identity theft or to infer passwords and security questions to other accounts. Combining spoof email
addresses and basic personal details could facilitate requesting even more data from other online services,
depending on their ID-verification methods, which we found varied widely across organizations. For users, the
lesson is to secure your data once you get it from a company. A hacker might not need to scale Facebook's
security apparatus if they can find the same data on an unencrypted hard disk.

time,” Gatsis said. That, he said, could cause operators to take actions they shouldn’t be taking and that could
lead to blackouts. The algorithm compares previously recorded information about GPS signal timing to
incoming signals. When an anomaly in the timing is detected operators are alerted. And the algorithm does
more than just detect anomalies. “The algorithm can also provide protection,” Gatsis said. “It provides the
corrected timing” by noting the timing of signals before the attack began and projecting them forward. The
team is also exploring using the algorithm to protect against time-synchronization attacks against financial
institutions, which use the GPS timing data to time stamp financial transactions.

security firm Boyusec. Meyers believes a similar fate could await the individuals and entities identified in the
group's latest disclosure. Stone Panda is one of several Chinese APT groups charged with targeting supply
chain vulnerabilities in the software, shared services and telecommunications industries. Meyers said the
findings provide another example demonstrating how China has slowly ramped back up its cyber economic
espionage in recent years despite a 2015 bilateral agreement between the U.S. and China to mutually curb
such activities. He said it also indicates the extent to which China is relying on third-party security contracting
companies to carry out their espionage work. After Intrusion Truth posted its findings online, Crowdstrike
noticed that several of the named individuals began scrubbing and deleting their social media accounts and
other aspects of their online footprint. Meyers believes now that the group is exposed, it will likely go
underground and dormant, at least temporarily, while members rebuild their operational security and
anonymity.
UNCLASSIFIED Page 6