
InfoSec News


Business Continuity

Texas Department of Transportation reports ransomware attack on agency network

May 16, 2020 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
May 16, 2020

The Texas Department of Transportation says in a statement on Twitter that it was the victim of a ransomware attack on its agency network.

On May 14, 2020, there was unauthorized access to the network in a ransomware event and TxDOT took immediate steps to isolate the incident and shut down any further unauthorized access.

“We believe we have a duty to inform our fellow Texans and our fellow state agencies of this unfortunate incident,” executive director James Bass said. “We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption.”

The Texas Department of Transportation says they are working closely with the FBI to find those responsible and prosecute them to the fullest extent of the law.

InfoSec News is trying to find out if this is a separate attack or related to the ransomware attack that crippled the Texas Supreme Court’s website earlier in the week.

Filed Under: News Tagged With: Business Continuity, COVID-19, COVID19, Cyber Crime, Cyberattack, Cybercrime, Cybersecurity, Disaster Recovery, FBI, InfoSec News, InfoSecNews, Malware, Ransom, Ransomware, Security, Texas, Texas Department of Transportation, TxDOT

Ransomware attack disables Texas Supreme Court’s website

May 13, 2020 By William Knowles


By William Knowles @c4i
Senior Editor
InfoSec News
May 13, 2020

On Friday, May 8th, the Office of Court Administration (OCA), the information technology (IT) provider for the appellate courts and state judicial agencies within the Texas Judicial Branch, identified a serious security event in the branch network, which was later determined to be a ransomware attack.

The attack began during the overnight hours and was first discovered in the early morning hours on Friday. The attack is unrelated to the courts’ migration to remote hearings amid the coronavirus pandemic.

Immediately upon discovery, OCA IT staff disabled the branch network, including websites and servers, to prevent further harm. The network has remained disabled since then and will remain so until the breach is remediated.

OCA is working with law enforcement and the Texas Department of Information Resources (DIR) to investigate the breach. DIR and other information security authorities are providing assistance to OCA with recovery support.

OCA was able to catch the ransomware and limit its impact and will not pay any ransom. Work continues to bring all judicial branch resources and entities back online. In the meantime, a temporary web site has been established with critical judicial branch information, including information concerning the COVID-19 pandemic.

In recent years, the majority of the Texas Judicial Branch entities supported by OCA have moved many IT functions to the cloud. These services have not been impacted by the attack. These cloud services include eFileTexas (for filing of documents), reSearchTX (for reviewing filed documents), collaboration tools for editing and sharing documents, and email.

This action will permit many of the courts and judicial branch agencies to continue operations and ensure that filing of documents can continue uninterrupted. At this time, there is no indication that any sensitive information, including personal information, was compromised.

Additionally, due to the structure of the IT function within the state judiciary, individual trial court networks throughout the state were unaffected by the cyberattack. Judicial branch employees supported by OCA have received training in cybersecurity in recent weeks and will continue to receive updated training.

Blake Hawthorne, Clerk of the Supreme Court of Texas, tweeted on Tuesday night, “I have a feeling that before long I will be giving a continuing legal education talk on the oddly specific topic ‘Operating a Court During a Pandemic and a Ransomware Attack.’”

In August 2019, 22 Texas towns were hit with a ransomware attack by “one single threat actor” who demanded a $2.5MM ransom.

Filed Under: News Tagged With: Business Continuity, Cloud Services, COVID-19, COVID19, Cyber Crime, Cyberattack, Cybercrime, Cybersecurity, Disaster Recovery, InfoSecNews, OCA, PII, Ransom, Ransomware, Security, Texas

National Security Agency releases guide to secure video conferencing

April 29, 2020 By William Knowles


By William Knowles @c4i
Senior Editor
InfoSec News
April 29, 2020
[Updated: June 21, 2020]

Last Friday, the National Security Agency released a guide, Selecting and Safely Using Collaboration Services for Telework, aimed mainly at U.S. Government employees and military service members who are working from home, but also well suited to business professionals.

This cybersecurity guidance contains a snapshot of current, commercially-available collaboration tools available for use, along with a list of security criteria to consider when selecting which capability to leverage. In addition, the guidance contains a high-level security assessment of how each capability measures up against the defined security criteria, which can be used to more quickly identify the risks and features associated with each tool.

Criteria to Consider When Selecting a Collaboration Service

The criteria below identify risks and features to consider when choosing collaboration services to support your mission. All criteria should be strongly considered but may not be fully supported based on your own operating environment and constraints. The criteria are intended to align with related USG guidance to include NIST SP 800-171r2 – Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations (Feb 2020) and NIST SP 800-46r2 Guide to Enterprise Telework, Remote Access and BYOD Security (Apr 2016).

1. Does the service implement end-to-end encryption?

End-to-end (E2E) encryption means that content (text, voice, video, data, etc.) is encrypted all the way from sender to recipient(s) without being intelligible to servers or other services along the way. Some apps further support encryption while data is at rest, both on endpoints (e.g. your mobile device or workstation) and while residing on remote storage (e.g. servers, cloud storage). Only the originator of the message and the intended recipients should be able to see the unencrypted content. Strong end-to-end encryption is dependent on keys being distributed carefully. Some services such as large-scale group video chat are not designed with end-to-end encryption for performance reasons.

2. Are strong, well-known, testable encryption standards used?

Even in the absence of end-to-end encryption, NSA recommends the use of strong encryption standards, preferably NIST-approved algorithms and current IETF secure protocol standards. Many collaboration services protect data-in-transit between clients and servers via the Transport Layer Security (TLS) version 1.2 (or later) secure protocol, which is commonly used for sensitive but unclassified information. The use of published protocol standards, such as TLS and DTLS-SRTP, is preferred. If the product vendor has created its own encryption scheme or protocol, it should undergo an independent evaluation by an accredited lab. This includes not just cryptographic protocols, but also key generation.

3. Is multi-factor authentication (MFA) used to validate users’ identities?

Without MFA, weak or stolen passwords can be used to access legitimate users’ accounts and possibly impersonate them during the use of the collaboration service. Multi-factor authentication requires that a second form of identification (code, token, out-of-band challenge, etc.) be provided to allow access to an existing account.

4. Can users see and control who connects to collaboration sessions?

The collaboration service should allow organizers to limit access to collaboration sessions to only those who are invited. This can be implemented through such features as session login passwords or waiting rooms, but preferably would support reasonably strong authentication. Users should also be able to see when participants join through unencrypted/unauthenticated means such as telephone calls.

5. Does the service privacy policy allow the vendor to share data with third parties or affiliates?

While collaboration services must often collect certain basic information needed to operate, they should protect sensitive data such as contact details and content. Collaboration information and conversations should not be shared with third parties. This could include metadata associated with user identities, device information, collaboration session history, or various other information that may put your organization at risk. Information sharing should be spelled out clearly in the privacy policy.

6. Do users have the ability to securely delete data from the service and its repositories as needed?

While no services are likely to support full secure overwrite/deletion capabilities, users should be given the opportunity to delete content (e.g. shared files, chat sessions, saved video sessions) and permanently remove accounts that are no longer used.

7. Has the collaboration service’s source code been shared publicly (e.g. open-source)?

Open-source development can provide accountability that code is written to secure programming best practices and isn’t likely to introduce vulnerabilities or weaknesses that could put users and data at risk.

8. Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?

NSA recommends that cloud services (which collaboration apps rely on) be evaluated under the Office of Management and Budget (OMB) FedRAMP program. NSA also recommends that collaboration apps be evaluated by independent testing labs under the National Information Assurance Partnership (NIAP) against the Application Software Protection Profile (PP) [1]. NSA has worked with the DHS S&T Mobile Security R&D Program to develop excellent semi-automatable testing criteria for app vetting based on the application PP [2]. These criteria include tests of how apps interact with platform resources, how they defend themselves from exploitation, the crypto libraries they use, what permissions they request, and many others.

9. Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Since it is well documented that some countries require that communications be provided to law enforcement and intelligence services, it may not be wise for certain USG missions to be performed on services hosted or developed under certain foreign legal jurisdictions. Users should be aware that the country of origin where products were developed is not always public knowledge. This criterion was not assessed in the table on page 5.

Selecting and Safely Using Collaboration Services for Telework. 

Filed Under: News Tagged With: Amazon Chime, Business Continuity, BYOD, China, Cisco Webex, Cryptography, CyberCyberCyber, Cybersecurity, DHS, DoD, Dust, E2E, Encryption, FedRAMP, FISMA, GFE, Google G Suite, GoToMeeting, InfoSec, InfoSecNews, Jitsi Meet, Mattermost, MFA, Microsoft Teams, National Security Agency, NIST800, NIST800-171, NIST800-46, NSA, NSA/CSS, Security, Signal, Skype for Business, Slack, SMS Text, USCYBERCOM, WFH, WhatsApp, Wickr, Zoom

How to prevent ZoomBombing from your Zoom video conference

April 3, 2020 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
April 3, 2020

It seems lately not an hour goes by without news of another ZoomBombing happening. Just as I was preparing this story came this headline: “Vermont Senate committee Zoom hearing derailed by porn hacker.”

A Vermont Senate Committee on Agriculture Zoom hearing, which was being live-streamed on Youtube, was interrupted by a hacker Thursday who screen shared pornographic videos before reaching into his pants.

The sudden outburst came as the committee had been in the midst of discussing school lunch access and how farms were faring during the COVID-19 crisis.

The first sign of trouble began with a sudden outburst of “p—- ass” and a racial slur before a video from the site Pornhub began to play.

Without blaming the Zoom administrators, many of these stories of ZoomBombings remind me of early conversations about using Amazon Web Services and hearing minds blown about insecure EC2 instances. I can’t tell you how many enterprises thought the workloads they ran in AWS were completely secure by default. More than a few shops were counting their stars nothing happened.

I suspect a number of Zoom users naturally feel the same way as early AWS users, but fear not, Zoom has a guide with a number of recommendations to keep your video conferencing secure.

When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.

Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.

Boris Johnson says HI

Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. For example, the Waiting Room is an unbelievably helpful feature for hosts to control who comes and goes. (More on that below.)

Manage screen sharing

The first rule of Zoom Club: Don’t give up control of your screen.

You do not want random people in your public event taking control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen-share.

Follow this link for more tips on how to keep your Zoom conferences secure.

Also, Eric S. Yuan, Founder and CEO of Zoom, said in a blog posting today that, effective immediately, Zoom will have a feature freeze for the next 90 days and will shift all engineering resources to focus on its biggest trust, safety, and privacy issues.

  • Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
  • Preparing a transparency report that details information related to requests for data, records, or content.
  • Enhancing our current bug bounty program.
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues.
  • Starting next week, Yuan will host a weekly webinar on Wednesdays at 10 am PT to provide privacy and security updates to our community.

 

Filed Under: News Tagged With: Amazon Web Services, AWS, Business Continuity, Coronavirus, COVID-19, COVID19, Cryptography, Cyber Crime, Cybercrime, CyberCyberCyber, Cybersecurity, Data Breach, EC2, Hacker, Hackers, Hacking, InfoSec, InfoSecNews, Microsoft, OPSEC, S3, Security, Zoom, Zoom Bombing, ZoomBomb, ZoomBombing

InfoSec News Signal Boost – March 27, 2020

March 27, 2020 By William Knowles

InfoSec News Signal Boost

By William Knowles @c4i
Senior Editor
InfoSec News
March 27, 2020

As we try to get used to the new normal, InfoSec News understands many cyber and information security professionals (including myself) are looking for their new security forever homes. As I find these calls for security professionals, I’m hopeful this might be the catalyst for breaking what has been broken forever. Hiring experienced professionals and competent security-aware people that can be trained to be that unicorn that many HR departments have been looking for.

-=-

The popular Infosec R&D company Grimm (https://grimm.rip), famous for only
taking on “difficult projects” is still hiring at a time when many of their
competitors are going out of business. The lack of competitors also means tons
of work coming in, so job security is solid. If you were laid off and have a
heavy Security Engineering (& DevSecOps) Exploit Dev and/or AppSec background
and want to work with some of the objectively smartest people in Infosec, check
out their job postings here https://www.grimm-co.com/careers, and note the
“General Resume Submission” link at the bottom if you want to be considered for
“whatever.”

-=-

Research Analyst, Cyber Policy Initiative

Cyber Policy Initiative

The Carnegie Endowment for International Peace is seeking a Research Analyst to
work with scholars in our Washington DC-based Cyber Policy Initiative. Founded
in 1910, Carnegie is a top-ranked policy think tank with a unique global network
of research centers in Russia, China, Europe, the Middle East, India, and the
United States. The Cyber Policy Initiative is part of Carnegie’s Technology and
International Affairs program, which also focuses on artificial intelligence and
biotechnology.

The Research Analyst will primarily help build a project exploring how to
leverage market incentives to improve cyber risk management. For example, it
researches and promotes ways in which commercial insurers, major asset-holding
corporations, and credit-rating agencies, can set de facto standards that
promote cybersecurity more quickly, flexibly, and internationally than
governmental regulatory processes often do.

The Research Analyst will work closely with scholars to develop and execute
original research and writing projects such as policy briefs and longer research
reports and build partnerships within the private sector. Additional activities
include: Engaging with policymakers in the U.S. Congress and administration;
preparing and delivering briefings; attending and reporting back on relevant
events in the policy community; contributing to other areas of the Initiative’s
work on cyber policy and strategy; and occasional administrative support, such
as organizing public and private events.

The ideal candidate will have deep interest in technology policy, a willingness
to dive into new research topics, and possess the ability to perform within a
challenging program environment. Up to two years of relevant post-graduate
experience is a plus, but not required. Strong writing and research skills are
essential.

Located in Dupont Circle in Washington, DC, we offer an outstanding benefits
package. When applying, please include your resume/C.V. and cover letter. Please
apply via the Carnegie Endowment website:
https://carnegieendowment.applicantpro.com/jobs/1373349.html

All qualified applicants will receive consideration for employment without
regard to race, color, religion, sex, national origin, disability, protected
veteran status, sexual orientation, gender identity, or any other protected
group

-=-

Principal Technician (Cyber Security)-200286

Primary Location Belgium-Mons
NATO Body NATO Communications and Information Agency (NCI Agency)
Schedule Full-time
Salary (Pay Basis) : 4,449.34Euro (EUR) Monthly
Grade B.5

Description:

NATO offers you more than a job. It gives you a mission: building peace and
security for one billion people in Europe and North America. The NATO
Communications & Information Agency is leading NATO’s Digital Endeavour.

We are NATO’s technology and cyber leaders, helping NATO Nations to communicate
and work together in smarter ways. Our work is challenging and meaningful, and
you will develop and apply your expertise as part of a dynamic international
team of civilian and military professionals.

What do we offer?

Genuinely meaningful work as part of the most successful alliance in history

3 year contract with competitive tax-free salary and household and children’s
allowances

Privileges for expatriate staff including expatriation and education allowances
(where appropriate) and additional home leave

Excellent private health insurance scheme

Generous annual leave of 30 days plus official holidays

Retirement Pension Plan

About the job

Based in Mons, Belgium you will join the Agency as we embark on a journey to
transform our IT services to support NATO’s Digital Endeavour. You will be
responsible for production and management of Security Hardening, Configuration
and Installation guidelines; providing security expert assistance and support in
analysis of security incidents and resolution; reviewing documents to be
published on NCSC Portals, or provided to NCSC customers, as part of projects
deliverables.

For a full list of duties, please review the job description here:
https://www.ncia.nato.int/Documents/JD_Principal%20Technician%20(Cyber%20Security)_B5_200286.pdf

About you

We’re looking for a talented and knowledgeable Principal Technician (Cyber
Security) professional with ideally a higher vocational training in a relevant
discipline with 3 years post-related experience; or, a secondary educational
qualification with 5 years post-related experience. A different qualification
coupled with particularly relevant experience may also be considered.

Knowledge of English, both written and spoken, is essential.

Filed Under: Exclusive, News Tagged With: Business Continuity, Crypto, Cryptography, Cyber Crime, Cybercrime, Cybersecurity, Hacker, Hackers, Hacking, HotInfoSecJobs, InfoSec, InfoSecJobs, InfoSecNews
