Cybersecurity expert warns of scams tied to coronavirus

Experts are warning of new scams tied to the ongoing coronavirus outbreak.

Shannon Wilkinson is a cybersecurity expert based in Las Vegas, but even the CEO of Tego Cyber Inc. gets scam emails.

Scammers are pretending to be health officials and promising new information like “updated cases of the coronavirus near you,” she said, in hopes that people will give up their personal data.

“There is one scam going around where they’re pretending to be the CDC asking for donations in bitcoin,” Wilkinson said.

Wilkinson said any time there’s a health epidemic or natural disaster, predators are ready to take advantage of others who might not be able to tell the difference.

Some ask for usernames and passwords. Others plant undetectable malware in a computer to track sensitive data entered on websites like banks.

Wilkinson said it’s usually easy to tell if an email is a scam: check the sender’s address and look for grammatical errors or phrases that seem out of place in the body of the email.

But she said scammers are getting more sophisticated.

“There’s a lot of little red flags but, unfortunately, cybercriminals are just getting better at masking their intent,” she said. “They’ve actually hired copywriters to help them with grammatical errors to make their emails look more legitimate.”

If an email looks suspicious, “don’t click on the link in the email, but actually go to what you know is the CDC’s website,” Wilkinson said.

https://www.ksat.com/news/national/2020/02/11/cyber-security-expert-warns-of-scams-tied-to-coronavirus/

How to Mitigate Cyber-Risk While Empowering a Modern Workforce

Resiliency is often something that businesses lack when a cyber event occurs. To combat this, businesses need to develop enduring security strategies around the technologies they currently have in place or plan to deploy.

So argued leading cybersecurity expert Theresa Payton, the president and CEO of Fortalice Solutions, speaking at the CDW Protect SummIT in San Antonio. Payton also served as the first female CIO at the White House and is the co-founder of Dark Cubed, a technology startup providing Cybersecurity Software as a Service.

“I’m not telling you to not integrate newer technologies, such as cloud or AI,” said Payton. “You have to. It’s the only way to cut costs and stay competitive.”

However, she explained that as businesses implement such solutions, security teams need to develop an incident response playbook, including user controls or authorizations and a “kill switch.” She also stressed the importance of getting buy-in from various stakeholders within the organization, particularly end users.

Take Critical Steps Toward Securing Your Business

Building an incident response plan starts with assuming the worst: that the technology your team is adding to its network will, at some point, be a point of entry for a cybercriminal and will need to be shut down.

“Understand where the risk is so you can minimize it, but also so that when that event does occur, you’re prepared,” said Jeremy Weiss, cybersecurity practice lead for CDW.

When a breach takes place, Weiss told SummIT attendees, businesses must be prepared and know exactly what to do in that moment. Many times, he said, the reality is that people don’t even know whom to call. A response plan will address that.

Beyond the playbook, teams need visibility into their own data — they need to take a step back to identify what data the business has stored, who’s accessing it and what systems it’s on. From there, the security team can make sure those systems are running both efficiently and securely.

And when it comes to adding modern devices to the network, such as Internet of Things technologies, Payton suggested that organizations should implement a fail-safe.

“These devices are trained to be turned on and be helpful to you, which means that they’re also trained to be turned on for nefarious purposes,” said Payton. “If and when you know there are issues, what’s the kill switch?”

Kill switches can be useful for organizations that witness anomalies in their network traffic, enabling them to shut down their systems to prevent the wrong person from gaining access to protected information. But while it’s a great method to help businesses mitigate risk, it can also affect the end-user experience.


Real Security Awareness Starts with Listening

Security is often seen as a hindrance to end users. Take multifactor authentication for example, which requires more tasks — and more time — for the user to access their device or information.

It’s really no surprise that convincing users to follow security best practices is a common challenge for security professionals. In fact, 50 percent of CDW’s Protect SummIT attendees cited this as their No. 1 cybersecurity challenge.

“The user is the most difficult thing to actually administer,” said Weiss. “But you still have to deal with users to keep your business productive.”

Payton, while stating that security awareness training is important, believes that there’s another, more effective way to reach users: active listening. She suggested that by listening to users’ problems and involving them in the decision-making process early on, they will have more respect for and interest in the security process as a whole. 

“Part of their daily job is to open up an email and click on links,” Payton said. “And you think you’re going to train them on which one is good, and which one is bad? Good luck.”

She suggested asking individuals what their nightmare is if their information were to get out. Often, this prospect is so terrifying for employees that they’ll work hand in hand with the security team to stop that from happening.

“Part of it is going to be clunky, but you’ll have their buy-in,” she said, “and this is how you avoid their nightmare. Once people learn to trust you and realize you’re going to listen, they will change.”


https://biztechmagazine.com/article/2020/02/how-mitigate-cyber-risk-while-empowering-modern-workforce

Report: Most municipalities use less secure domain name

PROVIDENCE, R.I. (AP) — Most Rhode Island municipalities have websites that do not use the domain name for government entities, according to a WJAR-TV report.

The television station reviewed websites for Rhode Island’s 39 municipalities and found that 29 of them use a domain name that does not end in .GOV.

Cybersecurity experts recommend using .GOV for security, and so residents know they are on a legitimate government website.

Secretary of State Nellie Gorbea, when told of the findings, said she would contact the 29 municipalities and offer federal funding that has been allocated to Rhode Island to make the switch. She said it’s a good investment because of the risk of cyber attacks.

The Rhode Island League of Cities and Towns said municipalities would welcome the opportunity to make their websites and networks more secure, especially if the program helps defray costs.
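The kind of audit the television station performed can be scripted. The following is an added example, not code from the report or from any of the organizations named in it; the municipality names and URLs are constructed, and the check deliberately treats only a hostname whose last label is `gov` as a real .GOV site, so lookalikes such as `town.gov.example.net` or `towngov.org` are flagged rather than trusted.

```python
from urllib.parse import urlparse

# Constructed sample of municipal website URLs (not the actual WJAR findings).
# Comments mark the cases that a naive '".gov" in url' test would get wrong.
SAMPLE_SITES = {
    "Exampleville": "https://www.exampleville.gov/",
    "Riverton": "http://www.riverton-ri.com/",
    "Harborview": "https://harborview.gov.example.net/",  # ".gov" is not the TLD
    "Oldtown": "https://OLDTOWN.GOV",                      # upper-case, no path
    "Northfield": "https://www.northfieldgov.org/",        # "gov" inside a label
    "Baytown": "https://baytown.ri.us/",                   # legitimate but not .gov
}


def hostname_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none.

    A bare hostname without a scheme is accepted by prepending https://.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def is_dotgov(url):
    """True only when the registrable top-level domain of the hostname is 'gov'.

    .gov registration is restricted to U.S. government entities, which is why
    the suffix can be used as a legitimacy signal; anything else (including a
    hostname that merely contains 'gov') gives no such assurance.
    """
    host = hostname_of(url)
    if host is None:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "gov"


def audit(sites):
    """Split a {name: url} mapping into sorted (dotgov, non_dotgov) name lists."""
    dotgov = sorted(name for name, url in sites.items() if is_dotgov(url))
    non_dotgov = sorted(name for name, url in sites.items() if not is_dotgov(url))
    return dotgov, non_dotgov


if __name__ == "__main__":
    ok, flagged = audit(SAMPLE_SITES)
    print(f"{len(ok)} of {len(SAMPLE_SITES)} sites use .GOV: {', '.join(ok)}")
    print(f"{len(flagged)} do not: {', '.join(flagged)}")
```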

https://www.mysanantonio.com/news/article/Report-Most-municipalities-use-less-secure-15050447.php

Bipartisan lawmakers introduce bill to combat cyberattacks on state and local governments

A bipartisan group of lawmakers on Monday introduced a bill that would establish a $400 million grant program at the Department of Homeland Security (DHS) to help state and local governments combat cyber threats and potential vulnerabilities. 

Under the legislation — led by Reps. Cedric Richmond (D-La.), John Katko (R-N.Y.), Derek Kilmer (D-Wash.), Michael McCaul (R-Texas), Dutch Ruppersberger (D-Md.), Bennie Thompson (D-Miss.) and Mike Rogers (R-Ala.) — DHS’s Cybersecurity and Infrastructure Security Agency (CISA) would be required to develop a plan to improve localities’ cybersecurity and would create a State and Local Cybersecurity Resiliency Committee to help inform CISA on what jurisdictions need to help protect themselves from breaches. 

The group noted that state and local governments have become targets for hackers, having seen an uptick in attacks in recent years. 

“It provides more grant funding to state and locals for cybersecurity my own state of Texas impacted, particularly as tensions rise in Iran, for instance, we are seeing more cyberattacks coming out of Iran,” McCaul told The Hill.  

“And then of course going into the election we will make sure that our voting machines are secure.”

Richmond — the chairman of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation — said it’s a critical step in providing the framework needed to craft and implement adequate cybersecurity plans.

“The State and Local Cybersecurity Improvement Act is a critically important piece of legislation that provides state and local governments the tools they need to significantly invest in their cybersecurity infrastructure,” he said in a statement. 

“Louisiana has long been vulnerable to cyberattacks, and this bill offers the resources needed to ensure protection against potential threats.” 

The House Homeland Security Committee is slated to hold a markup on the measure on Wednesday. 

Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) are leading the efforts on a similar bill in the upper chamber. 

— Maggie Miller contributed 

https://thehill.com/policy/cybersecurity/482464-bipartisan-lawmakers-introduce-bill-to-combat-cyber-attacks-on-state-and

Equifax breach is the latest of many hacks linked to China

BOSTON (AP) — In 2014, the Obama administration accused five Chinese military agents of targeting Pittsburgh-area industrial companies including Westinghouse Electric, Alcoa and U.S. Steel. Since then, the number of companies allegedly targeted by Chinese hackers has only grown.

Chinese President Xi Jinping assured then-President Barack Obama in 2015 his military would stop stealing commercial secrets from U.S. companies. The evidence indicates that pledge was short-lived, if it was honored at all.

The latest in a string of China-linked hacking incidents came with the Monday indictment of four members of the Chinese military for breaking into the credit-reporting agency Equifax in 2017. The motives, as with several other hacks that preceded it, appear to be more about espionage than stealing trade secrets, cybersecurity experts say.

Among other things, experts who monitor the dark web say they have seen no evidence of data stolen in the Equifax hack — or in an earlier breach of Marriott — being sold to common criminals for ID theft and credit card fraud.

The state-backed Chinese hackers allegedly vacuumed up billions of data points on Americans that could be used to cross-reference data and obtain deep insights into individual lives. The data could be used in the recruitment of spies, and the hackers may have seeded cover identities for Chinese agents inside Equifax’s databases, said Priscilla Moriuchi, a former NSA employee now at the cybersecurity firm Recorded Future.

Here are the biggest cases of wholesale data theft blamed on Chinese agents.

OFFICE OF PERSONNEL MANAGEMENT

In a devastating blow to U.S. national security, the personal data of more than 21 million current, former and prospective federal employees was stolen. Although a first hacker was detected in March 2014, a second intruder went undetected until April 2015, by which time data on security clearances, background checks and fingerprint records had been extracted. A House inquiry said the hack was likely the work of “Deep Panda,” a group linked to the Chinese military.

ANTHEM

Hackers stole personal information on nearly 80 million current and former customers and employees of the Indiana-based health insurer over at least seven months ending in January 2015. Two members of a hacking group operating from China were later indicted in the biggest health care hack in U.S. history.

Stolen data included Social Security numbers, birth dates, email addresses, employment details, incomes and street addresses. Anthem said it had no evidence that medical or financial information was taken or that any of the data stolen resulted in fraud.

The security firm Symantec said the hack was believed to be the work of a well-resourced Chinese group it called Black Vine that had been conducting cyber-espionage targeting industries including aerospace, energy and health care.

MARRIOTT

Beginning in 2014, hackers extracted data including credit card and passport numbers, birth dates, phone numbers and hotel arrival and departure dates on as many as 383 million guests of the hotel chain. The breach went undetected for four years and affected hotels in the Starwood chain that Marriott acquired in 2016.

Analysts noted that information from hotels — common venues of extramarital trysts and corporate espionage — could be used for blackmail and counterespionage. On Monday, Attorney General William Barr blamed the hack on Chinese agents.

OTHER MAJOR CORPORATIONS AND AGENCIES

Two hackers were indicted in December 2018 for extensive data theft from major corporations in the U.S. and nearly a dozen other nations beginning in 2006, allegedly on behalf of Beijing’s main intelligence agency. They allegedly obtained names, Social Security numbers and other personal information of more than 100,000 Navy personnel.

Targets included NASA’s Jet Propulsion Lab and Goddard Space Center. The indictment said more than 45 technology companies were targeted by the group, known as “Stone Panda,” and that other victims spanned strategic industries from aerospace to factory automation, laboratory instruments and biotechnology.

https://www.mysanantonio.com/business/technology/article/Equifax-breach-is-the-latest-of-many-hacks-linked-15045687.php

The Top 20 Cybersecurity Conferences to Attend in 2020

What does it take to crack the code of cybersecurity when it comes to best practices?

A 2019 Fortinet survey asked chief information security officers (CISOs) to comment on how the expanding complexity of cybersecurity impacts their ability to fulfill their responsibilities. CISOs said there is an increased need for learning and development for security team members. Other concerns included risk management and cybersecurity and strategy awareness.

Enter cybersecurity conferences. Taking place across the U.S. and the world, cybersecurity conferences can offer unique opportunities for cybersecurity professionals, such as hands-on workshops, networking and certifications. They also provide cybersecurity leaders with greater security awareness of threats, tactics and best practices needed to effectively thwart attacks on the systems and assets they protect.

Here, Security brings you a list of the top 20 cybersecurity conferences in the U.S. in 2020.

1. The Human Hacking Conference

Lake Buena Vista, Fla.

February 20-22

The Human Hacking Conference is an all-encompassing training event that teaches business, security, technology and psychology professionals the latest expert techniques in human deception, body language analysis, cognitive agility, intelligence research and security best practices. The conference is put together by the Social Engineering Village (SEVillage), which seeks to progress social engineering as a professional practice.

The conference includes:

  • Five multi-hour workshops taught by leaders in behavior, physiology, deception, technology and psychology.
  • Specialized learning tracks including Hacking the C-Level & Hacking Business, Mind Hacking, Penetration testing and Red Teaming.
  • A variety of speaking sessions from expert-level presenters, varying from fast-paced concentrated content to panels and keynotes.
  • Three Evening Events plus many opportunities for networking.

2. 2020 Global Insider Threat Summit

San Francisco, Calif.

February 24

If you’re attending RSA, the 2020 Global Insider Threat Summit is the perfect conference to kick off your week. At this year’s Summit, CISOs, CSOs, CTOs and other leading experts from top organizations such as MITRE and Flex will share how they are utilizing data to build stronger business and security strategies. In exclusive knowledge-sharing sessions, speakers will discuss:

  • How to implement a data-driven security strategy.
  • How the MITRE ATT&CK framework can be utilized to drive insider threat detection.
  • The latest cutting-edge research into insider threats.
  • How to use data to elevate security to a board-level discussion.
  • Why an effective insider threat approach has far-reaching benefits across security and across the business.

3. RSA Conference

San Francisco, Calif.

February 24-28

At RSA, top cybersecurity leaders and a dedicated community of peers will exchange thought-provoking cybersecurity solutions to the latest threats. Dr. Lorrie Cranor, Director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute, is one of the featured speakers at RSA. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency, is one of the keynote speakers. He will discuss CISA’s expansive role as the Nation’s risk advisor, and how CISA builds partnerships across the U.S.

Seminars include a discussion around:

  • Emerging Threats.
  • Privacy and Security in the Cloud.
  • Establishing a Culture of Protect, Detect and Respond.
  • Lethal Threat Hunting and Incident Response Techniques.
  • DevOps: 2020 DevSecOps Days.
  • Personnel Management and Building Successful Cybersecurity Teams.

Panel discussions include:

  • The Cryptographers’ Panel: Whitfield Diffie, Cryptographer and Security Expert, Cryptomathic; Tal Rabin, Head of Research, Algorand Foundation; Ronald Rivest, Professor, Massachusetts Institute of Technology; Adi Shamir, Borman Professor of Computer Science, The Weizmann Institute, Israel; and Zulfikar Ramzan, Chief Technology Officer, RSA (Moderator)
  • The SANS Institute Panel: Heather Mahalik, Senior Instructor, SANS Institute and Director of Digital Intelligence, Cellebrite; Ed Skoudis, Instructor, SANS Institute; Johannes Ullrich, Ph.D., Dean of Research, SANS Technology Institute; and Alan Paller, Research Director and Founder, SANS Institute (Moderator)
  • How to Reduce Supply Chain Risk – Lessons from Efforts to Block Huawei Panel: Katie Arrington, Cyber Information Security Officer of Acquisitions, U.S. Dept of Defense / OUSD for Acquisitions; Donald (Andy) Purdy, Chief Security Officer, Huawei Technologies USA; Bruce Schneier, Security Technologist, Researcher & Lecturer, Harvard Kennedy School; Kathryn Waldron, Fellow, R Street Institute; and Craig Spiezle, Founder, Agelight Advisory & Research Group (Moderator).
  • Genomics – A New Frontier Panel: Kathy Hibbs, Chief Legal and Regulatory Officer, 23andMe; Dr. Patrick Courneya, Chief Medical Officer, Kaiser Permanente; Dr. Richard Migliori, Chief Medical Officer, UnitedHealth Group; and Rajeev Chand, Partner and Head of Research, Wing Venture Capital (Moderator)

4. Atlanta Cybersecurity Conference

Atlanta, Ga.

March 5

The Atlanta Cybersecurity Conference features a Keynote Speaker Session, a CISO Panel and 8-10 additional educational speaker sessions discussing current cybersecurity threats and solutions. The Keynote will be Assistant Special Agent in Charge Mark Grantz, US Secret Service.

The CISO Panel will feature:

  • Gary Brantley, CISO, City of Atlanta
  • Jose Marroquin, CISO, Encompass Digital Media
  • Chris Paravate, CSO, Northeast Georgia Medical Center
  • Chris Stouff, CSO, Armor
  • Steven Ferguson, CIO, Technical College System of Georgia
  • John Slaughter, CIO, Alliant Health
  • Gaurav Singal, VP and CIO, Georgia Lottery Corporation
  • Sergio Rio, CIO, Innovative Water Care

In addition, attendance includes CPE credits and certificates of attendance.

5. Women in Cybersecurity

Aurora, Colo.

March 12-14

Each year WiCyS, a non-profit membership organization that is dedicated to bringing together women in cybersecurity from academia, holds the Women in Cybersecurity Conference with local host college partners. It’s an excellent opportunity to network with other women in cybersecurity.

In addition, companies looking to recruit can also connect with students and candidates and experienced leaders and professionals in the cybersecurity field.

The leadership summit, a forum for cybersecurity industry experts, will address challenges in the following four tracks:

  • Strengthening the diverse cybersecurity workforce pipeline.
  • Creating an inclusive work environment.
  • Furthering opportunities for various groups such as veteran female cybersecurity aspirants or those transitioning or returning to cybersecurity workforce.
  • Advancing women in technical and non-technical leadership roles. 

Workshops, panel discussions and presentations will feature CISOs, Information Security Directors and other leaders from the MITRE Corp., CISA, U.S. Army, Microsoft, Netflix, Amazon, F5 Labs, HCA Healthcare, Johns Hopkins, University of Alabama in Huntsville, University of Texas at San Antonio and many more.


6. InfoSec World

Lake Buena Vista, Fla.

March 30-April 1

Join peers and experts at InfoSec World 2020 Conference & Expo to not only address the disruptive technologies and threats on the horizon, but to create a plan for managing the people, processes and tools that determine how your organization reacts to and copes with these intrusive circumstances. Security professionals have the opportunity to earn up to 45 CPE credits over the course of one week and numerous opportunities to network with more than 1,000 attendees.

Keynote speakers are:

  • Jamil Farshchi, CISO, Equifax
  • Jimmy Sanders, Head of Information Security, Netflix DVD
  • Parham Eftekhari, Executive Director, Institute for Critical Infrastructure Technology (ICIT)
  • Badri Raghunathan, Director Product Management – Container and Serverless Security, Qualys
  • Mark Kelton, Retired Senior Executive, Central Intelligence Agency
  • Chuck Brooks, Brand Ambassador, The Cybersecurity Collaborative

7. SANS 2020

Orlando, Fla.

April 3-10

Each year, SANS hosts five large-scale national events that attract anywhere from 900-1300 attendees. This two-day SANS 2020 Summit will offer a focus on threat intelligence, with more than 50 hands-on, immersive-style courses that apply to new and experienced cybersecurity professionals. SANS 2020 will provide cybersecurity training and GIAC certifications. The courses, taught by real-world practitioners, are geared towards professionals who work in development, incident response & forensics, management, audit, legal, industrial control systems and more.


8. CSO50 Conference+Awards

Scottsdale, Ariz.

April 27-29

The CSO50 Conference+Awards will focus on “Bringing Risk into Focus” and feature innovation stories from the nation’s top security leaders. Winning projects and initiatives will be featured in lively sessions spanning important security topics such as:

  • Access and Identity Management
  • Critical Infrastructure
  • Cybersecurity
  • Data Loss Prevention and Recovery
  • IoT and Machine Learning
  • Managing Third-Party Risk
  • Minimizing Risk and Fraud
  • Security Awareness and Training

Speakers include:

  • Bob Bragdon, SVP & Publisher, CSO
  • Kevin Charest, CISO, Health Care Service Corp.
  • Seth Fogie, Director, Information Security, Penn Medicine
  • Raj Madan, Managing Director, Technology, BNY Mellon/Pershing
  • Shawn Riley, CIO, ND Information Technology Department
  • Kandice Samuelson, Senior Director, Information Technology Governance, PPD
  • Jeffrey Thomas, VP, Global Security, Prudential Financial
  • Brad Wells, Executive Director, Information Security, PDD

9. THINK 2020

San Francisco, Calif.

May 4-7

THINK 2020 is the annual IBM business and technology conference. Here, security professionals have the opportunity to join strategy discussions, hands-on training, and more than 1,000 targeted technical training sessions and demos. Conference education will cover the breadth and depth of technology and business topics including automation, blockchain, cloud, code, data and AI, analytics, infrastructure, Internet of Things, mobile security, supply chain and many more.

Join IBM’s Chairman, President and CEO Ginni Rometty for the THINK 2020 Chairman’s Address, which also features some of the world’s top CEOs and leaders, such as Muriel Médard, Cecil H. Green Professor of EECS, MIT; Ralph Clark, President and CEO, ShotSpotter; and Saška Mojsilović, IBM Fellow, Head of Trustworthy AI and Co-Director of Science for Social Good, IBM Research.

10. THOTCON

Chicago, Ill.

May 8-9

THOTCON is a hacking conference based in Chicago, which was started in late 2009 by a group of Chicago hackers who wanted to start a local and low-cost conference. “Once you attend a THOTCON event, you will have experienced one of the best information security conferences in the world combined with a uniquely casual and social experience,” claims the website.

Topics that will be discussed during speaker sessions and keynotes include: Internet of Things, Medical Devices, Industrial Control Systems, Computer/Human Interfaces, Wearable Computing, Offensive/Defensive Techniques, Chaotic Actors, Surveillance, Intelligence Gathering, Data Visualization, Transportation Systems, Legal Issues and more.

At the time of this writing, THOTCON has yet to announce who the speakers and keynotes are.

11. IEEE Symposium on Security and Privacy

San Francisco, Calif.

May 18-20

The Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy has been one of the premier forums for computer security research, presenting the latest developments and bringing together researchers and practitioners.

IEEE solicits previously unpublished papers that offer novel research contributions in any aspect of security and privacy. Papers may present advances in the theory, design, implementation, analysis, verification or empirical evaluation and measurement of secure systems. Topics can range from access control and authorization to application security, authentication, blockchain, cloud security, cyber physical systems security, security and privacy metrics and more.

If you’re interested in submitting, IEEE accepts paper submissions 12 times a year, on the first of each month.  

12. National Cyber Summit

Huntsville, Ala.

June 2-4

Described as the “nation’s most innovative cybersecurity technology event,” the National Cyber Summit offers unique educational, collaborative and workforce development opportunities for industry visionaries and rising leaders. Its core focus is on three things: education, collaboration and innovation.

Keynote speakers are:

  • Jon “maddog” Hall – Board Chair, Linux Professional Institute
  • Major General Thomas Murphy – Director of DoD’s Protecting Critical Technology Task Force, Air Force
  • Robert Powell – Senior Advisor for Cybersecurity, NASA

13. Gartner Security & Risk Management Summit

National Harbor, Md.

June 1-4

The Gartner Security & Risk Management Summit 2020 is one conference to attend if you want to hear independent experts on what matters most now and how to prepare for what’s ahead. Here you can learn how to create the security and IT risk management plans you need for your enterprise.

More than 3,500 peers and 65 Gartner experts gather at the conference, so you have a chance to network and gather meaningful insights to help you thrive in the evolving digital landscape. The conference also hosts more than 130 research-driven sessions to evaluate cybersecurity and risk management strategies.

14. Blue Team Con

Chicago, Ill.

June 20-21

Blue Team Con, an information security conference, is tailored for those performing blue-team work at enterprises. Blue Team Con claims that its goal is to help fill the gap within the information security industry between the information-sharing network that exists for red teams and offensive research and the one available to the blue team.

The conference hosts talks that are almost exclusively focused on sharing information among defenders and protectors of organizations. This can span from SOC Analysts to CISOs, auditors and compliance personnel or application developers focusing on security.

Keynote speakers include:

  • Sean Metcalf, Consultant, Trimarc
  • Dana Baril, Security Research Architect at Microsoft
  • AJ Van Beest, founding member of the WI SLTT Cyber Response Team
  • Amanda Berlin, Co-Author of the Defensive Security Handbook
  • Cheryl Biswas, Strategic Threat Intel Analyst, TD Bank
  • Jesse Bowling, Security Architect & CSIRT Program Manager, Duke University


15. Black Hat

Las Vegas, Nev.

August 1-6

Now in its 23rd year, Black Hat USA is an information security event, providing attendees with the very latest in research, development and trends. Black Hat USA 2020 opens with four days of technical Trainings (August 1-4) followed by the two-day main conference (August 5-6) featuring Briefings, Arsenal, Business Hall, and more. You’ll also have the opportunity to network with 19,000 InfoSec professionals.

Trainings include hands-on offensive and defensive skill-building opportunities. These courses are taught by some of the most sought-after international industry & subject matter experts, with the goal of defining and defending tomorrow’s InfoSec landscape.

Briefings include presentations on cutting-edge research on information security risks and trends. Security experts from around the world will share their latest findings, open-source tools, zero day exploits and more.

16. BSides Las Vegas

Las Vegas, Nev.

August 4-5

Founded in 2009, BSides Las Vegas claims to be “the impetus that sparked a global movement.” Whether you’re looking for your next big thing, career advice, or your first talk on a national stage, join the cybersecurity professionals at this two-day event.

The conference is free, but attendance can only be guaranteed if individuals stay for a minimum of three nights at the Tuscany on the BSidesLV room block.

The Call for Presentations for the Proving Ground mentoring program, which gives first-time speakers the opportunity to work with a seasoned industry professional to improve their public speaking skills before presenting their research, is still open and closes on February 29, 2020.

The General Call for Presentations will be open from March 1st through April 15th.

17. Global CISO Executive Summit

Marana, Ariz.

September 21-23

The Global CISO Executive Summit is “built by CISOs, for CISOs.” This conference focuses on sharing best practices and developing leadership skills that enhance the ability of a CISO’s organization to shape its security climate.

Speakers include:

  • Tim Callahan, Global Chief Security Officer, Aflac
  • Meredith Harper, VP, CISO, Eli Lilly & Company
  • Nasrin Rezai, EVP, Global Chief Information Security and Product Security Officer, General Electric
  • Ben Sapiro, Global CISO, Great-West Life Assurance

The agenda is yet to be announced.

18. GrrCON Cyber Security Summit & Hacker Conference

Grand Rapids, Mich.

October

The GrrCON Cyber Security Summit & Hacker Conference is an information security and hacking conference that provides the Midwest InfoSec community with a fun atmosphere to come together and network. GrrCON is small compared to other conferences, with around 1,700 individuals in attendance. Whether you are a Fortune 500 executive, security researcher, industry professional, student, or a hacker, you will find something for you at GrrCON.

Student and Early Bird tickets open on March 1, 2020. Regular tickets go on sale April 1. Keep in mind it’s important to buy tickets early, says GrrCON, as they usually sell out completely. Conference dates have not been announced yet, but the conference is usually held in October.

19. Cybersecurity & Fraud Summit

Washington, D.C.

November 17

The Cybersecurity & Fraud Summit is part of ISMG’s Global Summit Series, which takes place across four continents. This summit will focus on fraud and breach prevention that can apply to many industry verticals such as finance, government, retail, energy and healthcare.

The event provides cybersecurity leaders the opportunity to earn CPE credits. A few keynote panels that spark interest are:

  • Cybersecurity in the Era of Donald Trump.
  • The Rise of Cybercrime as a Service: Which Threats Should We Address First?
  • Why Organizations Fail to Implement Proper Security Safeguards and What They Can Do About It.
  • We’ve Been Breached: Now What? How to Effectively Work with Law Enforcement and Regulators.

The call for speakers is still open.

20. FutureCon

FutureCon holds more than 25 events per year. Here, you’ll be able to interact with CISOs and Senior Level Executives who have experience in mitigating the risk of cyberattacks. At each FutureCon Event, you will receive cybersecurity training and learn cutting-edge security approaches to manage risks in the constantly evolving world of cyber threats.

Events include:

  • Dallas, Texas – February 12, 2020
  • Los Angeles, Calif. – February 19, 2020
  • Chicago, Ill. – March 11, 2020
  • St. Louis, Mo. – March 25, 2020
  • Raleigh, N.C. – April 1, 2020
  • Houston, Texas – April 15, 2020
  • New Jersey – April 29, 2020
  • Kansas City, Mo. – May 13, 2020
  • San Diego, Calif. – June 10, 2020
  • Indianapolis, Ind. – June 25, 2020
  • Detroit, Mich. – July 8, 2020
  • Denver, Colo. – July 22, 2020
  • Omaha, Neb. – July 29, 2020
  • Seattle, Wash. – August 5, 2020
  • Columbus, Ohio – August 19, 2020
  • Des Moines, Iowa – September 2, 2020
  • Toronto, Ontario – September 16, 2020
  • Minneapolis, Minn. – September 30, 2020
  • Boston, Mass. – October 14, 2020
  • Tampa, Fla. – October 28, 2020
  • Orange County, Calif. – November 4, 2020
  • San Antonio, Texas – November 18, 2020
  • Nashville, Tenn. – December 3, 2020
  • South Florida, Fla. – December 9, 2020

Additional Conferences to Attend

Security Professionals Conference

Bellevue, Wash.

April 21-23

The EDUCAUSE Security Professionals Conference is created just for the higher education information security and privacy community. This is a great opportunity to connect and collaborate with colleagues around the latest information security, privacy and risk management innovations and strategies.

This year’s conference will introduce new offerings like leadership training, more workshops, track sessions and lightning talks to cover a broad range of skill levels and topics, both technical and strategic.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.

Senate: Obama officials hamstrung by Russia election attack

WASHINGTON (AP) — A heavily politicized environment, coupled with concerns that public warnings would undermine confidence in the 2016 election, limited the Obama administration’s ability to respond to the Russian interference, according to a bipartisan congressional report released Thursday.

The Senate Intelligence Committee’s report noted the U.S. government was “not well-postured” to counter Russian election interference and noted that Russia’s cyberactivities did not cease despite high-level warnings of potential retaliation. Committee members said they hoped lessons learned from 2016 will better position the U.S. to foil another round of potential interference, as the nation’s intelligence chiefs warn that Russia, China, Iran and North Korea remain a threat.

Back in 2016, Russia carried out a “sweeping and systematic” effort to interfere in U.S. elections through disinformation on social media, stolen campaign emails and attacks on voting systems. U.S. officials have made advances in trying to prevent similar attacks from undermining the 2020 vote, but the potential threats have increased and some old problems such as outdated and vulnerable voting machines have not been fully addressed.

Committee Chairman Sen. Richard Burr said the Obama administration in 2016 struggled to determine an appropriate response as it became aware of Russian activities.

“Frozen by ‘paralysis of analysis,’ hamstrung by constraints both real and perceived, Obama officials debated courses of action without truly taking one,” said Burr, a North Carolina Republican, noting many of their concerns were valid. “However, Obama officials made decisions that limited their options, including preventing internal information-sharing and siloing cyber and geopolitical threats.”

The committee noted most Obama administration officials interviewed in the investigation said they had first learned about the Russian operation to steal emails from the Democratic National Committee from the media. The initial reaction of administration officials and members of the intelligence community was that Russia’s activity “fell within the bounds of traditional espionage” and was not understood at that point to be part of a broader campaign, according to the report.

“There were many flaws with the U.S. response to the 2016 attack, but it’s worth noting that many of those were due to problems with our own system – problems that can and should be corrected,” said Sen. Mark Warner of Virginia, the top Democrat on the committee. He said he was particularly concerned that the fear raised by the Obama administration, that warning the public of a foreign attack could backfire politically, “is still present in our hyper-partisan environment.”

The report is the third to be released as part of the committee’s investigation. The first focused on Russia’s effort to target state and local election systems and the second detailed the use of social media to sow division during the election. Two additional reports are expected.

___

Cassidy reported from Atlanta.

https://www.mysanantonio.com/news/article/Senate-Obama-officials-hamstrung-by-Russia-15035130.php

Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation

Cisco has released patches to address the five vulnerabilities, which could lead to remote code-execution and denial of service.

Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.

Researchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices.

CDP is a Cisco proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment. CDP aids in mapping the presence of other Cisco products in the network and is implemented in virtually all Cisco products – including switches, routers, IP phones and IP cameras. Many of these devices cannot work properly without CDP, and do not offer the ability to turn it off, according to researchers.

The flaws specifically exist in the parsing of CDP packets, within the protocol’s implementation in various Cisco products, from its IOS XR software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.

“There are endless types of Layer 2 protocols, and CDP is one of them,” Ben Seri, vice president of research at Armis, told Threatpost. “But there is actually a very large attack surface there, which has been neglected. I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT [internet of things], and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks.”

A Cisco spokesperson told Threatpost that Cisco is not aware of any “malicious uses” of the flaws in the wild.

“Transparency at Cisco is a matter of top priority,” the spokesperson told Threatpost. “When security issues arise, we handle them openly and swiftly, so our customers understand the issue and how to address it. On Feb. 5, we disclosed vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products along with software fix information and mitigations, where available.”

The Flaws

The attack comes with a caveat: It requires the attacker to already have some sort of foothold inside the network, via a previously compromised Cisco device, Seri told Threatpost.

“So it’s not an attack that necessarily is coming from the internet,” Seri told Threatpost. “The attacker needs to have some access, but if you have some very low-grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised.”

After compromising a vulnerable Cisco device, an attacker could then send a maliciously crafted CDP packet to another Cisco device located inside the network. There are five vulnerabilities in all — four of which are critical remote code-execution (RCE) vulnerabilities, and one is a denial-of-service (DoS) vulnerability.

The first RCE flaw (CVE-2020-3118) is a format string flaw in the parsing of certain fields (i.e. Device ID) of incoming CDP packets in the CDP implementation for Cisco’s Internetworking Operating System (IOS XR). IOS XR is used on its Network Convergence System (NCS) carrier-grade routers.

An attacker could use certain format string characters to cause a stack overflow, ultimately leading to RCE. Researchers said an attacker could exploit this flaw to “gain full control over the target router to traverse between network segments and use the router for subsequent attacks.”

The second RCE flaw (CVE-2020-3119) is a stack-overflow vulnerability that stems from the parsing of CDP packets in Cisco NX-OS, a network operating system for Cisco’s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. An attacker can exploit this flaw using a legitimate CDP packet with skewed power levels (i.e., above the power level that can be accepted) and cause a stack overflow on switches, thus gaining full control.

Another RCE flaw is a heap overflow (CVE-2020-3110) that exists in the parsing of CDP packets in the CDP implementation for Cisco Video Surveillance 8000 Series IP Cameras. It’s caused when an attacker sends a CDP packet with an “overly large Port ID field.”

The final RCE flaw exists in the CDP implementation on Cisco Voice Over IP Phones (CVE-2020-3111). “In this vulnerability, a stack overflow in the parsing function for the Port ID can be exploited to gain code execution on the phone,” researchers said.

The DoS flaw meanwhile stems from the CDP implementation in Cisco FXOS, IOS XR and NX-OS software (CVE-2020-3120), which can be exploited by making the CDP daemon of a router or switch allocate large blocks of memory, causing the process to crash.

“With this vulnerability, an attacker can cause the CDP process to crash repeatedly, which in turn causes the router to reboot,” said researchers. “This means that an attacker can use this vulnerability to create a complete DoS of the target router, and in turn, completely disrupt target networks.”
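The flaws above all sit in how a device parses CDP TLVs. The following checker is an added example, not code from Armis, Cisco or the article: it parses the TLV section of a CDP payload without trusting the length fields and flags the three conditions the advisories describe (format-string characters in Device ID, an oversized Port ID, an implausible power value). The TLV type codes are the documented CDP ones; the length and power thresholds and the sample payloads are constructed for illustration, not Cisco’s actual limits.

```python
"""Heuristic sanity checker for Cisco Discovery Protocol (CDP) TLVs.

Added example for the CDPwn discussion; not the vendor's or researchers' code.
Thresholds and sample packets are constructed assumptions.
"""
import struct

# Documented CDP TLV type codes
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_POWER_CONSUMPTION = 0x0010   # 2-byte value in milliwatts

# Constructed thresholds (assumptions for this example, not Cisco limits)
MAX_PORT_ID_LEN = 64
MAX_POWER_MW = 15_400


def parse_cdp_tlvs(payload: bytes):
    """Return [(type, value), ...] for the TLVs after the 4-byte CDP header.

    Every length field is bounds-checked before use; a malformed length
    raises ValueError instead of reading past the buffer, which is the
    class of mistake the article describes in the device-side parsers.
    """
    if len(payload) < 4:
        raise ValueError("payload shorter than CDP header")
    _version, _ttl, _checksum = struct.unpack("!BBH", payload[:4])
    off, tlvs = 4, []
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = struct.unpack("!HH", payload[off:off + 4])
        # Length covers the 4-byte TLV header, so it can never be below 4
        if length < 4 or off + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        tlvs.append((t, payload[off + 4:off + length]))
        off += length
    return tlvs


def check_cdp(payload: bytes):
    """Return a list of findings; an empty list means nothing looked odd."""
    try:
        tlvs = parse_cdp_tlvs(payload)
    except ValueError as e:
        return ["malformed: %s" % e]
    findings = []
    for t, v in tlvs:
        if t == TLV_DEVICE_ID and b"%" in v:
            findings.append("Device ID carries '%%' format characters: %r" % v)
        elif t == TLV_PORT_ID and len(v) > MAX_PORT_ID_LEN:
            findings.append("Port ID length %d exceeds %d" % (len(v), MAX_PORT_ID_LEN))
        elif t == TLV_POWER_CONSUMPTION:
            if len(v) != 2:
                findings.append("power TLV value is %d bytes, expected 2" % len(v))
            elif struct.unpack("!H", v)[0] > MAX_POWER_MW:
                findings.append("power %d mW above ceiling %d mW"
                                % (struct.unpack("!H", v)[0], MAX_POWER_MW))
    return findings


def build_tlv(t: int, value: bytes) -> bytes:
    """Encode one TLV; the length field includes the 4-byte header."""
    return struct.pack("!HH", t, len(value) + 4) + value


def build_cdp(tlvs) -> bytes:
    """Assemble a CDP v2 payload with a zero checksum (constructed test data)."""
    return struct.pack("!BBH", 2, 180, 0) + b"".join(build_tlv(t, v) for t, v in tlvs)


# Constructed samples: a normal advertisement and one with the flagged anomalies
NORMAL = build_cdp([(TLV_DEVICE_ID, b"sw-core-1"),
                    (TLV_PORT_ID, b"GigabitEthernet1/0/1"),
                    (TLV_POWER_CONSUMPTION, struct.pack("!H", 6300))])
ANOMALOUS = build_cdp([(TLV_DEVICE_ID, b"edge-%s-1"),
                       (TLV_PORT_ID, b"A" * 200),
                       (TLV_POWER_CONSUMPTION, struct.pack("!H", 65535))])

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("anomalous", ANOMALOUS)):
        print(name, check_cdp(pkt) or "ok")
```

In practice the payload would come from a captured frame (CDP rides on 802.2 SNAP to the 01:00:0c:cc:cc:cc multicast address), and a finding is a signal to inspect the sending port, not proof of exploitation.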

Impact

Once these flaws have been exploited, a bad actor could launch an array of attacks – including exfiltrating corporate network traffic traversing an organization’s switches and routers, and viewing sensitive information such as phone calls from IP phones and video feeds from IP cameras.

Attackers could also gain access to additional devices by leveraging man-in-the-middle attacks, which would allow them to intercept and alter traffic on corporate switches.

Armis disclosed the vulnerabilities to Cisco on Aug. 29, and said that it has worked with the networking giant since then to develop and test mitigations and patches. The patches were released Wednesday.

“Vulnerabilities that allow an attacker to break through network segmentation and move freely across the network pose a tremendous threat to enterprises,” according to Armis researchers. “Targets have moved beyond traditional desktops, laptops and servers to devices like IP phones and cameras which contain valuable voice and video data. Current security measures, including endpoint protection, mobile device management, firewalls and network security solutions are not designed to identify these types of attacks.”

Twitter API Abused to Uncover User Identities

State-sponsored actors may have been behind the social media abuse, said Twitter.

Twitter said that malicious actors, with potential ties to state-sponsored groups, were abusing a legitimate function on its platform to unmask the identity of users.

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API (application programming interface) function on its platform that, when used as intended, allows accounts to find Twitter users that they may already know by matching phone numbers to their Twitter account names.

The bad actors were using this legitimate feature to uncover Twitter users – raising concerns that they could have potentially obtained the true identities of human rights activists or dissidents who go under pseudonyms on Twitter.

Twitter, which has a user base of more than 68 million, said that the fake accounts were detected in a wide range of countries. However, a particularly high volume of requests was coming from individual IP addresses located within Iran, Israel, and Malaysia.

“It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” said Twitter in a Monday statement. “We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”

The API only matches users’ phone numbers and names if they have enabled the “Let people who have your phone number find you on Twitter” option. People who did not have this option enabled were not affected, said Twitter.

However, “After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries,” said Twitter. “Additionally, we suspended any account we believe to have been exploiting this endpoint.”

Threatpost has reached out to Twitter for more information on how it has improved the privacy of the “Let people who have your phone number find you on Twitter” option. Threatpost has also inquired whether affected Twitter users are being notified.

In December, security researcher Ibrahim Balic told TechCrunch that he was able to match 17 million phone numbers to Twitter user accounts by abusing a flaw in Twitter’s Android app. Twitter reportedly became aware of the separate exploitation efforts after the researcher made his findings known.

It’s not the first time that Twitter’s platform has been targeted by governments to dig up users’ identities. In November, the Department of Justice (DoJ) charged two former Twitter employees with working with the government of Saudi Arabia to snoop on political dissidents’ accounts. Other platforms, such as WhatsApp, have reportedly also been targeted by state-sponsored actors to spy on or identify human rights activists.

It’s also only the latest Twitter privacy issue to come to light. In December, Twitter for Android users were urged to update their app to avoid a security bug that allows a malicious user to access private account data and could also allow an attacker to take control of accounts to send tweets and direct messages. The social media platform also warned in October that an old Twitter API still used by popular iOS mobile apps could be abused as part of a man-in-the-middle attack.

https://threatpost.com/twitter-api-abused-to-uncover-identities/152521/

US Could Learn How to Improve Election Protection From Other Nations

(The Conversation is an independent and nonprofit source of news, analysis and commentary from academic experts.)

Scott Shackelford, Indiana University

(THE CONVERSATION) Hacking into voting machines remains far too easy.

It is too soon to say for sure what role cybersecurity played in the 2020 Iowa caucuses, but the problems, which are still unfolding and being investigated, show how easily systemic failures can lead to delays and undermine trust in democratic processes. That’s particularly true when new technology – in this case, a reporting app – is introduced, even if there’s no targeted attack on the system.

The vulnerabilities are not just theoretical. They have been exploited around the world, such as in South Africa, Ukraine, Bulgaria and the Philippines. Successful attacks don’t need the resources and expertise of national governments – even kids have managed it.

Congress and election officials around the U.S. are struggling to figure out what to do to protect the integrity of Americans’ votes in 2020 and beyond. The Iowa caucuses are run by political parties, not state officials, but many of the concepts and processes are comparable. A look at similar problems – and some attempts at solutions – around the world offers some ideas that U.S. officials could use to ensure everyone’s vote is recorded and counted accurately, and that any necessary audits and recounts will confirm that election results are correct.

As a scholar researching cybersecurity and internet governance for more than 10 years, I have come to the conclusion that only by working together across sectors, industries and nations can the people of the world make their democracies harder to hack and achieve some measure of what I and others call cyber peace.

Electronic tampering is not new

As far back as 1994, an unknown hacker tried to alter the results of an election – but the effort failed, and Nelson Mandela was elected president of South Africa.

A similar effort played out in 2014 when Russian-backed hackers targeted Ukraine, attempting to fake vote totals for the presidential election. They were caught just in time, but the sophistication of the attacks should have been seen as a shot across the bow for future elections in the U.S. and around the world.

How has the US government responded?

More than two-thirds of U.S. counties are using voting machines that are at least a decade old. Because many of these machines are running outdated operating systems, they are vulnerable to exploitation.

The multi-pronged strategy used by the Kremlin to undermine the 2016 U.S. presidential election shared parallels with the election in Ukraine back in 2014, including the probing of insecure voting machines, compromising voter-registration lists and weaponizing social media to spread misinformation.

To date, the U.S. response has been weak. True, the threats are complex, and partisan rancor hasn’t made it any easier for officials to unite against them. Still, local, state and federal government agencies have made some progress.

For instance, in 2018 Congress agreed to spend US$380 million to help states buy more secure voting machines. In December 2019, Congress and the president agreed to spend a further $425 million on election cybersecurity, which is in line with estimates for how much it would cost to replace digitally vulnerable paperless voting machines across the nation.

These funds will allow more states to upgrade their voting equipment, and conduct post-election audits. But this is still less than a quarter of the amount Congress appropriated – nearly $4 billion – to upgrade U.S. voting systems after the confusion of the 2000 election.

U.S. Cyber Command has been sharing information with local officials, as well as becoming more active such as by shutting down a Russian troll farm on Election Day 2018.

Lessons from other nations

Like the United States, the European Union has also faced hacking attacks on election systems, including in the Netherlands, Bulgaria and the Czech Republic.

In response, the EU has increased cybersecurity requirements on election officials and infrastructure providers requiring things like more robust authentication procedures to help confirm voters’ identities. It has also urged its members to use paper ballots and analog vote-counting systems to help ward off concerns over compromised voting machines.

Nations around the world – including Germany and Brazil – that have used electronic voting machines are going back to paper ballots in part due to security and transparency concerns, while a 2019 court order requires paper trail audits in Indian elections.

Other mature democracies, like Australia, do far more than the U.S. to protect the vote. Australians all use paper ballots, which are hand counted, and voting itself is mandatory so there are no issues over voting rights. The country’s powerful Electoral Commission also sets nationwide standards and oversees the entire voting process, as opposed to the more decentralized U.S. approach.

International initiatives

The problem is global, and in my view would benefit from an internationally coordinated solution among both advanced and emerging democracies. Many nations and interested businesses and organizations around the world say they want to join the fight. The G7 and the U.N. have issued statements emphasizing the importance of protecting democracy and securing voting machines.

The Paris Call for Trust and Security in Cyberspace – which specifically calls on its backers to “cooperate in order to prevent interference in electoral processes” by sharing intelligence – has more than 550 supporters, including 67 nations. The U.S. is part of the G7 and the U.N., but hasn’t joined the Paris Call. Nevertheless, U.S. election officials could learn from other countries’ experiences.

Time is growing short

In the U.S., states are already trying approaches that have worked in other countries, but federal rules have not yet caught up. Congress could encourage states to follow Colorado’s example by banning paperless ballots and requiring risk-limiting audits, which hand-check a statistically significant sample of paper ballots to confirm that official election results are correct. That would increase voter confidence that the outcomes were correct.

Congress could similarly require the National Institute of Standards and Technology to update its standards for voting machines, which state and county election officials rely on when deciding which machines to purchase.

The U.S. could also create a National Cybersecurity Safety Board to investigate cyberattacks on U.S. election infrastructure and issue reports after elections to help ensure that experts and the public alike are aware of the vulnerabilities and work to fix them.

Democracy is a team sport. Scholars can also help federal, state and local governments secure the country’s election system, by devising and testing possible improvements.

Different approaches around the country may make the overall system more secure, but the diversity of potential problems means the election officials on the ground need help. There’s still time to avoid a replay of South Africa 1994 or Ukraine 2014 in the 2020 U.S. elections.


This article is republished from The Conversation under a Creative Commons license. Read the original article here: https://theconversation.com/us-could-learn-how-to-improve-election-protection-from-other-nations-126157.

https://www.mysanantonio.com/news/article/US-could-learn-how-to-improve-election-protection-15029088.php