Top News


One year out from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign.

Federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.”

The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission questioned Area 1 about its request at a public meeting on Thursday, and asked the company to refile the request with a simpler explanation of how it would determine what campaigns qualified for discounted services.

Cybersecurity and election experts say time is running out for campaigns to develop tough protections.

Christopher Wray, the F.B.I. director, warned in April that Russian election interference continued to pose a “significant counterintelligence threat” and that Russian efforts in the 2016 and 2018 elections were “a dress rehearsal for the big show in 2020.”

A bill introduced last month by Senator Ron Wyden, a Democrat from Oregon, would have allowed political parties to provide greater cybersecurity assistance to candidates. But it stalled in the Senate after the majority leader, Mitch McConnell, said he would not bring any election security bills to the floor for a vote.

The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers. In most cases, they cannot afford to pay outside experts market rates for such services, as required by federal election laws.

To thwart digital threats and phishing attacks, multinational corporations spend hundreds of thousands of dollars, at minimum, on security. Jamie Dimon, the chief executive of JPMorgan Chase, has said the bank spends nearly $600 million a year on security. Bank of America’s chief executive has said the bank has a “blank check” when it comes to cybersecurity. Security experts note that — despite significantly smaller head counts — presidential candidates and their campaigns are among the most targeted organizations in the world.

“Expecting campaigns to do this on their own is asking for failure,” said Laura Rosenberger, the director of the Alliance for Securing Democracy, a group that seeks to track and expose efforts by authoritarian regimes to undermine democratic elections.

Ms. Rosenberger knows the risks faced by campaigns. As a foreign policy adviser to Hillary Clinton in 2016, she saw firsthand the real-world effects of these attacks. In what’s called a spearphishing attack, Russian hackers compromised emails belonging to John Podesta, then Mrs. Clinton’s campaign chairman, and employees at the Democratic Congressional Campaign Committee.

“If we’re putting campaigns on the front lines alone, and they’re having to defend themselves alone, then we’ve lost,” she said.

But guarding against Russia is just one of the challenges, officials and experts said.

“Russia drafted a playbook that other international actors can use,” said Nathaniel Persily, co-director of the Stanford Cyber Policy Center and a law professor at Stanford Law School. “We should not be surprised if other nation-states and stateless entities try to take a page from the Russian playbook in the next election.”

There are also concerns that domestic players could do the same thing.

Last month, the F.E.C. ruled that a nonprofit organization, Defending Digital Campaigns, could provide free cybersecurity services to political campaigns. But the ruling was narrow, and applied only to nonpartisan, nonprofit groups that offer the same services to all campaigns. Defending Digital Campaigns was founded by Robbie Mook, who ran Mrs. Clinton’s 2016 campaign, and Matt Rhoades, who managed Mitt Romney’s campaign in 2012.

But nonprofits can only do so much, experts said, and in many cases there are private companies with better technology for fending off hackers.

The case heard this week by the F.E.C. involves Area 1, which says it has developed tools to block spearphishing attacks.

In anticipation of future attacks, a number of candidates running for office in 2020 contacted Area 1 to ask for its anti-phishing services, said Oren Falkowitz, a former analyst at the National Security Agency who helped found the company.

Area 1 works with a number of large corporations and assists smaller firms and nonprofits, charging a rate lower than what it charges big clients, Mr. Falkowitz said. He noted that the pricing model was fairly standard. Other tech companies like Dropbox and Slack give away many of their services to individuals and smaller organizations, but charge larger businesses to use their products.

Lawyers for three of the 2020 candidates that contacted Area 1, who could not be named because of confidentiality agreements, told the company that they worried that by using Area 1’s services, the campaigns might run afoul of campaign finance laws.

Area 1 made a formal request to the F.E.C. to ask for an advisory opinion in April. As part of its request, Area 1 asked the commission to grant the company the same exemption the F.E.C. granted to Microsoft last year.

The F.E.C. ruled that Microsoft could offer “enhanced online account security services to its election-sensitive customers at no additional cost” because Microsoft would be shoring up defenses for its existing customers, not seeking to curry favor with political candidates, and would be acting on a nonpartisan basis out of business interests.

But on Monday, lawyers for the F.E.C. said Area 1’s request did not meet the same bar as Microsoft and the company’s services looked too much like a political contribution.

The commission has been sensitive to the influx of so-called dark money into campaigns and maintains a high bar for granting exemptions because of concerns that an exemption could create a loophole for corporations looking to influence an election.

Daniel A. Petalas, outside counsel for Area 1 and a lawyer at the firm Garvey Schubert Barer, said the draft opinion was based on a misunderstanding. In return for helping the candidates, Area 1 could gain valuable research, he said.

“Area 1’s whole purpose, their whole basis for being, is attacking the phishing issue,” Mr. Petalas said. “There’s really nowhere it’s more dramatically presented than in the election context, given what happened in 2016.”

Election security experts said lawmakers must address rules that prohibit cybersecurity firms from providing assistance to campaigns.

“The idea that this is even an issue is just insane,” Mr. Persily said in an interview Tuesday.

For now, campaigns must fend for themselves, and most are vulnerable to more phishing attacks.

“On the cyber side, campaigns obviously have to do a lot to have much, much tougher defenses than they had in ’16, and I see very little of that so far,” said Ms. Rosenberger, the former Clinton worker.


Liz Upton from the Raspberry Pi Foundation made a shocking revelation: someone has offered cash to install malware into its tiny computers.

Turkish systems are suffering a major cyber attack which is causing serious problems for organizations in the country. Is it an act of information warfare?

Security researchers from ESET uncovered the Roaming Tiger hacking campaign; bad actors in the wild are targeting Russian organizations.

A honeypot set up by researchers at the SANS institute has shown that hackers have already attempted to exploit the Juniper backdoor.

Who planted the authentication backdoor in Juniper ScreenOS? Security experts are speculating, but interesting revelations are coming out.

One day after Quest Diagnostics reported that nearly 12 million of its patients were potentially affected by a malicious breach of third-party bill collection vendor American Medical Collection Agency (AMCA), fellow clinical testing firm LabCorp acknowledged that roughly 7.7 million of its customers may be affected by the same incident.

Burlington, North Carolina-based LabCorp publicly disclosed the disturbing news yesterday in a Securities and Exchange Commission 8-K filing, warning that patient data it supplied to AMCA was exposed in the incident, which took place from Aug. 1, 2018 through March 30, 2019. Such information may include names, birth dates, addresses, phone numbers, dates of service, providers and unpaid balances.

Making matters worse, roughly 200,000 customers who paid LabCorp bills using AMCA’s web portal had their payment card information compromised, LabCorp continued. According to the SEC filing, AMCA did not share the identities of these particular victims, but assured the diagnostics company that it had already begun to notify these individuals, and would offer them two years of identity protection and credit monitoring services.

This revelation appears to correspond to a May 10 DataBreaches.net report that said analysts from Gemini Advisory had found a database for sale on the dark web that contained information on about 200,000 individuals. Through their investigative work, Gemini’s analysts eventually linked the stolen data to AMCA.

Social Security numbers, insurance identification information, laboratory tests and results, and diagnostic information were not impacted in the breach, asserted LabCorp, which officially goes by the name Laboratory Corporation of America Holdings.

“AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes and data,” the filing said, later adding that in response to the incident LabCorp “ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers.”

Between Quest Diagnostics and LabCorp alone, nearly 20 million lab patients have now had their information imperiled, and it’s possible many more victims will come to light as other companies using AMCA as a third-party service provider discover their customer data was affected as well.

Security researcher Brian Krebs wrote on his website that a review he conducted of the Consumer Financial Protection Bureau’s complaint web page turned up nearly 700 complaints lodged against AMCA, which also operates under the name Retrieval-Masters Credit Bureau. These complaints revealed current or previous business relationships between AMCA and New Jersey’s EZPass system as well as American Traffic Solutions, which services rental car companies and processes millions of toll transactions and violations.

“Due to the interconnectedness of modern business, I will be surprised if we do not soon learn about other companies affected by this breach,” said George Wrenn, founder and CEO of CyberSaint Security, in emailed comments. “Organizations must be responsible for tracking their third parties, knowing the real-time status of their cybersecurity, data protection, and privacy postures, and identifying their risk tolerance, using this information to request remediation activities and make the most informed partnership decisions possible.”

Kevin Gosschalk, CEO of Arkose Labs, said that every third-party vendor is an “added access point” that requires attention, because “as hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting.”

The fact that Quest Diagnostics said certain medical information (unrelated to lab tests) was exposed and LabCorp acknowledged that insurance and provider information was affected is “troubling,” said Brad Keller, program director at Shared Assessments, because “there is no mechanism in place to prevent [the] misuse” of health care information.

“Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised,” Keller continued. But, “no such centralized process exists for health care or insurance information, making it extremely difficult to prevent the unauthorized use of this information.”

Some cybersecurity and privacy experts have already begun speculating on the regulatory implications of this incident.

“This breach will undoubtedly bring a hefty fine from [the Department of Health and Human Services’] Office of Civil Rights to ACMA…” predicted Michael Magrath, director of global regulations and standards at OneSpan. “However, what is necessary is for HHS to revisit the HIPAA Security and Privacy [Rules and] tighten the security controls for third parties.” Magrath suggested that the New York Department of Financial Services’ new Cybersecurity Regulation for financial institutions (23 NYCRR 500) “could serve as the model.”

But Tom Garrubba, senior director and CISO of Shared Assessments, suggested that HIPAA already has clear-cut expectations for third-party business associates, under its Omnibus Rules. “Business associates are by law… to handle data with the same care as covered entities… and these B.A.s are to undergo proper due diligence from the covered entity,” said Garrubba in comments sent after the Quest disclosure but before LabCorp had made its announcement.

“I’m curious to see how swiftly the Office of Civil Rights… moves in to review the details of the breach with this particular business associate…who was performing the scope of work, and to see what negligence, if any, is on the hands of Quest,” Garrubba remarked. “I’m also curious as to the size of the fines to both entities, as the OCR has historically been under a lot of pressure to levy fines of health care breaches.”

Following the Quest Diagnostics disclosure, AMCA sent the following statement to SC Media: “We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”


Lost and stolen devices account for 45 percent of all breaches in Verizon's new health care data breach report.

"Want to keep using the pacemaker? Pay us 2 bitcoins." Experts fear that ransomware will start targeting medical devices.

EMC and Hartford Hospital have agreed to pay US$90,000 to Connecticut in connection with the loss in 2012 of an unencrypted laptop containing patient information of 8,883 residents of the state, according to the state's attorney general.

Healthcare has become a favorite target for criminals, and some medical organizations are reacting by looking at outside providers to keep their data secure. But jumping to the cloud without first taking some precautions can be a mistake, experts say.

A survey of major industries reveals health care organizations are below average in secure coding.

Ad injection and other "man-in-the-middle" techniques will have a tougher time installing themselves onto PCs.

44 per cent of Internet users admit having shared their passwords or stored them in visible places.

Frankly, I'm surprised. Is it the revelation that Juniper had "unauthorized code" in their Netscreen product? Is it that a third party could reportedly remotely access these systems? Is it that VPN traffic could be decrypted?

I'm seeing in the news today that a subset of Twitter users have been receiving notifications that they may well be the targets of surveillance by nation state actors. Step one, let's all take a deep breath.

A group of computer scientists at the Massachusetts Institute of Technology has developed the most secure SMS text messaging system.

Tens of millions of users would be unable to access HTTPS websites that only use SHA-2-signed certificates, Facebook and Cloudflare have warned.
Millions of Web users could be left unable to access websites over the HTTPS protocol if those websites only use digital certificates signed with the SHA-2 hashing algorithm.

Cryptographic key reuse is rampant in European payment terminals, allowing attackers to compromise them en masse.

Security firm Zscaler discovered a malicious campaign based on a new strain of the Spy Banker banking malware.

FireEye says it has discovered a type of malware designed to steal payment card data that can be very difficult to detect and remove.
The cybercriminal group behind the malware, which FireEye nicknamed "FIN1," is suspected of being in Russia and has been known to target financial institutions.

The malware, which FIN1 calls Nemesis, infected an organization that processes financial transactions, which FireEye did not identify.

A criminal named Hacker Buba after asking UAE bank for $3 million ransom started leaking customer data online.

A new strain of PoS malware dubbed Pro PoS Solution is available for sale in the underground forums.

American Express appears to have used a weak algorithm to generate new card numbers.
