US Imposes Ban on Chinese and Russian Tech in Passenger Cars Over Security Risks


The United States has introduced a new regulation barring the use of Chinese and Russian technology in passenger vehicles sold domestically, citing national security risks. According to AFP, the ban covers both hardware and software from these countries, forming part of a broader effort to reduce China's influence in critical industries.

Outgoing President Joe Biden initiated the rule after a prolonged regulatory process aimed at tightening controls on foreign-linked technologies. This follows recent debates over restricting drones and other equipment from adversarial nations. Commerce Secretary Gina Raimondo highlighted the growing reliance of modern cars on advanced technology like cameras, microphones, GPS systems, and internet connectivity, which could pose risks if developed using foreign components.

"This is a targeted approach to keep Chinese and Russian-manufactured tech off American roads," said Raimondo.

The rule initially applies to passenger vehicles under 10,001 pounds, with plans to extend it to commercial vehicles, such as buses and trucks, in the future. It prohibits manufacturers with significant ties to China or Russia from selling cars equipped with foreign-made hardware or software for internet connectivity or autonomous driving.

Implementation will occur in two stages:

  • Software ban: effective from the 2027 model year.
  • Hardware ban: beginning with the 2030 model year.

Imports of such technology from China and Russia will also face restrictions.

The regulation could affect companies like BYD, a Chinese electric vehicle manufacturer operating a facility in California that produces buses and other vehicles. US officials have raised concerns that connected vehicles equipped with foreign technology could be exploited to misuse sensitive data or interfere with critical systems.

National Economic Advisor Lael Brainard warned, "China is attempting to dominate the future of the auto industry," underscoring the need to shield American vehicles from foreign influence.

The new rule aligns with a broader strategy to bolster domestic industries and reduce dependence on foreign technologies. On the same day, President Biden signed an executive order to fast-track the development of AI infrastructure in the US.

"We will not let America fall behind in building the technology that will define the future," Biden stated.

As Biden prepares to leave office, these measures will transition to the administration of President-elect Donald Trump, who takes office next Monday. While it remains uncertain how Trump will handle these policies, significant shifts in strategy are anticipated.

Hackers Use Trojanized Minesweeper Clone to Phish Financial Organizations


Hackers are exploiting code from a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.

Ukraine's CSIRT-NBU and CERT-UA have identified the threat actor 'UAC-0188' as responsible for these attacks. They are using the legitimate game code to hide Python scripts that download and install the SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM, though legitimate, provides remote actors with direct access to compromised systems.

CERT-UA's investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.

The attack initiates with an email from "support@patient-docs-mail.com," posing as a medical center with the subject "Personal Web Archive of Medical Documents." The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, "anotepad.com."

Embedding the game code in the executable surrounds the 28MB base64-encoded string that carries the malicious payload with legitimate-looking logic, which helps the file pass as benign to security software. The game's "create_license_ver" function has been repurposed to decode and execute that hidden code, so components that look like ordinary application code both mask and drive the attack.

The base64 string decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted and executed using a static password. While SuperOps RMM is a legitimate tool, in this scenario, it grants attackers unauthorized access to the victim's computer.
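The disguise described above (an oversized base64 literal sitting inside otherwise legitimate script code, decoding to a ZIP that wraps an MSI) can be hunted for directly in a script's source. The following Python scanner is an added example, not code from CERT-UA's report or from the malware itself: it pulls every long base64 string literal out of a script, decodes it, and checks the result for a ZIP or OLE (MSI) header. The script it scans is constructed in memory here, and the 200-character threshold is an assumption chosen for the demo; the real payload is tens of megabytes.

```python
"""Find base64 string literals in a script that decode to ZIP or MSI data.

Added example; not the report's or the malware's code. The sample input is
constructed in memory so the scanner runs offline.
"""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List, Optional

ZIP_MAGIC = b"PK\x03\x04"                         # local file header of a ZIP
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file (MSI)


def classify(blob: bytes) -> Optional[str]:
    """Name the container type by its magic bytes, or None if unknown."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(OLE_MAGIC):
        return "ole"
    return None


def find_embedded_archives(source: str, min_len: int = 200) -> List[Dict]:
    """Return one record per base64 literal of at least min_len characters
    that decodes to a ZIP or OLE container (min_len is a demo assumption)."""
    literal = re.compile(r"""(['"])([A-Za-z0-9+/=]{%d,})\1""" % min_len)
    findings = []
    for match in literal.finditer(source):
        encoded = match.group(2)
        try:
            blob = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            continue            # long, but not well-formed base64
        kind = classify(blob)
        if kind is None:
            continue
        record = {
            "offset": match.start(2),
            "encoded_len": len(encoded),
            "decoded_len": len(blob),
            "kind": kind,
            "members": [],
            "encrypted": False,
        }
        if kind == "zip":
            # The central directory is readable even when entries are
            # password-protected, so member names and the encryption flag
            # are available without knowing the static password.
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                record["members"] = zf.namelist()
                record["encrypted"] = any(i.flag_bits & 0x1 for i in zf.infolist())
        findings.append(record)
    return findings


def build_sample_source() -> str:
    """Constructed stand-in for the trojanized game script: a few lines of
    harmless game code plus one literal carrying a ZIP with a fake MSI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", OLE_MAGIC + b"\x00" * 256)  # fake MSI body
    payload = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "def create_board(rows, cols):\n"
        "    return [[0] * cols for _ in range(rows)]\n"
        "\n"
        f'LICENSE_DATA = "{payload}"\n'
        "\n"
        "def create_license_ver(data):\n"
        "    return data\n"
    )


if __name__ == "__main__":
    for hit in find_embedded_archives(build_sample_source()):
        print(hit)
```

The scanner reports the member names of the embedded ZIP even when the entries are password-protected, because only file contents are encrypted in a standard ZIP; that is enough to spot an MSI waiting inside a game script without knowing the static password the loader uses.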

CERT-UA advises organizations not using SuperOps RMM to treat its presence or related network activity, such as connections to "superops.com" or "superops.ai" domains, as indicators of a compromise.
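One way to act on that advice is to sweep resolver logs for the two domains and exclude hosts that are sanctioned to run SuperOps RMM. The following Python hunt is an added example, not code from CERT-UA's report; the log line format and the sample lines are constructed, so the parser is an assumption to adapt to your own resolver's output.

```python
"""Flag DNS queries for the SuperOps RMM domains CERT-UA lists as IOCs.

Added example, not code from the report. The log format and the sample
lines are constructed; adapt the parser to your resolver's format.
"""
from typing import Iterable, List, Tuple

# Domains named in the report as indicators when SuperOps RMM is not in use.
IOC_DOMAINS = ("superops.com", "superops.ai")


def is_ioc_host(name: str) -> bool:
    """True for an IOC domain or any of its subdomains. The leading dot in
    the suffix test keeps look-alikes such as 'notsuperops.com' out, and the
    exact comparison keeps 'superops.com.evil.example' out."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def hunt_dns_log(lines: Iterable[str],
                 sanctioned_clients: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, queried_name) for every query of an IOC
    domain from a client that is not sanctioned to run SuperOps RMM.

    Assumed line format (constructed): '<iso-timestamp> <client-ip> query: <name>'.
    """
    sanctioned = set(sanctioned_clients)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue                     # not a query record; skip
        ts, client, name = parts[0], parts[1], parts[3]
        if client in sanctioned:
            continue                     # known RMM deployment, not an IOC here
        if is_ioc_host(name):
            hits.append((ts, client, name))
    return hits


# Constructed sample log: one true hit, one sanctioned client, two look-alikes.
SAMPLE_LOG = [
    "2024-05-20T09:58:11Z 10.0.4.17 query: api.superops.ai",
    "2024-05-20T09:58:12Z 10.0.4.17 query: cdn.example.net",
    "2024-05-20T09:59:40Z 10.0.9.2 query: agent.superops.com",
    "2024-05-20T10:00:03Z 10.0.4.18 query: notsuperops.com",
    "2024-05-20T10:00:05Z 10.0.4.18 query: superops.com.evil.example",
    "2024-05-20T10:00:09Z 10.0.4.19 response: NOERROR",
]

if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_LOG, sanctioned_clients={"10.0.9.2"}):
        print(*hit)
```

The suffix test matters more than it looks: a naive substring match on "superops.com" would fire on "notsuperops.com" and miss nothing, but it would also let an attacker-controlled "superops.com.evil.example" drown the alert in noise, and a bare `endswith("superops.com")` would still match the look-alike registered under a different apex.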

The agency has also provided additional indicators of compromise (IoCs) associated with this attack at the end of their report.

EU AI Act to Impact US Generative AI Deployments

In a move set to reshape the scope of AI deployment, the European Union's AI Act, slated to come into effect in May or June, aims to impose stricter regulations on the development and use of generative AI technology. The Act, which categorises AI use cases based on associated risks, prohibits certain applications like biometric categorization systems and emotion recognition in workplaces due to concerns over manipulation of human behaviour. This legislation will compel companies, regardless of their location, to adopt a more responsible approach to AI development and deployment.

For businesses venturing into generative AI adoption, compliance with the EU AI Act will necessitate a thorough evaluation of use cases through a risk assessment lens. Existing AI deployments will require comprehensive audits to ensure adherence to regulatory standards and mitigate potential penalties. While the Act provides a transition period for compliance, organisations must gear up to meet the stipulated requirements by 2026.

This isn't the first time US companies have faced disruption from overseas tech regulations. Similar to the impact of the GDPR on data privacy practices, the EU AI Act is expected to influence global AI governance standards. By aligning with EU regulations, US tech leaders may find themselves better positioned to comply with emerging regulatory mandates worldwide.

Despite the parallels with GDPR, regulating AI presents unique challenges. The rollout of GDPR witnessed numerous compliance hurdles, indicating the complexity of enforcing such regulations. Additionally, concerns persist regarding the efficacy of fines in deterring non-compliance among large corporations. The EU's proposed fines for AI Act violations range from 7.5 million to 35 million euros, but effective enforcement will require the establishment of robust regulatory mechanisms.

Addressing the AI talent gap is crucial for successful implementation and enforcement of the Act. Both the EU and the US recognize the need for upskilling to attend to the complexities of AI governance. While US efforts have focused on executive orders and policy initiatives, the EU's proactive approach is poised to drive AI enforcement forward.

For CIOs preparing for the AI Act's enforcement, understanding the tools and use cases within their organisations is imperative. By conducting comprehensive inventories and risk assessments, businesses can identify areas of potential non-compliance and take corrective measures. It's essential to recognize that seemingly low-risk AI applications may still pose significant challenges, particularly regarding data privacy and transparency.

Companies like TransUnion are taking a nuanced approach to AI deployment, tailoring their strategies to specific use cases. While embracing AI's potential benefits, they exercise caution in deploying complex, less explainable technologies, especially in sensitive areas like credit assessment.

As the EU AI Act reshapes the regulatory landscape, CIOs must proactively adapt their AI strategies to ensure compliance and mitigate risks. By prioritising transparency, accountability, and ethical considerations, organisations can navigate the evolving regulatory environment while harnessing the transformative power of AI responsibly.



US Department of Energy Receives Dual Ransom Demands Amidst Expanding MOVEit Hack Fallout


The spokesperson for the US Department of Energy (DOE) revealed that the Russia-linked extortion group Cl0p sent ransom requests to both the nuclear waste facility and scientific education facility of the DOE, which were recently targeted in a global hacking campaign. This attack, initially reported on Thursday, affected the DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico, which is responsible for disposing of defense-related radioactive nuclear waste.

The breach occurred through a security flaw in the file transfer tool MOVEit Transfer, a widely-used software for sharing sensitive data among organizations worldwide. Progress Software, the company behind MOVEit Transfer, discovered the security flaw last month, resulting in various victims, including US government departments, the UK's telecom regulator, and energy company Shell.

This incident shows that even security-conscious federal agencies are exposed when a widely used product is mass-exploited. Extortion groups favour such tools precisely because a single vulnerability yields many victims at once, and the MOVEit Transfer campaign illustrates how hard that is for federal agencies to defend against.

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that several federal agencies were affected but noted minimal impact on the federal civilian executive branch. Analysts predict that more victims may emerge in the coming weeks.

The ransom requests to the DOE were sent via individual emails to each facility. The spokesperson did not disclose the demanded amount, but mentioned that the two entities did not engage with Cl0p. Currently, there is no indication that the ransom requests have been withdrawn.

In response to the breach, the DOE has notified Congress and is cooperating with law enforcement and the CISA in their investigations. Cl0p did not respond to requests for comment, but in a post on its website, it said, “WE DON’T HAVE ANY GOVERNMENT DATA” and suggested that should the hackers inadvertently have picked up such data in their mass theft “WE STILL DO THE POLITE THING AND DELETE ALL.”

According to Allan Liska, an analyst from Recorded Future, Cl0p's assertion about deleting government data may be an attempt to safeguard themselves from potential retaliation by Washington and other governments.

US Government Confirms Federal Agencies Affected by MOVEit Breach, Hackers Expand List of Victims


The U.S. government has acknowledged that several federal agencies have been targeted in cyberattacks that exploit a security vulnerability found in a popular file transfer tool.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the intrusions in a statement provided to TechCrunch. The attacks were attributed to the Clop ransomware gang, believed to be linked to Russia. The group recently began revealing the names of organizations it claims to have hacked by exploiting the vulnerability in the file transfer tool, called MOVEit Transfer, developed by Progress Software.

The exact number of affected agencies was not disclosed by CISA, though CNN was the first to report on the attacks. The agencies impacted were not named, but the Department of Energy confirmed that two of its entities were breached. 

The Federal News Network identified Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico as the affected entities. These breaches exposed the personally identifiable information of potentially tens of thousands of individuals, including Energy employees and contractors.

“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” a DoE spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

The Federal Data Procurement System indicates that approximately twelve other U.S. agencies have active contracts for MOVEit software, including the Department of the Army, the Department of the Air Force, and the Food and Drug Administration.

CISA Director Jen Easterly stated in a press conference that the agency is working urgently with the affected agencies to understand the impact and implement timely remediation. Although it is still uncertain if data has been stolen, Easterly mentioned that the intrusions do not appear to be focused on stealing specific high-value information or gaining persistence in targeted systems.

“In sum, as we understand it, this attack is largely an opportunistic one,” Easterly said. “In addition, we are not aware of Clop actors threatening to extort or release any data stolen from U.S. government agencies.”

In an update on their dark web leak site, Clop declared that government data had been erased, and no government agencies have been listed as victims so far.

However, Clop added more victims to their list, claiming that they have compromised organizations such as the Boston Globe, East Western Bank based in California, Enzo Biochem located in New York, and Nuance, an AI firm owned by Microsoft. When contacted, Enzo declined to comment, and the other companies mentioned have not responded to inquiries.

Just a day earlier, Clop had released the initial list of impacted organizations, which included U.S.-based financial services firms 1st Source and First National Bankers Bank, as well as the U.K. energy company Shell.

As new victims are being discovered, Progress Software has rushed to address another vulnerability affecting MOVEit Transfer. The company warned customers in an advisory that this vulnerability, identified as CVE-2023-35708, could result in unauthorized access to customer environments.

The United States has Released its National Cybersecurity Strategy: Here's What you Need to Know

The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

Why does the United States require a National Cybersecurity Strategy?

The world is becoming more complex, and cyber threats are becoming more sophisticated, with ransomware attacks causing millions of dollars in economic losses in the United States. According to IBM, the average cost of a ransomware attack in 2022 was more than $4.5 million. The greatest threats we face are interconnected, raising the prospect of a "polycrisis," in which the overall combined impact of these events exceeds their individual impact.

This is also true of technological risks, where attacks on critical information infrastructure, for example, could have disastrous consequences for public infrastructure and health, or where rising geopolitical tensions increase the risk of cyberattacks.

Cybercrime and cyber insecurity were ranked eighth in terms of severity of impact by risk experts polled for the World Economic Forum's Global Risks Report, both in the short term (the next two years) and over the next decade. According to Google data, state-sponsored cyberattacks targeting NATO users increased by 300% in 2022 compared to 2020. With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.

According to the Forum's Global Cybersecurity Outlook 2023, 93% of cybersecurity experts and 86% of business leaders believe global instability will have a negative impact on their ability to ensure cybersecurity in the future.

As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."

What are the National Cybersecurity Strategy's five pillars?

Because the COVID-19 pandemic has accelerated the world's digital transformation, we rely on connected devices and digital technology to do more than ever before, putting our lives and livelihoods at greater risk from cyber threats.

The US National Cybersecurity Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".

It also aims to strengthen cyberspace resilience by balancing the need to address immediate threats with incentivizing investment in the digital ecosystem's secure, long-term future. Each of the five pillars it establishes is divided into strategic objectives, but here's a quick rundown of what they entail:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals


FBI Admits to Having Acquired US Citizens' Location Data Without a Warrant


According to a Wired report, FBI Director Christopher Wray revealed for the first time at a Senate Intelligence Committee hearing yesterday that the organization has previously acquired the location data of US citizens without obtaining a warrant. 

Although such purchases have become more common and widespread in the roughly five years since the US Supreme Court restricted the government's ability to track Americans' phones without a warrant, the FBI had never before acknowledged making them.

The revelation comes after Sen. Ron Wyden [D-Ore] questioned Wray “Does the FBI purchase US phone-geolocation information?” The response to which alarmed privacy experts. 

“To my knowledge, we do not currently purchase commercial database information that includes location data derived from Internet advertising[…]I understand that we previously—as in the past—purchased some such information for a specific national security pilot project. But that’s not been active for some time,” said Wray. 

The response, though vague and circling the question, gave a clear insight into how the FBI has used location data to monitor US individuals without court oversight.

It is not immediately clear whether Wray was referring to a warrant (a court order authorizing a search on a showing of probable cause that a crime has been committed) or to some other legal instrument. Wray also did not explain why the FBI stopped the practice.

The Supreme Court ruled in the landmark Carpenter v. United States decision that government agencies accessing historical location data without a warrant violate the Fourth Amendment's prohibition on unreasonable searches. But the decision has been interpreted narrowly. Privacy groups argue that it left an obvious gap that lets the government simply buy what it cannot legally compel. The Defense Intelligence Agency and US Customs and Border Protection (CBP) are two federal agencies known to have used this loophole.

When asked during the Senate hearing whether the FBI plans to resume buying location data, Wray said, "We have no plans to change that, at the current time."

According to Sean Vitka, a policy counsel at Demand Progress, a nonprofit focused on national security and privacy reform, the FBI needs to be more forthcoming about the purchase; Vitka called Wray's revelation "horrifying" in its implications. "The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same," says Vitka.

US lawmakers have historically failed to enact a comprehensive privacy law, and most of the proposed bills have deliberately left out the government's own acquisition of US citizens' private data. For example, all law enforcement organizations, and any business "gathering, processing, or transferring" data on their behalf, are excluded from the provisions of the American Data Privacy and Protection Act (ADPPA), which was introduced last year. Wyden and other senators have attempted to tackle the problem head-on with a number of proposals. For instance, the Geolocation Privacy and Surveillance Act has been reintroduced multiple times in Congress since 2011, but it has never been put to a vote.

Protect Your Online Data Now, Rather than Waiting for the Government


The old joke goes, "The opposite of pro is con, so the opposite of progress is Congress." Getting laws proposed and passed can be difficult even in a more relaxed political climate, but the present state of the US Congress makes most new legislation, regardless of content, a difficult sell. That is one of the challenges that government advisers from the cybersecurity industry face when urging politicians to suggest and pass federal data privacy laws. Other obstacles include inconsistent data privacy laws in some US states.

It's long past time for the United States to adopt a law comparable to the EU's General Data Protection Regulation (GDPR). GDPR is a set of stringent rules that govern how EU residents' data is handled, sold, and stored. GDPR protects consumers' privacy and security rights by imposing fines on companies that fail to comply.

I spoke with Wade Barisoff of the cybersecurity firm Fortra last week about the current state of data privacy protections in the United States. Barisoff emphasized the importance of federal data privacy regulations, citing the European Union's GDPR as an effective example.

"GDPR was significant, not only because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled,” Barisoff said, “but also because it was the first legislation with real teeth.”

Consumers in the United States would benefit from federal data privacy regulations that enforce severe penalties on companies that fail to comply. If you live in the United States, you may not have much control over what companies can do with your data once they have it, so lock down your accounts with multi-factor authentication and evaluate the privacy policies of your apps today.

Analyzing Data Breach Statistics

There is little recourse for victims of identity theft in the United States whose data was stolen because a US company failed to report a breach. In the Identity Theft Resource Center's (ITRC) 2022 Data Breach Report, CEO Eva Velasquez noted a significant disparity between the average number of breach notices issued each business day in the US (seven) and the 356 breach notices issued daily in the EU in 2021.

"Common sense tells us that data breaches are underreported in the United States," Velasquez explained in the report. "The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic—a scamdemic—of identity fraud committed with stolen or compromised information."

Based on the Data Breach Report, since most state governments do not require companies to include factual data surrounding data breach incidents, the majority of US-based companies do not publish this information at all. According to the ITRC, businesses may choose not to include the details surrounding these incidents in order to avoid future lawsuits for failing to protect consumer data. LastPass, the embattled password management company, was singled out in the report for failing to explain the details of a 2022 attack in which cybercriminals gained access to its customers' information.

The Legal Status of Data Privacy in the United States

According to Barisoff, data privacy regulation in the United States has a long history in certain industries. In the United States, for example, the Health Insurance Portability and Accountability Act, or HIPAA, was signed into law nearly 30 years ago. It is still used to develop data privacy policies for healthcare organizations. Barisoff told me that going beyond decades-old industry guidelines is difficult because capitalism is such a powerful drug.

"We've never really climbed this mountain yet because data is worth money," Barisoff said. "Google has built its entire empire just on data and understanding what people are doing and selling that. There's more of a focus on capitalism, and there's a lot of powerful players here in the US that basically made their entire company off of private data."
 
Some state legislators are pushing back against tech companies by proposing and passing statewide data privacy legislation. According to Barisoff, these laws are a start, but enforcing them may be difficult. "The only consistency will be that each new law is different," he noted.

This effect is already being felt. Texas sued Google last year, claiming that the company's Photos and Assistant apps violated state biometric privacy laws. In 2016, residents in Illinois filed and won a similar lawsuit against Google. According to Barisoff, the creation, and enforcement of state-by-state data privacy laws makes it more difficult for businesses to comply with regulations.

"As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of 'What’s good for California isn’t good enough for Kansas' creep in,” warned Barisoff. 

"This developing complexity will have a significant impact on organizations operating across the country," he concluded.