CISA's Krebs in the Spotlight During Voting Battles
Microsoft, Adobe push out patches, Microsoft engineer sentenced for stealing $10M, TikTok demands divestiture timeline answers, Ragnar Locker gang hacked FB account to run ads, PLATYPUS can steal keys
The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs, is in the spotlight this week during the protracted and highly contentious presidential election vote counting, as he tries to deprive some of the more prominent voter fraud conspiracy theories of oxygen. He’s also receiving many accolades for his term as the first head of the independent cybersecurity agency. And he’s the subject of some concern that Donald Trump might boot him out in his last-gasp purge of competent government officials.
Earlier this week, David Sanger and Julian Barnes of the New York Times had this piece on how the much-feared cyberattacks against the election never materialized this go-around, citing unnamed bipartisan officials who give Krebs kudos for prioritizing network hardening against potential hackers during his four-year tenure. (Sanger gave another nod to Krebs in the immediate aftermath of election day for being the voice of reason urging everyone to “keep calm and count the votes.”) Natasha Bertrand at Politico wrote a deeper dive on Krebs highlighting his use of CISA’s Rumor Control website and his personal Twitter account to counter fringe beliefs, including one about a computer called Hammer and a program called Scorecard that, according to some conspiracists, purportedly sucks away votes from Trump.
Krebs’ public correction of these feverish and false ideas is a dicey proposition for a high-profile government official given that his boss is pushing misinformation that casts doubt on the election. Maybe that’s why so many experts have taken to Twitter to advocate on his behalf.
Room Rater (@ratemyskyperoom): Maltese falcons. Books. Making the internet safer. Pineapple for the 10/10. @CISAKrebs https://t.co/BuzHEvrI6a
Constanze Stelzenmüller (@ConStelz): How one DHS agency is swatting down voter-fraud claims in real time https://t.co/FvyEmcFuN9 via @politico
Despite fears that Krebs could meet the same fate as other officials while Trump continues on his expulsion spree, Bertrand suggests that Krebs, a former lobbyist for Microsoft, might be seeking greener pastures anyway. According to her piece, it’s unlikely he will stay in the government under a Biden Administration but is willing to stay at least through the transition to help out his successors.
Microsoft and Adobe Push Out a Bundle of Fixes on Patch Tuesday
Microsoft and Adobe both pushed out many security updates on Patch Tuesday, with Microsoft issuing fixes for 112 separate flaws, including a zero-day vulnerability. Seventeen of Microsoft’s fixes were for critical flaws. The patch for the zero-day flaw was for CVE-2020-17087, which was already seeing active exploitation and was exposed by Google’s Project Zero because it was being exploited together with a Chrome zero-day to target Windows 7 and Windows 10 users.
This month marked the first time that Microsoft changed how it reports its security advisories, a shift that brought some criticism from security professionals for stripping away pertinent information.
Adobe issued updates to plug at least 14 security holes in Adobe Acrobat and Reader, with no security updates for its always problematic Flash player. Adobe plans to retire Flash by year-end. (Brian Krebs / Krebs on Security)
Former Microsoft Engineer Sentenced to Nine Years for Stealing $10 Million From Company
Former Microsoft engineer Volodymyr Kvashuk received a nine-year prison sentence for stealing $10 million from his employer Microsoft after a jury convicted him of five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud. According to testimony, Kvashuk used his testing privileges to steal "currency stored value" such as digital gift cards and then sold them on the internet, using the proceeds to purchase a $1.6 million lakefront home and a $160,000 Tesla. (Campbell Kwan / ZDNet)
TikTok Files Suit for Answers From Trump Administration About Divestiture Deadline
Popular video app TikTok, which the Trump administration this past summer sought to ban in the U.S. or, failing that, force to sell itself to a U.S. firm, filed a petition in a U.S. Court of Appeals calling for a review of actions by the Trump administration’s Committee on Foreign Investment in the United States (CFIUS). CFIUS set a November 12th deadline for TikTok to divest itself, and TikTok filed for a 30-day extension of that deadline. TikTok claims it still hasn’t heard from the committee in weeks about the deadline for Chinese parent company ByteDance to sell off its U.S. assets. (Sam Byford / The Verge)
Ragnar Locker Ransomware Operators Hacked Into Facebook Account to Advertise Their Attack on Campari
The ransomware operators behind Ragnar Locker hacked into a Facebook advertiser's account and began creating advertisements promoting their attack on beverage company Campari Group. Campari suffered an attack last week when the cybercriminals stole 2 TB of unencrypted files before encrypting the company’s network and demanding $15 million in ransom. The Facebook ad rebuffed Campari’s statement that it couldn’t rule out the theft of data in the attack, saying, “This is ridiculous and looks like a big fat lie,” and “We can confirm that confidential data was stolen and we talking about huge volume of data.” The ad was unwittingly paid for by a DJ in Chicago named Chris Hodson, who said the attackers running the campaign budgeted $500 for it. (Brian Krebs / Krebs on Security)
Related: Bleeping Computer
New Side-Channel Attack PLATYPUS Can Steal Crypto Keys From Intel CPUs
A new side-channel attack called PLATYPUS can remotely steal cryptographic keys from Intel CPUs, even when the code runs inside Software Guard Extensions (SGX) enclaves, according to an international team of researchers led by Moritz Lipp of the Graz University of Technology. PLATYPUS attacks an Intel interface known as RAPL, or the Running Average Power Limit, which lets users monitor and control the energy flowing through CPUs and memory. In response to the researchers’ findings, Intel said it would make key changes to RAPL. (Dan Goodin / Ars Technica)
Other Infosec Developments
The European Union issued stricter rules regarding the sale of surveillance technology, including facial recognition and spyware. Negotiations for the tighter strictures have been going on for years, and the European Parliament will have to approve the new rules, which, among other things, require companies to secure licenses to sell the technology. (James Farrell / Silicon Angle)
Starting in January 2021 with Chrome 88, Google will deploy a new security feature in Chrome to prevent a certain kind of tab-nabbing, a type of web attack that allows newly opened tabs to hijack the original tab from which they were opened. The kind of tab-nabbing that Google specifically seeks to stop is one that has been abused by phishing campaigns over the years. (Catalin Cimpanu / ZDNet)
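As an added example (not code from the article, Google, or Chrome): the browser-independent mitigation for this kind of tab-nabbing is `rel="noopener"` on every `target="_blank"` link, which is what Chrome 88 makes the default; without it the new tab keeps a `window.opener` reference to the page that opened it. The helper below, with its own constructed function names and regexes, applies that attribute to an HTML fragment (rendered Markdown, user-submitted content) before it is served, so older browsers get the same protection.

```javascript
// Added example: enforce rel="noopener" on every target="_blank" anchor in an HTML
// fragment. Intended for well-formed markup such as a Markdown renderer's output;
// it is an attribute rewrite, not a full HTML parser.

const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Parse the attribute text of one tag into a lowercase-name -> value map.
// Tolerates double-quoted, single-quoted and unquoted values.
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Returns the hardened HTML and how many anchors were changed.
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    // Only links that open a new browsing context hand out window.opener.
    if ((attrs.get('target') || '').toLowerCase() !== '_blank') return tag;
    const rel = new Set(
      (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean)
    );
    if (rel.has('noopener')) return tag; // already safe, leave untouched
    rel.add('noopener');
    const relValue = Array.from(rel).join(' ');
    // Replace an existing rel attribute in place, or append one.
    const newAttrText = attrs.has('rel')
      ? attrText.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `$1rel="${relValue}"`)
      : `${attrText} rel="${relValue}"`;
    fixed += 1;
    return `<a${newAttrText}>`;
  });
  return { html: out, fixed };
}

// Constructed sample input: one unsafe link, one same-tab link, one with an
// unrelated rel value, and one already hardened.
const SAMPLE = '<p><a href="https://example.com" target="_blank">x</a> ' +
  '<a href="/local">y</a> <a target="_blank" rel="nofollow" href="https://a.example">z</a> ' +
  '<a target="_blank" rel="noopener" href="https://b.example">w</a></p>';

module.exports = { parseAttrs, hardenBlankLinks, SAMPLE };
```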
Machine learning-based device security company SentinelOne has raised $267 million in a funding round led by Insight Partners and Third Point Ventures, with participation by Sequoia, Tiger Partners, and Qualcomm Ventures. (Ingrid Lunden / TechCrunch)
Google’s crack team of researchers at Project Zero found and disclosed last week at least seven critical vulnerabilities, all related to one another, in Chrome, Android, Windows, and iOS, but has yet to publicly disclose who may have been using them and who may have been targeted. Apple issued an update for the iPhone 5 and 6 to address the flaws, which some security experts take as a sign of how serious the flaws are. Microsoft issued updates yesterday to address one of the flaws. (Lorenzo Franceschi-Bicchierai / Motherboard)
Newly Discovered Must-Listen Podcast
When we pulled together our cybersecurity podcast list, we overlooked a hidden gem: the Hack the Plant podcast by Bryson Bort at the R Street Institute, which examines each month the digital threats to critical infrastructure systems in the U.S. Take a listen, and, for our premium subscribers, check out the details in our newly updated list.
Photo by Ajay Pal Singh Atwal on Unsplash