136330526
submission
chicksdaddy writes:
Tyler Technologies (https://www.tylertech.com/), the U.S.’s largest provider of software and services to the public sector said on Wednesday that it was hacked by unknown assailants, who gained “unauthorized access” to the company’s IT and phone systems, according to a report by The Security Ledger (https://securityledger.com/2020/09/public-sector-mega-vendor-tyler-technologies-says-it-was-hacked/).
Tyler, which sells software that supports a wide range of public sector functions such as permitting, inspections, 311 systems and utility billing, said that it has hired independent IT experts to investigate the incident. The company’s MUNIS ERP (enterprise resource planning) technology is widely used by local governments across the U.S.
“We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response,” wrote Matt Bieri, the company’s Chief Information Officer in an email obtained by The Security Ledger. Tyler is also working with law enforcement to investigate the issue.
The company’s web page on Thursday displayed a message saying it was “temporarily unavailable.”
In the email message to customers, Bieri said that the company discovered the intrusion Wednesday morning after the intruder “disrupted access to some of our internal systems” – a possible reference to ransomware.
Bieri told customers the intrusion was “limited to our internal network and phone systems” and that the company has “no reason to believe that any client data, client servers, or hosted systems were affected.”
The incident raises concerns that hackers may have used access to Tyler's networks to steal credentials needed to compromise the company's thousands of municipal customers. The average length of time that malicious actors "dwell" on victim networks is 56 days, according to data from the firm FireEye. “If that amount of time goes by, there’s plenty of time to look around for passwords,” said Michael Hamilton, the CISO of CI Security and a former Vice-Chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council.
131042744
submission
chicksdaddy writes:
We've all read the stories about faulty ventilators and the heroic efforts (https://www.fastcompany.com/90484261/this-fuel-cell-company-has-pivoted-to-fixing-old-ventilators-to-give-to-hospitals) of companies like Bloom Energy, a fuel cell manufacturer, to get them back online. One of the less-reported stories of this pandemic is the myriad of ways in which COVID has exposed changes to the medical device market and the increasingly draconian software licensing practices that have made servicing and repairing medical devices much more difficult, slow and expensive. (https://uspirg.org/news/usp/statement-after-public-outcry-ventilator-repair-restrictions-loosen)
In its latest episode, Security Ledger Podcast goes behind the scenes of Project BioMed, an effort headed up by repair site iFixit (https://www.ifixit.com) to democratize access to repair and servicing information for medical devices including (and especially) ventilators and respirators. Kyle Wiens, CEO of iFixit, talks about the critical role played by Biomedical Technicians, who keep hospital equipment up and running, and about the growing efforts by medical device OEMs to deny hospitals and biomeds access to the information they need to service equipment. The podcast also interviews Jonathan Krones, an Assistant Professor at Boston College and one of an army of volunteers, including hundreds of librarians and archivists, who sorted through and cataloged hundreds of thousands of pages of medical device servicing information donated by biomedical technicians as part of the project.
124065996
submission
chicksdaddy writes:
The Security Ledger is reporting (https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/) that more than 50 Emergency Alert System (EAS) devices made by Monroe Electronics (now Digital Alert Systems) are un-patched and accessible from the public Internet, seven years after security researchers alerted the public about security flaws in the devices. (https://ioactive.com/article/ioactive-uncovers-vulnerabilities-in-united-states-emergency-alerting-system/)
More than 50 EAS deployments across the United States still use a shared SSH key, a security vulnerability first discovered and reported by IOActive in 2013, according to a warning posted by the security researcher Shawn Merdinger on January 19, seven years after the initial vulnerability report was issued.
Security Ledger viewed the exposed web interfaces for Monroe/Digital Alert Systems EAS hardware used by two FM broadcasters in Texas and an exposed EAS belonging to a broadband cable provider in North Carolina. Also publicly accessible: EAS systems for two stations (FM and AM) serving the Island of Hawaii. Residents there received a false EAS alert about an incoming ICBM in 2018. That incident was found to be the result of human error (https://www.cnn.com/2018/01/30/us/hawaii-false-alarm-investigation/index.html) but prompted the FCC to issue new guidance about securing EAS systems. (https://docs.fcc.gov/public/attachments/DOC-352524A1.pdf)
Digital Alert Systems said it is aware of the problem and is contacting the customers whose gear is exposed. However, a search using the Shodan search engine suggests that few have taken steps to remove their EAS systems from the public Internet in the past week. Security Ledger is withholding the names of the broadcasters whose EAS systems were exposed for security reasons. None of the stations contacted for the story was able to provide comment prior to publication.
119393190
submission
chicksdaddy writes:
A former employee of the New York based cosmetics giant Estée Lauder is suing the company and a third party benefits firm alleging they breached their fiduciary duty to secure her 401k retirement account after $99,000 was fraudulently distributed from the account without her knowledge, The Security Ledger reports. (https://securityledger.com/2019/11/suit-against-estee-lauder-spotlights-401k-distribution-fraud/)
The case, Naomi Berman vs. Estée Lauder et al. (https://securityledger.com/wp-content/uploads/2019/11/1-main.pdf), comes amid increasing concern about cyber fraud targeting the $5.7 trillion 401k industry, in which more than 100 million Americans participate.
The case hinges on a series of three 401k distributions from Ms. Berman’s Estée Lauder 401k plan in September and October of 2016. Those distributions, for $37,000, $52,000 and $12,000, were sent by Lauder’s plan administrator, Alight Solutions LLC, to three separate bank accounts. Berman only learned of the distributions after receiving mailed 401k statements from the administrator. Subsequent efforts by Berman to get Alight, which ran the plan’s web portal, and Estée Lauder to investigate the transfers and restore the stolen funds were fruitless.
401k accounts are particularly vulnerable to fraud, because they are typically not accounts that account holders interact with frequently, according to Teresa Renaker, an attorney who is representing Ms. Berman in her case against Estée Lauder and Alight. “You don’t check your 401k every day or even every month,” she noted. Plans are only required to mail statements every quarter. “Indeed, participants are generally advised to leave their 401k accounts alone,” Renaker said.
In the case of Ms. Berman, who worked for Estée Lauder’s MAC Cosmetics subsidiary from 1998 to 2006, the complaint alleges that she did not learn of the distributions until all three had taken place. After notifying the plan administrator of the fraud, Ms. Berman made at least 23 calls to the administrator’s Customer Service Center regarding the unauthorized distributions between October 24, 2016, and January 2, 2017. Eventually, the Customer Service Center informed Ms. Berman that it had completed its investigation, that no money had been recovered, and that her Lauder Plan account would not be made whole for the losses. That's unusual, said Renaker and others: plan administrators have historically opted to make fraud victims whole when unauthorized distributions happen. And the change in approach has some worried about what might be coming.
An analysis by Washington D.C. based Groom Law Group (https://www.groom.com/resources/new-case-raises-difficult-questions-about-erisa-remedies-for-401k-account-thefts/) said the facts of the Berman case “expose some ugly truths” for the 401k industry “about the potential vulnerability of 401(k) plan assets to theft.” In such cases, Groom noted, the fraudsters “typically have acquired sufficient amounts of personal information about the participant to penetrate security protocols.” Historically, 401k plan administrators and record keepers have responded to such fraud incidents by making the victim whole without involving distributions from the plan itself. As Groom notes, the Berman case may suggest that “at least for some plan service providers, the willingness to cover fraudulent withdrawals may have run out.”
118703100
submission
chicksdaddy writes:
Uncle Sam’s supply chain woes just got a lot worse. A complaint unsealed by the U.S. District Court for the Eastern District of New York (https://www.justice.gov/usao-edny/pr/aventura-technologies-inc-and-its-senior-management-charged-fraud-money-laundering-and) alleges that Aventura Technologies, a Long Island firm, sold more than $88 million worth of Chinese-made security equipment to the U.S. government for more than a decade, including networked surveillance cameras used in military bases and U.S. Department of Energy facilities.
A 56-page complaint unsealed in the U.S. District Court for the Eastern District of New York (https://www.justice.gov/usao-edny/press-release/file/1215951/download) names seven individuals employed by Aventura Technologies of Commack, Long Island as participants in a years-long scheme that sold Chinese security hardware to a wide range of U.S. government agencies including the U.S. Army, Navy and Air Force, as well as the Department of the Treasury. In all, the company sold technology across more than 60 contracts with the U.S. Government.
The DOJ outlines an extensive fraud, including import fraud, defrauding the government and money laundering. The government arrested six individuals on Thursday. The government also seized a 70-foot luxury yacht and froze approximately $3 million in 12 financial accounts, according to a statement.
Though Aventura claimed in its dealings with the U.S. Government that its cameras, night vision cameras, turnstiles and other technology were manufactured in a factory in New York, they were actually sourced from a range of manufacturers in China, some with ties to the Chinese government.
Cameras manufactured in China were outfitted with Aventura’s logo and the phrase “Made in USA” before being resold to U.S. government agencies. Cabasso and others took extensive measures to conceal the source of the hardware, urging their partners in China to remove the manufacturer’s name from circuit boards and communications sent between client and server software used by its networked cameras and other equipment.
113584000
submission
chicksdaddy writes:
Hardware vendors like D-Link, NETGEAR and Linksys frequently claim that security is their top priority, but The Security Ledger reports (https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/) that a survey of more than 6,000 firmware images from those device makers and more than a dozen others found lax security standards for the software running connected devices and no improvement in firmware security over the past 15 years.
“Nobody is trying,” said Sarah Zatko, the Chief Scientist at the Cyber Independent Testing Lab (CITL) (https://cyber-itl.org/), a non-profit organization that conducts independent tests of software security. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said.
Zatko presented the findings of CITL’s extensive study in Las Vegas on Friday on the sidelines of the Black Hat and DEF CON conferences at an event hosted by The Hewlett Foundation (https://hewlett.org/). CITL was started by Sarah and her husband Peiter (aka “Mudge”) Zatko. It bills itself as a kind of “Consumer Reports” for cyber security, partnering with that organization as well as The Ford Foundation, The Digital Standard and online payments firm Stripe.
In what it bills as the "first longitudinal study of IoT software safety," the CITL study surveyed firmware from 18 vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018.
CITL researchers studied publicly available firmware images and evaluated them for the presence of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards, which prevent buffer overflow attacks.
The results were not encouraging. Time and again, firmware from popular brands failed to implement basic security features as part of the software build process — even when researchers studied the most recent versions of the firmware.
The use of stack guards to protect against buffer overflow attacks and non-executable stacks to protect against “stack smashing" and address space layout randomization (ASLR) was rare, even though such features are a standard part of modern operating systems and software applications.
CITL's security tests were not comprehensive — just the opposite. “Stack guards and buffer overflow protection are the canaries in the coal mine,” she said: basic protections that all software should employ. The absence of even basic protections suggests that the tested firmware may contain more serious vulnerabilities and that firmware security is years behind the security of applications like Windows, OS X or Google Chrome and Firefox.
“These are the seatbelts and airbags of the software world. These numbers are unheard of in operating systems or (Web) browsers. It’s just a sign that they’re not trying,” Zatko said.
Even worse, CITL researchers found no clear progress in any protection category over time, said Zatko. Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better, CITL said.
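The three build-time mitigations the CITL study scored (a non-executable stack, ASLR via a position-independent binary, and a stack guard) can be read directly out of an ELF binary's headers, which is how a defender would spot-check a vendor's firmware before deploying it. The following Python script is an added example, not CITL's tooling and not code from the submission: it constructs a few minimal ELF64 images with chosen settings, reports which mitigations each carries, and tallies score rises and drops across a version sequence the way the study counted positive and negative changes. The sample images, the function names (build_elf, analyze_elf, score_change, count_changes) and the simple three-point score are assumptions made here for illustration. Two caveats are built in as assumptions: the canary test is a byte-scan heuristic for the __stack_chk_fail reference rather than a proper symbol-table lookup, and an image with no PT_GNU_STACK header is treated as having an executable stack, which is the loader's fallback. A real firmware image is usually a filesystem holding many binaries, so a full tool would unpack it and run this check per binary.

```python
import struct

# ELF64, little-endian, as produced by the common Linux cross toolchains.
EHDR_FMT = "<16sHHIQQQIHHHHHH"          # ELF header
PHDR_FMT = "<IIQQQQQQ"                  # program header entry
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64 bytes
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56 bytes

ET_EXEC, ET_DYN = 2, 3                  # fixed-address executable / position-independent
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EM_X86_64 = 62


def build_elf(pie: bool, stack: str, canary: bool) -> bytes:
    """Constructed sample image (not a real firmware binary) with the chosen
    mitigation settings. stack is "nx", "exec" or "absent" (no PT_GNU_STACK)."""
    body = b"\x90" * 16 + (b"__stack_chk_fail\0" if canary else b"puts\0")
    nph = 1 + (stack != "absent")
    total = EHDR_SIZE + PHDR_SIZE * nph + len(body)
    base = 0 if pie else 0x400000
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, base, base, total, total, 0x1000)]
    if stack != "absent":
        flags = PF_R | PF_W | (PF_X if stack == "exec" else 0)
        phdrs.append((PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1,
                       0, EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, nph, 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + body


def analyze_elf(image: bytes) -> dict:
    """Report the three build-time mitigations from the headers alone."""
    if len(image) < EHDR_SIZE or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    hdr = struct.unpack_from(EHDR_FMT, image, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    gnu_stack = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR_SIZE > len(image):
            raise ValueError("truncated program header table")
        p_type, p_flags = struct.unpack_from("<II", image, off)
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags

    findings = {
        # No PT_GNU_STACK at all: the loader falls back to an executable stack.
        "nx": gnu_stack is not None and not (gnu_stack & PF_X),
        # ET_DYN means the image can be loaded at a random base (ASLR for the
        # binary itself). Shared libraries are ET_DYN too, so a real tool
        # would also look at e_entry or the dynamic section.
        "pie": e_type == ET_DYN,
        # Heuristic: a stack-protector build references __stack_chk_fail.
        "canary": b"__stack_chk_fail" in image,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


def score_change(old: bytes, new: bytes) -> int:
    """Signed change in mitigation count between two firmware versions."""
    return analyze_elf(new)["score"] - analyze_elf(old)["score"]


def count_changes(versions: list) -> tuple:
    """Count score rises and drops across versions in release order, the
    way the study tallied positive and negative changes over time."""
    pos = neg = 0
    for old, new in zip(versions, versions[1:]):
        delta = score_change(old, new)
        pos += delta > 0
        neg += delta < 0
    return pos, neg


if __name__ == "__main__":
    weak = build_elf(pie=False, stack="absent", canary=False)
    hardened = build_elf(pie=True, stack="nx", canary=True)
    regressed = build_elf(pie=False, stack="exec", canary=True)
    for name, img in [("weak", weak), ("hardened", hardened), ("regressed", regressed)]:
        print(name, analyze_elf(img))
    print("positive/negative changes:", count_changes([weak, hardened, regressed]))
```

Pointing analyze_elf at a real binary is a matter of reading the file into bytes; the constructed images exist only so the script runs offline. The "regressed" sample is the case the study's negative-change count captures: a later build that still references the stack protector but ships a fixed-address image with an executable stack.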
112786164
submission
chicksdaddy writes:
Serious and exploitable security flaws in VxWorks, a commonly used operating system for embedded devices, span 13 years and could leave billions of connected devices vulnerable to remote cyber attacks and hacks, The Security Ledger reports. (https://securityledger.com/2019/07/critical-flaws-in-vxworks-affect-billions-of-connected-things/)
The security firm Armis on Monday published a warning (https://armis.com/urgent11/) about 11 critical, zero day vulnerabilities in the VxWorks operating system, which is owned and managed by the firm Wind River. (https://www.windriver.com/products/vxworks/) The vulnerabilities were found in VxWorks’ implementation of TCP/IP. They affect more than 200 million devices and billions of deployed endpoints. They could allow attackers to remotely take control of everything from networked printers and security appliances to industrial and medical devices, according to Ben Seri, the Vice President of Research at Armis.
At least a couple of the flaws were described as “more serious” than EternalBlue, the Microsoft Windows flaw that powered both the WannaCry and NotPetya malware outbreaks. (https://politics.slashdot.org/story/17/08/11/233200/russian-group-that-hacked-dnc-used-nsa-attack-code-in-attack-on-hotels)
Six of the 11 flaws discovered by Armis are so-called “remote code execution” or “RCE” flaws, which are considered among the most dangerous kinds of software hole, as they allow remote attackers to place and execute their own code on vulnerable devices. The remaining flaws are a mix of denial of service flaws, information leak vulnerabilities and other lower risk security holes.
SCADA and industrial control system devices, healthcare devices like patient monitors and MRI machines, as well as networking equipment, networked printers and VOIP phones are all potentially vulnerable to the flaws, Armis said in a blog post Monday.
110970722
submission
chicksdaddy writes:
In comments submitted to the Federal Trade Commission, Microsoft Corp. is arguing that repairing its devices could jeopardize the cyber security of the Trusted Platform Module (TPM) security chip. Don’t believe them.
The argument comes in an unsigned letter (https://securepairs.org/wp-content/uploads/2019/06/MSFT-COMMENT.pdf) to the FTC from Microsoft and dated May 31st. The statement was submitted ahead of Nixing the Fix (https://www.ftc.gov/news-events/events-calendar/nixing-fix-workshop-repair-restrictions), an FTC workshop on repair restrictions that is scheduled for mid-July.
Microsoft was one of a number of companies that submitted comments to the Commission critical of so-called “right to repair” laws proposed in 20 states (https://uspirg.org/news/usp/california-becomes-20th-state-2019-consider-right-repair-bill) this year. They would legally mandate that manufacturers make diagnostic information, tools and replacement parts available to owners and independent repair professionals.
“The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity,” Microsoft wrote. “If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers’ data and control of the device would be at risk,” the company wrote. “Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network.”
Firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that’s just hot air. They have no data to back up those assertions and there’s no way that their repair technicians are more trustworthy than owners, themselves.
As for the underlying argument about repair threatening Microsoft’s device security model? Well, that’s wrong, also, according to securepairs.org, a group of information security professionals who support the right to repair. (https://securepairs.org/)
There’s nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM.
After all, TPMs are in Dell computers. Dell makes diagnostic software and diagnostic codes (https://www.dell.com/support/home/us/en/04/quicktest) and schematics available for their hardware and I haven’t heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.
As securepairs points out: if Microsoft wants to make devices that nobody can service and repair without breaking their security model, they’re entitled to do that. They can make Surface Pros so hardened and tamper proof that merely opening them will destroy them. What they can’t do is make devices that are repairable, and then lock out everyone but their own service technicians. In short: if it’s safe and possible for a Microsoft authorized technician to service a Surface Pro, then it is safe and possible for an owner of the device to do so, or an independent repair technician. Full stop.
110507314
submission
chicksdaddy writes:
Implicit bias among security workers poses a real risk to industry, prompting cyber security workers to misinterpret critical data and reach incorrect decisions based on that data, a new study by the firm Forcepoint (https://www.forcepoint.com) warns.
Well documented flaws in human reasoning such as confirmation bias, aggregate bias and availability bias can lead security workers to make misinformed decisions about threats or reach inaccurate conclusions based on the information and data their tools provide them. That, in turn, could leave their organizations vulnerable to attack, or make it difficult to properly respond to cyber attacks and other incidents, according to the report, which warns organizations not to overlook bias when interpreting security data.
The report (https://www.forcepoint.com/sites/default/files/resources/files/report_thinking_about_thinking_cybersecurity_bias_en.pdf), by research scientist Dr. Margaret Cunningham of Forcepoint’s X-Labs, examines the role of six common biases in cybersecurity decision-making and offers guidance on how to identify and avoid them using applied insight.
“Decision-making is central to cybersecurity–from regular end users and coworkers who are sharing our network, to people working in (security operations centers), to organizational leaders who deal with purchasing security solutions and hiring security personnel. It is critical to understand that everyone, from novices to experts, is subject to cognitive bias,” said Cunningham in an email interview with The Security Ledger (https://securityledger.com/2019/06/cognitive-bias-is-the-threat-actor-you-may-never-detect/).
108512916
submission
chicksdaddy writes:
Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. (https://securepairs.org/top-cybersecurity-experts-stand-up-for-digital-right-to-repair/)
The experts have launched securepairs.org (https://www.securepairs.org), a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols. Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios (@xssniper) of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel.
Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.
“False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws,” said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger (https://www.securityledger.com), an independent cyber security blog. “Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future.”
“As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws,” said Joe Grand of Grand Idea Studio (https://www.grandideastudio.com/), a hardware hacker and embedded systems security expert.
The group will counter a stealthy but well-funded industry effort to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center (https://securityledger.com/2018/02/new-lobbying-group-fights-right-repair-laws/) which has enlisted technology industry executives and academics to write opinion pieces (https://www.sctimes.com/story/opinion/2019/04/22/keep-repair-secure/3502493002/) casting right to repair laws as a giveaway to cybercriminals.
Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.
107488520
submission
chicksdaddy writes:
The grandson of Theo Brown, a legendary engineer and inventor for John Deere who patented, among other things, the manure spreader (https://patentimages.storage.googleapis.com/54/ff/82/f0394b8734e070/US1139482.pdf) is calling out the company his grandfather served for decades for its opposition to right to repair legislation being considered in Illinois.
In an opinion piece published by The Security Ledger entitled "My Grandfather's John Deere would support Our Right to Repair," (https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/), Willie Cade notes that his grandfather, Theophilus Brown is credited with 158 patents (https://patents.google.com/?inventor=Theophilus+Brown), some 70% of them for Deere & Co., including the manure spreader in 1915. His grandfather used to travel the country to meet with Deere customers and see his creations at work in the field. His hope, Cade said, was to help the company's customers be more efficient and improve their lives with his inventions.
In contrast, Cade said the John Deere of the 21st Century engages in a very different kind of business model: imposing needless costs on their customers. An example of this kind of rent seeking is using software locks and other barriers to repair — such as refusing to sell replacement parts — in order to force customers to use authorized John Deere technicians to do repairs at considerably higher cost and hassle. "It undermines what my grandfather was all about," he writes.
Cade, who founded the Electronics Reuse Conference (https://www.ereuseconference.com/), is supporting right to repair legislation that is being considered in Illinois (https://illinoispirg.org/feature/ilp/right-repair) and opposed by John Deere and the industry groups it backs.
"Farmers who can’t repair farm equipment and a wide spectrum of Americans who can’t repair their smartphones are pushing back in states across the country."
106541108
submission
chicksdaddy writes:
New Hampshire lawmakers got an early taste last week of the arguments that manufacturing, technology and telecommunications lobbyists will use to try to hobble and defeat right to repair legislation in 16 states this year, The Security Ledger reports (https://securityledger.com/2019/02/in-granite-state-industry-groups-paint-dark-picture-of-right-to-repair/). Their message: 'Be afraid. Be very afraid.'
The bill, HB 462 (https://legiscan.com/NH/text/HB462/id/1842976), is sponsored by NH Rep. David Luneau (http://www.gencourt.state.nh.us/house/members/member.aspx?member=377307), an MIT graduate with degrees in Electrical Engineering and Computer Science. It is similar in scope to right to repair bills filed in 16 other states, from Massachusetts to Hawaii (https://r2rsolutions.org/news/update-tracking-right-repair-legislation-across-50-states/). It would require original equipment manufacturers (OEMs) that do business in New Hampshire to make the same documentation, parts and tools available to device owners and independent repair professionals as they make available to their licensed or “authorized” repair professionals. Documentation, tools, and parts needed to reset product (software) locks or digital rights management functions following maintenance and repair would also need to be made available to owners and independent repair professionals on “fair and reasonable terms.”
But that didn't stop industry groups and their lawyers from arguing that there will be dark times in the Granite State should the bill become law. At a hearing of the NH House's Commerce and Consumer Affairs Committee, lawmakers heard that curious children could find themselves dismembered by run-away washing machines. Industry reps warned that illegally modified lawn tractors and leaf blowers could belch pollution in defiance of the EPA.
Representatives from a wide range of industries opposing the legislation filled a small hearing room in the New Hampshire state house. They included the Association of Equipment Manufacturers, wireless industry group CTIA, TechNet, the technology industry lobby, the Association of Home Appliance Manufacturers (AHAM) and more. Their message: repairs performed by the owners of lawn equipment, electronics and home appliances or independent repair professionals carry serious economic, safety and security risks.
Christina Fisher, the Executive Director for Massachusetts and the Northeast at technology industry lobby TechNet said the right to repair bill was “legislation in search of a problem." The servicing of home security and other smart devices make repair a “life or death” issue, she warned, adding that New Hampshire would be branded an “anti competitive” state if it passed the law.
“There is a lot at stake when it comes to Right to Repair, and you could feel those stakes in the room,” Nathan Proctor, the head of the right to repair campaign (https://uspirg.org/feature/usp/right-repair) at the US Public Interest Research Group (PIRG), told The Security Ledger. “Legislators have their work cut out for them sifting through all the frantic opposition and their deceptive, and at times bizarre, arguments,” he wrote.
Right to repair legislation was defeated in 17 states in 2018 (https://repair.org/legislation/), with most bills failing to make it out of committee. The same forces are lining up to square off against the legislation in 2019, said Gay Gordon-Byrne of the Repair Coalition (https://www.repair.org).
“There is the same opposition, same arguments, and often the same lobbyists at all of these hearings,” wrote Gay Gordon-Byrne, Executive Director of the Repair Association in an email. “The larger problem is not the lobbyist testimony at hearings, which are often laughable, but the behind the scenes damage done by opposition.”
106251684
submission
chicksdaddy writes:
The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret, The Security Ledger reports (https://securityledger.com/2019/02/secrecy-reigns-as-nerc-fines-utilities-10m-citing-serious-cyber-risks/).
In a heavily redacted 250 page regulatory filing (https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_FinalFiled_NOP_NOC-2605_Part%201.pdf), NERC fined undisclosed companies belonging to a so-called “Regional Entity” $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.’s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a “serious risk” to the operation of the Bulk Power System and 62 were rated a “moderate risk.” Together, the “collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System),” NERC wrote.
The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia’s use of cyber attacks to cause social disruptions, citing that country’s campaign against Ukraine’s electric infrastructure in 2015 and 2016. (https://www.lawfareblog.com/intel-chiefs-testify-global-threats-cybersecurity-and-elections)
The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers.
However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to “manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter” are rated a serious risk. So too are violations of CIP requirements calling for covered entities to “implement and document” access controls for “all electronic access points to the Electronic Security Perimeter(s).” Specific requirements that were violated suggest that the companies failed to implement access controls that “denies access by default,” “enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter,” and ensure the authenticity of parties attempting to remotely access the company’s “electronic security perimeter.”
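The three requirements quoted above (deny by default, permit only documented required ports and services, and authenticate remote parties) can be checked mechanically against an access point's ruleset. The following is an added example written for this page, not code from NERC, the filing, or any utility; the rule format, the perimeter address range, the required-services list and both sample rulesets are constructed assumptions.

```python
"""Audit a constructed Electronic Access Point (EAP) ruleset against the three
CIP-style expectations quoted in the article. Everything here is an assumption
made for illustration: the Rule format, the perimeter range and the rulesets."""
import ipaddress
from dataclasses import dataclass

# Assumed address range inside the Electronic Security Perimeter (ESP).
ESP = ipaddress.ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR, or "any"
    proto: str               # "tcp", "udp" or "any"
    dst_port: str            # destination port as a string, or "any"
    justification: str = ""  # documented operational or monitoring need
    auth: str = "none"       # how the remote party is authenticated: "none", "password", "mfa"


def _outside_esp(src: str) -> bool:
    """True when the rule admits traffic originating outside the perimeter."""
    if src == "any":
        return True
    return not ipaddress.ip_network(src).subnet_of(ESP)


def audit_eap(rules, required_services):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []

    # 1. Deny by default: the ruleset must end with an explicit deny-all.
    if not rules or not (rules[-1].action == "deny" and rules[-1].src == "any"
                         and rules[-1].proto == "any" and rules[-1].dst_port == "any"):
        findings.append("ruleset does not end with an explicit deny-all (no deny-by-default)")

    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # 2. Only ports and services documented as required may be enabled.
        if r.proto == "any" or r.dst_port == "any":
            findings.append(f"rule {i}: permits any protocol/port")
        elif (r.proto, r.dst_port) not in required_services:
            findings.append(f"rule {i}: {r.proto}/{r.dst_port} is not a documented required service")
        if not r.justification:
            findings.append(f"rule {i}: no documented justification")
        # 3. Remote access from outside the ESP must authenticate the caller strongly.
        if _outside_esp(r.src) and r.auth != "mfa":
            findings.append(f"rule {i}: remote access from {r.src} without strong authentication (auth={r.auth})")
    return findings


# Constructed list of services the site has documented as required.
REQUIRED_SERVICES = {("tcp", "443"), ("udp", "161"), ("tcp", "22")}

# Constructed ruleset with the kinds of defects the filing describes.
WEAK_RULESET = [
    Rule("allow", "any", "tcp", "23"),                                    # undocumented, open to the world
    Rule("allow", "10.10.5.0/24", "any", "any", "ops convenience"),       # blanket allow from control LAN
    Rule("allow", "192.0.2.0/24", "tcp", "22", "vendor support", auth="password"),
]

# Constructed ruleset that satisfies all three checks.
HARDENED_RULESET = [
    Rule("allow", "10.10.5.0/24", "tcp", "443", "HMI web access from control LAN"),
    Rule("allow", "10.10.9.10/32", "udp", "161", "SNMP polling by monitoring server"),
    Rule("allow", "192.0.2.10/32", "tcp", "22", "vendor support via jump host", auth="mfa"),
    Rule("deny", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {audit_eap(ruleset, REQUIRED_SERVICES) or ['no findings']}")
```

The checker reads the ruleset in order and treats only a trailing explicit deny-all as satisfying deny-by-default, because a firewall whose implicit policy happens to be deny is not documented and is easy to change silently; the required-services set plays the role of the documented inventory the CIP text calls for.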
105670670
submission
chicksdaddy writes:
What's the US Army doing advertising for a signals intelligence analyst to work out of St. Petersburg, Russia? (https://www.linkedin.com/jobs/search/?keywords=US%20Army%20Intelligence%20Analyst%20&location=Russian%20Federation&locationId=ru%3A0) No, it's not Glasnost or a thawing in US-Russian relations — just a weird pattern of behavior spotted by researchers at the firm Evolver (https://evolverinc.com/is-your-company-hiring-in-russia-without-knowing-it-linkedin-job-postings-and-the-associated-cyber-risk/) that LinkedIn has yet to explain.
As reported by The Security Ledger (https://securityledger.com/2019/01/that-other-moscow-sketchy-linkedin-job-posts-mix-us-russian-locales/), LinkedIn ads with Russian locales have been spotted in association with open positions at a wide range of firms, from the State of Florida to defense contractor General Dynamics to Enterprise Medical Service (https://www.enterprisemed.com/), a medical office in Moscow...Idaho, on the border with Washington State.
Location appears to be the common thread. Firms affected have job openings in US cities with Russian namesakes, including St. Petersburg, Florida, Moscow, Idaho and others.
Chip Block of Evolver said the purpose of the bogus ads is unclear, but seems suspicious, if not malicious. “We are pretty sure this is a man-in-the-middle data capture scheme,” he told Security Ledger. “If you go to the links, you are asked to enter your e-mail before being redirected to the job site. This is not being done by LinkedIn, but someone external. Someone is using this to capture emails and create potential targets,” he said.
LinkedIn said it is investigating “a potential issue with our job ingestion tool that seems to have incorrectly assigned the location of a job post on a small number of job listings."