Leak suggests US Government is fibbing over FEMA security failings


Infosec in brief On August 29, the US Federal Emergency Management Agency fired its CISO, CIO, and 22 other staff for incompetence but insisted it wasn't in response to an online attack. New material suggests FEMA's claim may be false.

According to DHS Secretary Kristi Noem, an audit found serious security problems at FEMA and revealed that "entrenched bureaucrats" had lied about the agency's security preparedness.

"These deep-state individuals were more interested in covering up their failures than in protecting the Homeland and American citizens' personal data, so I terminated them immediately," she said.

Crucially, Noem said no data had been lost, but it appears that's not the case. According to a presentation passed to Nextgov, attackers broke into FEMA in June using stolen credentials to access a Citrix system. The attackers then exfiltrated data from FEMA's Region 6 servers, covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas. According to the documents, FEMA didn't discover the intrusion until July.

By July, the Cybersecurity and Infrastructure Security Agency was telling agencies to patch against so-called CitrixBleed 2 attacks, which exploited a CVSS 9.3 bug in NetScaler ADC and Gateway that allows miscreants to steal sensitive data such as session tokens and so bypass multi-factor authentication. There were warnings that the bug was being exploited back in June, but it seems they weren't heeded.

Now, it appears, FEMA's IT department is getting a complete makeover, with new staff brought in last month to fix lax security. Agency bosses instructed staff to change passwords and enable multi-factor authentication for their accounts.

PAN, PAN, PAN! Brace for impact

If you're running Palo Alto Networks GlobalProtect and PAN-OS login portals, it's time to get busy, following a massive surge in scanning activity against those systems.

On Friday, security shop GreyNoise warned that its trackers had seen PAN's systems pounded by scans from 1,300 unique IPs, 93 percent of which were classified as suspicious and the remaining 7 percent as actively malicious. Such activity usually "rarely exceeded 200 IPs," it noted.

"The October 3 surge was the largest burst of IPs scanning for Palo Alto login portals in three months," it said. "Almost all participating infrastructure was first observed in the past 48 hours. Traffic was targeted and structured, aimed overwhelmingly at Palo Alto login portals and split across distinct scanning clusters."

Attackers scanned US targets most heavily, followed by systems in Pakistan, Mexico, France, Australia, and the UK. The researchers believe the campaign mimics the one seen against Cisco kit last month, indicating a gang is following a similar playbook: probing for an existing vulnerability to find out who hasn't been patching their systems.

Defense contractor coughs up $875,000 for security snafus

After a security investigation, US defense contractor Georgia Tech Research Corporation - affiliated with the respected Georgia Institute of Technology - has agreed to pay an $875,000 settlement to the government for failing to lock down its systems.

The government said the organization, which held contracts with DARPA, the Air Force, and the Department of Defense, had lied about its level of security preparedness. For years, until the problems were discovered in December 2021, security software either wasn't installed or was poorly maintained, and there was no central IT operation across the organizations to spot problems.

Two members of Georgia Tech's cybersecurity team started the case by blowing the whistle and alerting government auditors to the problems. Christopher Craig and Kyle Koza were each awarded $201,250 as part of the settlement.

"When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats," said Assistant Attorney General Brett Shumate of the Justice Department's Civil Division.

"Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments."

As is traditional in so many US government settlements, the two organizations denied guilt but agreed to pay.

Crunch time for Chat Control

The European Commission's proposals to break end-to-end encryption (E2EE) are reaching a head this month, and privacy advocates are watching Germany closely, as it could be the crucial state in the decision-making process.

The Danish delegation, which currently holds the rotating presidency of the Council of the EU, is making another attempt to force through legislation that would see every EU citizen required to use software that scans their personal messages for "abusive material." In effect, messaging would be scanned by mandate under the so-called Chat Control legislation.

Since 2022, certain Members of the European Parliament (MEPs) have been pushing to break encryption on the grounds of protecting children. Last month, 600 security and academic experts urged legislators to vote against the rules, but the European lawmaking mechanism is a complex beast, and it all comes down to population. To pass the legislation, EU leaders need support from nations representing a majority of the bloc's population, making Germany the key player.

This week, German groups formed the Chat Control Alliance to put pressure on their government to come out against the Danish proposals, saying that implementing the rules would be both a loss of personal privacy and a huge security problem. Signal and other encrypted messaging apps are warning they'll shut down operations in Europe if the EU implements the legislation.

"If such a law on chat control is introduced, we will not only pay with the loss of our privacy. We will also open the floodgates to attacks on secure communications infrastructure," said Elina Eickstädt, spokesperson for the Chaos Computer Club.

EU lawmakers will vote on Chat Control on Tuesday, 14 October.

China hands out death sentences to online scammers

The Chinese government isn't mucking about when it comes to cracking down on cybercrime against its citizens, handing out 11 death sentences to gang members who ran a scamming center just across the border in Myanmar.

Over the last decade, the criminals set up call center operations reportedly employing more than 10,000 staff. The court heard that guards killed at least ten workers who tried to escape and injured many others.

Recruiters lured many workers to the call centers with promises of good jobs, then imprisoned them and forced them to work on financial fraud scams. This year the Chinese government cracked down on such operations in Myanmar and Thailand and repatriated citizens caught in the criminal networks.

It's estimated that the gang pulled in at least $1.4 billion through online fraud, as well as gambling and prostitution schemes. In addition to the immediate death sentences, five other gang members received death sentences suspended for two years, another 11 received life sentences, and a dozen more were imprisoned for five to 24 years, with their property confiscated. ®
