Daily Archives: July 13, 2018

12 Russian Intel Officers charged with hacking into U.S. Democrats

The week closes with the indictment of twelve Russian intelligence officers by a US grand jury. The charges were announced just three days before President Donald Trump is scheduled to meet with Vladimir Putin.

Special Counsel Robert Mueller, who in February indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein reported a second operation in which the officers targeted the election infrastructure and local election officials. Russian intelligence set up servers in the U.S. and Malaysia under fake names to run its operations, and the agents paid for them with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus,” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman, starting in March of 2016.”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Democratic minority in Congress is pressing Trump to cancel the meeting with Putin, arguing that Putin intentionally interfered with the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections.”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia.”


Trump evidently believes that hostility toward Russia seriously interferes with the relationship and collaboration between the two states.

Russia denies any involvement in the elections, and the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged Friday, but the indictment reports unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.

Pierluigi Paganini

(Security Affairs – Russian Intelligence, Presidential election)

The post 12 Russian Intel Officers charged with hacking into U.S. Democrats appeared first on Security Affairs.

DuPont’s Museum of Chemical Disasters Keeps Spreading Its Poison in the U.S.

Covered with storage and retention tanks and smokestacks, the site of the old Chambers Works plant in southern New Jersey is an eyesore. Seen from the bridge that crosses the Delaware River, the industrial zone looks like a burned patch, a brown smudge on the green landscape of the river’s eastern bank. The real problem with Chambers Works, however, is not in plain sight.

Since 1892, when DuPont chose this site to house its smokeless powder operations, Chambers Works has been ground zero for some of the most environmentally devastating commercial ventures in the world. Now practically abandoned, the roughly 5 km² area could serve as a museum of chemical disasters. Leaded gasoline; cancer-causing dyes; Kevlar, a synthetic fiber that, according to studies, causes cancer in rats; Freon, a refrigerant gas that opened a hole in the ozone layer; neoprene, the fabric whose production releases a carcinogenic gas; uranium refined for atomic weapons; and PFOA, a component of nonstick cookware coating that pollutes the drinking water around the facility (and around the world), are among the 1,200 chemicals that DuPont manufactured and stored at what was once its largest manufacturing complex.

Thanks for the Cancer

Martin Cleary recalls the strange smells that used to seep into his workplace and the wastewater that ran through the ditches crossing the complex on its way to the river. “[The water] was yellow, sometimes brown,” says Cleary, who worked at Chambers Works for more than 37 years and spent much of that time inspecting the insides of chemical tanks. Even though he developed a bladder cancer that, according to his doctor, was a consequence of his work, Cleary has almost nothing but good things to say about the company where he and many of his friends worked.

“Every time I needed to get tests for my treatments, they gave me time off, and I appreciate that,” said Cleary, who kept working after the diagnosis and through two recurrences of the cancer. He scheduled his chemotherapy sessions on Thursdays so that he could recover over the weekend and be fit for work on Monday. Now 81 and retired, Cleary is also grateful that DuPont paid his medical expenses, although he is a little resentful that the company did so only after he filed a lawsuit. Cleary still feels indebted to his former employer for providing him with a filter that removed from his drinking water the PFOA leaking from the plant, even though he and the other residents of the area had to cover the costs of maintaining and replacing those filters.

Some of his neighbors in the town of Carneys Point, where Chambers Works is located, however, are not so quick to forgive DuPont and its successor, Chemours, which took ownership of the site in 2015. The township sued DuPont in 2016 and then refiled the suit against both companies in 2017, alleging that the amount they had paid was not enough to cover the cost of remediating the property’s immense contamination. In May, Carneys Point filed another suit over the site, this time against the New Jersey Department of Environmental Protection (DEP), alleging that the agency kept the town’s residents out of the discussions with DuPont and Chemours about the amounts needed to clean up Chambers Works.

“Our concern is that they are doing the math without us and giving DuPont a sweetheart deal,” said Albert Telsey, the attorney representing Carneys Point, who described the Chambers Works site as an environmental disaster “worse than the Exxon Valdez,” the oil tanker that spilled nearly 40 million liters of crude oil into the waters of Alaska.

Workers tend chemical operations for dye manufacturing at the Chambers Works facilities in the 1940s.

Foto: E.I. du Pont de Nemours & Company/Hagley Museum

Over the 123 years it remained at the site, DuPont released approximately 50,000 tons of hazardous waste into the soil, air, and water, according to an environmental analysis completed in 2016. After six months reviewing hundreds of thousands of documents and using a computer program employed by regulatory agencies and the military to estimate cleanup costs, Jeffrey Andrilenas, the consultant Carneys Point hired to assess the environmental contamination, calculated that remediating the site would cost more than 1 billion dollars.

Although DuPont and Chemours have removed part of the contamination over the past decades, the analysis concluded that, at the current pace, it will take another 1,600 years to fully decontaminate the Chambers Works site. Even with every possible effort, completely eliminating the pollution left behind by DuPont and Chemours would take a minimum of 300 years, according to Andrilenas, who considers that the “optimistic outlook.” Andrilenas has assessed more than 3,000 industrial sites around the world over his 36-year career, and referred to Chambers Works as “one of the most contaminated sites I have ever encountered.”

New Jersey law requires owners or operators of industrial properties to decontaminate them, or to hand over to the Department of Environmental Protection the amount needed to do so, before they can sell the sites or merge with other companies. That did not happen, however, when DuPont transferred ownership of the site to its subsidiary, Chemours, and later merged with Dow.

New Jersey law also allows communities affected by industrial contamination sites to take part in planning the remediation if the polluters do not carry out the cleanup competently and in a timely manner. The people of Carneys Point claim that DuPont, which was fined by the state in 2011 for 220 chemical spills of hazardous waste, falls into that category. The township, however, was not included in the negotiations among DuPont, Chemours, and the New Jersey Department of Environmental Protection, according to the suit filed in May.

Documents cited in the suit and reviewed by The Intercept show that Chemours representatives presented, in December 2017, a plan to spend 54 million dollars on decontaminating the site, less than 5% of what Carneys Point says is needed. And while the township wants the contamination removed entirely, one of the plans mentioned in emails between the DEP and Chemours would leave approximately 45,000 tons of hazardous waste on the site, according to Andrilenas.

The township’s attorneys first asked the New Jersey DEP, in 2016, to include it in the planning for the site. The DEP, however, ignored the request, as well as a petition signed by more than a thousand Carneys Point residents demanding to be allowed to take part in the decision-making, according to the complaint.

The New Jersey Department of Environmental Protection referred questions about the Carneys Point cleanup and the two suits filed by the town’s residents to the New Jersey Attorney General’s office, which declined to comment.

DowDuPont provided a written statement in response to questions from The Intercept about Carneys Point, but declined to answer specific questions about the litigation:

DuPont, and now Chemours, have for decades been actively remediating the Chambers Works site under the agreements reached with the New Jersey Department of Environmental Protection and the U.S. Environmental Protection Agency (EPA). We are committed to continuing to meet our environmental obligations at this site.

We believe the suit filed in December 2016 is without merit. The suit concerns technical definitions of ownership and asset transfer. Carneys Point’s characterizations of the nature and status of the ongoing remediation at the site are incorrect. In particular, Carneys Point’s claim that remediating the site will cost US$1.2 billion is inaccurate and is based on a flawed analysis. The remediation work begun by DuPont is being continued by Chemours.

Chemours also provided a written statement that addressed the site in general, but did not answer specific questions about the allegations made by Carneys Point:

The Chambers Works facilities include several landfills, and the site’s soil and groundwater have been impacted by historical operations. Chemours has been working with the environmental agencies, the New Jersey DEP and the U.S. EPA, to ensure that the site does not pose a risk to public health or the environment.

Chemours has taken steps to remediate the site, including a groundwater pump-and-treat system, the closure of basins and ditches, and the installation of a sheet-pile wall to ensure that the local groundwater is contained. We continue to investigate additional technologies that could accelerate the remediation measures.

An aerial view of the DuPont Chambers Works site in 1959.

Foto: Tricolor, Inc./E.I. du Pont de Nemours & Company/Hagley Museum

The House of Butterflies

One of the reasons DuPont chose this spot in southern New Jersey for its smokeless powder plant in 1892 was the river, which provided easy access to transportation. The water also protected the company’s headquarters, which sat across the river in Wilmington, Delaware. Company executives were worried that the plant might explode, according to the book “DuPont Dynasty: Behind the Nylon Curtain,” a comprehensive history of the corporate empire. The fear proved justified. The plant in southern New Jersey was the scene of several lethal explosions, including at least two in its first eight years of operation. Major explosions continued to occur at regular intervals over the century that followed.

But gunpowder was only the first dangerous product made at Chambers Works and the neighboring facilities known as Deepwater. By the time of World War I, the DuPont plant was also producing aniline-based dyes, which in Europe had already been shown to cause cancer. The first cancer cases among the New Jersey workers who handled dyes began to appear in 1932. The company kept producing one of the carcinogenic components until 1955, even though it had known of the excessive incidence of bladder cancer among its workers for decades, according to occupational health scholar David Michaels.

In the early 1920s, DuPont began making leaded gasoline at its industrial park on the banks of the Delaware River. The manufacturing process not only spread lead through the soil, where much of it remains today, but also poisoned many workers. The five-story brick building on the site became known as the House of Butterflies. The nickname came from the DuPont workers who appeared to be snatching imaginary insects out of the air: in fact, they were hallucinating from the effects of inhaling the neurotoxin.

According to a 1925 investigation by the New York Times, “about 80 percent of all who worked in ‘the House of Butterflies,’ or who went in to make repairs, were poisoned, some of them repeatedly.” Frank W. Durr, the first documented case of death by lead poisoning at the plant, died in 1923 in a straitjacket, at the age of 37. Durr, who was known as “Happy,” was 12 years old when he started working for DuPont. To compensate Happy’s wife for his death, the company paid her a pension of 17 dollars a week for four years. The editor of the local newspaper, who did not cover Durr’s death at the time, told the Times that he had been unable to obtain any information about the case because “they hide things at the lead plant.”

During the 1940s, Chambers Works was also one of the Manhattan Project facilities, which left a legacy of radiation and fluorine at DuPont’s site of operations. Many other contaminants remain in the soil at Chambers Works. Tests found 75 chemicals at concentrations above New Jersey standards in the groundwater at the edges of the site. In the case of the carcinogen benzene, for example, the measurement showed a presence 28,000 times greater than the tolerated levels. In 1999, the state granted DuPont a 999-year exemption from the limits regularly applied to those chemicals. Many other contaminants exceed safety limits at the site, according to Andrilenas.

A specialized dye maker in DuPont’s Organic Chemicals Department at Chambers Works in Deepwater Point, New Jersey, accompanied by a laboratory technician, checks dye shades in the 1950s.

Foto: E.I. du Pont de Nemours & Company/Hagley Museum

The Price of Progress

At times, DuPont considered some of the negative consequences of its work to be inevitable. After lead poisoning drew attention to its southern New Jersey plant, a 1936 annual report described the deaths in the workforce from that cause as “the slow and gradual price humanity has always paid, and perhaps must pay, for the conquest of new and dangerous territories.”

Carneys Point certainly benefited from some of the new and dangerous territories the company conquered. “The plant was phenomenal for the town,” former Carneys Point mayor Joe Racite said recently. Racite, 65, knows many people who worked at Chambers Works, including his late father-in-law, who worked with dyes and died of cancer at 56. He still remembers an explosion at the facility that broke the windows of his classroom during final exams in 1969. Even so, when it was at its peak, the plant almost seemed to make up for the environmental and health problems it caused.

Today, Racite is no longer so sure. Earlier this year, DowDuPont moved one of its last businesses at the site, the production of a synthetic fiber with aerospace and military applications known as aramid, to India. Chemours recently put the industrial park up for sale. And although the bustle that accompanied the plant has faded, along with most of the jobs, the pollution remains, and will probably weigh on Carneys Point for many generations to come.

Title photo: Facilities of the DuPont Chambers Works plant in the 1950s.

Translation: Deborah Leão

The post DuPont’s Museum of Chemical Disasters Keeps Spreading Its Poison in the U.S. appeared first on The Intercept.

Indictment of Russian Intelligence Operatives Should Quell Harebrained Conspiracy Theories on DNC Hack

With his latest indictments on Friday, Special Counsel Robert Mueller drove a particularly sharp nail into the coffin of the conspiracy theories surrounding the cyber-attack on the Democratic Party and Hillary Clinton’s presidential campaign during the 2016 election.

Spoiler alert: The Russians really did do it.

It wasn’t Seth Rich, the murdered young Democratic staffer whose name has been dragged through the mud by countless fringe theorists, and whose parents are now suing Fox News for propagating such lies.

It wasn’t an inside job by the Democrats themselves, as a group of out-of-touch former intelligence officials tried to convince themselves and the world. The Mueller investigation isn’t a “witch hunt,” as Donald Trump and his loyalists have repeatedly claimed.

Instead, Mueller’s prosecutors charged 12 Russian intelligence officials, listed by name, rank, and job title, with engineering the hack of the Democrats during the election. In damning detail, the indictment makes the case that the hack of the Democratic Party was a highly structured, officially sanctioned covert action operation conducted by Russian intelligence, namely the GRU, Russia’s military intelligence arm. If the allegations hold up, there can no longer be any question as to whether the cyberattack was ordered and approved by the Putin government.

The indictment also adds heft to the longstanding intelligence community consensus that the target of the covert action was Clinton and her presidential campaign, and that Moscow’s objective was to damage her campaign and help Donald Trump win. After stealing thousands of emails and other documents, the Russian intelligence officers then set up cyber fronts – DCLeaks and Guccifer 2.0 – to disseminate the material through WikiLeaks and the American press to try to influence the presidential election. The American media eagerly lapped it up without asking many questions about where the leaks were coming from.

“The object of the conspiracy was to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election,” the indictment states.

Perhaps the strongest evidence of possible collusion between Trump and Russia included in the indictment relates to an odd and inflammatory statement that Trump made in the midst of the campaign. On July 27, 2016, Trump publicly implored Russia to find and release Clinton’s emails that had supposedly been deleted from her personal account while she was Secretary of State. Those deleted emails had, by then, become part of the public controversy over the investigation into Clinton’s use of a private email system while she was at the State Department in the Obama administration. Trump said: “Russia if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”

Friday’s indictment raises new questions about whether the Russians were, indeed, listening. It says that “on or about July 27, 2016, the [Russians] attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.”


Longtime Donald Trump associate Roger Stone pauses while speaking to members of the media after testifying before the House Intelligence Committee on Sept. 26, 2017.

Photo: Andrew Harnik/AP

The indictment also provides details of online conversations between the Russians, using the Guccifer 2.0 persona, and “a person who was in regular contact with senior members” of Trump’s presidential campaign. That person has been identified as Roger Stone, a controversial longtime Trump ally. In August 2016, according to the indictment, the Russians, using the Guccifer 2.0 front, wrote to Stone: “do u find anyt[h]ing interesting in the docs i posted?” Days later, Guccifer 2.0 wrote again to Stone, saying “please tell me if i can help u anyhow … it would be a great pleasure to me.” In September, Guccifer 2.0 wrote again, this time asking, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” Stone responded tersely: “[p]retty standard.”

The indictment also delves into the role of WikiLeaks, identified only as “Organization 1,” which acted as an intermediary between Guccifer 2.0 and the American press. While it doesn’t answer the critical question of whether WikiLeaks knew that the hacked materials were coming from the Russians, the indictment makes clear that WikiLeaks wanted materials damaging to Clinton’s campaign.

“In order to expand their interference in the 2016 U.S. presidential election,” the indictment says, the Russians “transferred many of the documents they stole from the [Democratic National Committee] and the chairman of the Clinton campaign to Organization 1.” The Russians, “posing as Guccifer 2.0, discussed the release of the stolen documents and the timing of those releases with Organization 1 to heighten their impact on the 2016 U.S. presidential election.”

In June 2016, WikiLeaks sent a private message to Guccifer 2.0 asking the persona to send “any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” In July, WikiLeaks sent another message saying, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after. … we think trump has only a 25% chance of winning against hillary … so conflict between bernie and hillary is interesting.”

WikiLeaks released more than 20,000 emails and other documents stolen from the Democratic National Committee network three days before the start of the Democratic convention.

The indictment leaves plenty of questions unanswered. For example, it says that in August 2016, a congressional candidate contacted Guccifer 2.0 asking for stolen documents. Guccifer 2.0 complied, sending documents about the candidate’s opponent. But the indictment doesn’t identify the congressional candidate who sought the information.

At the same time, it purports to provide minute-by-minute details about how the Russians engineered their hack, how they distributed the information to WikiLeaks, reporters, and others, and even how they paid for it. Indeed, one of the most interesting sections of the indictment alleges that the Russians used bitcoin to anonymously finance different aspects of their cyber-attack.

The Russians “principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity,” the indictment states. “Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars, and other vendors.”

But the indictment strongly suggests that even as the Russians hacked the American political system, the U.S. intelligence community was hacking the Russians in return. It includes accounts that appear to have been drawn from real-time U.S. intelligence surveillance of Russian computers as they watched, searched, and infected with malware the computers belonging to Democratic operatives and staffers.

For example, the indictment explains how the Russians intentionally deleted logs and computer files to hide their electronic footprints in the DNC system and states that “on occasion, the [Russians] facilitated bitcoin payments using the same computers that they used to conduct their hacking activity, including to create and send test spearphishing emails. Additionally, one of these dedicated accounts was used by the [Russians] in or around 2015 to renew the registration of a domain (linuxkrnl.net) encoded in certain X-Agent malware installed on the DNC network.”

Top photo: Special counsel Robert Mueller, center, leaves after a closed meeting with members of the Senate Judiciary Committee June 21, 2017, at the Capitol in Washington, D.C.

The post Indictment of Russian Intelligence Operatives Should Quell Harebrained Conspiracy Theories on DNC Hack appeared first on The Intercept.

Security Flaws & Fixes – W/E – 071318

Adobe Swats 112 Bugs with Latest Batch of Security Fixes (07/10/2018)
Adobe has released updates for Acrobat and Reader, Connect, Experience Manager, and Flash Player. The updates consist of 112 fixes for vulnerabilities; Acrobat and Reader alone account for 104 of the bugs. Flash Player received a fix for a critical arbitrary code execution issue.

Android Apps Share Pics, Video Recordings without User Knowledge (07/06/2018)
Research from a group of Northwestern University scientists shows that many Android apps on legitimate marketplaces are sharing private data without user knowledge. While analyzing media permissions and leaks from 17,260 apps across multiple Android marketplaces, the researchers found privacy issues, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent. They also identified a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user or requiring any permissions.

Apple Patches KRACK Bug in Boot Camp (07/06/2018)
Apple issued a Wi-Fi update for Boot Camp to address the KRACK (Key Reinstallation Attack) vulnerability. A logic issue existed in the handling of state transitions and this has been addressed with improved state management.

Apple Updates iTunes, iOS, Other Products (07/10/2018)
Apple released a number of advisories and updates for multiple products. These include updates for iTunes, iCloud, Safari, macOS High Sierra, watchOS, tvOS, and iOS. The iOS update includes a new feature, USB restricted mode, which prevents individuals, including law enforcement, from cracking the passcode using a USB device. The feature disables USB data access after the phone has been locked for 60 minutes.

Cisco Releases Advisories on Multiple Products (07/11/2018)
Cisco has issued multiple advisories for its products. The vendor's StarOS is vulnerable to a denial-of-service condition while the Web-based UI of the IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware contains a command injection vulnerability.

Compass and AcSELerator Architect Have Multiple Security Issues (07/10/2018)
Schweitzer Engineering's Compass and AcSELerator Architect contain vulnerabilities that are considered serious. An ICS-CERT advisory states that the vendor has released updates to mitigate these issues. Links to the updates are available from the advisory.

Facebook Quiz Apps Exposed User Data for Years (07/06/2018)
Popular quizzes on Facebook exposed information for more than 120 million users even if they deleted the apps, according to researcher Inti De Ceukelaire, who wrote an article about his findings on Medium. Nametests.com, the site behind many of the popular Facebook quizzes, patched a privacy bug that leaked data on users, including those who had deleted the app. De Ceukelaire found that when loading a personality quiz, the Nametests site would fetch his personal information and display it. He knew that this shouldn't occur, but then noticed that the data request from the Nametests site was wrapped in JavaScript so it could be shared with other sites. Thus, any third party could request personal data and receive it.
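The mechanism behind that leak is a profile endpoint that returns the logged-in user's data wrapped in JavaScript: any page on the web can load it with a script tag, the browser attaches the user's cookies, and the response runs in the third-party page. The following added example (constructed for this page, not Nametests' code) models both the vulnerable endpoint and a hardened one side by side. The request and response dictionaries, the sample profile, the origin `https://quiz.example` and the token header name are assumptions for illustration.

```python
import json

PROFILE = {"name": "Example User", "birthday": "1990-01-01"}  # constructed sample data
OWN_ORIGIN = "https://quiz.example"  # assumed origin of the quiz site itself


def jsonp_endpoint(request: dict) -> dict:
    """Vulnerable pattern: the logged-in user's data is returned as executable
    JavaScript for whoever asks. Any page can load it with
    <script src="https://quiz.example/profile?callback=steal">; the browser
    sends the user's cookies and runs the response, handing the data to the
    caller's function."""
    callback = request["query"].get("callback", "cb")
    return {"status": 200, "content_type": "application/javascript",
            "body": f"{callback}({json.dumps(PROFILE)});"}


def hardened_endpoint(request: dict, session_token: str = "example-token") -> dict:
    """Hardened: plain JSON (a <script> tag cannot do anything useful with it),
    served only to requests carrying the site's own Origin and a session-bound
    token in a custom header, which a cross-site <script> load cannot add."""
    headers = request["headers"]
    if headers.get("Origin") != OWN_ORIGIN or headers.get("X-CSRF-Token") != session_token:
        return {"status": 403, "content_type": "application/json",
                "body": json.dumps({"error": "forbidden"})}
    return {"status": 200, "content_type": "application/json",
            "body": json.dumps(PROFILE)}


def data_reachable_via_script_tag(endpoint) -> bool:
    """Model a third-party page embedding the endpoint in a <script> tag: the
    browser attaches cookies but no custom headers, and the page only learns
    something if the response calls back into its own function."""
    request = {"query": {"callback": "steal"}, "headers": {},
               "cookies": {"session": "user-session-cookie"}}
    resp = endpoint(request)
    return resp["status"] == 200 and resp["body"].startswith("steal(")


def same_origin_fetch(endpoint, token: str = "example-token") -> dict:
    """Model the quiz site's own JavaScript calling the endpoint with fetch()."""
    request = {"query": {}, "headers": {"Origin": OWN_ORIGIN, "X-CSRF-Token": token},
               "cookies": {"session": "user-session-cookie"}}
    return endpoint(request)
```

The two changes that matter are the content type (data, not a script) and the requirement for something a cross-site script tag cannot supply (a custom header carrying a session-bound token). Checking `Origin` alone is not enough, since it is absent or unreliable on some request types.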

Google Fixes Multiple Android Vulnerabilities in Its July Security Bulletin (07/06/2018)
Google issued its monthly Android Security Bulletin, which included fixes for three critical and eight high risk vulnerabilities in the 2018-07-01 security patch level. The three critical bugs are remote code execution issues, one each in Media framework, framework, and system. In the 2018-07-05 security patch level, 32 vulnerabilities were addressed - eight were rated critical and 24 were considered high risk.

Internet Systems Consortium Says to Upgrade Kea 1.4.0 Due to Memory Leak Bug (07/11/2018)
The Internet Systems Consortium (ISC) posted an advisory regarding a vulnerability in Kea DHCP 1.4.0 which may fail to release memory after temporarily storing client network packets. This causes a constant increase in memory consumption that can cause server resources to become exhausted, leading to loss of DHCP server functionality. The solution is to upgrade to Kea 1.4.0-P1.

Malicious PDF Contained Two Previously Unknown Zero-Day Exploits (07/06/2018)
Microsoft, in conjunction with ESET, analyzed a potential Windows kernel bug and discovered two exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other impacted Windows 7 and Windows Server 2008. The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploits the Windows kernel vulnerability to let the shellcode escape the Reader sandbox and run with elevated privileges. An ESET researcher originally found the malicious PDF and sent it to Microsoft for evaluation. Both exploits have been resolved: Adobe posted an update on May 14 and Microsoft issued a patch on May 8.

Microsoft's July Security Batch Alleviates More than 50 Vulnerabilities (07/11/2018)
The Microsoft batch of fixes for July consists of 14 updates that fix over 50 security issues across Windows, Internet Explorer, Edge, Office, and associated products. This round of patches includes remedies for critical bugs in the Internet Explorer and Edge browsers and in the .NET Framework.

Mozilla Releases Thunderbird 52.9 (07/06/2018)
Mozilla fixed a number of vulnerabilities with the release of Thunderbird 52.9. Among these is a buffer overflow that could result in an exploitable crash.

Multiple Bugs Chained Together Give Attackers Control Over WAGO HMI Devices (07/11/2018)
SEC Consult researchers posted an advisory after finding multiple bugs in WAGO's e!DISPLAY 7300T Web Panel human-machine interface products which could be chained together to give attackers complete control over the device. The researchers found multiple reflected and one stored cross-site scripting vulnerabilities, unrestricted file upload and file manipulation, incorrect default permissions, and remote code execution vulnerabilities, and reported them to WAGO. The vulnerabilities have been remedied with the release of new firmware. WAGO has also posted its own advisory.

Multiple Vulnerabilities Found in Siemens' SICLOCK Devices (07/06/2018)
Siemens' SICLOCK devices are affected by multiple vulnerabilities that could allow an attacker to cause denial-of-service conditions, bypass authentication, and modify the firmware of the device or the administrative client. These devices are being phased out. Siemens has responded with mitigations for these issues.

Multiple Vulnerabilities Found in Robot Controllers (07/10/2018)
Universal Robots' robot controllers are affected by hard-coded credentials and are missing authentication. An ICS-CERT advisory has listed some mitigating actions for these vulnerabilities.

Polar Fitness App Gives Up Military, Home Locations for Soldiers (07/10/2018)
Researchers at Bellingcat have discovered that the fitness app Polar is revealing the locations of people exercising in secret places, including intelligence agencies, military bases, airfields, and embassies worldwide. Polar Flow, which is an app and Web service from a company in Finland, lets users track their fitness and sleep activity and offers a feature called "Explore," that helps people find new training routes. However, the app is giving up information on people who are working out near military areas. The researchers said, "By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map."
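The mitigation a fitness service can apply on its side is a privacy zone: fixes inside a radius of an address the user registers (home, workplace) are dropped before a session is published. The following is an added example, not Polar's code, of that filter: a haversine distance helper and a function that removes every point inside any configured zone. The route, the zone centres and the radii are constructed values.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def redact_privacy_zones(route, zones):
    """Drop every fix inside any configured zone (lat, lon, radius_m).
    Zones are centred on addresses the user registers, not on the track's
    first fix, so the hole in the track does not itself pinpoint the home."""
    return [p for p in route
            if all(haversine_m(p, (lat, lon)) > r for lat, lon, r in zones)]


# Constructed route: 20 fixes heading due north, about 111 m apart.
SAMPLE_ROUTE = [(60.1699 + 0.001 * i, 24.9384) for i in range(20)]

# Constructed zones: a 500 m zone around the "home" at the start of the track
# and a 300 m zone around a second registered address near its end.
SAMPLE_ZONES = [(60.1699, 24.9384, 500.0), (60.1889, 24.9384, 300.0)]


if __name__ == "__main__":
    kept = redact_privacy_zones(SAMPLE_ROUTE, SAMPLE_ZONES)
    print(f"{len(SAMPLE_ROUTE)} fixes in, {len(kept)} published")
```

This only addresses the start and end of a single session. The Bellingcat finding is about aggregation: the "Explore" feature combines all of a person's sessions onto one map, so a service also needs to make per-user history private by default and to treat sensitive sites (bases, embassies) as areas where no sessions are published at all.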

QNAP Boots Multiple Vulnerabilities with Update for Q'center Virtual Appliance (07/11/2018)
Core Security has advised that QNAP's Q'center Virtual Appliance Web console contains several critical vulnerabilities that could enable a hacker to take over privileges and execute arbitrary commands. The vulnerabilities affect Q'center versions 1.6.1056 and 1.6.1075. QNAP has fixed the bugs in version 1.7.1083 and later.

Researchers Identify New Rowhammer Attack Method Along with Mitigation Technique (07/06/2018)
A team of researchers has identified a new Rowhammer-style attack that targets devices running the latest version of Android. Rowhammer is a bug that affects dynamic random-access memory chips and can be used to gain kernel privileges on Linux systems. The attack method, dubbed "RAMpage," uses a root exploit and a series of app-to-app exploits that bypass all scenarios. The team proposes "GuardION," a lightweight defense mechanism that mitigates Rowhammer attacks by isolating DMA buffers with guard rows.

Researchers Report Intel on New Spectre Variants, Receive $100K for Their Troubles (07/11/2018)
Two researchers have discovered variations of the Spectre zero-day attack method and have notified Intel, which rewarded them with $100,000 USD for their efforts. Vladimir Kiriansky and Carl Waldspurger have uncovered Spectre 1.1, which leverages speculative stores to create speculative buffer overflows that can modify data and code pointers. They also presented findings on Spectre 1.2, which affects CPUs that don't enforce read/write protections: speculative stores can overwrite read-only data and code pointers to breach sandboxes. Intel and ARM both issued white papers discussing the two Spectre variants. Oracle also published information on how it is assessing its own products in relation to these vulnerabilities.

Siemens Warns of Potential DoS Condition in SIPROTEC 5 Relays, EN100 Ethernet (07/11/2018)
A Siemens advisory reveals that the EN100 Ethernet communication module and SIPROTEC 5 relays are vulnerable to bugs that can lead to a denial-of-service attack over the network. Siemens has released updates for several products, is working on fixes for the other products, and has provided remediation methods until those updates are available.

VMware Updates Squash Bug Found in ESXi, Workstation and Fusion (07/06/2018)
VMware's ESXi, Workstation, and Fusion have received updates to address multiple out-of-bounds read vulnerabilities. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to crash their virtual machines.

Vulnerabilities Affect Rockwell Automation Allen-Bradley Stratix 5950 (07/06/2018)
Rockwell Automation's Allen-Bradley Stratix 5950 is vulnerable to several bugs that could allow an attacker to bypass client certification to create connections to the affected device or cause the device to crash, according to an ICS-CERT advisory. Some workarounds are described in the advisory. Rockwell Automation will inform users of updated firmware as soon as it is available.

Vulnerabilities in Broadband Gateway Routers Receive Patches (07/06/2018)
The researchers at SEC Consult have identified three critical vulnerabilities in broadband gateway routers manufactured by Advanced Digital Broadcast (ADB), whose communications devices are used by Cox Communications and Charter Communications, among other ISPs. According to the researchers, all of ADB's routers are impacted by privilege escalation, authorization bypass, and local jailbreak root vulnerabilities. ADB was first notified in June 2016 regarding these issues and patches first began rolling out a year later.

Malware Watch – W/E – 071318

Cryptocurrency Miners Take Top Spots in Check Point's Most Wanted Malware List (07/06/2018)
Check Point Software has released its list of the most wanted malware for June. The top three malware families for the month were Coinhive, Cryptoloot, and Dorkbot - the first two are cryptocurrency mining malware, while Dorkbot is a banking Trojan. Triada, Lokibot, and The Truth Spy were the top three mobile malware families identified by Check Point as hitting victims during the month of June.

GandCrab: New Updates, Same Old Nastiness from this Ransomware (07/11/2018)
The GandCrab ransomware is now at version 4 and has switched from RSA-2048 to the Salsa20 stream cipher to encrypt data. The ransomware has also stopped connecting to its command and control server before encrypting files, which, according to Fortinet, means it can encrypt files on machines that are not connected to the Internet. Analysis shows the malware's executable and download links are being frequently updated, and encrypted files are appended with the .KRAB extension.

Kaspersky Lab Reports on APT Trends in Q2 (07/10/2018)
In its Q2 2018 APT Trends Summary Report, Kaspersky Lab identified cyber espionage tactics being conducted by Lazarus/BlueNoroff in both Turkey and Latin America. New APT (advanced persistent threat) activity from Olympic Destroyer during the quarter was also observed and points to a possible connection to the Sofacy threat group.

Malicious Macro Exploits Desktop Shortcuts to Deliver Payloads (07/06/2018)
Trend Micro has spotted a malicious macro that searches for specific shortcut files in the user's system, which it replaces with one that points to its downloaded malware. That malware executes when the user clicks on the modified desktop shortcut. After the malware executes, it recovers the original shortcut file to open the correct application again. The malware then assembles its payloads by downloading common tools available online like various Windows tools, WinRAR, and Ammyy Admin to gather information and send back via SMTP.

Malware Uses Stolen Digital Certificates in Two Related Campaigns (07/10/2018)
ESET has discovered a malware campaign misusing stolen digital certificates. The campaign is using a code-signing certificate stolen from D-Link, which has since been revoked. Two different malware families were misusing the stolen certificate: the Plead malware, a remotely controlled backdoor, and a related password stealer component. The Plead backdoor is used by the BlackTech cyber espionage entity. ESET researchers have also identified malware samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology. That certificate was also revoked, but BlackTech is continuing to use it to sign its malicious tools.

Rakhni Malware Makes Decision to Mine or to Crypt (07/06/2018)
The criminals behind the Trojan-Ransom.Win32.Rakhni family have added new functions, including cryptocurrency mining, to their malicious capabilities. According to Kaspersky Lab, the Russian Federation is the main target of this Trojan, followed by Kazakhstan and Ukraine. Spam campaigns are delivering the Trojan. The downloader is an executable file written in Delphi, and it installs a root certificate that is stored in its resources. All downloaded malicious executables are signed with this certificate. The malware decides whether to download a cryptor or a miner onto the infected system depending on whether the folder %AppData%\Bitcoin is present. If the folder exists, the downloader downloads the cryptor. If the folder doesn't exist and the machine has more than two logical processors, the miner is downloaded.

RIG Exploit Kit Delivers Monero Mining Payload Via PROPagate Injection Technique (07/06/2018)
FireEye has observed the RIG exploit kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner. The attack chain starts when the user visits a compromised Web site that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the cryptocurrency miner.

Smoke Loader Malware Adds Sophisticated Tricks and Trickbot to Its Repertoire (07/06/2018)
A new version of the Smoke Loader malware, tracked by Cisco's Talos group, is now using the PROPagate injection technique to inject code and is attempting to steal credentials from multiple applications. Smoke Loader is delivered via tainted Word documents and social engineering. If the document is opened, it launches a macro and downloads the second stage, which is the Trickbot malware.

Threat Group Is Back to Spy on, Attack Mid-East Targets (07/10/2018)
A previously known advanced threat entity that was first discovered by Cisco's Talos researchers has resurfaced to conduct spying missions on institutions in the Middle East, Check Point Software has said. The attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive containing two files: a Word document and a malicious executable. Claiming to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is installed in the background. According to Check Point, some of the malware's modules have been named after characters and/or actors in The Big Bang Theory TV show, including Penny, Koothrappali, and Parsons_Sheldon.

Data Breaches – W/E – 071318

About 340 Million Records Leaked Thanks to Data Broker Exactis (07/06/2018)
Wired has reported that security researcher Vinny Troia found an exposed database containing about 340 million individual records. The haul, which belonged to data broker Exactis, was found on a publicly available server and contained data on American adults as well as businesses. Payment information doesn't appear to be exposed but the records contain highly personal data including phone numbers, email addresses, and the number, age, and gender of the person's children. Troia said, "It seems like this is a database with pretty much every US citizen in it... I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen."

Adidas Discloses Its US Shopping Site Has Been Breached (07/10/2018)
Adidas customers using the sportswear company's US Web site may have had their data compromised. The Wall Street Journal reported this incident on June 28, two days after the German company said that it first learned of the breach. It is not clear how many individuals were affected or what the timeframe is for this breach, but Adidas said that a "few million" customers using the US shopping site may be affected.

Data Breach at Macy's Went Undetected for Nearly Two Months (07/10/2018)
In a letter mailed to customers, retailer Macy's has warned that a data breach occurred between April 26 and June 12, the Detroit Free Press has reported. During this period, a third party used valid usernames and passwords to access customer accounts. The third party obtained the credentials from a source that was not Macy's. The suspicious activity was first discovered on June 11. It is not known how many customers have been affected.

DOJ Says It Erred in Connecting ID Fraud Case to 2015 Data Breach (07/10/2018)
The Justice Department (DOJ), which previously said that data a Maryland woman obtained from the 2015 Office of Personnel Management (OPM) breach was used to steal identities, has backtracked on that June 18 statement. In a letter from Assistant Attorney General Stephen E. Boyd to Senator Mark R. Warner, it has been noted that an investigation "has not determined how their identity information used in this case was obtained and whether it can, in fact, be sourced directly to the data OPM breach. Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another source." The June 18 press release claimed that Karvia Cross had pled guilty in a scheme related to using stolen personal data that had resulted from the OPM breach.

Ticketmaster Data Breach Reaches Other Companies Thanks to Magecart Attacks (07/11/2018)
A data breach that hit Ticketmaster was revealed on June 27 and blamed on a third-party supplier named Inbenta. Ticketmaster has claimed that less than 5% of its global customer base had been affected. However, researchers at RiskIQ have stated that this breach was part of a larger scheme that involved digital credit card skimming and hit over 800 ecommerce sites worldwide. Magecart is the cybercriminal gang behind this scheme, which uses scripts injected into Web sites to steal data entered into online payment forms on ecommerce sites. Hackers placed one of these digital skimmers on Ticketmaster Web sites through the compromise of Inbenta.
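A digital skimmer of this kind arrives as a script on the payment page, either injected inline or loaded from a host the site owner never approved. One check a site owner can run against their own checkout page is shown below as an added example (not RiskIQ's or Ticketmaster's code): it parses the HTML, flags external scripts from hosts outside an allowlist, external scripts without a Subresource Integrity attribute, and inline scripts. The sample page, the allowlisted hosts and the `sha384-PLACEHOLDER` integrity value are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts allowed to serve script on the checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed checkout page: one clean script, one without SRI, one from an
# unexpected host (how a third-party skimmer typically arrives), one inline.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.shop.example/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://shop.example/checkout.js"></script>
<script src="https://static.analytics-example.net/a.js"></script>
<script>document.forms[0].addEventListener("submit", function () {});</script>
</head><body><form id="pay"><input name="card"></form></body></html>"""


class ScriptAudit(HTMLParser):
    """Collects (finding, detail) pairs for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self._inline = []
            return
        host = urlparse(src).hostname or ""
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unexpected_host", src))
        elif host and not a.get("integrity"):
            self.findings.append(("missing_sri", src))
        # a relative src (no host) is first-party and is not flagged here

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:
                self.findings.append(("inline_script", body[:40]))
            self._inline = None


def audit_scripts(html: str) -> list:
    """Return the list of (finding, detail) pairs for one page."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding, detail in audit_scripts(SAMPLE_PAGE):
        print(f"{finding:16} {detail}")
```

Run against a page fetched periodically from production, a non-empty result is the signal; the same policy can be enforced in the browser with a Content-Security-Policy `script-src` allowlist so that an injected script from an unexpected host is blocked rather than merely reported.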

Timehop Reports Data Breach Affecting 21 Million Users (07/10/2018)
Timehop experienced a network intrusion that led to a breach of some data, according to a statement issued by the company. The incident was detected on July 4 when a cyber attack took place, but in its preliminary investigation, Timehop said that an unauthorized third-party used an administrator's credentials to log into the company's cloud computing provider on December 19, 2017. This unauthorized user created a new administrative user account, and conducted reconnaissance activities on four separate occasions. Twenty-one million Timehop users have had their personal data compromised as a result.
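The sequence described (an admin login from a new source, creation of a new administrative account, then read-only enumeration on several occasions) is what cloud audit logs exist to surface. The detector below is an added example, not Timehop's or any cloud provider's code: it runs over a constructed, simplified audit log and raises an alert for an admin login from a source outside the actor's baseline, for user creation, for an admin policy being attached, and for a burst of enumeration calls within a short window. The log format, action names, baseline and thresholds are assumptions; real providers have their own schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit events: (timestamp, actor, action, source_ip).
SAMPLE_LOG = [
    ("2017-12-19T02:10:00", "admin-alice", "ConsoleLogin", "203.0.113.7"),
    ("2017-12-19T02:11:30", "admin-alice", "CreateUser:backup-ops", "203.0.113.7"),
    ("2017-12-19T02:11:40", "admin-alice", "AttachAdminPolicy:backup-ops", "203.0.113.7"),
    ("2017-12-19T02:15:00", "backup-ops", "ListBuckets", "203.0.113.7"),
    ("2017-12-19T02:15:05", "backup-ops", "DescribeInstances", "203.0.113.7"),
    ("2017-12-19T02:15:09", "backup-ops", "ListUsers", "203.0.113.7"),
    ("2017-12-19T02:15:12", "backup-ops", "DescribeDBInstances", "203.0.113.7"),
    ("2018-01-08T09:00:00", "admin-alice", "ConsoleLogin", "198.51.100.20"),
]

# Assumed baseline: source addresses each admin normally logs in from.
KNOWN_ADMIN_SOURCES = {"admin-alice": {"198.51.100.20"}}

# Read-only enumeration calls; a burst of these from a fresh account is reconnaissance.
RECON_ACTIONS = {"ListBuckets", "DescribeInstances", "ListUsers", "DescribeDBInstances"}


def detect(log, known_sources, window=timedelta(minutes=5), recon_threshold=3):
    """Return alerts as (rule, actor, detail) tuples, in log order."""
    alerts = []
    recent_recon = defaultdict(list)  # actor -> timestamps of recent recon calls
    for ts, actor, action, ip in log:
        t = datetime.fromisoformat(ts)
        if action == "ConsoleLogin" and actor in known_sources and ip not in known_sources[actor]:
            alerts.append(("admin_login_new_source", actor, ip))
        if action.startswith("CreateUser:"):
            alerts.append(("new_user_created", actor, action.split(":", 1)[1]))
        if action.startswith("AttachAdminPolicy:"):
            alerts.append(("admin_policy_attached", actor, action.split(":", 1)[1]))
        if action in RECON_ACTIONS:
            bucket = [x for x in recent_recon[actor] if t - x <= window] + [t]
            recent_recon[actor] = bucket
            if len(bucket) == recon_threshold:  # fire once per burst
                alerts.append(("enumeration_burst", actor, f"{len(bucket)} calls in {window}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_LOG, KNOWN_ADMIN_SOURCES):
        print(f"{rule:24} {actor:12} {detail}")
```

Detection here is a backstop: the control that would have stopped the intrusion described is multi-factor authentication on the cloud console account, so that a stolen password alone does not grant an admin session.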

CyberCrime – W/E – 071318

Charming Kitten Threat Entity Impersonates ClearSky's Web Site (07/06/2018)
ClearSky Cyber Security, which has reported on a threat group known as Charming Kitten in the past, warned that the threat entity created a phishing site and impersonated the company. Charming Kitten, which is comprised of Iranian hackers, created the clearskysecurity\.net site and copied pages from the actual ClearSky Web site and included a sign-in option for visitors. In a separate post, ClearSky said, "These sign-in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate Web site does not have any sign in option."

Cyber Thieves Selling RDP Access to Companies for Fun and Profit (07/11/2018)
McAfee uncovered evidence that access connected to building automation and security systems for a major international airport can be purchased for as little as $10 USD in underground markets. While assessing several shops that sell Remote Desktop Protocol (RDP) access to infected machines, McAfee found a Russian business selling administrator access to a Windows Server 2008 R2 Standard machine that belonged to a US city. The going price was $10. Further scrutiny found IP addresses that belonged to a major airport's accessible login screens. Cybercriminals can gain RDP access to critical systems as a result of lax security practices.

Gentoo Admits to Cyber Attack on GitHub (07/06/2018)
An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. The entity then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content. The attack took place on June 28. In a post regarding the incident, Gentoo said that a password appeared to be to blame. "Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated Web pages," the report stated.

Hamas Spied on Israeli Soldiers Via Tainted Google Play Apps (07/06/2018)
The Israel Defense Forces (IDF) discovered a campaign launched by Hamas in which the militant group hacked the smartphones of Israeli soldiers who were using dating and World Cup apps to steal sensitive information, Haaretz has reported. The apps enabled Hamas to implant malware on the phones, cull such data as pictures and email addresses, and take remote control of the devices' microphones and cameras. At some points, Hamas filmed activities taking place on IDF bases without the knowledge of the soldiers. IDF security personnel first started receiving complaints from military staff in January about suspicious activity on social networks in which soldiers were pushed to download specific apps from Google Play. If downloaded, those apps gave the attackers access to all information on IDF devices.

TEMP.Periscope Gang Targets Cambodia's July Elections (07/11/2018)
Multiple Cambodian entities with ties to the country's electoral system have been hacked as the July 29 election draws near and the TEMP.Periscope gang is to blame. In research conducted by FireEye, this group, which has connections to the Chinese government, used the same infrastructure against other targets globally including the defense industrial base in the United States and a chemical company based in Europe. TEMP.Periscope has been active since at least 2013 and typically focuses on infiltrating maritime-related targets across multiple verticals, research universities, professional/consulting services, high-tech industry, healthcare, and media/publishing.

Acquitted of buying Cerveró's silence, Delcídio Amaral sees a legal loophole to return to politics

Few paid much attention to the Supreme Federal Court's (STF) decision to restore the political rights of former Goiás senator Demóstenes Torres, whose mandate was revoked in 2012, when he was in the DEM, for defending the interests of the illegal lottery boss Carlinhos Cachoeira in Congress. He was supposed to remain ineligible until 2027, but the STF gave him the chance to run this year if he wishes.

On Friday afternoon, former PT senator Delcídio Amaral, removed from office after striking a plea deal denouncing his colleagues, told The Intercept Brasil that he is studying a way to return to politics, and wants to use the "Demóstenes solution". "We'll evaluate it... but I'm still a bit shaken by what happened yesterday," the 62-year-old said, referring to an acquittal that seemed unexpected to him.

He, former president Luiz Inácio Lula da Silva and banker André Esteves were acquitted of the charge of having tried to buy the silence of former Petrobras director Nestor Cerveró, one of the most talked-about plea deals of Operation Lava Jato.

I met Delcídio on Friday on the white floor of the 4th story of one of the Federal Court buildings in Brasília. Wearing a white T-shirt under a long-sleeved blue shirt and gray jacket, cream trousers and dark shoes, Delcídio said that the decision to return to politics still depends on his family's opinion, which for now is against it. "It was very hard for my mother, my daughters, my brother. I was in a Formula 1 car, in a Ferrari, and suddenly a wall appeared in front of me."

With the acquittal, he reasons, there would be no criminal grounds left to justify the loss of political rights after his removal from the Senate, precisely for trying to obstruct Lava Jato, something the courts now say he did not do. The would-be candidate Demóstenes can run even without an acquittal: his case was annulled because there were wiretaps against a member of parliament authorized only by a first-instance judge, which is illegal. "In Demóstenes' case, they annulled it. In my case, it's an acquittal. It's much stronger," Delcídio said.

Brasília, DF, Brazil, 11 July 2012, 1:30 pm: Senator Demóstenes Torres and his lawyer, Antonio Carlos de Almeida Castro, await the result of the vote on the revocation of his mandate on the Senate panel, in an extraordinary session held in the plenary of the Federal Senate in Brasília (DF). His mandate was revoked by 56 votes in favor, 19 against and 5 abstentions.

Photo: Alan Marques/Folhapress

Half an hour before we spoke, Delcídio was in the hearing room of the 10th Federal Court. At the table with him was his lawyer, Carla Tortato. In the background was his former aide Eduardo Mazargão, the same man who recorded then PT minister Aloízio Mercadante offering Delcídio a kind of "solidarity" while he was in jail, by order of then STF justice Teori Zavascki, a detention carried out in November 2015. Mercadante was allegedly trying to buy Delcídio's silence, a very dangerous case of friendly fire inside the PT. He turned informant.

Judge Ricardo Leite, the same one who acquitted the former senator the day before, received on Friday the defense lawyer's activity report informing the court that Delcídio was properly fulfilling his obligations as a cooperating witness:

– So you really became a rancher? – the judge asked.

– Did you know my family liked it? – Delcídio replied. – You start to acquire a taste for it.

Delcídio is looking after ranches his family has owned since his great-grandfather's time, in Corumbá, Mato Grosso do Sul, on the bank of the Paraguay River on the border with Bolivia. There are more than 10,000 head of Nelore cattle. He was "sorting cattle" yesterday afternoon in the middle of the bush when he received the phone call from Mazargão telling him he had been acquitted. He celebrated, but said he did not like TV Globo's report on the case.

An engineer and former executive at Shell and Petrobras, Delcídio has belonged to both the PSDB and the PT. He was government leader in the Senate under the Dilma Rousseff government. He served in Zeca do PT's government of Mato Grosso do Sul. It was he who introduced Lula to rancher José Carlos Bumlai during the 2002 election campaign. Bumlai was another defendant acquitted in yesterday's case.

The preliminary assessment is that, with his political rights restored, the former senator and informant would have a good chance of winning. "People think I was wronged," he said. But probably only in elections from 2020 onward. Today, one of the main candidates for governor of Mato Grosso do Sul is former judge Odilon Oliveira of the PDT, who sent a string of drug traffickers to prison and lives surrounded by bodyguards even after retiring.

At the hearing with Judge Ricardo Leite, the former senator undertook to report periodically, from now on, to the federal court in Campo Grande. Prosecutor Ivan Cláudio Marx, who was also at the table, agreed, but made it conditional on a later analysis of whether the agreement would be maintained. Marx lost the arm-wrestling match with Delcídio: it was he who requested the former senator's conviction for buying Cerveró's silence, in partnership with Bumlai (the prosecutor sought the acquittal only of Lula and Esteves), and also asked that the plea agreement be rescinded.

The former senator's lawyers asked that Marx's conduct be investigated by the National Council of the Public Prosecutor's Office, but nothing came of it.

Despite this, the mood was cordial. Before entering the room, Marx went to greet Delcídio, Carla and Mazargão. "How are you?" the prosecutor said before starting a brief conversation, out of the reporter's earshot. Inside the room, a white cup of coffee was placed in front of the former senator by the judge's clerk. Two flasks of coffee, a jug of iced water and disposable cups sat on a tray, also available to the lawyer, Mazargão, the judge and the prosecutor.

It was in this setting that Delcídio explained why he has not yet paid the R$ 1.5 million fine. He said he had split it into gentle installments of just over R$ 100,000 a year, to be paid off by 2026.

Other cases

Delcídio is not entirely free of the courts. He is a defendant in a case investigating the payment of bribes in Petrobras' purchase of the Pasadena refinery. He confessed to paying the bribe, but claims it was merely "off-the-books funds for the 2006 campaign." In the indictment of the so-called "PT gang," Rodrigo Janot stopped listing him as a defendant, making him a cooperating witness instead.

He also admitted other crimes in his plea agreement and implicated former presidents Dilma Rousseff and Luiz Inácio Lula da Silva in a series of damaging accounts about the two. In his view, it was his plea deal that drove the 2016 impeachment. "They [the investigators] got into Congress," he says.

In the middle of the hearing, lawyer Carla Tortato opened her small laptop. She consulted the plea agreement and informed the judge that he had already complied with a series of measures imposed by it. But he still has to perform seven hours of community service per week for six months. Leite replied that this would be set later. The lawyer agreed.

Until then, Delcídio looks after cattle, compares his case with that of Demóstenes Torres, gives new statements as a cooperating witness here and there, defends himself in many cases, and thinks about getting back behind the wheel of his political Formula 1 car.

The post Acquitted of buying Cerveró's silence, Delcídio Amaral sees a legal loophole to return to politics appeared first on The Intercept.

What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court

How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.

The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of the first in the world in which ransomware developers appeared in court and were convicted for creating and spreading ransomware.

They were responsible for creating the ransomware families CoinVault and BitCryptor. CoinVault, the better known of the two, made its appearance in late 2014. The technically skilled programmers had examined the source code of CryptoLocker, the notorious ransomware family that first struck in 2013. The brothers were not very impressed and agreed that they could do a better job. What might have started out as a fun technical challenge turned into a criminal business.

The CoinVault and BitCryptor campaigns were not as widespread as CTB-Locker, CryptoWall, or Locky ransomware campaigns. Nor did they profit as much from it, but this case is nevertheless uncommon. It is rare that the developers of ransomware are caught, let alone confess their crimes. This case gives us an opportunity to understand what drove them down a path to cybercrime.

The challenge

Why would someone write malicious code and infect thousands of people? The judge asked the brothers the same question. Their response was “Because it was a technical challenge.” “But didn’t you realize you were dealing with people?” the judge responded. Both brothers answered that they did not; they were dealing with computers and never met their victims face to face.

The judge and prosecutor did not accept their explanation. CoinVault had a built-in helpdesk function to communicate directly with their victims, thus registering their pleas. The brothers’ standard reaction was merciless: “Just pay the money; otherwise we won’t decrypt.” According to the prosecutor, they had plenty of opportunities to see the consequences of their actions but chose to ignore them for money.

At the trial they said they were sorry and tearfully regretted what they had done. But were these mere crocodile tears because they got caught? During CoinVault’s lifespan, several versions of the ransomware were released. Every new version was a reaction to blogs written by security researchers and takedowns performed by law enforcement. Instead of realizing that they were making a mistake and stopping, the brothers saw it as a challenge, a digital game of cat and mouse, and constantly improved their malicious code.

Their continued improvement of the ransomware shows a lack of empathy for their victims. Was there no one in their social surroundings who could straighten their moral compasses and talk sense into them?

The payment

A ransomware criminal must decide the amount of ransom to charge. Generally the more targeted a ransomware attack is, the higher the ransom demand will be. CoinVault’s infections were not targeted at one organization; they charged only US$250. The two brothers explained that they chose that price to be low enough for an average person to pay while still making a good profit. The prosecutor remarked ironically that they were “very noble [to keep] their ransom demand affordable.”

The infection

The two brothers did not directly infect their victims with ransomware; they took a multistep approach. Their distribution method was via newsgroup channels. They hooked a small piece of malicious code to known software or license-key generators before posting the software packages on the newsgroups. Once victims installed the package or ran the key generator, they would become part of a botnet through the software the brothers named Comhost, which can record keystrokes, search for credentials, and steal Bitcoin wallets. Comhost can also upload and execute binaries received from the control server they named Sonar. (We believe Sonar is a modified version of the popular Solar botnet software.)

The Sonar botnet panel.

Once they had accumulated enough bots, they simply pushed CoinVault to all their victims and locked thousands of computers at once. This method made it hard for victims to figure out how they were attacked, because weeks could pass between the initial infection and the encryption. By spreading their ransomware via newsgroups with pirated software, they discouraged victims from going to the police out of fear of prosecution and copyright-violation fines.

The CoinVault lock screen.

The arrest

In April 2015, the National High Tech Crime Unit of the Dutch Police seized the control servers for CoinVault. After the police investigated, the two brothers, aged 18 and 22 at the time, were arrested in Amersfoort, Netherlands, on September 14, 2015. Systems were infected not only in the Netherlands, but also in the United States, Germany, France, and the United Kingdom. Their mistakes? Using flawless Dutch in the ransom notes, and on one occasion logging in to their control server from their home connection instead of over Tor.

Flawless Dutch in the ransomware code.

Although they used an obfuscator tool (Confuser) for their code, in some of the samples the full name of one of the authors was present, because they did not clean up the debugging path.

Example:

 c:\Users\**********\Desktop\Coinvault\coinvault-cleaned\obj\Debug\coinvault.pdb
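Checking a sample for this kind of leak can be automated. The following is an added example, not McAfee tooling: it scans a binary for CodeView RSDS debug records, pulls out the PDB path, and flags any that sit under a Windows user-profile directory. The sample bytes are constructed for the demo, and the account name "exampleuser" is a placeholder, not a name from the case.

```python
"""Pull CodeView (RSDS) debug records out of a binary and flag PDB paths that
expose a developer's account name, the mistake noted above. Added example,
not McAfee tooling; the sample bytes and the account name are constructed."""
import re
import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional, Set

# CodeView 7.0 record as embedded by MSVC/.NET linkers:
# 'RSDS' | 16-byte GUID | uint32 age | NUL-terminated PDB path
_RSDS = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[ -~]{1,512}?)\x00", re.DOTALL)

# Profile roots whose next component is an account name (heuristic, constructed for this example)
_PROFILE_DIR = re.compile(r"(?i)^[a-z]:\\(?:Users|Documents and Settings)\\(?P<user>[^\\]+)\\")


@dataclass
class PdbRecord:
    guid: str
    age: int
    path: str
    user: Optional[str]   # account name when the path lies under a user profile, else None


def extract_pdb_records(data: bytes) -> List[PdbRecord]:
    """Scan the whole blob rather than walking the PE debug directory, so the
    check also works on carved, packed-then-dumped or partially corrupted samples."""
    records = []
    for m in _RSDS.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group("guid")))   # PE stores the GUID little-endian
        age = struct.unpack("<I", m.group("age"))[0]
        path = m.group("path").decode("ascii")             # regex already restricts to printable ASCII
        pm = _PROFILE_DIR.match(path)
        records.append(PdbRecord(guid, age, path, pm.group("user") if pm else None))
    return records


def leaked_usernames(data: bytes) -> Set[str]:
    """Account names an analyst would flag (and a developer should have scrubbed before release)."""
    return {r.user for r in extract_pdb_records(data) if r.user}


def _rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Lay a record out the way the linker does (used here only to build the constructed sample)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed stand-in for a compiled sample: header filler, one leaky record, one clean record
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + _rsds(uuid.UUID("12345678-1234-5678-1234-567812345678"), 1,
            r"c:\Users\exampleuser\Desktop\Coinvault\coinvault-cleaned\obj\Debug\coinvault.pdb")
    + b"\x00" * 16
    + _rsds(uuid.UUID("87654321-4321-8765-4321-876543218765"), 3, r"D:\ci\release\obj\app.pdb")
)

if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE):
        flag = f"LEAKS ACCOUNT '{rec.user}'" if rec.user else "ok"
        print(f"{rec.guid} age={rec.age} {rec.path}  [{flag}]")
```

Running the same scan over a whole corpus of samples and grouping on the GUID/age pair also groups builds from one workstation, which is how the "same author" link becomes visible even when the path itself has been shortened.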

From grabbing keys to No More Ransom

During the investigation the Dutch police obtained all the decryption keys for CoinVault and partnered with the private sector to build a decryption tool for CoinVault ransomware, successfully mitigating a large portion of the damage caused by CoinVault. This effort gave birth to No More Ransom, an online portal supported by the public and private sector with the planet’s largest repository of free ransomware decryption tools. No More Ransom now has decryptors for 85 ransomware versions. This global initiative has prevented millions of dollars from falling into the hands of cybercriminals. McAfee is proud to be one of the founding members of No More Ransom.

Nomoreransom.org

The next steps

Extorting people with ransomware is wrong, and perpetrators must be held accountable. It is sad to see two talented young people choose a pathway to cybercrime and waste their skills—skills sorely needed in the cybersecurity sector. We hope they will have learned a lesson as they endure the consequences of their actions. The sentencing will take place in about two weeks. Perhaps after they serve their time, they will find someone willing to give them a second chance.

The post What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court appeared first on McAfee Blogs.

IC3 Warns of Business Email Compromise Scams

Original release date: July 13, 2018

The Internet Crime Complaint Center (IC3) has released an alert on business email compromise scams. This type of scam targets businesses and individuals by using social engineering or computer intrusion to compromise legitimate email accounts and conduct unauthorized fund transfers or obtain personally identifiable information.

NCCIC encourages businesses and individuals to refer to the IC3 Alert and the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks.

12 Russian Intelligence Officers Accused of Hacking DNC During 2016 Election

The U.S. Justice Department has charged a dozen Russian intelligence officers with a series of hacking offenses against the Democratic National Committee (DNC). Deputy Attorney General Rod Rosenstein announced the indictments on Friday as part of the ongoing investigation into Russia’s possible interference with the 2016 presidential election. The indictment accuses the Russian intelligence officers […]

The post 12 Russian Intelligence Officers Accused of Hacking DNC During 2016 Election appeared first on The State of Security.

CVE-2018-10875

A flaw was found in Ansible: ansible.cfg is read from the current working directory, so a config file there can be altered to point the plugin or module path at a location under the control of an attacker, allowing the attacker to execute arbitrary code.
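One way a config loader can defend against this class of bug, shown here as an added example rather than Ansible's actual fix: before honouring an ansible.cfg found in the working directory, check that neither the directory nor the file could have been written by another account, and fall through to the next candidate otherwise. The directory layout and config contents are constructed for the demo; the function names are mine.

```python
"""Trust check for a configuration file discovered in the current working
directory. Added example illustrating the class of fix for CVE-2018-10875,
not Ansible's own code: a config that other users could have planted or
edited must not be allowed to redirect plugin or module paths."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def trust_problems(cfg: Path, uid: Optional[int] = None) -> Tuple[str, ...]:
    """Return the reasons cfg must not be honoured; an empty tuple means it is trusted."""
    uid = os.getuid() if uid is None else uid
    try:
        d = cfg.parent.stat()
        f = cfg.stat()
    except FileNotFoundError:
        return ("missing",)
    problems = []
    if d.st_mode & stat.S_IWOTH:
        # Anyone could have dropped this file here before we changed into the directory
        problems.append("directory world-writable")
    if f.st_uid != uid:
        problems.append("file owned by another user")
    if f.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file writable by group/others")
    return tuple(problems)


def choose_config(candidates: Tuple[Path, ...]) -> Tuple[Optional[Path], Dict[str, Tuple[str, ...]]]:
    """Walk the search order (cwd first, as in the vulnerable lookup) and return the first
    trusted file plus every skipped candidate with its reasons, so the caller can warn."""
    skipped: Dict[str, Tuple[str, ...]] = {}
    for cand in candidates:
        problems = trust_problems(cand)
        if not problems:
            return cand, skipped
        skipped[str(cand)] = problems
    return None, skipped


def demo_scenario() -> Dict[str, object]:
    """Constructed scenario: the same ansible.cfg in a world-writable and in a private directory."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfgs = {}
        for name, mode in (("shared", 0o777), ("private", 0o755)):
            d = Path(tmp, name)
            d.mkdir()
            cfg = d / "ansible.cfg"
            # Constructed content: a relative module path, the redirection the CVE describes
            cfg.write_text("[defaults]\nlibrary = ./modules\n")
            cfg.chmod(0o644)
            d.chmod(mode)   # set after writing so the file itself is identical in both cases
            cfgs[name] = cfg
        out["shared"] = trust_problems(cfgs["shared"])
        out["private"] = trust_problems(cfgs["private"])
        chosen, skipped = choose_config((cfgs["shared"], cfgs["private"]))
        out["chosen_dir"] = chosen.parent.name if chosen else None
        out["skipped"] = len(skipped)
    return out


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```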

Need for Speed: Optimizing Data Masking Performance and Providing Secure Data for DevOps Users

Let’s start with a pretty common life experience — you identify a need (e.g., transportation), you evaluate your options (e.g., evaluate car manufacturers, various features, pricing, etc.), and you decide to purchase (e.g., vehicle X). This process repeats itself over and over again regardless of the purchase. What typically happens following the purchase decision is also equally likely and transferrable — that is: How do I improve it? Increase efficiency? Can I tailor it to my individual needs?

For most technology purchases, including those related to data security — and data masking in particular — the analogy holds equally true. For many of our data security customers, the desire to optimize the through-put, run-rate, or outputs from the solutions they invest in is becoming increasingly important as they race to achieve regulatory compliance with key data privacy requirements and regulations such as the European (EU)-wide General Data Protection Regulation (GDPR), HIPAA, or PCI-DSS. Equally important is that most organizations are looking to mitigate the risk of sensitive data exposure and optimize their DevOps function; allowing more end-users to access data for test and development functions, without the risk associated with using sensitive data. And, they want all this to be achieved FASTER.

Imperva offers a variety of data security solutions to support these increasingly common organizational challenges, including Imperva Camouflage. Our industry-leading data masking solution and best practice implementation process offer a one-stop means to achieve compliance support and reduce data risks in DevOps, while meeting end-user processing expectations. Simply put: the process involves the use of a production database copy, upon which the data is classified for masking, and transformation algorithms are then applied to produce fictional — but contextually accurate — data that is substituted for the original source data; all done in an expeditious manner to meet the need for speed.

You’ve decided you need data masking, but your end-users want more

In previous blogs and webinars, we highlighted the value that data masking provides for protecting data privacy and supporting industry and regulatory compliance initiatives. Industry analysts continue to see ongoing and expanding use cases and demand for the technology. This is largely due to the fact that organizational data capture and storage of data, and sensitive customer data, in particular, continues to grow. Further, changing data applications; database types, migration to the cloud (for DevOps), privacy regulations required for de-identified data, and the growth of big data applications and various data use cases all combine to drive the added need for data masking technologies and their diversification and advancement.

So, organizations are seeing the value of data masking, and many have implemented it into their overall data security strategies to provide yet another critical layer. That said, they are also demanding increased speed of masked copy processing and provisioning to ensure their DevOps teams continue to deliver on business-critical processes. How then can data masking be optimized? Let’s first take a look at typical performance considerations, and then review how the process can be optimized for end-users.

How do you measure data masking ‘performance’?

One of the most common questions asked during a sales cycle, POC or implementation relates to the length of time it will take to mask data, and how that performance is measured. The quick answer is ‘it’s complicated’. Data Masking run-rate performance is typically measured in rows per second. This is the metric most often cited by our customers, but the underlying size of a row can and does vary significantly depending on how wide the particular tables are, therefore impacting performance comparison.

Additionally, the variance in data volumes and data model complexity make it challenging to provide specific performance numbers; but these are batch processes that modify large amounts of data (excepting discovery) and therefore consume a significant amount of time for large amounts of data. That said, Imperva offers a number of avenues to optimize performance for a given customer/client’s requirements and can be reverse engineered in most cases to achieve the desired performance or run-time metric. We’ll get into the specifics on this shortly.

Aside from the inherent capabilities of the software solution itself, there are several factors that influence the performance of data masking that we discuss with our customers. We also explain that the various combination of these make it challenging for any vendor to pinpoint exact masking run times. We’ve consolidated the performance-impacting variables into three key variables, including database characteristics, hardware requirements, and masking configurations. Let’s review each of these:

  1. Database characteristics:

In general, a large database takes longer to mask than a small database: pretty simple! To be more specific, the height and width (row count and columns per row) of the tables being masked directly affect the runtime. Tall tables, with high row counts, have more data elements to process than shorter tables.

In contrast, wide tables containing extraneous non-sensitive information introduce I/O overhead throughout the data transformation process, because the non-sensitive columns are still read and written, in part, during the transformation. This makes the input of the DevOps SMEs key to assessing the underlying databases and helping scope the performance requirements.

  2. Hardware requirements:

Data masking can be a relatively heavy process on the database tier in that it copies and moves a significant amount of data in many cases. As we employ our best practice implementation process using a secure staging server, this introduces yet another variable that influences throughput, but also an opportunity. The processing power and I/O speed on the database staging tier greatly influence the performance, regardless of the vendor or solution being deployed. When we provide base hardware specifications to customers for the staging server, we make this clear. We also help by providing a range of hardware options depending on the underlying environment characteristics and end-user requirements, noting that where SLA windows for masking are tight, appropriate hardware should be provisioned to accommodate them. The good news is that this is an easy configuration, and most customers already have access to all the tools they need to size their staging server to their specific requirements.

  3. Masking configurations within the projects:

The details of the security and data masking requirements, which are driven by the organization, also influence performance. In particular, the amount and complexity of the masking being applied have an impact on masking run times. From our experience, in cases where typical sensitive data element types require masking, the data resides in 15% – 20% of the tables. If higher security requirements are imposed and additional data elements are included, this could expand to include as many as 30% – 40% of the tables.

In addition to the volume of data being masked, the specific data transformations also influence the runtimes. There are different types of data transformers, and they each have different performance characteristics based on the manner in which they manipulate data. For example, ‘Data Generators’ synthesize fictitious numbers such as credit card and phone numbers, whereas ‘Data Loaders’ load data, such as shuffling names and addresses drawn from defined sets. The business needs usually dictate which transformer should be used for a given data element, but sometimes the business requirement can be met with one or more transformers. In those cases, the option chosen can have an impact on performance.
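To make the generator-versus-loader distinction concrete, here is an added example (not Imperva Camouflage code) implementing one of each in Python: a Luhn-valid card-number generator and a name loader drawing from a fixed set, both keyed so that a given original value always masks to the same fake value, which keeps joins across tables intact. The key, the name set, the sample rows and the benchmark sizes are all constructed for the demo.

```python
"""Two masking transformer styles: a 'generator' that synthesizes format-valid
card numbers and a 'loader' that substitutes names from a fixed set. Added
example, not vendor code. Both are deterministic per input value (keyed hash),
so the same original masks to the same fake value in every table."""
import hashlib
import hmac
import random
import time
from typing import Callable, Dict, List

# Constructed secret; in practice it lives in a vault and never ships with the masked copy.
MASK_KEY = b"constructed-demo-key"


def _seed(value: str) -> int:
    """Keyed hash: consistent mapping, but not invertible without the key."""
    return int.from_bytes(hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()[:8], "big")


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def generate_card(original: str) -> str:
    """Generator transformer: a fresh Luhn-valid number of the same length that keeps only
    the original's leading (major industry identifier) digit, so test code exercising
    card-type logic still behaves sensibly."""
    if len(original) < 2 or not original.isdigit():
        raise ValueError("expected a numeric card number of at least two digits")
    rng = random.Random(_seed(original))
    body = original[0] + "".join(str(rng.randrange(10)) for _ in range(len(original) - 2))
    return body + luhn_check_digit(body)


# Constructed substitution set standing in for a loader's lookup table
FAKE_NAMES = ["Avery Stone", "Jordan Lake", "Casey Reed", "Morgan Hale", "Riley Voss"]


def load_name(original: str) -> str:
    """Loader transformer: pick a replacement from the defined set, consistently per input."""
    return FAKE_NAMES[_seed(original) % len(FAKE_NAMES)]


def mask_rows(rows: List[Dict[str, str]],
              transformers: Dict[str, Callable[[str], str]]) -> List[Dict[str, str]]:
    """Apply per-column transformers; untouched columns pass through (the pass-through
    columns are exactly the I/O overhead the post attributes to wide tables)."""
    return [{col: transformers.get(col, lambda v: v)(val) for col, val in row.items()}
            for row in rows]


def benchmark(n: int = 20000) -> Dict[str, float]:
    """Rows per second for each transformer over n constructed values (illustrative only;
    absolute numbers depend on the host, the ratio between them is the point)."""
    rates = {}
    for label, fn, sample in (("generator", generate_card, "4111111111111111"),
                              ("loader", load_name, "Jane Example")):
        t0 = time.perf_counter()
        for i in range(n):
            fn(f"{sample}{i}" if label == "loader" else f"{sample}{i % 10}")
        rates[label] = n / (time.perf_counter() - t0)
    return rates


if __name__ == "__main__":
    # Constructed sample rows; the card number is the classic test PAN, not a real account
    rows = [{"id": "7", "name": "Jane Example", "pan": "4111111111111111"},
            {"id": "8", "name": "Jane Example", "pan": "5500000000000004"}]
    for row in mask_rows(rows, {"name": load_name, "pan": generate_card}):
        print(row)
    print(benchmark())
```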

For each of these key variables, it’s important to assess the business requirements and then balance appropriately with regards to the complexity of the underlying data model, the staging server horsepower, and the methods applied for the masking process. Imperva’s depth of experience in this regard provides additional value to customers when they are looking to understand the best implementation approach to meet both data security and end-user requirements. It’s a critical piece of the puzzle.

We know what impacts performance and what to consider beforehand. Now, how do we make it even better?

While we’ve focused on the more tool-agnostic variables that impact masking performance, there are also considerations within the tool itself that can help fine-tune the end result. For Imperva’s solution, there are a variety of levers that can be used to customize and optimize high-volume/high-throughput masking. For example, performance settings within the solution can be adjusted at multiple levels of the application stack including (a) the database server, (b) the Imperva Camouflage application server, and (c) within the masking engine itself to maximize performance. Settings for parallelization of operations, flexible allocation of hardware resources (RAM) and the use of bulk-SQL commands during masking operations, are some of the ways in which the performance and scalability of the Imperva Camouflage solution can also be configured.

A number of approaches for maximum scalability and performance are also available within the Imperva Camouflage solution that can be considered depending on the environment and requirements, including:

  • Multi-Threading – parallelization is used throughout Imperva Camouflage to enable masking to scale to the largest of databases and masking targets. This includes the capability to process many database columns at the same time while accounting for dependencies within certain databases.
  • Optimized SQL – although invisible to the user, Imperva Camouflage refines the SQL used to effect the masking depending on the database type as well as the particular masking operation being performed. No configuration changes are necessary to take advantage of bulk-SQL and other commands that minimize database logging overhead.
  • Execution on the Database Tier – many operations are performed directly on the database server(s) which has the effect of minimizing data movement over the network thereby maximizing performance. It also leverages the hardware resources that are typically dedicated to database servers.
  • Parallelization on the Database Tier – wherever possible, operations are performed in parallel using multiple instances on the database tier as well. For some environments, this is a combination of database engine settings as well as Imperva Camouflage configuration. By scaling up or down, the masking process can be made to conform to the needs/constraints of the given masking operation. This is one area where Imperva typically spends time with its customers and masking end users to ensure they are maximizing the tool’s performance.

It’s also important to reinforce that regardless of the solution, the storage architecture and configuration have a significant impact on performance. Faster storage with reads/writes spread across multiple disks will result in better performance overall. In many cases, database and storage tiers are configured for transactional workloads which are different from the bulk/batch workload that masking represents. Better performance will be found with faster storage that is in the same data center as the database server being masked, period!

Slow down to Speed up!

So, there are clearly a variety of factors that impact the run-rate of data masking, and yet there are a variety of levers (once understood) that can be pulled to optimize performance and achieve end-user expectations. Additionally, leveraging industry-recognized, purpose-built solutions and best-practice implementation expertise offers a much more efficient and effective way to optimize data masking run-rates, and offers a more scalable and sustainable process over the long term.

The key is to slow down during the implementation phase. Understand your requirements. Understand your data model. Understand what resources you need to apply to your staging server and your masking processes, and you’re well on your way to optimizing the resulting output. At the end of the day, Imperva can in most cases reverse engineer a customer’s desired performance requirements and configure the solution, processes, and recommended hosting architecture to achieve the desired result.

Imperva offers a variety of data security solutions to support organizational data security efforts, with Imperva Camouflage offering industry-leading support for masking (and/or pseudonymizing) data to help achieve privacy compliance requirements (e.g., GDPR) and mitigate the risk of a costly data breach within the various DevOps environments.

Get in touch to learn more about Imperva Camouflage and Imperva’s broader portfolio of data security solutions. Also, feel free to test-drive SCUBA, our free database vulnerability scanner tool, and/or CLASSIFIER, our free data classification tool.

CVE-2013-0570

The Fibre Channel over Ethernet (FCoE) feature in IBM System Networking and Blade Network Technology (BNT) switches running IBM Networking Operating System (aka NOS, formerly BLADE Operating System) floods data frames with unknown MAC addresses out on all interfaces on the same VLAN, which might allow remote attackers to obtain sensitive information in opportunistic circumstances by eavesdropping on the broadcast domain. IBM X-Force ID: 83166.

Threat Hunting Methodologies

resources.infosecinstitute.com - Threat hunting is a proactive and iterative approach to detecting threats. It falls under the active defense category of cybersecurity since it is carried out by a human analyst, despite heavily rely…


Tweeted by @MigoKed https://twitter.com/MigoKed/status/1017880270299639810

The Dialysis Industry Is Putting Profits Over Patients. A California Democratic Party Official is Quietly Helping Them

Earlier this week, the California Democratic Party announced that it would no longer accept contributions from the private prison industry, and that it would donate the $160,000 it received from the top two prison operators — GEO Group and CoreCivic — to organizations that assist immigrants and ex-offenders. It was a heartening reversal of pay-to-play politics, made possible by an organized activist movement capitalizing on financial disclosure.

But pay-to-play still has a role within the party. According to financial statements, party vice chair Alex Gallardo-Rooker received $30,000 in the first quarter of this year from opponents of a controversial ballot measure that would cap patient payments at outpatient dialysis facilities. She waited several weeks to make a written disclosure of this relationship, contravening the party bylaws. And critics claim that she continues to stay quiet about her role as a paid consultant, even while attempting to persuade party members to oppose the initiative. It’s unclear whether Gallardo-Rooker continued receiving payments after March; second-quarter financial statements have not yet been released.

The ballot measure, Proposition 8, is modeled after the medical loss ratio in the Affordable Care Act, which mandates that insurance companies use 85 percent of revenue on medical care. Prop 8 would force dialysis facilities to devote 85 percent of their revenue to actual treatment, and refund patients if annual profits go above that threshold. The goal is to get clinic owners to update equipment and improve training at the 555 privately owned clinics in the state.

The opposition campaign, “No on 8,” claims that capping clinic profits will force widespread closures at a time when more Californians need dialysis. But supporters disagree, emphasizing that it would force reinvestment in patient care rather than executive compensation. Supporters of Prop 8 include labor unions, while the main opponents are the two companies that dominate dialysis treatment — DaVita and Fresenius. They are bankrolling the “No on 8” opposition campaign — the same campaign which has paid Gallardo-Rooker.

“An officer of our party failing to disclose her material financial interest in conversations while lobbying against workers is simply not in line with what we claim to stand for,” said Melissa Demyan, co-chair of the party’s resolution committee and a supporter of Prop 8.

Gallardo-Rooker, herself a labor leader with the Communications Workers of America, accepted three $10,000 payments as a “campaign consultant” from the opposition campaign, according to state disclosures.

“She accepted $30,000 from the ‘No’ campaign. $30,000 is more than I made last year,” said Demyan, whose committee will be deciding whether to endorse the initiative at the party’s executive board meeting this weekend.

Under a new bylaw of the California Democratic Party, any “material financial relationship” of over $1,000 with a candidate or ballot measure must be disclosed. For party officers like Gallardo-Rooker, that means filing a quarterly statement itemizing the compensation. The rule also requires party members to disclose their relevant financial relationships whenever addressing party members in meetings or in written communications about the campaign in question.


California State Senator Josh Newman walked onstage wearing a bear mask and danced with Democratic Party Vice-Chair Alex Gallardo-Rooker before addressing delegates on the final day of the California Democratic State Convention in Sacramento, Calif., on May 21, 2017.

Photo: Jay L. Clendenin/Los Angeles Times via Getty Images


But Gallardo-Rooker’s initial first-quarter financial statement, issued April 15, did not mention the payments from the “No on 8″ campaign. Only an amended filing on May 30 included the material financial relationship with “Patients and Caregivers to Protect Dialysis Patients,” the formal name of the “No” campaign coalition. The disclosure did not specify the dollar amount.

Moreover, party members claim that Gallardo-Rooker has not followed the disclosure rules in verbal communications. For example, Gallardo-Rooker has invited delegates in San Bernardino, Kings, and Ventura counties on tours of DaVita clinics without disclosing her financial relationship with the company. “She made a phone call to me and asked me to talk to these people,” said John Griffin, the chair of the Ventura County Democratic Party. Griffin said that Gallardo-Rooker did not disclose at that time that she was a paid consultant. “I’ve since approached her and told her I would have appreciated her mentioning that. I had the impression that this was something the party was recommending.” Griffin, an SEIU member, has since endorsed the initiative.

Gallardo-Rooker has also asked caucus chairs to give her time to speak in opposition to Proposition 8 at their caucuses during this weekend’s executive board meeting. RL Miller, the chair of the party’s environmental caucus, declined the offer because Proposition 8 had nothing to do with environmentalism. “I don’t remember exactly, but I said either, ‘Are you working for the opposition?’ or ‘Are you opposing the initiative?’” Miller recalled. “She said, yes, she opposed, and launched into a long spiel as to why she opposed.”

The disclosure bylaws were put in place after a former vice chair, Eric Bauman, was revealed to have taken $12,500 a month from a 2016 campaign opposing an initiative that would have capped prescription drug prices. The initiative was no match for the pharmaceutical industry’s massive spending in opposition to it, and the initiative ultimately failed. Bauman later became party chair.

Susie Shannon, a Democratic National Committee member who authored the bylaw amendment, says she makes disclosures about her campaign commitments to initiatives even when she isn’t being paid directly. “I disclose in every communication. They say, ‘Thanks so much for doing that,’” she said.

“When somebody’s doing something anti-labor, but not being straightforward about why, and that person is an officer in the party, that’s troubling,” added another delegate, who asked that his name be withheld so he could speak more freely about party operations. “I voted for Alex Rooker. I have no quarrel with Alex Rooker. But this is a scam.”

Proposition 8 is one of several hotly contested measures on the California ballot this fall involving corporate interests. Another, Proposition 10, would repeal the restriction on local governments to design their own rent control programs. The “No” side has received an enormous amount of money from developer interests, including $644,000 from Invitation Homes, a division of private equity giant Blackstone. Invitation Homes is the largest single-family rental owner in the country, with 82,000 properties nationwide, including more than 12,700 in California.

The California Democratic Party will determine its position on all ballot measures at the executive board meeting on Saturday in Oakland. “The Democratic party is at a crossroads — if we want voters to trust us, we must provide the transparency and values of ethical leadership and stand up for workers and patients,” Demyan said. Financial disclosures go a long way toward building that trust.

Neither Gallardo-Rooker nor the California Democratic Party responded to a request for comment.

Top photo: The headquarters of German health care company Fresenius near Frankfurt am Main, Germany, on Feb. 25, 2015.

The post The Dialysis Industry Is Putting Profits Over Patients. A California Democratic Party Official is Quietly Helping Them appeared first on The Intercept.

CVE-2016-9499

Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

CVE-2016-9500

Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

CVE-2017-13091

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified padding in CBC mode that allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13093

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of encrypted IP ciphertext to insert hardware trojans. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13095

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of a license-deny response to a license grant. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13092

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified HDL syntax that allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13096

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of the Rights Block to remove or relax access control. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be vulnerable to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13094

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of the encryption key and insertion of hardware trojans in any IP. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be vulnerable to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13097

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of the Rights Block to remove or relax the license requirement. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be vulnerable to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.
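The seven P1735 entries above share one root cause: the IP body is encrypted in CBC mode with no integrity check, so a decrypting EDA tool leaks whether padding or HDL syntax was valid, and ciphertext, keys and the Rights Block can be altered unnoticed. The following is an added example, not code from the P1735 standard or any EDA vendor: a toy 16-byte Feistel block cipher (an assumption, not AES and not secure, used only so CBC behaviour runs offline) drives an unauthenticated decryptor whose distinct failures are the oracle, beside an encrypt-then-MAC wrapper that rejects any modified envelope with one uniform error before padding or syntax is ever examined. The sample IP and the minimal module-wrapper "parser" are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32

class PaddingError(Exception): pass
class HdlSyntaxError(Exception): pass
class IntegrityError(Exception): pass

# Toy 16-byte block cipher: 4-round Feistel network with HMAC-SHA256 as the
# round function. An assumption for this example; NOT AES and NOT secure.
def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

# Constructed sample IP; the "HDL parser" below only checks the module wrapper.
SAMPLE_IP = b"module top(input a, output y);\n  assign y = ~a;\nendmodule\n"

def check_hdl_syntax(text: bytes) -> None:
    if not (text.startswith(b"module") and text.rstrip().endswith(b"endmodule")):
        raise HdlSyntaxError("HDL parse failed")

def oracle_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Unauthenticated CBC decryptor as the advisories describe: a padding failure
    and an HDL syntax failure are distinguishable, so the tool is the oracle."""
    text = pkcs7_unpad(cbc_decrypt(key, iv, ct))
    check_hdl_syntax(text)
    return text

def seal(enc_key: bytes, mac_key: bytes, ip: bytes, iv=None) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so trojan insertion
    or any other edit of the envelope is detected before decryption starts."""
    iv = os.urandom(BLOCK) if iv is None else iv
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(ip))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("envelope modified")  # one uniform failure
    return oracle_decrypt(enc_key, iv, ct)         # only genuine data gets here

def flip_byte(data: bytes, index: int, delta: int = 0x01) -> bytes:
    out = bytearray(data)
    out[index] ^= delta
    return bytes(out)

def failure_kind(fn, *args) -> str:
    """Name of the exception a decryptor raises, i.e. what a caller can observe."""
    try:
        fn(*args)
        return "ok"
    except (PaddingError, HdlSyntaxError, IntegrityError) as exc:
        return type(exc).__name__
```

Flipping one IV byte corrupts only the first plaintext byte (padding stays valid, syntax breaks), while flipping the last byte of the penultimate ciphertext block corrupts the padding byte; the unauthenticated path reports these differently, the sealed path does not.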

CVE-2016-6563

Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L.

CVE-2016-6565

The Imagely NextGen Gallery plugin for WordPress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of an HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute arbitrary code on the server in some circumstances (dependent on server configuration).

CVE-2016-9484

The generated PHP form code does not properly validate user-supplied folder paths, allowing a remote unauthenticated attacker to perform a path traversal and access arbitrary files on the server. The PHP FormMail Generator website does not use version numbers and is updated continuously. Any PHP form code generated by this website prior to 2016-12-06 may be vulnerable.

CVE-2016-6567

SHDesigns' Resident Download Manager provides firmware update capabilities for Rabbit 2000/3000 CPU boards, which according to the reporter may be used in some industrial control and embedded applications. The Resident Download Manager does not verify that the firmware is authentic before executing code and deploying the firmware to devices. A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device. According to SHDesigns' website, the Resident Download Manager and other Rabbit Tools have been discontinued since June 2011.

CVE-2016-9485

On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. The SecureConnector agent fails to set any permissions on downloaded file objects. This allows a malicious user to take ownership of any of these files and modify them, regardless of where the files are saved. These files are then executed under SYSTEM privileges. A malicious unprivileged user can overwrite these executable files with malicious code before the SecureConnector agent executes them, causing the malicious code to be run under the SYSTEM account.

CVE-2016-9482

Code generated by PHP FormMail Generator may allow a remote unauthenticated user to bypass authentication and access the administrator panel by navigating directly to /admin.php?mod=admin&func=panel.

CVE-2016-9486

On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. By default, these executable files are downloaded to and run from the %TEMP% directory of the currently logged on user, despite the fact that the SecureConnector agent is running as SYSTEM. Aside from the downloaded scripts, the SecureConnector agent runs a batch file with SYSTEM privileges from the temp directory of the currently logged on user. If the naming convention of this script can be derived, which is made possible by placing it in a directory to which the user has read access, it may be possible to overwrite the legitimate batch file with a malicious one before SecureConnector executes it. It is possible to change this directory by setting the configuration property config.script_run_folder.value in the local.properties configuration file on the CounterACT management appliance; however, the batch file which is run does not follow this property.

CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP:

oyag[.]lhzbdvm[.]com
oyag[.]prugskh[.]net
oyag[.]prugskh[.]com

Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Example of a request sent by the client binary:

POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1.1
Host: 114.80.68.223
Connection: Close

An example response from the server could be:

HTTP/1.1 200 OK
{"code": "01", "name": "push_commands", "details": {"server_id": "1", "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}

This binary is reported to be present in the following devices: BLU Studio G, BLU Studio G Plus, BLU Studio 6.0 HD, BLU Studio X, BLU Studio X Plus, BLU Studio C HD, Infinix Hot X507, Infinix Hot 2 X510, Infinix Zero X506, Infinix Zero 2 X509, DOOGEE Voyager 2 DG310, LEAGOO Lead 5, LEAGOO Lead 6, LEAGOO Lead 3i, LEAGOO Lead 2S, LEAGOO Alfa 6, IKU Colorful K45i, Beeline Pro 2, XOLO Cube 5.0.
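Because the debugs binary talks plaintext HTTP, its traffic is visible to a proxy or egress sensor. As an added example (not Ragentek's code nor part of the advisory), the detection logic below runs over constructed proxy log lines in an assumed "time client method url status" format and flags requests to the three hosts named above or to the /pagt/agent path, extracting the message name from the data= query; a second function inspects a response body for the push_commands message. The log lines are constructed; the hosts, path, IP address and response shape come from the advisory text.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the advisory text (defanged there with "[.]").
KNOWN_HOSTS = {"oyag.lhzbdvm.com", "oyag.prugskh.net", "oyag.prugskh.com"}
AGENT_PATH = "/pagt/agent"

# Constructed proxy log lines in an assumed format: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2018-07-13T08:01:02Z 10.10.4.21 POST http://oyag.prugskh.net/pagt/agent?data={"name":"c_regist","details":{"imei":"000000000000000"}} 200
2018-07-13T08:01:05Z 10.10.4.21 GET http://example.com/index.html 200
2018-07-13T08:02:10Z 10.10.4.33 POST http://114.80.68.223/pagt/agent?data={"name":"c_heartbeat","details":{}} 200
"""

# Response body shaped like the advisory's example (a constructed copy).
SAMPLE_RESPONSE = ('{"code": "01", "name": "push_commands", "details": {"server_id": "1", '
                   '"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}')


def inspect_request(line: str) -> Optional[dict]:
    """Return an alert dict for a log line that matches the debugs beacon, else None."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known C2 host")
    if parts.path == AGENT_PATH:
        reasons.append("debugs agent path")
    if not reasons:
        return None
    # The beacon carries its JSON message unencoded in the data= query parameter.
    message = None
    if parts.query.startswith("data="):
        try:
            message = json.loads(parts.query[len("data="):]).get("name")
        except ValueError:
            message = None
    return {"time": ts, "client": client, "host": host, "message": message, "reasons": reasons}


def inspect_response(body: str) -> Optional[dict]:
    """Flag a server response that pushes shell commands to the device."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("name") != "push_commands":
        return None
    details = msg.get("details") or {}
    return {"commands": details.get("commands"), "title": details.get("title")}


def scan_log(text: str) -> list:
    """Run inspect_request over every non-empty line and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = inspect_request(line)
            if alert:
                alerts.append(alert)
    return alerts
```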

CVE-2016-9487

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

CVE-2016-6578

CodeLathe FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

CVE-2016-9489

In ManageEngine Applications Manager 12 and 13, an authenticated user is able to alter all of their own properties, including their own group, i.e., changing their group to one with higher privileges such as "ADMIN". A user is also able to change properties of another user, e.g., change another user's password.

CVE-2016-6566

The valueAsString parameter inside the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter of the Sungard eTRAKiT3 software version 3.2.1.17 is not properly validated. An unauthenticated remote attacker may be able to modify the POST request and insert a SQL query which may then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.

CVE-2016-9491

ManageEngine Applications Manager 12 and 13 allows an authenticated user who is able to access the /register.do page (most likely limited to administrators) to browse the filesystem and read system files, including the Applications Manager configuration, stored private keys, etc. By default, Applications Manager runs with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

CVE-2016-9483

The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.

CVE-2016-9492

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CVE-2016-9494

Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, are potentially vulnerable to improper input validation. The device's advanced status web page that is linked to from the basic status web page does not appear to properly parse malformed GET requests. This may lead to a denial of service.

CVE-2016-9498

ManageEngine Applications Manager 12 and 13 allows unserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating system. As Applications Manager's RMI registry runs with the privileges of the system administrator, by exploiting this vulnerability an attacker gains the highest privileges on the underlying operating system.

CVE-2016-9496

Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, lack authentication. An unauthenticated user may send an HTTP GET request to http://[ip]/com/gatewayreset or http://[ip]/cgi/reboot.bin to cause the modem to reboot.

CVE-2016-9493

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
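The CVE-2016-9492 and CVE-2016-9493 entries describe the same mechanism: the generated form.lib.php checks the upload's extension against a hard-coded list of dangerous extensions, so any PHP variant missing from the list is accepted, and a short random suffix is the only thing standing between the attacker and the stored file. As an added example (not the generator's code), the denylist pattern is shown beside an allowlist check that normalizes case, inspects every extension in the name and stores the file under a server-chosen random name. The denylist contents are constructed for illustration, not the generator's actual list.

```python
import re
import secrets

# Constructed denylist illustrating the pattern in the advisory: it names a
# few PHP extensions but not every variant a web server may execute.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "exe", "sh", "pl", "cgi"}

# Allowlist approach: only formats the form actually needs to accept.
SAFE_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}


def denylist_allows(filename: str) -> bool:
    """Vulnerable pattern: reject only when the final extension is on the denylist.
    Misses variants not on the list and is case-sensitive."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DANGEROUS_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened pattern: every dotted component after the base name must be on
    the allowlist, compared case-insensitively, so "x.pdf.php" and "SHELL.PHP"
    are both rejected. Names with no extension or empty components are rejected."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False
    return all(part in SAFE_EXTENSIONS for part in parts[1:])


def storage_name(filename: str) -> str:
    """Server-chosen storage name: a random token plus the allowlisted extension.
    Unlike appending a short suffix to the user's name, nothing of the original
    name survives, so the stored path cannot be guessed from the upload."""
    if not allowlist_allows(filename):
        raise ValueError("rejected upload: %r" % filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    return "%s.%s" % (secrets.token_hex(16), ext)


STORAGE_NAME_RE = re.compile(r"^[0-9a-f]{32}\.[a-z]+$")
```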

CVE-2016-9495

Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, use hard-coded credentials. Access to the device's default telnet port (23) can be obtained using one of a few default credentials shared among all devices.

CVE-2016-9497

Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, are vulnerable to an authentication bypass using an alternate path or channel. By default, port 1953 is accessible via telnet and does not require authentication. An unauthenticated remote user can access many administrative commands via this interface, including rebooting the modem.

CVE-2016-6543

A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CVE-2016-6545

Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password.

CVE-2016-6553

Nuuo NT-4040 Titan, firmware NT-4040_01.07.0000.0015_1120, uses non-random default credentials of: admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device.

CVE-2016-6554

Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access to a vulnerable device.

CVE-2016-6557

In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

CVE-2016-6542

The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address.

CVE-2016-6558

A command injection vulnerability exists in apply.cgi in the web interface of the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided in action_script does not match one of the hard-coded options, it is executed as the argument of either a system() or an eval() call, allowing arbitrary commands to be executed.

CVE-2016-6546

The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

CVE-2016-6559

Improper bounds checking of the obuf variable in the link_ntoa() function in linkaddr.c of the BSD libc library may allow an attacker to read or write from memory. The full impact and severity depends on the method of exploit and how the library is used by applications. According to analysis by FreeBSD developers, it is very unlikely that applications exist that utilize link_ntoa() in an exploitable manner, and the CERT/CC is not aware of any proof of concept. A blog post describes the functionality of link_ntoa() and points out that none of the base utilities use this function in an exploitable manner. For more information, please see FreeBSD Security Advisory SA-16:37.

CVE-2016-6551

Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, use non-random default credentials of: ftp:ftp or intellian:12345678. A remote network attacker can gain elevated access to a vulnerable device.

CVE-2016-6562

On iOS and Android devices, the ShoreTel Mobility Client app version 9.1.3.109 fails to properly validate SSL certificates provided by HTTPS connections, which means that an attacker in the position to perform MITM attacks may be able to obtain sensitive account information such as login credentials.

CVE-2016-6548

The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS. These requests contain the user's authenticated session token in the URL. An attacker can capture these requests and reuse the session token to gain full access to the user's account.

CVE-2016-6544

getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

PirateBay Like Best Torrent Sites — Free Movie Download Websites

There's no doubt that PirateBay (TPB) is one of the world's most famous and widely used torrent download website, but it has again been caught mining cryptocurrency by using its visitors' CPU processing power. This is the second time when The Pirate Bay has been caught mining digital coins. In September last year, PirateBay was found quietly running CoinHive JavaScript code to mine Monero

CVE-2018-10631

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programmer, all versions, and 8870 N'Vision removable Application Card, all versions. The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to bypass protection mechanisms, this malicious code will be run when the card is inserted into an 8840 Clinician Programmer.

Russians indicted over US election hack

bbc.co.uk - The US justice department has indicted 12 Russian intelligence officers for hacking the Democratic National Committee in the 2016 election. Deputy Attorney General Rod Rosenstein said the dozen accus…


Tweeted by @AnnaAnnaou https://twitter.com/AnnaAnnaou/status/1017848883936886784

A Swing-State Election Vendor Repeatedly Denied Being Hacked by Russians. The New Mueller Indictment Says Otherwise.

Shortly before the 2016 presidential election, Russian military hackers tried to trick employees of VR Systems, a Florida-based e-voting vendor, into downloading computer-hijacking malware, according to a top-secret NSA report published by The Intercept last year. As recently as last month, the company denied any breach had occurred. But, in fact, the hacking attempt worked, judging from an indictment of 12 Russian military officers prepared by Special Counsel Robert Mueller and handed down by a grand jury today.

Although the indictment doesn’t mention VR by name, referring to the polling and registration software maker as “U.S. Vendor” or “Vendor 1,” the facts laid out in the indictment line up with what was previously known about the 2016 spear-phishing campaign against the company. The indictment alleges that “in or around August 2016, [Russian military officer] KOVALEV and his co-conspirators hacked into the computers of a U.S. vendor (“Vendor 1″) that supplied software used to verify voter registration information for the 2016 U.S. elections.”

Compare that to a section describing VR Systems from the NSA report:

Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.

The indictment continues:

In or around November 2016 and prior to the 2016 U.S. presidential election, KOVALEV and his co-conspirators used an email account designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties.

Compare that once more to the NSA report, which noted that Russian

cyber actors used the vr.systems@gmail.com account to contact U.S. email addresses 1 to 122 associated with named local government organizations.

Today’s indictment further states that “the spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo.” This lines up with documents obtained by The Intercept through a state public records request showing that the hackers used VR Systems’ logo in their attempt to further spread malware to the aforementioned local election officials across the country:

VR Systems has repeatedly denied that it was ever hacked. When I asked VR last month about the NSA’s estimate that at least one employee of the company “likely” had their email account compromised, a company spokesperson replied: “To be clear, there was no ‘hack’ by any standard definition of the word.” The spokesperson added that “VR Systems engaged the services of one of the top cyber security companies in the world and they conducted a full assessment of our systems and determined that our system was not breached as a result of this attempt.” Based on the Department of Justice’s indictment, that is a falsehood.

VR Systems, which sells digital pollbook software used to verify eligible voters, has customers in eight states, including the electoral battlegrounds like North Carolina and Virginia. The company spokesperson did not return a request for comment.

Top photo: A voter casts his primary vote in Hialeah, Fla., on Aug. 30, 2016.

The post A Swing-State Election Vendor Repeatedly Denied Being Hacked by Russians. The New Mueller Indictment Says Otherwise. appeared first on The Intercept.

CIPL Hosts Special Executive Retreat with APPA Privacy Commissioners on Accountable AI

During the week of June 25, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted its annual executive retreat in San Francisco, California. The annual event consisted of a closed pre-retreat session for CIPL members, a CIPL Panel at the APPA Forum Open session followed by a CIPL reception and dinner and a special all day workshop with data protection commissioner members of the Asia Pacific Privacy Authorities (“APPA”) on Accountable AI.

CIPL Pre-Retreat Closed Session

On June 25, 2018, CIPL hosted a closed pre-retreat session for members on global privacy developments at Hunton Andrews Kurth’s San Francisco office. The session consisted of a discussion of current EU General Data Protection Regulation (“GDPR”) implementation, compliance and enforcement issues, the impact of the GDPR on global organizational privacy management programs and the interrelation between the GDPR and ePrivacy. This was followed by a discussion of emerging new privacy laws in Latin America and India, the growth of the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors systems, and developments in EU adequacy negotiations.

CIPL Panel at APPA Forum Open Session

On June 26, 2018, CIPL held a panel on Accountable and Interoperable Cross-border Data Flows as part of the 49th APPA Forum Open Session. The panel discussed the many requirements organizations have to contend with when transferring data across borders, the latest updates to the APEC CBPR system and the recently introduced U.S. Clarifying Lawful Overseas Use of Data Act. Data as a driver of innovation and the need for its ability to flow across jurisdictions was also discussed.

CIPL Special Executive Retreat Workshop on Accountable AI

On June 27, 2018, CIPL hosted a full day workshop on accountable AI at Google’s offices in San Francisco. Data protection commissioner members of APPA attended and participated in the day-long event. The workshop marked the third major event to date in CIPL’s Project on Artificial Intelligence and Data Protection: Delivering Sustainable AI Accountability in Practice.

The workshop included several keynote addresses on AI from leading technologists and data scientists, followed by three panel sessions on current uses of AI in the public and private sectors, the key data protection challenges and risks associated with AI and the elements of accountable AI. Over 100 invited guests attended the session, including CIPL members, data privacy regulators from around the globe, business and technology leaders and academics.

The workshop commenced with leading AI technology experts and engineers from Intel, Google, Accenture and Microsoft sharing their industry insights and experiences on the growing array of current applications of AI as well as the trajectory of AI’s role in society going forward. A discussion of the technical aspects of AI, including the black box concept and neural nets, and their impact on data protection principles followed.

The second panel featured short presentations from data protection regulators on their current initiatives surrounding AI and on the wide variety of challenges that organizations will face as both AI technologies and privacy frameworks and regulations develop. Following presentations from the UK Information Commissioner’s Office, Japan Personal Information Protection Commission, Singapore Personal Data Protection Commission and the Office of the Privacy Commissioner for Personal Data, Hong Kong, regulators and experts from industry further discussed the challenges and risks associated with AI both universally and in specific jurisdictions.

The final panel of the day featured a discussion on the elements of accountable AI and potential solutions for enabling responsible data use for AI applications. Top privacy executives from leading CIPL member companies discussed their organizations’ current initiatives for delivering accountability in the AI context and also some of the key issues that organizations are working on, including transparency and the role of the user and accountability.

CIPL’s AI project aims to provide a more nuanced and detailed understanding of the opportunities presented by AI, potential misalignment with data protection laws and practical ways to address the issues through the lens of organizational accountability. For more details about the project, please see the project workplan.

Microsoft Notepad For Windows Gets Its First Major Update In Years

Microsoft to update Windows Notepad App, includes the Ability to Zoom

Notepad, a simple text editor for Microsoft Windows and a basic text-editing program, has got its first major update in years.

For those unaware, Notepad was first released as a mouse-based MS-DOS program in 1983, and has been included in all versions of Microsoft Windows since Windows 1.0 in 1985. It can be used as a digital diary to write notes, create documents, write HTML codes, etc.

Microsoft has tried to meet the needs of its users by updating Notepad with a bunch of new features. The upgrade will be useful for users who use Notepad for development, logs, or simple text manipulation.

The new Notepad features will allow users not only to change font sizes on screen, but also to zoom into the text for easier reading simply by holding the Ctrl key and pressing the + or – keys. It will also add a feature that allows users to delete the previous word with Ctrl + Backspace.

Besides these, Microsoft has also made some improvements to the find and replace experience in Notepad, including adding a wrap-around option to the find/replace dialog.

“A long outstanding request has been to add the ability to display line and column numbers when word-wrap is enabled,” the company added.

“This is now possible in Notepad and we’ve made the status bar visible by default. You can still turn the status bar off in the View menu.”

There are a few other fixes as well, such as improved performance when opening large files, and the arrow keys now correctly unselect text first and then move the cursor. Further, while saving a file in Notepad, the line and column number no longer reset to 1. Also, Notepad now correctly displays lines that don’t fit entirely on the screen.

The new Notepad features are part of the Windows update that is currently codenamed Redstone 5. It has already been released to Windows Insiders in the Fast ring in the form of Windows 10 Insider Preview Build 17713, who can now go ahead and download the latest build to experience the new Notepad app for Windows. However, the remaining users will have to wait for Redstone 5 to be released later this year.

Besides the Notepad updates, Microsoft has also been working on other improvements in Build 17713, which include providing users with new controls over auto-play videos in the Windows 10 web browser Microsoft Edge, speeding up sign-in on Windows 10 Shared PCs, a dictionary function in the Edge PDF reader, strengthening Windows Defender Application Guard, and adding biometrics to Remote Desktop for additional security.

You can read more on what’s new in Build 17713 by clicking here.

The post Microsoft Notepad For Windows Gets Its First Major Update In Years appeared first on TechWorm.

How To Use The IIoT To Immunize Against Critical Infrastructure Hacks

Recent news of Russia hacking U.S. critical infrastructure operators, including energy, nuclear, water, aviation and critical manufacturing facilities, means scary times for facility owners and operators. Industrial Internet of Things’ (IIoT) network connections for energy and utilities increased 41 percent in the last year alone. If all those connections are vulnerable, should facilities avoid adopting new IIoT connections? How do you monitor the IIoT for a Russian hack, or any hack, for that matter?

Just as every immunization contains a harmless dose of a pathogen, the IIoT itself can be used to protect against infrastructure hacks. The administrative tool, as it were in this case, is the monitoring devices that gauge real-time network health and security. Such continuous monitoring acts as a facility’s immune system, ferreting out breaches before they become infections. Here is how critical infrastructure operators can leverage the IIoT to prevent future attacks.

Monitor, Notify, Eradicate

In the U.S., industrial device-to-device connections are expected to top nearly 180 million in 2020. While each and every device and connection represents a possibility for increased efficiency and automation, it also presents potential vulnerabilities. However, the benefits to business operations outweigh the exposure to risk with the right security capabilities in place.

With public utility providers rapidly adopting the IIoT, real-time network monitoring and regularly scheduled security updates are imperative to keeping the public safe from the meddling of malicious entities. Because command and control centers within these facilities can be manipulated to make it seem that systems are running normally when they are not, it’s imperative to use third-party systems with the capacity to remotely monitor and report any type of abnormality in a matter of minutes.

Using the IIoT to Secure Connected Systems

While the IIoT may not be the first line of defense against intruders – rather, that duty belongs to a host of security protocols – the IIoT can help mitigate damage when intruders do manage to break through barriers and affect systems. For example, Bloomberg’s report of recent Russian hacks on U.S. infrastructure notes that one breach affected a nuclear power plant. “While the core of a nuclear generator is heavily protected, a sudden shutdown of the turbine can trigger safety systems,” it notes. “These safety devices are designed to disperse excess heat while the nuclear reaction is halted, but the safety systems themselves may be vulnerable to attack.”

This is precisely the circumstance where the IIoT can step in and assist in keeping systems running and alerting the proper entities when they cease functioning. With advancements in cloud computing power, wifi connectivity, and affordable sensor technologies, the IIoT is increasingly available for businesses to implement continuous diagnostics. With continuous diagnostics, utilities operators have access to a separate system that continually monitors equipment and provides real-time diagnostics. The moment a system goes down, they can know not only that it is down but also have insight into the reason for the down-time.

The Duplicitous Promise of Increased Connectivity

The Internet of Things has forever changed the risk factor of connected systems, yet we can also tap the power of the private sector and its innovation to mitigate the potential for widespread damage. As more companies move their operations to the IIoT, it will be vital for companies to have security measures in place that detect, analyze and provide recommendations on a course of action for both operational and cybersecurity issues.

Saar Yoskovitz, CEO and Co-founder at Augury

Saar Yoskovitz is an avid entrepreneur with extensive experience in Machine Learning, Signal Processing Algorithms and System Architecture. He is the CEO and Co-founder of Augury. Previously, Saar worked as an Analog Architect at Intel. He holds a B.Sc. in Electrical Engineering and a B.Sc. in Physics from the Israel Institute of Technology (Technion). During his studies, Saar initiated a voluntary project called “Select – Students for Technological Advancement,” for which he received Israel’s Council of Higher Education (MALAG) award for social involvement.

Saar Yoskovitz Web Site

The post How To Use The IIoT To Immunize Against Critical Infrastructure Hacks appeared first on Information Security Buzz.

CVE-2018-1000207

MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in the filtering of user parameters before they are passed into the phpthumb class, which can result in the creation of a file with attacker-chosen filename and content. This attack appears to be exploitable via web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.

CVE-2018-1000210

YamlDotNet version 4.3.2 and earlier contains an Insecure Direct Object Reference vulnerability: the default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them, which can result in code execution in the context of the running process. This attack appears to be exploitable when the victim parses a specially crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.

CVE-2018-1000209

Sensu Core (Sensu, Inc.) versions before 1.4.2-3 contain an Insecure Permissions vulnerability in Sensu Core on Windows platforms that can result in unprivileged users executing code in the context of the Sensu service account. This attack appears to be exploitable by an unprivileged user placing an arbitrary DLL in the c:\opt\sensu\embedded\bin directory, abusing standard Windows DLL load order behavior. This vulnerability appears to have been fixed in 1.4.2-3 and later.

CVE-2018-1000211

Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry.

CVE-2018-1000208

MODX Revolution version <=2.6.4 contains a Directory Traversal vulnerability in /core/model/modx/modmanagerrequest.class.php that can result in the removal of files. This attack appears to be exploitable via web request through the security/login processor. This vulnerability appears to have been fixed in pull 13980.

CVE-2018-1000206

JFrog Artifactory versions since 5.11 contain a Cross-Site Request Forgery (CSRF) vulnerability in UI REST endpoints that can result in a classic CSRF attack allowing an attacker to perform actions as the logged-in user. This attack appears to be exploitable if the victim runs a maliciously crafted Flash component. This vulnerability appears to have been fixed in 6.1.

Standing Rock Activist Accused of Firing Gun Registered to FBI Informant Is Sentenced to Nearly Five Years in Prison

Following an emotional hearing in Bismarck, North Dakota, this week, Oglala Lakota Sioux water protector Red Fawn Fallis was sentenced to 57 months in prison on charges stemming from her arrest while opposing the Dakota Access pipeline.

Fallis was arrested in October 2016 when hundreds of law enforcement officers descended on a protest camp in the pipeline’s path to forcibly evict its residents. She was accused of firing three shots from a revolver underneath her stomach after being tackled by several officers and pinned face down in a ditch alongside the highway.

As The Intercept first reported last year, the gun Fallis was accused of firing belonged to an FBI informant named Heath Harmon who had developed a romantic relationship with Fallis in the weeks leading up to her arrest. Harmon told state and federal investigators that he met Fallis at the water protectors’ Rosebud Camp after being tasked by the FBI with serving as an “observer” of the protest movement. He said he had been recruited by his brother, Chad Harmon, a Bureau of Indian Affairs police officer.

Chad Harmon was subsequently appointed by the BIA to serve as acting chief of police of the Standing Rock Sioux Tribe, a position he held from January to April 2018, BIA spokesperson Nedra Darling confirmed in a statement to The Intercept.

Fallis’s arrest occurred on land that would still belong to the Great Sioux Nation had the U.S. government honored the Fort Laramie treaties of 1851 and 1868. In January, after U.S. District Judge Daniel Hovland rejected attempts by Fallis’s defense team to make treaty rights and the sprawling intelligence apparatus targeting pipeline opponents central to her case, Fallis pleaded guilty to felony counts of civil disorder and possession of a firearm by a convicted felon. As part of the plea bargain, prosecutors dropped the most serious charge against her — discharge of a firearm in relation to a felony crime of violence — which could have carried a life sentence.

University of Colorado professor Glenn Morris, a founder of the Colorado chapter of the American Indian Movement who regards Fallis as a niece, told The Intercept that her prison sentence could not be understood apart from a long history of U.S. colonization and the vastly disproportionate violence directed against Indigenous women. “They can bring thousands of guns to stolen treaty territory, and they have the audacity to charge this Native woman who is trying to protect her territory, her land, and the sanctity of her traditions with a crime of violence,” said Morris, who testified in support of Fallis at Wednesday’s hearing.

Morris and Fallis’s sister, Red Dawn Foster, both spoke of Fallis’s generous spirit and her contributions to the camps at Standing Rock and her community in Denver. University of Colorado integrative physiology professor Roger Enoka also testified that a phenomenon called “reactive grip response” can lead to accidental discharge of a firearm during a rapidly unfolding traumatic situation.

Hovland declined to consider Fallis’s intent as part of his ruling. “I’m not going to go down that path, try to determine what Ms. Fallis’s intent was when that firearm was discharged,” he said. The judge noted that he had the discretion to sentence Fallis to a lengthier prison term under the statutes in question, characterizing her nearly five-year sentence as “sufficient to the goals of sentencing and not greater than necessary.” Prosecutors had recommended a seven-year sentence, while Fallis’s defense attorneys had asked for 24 to 30 months.

Hovland said he would recommend Fallis be placed in a federal prison in Phoenix or Tucson. She will receive credit for nearly 18 months of time served. Following her release from prison, currently marked for late 2021, she will be subject to three years’ supervised release.

During brief remarks at the conclusion of the hearing, Fallis said her relationship with Harmon had been an unfortunate influence, and poor choices had hindered her decision-making, according to Frances Madeson, communications coordinator for the Water Protector Legal Collective. Fallis took responsibility for the revolver in her possession and expressed remorse for any danger caused to police officers and other community members. She told the courtroom that she would devote some of her remaining time in prison to developing a project called Keepers of the Wisdom, focused on building relationships between Indigenous elders and youth.

Fallis is the second NoDAPL water protector arrested during the police raid on October 27, 2016, to be sentenced to a multiyear prison term. On May 30, Chumash water protector Michael “Little Feather” Giron was sentenced to three years in prison on a federal charge of civil disorder. Oglala Lakota Sioux water protector Michael “Rattler” Markus has pleaded guilty to the same charge in exchange for prosecutors dropping other federal felony counts. His sentencing hearing is scheduled for September.

Glenn Morris sees Fallis’s case as part of a larger Indigenous-led struggle for self-determination and protection of the earth. “This case and this issue is not about her solely,” he said. “What happened at Standing Rock was an inspiration to Indigenous people from around the world. We’re seeing that continuing up in British Columbia with the Trans Mountain pipeline, or the plans to resist the extension of Keystone XL this next year, or the resistance at Ojibwe territory with Line 3.”

Top photo: Red Fawn Fallis waves a flag symbolizing the American Indian Movement at Standing Rock on Aug. 20, 2016.

The post Standing Rock Activist Accused of Firing Gun Registered to FBI Informant Is Sentenced to Nearly Five Years in Prison appeared first on The Intercept.

CVE-2018-10098

In MicroWorld eScan Internet Security Suite (ISS) for Business 14.0.1400.2029, the driver econceal.sys allows a non-privileged user to send a 0x830020E0 IOCTL request to \\.\econceal to cause a denial of service (BSOD).

CVE-2018-7535

An issue was discovered in TotalAV v4.1.7. An unprivileged user could modify or overwrite all of the product's files because of weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges or obtain maximum control over the product.

CVE-2018-1255

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contain a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

CVE-2018-1245

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contain an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.

IOCs and Artifacts

resources.infosecinstitute.com - Unusual behavior of information technology assets within an organization may be a hint that the organization is undergoing a cyberattack. Threat-hunting teams will often assess the environment for co…

Tweeted by @Myinfosecfeed https://twitter.com/Myinfosecfeed/status/1017816597870862336

How to Get Paid for Proposals

Proposals are one of the most expensive things you will spend your time on in a small business (or a large business, for that matter). You not only spend tons of time discovering and understanding what the client needs, but you also spend countless hours (often late at night) putting the proposal together, polishing it, tweaking the numbers and creating a whiz-bang presentation to accompany the proposal.

All of that for free, and often for nothing.

I’m very much against charging by the hour, but in this case calculating your effective hourly rate is a good exercise:

Let’s say that you recently landed a project and you’re going to make $10,000 from it. You’re going to spend 50 hours delivering the project, so you’re earning $200 per hour (this is your billable rate). Easy calculation. But when you figure in the time that you spent on putting the proposal together – let’s say another 20 hours – you’re only generating around $142 per hour, or a 25% drop in your effective hourly rate. Add in the other non-billable time you spent with the client and you’re easily pushing your effective hourly rate – for that project – down below 50% of your billable rate.

Pushing your effective hourly rate down is of course not the only bad thing that happens.

It breaks my heart

You put your heart and soul into understanding what the client really needs, give them the benefit of your experience to make sure they don’t fall into traps and put a lot of thought and effort into how you can help them solve their business problem. You’re invested – both in time and in emotional energy.

So when they turn you down, there’s a double whammy. You’ve just done a lot of work for nothing and you’ve just had your emotional investment kicked in the face (or that’s how it feels, at least at first). That hurts – especially when you’re new to the game. Over time you learn that opportunities come and go and you get less emotionally invested, but each time a proposal doesn’t hit the mark you take an emotional hit.

But what if there’s a better way? What if you could actually get paid for your proposals? And have your client like it that way?

There is a way to do this, and it starts with understanding the value of the proposal.

Proposals are valuable

By the time a client asks you to put together a proposal, you’ve already been dancing for a while. You’ve had some initial meetings, a couple of discovery sessions and they like what they see.

Now they ask you to do a proposal, and you’re going to have to spend more time with them. You need to make sure you understand exactly what they need, how much you can get done within their budget, what takes priority and where the skeletons are. You’re going to apply your expertise to dig into details, find out what else needs fixing and so on; the point is you’re going to spend more time with them.

Then you head off to your cave, put together the proposal and present it to them. And they say thanks, great work, we’ll get back to you. So far so good.

How much value did your potential client get from this proposal development process? The answer is: a lot.

They’ve just had an expert analyse their problem, dig into the details and tell them what they need to do to solve the problem. They now understand their problem a lot better and know what needs to be done to fix it (even if they don’t have the expertise to do it themselves). And of course you may not be the only one submitting a proposal, so the client has received a lot of valuable advice – from multiple experts.

And you gave it to them for free.

Doctors charge for “proposals”

Think about it this way: when you go to a doctor with a complaint, they will diagnose you, maybe run some tests, make some recommendations and perhaps prescribe some medicine. Then they’re going to ask you to come in for an extended treatment or checkup to see if things have improved. And you’re happy to pay for this initial consultation.

When you develop a proposal for a client, you’re effectively doing what a doctor does in an initial consultation. You’re listening to the “patient”, running some tests to find out if there’s a deeper cause for the problem, and applying your expertise to recommend a way to get rid of the problem.

You’ve provided a lot of value, but you’re willing to give it away for free because that’s the way your industry usually works. Doctors don’t work like this; they charge for the “proposal” phase of their work with you.

The first key in moving from free to paid proposals is to understand that your proposal is tremendously valuable to your client. 

But you need to present it to them as something valuable; and you need to deliver that value. The way to do that is to provide a roadmap.

The differences between a proposal and a roadmap

A proposal is usually a document that defines a scope of work, the number of hours required to do it and a price. If you’ve been at this for a while you will know that you need to base the proposal on the client’s ROI (Return On Investment) – what they get in return for their investment in your services.

A roadmap is also a document, but in this case the document clearly spells out what the client will need to do (or get done first), second and so on. A roadmap sometimes includes a timeline to help the client understand how long the whole process could take. Again, justifying the business case is critical to help the client make the right decision.

A roadmap is the output of one or more roadmap sessions. A roadmap session is like a discovery session, but includes co-development of the roadmap.

If you’re familiar with project planning, you will already have noticed that a roadmap is a high-level project plan.

But there are more differences between a proposal and a roadmap:

A difference in process

When you follow the proposal route of getting work, your engagement with the client looks something like this:

  • initial meeting to see if there’s a fit (make sure you can help them);
  • a series of meetings to discover what they really need;
  • crafting the proposal;
  • (if you’re experienced) working with the client on the draft proposal to make sure you’re hitting the mark;
  • presenting the final proposal to them; and
  • hoping for the best.

When you use the roadmap route, the engagement looks a little different:

  • initial meeting to see if there’s a fit (can you help them);
  • present the roadmap option (standard for each client); and
  • hope for the best.

A difference in what they get

Your client can do only one thing with a proposal: say yes or no (or haggle a bit). A roadmap is something they can use, on their own, with you or with someone else:

  • A proposal effectively says “here’s the stuff I will do for you”. A smart proposal says “here’s how I will solve your problem and here’s the ROI”.
  • A roadmap says “here’s where you need to get to, here’s the road you need to follow and here are the stops along the way. You can use this roadmap on your own, with me or with someone else.”

A difference in the size of the commitment

Saying yes to a proposal is a big step, because it usually requires the client to make a big financial investment. The risk for the client is high and their objections will reflect that.

Saying yes to a roadmap exercise is a much smaller commitment. My roadmap sessions typically run for half a day (usually with a couple of hours before and after) and therefore cost a lot less. Much easier for the client to say yes to this much smaller investment.

A difference in how they perceive your expertise

When you present a roadmap option you are clearly placing yourself in charge of the situation. You know exactly how you’re going to go about building the roadmap, you have a defined process and the confidence to present this as the right option for the client. (This is why the client is hiring you in the first place: you are the expert, you know how this should be done and you know exactly how to go about doing it.)

When you present a proposal, you are to some extent asking the client to approve not just the expenditure, but also to make a judgment on whether this is the right thing to do. You’ve given up some control of your expertise.

A difference in the amount of time involved

The proposal route is a big investment (in time) for you and for your client. It is not uncommon to spend tens or even hundreds of hours on discovery meetings, user requirements analysis and proposal polishing for a large contract. A roadmap approach, on the other hand, is a lot smaller investment for you and for your client. You’ve spent maybe two or three hours with the client and then it’s up to them to decide.

(There are more differences, for example the idea that a roadmap is a collaborative exercise versus a proposal which is something you give to the client, but I think you get the point.)

Roadmaps don’t contain pricing

None of my roadmaps contain pricing. The whole idea is that the client can use the roadmap now, later, on their own, with me or with someone else – so I don’t want them to confuse the roadmap with a proposal. Where appropriate, I will send a proposal for some or all of the work in the roadmap; the proposal can be very short because the heavy lifting has already been done in the roadmap.

So how do you move from (free) proposals to (paid) roadmaps?

To get a client to pay for a roadmap, you have to deliver value. That value comes from three places:

  • the roadmap itself: the output of the roadmap session(s) – a tool the client can use;
  • the process you will use to create the roadmap: this is where your expertise has to shine; you must know exactly how you’re going to go about creating the roadmap; what happens before, during and after the roadmap session(s); what the output will look like, and how you’re going to get the client to co-develop the roadmap;
  • your confidence: you have to be confident that this is the right thing to do, the right way to do it and that it delivers substantial value to your client.

This is not an easy road by any means, but there is a way to build up to it:

  • Start by taking proposals you’ve done in the past and turning them into roadmaps. Can you make them look like high-level project plans? Can the work be clearly grouped into relatively small chunks where each chunk builds on the previous one? Is there value from each chunk of work?
  • Define your process for creating a roadmap. Before you head into a roadmap session, there’s likely some pre-work that you need to do, for example running an analysis on their website (if that’s part of the problem) or doing an analysis of their business using something like the Tornado Method. Then define what the output would typically look like, and what you need to do during a roadmap session to get there. Then define what happens after the session. Turn it all into a collection of checklists.
  • Trial and refine your process. Find a friend or a willing client to be your first roadmap client. Follow your process and make sure you make notes of what’s working and what needs to be improved. Refine your process and repeat the exercise. Each time you do it you will gain more confidence.

Remember that a roadmap is a short, low-cost exercise and therefore relatively easy to sell to potential clients. You have to stress that the exercise delivers a roadmap that they can then use themselves, with you or with someone else; and you will follow up with a proposal if and when they’re ready for it.

A roadmap gives your client clarity on their problem and what they need to do to solve it. They may not have the expertise to do it themselves (that’s where you will eventually earn your keep), but just the process of building the roadmap provides them with peace of mind and builds trust that you can solve the problem for them.

Finally, a roadmap educates your client. They will understand that there is a well-defined process for solving the problem, the sequence in which the work needs to be done and what they get out of each part. An educated client is collaborative, engaged and enthusiastic; your expertise just helps them solve a problem.

What you can do now

It took me about two years to move from free proposals to paid roadmaps. You can get there a lot faster because you can tap into articles like this and a growing awareness amongst professionals that even proposals are highly valuable.

I will be releasing a step-by-step guide on how to move from free proposals to paid roadmaps in the near future. To get notified when this is released, sign up for my newsletter here – you will get access to more articles like this, I promise I won’t spam you and you can unsubscribe at any time.

And if you have questions or comments, please drop me a note!

US indicts 12 Russian intel officers for hacking Democrats in 2016

Special counsel Robert Mueller and his team have obtained an indictment of 12 Russian intelligence officers for hacking Democrats in the lead-up to the 2016 presidential election. The officers are accused of digitally infiltrating the Democratic National Committee and Hillary Clinton's campaign, stealing information on 500,000 US voters, and releasing emails with the express purpose of influencing the election.

Via: CNBC

Source: Indictment: United States of America vs. Defendants | DOJ

Microsoft Windows POP/MOV SS Local Privilege Elevation

This Metasploit module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS. This Metasploit module will upload the pre-compiled exploit and use it to execute the final payload in order to gain remote code execution.

Security Analysts Are Overworked, Understaffed and Overwhelmed — Here’s How AI Can Help

Times are tough for security analysts. In addition to the growing industrywide talent shortage, the threat landscape is expanding in both volume and sophistication — and security teams lack the resources they need to keep up.

To some extent, static processes — such as vulnerability assessments, firewalls and activity monitoring — can help organizations determine who is accessing enterprise data, identify vulnerabilities and detect risky behavior.

However, these systems can’t think on their own or react to deviations or unexpected circumstances. The threat landscape is simply too dynamic, and cybercriminal tactics evolve too quickly for programmatic processes to keep up.

Is AI the Answer to Common Security Pain Points?

How can security teams gain ground in this never-ending race against malicious actors? One solution is to adopt tools that learn, adapt and proactively detect threats — even in a rapidly changing environment.

Let’s take a look at some common pain points for analysts and explore how artificial intelligence (AI) can help shed light on the many frightening unknowns of cybersecurity.

Too Many Alerts, Too Little Time

Today’s largest enterprise networks can generate billions of events per day from a wide range of data sources, including security devices, network appliances, mobile applications and more. The staggering volume of alerts strains security analysts and diminishes the speed and accuracy with which they can process threat data.

Limited Budgets Lead to Limited Talent

According to a recent survey, 66 percent of information security professionals believe there aren’t enough qualified analysts in the field to handle the increasing volume of security threats. In addition, many organizations have limited budgets, restricting security teams from hiring the talent they need to protect their networks. AI-powered tools can automate security processes and perform complex tasks, freeing overworked analysts to focus on more pressing matters.

The Problem of False Positives

A security analyst typically investigates 20–25 incidents every day. This investigation entails gathering information from local logs, correlating indicators of compromise (IoCs) with threat intelligence feeds and conducting outside research for additional context. This process is extremely time-consuming and leads to false-positive rates as high as 70 percent.

Not Enough Hours in the Day

Time is a critical resource for security analysts, who must determine whether to escalate an alert or write it off as a false positive in under 20 minutes. Due to the around-the-clock nature of incident response, security teams should invest in machine learning tools that can filter out the noise and present reliable analysis with speed and scale.

Keeping Up With Cybercriminal Innovation

Attackers are innovating every day, and evasion techniques are becoming increasingly sophisticated — making it harder and harder for security teams to identify potential threats. AI can detect these threats more reliably and learn from features that most human analysts would miss.

Sampling of security incidents by attack type, time and impact, 2015 through 2017

Untapped, Unstructured Data

Many security teams are letting a big chunk of valuable intelligence go to waste. On average, 80 percent of the unstructured, human-generated knowledge found in security blogs, news articles, research papers and more is invisible to traditional systems. AI-based systems can curate this wealth of information, extract crucial threat data and tie it to IoCs found in the network.

A universe of security knowledge, dark to your defenses

Take the Pressure Off Security Analysts

Today’s threat landscape is as volatile as ever, and the ongoing battle between malicious actors and cyberdefenders will only intensify as attack tactics evolve. While there’s no end in sight, AI and machine learning can help level the playing field.

By investing in tools that automatically ingest and prioritize threat intelligence — including unstructured data — and proactively identifying new cybercrime patterns, security leaders can take some of the pressure off their human analysts and free them to focus on day-to-day incident response and bigger-picture defense strategies.

The post Security Analysts Are Overworked, Understaffed and Overwhelmed — Here’s How AI Can Help appeared first on Security Intelligence.

GNU Privacy Guard 2.2.9

GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions.


CVE-2017-1367

IBM Security Identity Governance and Intelligence Virtual Appliance 5.2 through 5.2.3.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 126860.

CVE-2018-14047

** DISPUTED ** An issue has been found in PNGwriter 0.7.0. It is a SEGV in pngwriter::readfromfile in pngwriter.cc. NOTE: there is a "Warning: PNGwriter was never designed for reading untrusted files with it. Do NOT use this in sensitive environments, especially DO NOT read PNGs from unknown sources with it!" statement in the master/README.md file.

CVE-2018-9070

For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.

CVE-2018-9067

The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEIs.

CVE-2017-1395

IBM Security Identity Governance and Intelligence Virtual Appliance 5.2 through 5.2.3.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 127341.

Chrome users get Site Isolation by default to ward off Spectre attacks

Site Isolation, the optional security feature added to Chrome 63 late last year to serve as protection against Spectre information disclosure attacks, has been enabled by default for all desktop Chrome users who upgraded to Chrome 67.

How Site Isolation mitigates risk of Spectre attacks

“In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. …

The post Chrome users get Site Isolation by default to ward off Spectre attacks appeared first on Help Net Security.

Total AV 4.6.19 Insecure Permissions

A vulnerability allows local attackers to escalate privilege on TotalAV versions 4.1.7 through 4.6.19 because of weak "C:\Program Files\TotalAV" permissions. The specific flaw exists within the access control that is set and modified during the installation of the product. The product sets weak access control restrictions. An attacker can leverage this vulnerability to execute arbitrary code under the context of Administrator, the IUSR account, or SYSTEM.

Packet Storm