
Cybersecurity Industry News - 2022

Stories and headlines collected from across the cybersecurity industry related to legislation, business, and big tech.


November

CISA funds expanding access to cybersecurity programs at HBCUs, K-12 schools

PUBLISHED: November 1, 2022

Black communities across the U.S. are increasingly being targeted with an array of scams, attacks and disinformation campaigns, prompting several efforts to kick into high gear to address the issue. 

One effort from workforce development organization CYBER.ORG is looking to kill two birds with one stone through an initiative called Project Reach – a feeder program created to recruit K-12 students to pursue undergraduate cybersecurity degrees and bolster the U.S. cybersecurity workforce.

With the help of funding from the Cybersecurity and Infrastructure Security Agency (CISA), the program was built to address the more than 760,000 cybersecurity positions currently open and increase awareness about cybersecurity issues more generally. 

Project Reach initially started last year with a National Security Agency-funded pilot at Grambling State University. Cybersecurity lessons were integrated into the curricula at three high schools in Louisiana including Woodlawn High School, Huntington High School and Southwood High School. 

The goal was to raise students’ foundational and technical skills in cybersecurity, according to Corisma Akins, cyber education specialist at CYBER.ORG, who added that another goal was to increase interest in Grambling State University’s cybersecurity program.

“As more Black students are exposed to cybersecurity or computer science as a profession and decide to pursue that career, the diversity gap within the industry will shrink. Black cybersecurity professionals will then be able to help their family, friends and neighbors become better equipped to prevent hackers and disinformation campaigns from targeting their communities.”

Source:

CISA funds expanding access to cybersecurity programs at HBCUs, K-12 schools | The Record by Recorded Future

June

Bluetooth Signals Can Be Used to Track Smartphones, Say Researchers

PUBLISHED: June 13, 2022

Researchers warn that Bluetooth signals can be used to track device owners by fingerprinting the radio signal, which is unique to each device. The technique was described in a paper presented at the IEEE Security and Privacy conference last month by researchers at the University of California San Diego. The paper suggests that minor manufacturing imperfections in hardware are unique to each device and cause measurable distortions that can be used as a “fingerprint to track a specific device”.

“To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals,” said researchers in a paper titled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices.”

Gadgets such as smartwatches, fitness trackers, and smartphones transmit signals called Bluetooth beacons at an average rate of 500 beacons per minute. These constantly transmitted signals enable lost-device tracking and COVID-19 tracing apps. The critical insight from the researchers is that Bluetooth can also be used for tracking “in a highly accurate way”, as with the previously known wireless fingerprints used to track Wi-Fi and other wireless technologies.

“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,” wrote co-author Nishant Bhaskar, a Ph.D. student at UC San Diego.

Source:

Bluetooth Signals Can Be Used to Track Smartphones, Say Researchers | Threatpost

April

CISA names former DNC official as a senior advisor

PUBLISHED: April 25, 2022

The Cybersecurity and Infrastructure Security Agency announced Monday that Bob Lord, a digital security veteran, would join the organization as a senior technical advisor. Lord previously served as the Democratic National Committee’s first chief information security officer from 2018 to 2021. He is widely credited with rebuilding the organization’s online defenses after hackers infiltrated the DNC during the 2016 presidential election in a breach that U.S. intelligence officials blamed on Russia.

“Bob’s decades of experience and unparalleled expertise will be a great asset as we further strengthen our community partnerships, expand the Joint Cyber Defense Collaborative, and continue our work as the nation’s cyber defense agency to make us more resilient,” CISA Director Jen Easterly said in a statement. “Bob and I share both a passion for helping Americans stay safe online and a dedication to raising the cybersecurity baseline across the nation. I’m super excited for the creativity he’ll bring to the team,” she added.

“As we face a pivotal moment in time for cybersecurity, I’m thrilled to contribute my experience to support CISA’s efforts to reduce risk to critical infrastructure, strengthen its collaboration with industry and make basic cyber practices accessible to all Americans,” Lord, who will advise CISA’s Cybersecurity Division, said in a statement.

Source:

Apple patches two zero-day exploits

Apple this week rushed out emergency patches for two zero-day vulnerabilities in its macOS and iOS technologies that the company said are being actively exploited. The flaws are present in macOS Catalina, Big Sur, and Monterey; in devices running iOS and iPadOS; and in Apple tvOS and watchOS.

The flaws are the latest in a growing number of zero-day vulnerabilities that researchers have discovered in Apple's products in recent months. The latest disclosures bring to at least four the total number of zero-days that Apple has disclosed this year alone. In January, the company disclosed two similar zero-days, at least one of which was likely being exploited at the time of patch release.

In 2021, as many as 12 of 57 zero-day threats — or more than 20% — that researchers from Google's Project Zero tracked were Apple related. Impacted technologies included Apple's macOS, iOS, iPadOS, and WebKit. In several cases, the flaws were being actively exploited by the time Apple had released a fix for them.

"Apple's iOS and macOS code bases have been evolving for years, growing more complex, so it would not be surprising to see more vulnerabilities emerge," says Mike Parkin, senior technical engineer at Vulcan Cyber.

Source:

Apple's Zero-Day Woes Continue | Dark Reading

US State Department debuts new cyber bureau

PUBLISHED: Apr. 7, 2022 

The State Department is launching its long-awaited cyberspace and digital policy bureau.

The bureau, which will be led by a Senate-confirmed ambassador, will “address the national security challenges, economic opportunities and implications for U.S. values associated with cyberspace, digital technologies and digital policy,” according to an announcement seen by The Washington Post.

The bureau is a signal that the Biden administration is focused on elevating cyberdiplomacy amid the war in Ukraine and a year of devastating ransomware hacks. Secretary of State Antony Blinken is expected to cite attacks on critical organizations like Colonial Pipeline, the war in Ukraine and competing visions for the future of the Internet in a speech today. 

“Democracies must answer together the question of whether universal rights and democratic values will be at the center of our digital lives — and whether digital technologies deliver real benefits in people’s lives,” he is expected to say according to prepared remarks. “To do that, we need America’s diplomats leading the way. That’s why the work of the CDP Bureau will be so important.”

Source:

February

Senate lawmakers introduce cyber incident reporting legislation (again) 

PUBLISHED: Feb. 8, 2022 

The leaders of the Senate Homeland Security Committee on Tuesday introduced a legislative package meant to boost U.S. cybersecurity, warning a possible Russian invasion of Ukraine could result in cyberattacks against the U.S. by Moscow or its proxies. 

The proposed legislation, dubbed the Strengthening American Cybersecurity Act, combines three bills Senate Homeland Chair Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio) advanced out of their committee, including a measure that would require critical infrastructure firms to notify the Homeland Security Department when they are breached — legislation that was stripped from last year’s annual defense policy bill. The cyber incident reporting bill would mandate that critical infrastructure operations alert DHS within 72 hours of a breach and 24 hours if the organization made a ransomware payment. 

“It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government,” Peters said in a statement, adding the combined bill would “significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j.” 

Source

January

CISA: All Large Federal Agencies Have Mitigated Log4j Vulnerability 

PUBLISHED: Jan. 4, 2022

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that all large Federal agencies have successfully mitigated the Log4j critical vulnerability that the agency discovered in early December 2021. 

Agencies faced a Dec. 24, 2021 deadline to remediate the vulnerability and, to date, CISA has yet to encounter any confirmed breaches of Federal agencies via the vulnerability. 

“CISA continues to work with each agency to drive further progress toward remediating all assets at risk,” the spokesperson said. 

Source

 

Google buys cloud security startup for $500 million 

PUBLISHED: Jan. 4, 2022 

Alphabet Inc-owned Google said on Tuesday its cloud division had acquired Israeli cybersecurity startup Siemplify, as the U.S. tech giant expands its security offerings amid rising cyber attacks. 

Financial details of the deal were not disclosed by the companies, but a source familiar with the matter said Google paid about $500 million in cash for Siemplify. The deal came after Google made a pledge to U.S. President Joe Biden last August to invest $10 billion in cybersecurity over the next five years, amid a significant rise in cyber attacks and data breaches. 

Since the pandemic started in 2020, Google's revenue from the cloud business has nearly doubled to around $5 billion as companies shifted to working from home. The need to protect and hedge against security threats has shot up in tandem, with big corporates also beefing up on cybersecurity products. 

Google said Siemplify's platform would be integrated into its cloud and serve as the foundation for the capabilities it will invest in. The buyout, Google's first Israeli cybersecurity firm deal, will help the tech giant take advantage of the Middle Eastern nation's deep pool of cybersecurity talent. 

Source
