Security News > 2020

The FBI laid out new protocols Friday for how it conducts electronic surveillance in national security cases, responding to a Justice Department inspector general report that harshly criticized the bureau's handling of the Russia investigation. The filing comes one month after the chief judge of the surveillance court - in a rare public directive - ordered the FBI to say how it would correct shortcomings identified in the watchdog report on the bureau's investigation into ties between Russia and Donald Trump's 2016 presidential campaign.

In July 2019, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists. An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley.

Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [1, 2] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller and Citrix Gateway are vulnerable to a critical path traversal flaw that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

A vulnerability in Broadcom's cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings. The end result, the team says, is that crooks can remotely take over vulnerable Broadcom-based cable modems without netizens or ISPs realizing; the victim simply has to surf to a dodgy website, or similar.

As a first world householder the biggest use of energy is "Moving heat around" something like 80% of "Resistive" heating ends up wasted currently. You can store enough energy to keep a reasonably well insulated home comfortable for upto a week with a few cubic meters of water using heat pumps that over all would use between 10-25% of the energy used by resistive heating.

The CEOs of the three largest voting machine manufacturers testified before a U.S. Congressional committee on Thursday that they would be open to greater federal oversight of their equipment to help ensure the security of voting data in upcoming elections, including the 2020 presidential contest. The three companies - Election Systems and Software, Dominion Voting Systems and Hart InterCivic - have close to 350,000 voting machines deployed across the U.S. and represent more the 80 percent of the country's voting machines, according to NBC News.

In a bizarre "Whistleblower" case, federal prosecutors have charged a Georgia man in connection with an alleged "Intricate scheme" involving falsely reporting that a Savannah hospital worker committed criminal HIPAA violations. The U.S. Department of Justice says Jeffrey Parker, 43, who initially "Claimed to be a whistleblower," has been charged with falsely reporting that a "Former acquaintance" violated HIPAA by committing patient privacy violations.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has warned organizations that malicious hackers continue to exploit a widely known Pulse Secure VPN vulnerability. "Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency continues to observe wide exploitation of CVE-2019-11510," CISA said.

Scott Matteson: How do AI and ML improve cybersecurity measures? Anish Joshi: Since AI and ML are not only used in cybersecurity but also in cybercrime, the bad guys use them to better profile their victims and accelerate attacks.

The UK Data Protection Regulator has issued a monetary penalty of £500,000 against Dixon Carphone for what it describes as "Multiple, systemic and serious inadequacies" in the firm's security posture. This allowed Dixons to argue that the PAN was not personal data, and that this aspect of the breach was consequently not subject to the personal data focus of the data protection laws.