More stories

  •

    Brazil advances efforts to tackle electronic fraud

    The Brazilian government has created a special commission aimed at tackling electronic fraud.

    Created by the Ministry of Justice (MoJ) under the National Consumer Defense Council, the commission will include representatives of antitrust regulator Cade, as well as the National Confederation of Commerce, the consumer defense bodies from the states of São Paulo, Tocantins and Porto Alegre, the Federal Public Defender’s Office, and the Central Bank. This commission follows the recent creation of a working group, which is providing an assessment of the current online fraud landscape. The working group has the involvement of bodies such as the Brazilian Federation of Banks (Febraban) and the Central Bank.

    According to the MoJ, the working group will publish a final report listing proposals for combatting online fraud. The group is also due to meet with the National Data Protection Authority.

    In September, the MoJ started negotiations with Febraban about creating a National Cybercrime Strategy. According to Febraban, the discussions are informed by the National Strategy Against Corruption and Money Laundering, which is led by the Ministry of Justice and has been in place since 2003.

    The idea is to “expand the identification and repression” of the actors responsible for cybercrimes, the commission said. Other goals include jointly developing platforms for sharing fraud data, training security forces in cybersecurity and digital fraud issues, and leading public awareness campaigns on cyber risks and fraud.

  •

    VP Harris announces US support for international cybersecurity partnership in Paris

    US Vice President Kamala Harris said the US will be joining the Paris Call for Trust and Security in Cyberspace — a voluntary agreement between more than 80 countries, local governments and tech companies centered on advancing cybersecurity and “preserving the open, interoperable, secure, and reliable Internet.”

    The announcement was part of a diplomatic trip Harris made to Paris, where she met with French President Emmanuel Macron to discuss a range of issues. Macron spearheaded the creation of the initiative in 2018 and has long sought the inclusion of the US. But the administration of former President Donald Trump refused to join, criticizing it because both China and Russia also were not part of it.

    In a statement, The White House said the US “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.”

    “This includes working with likeminded countries to attribute and hold accountable States that engage in destructive, disruptive, and destabilizing cyber activity. The United States’ decision to support the Paris Call reflects the Biden-Harris Administration’s priority to renew and strengthen America’s engagement with the international community on cyber issues,” The White House explained.

    “The United States interprets the Paris Call consistent with our existing domestic and international obligations and commitments, including the importance we place on respecting human rights, freedom of expression and privacy. This announcement builds on the United States’ continuing work to improve cybersecurity for our citizens and business, including rallying G7 countries to hold accountable nations that harbor cyber criminals, supporting the update of NATO cyber policy for the first time in seven years, and the recent counter-ransomware engagement with over 30 countries around the world to accelerate international cooperation to combat cybercrime.”

    The Paris Call is made up of nine principles, which include protecting individuals and infrastructure, protecting the internet, defending electoral processes, defending intellectual property, the non-proliferation of malicious software, lifecycle security, cyber hygiene, banning private actors from “hacking back,” and implementing international norms “of responsible behavior.”

    The effort has already led to some changes across Europe and South America that allowed for tougher cybersecurity measures around emergency phone systems, the protection of domain name systems, more prominent bug bounty programs and more.

    Before Harris left for Paris, two senior leaders in Congress — Senate Foreign Relations Committee chairman Robert Menendez and House Foreign Affairs Committee chairman Greg Meeks — wrote a letter to her urging the US to join the Paris Call.

    “Given the recent surge of ransomware and other cyberattacks against the United States and our partners and allies, the Forum’s work on cybersecurity is essential. Cybersecurity is a critical economic and national security imperative, and confronting this challenge will require comprehensive and sustained US engagement with a wide range of stakeholders,” the two wrote.

    “In particular, private-sector companies play an increasingly significant role, including through the Paris Peace Forum and its Paris Call for Trust and Security in Cyberspace. We welcome your commitment to engage with our allies and partners, private-sector companies, and other important stakeholders at the Paris Peace Forum.”

  •

    Cybersecurity education company touts 3 to 6 month program for unemployed veterans

    Cybersecurity education company Cybint is doing its part to address veteran unemployment — which stands at 11% right now — and the cybersecurity talent shortage through a new 3 to 6 month program that trains novices in all things security.

    Texas has more than 42,000 open cybersecurity positions, one of the highest rates in the country. Cybint is partnering with universities and colleges like Houston Baptist University to offer the Cybint cybersecurity bootcamp to military and veteran students.

    Roy Zur, Cybint’s CEO, told ZDNet he was inspired to start the program by his time in the Israeli military, where he was part of a cybersecurity unit that re-skilled 18-year-old cadets who recently joined the army. Within six months, they were able to train people with no cybersecurity knowledge in a variety of security topics, and Zur eventually brought the method to the US after 10 years in the army.

    “I wanted to bring this concept of re-skilling people, those that are very early in their career or are career shifters. Veterans are a big part of this population in the US, and after they finish their career in the military, we want to allow them to switch to other careers,” Zur said.

    “Some people think that cybersecurity is this mysterious thing that you need years of practice to get into. But eventually, if you simplify it, it’s about protecting data from different perspectives and protecting networks.”

    Zur explained that Cybint’s educational programs range from full-time three month courses to six month part-time courses, all of which draw heavily from the National Institute of Standards and Technology’s frameworks.

    The bootcamp is divided into several pillars covering a variety of topics including protecting and defending, analyzing, investigating, and more.

    “By the end of the program, the graduates finish with skills in different aspects of network security, SOC analysis, SOC management, some basic aspects of malware analysis, and different aspects of forensics. They have a broad view of cybersecurity and, specifically, the hands-on skills of an entry-level security defender,” Zur said.

    “It’s not necessarily just for veterans, but veterans acquired great skills and experience in their military career. They have experience working under pressure and working in different environments. Most of them also have security clearances, which are important in cybersecurity.

    “We’ve also seen there is a significant rate of unemployment among veterans. The US government, different authorities and the military all want to help solve this problem. So it’s kind of like a win-win-win situation for everyone.”

    Zur’s goal is to partner with even more institutions, community colleges, and public universities to offer Cybint’s courses and bootcamps to students interested in cybersecurity.

    Ariel Julius Lee, a Cybint student and Marine Corps Veteran, said he started the program with little knowledge of the field of cybersecurity but noted that the bootcamp presented each topic for beginners. He told ZDNet the labs were especially helpful because they gave him an opportunity to apply the concepts covered by the instructors in practice.

    “While they have been challenging, they have helped me in reframing my approach to problem-solving. This has been the best aspect of the program thus far because implementing something you learned in practice, first-hand, is the best way to study,” Lee said.

    “This bootcamp inspired me to pursue a career in the field of cybersecurity and boosted my confidence that I will be able to succeed in it.”

    Ethan Schellingerhout, another veteran who took part in the program, said it gave him a hands-on overview of cybersecurity through its labs and bettered his presentation skills through its research projects. It also helped prepare him for CompTIA Security+ exams.

    William Welch is a professor of computer information technology systems at Central Texas College, which previously hosted some of Cybint’s bootcamps. Many veterans, he said, separate from the service each week and are more than deserving of a chance to start a fresh career.

    “They exhibit grit, strong technical capability, and seek challenging, vital employment opportunities. The Cybint cybersecurity bootcamps are key as they train these capable veterans to handle and thrive in cybersecurity and technology organizations,” Welch said.

    Cybint has programs at schools in Illinois, Iowa, Louisiana, and New Hampshire in addition to its Texas locations.

  •

    How to delete your Facebook account for good

    I think it’s fair to say that most Facebook users have a love/hate relationship with the social network. Facebook makes it incredibly easy to stay in touch with old friends and family members around the world while making new friends with complete strangers in Facebook Groups. But the giant network has made some serious mistakes over the past few years, prompting some to swear off (and probably at) the social network for good.

    But before you dive into your account settings and delete your account, there are a few housekeeping items to take care of, such as retaining a copy of your personal data (for example, pictures you’ve shared on the network) and moving away from Facebook’s login service for apps and websites. It’s also important to note that deactivating your Facebook account doesn’t actually delete it.

    The differences between deactivating and deleting

    Sometimes you just need a break from Facebook. In those instances, deactivating your account is a better option than completely deleting it. Before taking either approach, let’s take a quick look at the differences.

    Deactivating your Facebook account means you can reactivate it in the future, restoring your account exactly as it was. People won’t be able to search for you, or see your Facebook timeline, while your account is deactivated. Any Facebook Pages you’re in control of will also be deactivated, so make sure you assign admin rights to someone else if it’s critical the Page remains active. A deactivated account will still allow you to access Facebook Messenger.

    Deleting your Facebook account is a permanent option. Your account and all associated data will be removed from Facebook’s servers within 90 days. If you log back into your account in the first 30 days following your deletion request, however, the request will be canceled and your account will be fully restored. But after that 30-day period, there’s no way to reverse your deletion request; your account and all information will be lost. Deleting your account also removes your access to Facebook Messenger.

    One more important note: Until Facebook transitions its Oculus platforms away from requiring a Facebook login, deactivating or deleting your account will prevent you from using your Oculus headset.

    What to do before you delete your Facebook account
    If you’re set on deleting your Facebook account, take a few minutes to ensure the process goes as smoothly as possible. Facebook has become so intertwined with our online lives that losing your account can lead to some issues. For example, if you use Facebook’s Login service to sign in to apps or services, such as Spotify, you’ll need to edit your login settings to prepare for no longer having access to your Facebook account. In addition to account logins, you’ll want to download a copy of all of the personal data linked to your Facebook account.

    Start by signing into your Facebook account on a computer and going to your account Settings. Find that by clicking on the down arrow in the top-right corner > Settings & Privacy > Settings. Using the menu on the left side of the screen, find and select Apps and Websites. You’ll see a list of apps and services that you’ve linked to your Facebook account. If you’re struggling to figure out how to move away from a Facebook login for a specific account, I suggest reaching out to the company’s support department for further instructions.

    Next, request and download a copy of your Facebook account data. You can do that by visiting this page or manually navigating there by clicking on the arrow at the top of the website followed by Settings & Privacy > Settings > Your Facebook Information, then find the Download Your Information option and click View.

    The next page will present you with a calendar to select the date range of your request. There is an option for All Time if you want all the data associated with your account from the day it was created until the present day. Leave the media quality option set to High, and I suggest leaving the format as HTML. Below the calendar, there will be a list of the various types of information you can request. All of the categories are selected by default — again, I suggest leaving this section as is. Finally, click Create File to send the request to Facebook.

    Facebook doesn’t provide an estimate on how long it takes to process your request, but I imagine it can take a day or two, depending on how much data you’ve requested. I’m basing that off of my experience when requesting similar information for an old Google account. Once your information is ready, you’ll receive an alert from Facebook letting you know how to download it. You’ll only have a few days to complete the download.

    Another step you’ll want to take a few days before you delete your account is to let people know you’re leaving Facebook. You can either create a post for your friends to see, or reach out privately to some of your Facebook friends, and let them know of an alternative way to stay in touch with you. Remember, once you delete your account, you’ll also lose access to Facebook Messenger.

    How to delete your Facebook account
    Once you’ve received a copy of your information and feel comfortable with your loved ones knowing you’re leaving the site, it’s time to actually do the deed.

    Visit this page on your computer and log in to your Facebook account. Facebook will present you with a list of things you need to know, such as a suggestion that you deactivate your account instead of deleting it in order to retain access to Messenger, a reminder to download your information, and a list of any Facebook Pages that will also be deleted if you delete your account. Take just a few extra seconds to read through all of that to double-check, and then click on the Delete Account button when you’re ready and enter your password when prompted.

    Remember, you have 30 days to change your mind. Just log in to your account and click on the Cancel Deletion button to restore your account. After 30 days, your account is gone forever.


  •

    VA releases new cybersecurity strategy in honor of Veterans Day

    The Department of Veterans Affairs released a new cybersecurity strategy ahead of Veterans Day as a way to better protect the personal information of US veterans as well as to stop the potential corruption of critical data.

    The VA said cybercriminals have long sought access to veterans’ data for a variety of scams and exploitation, prompting the department to make changes to its security. In 2006, the organization faced a massive data breach affecting the sensitive information of 26.5 million veterans as well as their spouses and family members.

    Just last month, the Justice Department sentenced a former medical records technician for the US Army after he was caught accessing personal information from US veterans and using the data to steal millions from benefits sites.

    While working as a civilian medical records technician and administrator with the US Army at the 65th Medical Brigade, stationed at Yongsan Garrison in South Korea, 40-year-old Fredrick Brown stole names, Social Security numbers, military ID numbers, dates of birth and contact information for thousands of military members. This occurred between July 2014 and September 2015. US Attorney Ashley Hoff noted that many of the veterans targeted in the scheme were disabled or elderly, since they received more service-related benefits.

    The Department of Veterans Affairs said it developed an entirely new strategy to protect veteran data. It uses new frameworks that outline ways they can protect the VA’s most critical business functions and assets while also making them more resilient.

    “As we continue to rapidly advance technology across VA, this strategy provides an agile framework to address the challenges of today and adapt to the technologies and threats of tomorrow,” said Secretary of Veterans Affairs Denis McDonough.

    “This comprehensive approach practices accountability and transparency, while remaining hypervigilant of cyber threats — charting a course for success at the individual and enterprise levels.”

    On top of securing and protecting the data of the VA and veterans, the new plan includes measures to protect information systems and assets, use innovative measures to strengthen the organization’s cybersecurity, partner with other organizations on best practices, and use risk management frameworks to bolster their cybersecurity goals.

    The VA added that the new strategy takes into consideration, among other things, “Executive Orders, technological advancements, innovations, and world events that have impacted the way VA delivers services.”

    Andrew Barratt, vice president at cybersecurity firm Coalfire, said that the VA provides additional assistance to a number of the company’s employees.

    “We’re pleased to see the VA take steps to formalize a refreshed strategy committing to protecting Veterans’ data. Like many cybersecurity strategies, it is high level in nature and focuses on five critical goals,” Barratt said.

    Coalfire’s John Dickson added that it’s less about what strategies the VA announces and more about resource allocation and sustained executive focus on cybersecurity.

    “Given the 2006 public security breach, other organizational security ‘near misses,’ and the VA’s historical approach to cybersecurity, this is one case where actions most certainly speak louder than words,” Dickson said.

  •

    Google debuts ClusterFuzzLite security tool for CI, CD workflows

    Google has launched ClusterFuzzLite, a continuous fuzzing solution for improving software supply chain security. 

    On Thursday, Google software engineers Jonathan Metzman and Oliver Chang, together with product lead for Google’s CI/CD products, Michael Winser, said in a blog post that the new tool can run “as part of CI/CD workflows to find vulnerabilities faster than ever before.”

    Fuzzing is an automated testing technique for finding bugs and unexpected behavior by inputting invalid and random data into programs. This can flag up vulnerabilities or errors that may otherwise go unnoticed through manual analysis.

    The new tool, ClusterFuzzLite, is based on ClusterFuzz, an open source scalable fuzzing infrastructure previously released by Google and used as the fuzzing backbone for the OSS-Fuzz program.

    According to Google, ClusterFuzzLite can be integrated into existing workflows to fuzz pull requests, improving the chance that vulnerabilities are found earlier in the development process and before changes are committed.

    While ClusterFuzz and ClusterFuzzLite contain some of the same features — including continuous fuzzing, coverage report creation, and sanitizer support — the team says that the main difference is ClusterFuzz is easy to set up with closed source projects, and so developers can make use of it to quickly fuzz their software.

    As of now, ClusterFuzzLite supports GitHub Actions, Google Cloud Build, and Prow.

    “With ClusterFuzzLite, fuzzing is no longer just an idealized “bonus” round of testing for those who have access to it, but a critical must-have step that everyone can use continuously on every software project,” the team said. “By finding and preventing bugs before they enter the codebase we can build a more secure software ecosystem.”

    Documentation on the tool can be accessed at GitHub.

    In February, Google launched the Open Source Vulnerabilities (OSV) website, a platform for open source vulnerability mapping.

  •

    CEO-designate of Pegasus spyware's NSO Group resigns after US sanctions

    Multiple Israeli news outlets are reporting that Itzik Benbenisti, the person slated to become the new CEO of controversial spyware company NSO Group, has resigned just two weeks after accepting the role. The Jerusalem Post and Haaretz reported that Benbenisti decided against replacing current CEO Shalev Hulio after the US Commerce Department’s Bureau of Industry and Security added NSO Group to the Entity List “for engaging in activities that are contrary to the national security or foreign policy interests of the United States” last week. NSO Group did not respond to requests for comment, but it did confirm Benbenisti’s decision to Haaretz. His appointment to CEO had been announced on October 31, but he had not started the job yet. 

    Sources told Haaretz that Benbenisti was spooked by the new sanctions as well as recent revelations about the company’s spyware that could lead to legal consequences.

    The US Commerce Department said NSO Group and another spyware firm called Candiru were added to the list because officials had found “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.” The Commerce Department noted that the governments given these tools repressed a number of people in other countries, explaining that some authoritarian governments targeted “dissidents, journalists, and activists outside of their sovereign borders to silence dissent.”

    NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last week, a bombshell report from the University of Toronto’s Citizen Lab and the Associated Press said that even the Israeli government’s own spy agency used the tool to hack the phones of six Palestinian human rights activists.

    That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers.

    In July, the “Pegasus Project” used information from Amnesty International, the University of Toronto’s Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted.

    Last week, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

    “As members of Congress deeply concerned with the rising tides of authoritarianism around the world, we have closely tracked the parallel and reinforcing proliferation of commercially distributed surveillance and cyber-intrusion tools. These are extremely sensitive and powerful technologies used by foreign governments against Americans, as well as against journalists and civic activists,” Congress members said in a joint statement.

    “While recent reporting confirmed that NSO Group’s Pegasus software was used against journalists, human rights activists, and opposition politicians, many others are profiting from this new arms market.”

    Hulio is planning to stay on as CEO to guide the company through this turbulent period, according to Haaretz.

  •

    Unsupervised AI arrives for quality inspection

    Quality in manufacturing is mission critical. AI-powered quality inspection is nothing new, but a joint venture from two big players in manufacturing could markedly improve outcomes and reduce barriers to entry.

    The new venture is called Lean AI. The technological secret sauce is what’s known as unsupervised AI, which is a cutting edge deep learning technology that doesn’t require massive datasets, months of setup time, or known inspection paradigms to function. The new company is a collaboration between Johnson Electric, which has knowledge and experience in manufacturing, and Cortica Group, which has pioneered unique autonomous AI technology for visual inspection.

    “With the power of Cortica’s Autonomous AI technology, and JE’s vast knowledge of the market, Lean AI will deliver a product that reduces the cost of human error when it comes to quality inspection in manufacturing and address the vulnerabilities in the current market,” says Karina Odinaev, CEO of Lean AI.

    The problem is that conventional Deep Learning-Based Quality Assurance Systems can take weeks or months to deploy and rely on data scientists or AI experts feeding in large, manually tagged training sets with thousands of defect image examples. These systems require constant maintenance and re-training for product variations or new cameras.

    Lean AI is leveraging a newer generation of unsupervised deep learning-based quality assurance technology to get past existing challenges. Its unsupervised system uses unlabeled data, applies predictive quality assurance, and compiles data that increases the speed of deployment and scaling. It’s an open platform, meaning it’s agnostic to camera, defect type, and product. That flexibility marks a big evolution in AI-driven inspection, which is a massive and growing market, particularly with renewed emphasis on efficiency as supply chains are stretched thin.

    By some estimates, the global machine vision market is currently valued at US$11 billion and is forecast to increase to US$15.5 billion by 2026.

    “Cortica has developed self-learning AI that is fundamentally different from traditional deep learning systems. Autonomous AI Technology operates like a human brain — it’s not a fixed system; instead, it continuously adapts itself to various scenarios and learns online in real-time. Its technology requires far less computing power, can be deployed at a fraction of the cost, and provides far superior performance outcomes,” says Igal Raichelgauz, Founder and Chairman of Cortica.

    “Our technology is robust and generic and applicable within a multitude of signal domains such as visual, audio, time series and other domains; visual inspection is only the beginning. Autonomous AI technology is quickly becoming the benchmark for the industry.”