More stories


    FBI intelligence analyst indicted for theft of cybersecurity, counterterrorism documents

    A former intelligence analyst for the US Federal Bureau of Investigation (FBI) has been indicted for stealing confidential files over a period of 13 years. 

    Kendra Kingsbury, of Dodge City, Kansas, has been charged by a federal grand jury in a two-count, unsealed indictment made public on Friday. The US Department of Justice (DoJ) said that between June 2004 and December 2017, the 48-year-old removed and then kept national security, secret, and confidential documents at her home.

    Classified material allegedly removed from FBI systems included documents relating to cybersecurity threats, terrorism, intelligence bulletins, open FBI investigations, human operations, and files describing the “technical capabilities of the FBI against counterintelligence and counterterrorism targets.” In addition, some of the material specifically related to al Qaeda members, suspected “associates” of Osama Bin Laden, and emerging terrorist groups in Africa.

    As an FBI intelligence analyst for over 12 years in the law enforcement agency’s Kansas division, Kingsbury had been trained in the handling of sensitive material and non-disclosure practices. During her tenure, the intelligence agent was assigned to squads including those focused on counterterrorism, drug trafficking, and gang crime.

    “The defendant was not authorized to remove and retain these sensitive government materials, including the national defense Information and classified documents,” the indictment reads. “Nor did the defendant have a ‘need to know’ in most, if not all, of the information contained in those materials.”

    Kingsbury was suspended in 2017, has now been arrested, and has made her initial court appearance in the District of Kansas. The former analyst is charged with two counts of “willful retention of national defense information.”

    “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing,” said Alan Kohler, Jr., Assistant Director of the FBI’s Counterintelligence Division. “The defendant, who’s well trained in handling classified information, put her country’s sensitive secrets at risk. The FBI will go to great lengths to investigate individuals who put their own interests above US national security, including when the individual is an FBI employee.”


    Crypto miners look beyond China as government threatens crackdown

    Several cryptocurrency mining operators reportedly have halted their activities in China amidst increasing threats of a government crackdown. A senior official had called for the need to mitigate financial risks and more closely monitor activities on business platforms.

    Chinese vice premier Liu He said late Friday that the country’s financial infrastructure must remain robust and guard against disruptions. Doing so would require the use of monetary policies to mitigate financial risks, noted Liu, who was speaking at the 51st meeting of the Financial Stability and Development Committee, which he chaired. In stressing the need to identify potential financial threats, he outlined the need to bolster the monitoring of business platforms that facilitated financial activities, as well as to crack down on Bitcoin mining and trading transactions. The mention, though, was brief and he provided no further details on possible regulations.


    However, his statement marked the first time a top Chinese government official had referred specifically to crypto mining. It comes just days after three state-backed financial groups in China issued a joint statement warning against the use of cryptocurrencies as payment and reminded industry players that digital currencies should not be used in any financial activities in the country.

    Liu’s remarks also prompted several crypto mining operators to halt their activities in China and look overseas for alternative mining sites, according to a Reuters report. Crypto exchange Huobi’s subsidiary Huobi Mall said via a Telegram statement Sunday that it had suspended its local businesses and was in discussions with overseas service providers for the “exports of mining rigs”. It told customers “not to worry and calm down”.

    Fellow crypto mining operator HashCow said it would stop purchasing new Bitcoin rigs and would refund customers that had ordered compute power but had not begun mining. The company owns 10 mining sites in China, according to Reuters. BTC.TOP also halted its activities in China, with its founder Jiang Zhuoer pointing to regulatory risks. In a post on microblogging platform Weibo, Jiang said the crypto mining pool would in future operate mainly in North America as Chinese authorities clamped down on mining activities.

    He further noted that China was likely to lose its crypto computing power to foreign markets in future, with mining pools in the US and Europe taking dominance.

    Researchers last month cautioned that, unless more stringent regulations were implemented, China’s crypto mining could undermine the world’s sustainability efforts. The report estimated that the country accounted for more than 75% of Bitcoin’s hashing power or calculations, fuelled by China’s proximity to manufacturers of the required hardware and access to cheap power.

    While it had outlawed financial activities involving cryptocurrencies, the Chinese government had created its own alternative that is commonly described as the digital version of the yuan or renminbi (RMB). Called Digital Currency Electronic Payments (DCEP), the digital yuan was developed on blockchain and cryptographic technologies and might later support near-field communication (NFC) capabilities, to allow offline money transfers between two digital wallets that were within proximity.

    US Federal Reserve Chairman Jerome Powell said last week the government agency would be more involved in cryptocurrencies and mooted creating its own digital currency in future. He added that the Federal Reserve would soon release a discussion paper that looked at the implications of digital payments, with “a particular focus on the possibility of issuing a US central bank digital currency”. China’s threats of a potential crackdown, alongside Elon Musk’s detour on accepting Bitcoin as a payment option, led to a tumultuous week for the cryptocurrency. It shed more than 10% in value, dipping to its current hold at $35,598.


    CSIRO Data61 bins Trustworthy Systems team behind seL4

    The team behind the seL4 microkernel is no longer under the umbrella of Australia’s Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61, with members being shifted from microkernels to supporting artificial intelligence.

    “[CSIRO’s Data61] dismantles Trustworthy Systems (TS), the team that shook the scientific world with the first correctness proof of an OS, #seL4. TS staff to reallocate to AI projects or sacked,” professor Gernot Heiser, chairman of the seL4 Foundation, said on Friday. “Claims by [Data61] of research excellence sound hollow. I challenge you to identify work in Data61 eclipsing the TS team and #seL4. Yet it’s easy to identify highly incremental work in Data61 that seems safe.”

    In 2009, the security of seL4 was mathematically proven. Heiser added that total disaster was avoided thanks to the seL4 Foundation being established last year.

    A spokesperson for CSIRO said seL4 was a “mature area of technology” that the organisation had invested in over a number of years, and that the organisation would remain as a foundation member so it could “pivot” away from its work.

    “In order to support the nation in the most important areas, CSIRO will no longer maintain the existing Trustworthy Systems Group. The Trustworthy Systems group is focused on the area of formal methods for design, implementation, and verification of software systems,” CSIRO said.

    “We are strengthening our focus on areas such as cybersecurity, industry 4.0 and natural hazards/environmental analytics, as well as emerging areas such as Trustworthy AI.”

    The spokesperson added Data61 was following new goals with money being put towards AI, “reinventing” how science would be done using digital technologies, and “putting digital science and technology at the heart of Australia’s recovery and resilience”.

    “As a result of the changes, there will be approximately 100 positions created including 30 new post doctorate positions,” the spokesperson said. “In the short term up to 70 people in Data61 will be potentially impacted, however, the number will likely be less as we work to redeploy people throughout the organisation. Within two years, given the new positions, we expect headcount to be higher than today.”

    The research conducted by Trustworthy Systems will continue at the University of New South Wales, Heiser said, but he was scathing of the decision taken.

    “If this shining example of Aussie innovation no longer has a place in Data61, then what is the organisation good for? I find this development highly upsetting not only due to its impact on my own work, our agenda for making the world’s computing systems secure, but also as a taxpayer who is funding this organisation,” he wrote. “I am no longer convinced that my tax dollars are well spent there.”


    Air India discloses data of 4.5m passengers were stolen in SITA cyber attack

    Three months after global aviation industry IT supplier SITA fell victim to a cyber attack, Air India has disclosed the incident resulted in the data of around 4.5 million of its passengers being stolen. The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021, Air India said in a statement [PDF].

    The stolen information included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. No frequent flyer passwords or CVV/CVC data were stolen, however, as this information was not held by SITA. SITA, an information technology and communications company, is the data processor of Air India’s passenger service system.

    While the SITA cyber attack was first discovered at the end of February, Air India said it only understood the severity of the cyber attack last month. Since then, Air India has been conducting investigations, securing compromised servers, engaging external specialists, notifying and liaising with credit card issuers, and resetting passwords of the Air India FFP program, it said.

    When the cyber attack was disclosed, SITA said Star Alliance and One World airlines were affected. Alongside Air India, this included Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, Singapore Airlines, among others. In March, Singapore Airlines disclosed 580,000 of its frequent flyer members were compromised in the cyber attack.

    According to SITA, the vendor serves around 90% of the world’s airlines, which amounts to 2,800 customers including airlines, airports, and government agencies.

    Over the weekend, a handful of airlines were forced to cancel or delay flights after Sabre suffered a global IT outage. Virgin Australia, American Airlines, and Alaska Airlines were among the airlines affected. Sabre blamed the outage on its hardware provider, Dell EMC.

    “Dell/EMC has confirmed it experienced a hardware redundancy failure that impacted Sabre’s system, including PSS and check-in,” Sabre told ZDNet. “The issue has been resolved. Dell/EMC is working to understand why the failure occurred.”


    A pair of TPG TrustedCloud customers were breached

    TPG Telecom said on Monday morning that the data of two customers had been accessed on its legacy TrustedCloud hosting service. It added it did not believe any other customers were impacted by the breach.

    “The incident was isolated to the TrustedCloud service. The TrustedCloud service is hosted in a standalone environment that is separate from our telecommunications networks and other systems,” the company told the ASX. “The incident has not impacted customers from any of our other brands, products or services.”

    TPG Telecom gained TrustedCloud when it purchased IntraPower in 2011, with the service being “in the process of being decommissioned” and set to disappear in August. The telco said the service had only a “few” remaining customers.

    “We have introduced measures to improve the security of the TrustedCloud service,” TPG said. “Although we are confident this incident has not impacted our other environments, we have also increased the cybersecurity defences across our entire business.”

    Earlier this month, the Australian Department of Parliamentary Services said its March outage was the result of a deliberate choice to shut down its legacy mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

    “The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said. “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

    The legacy MDM system remains in use in a limited capacity. The Australian Signals Directorate said it knew who conducted the attack, but would not say who.


    How much economic damage would be done if a cyberattack took out the internet?

    The recent closure of Colonial Pipeline’s natural gas distribution infrastructure from a ransomware attack brings up a question: What economic damage could be caused by a cyberattack that would render the internet unusable for an hour, 10 hours, or a day? 


    Merchant Machine, a UK-based payments information service, took a stab at figuring out the economic damage that the loss of the internet would create, and its answer is that the world economy would lose $2.1 billion per hour — rising to $51 billion after 24 hours.

    The larger the country’s economy, the larger the loss. The US economy would be on a $306.3 million an hour loss rate, or $7.3 billion after 24 hours. China would lose about $244 million per hour or $5.8 billion after 24 hours.

    Similarly, the largest retailers will hurt the most. Amazon is out of pocket by $44 million per hour. Interestingly, advertising-supported Instagram would lose even more at $53 million per hour, according to Merchant Machine.

    The calculation was done simply by using information from Netblocks and dividing company annual revenues by the number of hours in a year. Such broad studies do not take into account practicalities such as being able to complete a commercial transaction in the following hour or day or week when internet connectivity would be restored. Is that really lost revenue or is it just delayed?

    However, the report is essentially a breakdown on the rise of dependence on digital commercial transactions — the importance of the internet is undeniable, but there are also private networks that do not rely on the internet to complete commercial transactions.

    A more detailed analysis of each country’s dependence on the internet can be seen here.



    Florida water treatment plant was involved in second security incident before poisoning attempt: report

    A new study from Dragos has found that a water treatment plant in Oldsmar, Florida — where hackers attempted to poison the town’s water earlier this year — was also involved in another potential breach at the same time. A browser being used on the plant’s network was traced back to a “watering hole” attack that was allegedly targeting water utilities across the country.


    “We have medium confidence it did not directly compromise any organization,” the report said. “But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology and Industrial Control System environments.”

    The tiny town in central Florida made national news in February when hackers gained remote access to systems at a local water plant and tried to elevate levels of certain chemicals which would have been poisonous to the town’s residents. The attack was stopped before the water levels could be changed but the situation, like the recent ransomware attack on Colonial Pipeline, put a spotlight on how unprotected much of the critical infrastructure in the US is.

    Researchers with Dragos found that the WordPress website of a water infrastructure construction company in Florida was “hosting malicious code” in the footer file of their website as a way to lure in operators at water utilities in the state and elsewhere. The attackers allegedly took advantage of one of the many vulnerabilities that can be found in WordPress’ plugins and inserted the code, which Dragos identified as the Tofsee malware, at some point in December 2020.

    The report found that the website with the malicious code “was visited by a browser from the city of Oldsmar” on February 5 at 9:49 am, the same day of the poisoning event. The water plant in Oldsmar was far from the only organization that visited the site with the malicious code, according to the report. Dragos researchers found that between December 2020 and February 16, when the vulnerability was dealt with, more than 1,000 computers across the country were “profiled by the malicious code.”

    Dozens of computers from state and local government agencies, water industry-related private companies, municipal water utility customers, and others visited the site during that two-month span, according to Dragos. Although the visit occurred on the same day as the attack, the watering hole attack was not connected to the poisoning attempt, Dragos reiterated. “We do not understand why the adversary chose this specific Florida water construction company site to compromise and to host their code. Interestingly, and unlike other watering hole attacks, the code did not deliver exploits or attempt to achieve access to victim computers,” Dragos researchers wrote.

    “With the forensic information we collected so far, Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” the report said.

    Cybersecurity experts noted that the report confirmed what many have said for years about the country’s inability to protect vital infrastructure from cyberattacks. ThycoticCentrify vice president Bill O’Neill said the report was just another example of how organizations are dealing with a slate of vulnerabilities that can be exploited at any moment by attackers.

    “Attacks like these make it abundantly clear that we’re entering a new era of digital warfare. A digital Pearl Harbor has long been a fear of experts as our adversaries look to cause disturbances amongst our critical infrastructure,” O’Neill said. “Any major attack on our energy, water, or transportation systems could accomplish that.”

    Yaniv Bar-Dayan, CEO of Vulcan Cyber, explained that the watering hole attack had the makings of a very sophisticated attack and noted that it all started with a “lowly, vulnerable WordPress plugin.”

    “Vulnerability remediation is the dirty job of the cyber security industry. Nobody really likes to do it, and it doesn’t get the attention and resources it deserves until it’s too late,” Bar-Dayan said. “These days, a WordPress plugin vulnerability can lead to the poisoning of a water supply or the taking down of an oil pipeline.”

    Other experts said the findings simply confirmed the need for constant updates to be made to an organization’s content management system. The attack also highlighted how hackers use some efforts to learn what works and gather data as opposed to leveraging vulnerabilities for any specific action, according to New Net Technologies security research vice president Dirk Schrader.

    “For those on the defense, it confirms the need to maintain a high level of cyber hygiene and to be able to detect any malicious changes in the infrastructure,” Schrader said.


    Businesses are getting better at security. But they're still forgetting one big risk

    With major cyber attacks on critical infrastructure such as the SolarWinds attack, the Florida water treatment facility hack, and the US East Coast’s Colonial Pipeline ransomware crisis, the security of products — and not just information systems — really needs to be taken more seriously, argues Chris Wysopal, founder and CTO of code scanning company Veracode.

    While the CISO protects information in the enterprise, Wysopal is arguing this week at the RSA 2021 conference that products need a level of attention equivalent to that given to enterprise information systems. His call for greater focus on product security comes as supply chain attacks are on the rise and governments across the world attempt to grapple with the problem of tampered products entering an organization.

    “Products are different. Products leave the enterprise. Think of Tesla’s product security. It’s the car. You could think of a medical device company, but even in more information-oriented companies, it’s an app, it’s a standalone website and they’re starting to become outside of the enterprise. They have a life of their own,” Wysopal tells ZDNet.

    Wysopal is a notable figure in the cybersecurity scene, and was one of the original vulnerability researchers and one of the seven members of the L0pht ‘hacker think tank’ who told the US Senate in 1998 that the group could bring down the internet in 30 minutes.

    Wysopal reckons products like these need a C-level exec with a better engineering skillset than a CISO typically has — a role more focused on monitoring networks and systems to keep hackers out. “Historically, a CISO has not been required to build security into a piece of software or a device,” he says.

    “The traditional CISO doesn’t have that security engineering and product engineering background. They traditionally have grown up through compliance or network security, and they don’t have the understanding of software or code-level vulnerabilities. So you’ll have a lot of times where you have product security not reporting to a CISO, but reporting to the VP of engineering.”

    At Veracode, the CISO reports to him as the CTO, while his head of product, which sits at a director level, also reports to him. “Product security is a separate function, even at Veracode. And we’re a software-as-a-service company. We don’t ship any products or anything IoT, which I think really requires an elevated product security person.”

    “It’s more important than the security of the rest of the business,” he argues, adding that at some point, apps become the product rather than just an extension of backend systems. This is relevant to the banking, insurance, retail, government and other sectors that now create apps that differentiate the business amongst competitors.

    “The risk of that software starts to become more important,” he says. And attackers are getting ever smarter, as shown by the SolarWinds attack.

    “When someone is planting a sophisticated backdoor, you’re not going to be able to detect it just by looking at the code,” he says. “That’s why the integrity and security of the software development pipeline has become so important. Because that’s how you protect against someone inserting a backdoor like in SolarWinds. So instead of hoping to look at that binary artifact at the end and hoping to detect it — that’s not a good solution to this type of attack.”

    The solution is, he says, to have good security on all the different parts of the pipeline. This includes making sure that developers who have permission to modify code use two-factor authentication when accessing a code repository to update code. They should also be cryptographically signing all the different artifacts that become part of the final build of a software product.

    Wysopal is optimistic that US president Joe Biden’s cybersecurity-focused executive order will have a positive impact on how cybersecurity is handled in the private sector in the US. “We see that the requirements for doing business with the federal government will be adopted in the private sector. Enterprises in lots of different sectors will push this on to their vendors. Cyber insurance companies will look at this and say, ‘Hey, this is lowering the risk of the federal government and if you do these same practices, your insurance premiums will be less.’

    “The federal government is setting a good example. Parallel to that, we see that Congress, which can pass laws that affect everyone doing business in the US. Congress will also learn from this and will codify some of this into law.”

    In other words, Biden’s executive order, while only applying to federal agencies, could have major implications for classical critical infrastructure as well as banking, healthcare and other sectors the US considers vitally important. “That could be dictated by law. It might not just be the market making it happen,” he says.
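    As an added illustration of the pipeline control Wysopal describes (signing every artifact that feeds the final build, then verifying the signatures before the next stage consumes anything, rather than inspecting the finished binary), here is a small Go program written for this page; it is not Veracode's tooling or code from the article. It uses Ed25519 and SHA-256 from Go's standard library and constructed in-memory byte strings in place of real build outputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one build input or output (object file, vendored dependency, image layer).
type Artifact struct {
	Name string
	Data []byte // held in memory here; a real pipeline reads the file from disk
}

// GenerateReleaseKey creates the pipeline's Ed25519 signing key pair (in practice the
// private half lives in an HSM or KMS that only the signing stage may call).
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source
	}
	return pub, priv
}

// manifest renders "name sha256hex" lines in sorted order, so one signature covers
// the whole artifact set and does not depend on listing order.
func manifest(arts []Artifact) []byte {
	lines := make([]string, 0, len(arts))
	for _, a := range arts {
		sum := sha256.Sum256(a.Data)
		lines = append(lines, a.Name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignManifest is the signing stage: hash every artifact, then sign the manifest.
func SignManifest(priv ed25519.PrivateKey, arts []Artifact) (m, sig []byte) {
	m = manifest(arts)
	return m, ed25519.Sign(priv, m)
}

// VerifyBuildInputs runs before the next stage consumes anything: the manifest must
// verify under the trusted public key, and the artifacts present must match the
// signed digests exactly (none altered, none missing, none added).
func VerifyBuildInputs(pub ed25519.PublicKey, m, sig []byte, arts []Artifact) error {
	if !ed25519.Verify(pub, m, sig) {
		return fmt.Errorf("manifest signature invalid: altered manifest or untrusted key")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(m)), "\n") {
		name, digest, ok := strings.Cut(line, " ")
		if !ok {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[name] = digest
	}
	if len(expected) != len(arts) {
		return fmt.Errorf("manifest lists %d artifacts, build has %d", len(expected), len(arts))
	}
	for _, a := range arts {
		// A name absent from the manifest has want == "" and fails the same comparison.
		want := expected[a.Name]
		if sum := sha256.Sum256(a.Data); hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("artifact %q is missing from the manifest or was altered after signing", a.Name)
		}
	}
	return nil
}

func main() {
	pub, priv := GenerateReleaseKey()
	// Constructed sample artifacts: a compiled object and a vendored dependency.
	arts := []Artifact{{"libparse.o", []byte("object code")}, {"vendor/dep-1.2.tgz", []byte("tarball")}}
	m, sig := SignManifest(priv, arts)
	fmt.Println("clean build:", VerifyBuildInputs(pub, m, sig, arts))
	// One input replaced between signing and build: verification must fail.
	tampered := []Artifact{arts[0], {"vendor/dep-1.2.tgz", []byte("tarball+implant")}}
	fmt.Println("tampered build:", VerifyBuildInputs(pub, m, sig, tampered))
}
```

    The public key is the only thing the verifying stage needs, so it can be pinned in the build configuration while the signing key stays out of reach of the build workers.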