Famed hacker collective reunites on Hill today

International justice summit to discuss cybersecurity — What seized cybercriminal email accounts reveal.

THE MORE THINGS CHANGE… — Congress today hosts an event commemorating the 20-year anniversary of the first ever cybersecurity hearing, where the witnesses from that day — members of the hacking collective L0pht — will reunite to discuss what has changed, and what hasn’t. Cris “Space Rogue” Thomas sees progress. “A lot of people in industry say, nothing ever changes,” Thomas, now the global strategy lead at IBM’s X-Force Red, told MC. And yes, people are making the same mistakes still, like bad passwords. “That’s one way to look at things,” Thomas said. “It forgets all the advances that have been made.” Twenty years ago, there were no corporate awareness campaigns on phishing, for example. The voluntary cybersecurity framework put together by government and industry highlights how both sides can collaborate, he said. But, “We still have a long way to go. There are a lot of people with their heads buried in the sand who think they aren’t at risk,” Thomas said.

Joe “Kingpin” Grand is a bit more pessimistic. There’s been incremental progress, but “it doesn’t seem like it can keep up with the scale of the attacks,” Grand, founder of Grand Idea Studio, told MC. Grand, who focused on hardware then and now, said that the so-called internet of things shows how basic security principles — like simple security measures installed at the outset — are getting neglected in favor of getting an internet-connected device to market quicker. People appear desensitized, Grand said. Then-Sen. Fred Thompson predicted that if Congress didn’t act, a big corporate hack would lead to a lawsuit and the problem would “fix itself,” as Grand paraphrased. “Twenty years later, there have been so many attacks and no sort of lawsuit has really changed anything,” Grand said.

Both Grand and Thomas agreed that there’s been another change: The sheer amount of people or things connected to the internet. “Everything’s on the network,” Grand said. “The scale of things have expanded far greater than any of us could’ve imagined back then.” Listing off the long-persisting cybersecurity issues from then and now, Thomas said, “Those issues are still there. Are they more or less prevalent than 20 years ago? Percentage-wise it’s the same, but the user base is much larger.”

The Congressional Internet Caucus Academy, Senate Cybersecurity Caucus and Congressional Internet Caucus are hosting. “So many of the concerns raised by L0pht members 20 years ago — including the weak security properties of core internet protocols, problems with authentication, and failures by vendors to maintain security across the product lifecycle — remain unaddressed today,” Sen. Mark Warner, co-chair of the Senate Cybersecurity Caucus, said in a statement to MC. “I’m hopeful that Congress today takes cybersecurity more seriously than it did in 1998 — but there remains significant room for improvement.”

CYBER ON THE AGENDA — Trump administration officials are in Bulgaria this week for the U.S.-EU Justice and Home Affairs Ministerial Meeting, bringing together the interior and justice ministers from the partner nations to discuss issues like terrorism, border security and of course cybersecurity. Attorney General Jeff Sessions arrived in Sofia on Monday, and Claire Grady, the acting No. 2 at DHS, will travel there today and Wednesday. DOJ said that Sessions’ meetings would cover “counterterrorism, cybercrime, border security, and organized crime,” while DHS said Grady would “meet with international partners to discuss joint counterterrorism efforts as well as aviation security, cybersecurity and improved vetting measures.” The U.S. and its European partners briefly discussed cybersecurity and cybercrime in the readout from last year’s ministerial.

RIGHT UP THERE WITH MS-13, APPARENTLY — Deputy Attorney General Rod Rosenstein doesn’t mince words when it comes to his, and the Justice Department’s, opinion of hackers. Speaking at the 2018 Annual Conference for Compliance and Risk Professionals in Washington on Monday, Rosenstein praised companies that play by the rules. “That frees our investigators and attorneys to focus on corporate criminals who pose the most dangerous and imminent threats to the American people — terrorists, drug traffickers, transnational cyber criminals,” according to Rosenstein. “Those groups do not have compliance programs. They do not make voluntary disclosures. They are not our partners in keeping the American economy healthy and prosperous.”

FROM ROMANCE TO BUSINESS — Using what it dubbed “responsible active defense techniques,” Agari captured 76 criminal email accounts from 10 different organizations over nearly a decade, and the cybersecurity company is out with a study today on what it learned. Nine of the 10 are Nigeria-based, and business email compromise — where scammers lure company officials into making wire transfers — was the most popular kind of attack. Such attacks are easy and quick, and net significant gains; the average payment request was $35,500, Agari found. Online scams that promised romantic relationships were the groups’ main scheme before they shifted to business email compromise. In one case a woman paid out $500,000 to a phony suitor.

ZUCKERBERG HEADS TO EUROPE — From our friends at Morning Tech: Facebook CEO Mark Zuckerberg will speak to European Parliament lawmakers in Brussels today about data protection and privacy following the recent Cambridge Analytica scandal. He’ll take questions behind closed doors from a small group of MEPs, but the conversation will be livestreamed after intense criticism over how the meeting was initially set up. His European debut comes just six weeks after Zuckerberg took to the Hill for hearings before the Senate Judiciary and Commerce committees, and the House Energy and Commerce Committee — clocking in at nearly 10 hours of testimony between the two hearings.

Taking a cue from his U.S. appearances, Zuckerberg is expected to apologize to Facebook’s European users and acknowledge that his company fell short when it came down to protecting users’ privacy. “Whether it’s fake news, foreign interference in elections or developers misusing people’s information, we didn’t take a broad enough view of our responsibilities,” he’s expected to say in his opening remarks. “That was a mistake, and I’m sorry.”

Also much like his testimonies in April, Zuckerberg is expected to renew his commitment to lawmakers that he’ll make “the significant investments needed to keep people safe.” Check out the full preview from POLITICO Europe. Zuckerberg will appear at about 12:15 p.m. ET. Follow the conversation on POLITICO Europe’s live blog here.

BANKS + MILITARY = ? — Banks are increasingly taking a “military-style” approach to battling cybercrime, The New York Times reports. That means hiring former soldiers, conducting exercises and setting up fusion centers. Past military experience battling terrorism or drug cartels translates to tracking cybercrime groups, a former member of Delta Force told the newspaper. It’s not the only news story of late connecting the military and the financial sector. CyberScoop reported Monday on a confidential information sharing program between U.S. Cyber Command and the Financial Services Information Sharing and Analysis Center, focused primarily on nation-state hackers.

IG DINGS IRS ON HIGH-VALUE ASSETS — The IRS can do much more to identify and document its high-value assets, or HVAs, according to a new Treasury Department inspector general report. The tax agency has failed to comply with a directive issued late in the Obama administration that requires it “to inventory and validate the system access capabilities and the number of privileged accounts as well as minimize the number of privileged users to specific HVAs,” the Treasury Inspector General for Tax Administration said in the report, which is dated May 18 but was first publicized on Monday. Among the agency’s other failings: It didn’t “effectively and timely mitigate critical and high-risk vulnerabilities” in one of these mission-critical systems, and it didn’t begin cataloging historical information about when patches were applied until December. The IG recommended, among other things, that the IRS automate the process of cataloging users with high-level access and document the hardware configurations of all its HVAs. The IRS concurred with the recommendations.

RECENTLY ON PRO CYBERSECURITY — “President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.” … The Committee on Foreign Investment in the United States has some shortcomings, a POLITICO investigation found. … House lawmakers will receive a classified briefing on election security today. … U.S. and U.K. elections are threatened by cyberattacks, according to Matt Rhoades, the campaign manager of Mitt Romney’s 2012 presidential bid. …The CFTC will publish new guidance on virtual currency derivatives contracts this week. … Financial market regulators in the U.S. and Canada launched the largest coordinated enforcement actions to date to combat fraudulent “initial coin offerings.”

This article originally appeared on Politico.com