ATLANTA HIT BY RANSOMWARE ATTACK
Atlanta, GA is the most recent city to get hit by a ransomware attack – on Thursday, March 22. Cities seem to be a hot target, likely because they are big, public and behind the private sector when it comes to IT and cyber security (One of Atlanta’s Councilman said “As daunting as the city of Atlanta’s apparatus may seem, we’re still limited by the amount of resources we have to defend our systems,”. Atlanta’s mayor “compared the city’s network to a decade-old pickup she drove until it was wrecked”.). Atlanta’s mayor said to expect a “massive inconvenience”. The attacker is asking for $50,000 and they are considering it. One piece of good news: the city does have cyber insurance, so the taxpayers won’t be footing the entire bill to put Humpty-Dumpty back together again.
The local CBS affiliate said that the city was warned months ago that IT was in critical condition on life support, but doesn’t have the resources to recover. (Source: Atlanta Journal Constitution).
TLS 1.3 APPROVED BY IETF
After FOUR YEARS and TWENTY EIGHT drafts, the Internet Engineering Task Force, the group of geeks that control the Internet’s protocols, have approved TLS 1.3. While to the average user, that doesn’t mean anything, to the geeks in the room it means that HTTPS will be a little bit more secure – a lot bit more secure than some HTTPS traffic – and a little bit faster. While it will take some time for traffic to move to this new version, it will and it will likely do it faster than the move to 1.2 was. An effort to build in a back door to security for the convenience of network managers – and also spies and hackers – was beat down and not added to the spec. Score one for you and me. (Source: The Register).
The New York Times is reporting that the FBI is working with a team of security experts to attempt to craft a back door to encryption on mobile devices – the so called going dark problem. The team, headed up by a professor at MIT, is testing out different possibilities, although the FBI says that it is not ready to ask Congress for legislation. Yet. At least, this time, they are working with security experts, which likely would yield a better solution than anything that politicians invent. Still, there are problems. First, is it really possible to keep a back door secret? Can they get Congress, over the massive distrust on all sides of the conversation, to agree to such a law? How do they get application developers, based in foreign countries and maybe even hosted in foreign countries, to agree to such an intrusion? Lots of questions, not very many answers. (Source: New York Times).
MICROSOFT MELTDOWN PATCH WORSE THAN THE DISEASE
Microsoft’s Meltdown patch for Windows 7 64-bit and Windows Server 2008 R2 left critical kernel tables readable by anyone means that malware could read any memory, make themselves an administrator and modify the operating system’s memory map. The good news is that it does not affect Windows 8 or 10 and has been fixed in the March Windows update release. (Source: The Register).
NOT MUCH HAS CHANGED IN VOTING SECURITY SINCE 2016
I have written before that DHS won’t finish with all of the audit requests from states regarding voting process security until this summer, leaving no time to actually fix any problems. Now, the Brennan Center for Justice at NYU has released an updated version of their 2015 report on voting machine security. Only 41 states now use voting systems at least a decade out of date. That is kind of like if you were still using an iPhone 3G – one that likely has not been patched in 5 or more years. That is down from 44 states being in that position in 2015. They also talk about all the other phases of the voting process, from registering voters to election night tallys, that are likely easier to compromise. It all boils down to money and time, something the states and cities do not have available and which the feds do not think is important enough to fund. (Source: GovCyberInsider).