Proactive Computing | Optimizing IT for usability, performance and reliability since 1997

Category: #Trending (Page 1 of 8)

Auto Added by WPeMatico

Israel appears to confirm it carried out cyberattack on Iran nuclear facility


Shutdown happened hours after Natanz reactor’s new centrifuges were started

Israel appeared to confirm claims that it was behind a cyber-attack on Iran’s main nuclear facility on Sunday, which Tehran’s nuclear energy chief described as an act of terrorism that warranted a response against its perpetrators.

The apparent attack took place hours after officials at the Natanz reactor restarted spinning advanced centrifuges that could speed up the production of enriched uranium, in what had been billed as a pivotal moment in the country’s nuclear programme.

Continue reading…

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Martin Chulov Middle East correspondent

Microsoft lands $21 billion contract to arm US soldiers with futuristic augmented-reality headsets

The Pentagon will pay Microsoft billions of dollars to build augmented-reality headsets for its soldiers. The devices will be backed by the tech firm’s Azure cloud computing services, which was compromised by hackers last year.

The contract was announced on Wednesday and could earn Microsoft up to $21.88 billion over 10 years. Back in 2018, the US Army gave Microsoft $480 million to develop a prototype headset built around the company’s HoloLens technology. Based on its performance, Microsoft will now provide up to 120,000 of the headsets, dubbed the Integrated Visual Augmented System, or IVAS.

The IVAS can project holographic video-game style maps, thermal and night imaging, and target-identification information to soldiers. It can also show where the soldier’s weapon is aimed, and monitor vital statistics like their heart rate.

Also on

FILE PHOTO.Pentagon ‘assessing systems’ after TENS OF THOUSANDS of servers compromised in global Microsoft hack… blamed on ‘Chinese hackers’

However, the project is not without its problems. A CNBC reporter tested the prototype headset in 2019 and described it as “a bit buggy,” saying that it needed to be restarted during a demonstration session. Several months later, the military was still reporting glitches with the devices, including GPS and imaging errors, and “poor low light and thermal sensor performance.”

While Microsoft will have a decade and more than $20 billion to iron these issues out, there could be more potential snafus on the horizon. The headsets will be linked to Microsoft’s Azure cloud computing service, a service that the company said was hacked last December, leaving 911 emergency lines down in multiple US states. Even before that particular breach, security researchers were finding flaws with Azure, with one branding it a “cloud security nightmare.”

Also on

FILE PHOTO.Police departments across US report ‘nationwide’ 911 OUTAGE, possibly caused by Microsoft cloud glitch

Despite this, the US military seems confident. Microsoft was awarded a $10 billion cloud computing contract by the Pentagon last October, beating out rivals Amazon and Google in the competition. Amazon has since filed a lawsuit, arguing that former President Donald Trump – a fierce critic of Amazon CEO Jeff Bezos – intervened to land Microsoft the deal.

Back in 2018, Microsoft President Brad Smith pledged the company would “provide the US military with access to the best technology… all the technology we create. Full stop.” However, not all of his employees felt as enthusiastic.

While Smith described the military as “ethical and honorable,” more than 90 Microsoft employees signed a letter in early 2019 protesting the development of the IVAS headsets. 

Also on

© AFP / Justin SullivanMicrosoft staff protest over Pentagon contract for augmented reality tech ‘designed to kill people’

“The application of HoloLens within the IVAS system is designed to help people kill,” they wrote. “It will be deployed on the battlefield, and works by turning warfare into a simulated ‘video game,’ further distancing soldiers from the grim stakes of war and the reality of bloodshed.”

The employees said that they “did not sign up to develop weapons,” and demanded more control over “how our work is used.”

Whether Microsoft persuaded or ignored these disgruntled employees, the IVAS project is now a reality, and worth 44 times as much money as the prototype. Yet as Big Tech and the military grow ever closer, similar campaigns within Microsoft’s competitors have been more successful. Google dropped out of an AI contract with the Pentagon in 2019 after employees spoke out against their software being used to help target drone strikes. Employees at Apple and Amazon have also pressured their bosses not to help the US military.

Think your friends would be interested? Share this story!

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: RT

‘Trump War Room’ Twitter account goes on the attack as impeachment trial kicks off


As President Donald Trump’s second Senate impeachment trail commenced on Tuesday, the Twitter account that formerly belonged to his reelection campaign’s rapid response team posted commentary on the proceedings and criticism of congressional Democrats.

One tweet from the “Trump War Room” account issued on Tuesday afternoon targeted Sen. Patrick Leahy (D-Vt.), who is presiding over Trump’s trial in his capacity as president pro tempore of the Senate.

“Imagine having a ‘trial’ where the ‘judge’ had already voted to convict the defendant?” the tweet read. “That’s what happens in banana republics, third world dictatorships and now the United States Senate. SAD!”

The “Trump War Room” account is one of the last remaining Twitter accounts affiliated with Trump and his aides that is accessible on the platform.

Twitter permanently suspended the former president’s personal account last month, as well as the @TeamTrump account used by his campaign.

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Quint Forgey

Welsh woman marks 110th birthday with viral TikTok fame


Amy Hawkins becomes star of social networking site after great-grandson posts video of her singing

She is the oldest person in Wales and now she may be the oldest person on TikTok. Amy Hawkins has become a star of the social networking site after her great-grandson posted a video of her singing on her 110th birthday.

The former dancer made her debut on the site earlier this week singing the music hall song It’s a Long Way to Tipperary and her family have posted several videos since, including one in which she performs a dance with her 14-year-old great-grandson Sacha Freeman.

Continue reading…

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Kevin Rawlinson

Nuclear weapons agency updates Congress on hacking attempt


The Department of Energy and the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, told congressional staffers in several briefings this week that there is currently no known impact to its classified systems from a massive hack that targeted its networks, according to an official with direct knowledge of the briefings.

The officials told staffers, however, that the incident has proven how difficult it is to monitor the Energy Department’s unclassified systems, and acknowledged that an issue with a network extension within the Office of Secure Transportation — which specializes in the secure transportation of nuclear weapons and materials — had been discovered.

Energy Secretary Dan Brouillette, DOE’s Chief Information Officer Rocky Campione, and NNSA CIO Wayne Jones all participated in the briefings to the relevant congressional oversight bodies.

The officials told congressional staffers that there was an attempt to breach Los Alamos National Laboratory and the nuclear administration’s field office in Nevada via the vulnerability in a software developed by SolarWinds — a company whose IT management tools are used across the government. The supply-chain attack has affected dozens of federal and private sector entities, who were exploited by suspected Russian hackers as early as March of this year.

The officials said they do not consider either the lab or the field office to have been compromised, and noted that all national labs have been instructed to shut down and fully remove SolarWinds products from their systems.

Still, the department’s investigation is ongoing, the officials said, and neither DOE nor NNSA has a full picture of the impact of the hack — or what it will cost to fix it. The officials said it will probably be expensive to mitigate the damage and prevent it from happening again, but that they are still determining what kind of extra funding and resources the department will need.

The internal investigation has been complex and time-consuming because the compromised SolarWinds software was used widely throughout the nuclear security administration, officials told the staffers — including at the Los Alamos, Lawrence Livermore, and Sandia national labs; NNSA headquarters; NNSA’s Emergency Communication Network; NNSA’s Mixed Oxide Fuel Fabrication Facility, where fuel is made for reactors; the Nevada National Security Site, a disposal site; and Naval Reactors, which provides propulsion plants for nuclear powered ships.

DOE first found evidence of the hack last Monday, officials familiar with the matter said, and began coordinating notifications about the breach to their congressional oversight bodies on Thursday after being briefed by Campione, who oversees DOE’s cybersecurity. Campione told DOE officials last week that, in addition to the labs and the Office of Secure Transportation, suspicious activity had also been found in networks belonging to the Federal Energy Regulatory Commission (FERC), which stores sensitive data on the nation’s bulk electric grid.

Shaylyn Hynes, a DOE spokesperson, said in a statement last week that an ongoing investigation into the hack had found that the perpetrators did not get into critical defense systems.

“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,” Hynes said. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Natasha Bertrand

How U.S. agencies’ trust in untested software opened the door to hackers


The massive monthslong hack of agencies across the U.S. government succeeded, in part, because no one was looking in the right place.

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications. That created the blind spot that suspected Russian hackers exploited to breach the Treasury Department, the Department of Homeland Security, the National Institutes of Health and other agencies. After embedding code in widely used network management software made by a Texas company called SolarWinds, all they had to do was wait for the agencies to download routine software updates from the trusted supplier.

As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks and demanding a fix for a long-known weakness.

“The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn’t meet those standards,” said Sen. Ron Wyden (D-Ore.). “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”

Over the past week, agencies rushed to scrub the malicious code from their networks while senior officials huddled in emergency meetings — all amid reports of more victims in the federal government, state governments and private industry. As the extent of the attack became clearer, cyber experts warned that cleaning up the mess could take months or years.

SolarWinds, whose 330,000 customers include key federal agencies, major telecommunications firms, every branch of the military and four-fifths of the Fortune 500, is one of the most extreme examples of the dysfunction that made this hack possible, but it is far from the only poorly guarded vendor with hooks into the most important computer networks in the world.

The U.S. government relies on private vendors of all sizes to supply its agencies with software. Some have expert security teams, such as Amazon, which provides cloud hosting services, and SAP, whose software helps agencies process large quantities of data. But others, both large and small, have less rigorous security testing procedures and are more vulnerable to this kind of compromise, cyber analysts say.

On Thursday, federal investigators said SolarWinds’ Orion software was not the only way the hackers had invaded their targets, warning of “additional initial access vectors and tactics, techniques, and procedures … that have not yet been discovered.”

And now that the hackers have had months to establish a foothold in the federal networks, the Cybersecurity and Infrastructure Security Agency warned, removing them “will be highly complex and challenging.”

Building better software

The SolarWinds hack — which officials have linked to Russia’s foreign intelligence service, the SVR and which Secretary of State Mike Pompeo late Friday publicly pinned on Russia — reflects a level of sophistication that may be impossible to completely block, but technical professionals and policymakers say new approaches to software development and procurement could at least give defenders a fighting chance.

Attacks on vendors in the software supply chain represent a known issue that needs to be prioritized, said Rep. Jim Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus.

“The SolarWinds incident … underscores that supply chain security is a topic that needs to be front and center,” Langevin said.

He said Congress needs to “incentivize” the companies to make their software more secure, which could require expensive changes.

Some others are calling for regulation.

“Absolutely there needs to be more oversight of these kinds of companies,” said Emile Monette, the former chief of CISA’s supply chain risk management program. He said the government should require contractors to certify their software is free of even “moderate-impact bugs.” Typically, vendors assure only that their software is free of particularly dangerous vulnerabilities, labeled as “critical” or “high impact.”

Private companies regularly deploy software with undiscovered bugs because developers lack the time, skill or incentive to fully inspect them.

Monette said agencies must “be prepared to pay for increased security” in their purchases and encouraged the government to “double down on investments” in areas such as software security.

Buyer beware

It can be hard, however, for federal agencies and Fortune 500 companies to identify weaknesses when they don’t understand the complexity of what they’re buying or the ways in which it could be defective.

“Security is not a significant consideration or even well understood,” said Bryan Ware, CISA’s former assistant director for cybersecurity. “Plenty of sophisticated [chief information officers] bought and deployed [SolarWinds’ software], so it’s not just the vendor I’m questioning.”

There is no central inventory of which government agencies use which software in which offices, which is part of why it has taken agencies so long to determine if they have been hacked.

“The first-order problem is still trying to get our arms around all of the applications and software that reside on the 101 civilian executive branch networks,” said former CISA Deputy Director Matthew Travis.

Travis bemoaned the decentralized approach and encouraged Congress to authorize CISA and OMB “to re-architect the archaic federal enterprise” and push more applications to the cloud.

The automated gatekeepers that do exist — two CISA-run network security programs — also weren’t equipped to identify the SolarWinds intrusion, much less stop it.

One program, dubbed “Einstein,” is supposed to stop threats from crossing the threshold into federal civilian agencies’ networks, but can only spot malicious activity that it has seen before, a shortcoming that the hackers carefully exploited by using servers not previously flagged as malicious.

The other, Continuous Diagnostics and Mitigation, brings together scanning and monitoring services that are supposed to spot and block suspicious behavior on those networks. But CDM’s understanding of what should generate a red flag is limited to clearly suspicious activity, such as offsite transfers of massive encrypted files — which didn’t occur with the infected SolarWinds updates.

Calls for action on the Hill

Some in Congress are ready to act. In a statement, Rep. Ted Lieu (D-Calif.) said he was “working on legislation to ensure that vendors doing business with the United States government maintain a vulnerability disclosure policy.”

But new regulations might not solve the problem, technical specialists said.

“Government-mandated security requirements are probably more likely to HARM security than to HELP it,” Andy Keiser, a former top House Intelligence Committee aide and Trump transition national security adviser, wrote in an email. “The standards would be slow, outdated, cumbersome [and] pick incorrect winners and losers.”

Congress should “carefully explore penalties for negligence” in software design, Ware said, but only in a limited way, “because it could lead to negative unintended consequences.”

The government already runs security certification programs for cloud platforms and defense industrial base contractors. Congress could examine and modify them, Ware said, to confront this new challenge.

Regardless of who controls the Senate in the 117th Congress, the Democratic-led House will likely be more open to new federal mandates. A House Homeland Security Committee aide, who requested anonymity to discuss internal planning, said that it was too early to discuss regulation but added, “I’m sure we will have hearings on [SolarWinds] in the new year.”

Getting under the hood

Rather than imposing new security requirements on vendors, some experts say agencies should pay more attention to the software they buy and routinely test it for flaws.

James Lewis, a cyber expert at the Center for Strategic and International Studies, floated the idea of an executive order instructing agencies “to monitor and better manage their use of these kinds of platforms,” and requiring sector-specific regulators to demand the same of companies in critical industries, such as electricity and health care.

“Require something similar to what Apple does on the App Store,” Lewis said, noting that the tech giant reviews every submitted app and only approves those it certifies to be secure.

Some private companies do monitor third-party software in this way, but routine software auditing would likely be a massive burden on federal agencies, few of which have enough security personnel to handle this work on top of their existing tasks.

One approach would be to centralize software testing at one agency. The most natural fit might be CISA, which in April became the operator of a central marketplace for government cybersecurity services.

Ware said this could prevent a situation where one agency discovered a problem in software used across the government but failed to report it to those other customers.

Not everyone is convinced that this centralization would work.

“Talent is in short supply everywhere, no one [is] going to volunteer people for transfer, and DHS doesn’t have the clout to steal from the agencies with talent — the [intelligence community], DoD and FBI,” Lewis said. He suggested instead that the software security oversight start at OMB, whose authority to issue edicts to other agencies is more established.

Nascent efforts

Some parts of the government are already working to encourage better coding practices, though it’s slow going.

For more than two years, one federal agency has been convening meetings of outside experts to discuss the creation of a kind of ingredient label for software, a “bill of materials” that would provide transparency about the code used in each program. While this software bill of materials wouldn’t completely solve the problem that led to the SolarWinds crisis, Ware and other cyber experts say it would encourage more careful coding by making an application’s digital contents more transparent.

The agency behind this effort is the Commerce Department’s National Telecommunications and Information Administration, one of the first agencies to discover that it had been hacked as part of the SolarWinds campaign.

Martin Matishak contributed to this report.

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Eric Geller

« Older posts