Similar Posts
WASHINGTON – Chinese hackers who tapped into Verizon’s system targeted phones used by Republican presidential candidate Donald Trump and his running mate JD Vance, the New York Times reported on Oct 25, citing people familiar with the matter.
The newspaper said investigators were working to determine what communications, if any, were taken.
The Trump campaign was made aware this week that Trump and Mr Vance were among a number of people inside and outside of government whose phone numbers were targeted through the infiltration of Verizon phone systems, it added.
The campaign did not immediately respond to a request for comment.
The Trump campaign was hacked earlier this year. The US Justice Department charged three members of Iran’s Revolutionary Guards Corps with the hack and trying to disrupt the Nov 5 election. REUTERS
SINGAPORE– The Cyber Security Agency (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.
It may result in an outline of the competencies required of chief information security officers – known by the acronym Cisos – and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.
Ms Veronica Tan, CSA’s director at safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills at various roles will mean greater improvements in workforce competency and productivity.”
The study will involve industry players, training institutions and certification bodies, she added.
CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.
Mr Nyan Yun Zaw, the first Ciso at Singapore cyber security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.
“When the organisation faces a security incident, this is the first person everyone looks to.”
Chief information security officer, a title that arose up in the 1990s after Citibank appointed one following a cyber attack, have risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.
There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.
Mr Zaw took on the job at Athena Dynamics just over a year ago when his company expanded it beyond IT infrastructure and support.
His background was a string of roles ranging from engineering, cyber security, programming, to business development and sales in the firm since its set-up in 2014.
He added to his expertise by becoming a Certified Information Systems Security Professional, a label granted by the International Information System Security Certification Consortium, also known as ISC2.
He said: “We felt that there is a need to have a dedicated Ciso since we are also part of a listed company.”
Cisos spend their time securing their companies’ assets, learning new threats and technologies, and working with cross-functional teams, he said.
He added: “Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber ranging from governance, risk and compliance to network security architectures.”
In the 12 months leading up to September, job portal Indeed recorded 48 per cent of its postings in Singapore seeking communication skills in cyber security leaders, compared to 38 per cent specifying expertise in IT, and 16 per cent in information security.
Around the same time, the number of postings for such roles on its portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Mr Saumitra Chand, Indeed’s career expert.
“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.
To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its CISO-as-a-Service (CISOaaS) scheme in February 2023.
It has received about 200 applications so far.
Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies.
CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and Artificial Intelligence (AI), said Ms Tan.
Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.
Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”
Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”
The firm then helps its mostly SME clients work through their internal controls, configurations, policies, and training to pass the audits for CSA’s marks.
“Many SMEs still think of cyber security in terms of anti-virus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.
Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and lack of Multi-Factor Authentication.
“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.
Another vendor, Momentum Z, takes firms calling on the CISOaaS service through a three-pronged assessment of employees’ cyber-security basics, company’s processes and policies, and cyber-security infrastructure such as firewall, antivirus, back-up data use and endpoint security.
Chief executive Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling.
He said: “’Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”
CSA’s 2023 cyber security health survey released in March noted that only one in three organisations have fully implemented at least three of CSA’s five categories of recommended measures.
More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, as well as guarding access to data and services.
She urged more organisations to tap CSA’s tools to up their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI.
“Partial adoption of measures is inadequate.”
WASHINGTON – The mastermind behind one of the biggest-ever Bitcoin heists was ordered to serve five years in prison for conspiring with his social-media rapper wife to launder money he stole by hacking into the Bitfinex exchange and grabbing cryptoassets now worth billions of dollars.
Ilya “Dutch” Lichtenstein was sentenced in Washington on Nov 14, after he and his wife, Heather Morgan, pleaded guilty last year in a scheme to hide proceeds from the 2016 hack. Morgan, known as “Razzlekhan” in her rap videos, will be sentenced Nov 18. The government recommended an 18-month sentence for her.
Lichtenstein, 37, faced as long as 20 years behind bars. But the government cited his substantial assistance that “has benefited numerous investigations.” The Bitfinex hack resulted in the theft of 119,754 Bitcoin worth about US$71 million (S$23 million) at the time. But since then, the token has surged from US$580 in 2016 to more than US$90,000 this week, boosting the value of the assets to billions.
“This is so massive, it is not comparable to other crypto crimes” based on its scale and complexity, US District Judge Colleen Kollar-Kotelly said before sentencing. Lichtenstein carried out his scheme over several years, which undermines defense claims that his actions were “impulsive,” the judge said.
Lichtenstein, a “highly skilled computer expert,” used several hacking techniques to gain access to the Bitfinex network, and then, in August 2016, fraudulently authorised more than 2,000 transactions to move Bitcoin to a cryptocurrency wallet he controlled, the government said.
He and his wife used sophisticated and meticulous money-laundering techniques to hide the stolen proceeds, including setting up accounts under fictitious identities, moving funds in small amounts, and breaking up the trail of transactions by depositing and withdrawing funds from crypto exchanges and darknet markets. They bought nonfungible tokens, gold and Walmart gift cards, according to the government.
Lichtenstein “became one of the greatest money launderers that the government has encountered in the cryptocurrency space,” prosecutors wrote in an October sentencing memo. “If the defendant were to take what he has learned from this prosecution and incorporate it into a future money laundering scheme, he would be even better-equipped to conceal his activity while monetizing his crimes,” they wrote.
Since his plea last year, Lichtenstein has assisted the government in other criminal cases, including as a government witness in a money-laundering trial involving a mixing service called Bitcoin Fog.
Other hacks
While Lichtenstein had no official criminal history before his arrest in 2022, the Bitfinex hack wasn’t his first, the government said. As a juvenile, he experimented with hacking and financial fraud, and around 2015, he illegally transferred a small amount of PayCoin, an alternative form of virtual currency, prosecutors said. The following year, he stole about US$200,000 from a virtual currency exchange, the government said.
But he also worked in legitimate businesses. While in college, Lichtenstein ran a digital marketing agency from his dorm, and after graduation, a software company he co-founded grew to 30 employees, the government said.
“His decision to use his skills for criminal ends is thus particularly disappointing, but it gives hope for continued successful rehabilitation,” prosecutors said in the sentencing memo.
Morgan attended her husband’s sentencing, along with Lichtenstein’s family. Lichtenstein expressed remorse to the judge and pledged that he would use his skills to help with cybersecurity. “I can make a real difference in the fight against cybercrime,” he said.
He asked that his wife avoid prison time. “Heather is only involved in this case because of me,” he said. BLOOMBERG
“Singapore Issues New Guidelines to Protect Businesses from AI Security Risks”
SINGAPORE – Rogue chatbots that spew lies or racial slurs may be just the beginning, as maliciously coded free chatbot models blindly used by businesses could unintentionally expose sensitive data or result in a security breach.
In new guidelines published on Oct 15, Singapore’s Cyber Security Agency (CSA) pointed out these dangers amid the artificial intelligence (AI) gold rush, and urged businesses to test what they plan to install rigorously and regularly.
This is especially crucial for firms that deploy chatbots used by the public, or those linked to confidential customer data.
Frequent system tests can help weed out threats like prompt injection attacks, where text is crafted to manipulate a chatbot into revealing sensitive information from linked systems, according to the newly published Guidelines on Securing AI Systems .
The guidelines aim to help businesses identify and mitigate the risks of AI to deploy them securely. The more AI systems are linked to business operations, the more they should be secured.
Announcing the guidelines at the annual Singapore International Cyber Week (SICW) at the Sands Expo and Convention Centre on Oct 15, Senior Minister and Coordinating Minister for National Security Teo Chee Hean said the manual gives organisations an opportunity to prepare for AI-related cyber-security risks while the technology continues to develop.
Mr Teo said in his opening address that managing the risks that come with emerging technology like AI is an important step to build trust in the digital domain. He urged the audience to learn lessons from the rapid rise of the internet.
“When the internet first emerged, there was a belief that the ready access to information would lead to a flowering of ideas and the flourishing of debate. But the internet is no longer seen as an unmitigated good,” he said, adding that there is widespread recognition that it has become a source of disinformation, division and danger.
“Countries now recognise the need to go beyond protecting digital system to also protecting their own societies,” he said. “We should not repeat these mistakes with new technologies that are now emerging.”
The ninth edition of the conference is being held between Oct 14 and 17 and features keynotes and discussion panels by policymakers, tech professionals and experts.
AI owners are expected to oversee the security of AI systems from development, deployment to disposal, according to CSA’s guidelines, which do not address the misuse of AI in cyber attacks or disinformation.
In a statement released on Oct 15, CSA said: “While AI offers significant benefits for the economy and society… AI systems can be vulnerable to adversarial attacks, where malicious actors intentionally manipulate or deceive the AI system.”
Organisations using AI systems should consider more frequent risk assessments than with conventional systems to ensure tighter auditing of machine learning systems.
WASHINGTON – Chinese hackers are positioning themselves in US critical infrastructure in the event of a clash with the United States, a top American cybersecurity official said on Nov 22.
Ms Morgan Adamski, the executive director of US Cyber Command, said ongoing Chinese-linked cyber operations are aimed at gaining “an advantage in the event of a major crisis or conflict with the US.”
Ms Adamski made the comments to researchers at the Cyberwarcon security conference in Arlington, Virginia.
On Nov 21, US Senator Mark Warner told the Washington Post that a suspected China-linked hack on US telecommunications firms was “the worst telecom hack in our nation’s history – by far.”
That cyberespionage operation, dubbed “Salt Typhoon,” has included stolen call records data, the compromise of communications of top officials of both major US presidential campaigns before the Nov 5 election, and telecommunications information related to US law enforcement requests, the FBI said, in a recent statement.
Beijing routinely denies cyber operations targeting US entities.
The Chinese Embassy in Washington did not immediately respond to a request for comment. REUTERS
An Iranian hacking group is actively scouting U.S. election-related websites and American media outlets as Election Day nears, with activity suggesting preparations for more “direct influence operations,” according to a Microsoft blog published on Wednesday.
The hackers – dubbed Cotton Sandstorm by Microsoft and linked to Iran’s Islamic Revolutionary Guard Corps – performed reconnaissance and limited probing of multiple “election-related websites” in several unnamed battleground states, the report said. In May, they also scanned an unidentified U.S. news outlet to understand its vulnerabilities.
U.S. Vice President Kamala Harris, the Democratic candidate, faces Republican rival Donald Trump in the Nov. 5 presidential election, which polls suggest is an extremely tight race.
“Cotton Sandstorm will increase its activity as the election nears given the group’s operational tempo and history of election interference,” researchers wrote. The development is particularly concerning because of the group’s past efforts, they said.
A spokesperson for Iran’s mission to the United Nations said that “such allegations are fundamentally unfounded, and wholly inadmissible.”
“Iran neither has any motive nor intent to interfere in the U.S. election,” the spokesperson said.
In 2020, Cotton Sandstorm launched a different cyber-enabled influence operation shortly before the last presidential election, according to U.S. officials. Posing as the right-wing “Proud Boys,” the hackers sent thousands of emails to Florida residents, threatening them to “vote for Trump or else!”
The group also released a video on social media, purporting to come from activist hackers, where they showed them probing an election system. While that operation never affected individual voting systems, the goal was to cause chaos, confusion and doubt, senior U.S. officials said at the time.
Following the 2020 election, Cotton Sandstorm also ran a separate operation that encouraged violence against U.S. election officials who had denied claims of widespread voter fraud, Microsoft said.
The Office of the Director of National Intelligence, which is coordinating the U.S. federal effort to protect the election from foreign influence, referred Reuters to a past statement that said: “Foreign actors — particularly Russia, Iran, and China — remain intent on fanning divisive narratives to divide Americans and undermine Americans’ confidence in the U.S. democratic system.” REUTERS