The US Department of Justice has charged four Russians—two intelligence officers and two private hackers—with over 47 counts of computer crime, fraud and identity theft, for their role in the compromise of over one billion Yahoo! user accounts in August 2013 and 2014. The indictment found that the compromise enabled direct unauthorised access to Yahoo! Accounts, targeting the personal information of Russian journalists and opposition politicians, as well as stealing financial information, and conducting mass spam campaigns using the compromised, but otherwise legitimate, e-mails. Perplexingly, one of the Russian intelligence officers charged by the US was arrested last December by Russia for undisclosed treasonous actions on behalf of the United States.
The US has earmarked US$1.5 billion for the Department of Homeland Security to build better tools for protecting federal networks and critical infrastructure in its 2018 budget blueprint. The Trump administration isn’t letting other departments off the hook either, developing metrics to track federal agencies’ compliance with the NIST cybersecurity framework. The White House has also brought on Rob Joyce, previously Chief of the NSA’s offensive ‘Tailored Access Operations’ team, to manage the federal government’s cybersecurity policy.
Personal information has continued to drip like a tap this week, with a database from Dun and Bradstreet, a business services company, being released by an anonymous source to web security expert Troy Hunt, who currently runs the public data breach notification service Have I been pwnd?. The database holds personally identifiable information which includes the names, job titles, emails, phone numbers and work addresses of over 33 million people, 101,013 of whom are employees of the US Department of Defense. Jamaica felt the pain of data breaches as well, reporting US$100 million lost over 200 reported cases of cybercrime in 2016.
Here in Australia, Minister for Defence Industry Christopher Pyne launched the ‘Next Generation Technologies Fund’ this week, which will allocate $730 million in investments for innovators and researchers working on developing Australia’s future defence capabilities, including in cybersecurity. The fund is part of a wider initiative to improve Defence Innovation collaboration and connections. An expanded write-up of that initiative is here. Qantas has announced a similar approach to coaxing innovations from small businesses and start-ups, launching the ‘Avro’ accelerator program and offering 10 start-ups the chance to work with Qantas and other big corporates for 12 weeks, while earning $150,000 along the way.
Some innovation efforts that took place in the Middle East are also worth making note of. The Israeli Defence Force hosted a Pokémon-themed training exercise for IDF cyber cadets to ‘catch ‘em all’, with “‘em” in this case being malware hidden deep within a network they were assigned to protect. Talk about great news for Israeli Pokémon fans who fancy a career in cyber! Or maybe not, with the IDF’s security division banning Pokémon Go on-base, fearing that the interactive game would lead to the leaking of photographs on-site and base locations.
The ongoing spat between the Netherlands and Turkey regarding the impact of Turkish President Erdogan’s political campaign in the Netherlands’ Turkish communities spilled online this week. Several prolific Twitter accounts, including BBC North America and Forbes, were hijacked, having their display pictures switched to the Turkish Flag, and tweeting out swastikas and Turkish hashtags #Nazialmanya and #Nazihollanda, comparing ‘Nazi Germany’ with ‘Nazi Holland’. The accounts were compromised after the third party analytics service, Twitter Counter, was hacked, providing a stark reminder that an account’s security is only as strong as its chosen third party app’s.
In other news, the Australian Cyber Security Centre’s 2017 Conference wrapped up in Canberra this week. Among its all-star line-up, among others, was our favourite @Cyber_Roo, as well as the Australian Federal Police’ David McLean hinting that ‘interesting developments’ had taken place in the hunt for perpetrators of DDoS attacks that contributed to #censusfail. Strangely enough, the ACSC gig coincided with hacker conference BSides Canberra 2017. It’s hard to say which crowd had more fun, but the conference swag game definitely goes to BSides, which handed out fully programmable badges with customisable displays to its delegates.