NTSC Technology Security Roundup

Weekly News Roundup: October 23, 2017

Key Reinstallation Attack (KRACK) Affects Nearly All WiFi Devices Through WPA2 Security Flaw

A recently discovered flaw in the WPA2 security protocol leaves nearly all WiFi devices vulnerable for cyberattackers to exploit. According to ZDNet, “the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.” Essentially, the vulnerability gives hackers a “skeleton key” allowing them to “decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.” Looking at the long-term implications, Wired adds that “given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.”

FBI Alert Requests Organizations to Report and Share DDoS Attack Information

A recent alert requests that organizations report and share DDoS attack information with the FBI. According to Threatpost, “The information law enforcement is seeking includes the traffic protocol used in the attack as well as any extortion or ransom demands made by attackers. The FBI is asking organizations to preserve IP addresses used in the attack, netflow and packet capture logs, as well as emails or other correspondence from the criminals.” The FBI alert states that “DDoS victims [should] contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident.”

CYBERCOM Elevation Making Progress

Ever since US Cyber Command became elevated to a unified combatant command in August, this cyber force has been making progress while it figures out leadership and resource issues. According to C4ISRNET, “The item currently setting the pace is the nomination and confirmation of a new commander that will lead the unified combatant command. […] The current commander, Adm. Michael Rogers — who also serves as the director of the National Security Agency — could be nominated or the secretary of defense could nominate another military official to lead the new command.” The article goes on to state that “the cyber mission force — a 133 team, 6,200 person workforce serving as the maneuver elements of the command — is slated to reach the original goal of full operational capability by October 2018.”

Department of Justice Framework May Clarify Legality of Active Defense

Active defense currently holds a lot legal ambiguity, especially when it pertains to hacking back for legitimate reasons or bug bounty hunters performing valuable research. Much of that ambiguity is a result of the outdated 1986 Computer Fraud and Abuse Act. However, the Department of Justice may soon provide some clarity. According to FCW, “A senior Department of Justice official said a framework to clarify how private companies can conduct information security research without running afoul of the Computer Fraud and Abuse Act is gaining traction, but that the government is content for now to keep the guidance broad and allow ‘natural momentum’ from the private sector to determine specific policies.” The Department of Justice is also in the process of reviewing the proposed Active Cyber Defense Certainty Act introduced by Rep. Tom Graves (R-Ga.).

FERC Proposes New Security Management Controls for Grid Cyber Systems

On Thursday, The Federal Energy Regulatory Commission (FERC) proposed new cyber security management controls to further enhance the reliability and resilience of the nation’s bulk electric system. These include mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems.