Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.

The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation.

The officials did not identify the contractor.

Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.

The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network.

The breach is part of China’s long-running effort to blunt the U.S. advantage in military technology and become the preeminent power in East Asia.

Government investigation finds federal agencies failing at cybersecurity basics
https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/

The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.”

All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place).

1. “Agencies do not understand and do not have the resources to combat the current threat environment.”

2. “Agencies do not have standardized cybersecurity processes and IT capabilities.”

3. “Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration.”

4. “Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks”

73 percent can’t detect attempts to access large volumes of data.
84 percent of agencies failed to meet goals for encrypting data at rest.

https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf

An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years
https://motherboard.vice.com/en_us/article/9k8qv5/steam-exploit-left-users-vulnerable-for-10-years

A security researcher found a serious vulnerability that allowed hackers to take control of a Steam user’s computer.

Hackers could have taken advantage of a nasty bug in the hugely popular video game platform Steam to take over victims’ computers.

“This bug could have been used as the basis for a highly reliable exploit,” Court wrote. “This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”

In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.

Court said that the takeaway for this bug is that developers need to constantly review old and aging code and make sure it conforms to “modern security standards.”

Court also published a proof-of-concept video on YouTube in which he launches the calculator app (a standard trick for a hacking demo) on the target’s system taking advantage of this bug.

SUBSCRIBE

AUTHOR: LILY HAY NEWMANLILY HAY NEWMAN
SECURITY
05.23.1807:02 PM
‘SIGNIFICANT’ FBI ERROR REIGNITES DATA ENCRYPTION DEBATE

FBI HeadquartersT.J. KIRKPATRICK/BLOOMBERG/GETTY IMAGES
LAW ENFORCEMENT AGENCIES including the FBI have long criticized data encryption as a threat to their ability to fight crime. They argue that encryption allows bad actors to “go dark,” impeding agents’ ability to access the data of suspects, even with court orders or warrants. After years of raising the alarm about the going-dark problem, though, officials have yet to convince privacy advocates that undermining encryption protections would do more good than harm. And critics say that the FBI in particular has failed to show the problem is significant.

A Tuesday report in the Washington Post fueled this debate, revealing that the FBI had vastly overstated the number of devices to which it could not gain access.

Hacker gets 5 years for Russian-linked Yahoo security breach
https://www.apnews.com/2664cefa070e470584a59bd56f8688a5/Hacker-sentenced-to-5-years-for-major-Yahoo-security-breach

A young computer hacker who prosecutors say unwittingly worked with a Russian spy agency was sentenced to five years in prison Tuesday for using data stolen in a massive Yahoo data breach to gain access to private emails.

US says North Korea behind malware attacks
https://www.apnews.com/9fb4327df4994d93a3b5c49ee227b2e0/US-says-North-Korea-behind-malware-attacks

Malicious Git Repository Can Lead to Code Execution on Remote Systems
https://www.bleepingcomputer.com/news/security/malicious-git-repository-can-lead-to-code-execution-on-remote-systems/

The developers behind Git and various companies providing Git repository hosting services have pushed out a fix to patch a dangerous vulnerability in the Git source code versioning software.

The fix is included with Git 2.17.1, which patches two security bugs, CVE-2018-11233 and CVE-2018-11235.

Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of “ERR! 418 I’m a teapot” whenever they tried to update or install a new JavaScript/Node.js package.

Salesforce CEO Marc Benioff thinks the USA needs “a national privacy law … that probably looks a lot like GDPR.”

“This is going to help our industry,” he said on an earnings call for Salesforces Q1 2019 results. “It’s going to set the guardrails around trust, around safety. It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”

A recent investigation into 115 of the world’s most popular VPN services revealed that many are antithetical to their stated claims. To build trust, providers make promises not to track users through logs or other identifying information. But as a popular VPN comparison site found out, this isn’t always true.

The Best VPN recently peeked under the hood of over 100 of the biggest VPN services. All told, 26 of them collect three or more important log files that could contain personal and identifying information — things like your IP address, location, bandwidth data, and connection timestamps.