
Friday Five: Unsuspecting Threats, New CUI Guidance, & More

by Robbie Araiza on Friday May 17, 2024


This past week, BreachForums was taken down for a second time, an Arizona woman was arrested for her role in a North Korean remote work scheme, CISA and NIST released new guidance, and more. Catch up on all the latest news in this week's Friday Five.

NIST ISSUES NEW GUIDELINES ON PROTECTING UNCLASSIFIED DATA IN GOVERNMENT SYSTEMS BY DAVID DIMOLFETTA

The National Institute of Standards and Technology (NIST) has updated its security standards for protecting Controlled Unclassified Information (CUI) in the federal ecosystem. This update introduces three new security control families: supply chain risk management, acquisition for outside service providers, and an overarching supervision section. These additions aim to enhance the safeguarding of sensitive unclassified data shared between federal agencies and private sector contractors. Agencies have a year to transition to these new standards, which cover diverse data types, including military records and health information. The update responds to the growing complexity of information systems and recent supply chain cyberattacks, emphasizing the protection of valuable research and development information from adversaries.


‘TUNNELVISION’ ATTACK LEAVES NEARLY ALL VPNS VULNERABLE TO SPYING BY DAN GOODIN

Researchers have discovered an attack dubbed TunnelVision that affects nearly all VPN applications, causing them to send and receive traffic outside the encrypted tunnel meant to protect it. This undermines the core purpose of VPNs by exposing user traffic to potential snooping and tampering. The attack works by exploiting a DHCP server setting (option 121) to reroute VPN traffic through the attacker’s server. It can be carried out by someone with administrative control over a network or even by an unprivileged user who sets up a rogue DHCP server. The attack affects all operating systems except Android, which does not implement option 121. Potential mitigations include using a VPN inside a virtual machine or connecting through a cellular device’s Wi-Fi.
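One way a defender could inspect option 121 in captured DHCP replies, as an added example that is not from the original article or the researchers: it decodes the option payload in the RFC 3442 classless static route format and flags pushed routes that fall outside the networks an organization expects. The function names, the expected-network policy and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress


def parse_option_121(payload: bytes):
    """Decode an RFC 3442 payload into (destination network, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8  # only the significant destination octets are sent
        end = i + 1 + n + 4  # length byte + destination octets + 4-byte router
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)  # pad back to 4 octets
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        router = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes


def unexpected_routes(payload: bytes, expected):
    """Return pushed routes whose destination is not inside any expected network.

    `expected` is a hypothetical allow-list policy: the only prefixes this
    site's DHCP servers are supposed to hand out routes for.
    """
    allowed = [ipaddress.ip_network(e) for e in expected]
    return [(net, gw) for net, gw in parse_option_121(payload)
            if not any(net.subnet_of(a) for a in allowed)]


# Constructed sample option 121 payload (documentation addresses, not a capture):
#   10.20.0.0/16    via 10.20.0.1   (inside the expected 10.0.0.0/8)
#   198.51.100.0/24 via 192.0.2.66  (not expected, should be flagged)
SAMPLE = bytes([16, 10, 20, 10, 20, 0, 1,
                24, 198, 51, 100, 192, 0, 2, 66])

if __name__ == "__main__":
    for net, gw in unexpected_routes(SAMPLE, ["10.0.0.0/8"]):
        print(f"unexpected DHCP-pushed route: {net} via {gw}")
```
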


ARIZONA WOMAN ARRESTED AND CHARGED IN NORTH KOREAN IT WORKER SCHEME BY AJ VICENS

An Arizona woman, Christina Marie Chapman, has been charged for her role in a scheme aiding North Korean IT workers to pose as U.S. citizens and secure remote jobs at American companies. Working with Ukrainian national Oleksandr Didenko and three North Koreans, Chapman helped compromise numerous American identities to facilitate these positions, generating at least $6.8 million in revenue. Chapman hosted computers in her home to make them appear U.S.-based and managed financial transactions for the workers. The operation involved major U.S. companies, posing a significant insider threat. The U.S. State Department is offering a reward for information on the involved North Koreans. Chapman faces up to 97.5 years in prison, while Didenko faces up to 67.5 years.


CISA ISSUES GUIDANCE TO HELP FEDERAL AGENCIES BETTER ENCRYPT DNS TRAFFIC BY DAVID DIMOLFETTA

The Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help federal civilian agencies meet encryption requirements and improve internal network security by focusing on the Domain Name System (DNS) protocol. This guidance supports the zero trust security model, which requires continuous user verification for accessing sensitive systems. DNS lacks encryption, making it vulnerable to attacks like DNS spoofing. CISA's checklist advises encrypting communication pathways between devices and implementing changes in phases, starting with broad configurations and moving to specific traffic like HTTPS. This initiative aligns with the goal for agencies to adopt zero trust architecture by late September.


FBI SEIZES HACKING FORUM BREACHFORUMS — AGAIN BY LORENZO FRANCESCHI-BICCHIERAI

The FBI and international law enforcement seized the cybercrime forum BreachForums, known for trading stolen data, and took control of its Telegram channels. Previously resilient, the forum was re-established by an administrator named Baphomet after the arrest of its former administrator, Conor Brian Fitzpatrick. The FBI's message on the channels invites information on cybercriminal activity related to the forum. The site operated as a marketplace for illegal services from June 2023 to May 2024. It's unclear how the authorities seized the Telegram channels, but the FBI may have arrested Baphomet. Telegram stated it did not cooperate with law enforcement on the takedown.


Tags:  Insider Threat NIST Guidance Cybercrime Zero Trust
