SANS NewsBites

U.S. National Cybersecurity Talent Discovery Program Launches on Monday; Consolidating Congressional Cybersecurity Oversight

January 10, 2020  |  Volume XXII - Issue #3

Top of the News


2020-01-10

The U.S. National High School Cybersecurity Talent Discovery Program Launches on Monday

The U.S. National High School Cybersecurity Talent Discovery Program launches on Monday (1/13). Students play a game (CyberStart) to learn whether they have the aptitude to excel in cybersecurity. It's all online and no teacher expertise in cyber or computers is required. NSF support this year enables high school students in every state to participate. High school girls are eligible to start next week; if five girls do well in a school, they win access to the game for boys as well. Here's how parents and teachers describe the impact of GirlsGoCyberStart:


"Girls Go CyberStart REALLY made a big impact on my daughter! The first year, she had zero experience in computer coding or cybersecurity. After participating, she decided to take AP Comp Sci A and now she won a summer internship at the NJ Cyber Security Office!"


"Before I recruited girls to be a part of this wonderful program, I struggled to get girls to realize they could be computer scientists. I had girls actually saying they were too stupid to do this until I said, 'Just try it.' Some of my girls found out they were good at puzzles, some found out they liked programming. I now have girls asking our counselor about computer science degrees at our local community college."


Twenty-seven state governors personally announced GirlsGoCyberStart this year and encouraged students in their states to "just try it!" The Computer Science Teachers Association is a national cosponsor.


To learn more and/or sign up: https://www.girlsgocyberstart.org/


A personal note to NewsBites readers from Alan Paller: Finding talent early is the single biggest game changer a nation can implement to increase its effectiveness in cyberspace. The UK's CyberDiscovery program proved that the CyberStart game scales to provide full national coverage and identifies large numbers of high-aptitude students even when the student doesn't know s/he has it. Now CyberStart's aptitude discovery program has become available at no cost to all high schools in the US, but it runs only once a year and sign-ups close in two weeks. If you have any relationship with a high school student or teacher or administrator or an email list or Twitter following that includes high school teachers, make sure they know about GirlsGoCyberStart in time to take advantage of it this year.


2020-01-08

Consolidating Cybersecurity Oversight in Congress

Members of the US Cyberspace Solarium Commission are likely to propose consolidating authority for cybersecurity issues under one committee in each chamber of Congress. Currently, numerous committees in each chamber address cybersecurity issues, which can slow down needed legislation.

The Rest of the Week's News


2020-01-09

Attackers Infected Travelex with Ransomware Through Known Pulse Secure VPN Flaw

The Travelex currency exchange is still offline after a December 31 ransomware attack. The company says that its systems became infected with Sodinokibi, also known as REvil. The malware appears to have gained entry to the system through a known vulnerability in Pulse Secure VPN software; a patch for the flaw was made available in April 2019. (Please note that the WSJ story is behind a paywall.)

Editor's Note

While keeping services updated with the latest security patches is important, prioritize services at the perimeter and pay even more attention to boundary and access control devices such as VPNs, Firewalls, Routers, Proxies and WAFs. It is worth noting that Pulse Secure has been reaching out to customers to make sure that they are applying the patch. The Pulse Secure VPN flaw is being actively leveraged for REvil attacks, including CyrusOne, several managed service providers, 20 Texas local government offices and over 200 dentist offices per ZDNet. https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/: VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers.

Lee Neely

This breach has several examples of how to not handle incident response, from poor communications to key stakeholders, to not engaging with media, and lack of transparency to customers as to the real cause of the systems being offline.

Brian Honan

2020-01-08

Pittsburgh School District Hit with Ransomware

The Pittsburgh Unified School District in Pennsylvania is recovering from a ransomware attack that infected its systems over the holiday break. Classes resumed as scheduled on Monday, January 6. The superintendent noted that while classrooms will not have laptops or Internet access, schools do have access to student information and phone systems are working.


2020-01-07

Contra Costa Library System Ransomware Attack

The Contra Costa County (California) Library System was hit with a ransomware attack late last week. The incident affects all 26 of the system's branches. On January 3, library officials said that while impacted servers were taken offline, libraries would be open as usual.

Editor's Note

As libraries reinvent themselves in the digital age, the importance of their digital service offerings has increased. While you can still visit a branch to get a book, their web system processed over 1.5 million virtual visits, and 425,897 virtual checkouts in 2019. The system has address, phone numbers, email and dates of birth for members; it doesn't contain social security numbers or credit card information. They stopped collecting driver's license numbers and purged those data last year.

Lee Neely

2020-01-08

ToTok App is Available in Google Play Store Again

Apple and Google pulled the ToTok messaging app from their stores after US intelligence officials said it was likely being used as a spy tool for the United Arab Emirates. Google has put what appears to be an updated version of ToTok back in the Google Play Store. The app now asks users for permission to access and sync contact lists.


2020-01-08

TikTok Vulnerabilities Fixed

TikTok has patched several flaws that left the social video app vulnerable to account takeovers, private data exposure, and other forms of account manipulation. Researchers from Check Point found the vulnerabilities and notified TikTok in late November 2019. The company fixed the flaws in late December.

Editor's Note

The patches address account takeover and data exposure issues, not the concerns raised last fall about China-based ByteDance collecting data while the app is being used. Those risks have not changed. If you are continuing to use the application, keep it updated.

Lee Neely

2020-01-09

Google's Project Zero Announces Changes to Its 90-Day Disclosure Policy

Google's Project Zero says it will now wait the full 90 days after notifying vendors about a bug to disclose details of the vulnerability, regardless of when the vendor makes a fix available. Previously, Project Zero would release vulnerability details as soon as a patch was released. The rationale for the change is that it will allow for more thorough patch development and wider patch adoption before details are released. Vulnerability details may be disclosed sooner than 90 days if the vendor agrees. Exceptions to the rules include allowing the vendor to request up to an additional 14 days if the patch will be ready within that time, and allowing only seven days for vulnerabilities that are being actively exploited.


2020-01-08

Minnesota Hospital eMail Breach

Alomere Health is notifying nearly 50,000 patients in Minnesota that their personal health information may have been compromised. Two Alomere Health employee email accounts were compromised in late October and early November 2019.

Editor's Note

I was encouraged to see in the SANS Security Spending Trends survey we are currently working on, increased spending on strong authentication came in 4th highest, after cloud monitoring, cloud access security and staff skills training. Ransomware and breaches in the news have been the ammunition to convince management to back the move away from reusable passwords. In telephone interviews, several small/medium sized organizations said they are making the move as part of moving to O365 and other cloud-based services.

John Pescatore

Cases like this help to justify Multi-Factor Authentication to senior management.

Brian Honan

2020-01-09

Mozilla Releases Firefox 72.0.1 to Fix Actively Exploited Critical Flaw

Just one day after releasing Firefox 72, Mozilla released version 72.0.1 to address a critical vulnerability that was being actively exploited. The type-confusion flaw could be exploited to execute code or cause crashes on vulnerable systems. Firefox 72 included new privacy features and fixes for five high-severity security issues.

Editor's Note

If you're on the ESR distribution, the fixes are in 68.4.1. The affected component is the IonMonkey JavaScript JIT compiler which provides optimization and performance enhancement for JavaScript. The flaw is reported as being actively exploited in the wild. Regardless of the version, unless you have disabled IonMonkey, which is enabled by default, applying the update quickly is prudent.

Lee Neely

Users should prefer purpose-built applications to porous browsers for sensitive applications. Enterprise management should isolate mission-critical data, applications, and systems from browsers.

William Hugh Murray

2020-01-08

Prison for Webcam Spy

A UK man has been sentenced to five years in prison for spying on people through their webcams and mobile phone cameras. Scott Cowley used the Imminent Monitor remote access Trojan (RAT) to infect the targeted computers and phones.


2020-01-09

Las Vegas City Network Fends Off Serious Cyber Incident

On Tuesday, January 7, 2020, the city of Las Vegas, Nevada experienced a network security incident. The vector of attack is likely to have been a malicious email. City IT staff detected the breach quickly and took steps to minimize its impact. On Wednesday, January 8, the city posted a statement on Twitter that it has "resumed full operations with all data systems functioning as normal."

Editor's Note

I love this news piece. Kudos to the city of Las Vegas IT and security teams. Think of when a strong storm hits your area. If the power blips a few times, or goes out for an hour or so, everyone understands. If it goes out for days, you hate the power company, you know they failed you. You really don't expect the electricity to your house to be totally immune to storms, but you expect the power company to minimize the outages and to proactively trim the trees in advance of the next season of storms. That is how CEOs and Boards of Directors think about IT security!

John Pescatore

2020-01-09

Dustman Data-Wiping Malware Likely Has Ties to Iran, Say Analysts

Cyber analysts at Saudi Arabia's National Cybersecurity Authority (NCA) have detected a new variant of data-wiping malware. Dustman, as it has been named, was found on systems at Bapco, Bahrain's national oil company, late last year and appears to be a variant of data-wiping malware used in attacks on organizations in the Middle East last year. NCA analysts say the malware made its way into Bapco systems through the company's VPN servers. The malware affected only some of Bapco's computers, and the company continued to operate through the attack.


2020-01-09

Hackers Scanning for Unpatched Citrix Servers

Hackers are actively conducting scans to find Citrix servers that have not been patched against a critical vulnerability that affects the company's Application Delivery Controller (ADC) and Gateway products. The directory traversal flaw could be exploited to remotely execute code.
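Because the Citrix flaw is a directory traversal bug, the scanning described above leaves a recognizable trace in the appliance's or a fronting proxy's access logs: request paths that contain a ".." segment, often percent-encoded once or twice to slip past naive filters. The following is an added example (not code from the original item, Citrix, or the ISC diary) of a generic traversal detector run over constructed access-log lines. The log lines, IP addresses and paths are all made up for illustration; the check does not depend on any product-specific signature, it simply decodes each request path until it stops changing and flags any ".." segment.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# The traversal paths are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2020:10:01:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jan/2020:10:01:13 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 312 "-" "curl/7.64.0"
198.51.100.9 - - [09/Jan/2020:10:02:40 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 404 0 "-" "python-requests/2.22"
198.51.100.9 - - [09/Jan/2020:10:02:41 +0000] "GET /vpn/%252e%252e/vpns/ HTTP/1.1" 404 0 "-" "python-requests/2.22"
192.0.2.44 - - [09/Jan/2020:10:03:05 +0000] "POST /logon/LogonPoint/tmindex.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, request path and status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e -> %2e%2e -> .. is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if the decoded path (query string stripped) has a '..' segment; backslashes count as separators."""
    clean = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(segment == ".." for segment in clean.split("/"))


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one record per log line whose request path is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        if is_traversal(match["path"]):
            hits.append({
                "ip": match["ip"],
                "path": match["path"],
                "decoded": fully_decode(match["path"]),
                "status": int(match["status"]),
            })
    return hits


def summarize_by_source(hits: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Per source IP: how many traversal requests, and how many got a 2xx (worth immediate triage)."""
    summary: Dict[str, Dict[str, int]] = {}
    for hit in hits:
        entry = summary.setdefault(hit["ip"], {"attempts": 0, "succeeded": 0})
        entry["attempts"] += 1
        if 200 <= hit["status"] < 300:
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {hit["decoded"]}')
    print(summarize_by_source(found))
```

A 404 on a traversal request tells you someone is scanning; a 2xx on one tells you the appliance answered, which is the case to escalate first. Decoding repeatedly (rather than once) is what catches the double-encoded variant in the third constructed line; overlong UTF-8 encodings of "." are not handled here and would need a dedicated check.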


2020-01-09

Dragos Report Describes North American Electric Sector Cyber Threats

Dragos has published a report titled North American Electric Cyber Threat Perspective that "provides a comprehensive look at threats to the North American electric sector and offers numerous defensive recommendations for asset owners and operators to implement and combat observed threats."


2020-01-09

US Government-Funded Android Phones Have Chinese Malware Preinstalled

The US Federal Lifeline Assurance program provides inexpensive or even free phones with discounted service for low-income households. Researchers at Malwarebytes found that one of the phones available through the program, the $35 Unimax (UMX) U686CL device from Assurance Wireless, comes with unremovable Chinese malware preinstalled.

Editor's Note

Supply chain security is complicated, and critical, especially when you're driven to deliver the lowest bid solution. US-funded programs typically insist on American made solutions, but in this case the $35 device was accepted without full security vetting. As an entity, purchasing devices from a known source is a good first step; verifying their security, or hiring someone to do that, is prudent.

Lee Neely

Internet Storm Center Tech Corner

Citrix ADC Update

https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/


Another Malicious Word Document

https://isc.sans.edu/forums/diary/Quick+Analyzis+of+another+Maldoc/25694/


Google Project Zero Changing Disclosure Policy

https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html


Google Updates Android

https://source.android.com/security/bulletin/2020-01-01


Critical Firefox Update Fixing Exploited Bug

https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/


Pulse Secure SSLVPN Exploited

https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

https://www.darkreading.com/attacks-breaches/widely-known-flaw-in-pulse-secure-vpn-being-used-in-ransomware-attacks/d/d-id/1336729


3 Google Play Store Apps Exploit Android Zero-Day

https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/


Tails 4.2

https://tails.boum.org/news/version_4.2/index.en.html


TikTok Vulnerabilities

https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/


SHA1 Update

https://sha-mbles.github.io/


Cisco Updates

https://tools.cisco.com/security/center/publicationListing.x