Overnight Cybersecurity: Feds likely to keep iPhone hack a secret

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…

THE BIG STORIES:

–WHAT’S MINE IS YOURS?: The FBI could avoid having to share the tool it used to hack into a locked iPhone with Apple by arguing it lacks proper knowledge of the process. FBI Director James Comey said Tuesday that the bureau may not understand the workings of the tool it used to crack the phone enough to justify a White House review into whether it should share the technique with Apple. “We are in the midst of trying to sort that out,” Comey said at a cybersecurity event at Georgetown University, according to multiple sources. “The threshold is, are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability to implicate the process?” But, he said, “We are close to a resolution.” Comey appeared to send a clear signal on Tuesday that the FBI doesn’t intend to help Apple uncover how it was able to unlock the device. The agency will send formal notice to the White House in the coming days saying that officials aren’t familiar with the underlying code that runs the tool it purchased, The Wall Street Journal reports, citing people familiar with the discussions. In other words, the agency isn’t capable of participating in the review process because it doesn’t know how the hack works. But critics of the so-called Vulnerabilities Equities Process were already skeptical that the review process would result in disclosure of the flaw to Apple. The rule leaves a carve-out for national security concerns that digital rights activists say is too broad, allowing the government to hoard hacking techniques at the expense of public cybersecurity. Christopher Soghoian, chief technologist at the American Civil Liberties Union, calls the process “broken.” Soghoian told The Hill recently that the makeup of the review board — which isn’t public — is disproportionately weighted toward intelligence and defense officials without representing privacy or technology experts from agencies like the Federal Trade Commission or the National Institute of Standards and Technology. Now, it appears that the FBI may be able to bypass the process entirely. To read our full piece, click here.

{mosads}–NO, YOU TELL ME: Top lawmakers on the House Energy and Commerce Committee asked major telecom providers on Tuesday to brief them on a security vulnerability in the global cell phone network. A recent “60 Minutes” segment displayed the extent of a weakness in the protocols, known as SS7, that connect cell phone networks all over the world. Tuesday’s letter was the first major sign that the issue could become a priority for Congress. The leaders of the House Energy and Commerce Committee — Chairman Fred Upton (R-Mich.) and ranking member Frank Pallone Jr. (D-N.J.) — wrote to AT&T, Verizon, T-Mobile, Sprint, CenturyLink and Frontier Communications asking them for briefings on the security flaw. “The seriousness of any such vulnerability cannot be understated,” they wrote to AT&T’s chief executive, for example. “Given the role of SS7 in our global communications networks, these vulnerabilities expose anyone using a phone to a possible security breach. … In order for the Committee to gain a better understanding of any security flaws in the SS7 protocol and the risks they represent, we request that the Chief Technology Officer of your company be available to brief the Committee.” To read more about the letter, click here. To read our full piece on the SS7 vulnerabilities, click here.

–A NEW GROUP: A newly formed hacking group supporting the Islamic State in Iraq and Syria (ISIS) claims to have infiltrated the State Department and released a “kill list” of U.S. government officials. On Sunday, the so-called United Cyber Caliphate (UCC) — formed roughly two weeks ago — posted its hacking claims and data dump to its account on the messaging platform Telegram. “USA You are our primary goal,” the post said, according to a screenshot provided by the Middle East Media Research Institute (MEMRI). “Your system failed to Tackling [sic] our attacks. Now we will Crush you again.” A State Department official told The Hill it was aware of the claims, but that security concerns inhibited the agency from saying whether it was actually infiltrated. The hackers would not have had to crack into State to get at the workers’ data. Many of the personal details released online — including names, places of work, ZIP codes and phone numbers — could have been collected from publicly available databases. Still, MEMRI cautions that the data dump should be taken seriously, regardless of its origins. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–D-FENSE, D-FENSE. Two lawmakers on Tuesday introduced a bill to help small businesses better protect themselves from cyberattacks.

While small businesses are not high-value targets for hackers, they are still peppered by low-level attacks and frequently lack the resources or personnel to establish top-of-the-line digital defenses.

The bill, from Reps. Richard Hanna (R-N.Y.) and Derek Kilmer (D-Wash.), would direct the federal government to develop a specific cybersecurity plan for these companies that could be disseminated through Small Business Development Centers (SBDCs).

These SBDCs — partly funded by the Small Business Administration — offer resources and guidance to companies with limited staffs.

The federal government has already spent years developing a cybersecurity framework intended to help companies assess their cyber risks and design their own digital defenses. But polls show that the while the framework has been adopted by larger companies, many small firms have been less able to follow suit.

Read on, here.

 

A BIZARRE CLICK:

–WALKING WHILE LOOKING LIKE SHIA LABEOUF: A New York man was randomly sucker punched on the Lower East Side recently, and he told Gothamist that the only thing the assailant yelled while walking away was “This is because you look exactly like Shia LaBeouf!”

Read on, here.

 

A REPORT IN FOCUS:

–TELL ME SOMETHING I DON’T KNOW. Verizon’s annual Data Breach Investigations Report, out today, found that it took attackers minutes or less to gain access to systems in 93 percent of cases last year — but that it took organizations weeks to discover a breach.

In other words, hackers continue to get better and faster at what they do.

Another finding: People are still using terrible passwords: 63 percent of confirmed breaches involved leveraging weak, default or stolen passwords.

Read the whole report, here.

 

A LOOK AHEAD:

WEDNESDAY:

–The Senate Foreign Relations Committee will hold a hearing on strategic challenges and opportunities in U.S.-China relations at 10:30 a.m.

THURSDAY:

–The House Homeland Security Committee will mark up the National Cybersecurity Preparedness Consortium Act of 2016 at 2 p.m.

 

WHO’S IN THE SPOTLIGHT:

–THE DEPARTMENT OF TRANSPORTATION. The agency needs to establish a more detailed plan to help automakers respond to the threat of cyberattacks on vehicles, according to a report from the Government Accountability Office.

The report — which was first requested by lawmakers in December 2014 and made available to the public this week — calls for the DOT to better define its own role and clarify how it would interact with other federal agencies and stakeholders in the event of a vehicle cyber attack.

Most modern vehicles have software interfaces that connect to an external network, which researchers found can be exploited either directly or remotely to take over critical safety-functions like braking and steering.

Rep. Ted Lieu (D-Calif.) used the report Tuesday as an opportunity to promote a bill that would require a cross-sector study to examine detection protocols, deterrence techniques and privacy best practices.

“The GAO study… shows that progress is being made by both the Department of Transportation and automakers, but there are some glaring holes that need to be addressed quickly,” Lieu said in a statement.

To read our full piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Legislation to combat ISIS propaganda online faces pushback from Dems. (The Hill)

Retailers on Tuesday doubled down on their opposition to a data breach notification bill favored by financial firms. (The Hill)

This timeline provides a comprehensive overview of the different fights that constitute the new Crypto War, from the early months after the Sept. 11 attacks to the present day. (The Daily Dot)

Revenue from content delivery services provider Akamai’s cloud security business rose 46 percent to $80.7 million for the first quarter. (Reuters)

Over seven million user accounts belonging to members of Minecraft community “Lifeboat” have been hacked, according to security researcher Troy Hunt. (Motherboard)

One DDoS extortion group has managed to earn over $100,000 without any evidence that it’s even capable of mounting attacks. (CSO Online)

 

If you’d like to receive our newsletter in your inbox, please sign up here.