19 October 2015

Morning Cybersecurity A daily briefing on politics and cybersecurity

http://www.politico.com/tipsheets/morning-cybersecurity/2015/10/the-threat-of-hacker-terrorist-team-ups-tech-giants-oppose-cisa-but-not-unanimously-finfisher-malware-used-by-governments-210767

The threat of hacker-terrorist team-ups

By TIM STARKS, 10/16/15
With help from Joseph Marks and David Perera

A HACKER-TERRORIST TEAM-UP AND PROSPECTS FOR MORE? – In a case that could represent a scarier evolution in the consequences of hacking -- a variant aimed at creating real-world violence -- a Kosovo man was charged by the Justice Department for allegedly stealing the personal information of over 1,000 U.S. military members and federal employees and handing it over to ISIL. The DOJ called the indictment the “first of its kind” in its announcement Thursday night. The suspect, Ardit Ferizi, is said to be leader of the Kosova Hacker’s Security group.

The fear is that this is one step beyond what hackers have done to date, or even what terrorists have done on the Internet to date. Hackers have been more concerned about making money or political points, while terrorist groups have primarily used computers for social media recruiting or other less overtly dangerous gestures. “The hacking-terrorism combination could be far more lethal,” as Devlin Barrett writes for The Wall Street Journal: http://on.wsj.com/1VVP4D3

But the combo has not proven too grave a threat — yet. Much of what Ferizi allegedly obtained was widely available and not official. Ferizi allegedly shared his information with Junaid Hussain, thought to be leader of the Cyber Caliphate who was killed by a drone strike this year. The Cyber Caliphate had counted as one of its biggest successes breaking into the social media accounts of U.S. Central Command. http://nyti.ms/1UfISzv

HAPPY FRIDAY and welcome to Morning Cybersecurity! We’re looking for Halloween costume ideas since it’s just around the corner. Your MC host has an idea but it depends on whether others will go along with it. As such, please send your costume suggestions, general thoughts, feedback and especially your tips to tstarks@politico.com and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

FIRST IN MC: CHOPPING UP THE FEDERAL CYBER BUDGET — Offensive cyber makes up the biggest chunk of unclassified cybersecurity federal procurement spending, while training and awareness bring up the rear – and procurement spending on cybersecurity overall has jumped more than 400 percent over three years to $30.8 billion in fiscal 2014, according to an analysis recently produced by Govini, a business intelligence provider. The analysis, which divides up cybersecurity spending in a way the federal government currently does not, also pinpoints who’s leading the scramble for cyber contracts in each area; for instance, Boeing is tops dating back to 2010 on cyber offense, defined by Govini as “proactive and adversarial approach to protecting computer systems and networks,” while Northrop Grumman leads the way on boundary defense, defined as “separating and controlling access to different networks to reduce the number of successful attacks.”

The raw numbers, while illuminating, do need context. They can vary greatly from year to year, such as when a giant contract drops in a particular field. While government officials have repeatedly talked about how training is a huge priority, its last-place spending doesn’t reflect how they’re all talk and no action so much as the fact that those services are cheaper to provide than others. And a good deal of cyber spending lives in the black budget, so a swath of the spending is missing from Govini’s analysis. The full chart: http://bit.ly/1jr6NkJ

Govini said it decided to produce its “cybersecurity taxonomy” after talking to its customers. “The shocking thing for us as we spoke to our customers is that there seemed to be no common language or definition for cybersecurity,” the company’s founder and CEO, Eric Gillespie, told MC. “They struggled to understand the range of cyber spending across agencies. They knew it was growing. They knew it would continue to grow, but they fundamentally lacked a comprehensive view of that market.” More on Govini: http://wapo.st/1jraJlq

GROUP OF TECH GIANTS OPPOSES CISA, BUT NOT NECESSARILY UNANIMOUSLY — The Computer & Communications Industry Association, whose members include a number of major tech and telecom giants, wrote in a blog post Thursday that it opposes the Cybersecurity Information Sharing Act in its current form, arguing that it needs more privacy protections and might be harmful to security in some ways. The group did say it supports the idea of information sharing legislation and wants the Senate to improve the bill. Fight for the Future, a digital privacy group that has been pressuring tech companies to reject CISA, claimed a victory in the CCIA blog post, noting that bill sponsors had cited the T-Mobile/Experian breach as a reason to bring CISA to the floor – and T-Mobile is a member of CCIA. For Pros: http://politico.pro/1NeCrvr

CCIA’s Bijan Madhani offered a note of caution, however, about reading too much into the blog post about what individual members believe. “Our view as an organization doesn’t necessarily represent the views of every single one of our members,” Madhani, the group’s public policy and regulatory counsel, told MC. “I don’t want to suggest that there’s unanimous consensus. Sometimes we take a perspective that is what we think is good for the Internet as an ecosystem at large. … We run the position by membership; sometimes we get pushback, and we got some pushback on this one. We might think a position is consistent with our mission, but it might be inconsistent with some of our members.” The CCIA post: http://bit.ly/1hH65Ou

NOT SO ENCRYPTED ANYMORE? — Cyber experts are buzzing about a new technical paper describing a vulnerability the NSA might be exploiting to decrypt trillions of Web and VPN connections. “This is perhaps the biggest technical revelation about NSA capabilities in the past few years, as it reveals a potential huge capability possessed by the NSA,” Nicholas Weaver, a senior staff researcher for the International Computer Science Institute, wrote for Lawfare. Weakness in the Diffie-Hellman key exchange – a cryptographic algorithm that is “fundamental” to many protocols, including HTTPS – is at the root of the issue. Adds Paul Rosenzweig, a former Department of Homeland Security official and adviser to the Chertoff Group: “If they are right, perhaps as much as 30-50% of current traffic can, with very large effort, be decrypted.” The paper: http://bit.ly/1PW2NkZ Weaver: http://bit.ly/1OFQjk1 Rosenzweig: http://bit.ly/1MsB7Cf And an Ars Technica explainer: http://bit.ly/1Ggz874

POSTPONED UNTIL MONDAY — Apple’s response to a Brooklyn magistrate judge’s order requiring it to discuss whether unlocking an encrypted iPhone would be “unduly burdensome” to the technology company is now due Monday. The federal government and Apple filed a joint request before federal Judge James Orenstein asking for an extension from the original Thursday deadline, which he granted. The judge wrote a skeptical decision a week ago suggesting that federal prosecutors may be asking too much of Apple, a company whose decision to sell law enforcement-resistant devices was likely one it “did not make in haste, or without significant consideration of the competing interests of public safety and the personal privacy and data security of its customers.”

** A message from Northrop Grumman: Today’s enemy threats have taken on forms like never before. That’s why our full-spectrum cyber capabilities enable our military to tackle challenges at the push of a button. See how at http://bit.ly/1LenDw5 **

FINFISHER MALWARE, FROM UGANDA TO 32 COUNTRIES — Ugandan President Yoweri Museveni, who’s up for reelection next year, used FinFisher malware to spy on political opponents, activists and the media in 2011, according to leaked documents obtained by Privacy International. The documents, detailed in the report titled “For God and My President: State Surveillance in Uganda,” were also part of a BBC Newsnight segment Thursday evening. The surveillance technology “chilled free speech and legitimate expressions of political dissent,” Privacy International asserts, and “contributed toward making Uganda a less open and democratic country in the name of national security.” The report: http://bit.ly/1k8mBsE

The report comes out the same day Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, released a report listing 32 nations where government groups used FinFisher malware in 2015, including the Belgian Federal Police, the Kenyan National Intelligence Service and Egypt’s Technology Research Department. The lab also found government users in Mexico, Ethiopia, Turkey, Venezuela and South Africa. One conclusion from the report: “Despite the disclosure of sensitive customer data” in a 2014 FinFisher breach that sent sensitive documents to WikiLeaks, Citizen Lab “scans have detected FinFisher servers in more countries than any previous round of scanning.” The story, for Pros: http://politico.pro/1LQVRt0

NOVA CYBERWAR GETS SKEPTICAL RECEPTION FROM CYBER PROFESSIONALS — Reaction to PBS NOVA’s show this week on cyber war has been decidedly mixed, especially amid criticism that the vaunted science show has declined in quality over the past few years. (cf. the episode before last, about “Noah’s Ark.”) Particularly critical was Richard Bejtlich, chief security strategist at FireEye. “It's not a show about how bad cyberwar is unless you show nuclear ICBMs! They are ‘impotent against a cyber attack,’” he tweeted, noting the heavy reliance on hyperbolic cyber tropes that also included lots of ominous music and flashing digital lights. “@novapbs repeats myth that ‘cyber attack’ is ‘just a sudden, out of the blue, digital takedown’ of ‘dams, power, factories, ATC, finance,’” he added.

Also inveighing against the shows was Scot Terban, a security researcher who tweets and blogs as Krypt3ia. “How about some fair and balanced reporting @novapbs about how hard it would be to carry out such attacks?” he tweeted. Video: http://to.pbs.org/1PklfIb

WIRED ROADS SPUR CYBERSECURITY CONCERNS — Wireless technology that lets vehicles digitally communicate with roadside infrastructure such as traffic lights can enhance safety – but only if data security problems can be solved first, warns the Government Accountability Office. In a Thursday afternoon report summarizing advice from 21 experts, the GAO said the Transportation Department and industry are taking steps to develop the technology known as the Security Credential Management System to ensure that data messages are secure and are readable only when they originate from authorized devices. But more than half of those experts expressed “a variety of concerns” about SCMS, including whether it’ll succeed and who will manage it. The report: http://1.usa.gov/1GgIOOU

QUICK BYTES

— Australia accessed the U.S. PRISM database more frequently than even the U.K. Australian Broadcasting Corporation: http://ab.co/1MD2hut

— A group of cybersecurity experts is pushing the FCC on open source routers for security reasons. Motherboard: http://bit.ly/1OG64Y0

— University of Cambridge researchers figure that 85 percent of Android devices have been exposed to critical vulnerabilities. Threatpost: http://bit.ly/1LPGy3Q

That’s all for today. Soon it will be … http://bit.ly/1QxMHj7

Stay in touch with the whole team: Joseph Marks (JMarks@politico.com, @Joseph_Marks_); David Perera (dperera@politico.com, @daveperera); and Tim Starks (tstarks@politico.com, @timstarks).

** A message from Northrop Grumman: To meet today’s most advanced enemy threats, our military needs to be able to eliminate them — without putting troops in harm’s way. That’s why we’re the leader in full-spectrum cyber. Learn more at http://bit.ly/1LenDw5 **


ABOUT THE AUTHOR

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball -- he is from Indiana, after all -- and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.

