The Stroz Friedberg Cyber Brief


FEATURED STORY

MONDAY, FEBRUARY 27, 2017

CLOUDFLARE BUG CAUSES SECURITY HEADACHES

A software bug at Cloudflare, an internet infrastructure company based in San Francisco, leaked encrypted data for months, creating security challenges for thousands of its corporate customers, including Uber, Fitbit, and OKCupid. The bug was discovered by a Google researcher, who notified Cloudflare on February 18. Cloudflare says it fixed the bug immediately.

The amount of data inadvertently disclosed appears to be small, but the bug could have affected more than 6 million Cloudflare customers over the past five months. Cloudflare said it found leaked data belonging to only about 150 of its customers, but the company acknowledged that more may be affected. Security-conscious users were encouraged to change their passwords. Cybersecurity analysts say the incident underscores the potentially wide ripples that a single flaw can create in the hyper-connected world of cloud computing. (Reuters, WSJ, WaPo, Wired)

HACKERS

Crypto Tech: Researchers at Google and a Dutch institute cracked a widely used cryptographic technology that is one of the keystones of internet security. The algorithm, known as Secure Hash Algorithm 1 (SHA-1), is used to verify the integrity of digital files and signatures that secure credit card transactions and open-source software repositories. (Reuters, WSJ)

Espionage: An executive at FireEye says that U.S. government agencies, think tanks, and political groups should be on the lookout for an uptick in espionage attempts. Foreign countries are increasingly in search of information on changes to foreign and military policies under the new Trump administration, he says. (Bloomberg)

COURTS

Smartphone Searches: A federal judge in Chicago denied a government attempt to compel people in a building to use their fingerprints to open seized Apple devices as part of a child pornography investigation. Analysts say the case is one of a small but growing number that pit modern smartphone encryption against the Fourth and Fifth Amendments. (Ars Technica)

Charity: A Florida man, Timothy Sedlak, pleaded guilty in Manhattan federal court to hacking into an unnamed New York-based charitable organization that reports indicate was the Clinton Foundation. Sedlak reportedly was looking into a conspiracy theory that the organization might be funding jihadist groups. (Orlando Sentinel)

Self-Driving Tech: Alphabet’s Waymo self-driving car unit has sued Uber and its autonomous trucking subsidiary Otto over allegations of theft of its proprietary sensor technology. One of Otto’s founders, Anthony Levandowski, had been an executive on Google's self-driving project. (Reuters)

ON THE HILL

Governors Summit: At an annual gathering in Washington, DC, state leaders took in several briefings on cybersecurity. The issue has gained prominence at the state level in recent months, particularly after nearly all 50 states asked the Department of Homeland Security for help securing their voting systems ahead of the 2016 election. (The Hill)

Election Security: A group of Democratic and Independent senators is pressing the Election Assistance Commission, which helps certify voting systems, for a “full account” of its work to secure the 2016 election from Russian hackers. (The Hill)

DOD

NSA-Cyber: The Defense Department is considering whether now is the time to split the leadership of the National Security Agency and U.S. Cyber Command. Experts and former security officials have long seen it as inevitable that the pair will someday separate, but have expressed concern that doing so too quickly could be harmful. (The Hill)


PRIVATE SECTOR

Bank Reg: As of March 1, New York’s Department of Financial Services is requiring those in its jurisdiction to maintain a cybersecurity program to protect consumer data and “ensure the safety and soundness” of the financial services industry. Executives must submit an annual certification that their company is complying and agree to notify the agency of any serious breaches within 72 hours of their discovery. (FT)

Google: Google offshoot Jigsaw released a new tool named “Perspective” that uses artificial intelligence to spot abuse and harassment online. It reportedly scores comments based on their perceived “toxicity.” Jigsaw has made the tool available for developers around the world. (CSM)

Apple: The tech giant’s sprawling new corporate headquarters in Cupertino, CA, dubbed "Apple Park," is set to open in April. It is expected to take about six months for the 12,000-plus workers to make the transition, Apple said. (Reuters)

THE WORLD

Russia: The treason charges brought against two state security officers and a cybersecurity expert in Moscow are reportedly linked to allegations made by Pavel Vrublevsky, a Russian businessman, seven years ago. Vrublevsky said the suspects passed secrets to Verisign and other unidentified U.S. companies, which in turn shared them with U.S. intelligence agencies. (Reuters)

United Kingdom: British authorities have arrested an unnamed suspect in connection with last year's cyberattack that infected nearly 1 million Deutsche Telekom routers. (Reuters)

MUST READS

Russia's Elite Cyber Warriors: “The trail of evidence left by these attacks, while far from comprehensive, goes some way toward indicating the way Russia under President Vladimir Putin sees the world, and how the modern Russian state must secure its place within it. It is one of tactical opportunism and flexibility, but also deep and considered strategic commitments, lines of attack and influence, that have been years in development,” writes Sam Jones in the Financial Times.

How to Go Invisible Online: “Becoming invisible and keeping yourself invisible require tremendous discipline and perpetual diligence. But it is worth it. The most important takeaways are: First, be aware of all the ways that someone can identify you even if you undertake some but not all of the precautions I’ve described. And if you do undertake all these precautions, know that you need to perform due diligence every time you use your anonymous accounts. No exceptions,” writes Kevin Mitnick in Wired.

How Palantir Helped the NSA Spy on the World: “[Peter Thiel] brings to his role as presidential adviser decades of experience as kingly investor and token nonliberal on Facebook’s board of directors, a Rolodex of software luminaries, and a decidedly Trumpian devotion to controversy and contrarianism. But perhaps the most appealing asset Thiel can offer our bewildered new president will be Palantir Technologies, which Thiel founded with Alex Karp and Joe Lonsdale in 2004,” writes Sam Biddle in The Intercept.

Learning to Love Our Robot Coworkers: “American manufacturers are producing more products now than they were before the crash, with fewer workers, which suggests that those missing jobs have been automated. And while collaborative robots are showing up on factory floors first — where automation has always debuted, taking on repetitive, heavy and hazardous work — they are likely to find their way into other workplaces soon,” writes Kim Tingley in the New York Times Magazine.

Center on National Security
Fordham University School of Law
150 W. 62nd St. 7th Floor
New York, NY 10023 US
Copyright © 2016 Center on National Security, All rights reserved.