The Stroz Friedberg Cyber Brief


*|MC:SUBJECT|*
  FEATURED STORY            

MONDAY, SEPTEMBER 26, 2016

YAHOO MANAGEMENT UNDER SCRUTINY AFTER MASSIVE HACK

The internet search giant is facing some tough questions from authorities and customers as to why a two-year-old cyberattack has only just now come to light. Yahoo issued a statement to the Securities and Exchange Commission roughly two weeks ago saying it had no knowledge of any cybersecurity incidents. However, the company reportedly launched an investigation into a potential cyberattack on July 30, just days after it struck a deal to sell its core business to Verizon for nearly $5 billion.

Some legal analysts say the SEC may choose to make an example out of Yahoo, which disclosed last week that at least 500 million of its accounts were hacked in 2014 by what it says was a state-sponsored actor. The SEC issued guidance on reporting cyber incidents in 2011, but has yet to launch an enforcement action against a major firm for failing to report a breach in its commission filings. (FT, WSJ, Reuters, NYT)


 
  HACKERS                                          

NSA Tools: An FBI-led investigation into the leak of hacking tools used by the National Security Agency is reportedly focusing on a theory that one of its operatives left them available on a remote computer where Russian hackers found them. It remains unclear if the worker did so deliberately. (Reuters)

 

Dem Emails: Hackers posted hundreds of emails stolen from the account of Ian Mellul, a young Democratic operative, that contained details of schedules and other sensitive information related to the vice president, the first lady, and Hillary Clinton. (NYT)

 

Online Payments: Payments networks, from Swift to the latest peer-to-peer money transfer app, are only as trustworthy as their weakest link. Even with encryption, each bank or individual on a network still must be able to reliably prove who they are, which often remains a challenge, experts say. (FT)

 

Tesla: Chinese researchers said they had discovered security vulnerabilities in the Tesla Model S that allowed them to control its brakes, side mirrors, and other components. Tesla said in a statement that it "deployed an over-the-air software update" to fix the problem. (WaPo)

Krebs: Brian Krebs, the cybersecurity researcher and former Washington Post reporter, was the victim of one of the largest distributed-denial-of-service attacks in history. He speculated that the attack might be related to his reporting about a former rent-a-DDoS service whose Israeli proprietors were arrested last week. (The Hill)



  COURTS                                          

ISIS Hacker: Ardit Ferizi, a citizen of Kosovo, was sentenced to 20 years in prison for providing material support to the Islamic State terrorist group. He pleaded guilty in a Virginia federal court earlier this year to stealing data on U.S. military personnel. (Ars Technica)

Trump Hotels: Trump International Hotels Management agreed to pay $50,000 to settle with New York State over data breaches that exposed 70,000 credit card numbers and other personal information. The company violated state law by not providing notice of the breaches to consumers as soon as possible, authorities said. (Reuters)

 

  ON THE HILL                                    

FAA: The aviation watchdog adopted language seeking to ensure that cybersecurity safeguards will be incorporated into all future industrywide standards, affecting everything from aircraft design to flight operations to maintenance practices. (WSJ)

 

NHTSA: The National Highway Traffic Safety Administration called on automakers to voluntarily submit details of self-driving systems to regulators in a 15-point safety assessment. Analysts say the proposals gave companies many things they wanted, including a single, national set of rules for self-driving cars. (Reuters)

Treasury: The Office of Foreign Assets Control designated the PacNet Group, an international payments processor based in Canada, as a significant transnational criminal organization. The Washington Post takes an in-depth look at how the company helps fraudsters rake in millions. (WaPo)



  DOD                                                

Air Force: Service leaders spoke to Defense One about how the Air Force is planning to reduce cybersecurity vulnerabilities for the United States and increase them for adversaries. In 2017, the Defense Department budget for cyber operations will reach $6.7 billion, up 16 percent in a year. (Defense One)



  PRIVATE SECTOR                             

GE: General Electric is taking significant steps to lure top tech talent away from firms like Google and Amazon, as the industrial giant makes a highly-publicized foray into software engineering. The company created GE Digital, which now has 28,000 employees, as a stand-alone software unit in 2015. (WSJ)

Samsung: The Korean conglomerate opened a branch of its early-stage investment program in Tel Aviv. Investment in individual tech companies will typically be about $1 million with no limit on the number of beneficiaries. (Bloomberg)

MUST READS

After Yahoo, Cybersecurity Means Every Man for Himself: “Governments must find ways to encourage companies to undertake more responsible practices. One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data. And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety,” writes Susan Hennessey in the Financial Times.

 

Why the Silencing of Brian Krebs is a Troubling Omen: “The attacks against KrebsOnSecurity harness so-called Internet-of-things devices—think home routers, webcams, digital video recorders, and other everyday appliances that have Internet capabilities built into them...The growing supply of IoT malware is creating a tipping point in the denial-of-service domain that's giving relatively unsophisticated actors capabilities that were once reserved only for the most elite of attackers. And that, in turn, represents a threat to the Internet as we know it,” writes Dan Goodin for Ars Technica.

How Police Trace Cellphones in IEDs: “Tracking cellphone detonators has been so effective that it’s even been used by the NSA to identify IEDs in foreign war zones before they’re detonated. By sifting through call records looking for phones in potential target areas that have never before placed a call, NSA analysts can find powerful leads on where a bomb might be planted before the detonating call is placed. So it’s no surprise that bomb-detection phone-tracking techniques have found their way into the domestic fight against terror,” writes Andy Greenberg for Wired.



 

Center on National Security
Fordham University School of Law
150 W. 62nd St. 7th Floor
New York, NY 10023 US
Copyright © 2016 Center on National Security, All rights reserved.

Comment