The Stroz Friedberg Cyber Brief


*|MC:SUBJECT|*
  FEATURED STORY            

TUESDAY, JULY 11, 2017
FEDS SUSPECT RUSSIANS BEHIND CYBER ATTACKS ON NUCLEAR PLANTS

Russia is suspected to be behind recent hacker intrusions at American power plants, including at least one nuclear facility, according to multiple reports. Investigators cannot definitively pin the new probing attacks, which did not affect plant controls, on Moscow. But unnamed U.S. government officials told the Washington Post that the National Security Agency has detected specific activity by the Russian spy agency, the FSB, targeting the energy firms. There is no evidence the hackers breached or disrupted the core systems controlling operations at the plants. Rather, the officials said, the hackers broke into systems dealing with business and administrative tasks, such as personnel.

At the end of June, the FBI and the Department of Homeland Security sent a joint alert to the energy sector stating that “advanced, persistent threat actors” - a euphemism for sophisticated foreign hackers - were stealing network login and password information to gain a foothold in company networks and had been attempting the intrusions since at least May. Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kansas. Washington Post, NBC News, Ars Technica, New York Times  

Massachusetts Sen. Edward Markey, the top Democrat on the International Cybersecurity Policy subcommittee, on Monday wrote to the heads of the Department of Defense, Department of Energy, Department of Homeland Security, Federal Bureau of Investigation and the Nuclear Regulatory Commission asking how the U.S. is defending its nuclear power plants from foreign attacks and threats. Among other information, Markey wants to know the number of nuclear plants that suffered attacks, who coordinates cybersecurity for nuclear power, and recommendations for improving security. He has requested answers by Aug. 10. CNET
  HACKERS                                          

FIRMS STRUGGLE TO REGAIN FOOTING AFTER LATEST MAJOR CYBER ATTACK
Big companies, hospitals, and other organizations around the globe are still reckoning with the damage caused by a crippling cyberattack, known as NotPetya or Nyetya, at the end of June. At Mondelez International, a giant maker of snacks, thousands of servers and computers were rendered useless and production lines at some factories ground to a halt. Hospitals across the United States have not been able to create electronic records for more than a week after the software maker Nuance Communications experienced significant problems with its computers. The attacks initially targeted government agencies, banks and companies in Ukraine, but ultimately spread to major multinational companies that do business with the country. New York Times

ONLINE DRUG BAZAAR ALPHABAY GOES DARK
The largest online black market for drugs, AlphaBay, has been dark for nearly a week, and users are beginning to believe that the site isn’t coming back. While an administrator for the site suggested last week the outage was due to technical problems, many AlphaBay users are coming to the conclusion that its disappearance is due to an “exit scam” -- in which the operators of an illicit website use the pretext of a hacking incident or technical problems to abscond with customer accounts.

Earlier this year, the site was hosting up to $800,000 in daily transactions -- many of them in deadly synthetic opioids. The site is also used as a marketplace for stolen credit cards and other financial data. New York Times, Fortune

Russian hacker gets two years: Vladimir Anikeyev, the head of a Russian hacking group that the Russian authorities cracked down on last winter, was sentenced to two years in a penal colony last week in a secret trial in Moscow. A former journalist who led a collective known as Shaltai Boltai — Humpty Dumpty — until his arrest last November, Anikeyev admitted his guilt in illegally gaining access to the private data of a number of targets, including high-ranking officials, businessmen and journalists. New York Times

  COURTS                                          

CANADIAN CASE COULD CAUSE GOOGLE TO CENSOR WORLDWIDE RESULTS
Canada's top court ruled in late June that Google can be forced to delist search results worldwide to enforce the decisions of Canadian courts. Google and free-speech organizations said the Supreme Court ruling could have far-reaching consequences for freedom of expression. “Issuing an order that would cut off access to information for U.S. users would set a dangerous precedent for online speech,” the Electronic Frontier Foundation said in a statement. “In essence, it would expand the power of any court in the world to edit the entire Internet, whether the targeted material or site is lawful in another country.” Washington Post, Slate

U.S. SUPREME COURT TO WEIGH IN ON DIGITAL PRIVACY
The Supreme Court has agreed to hear Carpenter v. United States in its October term, which will determine whether the government needs a search warrant to obtain historical records of a suspect's cell phone location—or whether it may instead do so under the Stored Communication Act (SCA), which requires the government to show only that there are reasonable grounds to believe that the records are “relevant and material to an ongoing criminal investigation.” New York Times, NY Law Journal

Trump’s voter commission collection on hold: The presidential commission on election integrity, which recently asked all 50 states to hand over data including registered voters’ full names, political affiliations, and the last four digits of their Social Security numbers, told a federal judge Monday that the states can hold off on supplying the requested data until the District of Columbia federal court decides whether the commission can legally require the states to hand over the information. More than 40 states have so far refused to give all or parts of the requested information. Ars Technica

  ON THE HILL                                    

AFTER CRITICISM, TRUMP BACKS OFF CYBER COOPERATION WITH RUSSIA
President Trump appeared to reverse himself this week on the possible creation of a joint cybersecurity unit with Russia, after both Republican and Democratic lawmakers ridiculed the idea of partnering on cybersecurity with the very nation accused of interfering in the 2016 presidential campaign through hacking. Trump said on Twitter early on Sunday that he and Russian President Vladimir Putin discussed on Friday forming "an impenetrable Cyber Security unit" to address issues like the risk of cyber meddling in elections. But after hearing from various advisers that Russia might stand to gain more from the idea than the U.S., and after thinking it through, Trump sent out the tweet Sunday saying the plan was unworkable. “The fact that President Putin and I discussed a cyber security unit doesn’t mean I think it can happen,” Trump tweeted late Sunday. “It can’t—but a cease-fire can, & did!” Reuters, Wall Street Journal

Trump blocks start-up visa rule: The Trump administration has delayed the implementation of the "International Entrepreneur Rule," an Obama-era policy that would have given special visas to foreigners with $250,000 in capital to start businesses in the U.S. The rule was to have gone into effect next week. Ars Technica

  PRIVATE SECTOR                             

EFF RELEASES RANKING OF HOW WELL TECH COMPANIES PROTECT YOUR PRIVACY
The Electronic Frontier Foundation released its seventh annual “Who Has Your Back” report, evaluating 26 tech companies on how well they protect people from government surveillance. The EFF ranked the companies on five criteria: if they followed best practices for privacy, if they informed users when the government requested data, if they promised not to sell users' data, if they stood up to gag orders and if they supported reforming the National Security Agency's Section 702 surveillance program.

Only nine companies got gold stars for all five criteria: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr and Wordpress. Google, Microsoft and Facebook missed a mark for abiding by gag orders, while Apple lost one over its stance on the NSA’s Section 702. Amazon, the last of the Big Five tech companies, scored the lowest with only two stars. CNET, EFF

Alphabet and the EU: Alphabet, the parent company of Google, has ramped up its legal firepower as it prepares to do battle with EU antitrust regulators after a landmark $2.7 billion fine last month and the possibility of a second record sanction before the end of the year. The company has reportedly retained at least five top law firms in Brussels to help it deal with its EU regulatory troubles. Reuters

  THE WORLD                                     

CHINA ORDERS TELECOMS TO BLOCK VPN WORKAROUNDS BY FEBRUARY
China’s government has told telecommunications carriers to block individuals’ access to virtual private networks by Feb. 1, a move that would shut down a major window to the global internet for Chinese web users. Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using virtual private networks, or VPNs. VPNs allow Chinese citizens to evade the country's notorious "Great Firewall” by routing web traffic abroad. Bloomberg, CNET, Engadget

AUSTRIA PROPOSES LAW TO ALLOW POLICE ACCESS TO MESSAGING DATA
Austria is pursuing plans to give police authority to monitor messaging services such as WhatsApp and Skype in an attempt to "close the gap" on criminals who increasingly avoid communicating via telephone. The government has asked political, technology, civil rights and legal experts to review draft legislation that would give it authority to monitor real-time conversations using new messaging services and applications when police have a court order. Reuters
MUST READS
Two-factor authentication is a mess: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts,” writes Russell Brandom in The Verge. “Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”

The NSA confronts a problem of its own making: “The NSA finds itself confronting two wicked problems—one technical, the other human,” writes Amy Zegart in The Atlantic. “The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least ‘no, but…’ In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it.”

The encryption debate should end right now: “The NSA and the CIA’s recent misadventures in securing their wares is just one among many points in favor of encryption,” writes Brian Barrett in Wired. “After months of spy agency tools gone rogue, though, the only argument needed should be a lesson you probably learned in junior high: Don’t share secrets with people who can’t keep them.”
 






 

Center on National Security
Fordham University School of Law
150 W. 62nd St. 7th Floor
New York, NY 10023 US
Copyright © 2016 Center on National Security, All rights reserved.