Overnight Cybersecurity: Judiciary chair details cyber priorities | Cyber experts halt work with cops over travel ban | Tillerson's cybersecurity challenges


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...


THE BIG STORIES:

--TILLERSON CONFIRMED: Newly minted Secretary of State Rex Tillerson inherits the right to represent the United States in international diplomacy - including some hot-button cybersecurity matters. Beyond the oft-mentioned U.S. relationship with Russia, Tillerson will also take the reins of the relationship with our cyber-peer China. China had regularly attacked U.S. companies to steal intellectual property until previous Secretary of State John Kerry negotiated a deal that left those attacks out of bounds. The accord resulted in a dramatic reduction in Chinese activity. Tillerson may also take over Obama-era efforts to establish international cyberwarfare norms – in effect, what does and does not constitute an act of war in the digital domain. But it remains to be seen if those efforts will remain a priority in the new administration. For more on the confirmation, click here.

--SESSIONS ADVANCES FROM COMMITTEE: And with a close vote anticipated for Secretary of Education nominee Betsy DeVos, Sessions may need to remain a senator a little while longer before being voted on as attorney general. Though much has been made of Sessions's confirmation hearing comments about implementing encryption backdoors (he's in favor), he will have to look at more than the ever-encroaching realm of surveillance. Justice is currently determining its next steps in the Microsoft / Ireland case, where a court determined that data stored on foreign servers was not subject to U.S. warrants. Instead, DOJ would now be required to petition the country the server is in to access the data. For more on the Sessions vote, click here.


A POLICY UPDATE:

--PRIORITIES: At a talk at the Federalist Society, House Judiciary Committee Chairman Bob Goodlatte (R-Va.) laid out his priorities for the coming session.

"It's imperative that we continually examine federal criminal laws to ensure they protect civil liberties while also providing law enforcement with the tools needed to fight crime and keep us safe," he said.

His agenda included reform of Section 702 of the FISA Amendments Act as it comes up for renewal. Section 702 allows the intelligence community to intercept communications from foreign individuals - not just the metadata, but the actual phone calls, emails, messages and web browsing.

Privacy advocates note that narrowly targeting foreign communications is very difficult, and that Americans' communications are inadvertently swept up in 702 collection.

Goodlatte also mentioned reforming the Electronic Communications Privacy Act (ECPA). Most lawmakers agree that ECPA is outdated. The law, which allows federal officials to retrieve emails or other stored files left on third-party servers for more than 180 days, passed in 1986 - before the invention of the World Wide Web and well before the invention of modern cloud storage or web mail.


A LIGHTER CLICK: 

GROWBOT!


SOME REPORTS IN FOCUS:

--INSIDER TRADING NO LONGER REQUIRES PANTS: Insider trading and other forms of access-related corporate crime earn some dark web traders as much as $5,000 a month, according to a new report.

Insider risk management firm RedOwl and the threat intelligence firm IntSights profiled two dark web marketplaces where insiders trade privileged information for profit.

The report claims the forums are lively. "Kickass Forum" averages five posts a week, resulting in 40 bitcoins' worth of transactions ($35,000). Kickass, which vets each post for accuracy, costs 1 bitcoin a year to join.

To read the rest of our piece, click here.

--MOBILE SECURITY IS THIS BAD: Most of the time, the market for security vulnerabilities focuses on vulnerabilities that not even the manufacturers know about. Colloquially, they are called "zero-days," as in "the company has had zero days to patch this bug."

But mobile systems have a unique hole in the patching process. Though Google creates Android patches, it is up to the phone manufacturers to implement them for their specific phones. So while reliable companies patch their wares every few weeks, many fly-by-night companies never do.

Making matters even more confusing, the vast majority of Android users have phones running operating systems that are well out of date and no longer patched. Only around 30% of users have Android Marshmallow or newer - the versions still being patched.

Enter the firm Zimperium, which is allocating $1.5 million to purchase exploits for already-patched bugs that still work on phones that have not received the fix. It will release the bugs to manufacturers for repair after one to three months - or sell immediate notification to manufacturers through a subscription service.


WHAT'S IN THE SPOTLIGHT:

--THAT TRAVEL BAN. STILL: Cybersecurity researchers are refusing to work with law enforcement agencies, and conferences are reconsidering events in the U.S., in the wake of President Trump's executive order temporarily halting travel from seven predominantly Muslim countries and suspending refugee resettlement.

"I have incredible respect for the law enforcement community," Jon Sawyer, a well-known Android phone hacker, told The Hill in an interview. "I have a brother that's a sheriff -- who is a good sheriff. But when you have law enforcement blatantly ignoring the courts, that's a big issue."

Sawyer announced via Twitter over the weekend that he would no longer assist law enforcement in forensic investigations until Customs and Border Patrol (CBP) "complies with the court orders, and again when we have sane leadership."

"It makes me wonder if something I coded to help with one kind of investigation might be used to violate someone's privacy in a different investigation," he said.

Sawyer says he does formal forensic work for law enforcement agencies "several" times a year and provides help via email even more often.

"My brother, the sheriff, could call me tomorrow and ask for help and I would have to turn him down," he said.

Tech conferences have been similarly affected by Trump's travel ban, in part because the order makes it difficult to gather international researchers in the same place.

The Internet Engineering Task Force (IETF), for example, is already reconsidering future American events.

The IETF determines communications standards used on the internet.

"The IETF does not make comments on political matters. But we do comment on topics that affect the IETF and the Internet. Specifically, the recent action by the United States government to bar entry by individuals from specific nations raises concerns for us--not only because upcoming IETF meetings are currently scheduled to take place in the U.S., but also because the action raises uncertainty about the ability of U.S.-based IETF participants to travel to and return from IETF meetings held outside the United States," it wrote on its website Monday.

Organizer Per Thorsheim outright canceled the U.S. date of PasswordsCon.

The conference, pitched as "the first and only conference about passwords," had held yearly events in both the United States and the Netherlands. Its U.S. gathering had been affiliated with the BSides Las Vegas conference in June since 2015.

To read the rest of our piece, click here.


IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

A tech glitch locked reporters out of an administration conference call about Iran. (The Hill)

With the help of an extra week, Apple breaks revenue record. (The Verge)

"The future of fake news is real time video manipulation." (Boing Boing)

Two-thirds of email is spam. (DarkReading)

Overnight Cybersecurity is the other third. (Common sense)


If you'd like to receive our newsletter in your inbox, please sign up here.