Overnight Cybersecurity: Uber under scrutiny over 2016 breach | Chinese nationals indicted on federal hacking charges | Supreme Court to weigh cellphone privacy

Overnight Cybersecurity: Uber under scrutiny over 2016 breach | Chinese nationals indicted on federal hacking charges | Supreme Court to weigh cellphone privacy
© Getty Images

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--UBER FACING SCRUTINY OVER HACK REVELATIONS: Uber is reeling from a new controversy over revelations the company tried to cover up a massive breach last year in which hackers pilfered information from 57 million of its customers. As a result of the hack, the ride-share company now faces probes from multiple state attorneys general, as well as international regulators in Europe. The revelation has already triggered questions on Capitol Hill, with Sen. Mark WarnerMark Robert WarnerBipartisan senators urge national security adviser to appoint 5G coordinator Hillicon Valley: Commerce extends Huawei waiver | Senate Dems unveil privacy bill priorities | House funding measure extends surveillance program | Trump to tour Apple factory | GOP bill would restrict US data going to China Klobuchar unveils plan to secure elections as president MORE (D-Va.) demanding answers from company leadership on its response to the incident. "I write to you with grave concerns about your company's handling of a breach impacting millions of your users and hundreds of thousands of your drivers," Warner wrote in a letter to Uber CEO Dara Khosrowshahi on Monday. Separately, Republicans on the Senate Finance and Commerce Committees wrote to Khosrowshahi requesting information on the circumstances surrounding the data breach.

To read our latest coverage, click herehere, and here.


--FBI REPORTEDLY FAILED TO INFORM U.S. OFFICIALS THEY WERE RUSSIAN HACKING TARGETS: The FBI reportedly did not inform U.S. government officials that a Russian hacking operation was attempting to breach their personal emails. According to an investigation by The Associated Press, the bureau possessed evidence for a year that showed the officials were targets of a Kremlin-linked hacking entity known as Fancy Bear. The AP said that in the course of its almost 80 interviews, it identified only two instances in which the bureau informed the officials. Three sources confirmed to the news outlet that the bureau was aware of the cyber efforts for over a year. "The FBI routinely notifies individuals and organizations of potential threat information," the FBI said in a statement to the AP. The AP said the Fancy Bear operation was connected to DCLeaks, one of the websites that published emails of Democratic Party officials during the 2016 election.

To read our coverage, click here, and to read the full Associated Press report, click here.

--CHINESE NATIONALS FACE CHARGES FOR ALLEGEDLY HACKING INTO U.S. BUSINESSES: A federal grand jury in Pittsburgh has indicted three Chinese nationals on charges of computer hacking for allegedly penetrating networks used by Moody's Analytics and other U.S. businesses to steal sensitive information and communications. According to the indictment unsealed Monday, the three individuals -- Wu Yingzhuo, Dong Hao and Xia Lei -- are all owners, employees or associates of a Chinese cybersecurity company called Boyusec. Beginning in at least 2013, the defendants "and others known and unknown to the grand jury" used spearphishing emails containing malicious attachments or customized malware to hack into networks used by U.S. and foreign businesses, according to the indictment. Their targets included Moody's, Trimble Inc. and Siemens AG, the latter of which has offices in Pittsburgh. The hackers allegedly stole roughly 407 gigabytes of data from Siemens's network in 2015.  

To read the rest of our piece, click here.



JUSTICES TO WEIGH CELLPHONE PRIVACY IN LANDMARK CASE: The privacy of emails, photos stored in the cloud, even heart rate history from a smartwatch could be at stake, according to civil libertarians, as the Supreme Court takes up a potential blockbuster case after Thanksgiving.

When they return to the bench after the holiday, the justices will weigh whether the history of cellphone locations stored by a phone service provider is searchable without a warrant.

The case, Carpenter v. U.S., centers on Timothy Carpenter, who argues the government violated his Fourth Amendment protection against unreasonable search and seizure when it obtained his cellphone location records from MetroPCS and Sprint without a warrant. Authorities then used that data as trial evidence to convict him of a string of robberies at Radio Shack and T-Mobile stores in Michigan and Ohio from December 2010 to March 2011.

The government argues that it was well within its rights under the Stored Communications Act of 1986 to get a court order for the records. The law allows this type of data to be searched if the government can show reasonable grounds to believe it will be relevant to a criminal investigation.

To obtain a warrant, law enforcement officers, however, must show there is probable cause.

But beyond the law, the government is arguing that Carpenter lacks a legitimate expectation of privacy because he voluntarily turned his location information over to a third party when he signed up for cell service. It's a legal theory known as the third-party doctrine.

"Petitioner lacks any subjective expectation of privacy in phone-company records of historical cell-site data because they are business records that MetroPCS and Sprint create for their own purposes," acting Solicitor General Noel Francisco, acting Assistant Attorney General Kenneth Blanco and Department of Justice Attorney Jenny Ellickson argued in a court brief.

American Civil Liberties Union (ACLU) staff attorney Nathan Freed Wessler, who's representing Carpenter, called the implications of that argument "stunning."

"If the government's position wins, it would imperil the search queries people enter into Google or WebMD, our complete browsing histories showing everything we read online, the heart rate data from a smartwatch saved by Apple, a person's whole life in photos uploaded to the cloud and so much more," he said.

"In the 21st century we really can't go about our daily lives without creating these pervasive, highly sensitive digital records held by companies we interact with," he said.

To read the rest of our piece, click here.



Happy Cyber Monday!



U.S.-based cybersecurity heavyweight McAfee announced Monday that it will acquire cloud security startup Skyhigh Networks, marking its first acquisition since spinning out from Intel as a standalone company earlier this year.

"Skyhigh is an ideal complement to McAfee's strategy--one focused on building and optimizing mission-critical cybersecurity environments for the future. Cloud security has historically been an afterthought of, or impediment to, cloud adoption," Chris Young, McAfee CEO, said in a message to company stakeholders.

"With customers' most valuable asset, data, increasingly finding residence in the cloud, it's time security move to the forefront. At the same time, security cannot hinder cloud adoption, as the transformation the cloud promises extends far beyond the corridors of IT to every facet of modern business," Young continued.

California-based McAfee spun out from under Intel back in April to become an independent security-focused entity. Skyhigh, launched five years ago, is recognized as one of the top vendors of cloud access security brokers (CASB).

"Becoming part of McAfee is the ideal next step in realizing Skyhigh Networks' vision of not simply making the cloud secure, but making it the most secure environment for business," Skyhigh Networks CEO Rajiv Gupta said in a statement.

"McAfee will provide global scale to further accelerate Skyhigh's growth, with the combined company providing leading technologies and solutions across cloud and endpoint security – categories Skyhigh and McAfee respectively helped create, and the two architectural control points for enterprise security," he said.



GOP TEXAS REP. Will HurdWilliam Ballard HurdImpeachment hearings likely to get worse for Republicans The Hill's 12:30 Report: Democrats open televised impeachment hearings Here are the key players to watch at impeachment hearing MORE: Rep. Will Hurd (R-Texas) thinks there's something missing from the congressional investigation into Russia's election meddling: solutions for countering foreign disinformation campaigns.

"We're not talking enough about disinformation and how we counter disinformation," Hurd said in a recent interview with The Hill's Morgan Chalfant and Ali Breland in his Capitol Hill office. "That is where a broader conversation needs to be happening here in Congress. Because we do not have a strategy on dealing with disinformation from a nation-state actor."

The House and Senate Intelligence committees are 10 months into their parallel investigations into Moscow's interference in the 2016 presidential election.

As the committees sift through documents and conduct interviews, the conversation has largely centered on whether President Trump's campaign colluded with the Russian government.

The U.S. intelligence community in January identified disinformation as a key prong of Russia's influence campaign against the election. Moscow leveraged state-run media outlets, third-party intermediaries and paid social media "trolls" to spread propaganda, the unclassified assessment stated.

But it wasn't until September that Russia's disinformation campaign started to come into full focus, when Facebook revealed that it sold roughly $100,000 in political advertisements to Russia-linked accounts. The social media giant estimates that the ads reached as many as 146 million Americans.

Representatives from Facebook, Twitter, and Google were hauled before congressional investigators to testify at the end of October on recent efforts to exploit their platforms.

"I think the public hearings of the three social media companies was valuable to really understand how the Russians were trying to disrupt," Hurd, a member of the House Intelligence Committee, said. "I say we have to broaden the conversation. Were they trying to influence the campaign, our elections? Yes. But they were doing it to erode trust in our institutions.

"The question becomes -- how do you counter that?"

Since the election, researchers have continued to observe Russia's propaganda activity targeting U.S. audiences on social media. In August, experts told The Hill that the messaging had shifted to amplifying the messages of the alt-right and far-right.

Hurd said that rooting out Russian propaganda is a "whole-of-society problem" -- one that warrants action from government and private entities, including news agencies and social media firms.

To read more from The Hill's interview with Rep. Hurd, click here.


Starting Tuesday, check out The Hill's new daily podcasts. Journalists Alexis Simendinger and Niv Elis provide a behind-the-scenes view of the latest breaking developments, drilling deep to get to the heart of what's happening, and why it matters to you. Listen to AM View weekday mornings, PM View weekday afternoons, and Power Politics on the weekend.

Subscribe now: Apple Podcasts | Soundcloud | Stitcher | Google Play | TuneIn



'Links from our blog, The Hill, and around the Web.

The State Department loses a top IT official. (The Hill)

Intel chip bug gives attackers 'virtually complete control' over systems. (The Hill)

Feds charge Iranian hacker with stealing HBO files. (The Hill)

Op-ed: Congress poised to jam through reauthorization of mass surveillance. (The Hill)

Op-ed: We have no counterattack to Russia's information warfare. (The Hill)

Mexico's transparency authority is seeking information on the Uber breach. (Reuters)

Imgur discloses 2014 intrusion that affected 1.7 million user accounts. (Imgur)

Here are '60 cyber predictions' for the coming year. (Forbes)

Lawmakers are scrambling to address potential 2018 election hacking with legislation. (Politico)

The ACLU says the Trump administration's new VEP rules are an improvement over the Obama-era. (ACLU)

If you'd like to receive our newsletter in your inbox, please sign up here.