Overnight Cybersecurity: US, UK blame Russia for ‘notPetya’ attack | Bannon refuses to answer questions not pre-approved by White House | ‘Hack the Air Force’ yields 100 vulnerabilities

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

–U.S. BLAMES RUSSIA FOR ‘NOTPETYA’ ATTACK: The Trump administration on Thursday publicly blamed Russia for the massive notPetya cyberattack that ravaged computer systems worldwide last June, and warned that there would be “international consequences.” “In June 2017, the Russian military launched the most destructive and costly cyber-attack in history,” the White House said in a written statement Thursday afternoon. The White House issued the statement hours after the British government similarly blamed Russia for the destructive malware attack. The Trump administration warned the “reckless and indiscriminate” attack “will be met with international consequences.” “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House said. “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” Reuters reported earlier Thursday that the British announcement had been coordinated with other countries including the U.S. and that some other nations were expected to make their own statements attributing the attack in comings days. The Russian government denies responsibility for the cyberattack.

{mosads}

–THE PUBLIC ATTRIBUTION of notPetya comes roughly two months after the United States publicly denounced North Korea for the “Wanna Cry” cyberattack that occurred last May. White House homeland security adviser Tom Bossert made the announcement from the White House podium, emphasizing the need to hold malicious cyber actors accountable. Britain also blamed Pyongyang for Wanna Cry. The notPetya computer virus broke out last June, first spreading to machines of organizations in Ukraine and later spreading to others in Europe and the United States. Ukraine appeared to be the initial target of the attack, generating suspicions that Russia was to blame. While the virus initially appeared to be ransomware, experts quickly concluded that it was designed to destroy data. Victims were locked out of their machines and asked to pay a $300 ransom in bitcoin; however, those who paid the ransom did not ultimately recover their stolen files. The attack had a particularly severe effect on global shipping giant A.P. Moller-Maersk, forcing the shutdown of the largest terminal at the Port of Los Angeles for several days. The Trump administration’s move is likely to ratchet up tensions with Moscow, despite President Trump’s desire to achieve better relations with Russia to cooperate on issues such as North Korea.

To read more of our coverage, click here and here.

–BANNON INTERVIEW IRKS LAWMAKERS: Former White House chief strategist Stephen Bannon would only answer questions pre-approved by the White House during an interview Thursday with the House Intelligence Committee, lawmakers said. Members from both parties were fuming after the interview, which lasted roughly three hours, saying Bannon had refused to answer any questions that touched on his work for President Trump after the 2016 election. “The only questions he would answer were questions that had been scripted, literally scripted, for him by the White House. A set of 25 questions that had been written out for him to which the answer to each must be ‘no,'” said Rep. Adam Schiff (Calif.), the panel’s ranking Democrat. Bannon invoked executive privilege when asked questions that extended beyond his list, an assertion the committee does not believe he has the grounds to make, the lawmakers said. “There is no plausible claim of privilege that could apply to those circumstances,” Schiff added. “The breadth of that claim is breathtaking and insupportable, and indeed, at times, it was laughable.”

BANNON WAS APPEARING before the committee for the second time as part of its investigation into Russian interference in the 2016 election. Rep. Mike Conaway (Texas), the senior Republican leading the probe into Russian election interference, said the committee is planning to examine what further steps the committee can take to compel the former chief strategist to provide answers. “He did not answer all the questions we’d like answered so there is frustration among the committee members with respect to that,” Conaway said. “We have further steps to take and we will be taking those.” When asked whether the committee plans to hold Bannon in contempt of Congress, Conaway said the decision extends to others like Speaker Paul Ryan (R-Wis.). “Contempt is a big deal, and I don’t have unilateral control over that conversation,” he said. Schiff, meanwhile, directly called for Bannon to be held in contempt of Congress. “In terms of next steps I think the next steps for the Congress to take is to initiate contempt proceedings,” Schiff said, adding that Bannon was given a chance to say why he should not be held in contempt.

To read more of our coverage, click here.

 

A ‘BUG BOUNTY’ UPDATE: 

RESEARCHERS FIND 100 VULNERABILITIES THROUGH ‘HACK THE AIR FORCE’: So-called white-hat hackers discovered more than 100 vulnerabilities in Air Force networks in the second round of the service’s “bug bounty” program, according to figures released on Thursday.

The program, called Hack the Air Force, invited security researchers to find and report vulnerabilities in the service’s government systems and rewarded them for doing so.

More than two-dozen hackers from around the world discovered 106 vulnerabilities in Air Force networks, which earned them nearly $104,000 combined, bug bounty platform HackerOne announced on Thursday. 

The Hack the Air Force initiative is part of a larger bug bounty effort at the Pentagon, established by Defense Secretary Ash Carter during the Obama administration to help bolster the U.S. military’s digital defenses.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” Peter Kim, the Air Force’s chief information security officer, said in a statement Thursday. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

The latest challenge for the Air Force generated a $12,500 payout to one hacker for discovering a vulnerability, the largest bounty paid yet in any federal bug bounty program.

Bug bounty initiatives have become increasingly popular as organizations and businesses look to secure their digital systems from mounting cyber threats.

Since the Pentagon program launched in 2016, white-hat hackers have turned up more than 3,000 vulnerabilities that have since been resolved.

To read the rest of our piece, click here.

 

A REPORT IN FOCUS:

A new report is proposing a solution to help with the ongoing debate on whether law enforcement authorities should be able to hack into a device and obtain personal information as part of a federal investigation.

The National Academies of Sciences, Engineering, and Medicine is proposing a framework to evaluate proposals from government agencies seeking “access to unencrypted versions of encrypted communications and other data.”

The report comes as federal law enforcement officials are grappling with the issue of “going-dark,” or not being able to infiltrate encrypted devices that investigators say would provide critical information to their probes. The issue came into full focus amid the dispute between the FBI and Apple over data stored on an iPhone belonging to one of the attackers in the December 2015 San Bernardino attack. 

Privacy-hawks on Capitol Hill as well as other technology experts have warned against allowing “back doors” to these devices to federal authorities, arguing that it could violate people’s civil liberties.

“The debate over efforts to enable government agencies access to plaintext has long been very polarized,” Fred Cate, chair of the committee that authored the report, said in a statement.

“This is the first time that such a diverse array of experts representing so many important and often conflicting viewpoints worked together to reach consensus on the critical issues raised by encryption and the questions policymakers should ask when addressing them,” added Cate, who serves as a Dutton Professor of Law at Indiana University.

The framework lays out eight key questions policymakers or members of the tech community should consider when drafting a “proposal to provide authorized government agencies with access to encrypted content,” according to the report.

This includes how it will help law enforcement in a case-by-case basis, how will the devices’ stored-data security be affected, what civil liberties are at risk, and what the financial costs will be, among others.

“Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward,” Cate added.

To read more from the report, click here.

 

A LIGHTER CLICK:

Kim Dotcom weighs in on Democrats’ push for voting system cybersecurity.

 

WHO’S IN THE SPOTLIGHT:

VA SECRETARY SHULKIN AND HIS EMAIL HACKING CLAIM: Veterans Affairs Secretary David Shulkin said Thursday he won’t resign after a scathing inspector general report released the day before said his chief of staff doctored an email to gain approval to use taxpayer dollars to pay travel expenses for Shulkin’s wife.

“No,” Shulkin told reporters when asked if he has considered resigning. “Listen, I came here, I left a very good career in the private sector for one reason, and that’s because I believe so strongly that our veterans deserve better care. I’m going to stay focused on that as long as I’m here to make sure that we’re doing that every day. I’m not going to be distracted by issues like that.”

He also doubled down on allegations that the aide’s email was hacked and said the department will investigate if the doctored email was among those that were hacked.

Shulkin was speaking to reporters after a largely genial House Veterans Affairs Committee in which he acknowledged “the optics of this are not good.”

The hearing came a day after a VA inspector general report about a trip Shulkin took to Europe last year. The investigator said Shulkin’s chief of staff, Viveca Wright Simpson, changed an email to make it appear Shulkin was going to be honored at a special dinner during the trip, thus necessitating his wife’s travel.

The report also knocked Shulkin for attending a Wimbledon tennis match using tickets given to him by Victoria Gosling, an adviser for the Invictus Games. Shulkin had described her as a personal friend, but the inspector general said they only met three times before in official settings.

In an interview with Politico on Wednesday night, Shulkin suggested Wright Simpson’s email had been hacked, saying she showed him evidence someone else was sending emails in her name.

On Thursday, Shulkin told reporters that “we know” someone took over Wright Simpson’s email.

“We’ve seen that somebody is impersonating her, and we have to fully investigate that to make sure that we follow the processes,” he said.

Asked whether the doctored email was among those that were sent in her name, Shulkin said he’s “not a forensics expert.”

“That’s one of things we’re looking at,” he said. “But we have found that there are people sending emails from her account that aren’t her. That’s concerning to us.”

To read the rest of our piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Lawmakers eye new programs to boost tech workforce. (The Hill)

Major cryptocurrency market charging users duplicative fees. (The Hill)

Cyber firm Symantec reports on an Android malware that harvests Facebook account details. (Symantec)

Russian trolls flooded Twitter after the Florida school shooting. (Wired)

A new botnet has originated from the ‘Grand Theft Auto‘ online gaming community. (Motherboard)

U.S. and British officials team up in op-ed pushing for legislation to enable swift law enforcement access to data overseas. (The New York Times)

RiskIQ surveys information security leaders on the digital threat landscape. (RiskIQ)