Overnight Cybersecurity: Mozilla presses FBI to disclose hacking trick

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–TODAY, IN FBI NEWS: Mozilla is pressing the government to disclose a possible security vulnerability in its Firefox web browser that helped the FBI track down visitors to a child pornography site. The vulnerability is at the center of a case in the Western District of Washington. Mozilla filed a brief on Wednesday with the court asking that the FBI disclose the vulnerability to it before releasing it to anyone else, including the defendant in the case. Mozilla said there is good reason to believe the unknown vulnerability is still active and it is putting millions of users at risk. “Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well,” the group wrote in the court filing. The federal case centers around a child pornography website that the FBI took over in order to track visitors to the site. The site was located on the deep web outside the reach of common search engines. To access it, users were required to have special anonymity software, called the Tor Browser, which is partially based on Firefox’s open source code. The FBI exploited a software vulnerability in the Tor network that allowed law enforcement to trace the location of the computers visiting the site. Because Tor’s code is partially based on Firefox, the group believes the vulnerability is widespread. “Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products,” the group said. To read our full piece, click here.

–MEANWHILE…: A group of senior officials from the United States and China on Wednesday held their first meeting on cybersecurity issues in accordance with an anti-hacking pledge struck by the two nations in September. The so-called Senior Experts Group addressed “international norms of state behavior and other crucial issues for international security in cyberspace,” according to a State Department statement that provided few other details. The meeting was led on the U.S. side by Christopher Painter, coordinator for cyber issues at State, and Wang Qun, director-general of the Department of Arms Control in China’s Ministry of Foreign Affairs, on the Chinese side. Other officials from the State Department, the Department of Defense, Department of Justice and Department of Homeland Security were also present. The group is expected to meet twice a year. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–WE’RE ALL FRIENDS HERE. A Republican will co-sponsor a bill from Sen. Ron Wyden blocking a Justice Department request to expand its remote hacking powers, an aide to the Oregon Democrat tells The Hill.

The measure, originally expected this week, is now anticipated early next week. Wyden’s office would not name the anticipated co-sponsor on Thursday.

At issue is a proposed alteration to little-known criminal procedure rules — approved by the Supreme Court last month — that would allow judges to grant warrants for electronic searches in multiple locations, even when investigators don’t know the physical location of a device.

The Justice Department, which has been working for years on getting the change, insists the revision to what’s known as Rule 41 is a necessary update to match the realities of modern digital investigations.

Onlookers say the opposition to the change has united civil liberties advocates from both sides of the aisle who are concerned that the amendment is a form of government overreach.

To read our full piece, click here.

 

A LIGHTER CLICK:

–IT FINALLY HAPPENED. “CSI: Cyber” has been canceled.

While we won’t be crying any tears over this, there’s some question in The Hill’s offices whether our merciless mocking brought this to bear.

 

A HEARING IN FOCUS:

–NOT SEEING EYE TO EYE HERE. A criminal investigation is underway over the removal of tens of thousands of taxpayers’ personally identifiable information from the Federal Deposit Insurance Corporation (FDIC), the agency’s internal watchdog said Thursday.

“I can confirm the existence of one criminal investigation arising out of the incidents that form the basis for today’s hearing,” said FDIC Acting Inspector General Fred W. Gibson Jr. during a House Committee on Science, Space and Technology subcommittee hearing.

Gibson cautioned that case is open and “in a pre-indictment phase which limits my ability to discuss it directly.”

The FDIC on Monday reported to Congress five “major” data breach incidents.

Each case involves employees with authorized access to the data who inadvertently downloaded information with personal files when they left the agency.

Lawmakers on Thursday accused the agency of not taking the breach seriously enough.

“Mr. Gross, you and I are viewing this incident from a completely different perspective,” Rep. Bill Posey (R-Fla.) said. “[You] call it a data breach. Where I’m from, we call it a theft if you take something that’s not yours.”

To read our full piece, click here.

 

WHO’S IN THE SPOTLIGHT:

–SWIFT. The widely used banking payment network was not breached in the $81 million hack of the Bangladesh central bank, the company’s chief executive said Thursday.

“At the end of the day, we weren’t breached. It was, from our perspective, a customer fraud,” Gottfried Leibbrandt, CEO of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), said at a financial conference in Frankfurt.

Security researchers with the British defense contractor BAE Systems said last month that hackers exploited a flaw in client messaging software known as Alliance Access.

The software comes from the Brussels-based SWIFT, a collective owned by over 3,000 financial institutions. Banks across the world use the system to exchange information about financial transactions.

In February, unknown hackers stole $81 million from the Bangladesh account at the Federal Reserve Bank in New York in what is considered the largest cyber heist in history.

According to BAE, the thieves used malware to hide evidence and delay discovery of the attack, including erasing records of illicit transfers.

To read our full piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

FBI Director James Comey says he expects the U.S. government to seek more lawsuits over access to encrypted communications. (The Hill)

Rep. John Ratcliffe (R-Texas) on Thursday introduced a bill that would force the White House to sanction seven Iranians recently indicted for a series of coordinated cyberattacks against the U.S. financial sector and for infiltrating a New York dam. (The Hill)

Europe’s biggest software company, SAP, is the subject of a U.S. security alert over a vulnerability the firm disabled six years ago that can still give outside attackers remote control over older SAP systems if the software is not properly patched. (Reuters)

Cyberattack techniques used by the U.S.-led coalition against the Islamic State could also be used by other countries, U.S. Defense Secretary Ashton Carter said. (Reuters)

The Pentagon’s internal watchdog is launching two audits of the sprawling Defense Department’s cybersecurity, officials said.

British broadband operator TalkTalk said it has bounced back from a customer data theft in October, stabilizing its customer base in the final quarter after 95,000 subscribers left following the breach. (Reuters)

 

If you’d like to receive our newsletter in your inbox, please sign up here.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
