Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
–THE REDDIT HUNT. The House Science Committee is raising the heat as Republicans investigating the deletion of Hillary Clinton’s emails look into allegations about a Clinton IT staffer on the web forum Reddit. The panel has threatened to subpoena the alleged author of the Reddit post in question if he does not submit to a transcribed interview by Friday. At issue is whether an employee of the firm that managed Clinton’s server sought advice on how to digitally alter the address lines of emails thought to be from Clinton — the day after the State Department had agreed to provide certain Clinton emails to the Benghazi Committee.
Some Reddit users claim to have uncovered a two-year-old post from an account believed to belong to Paul Combetta, who worked with the firm managing the server. The message has been deleted, but can be read in archives of the page saved by other users. “I may be facing a very interesting situation where I need to strip out a VIP’s (VERY VIP) email address from a bunch of archived email… Basically, they don’t want the VIP’s email address exposed to anyone, and want to be able to either strip out or replace the email address in the to/from fields in all of the emails we want to send out,” reads the post, by a user named stonetear, circumstantially linked to Combetta, who is believed to have used that username elsewhere. “Does anyone have experience with something like this, and/or suggestions on how this might be accomplished?”
Republicans are seizing on the matter to press ahead with the probe of Clinton’s email server. The House Oversight Committee is also carrying out its own investigation.
A POLICY UPDATE:
–NY STATE CYBER REGS. Experts and stakeholders say there is a lot to like about New York’s statewide plan to increase cybersecurity in the financial sector. But they question why states are heading up the charge.
Last week, Gov. Andrew Cuomo (D) unveiled a new regulatory plan aimed at shoring up security practices for banks, insurers and other financial institutions. The rules include requirements to employ a chief information security officer (CISO), regularly test networks for vulnerabilities, encrypt sensitive information, and create written policies defining security practices and incident response.
“It is a good first step,” said Simone Petrella, chief cybersecurity officer at CyberVista. CyberVista trains businesses to deal with digital threats.
“Creating a detailed cybersecurity program can actually be extremely valuable, especially in the financial industry,” she said.
Surveys conducted by the New York Department of Financial Services in 2014 and 2015 cast some doubt on the preparedness of many institutions to tackle computer threats. More than a third of small banks did not audit third-party vendors’ handling of customer data. Only a quarter of banks of any size had policies in place to deal with security risks from cloud computing.
Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association, said that, with a few quibbles on definitions, New York’s proposed regulations “harmonized” with what banking regulations look like on a national scale.
Requiring a CISO, he said, would be in keeping with a national requirement to have a central figure in charge of physical security.
Petrella praised the idea of adding that kind of central executive figure. However, she cautioned that there would be “a lot of challenges.”
There is a severe shortage of cybersecurity professionals, even before requiring banks and insurers to promote one to the executive level. That might lead to a skills gap, she said, for smaller companies unable to compete for experienced talent.
A LIGHTER CLICK:
OVERNIGHT CYBER’S FIRST SKATEBOARDING UPDATE. Meet the eight-year-old in the big leagues of competitive skateboarding. (via BoingBoing)
A HACK IN (EVEN LESS) FOCUS:
–FEAR: STILL HERE. The hacker Fear now acknowledges he did not hack Neustar, as he had claimed on Monday. Nonetheless, Fear still claims to have hacked government FTP servers.
“I did not hack Neustar, i lied to media to troll them,” he wrote in a Pastebin message titled “The Truth” that he tweeted to The Hill early Tuesday morning.
Fear claimed he had hacked Neustar, a company involved in registering domains, and used passwords he stole in that breach to hack a number of government websites. He claimed he had pilfered voter registration information from every county in the United States, which he planned to sell.
His original claims were reported by a number of sites, including The Hill. But Neustar quickly pushed back, noting that the company does not have access to the passwords Fear claimed to have stolen. Neustar’s only connection to the FTP servers is helping them register their internet addresses – something that does not involve a server password.
FTP – or File Transfer Protocol – is a barebones way to transfer files over the internet, used to upload or download documents in situations that do not require the visual layout of a website.
Fear had claimed he had access to all FTP servers with a “.us” domain (as opposed to “.com” or “.org”) and to many “.gov” FTP servers.
He now claims he hacked a much more modest number of machines – “30+ .US and .gov domains” – and says he hacked them using vulnerabilities on the servers rather than stolen credentials. Neustar was not breached or in any way part of his spree.
Fear is also now claiming he has amassed at least 100 million social security numbers from one of the servers, a “United States banking server with known gov banks.”
WHO’S IN THE SPOTLIGHT:
–SWIFT. The Society for Worldwide Interbank Financial Telecommunication (SWIFT), the banking transaction service that hackers used to steal more than $80 million from the central bank of Bangladesh, is adding a new fraud protection system.
Starting in December, the network will send its member banks summaries of their communications, with a separate note flagging suspicious transactions.
Hackers attempted to steal more than $1 billion from the Bangladeshi bank by hacking into its systems to request large transfers from foreign accounts. The New York Fed transferred $81 million before the fraudulent activity was noticed.
The transaction summaries — which SWIFT is calling Daily Validation Reports — will give banks a better chance to see whether messages are being sent in their names and cut off robbers before another large robbery.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
MIT technology can wirelessly detect human emotions. (Motherboard)
Delaware wants your blockchain-based business. (GCN)
Tesla patched a remote hacking problem. (Threatpost)
North Korea has just 28 websites. (Motherboard)