Overnight Cybersecurity: Watchdog seeks release of Clinton aide’s deposition


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORY:

–TODAY, IN CLINTON NEWS: The conservative watchdog group Judicial Watch is seeking to unseal videos of court-ordered interviews with top aides of former Secretary of State Hillary Clinton. The depositions were taken as part of an open records lawsuit seeking documents related to former deputy chief of staff Huma Abedin’s employment status. It was dismissed in 2014, but reopened the following year, after the discovery of Clinton’s use of a private email server while in office. The interviews themselves concern “the creation and operation of clintonemail.com for State Department business, as well as the State Department’s approach and practice for processing FOIA requests that potentially implicated former Secretary Clinton’s and Ms. Abedin’s emails and State’s processing of the FOIA request that is the subject of this action,” according to the group. Some of Clinton’s stiffest foes are continuing their pursuit of the Democratic presidential nominee, even after her defeat in the election. President-elect Donald Trump has said that he does not plan to push a prosecution of Clinton, but others haven’t given up the chase. To read our full piece, click here. To read about the Judicial Watch motion, click here.  

–MEANWHILE…: The State Department on Monday released 80 of the 15,000 Hillary Clinton emails uncovered by the FBI during its investigation into the former secretary of State’s personal email server. Many of the documents — comprising about 340 pages — are “near duplicates” of documents Clinton provided to the State Department in 2014 and have already been made public, according to the agency. A “near duplicate,” according to the agency, would include emails identical to previously released chains that were forwarded from Clinton to aides with the note “Please print,” for example. To read our full piece, click here.

 

A POLICY UPDATE:

–NDAA. The Senate is expected this week to take up the annual defense policy bill, passed by the House last week. The proposal has a number of cyber-related goodies, including elevating the U.S. Cyber Command to full combatant command unit.

The $619-billion legislation also includes a measure from Rep. Cedric Richmond (R-La.) that would direct the Department of Homeland Security (DHS) to create an agency plan to patch the government’s digital security holes and shore up against future attacks.

 

A LIGHTER CLICK:

–THIS ISN’T REALLY FUNNY. No, really. It’s not.

 

A REPORT IN FOCUS:

–DISTRIBUTED MAYHEM: Researchers at Newcastle University unveiled a distributed guessing attack that can generate working credit card information – including number, expiration date and security code – in as little as six seconds.

Payment systems are designed to notice when an attacker tries to guess a credit card number or expiration date to pay for something. After a few bad guesses, a site will lock someone out.

But Mohammed Ali (a Ph.D. student at Newcastle, not the boxer, who spells his name differently) found that VISA did not check whether the same card number was being attempted simultaneously across multiple sites.

To take advantage of this quirk, a criminal could purchase a list of stolen credit card numbers without expiration dates or security codes. Ali notes it’s possible to guess. Credit card numbers follow numbering conventions, like the first numbers describing the vendor and the last digit being the result of a formula run on the prior numbers. Not all of the card numbers that meet the conventions are active numbers.

Since card numbers are only valid for 60 or so months, trying the same number with different expiration dates on 60 different sites that only ask for number and expiration date guarantees that, on some site, an active card will be matched with its correct expiration date on the first try. There is a chance that people guessing credit card numbers will come up blank in this step. For them, it is time to guess the next credit card number.

If the first step worked, then armed with that working card number and expiration date, it takes only a thousand guesses to attempt every security code. And there are more than 1,000 different sites on the internet that sell goods, so the guesses can be spread across them.

Automating the process, says Ali in the most recent IEEE Security & Privacy journal, can bring back a working set of credit card credentials in as little as six seconds – the amount of time it would take a person to run two purchases.

MasterCard, says Ali, cuts off a guesser after 10 tries even across sites.
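The gap between the two behaviors described above can be shown from the defender's side. The following is an added example, not code from the researchers or any card network: it runs the same constructed decline log through a per-merchant counter and through a network-wide counter. The event format, the token names, the per-site limit and the time window are assumptions; only the cross-site limit of 10 comes from the text.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 3     # assumed lockout threshold at a single merchant
NETWORK_LIMIT = 10     # cross-site cutoff the article attributes to MasterCard
WINDOW_SECONDS = 600   # assumed sliding window for the network-wide view

def per_site_lockouts(events):
    """Cards locked out when each merchant counts only its own declines."""
    counts = defaultdict(int)
    locked = set()
    for _ts, merchant, card, approved in events:
        if approved:
            continue
        counts[(merchant, card)] += 1
        if counts[(merchant, card)] >= PER_SITE_LIMIT:
            locked.add(card)
    return locked

def network_lockouts(events):
    """Cards flagged when declines summed across merchants reach NETWORK_LIMIT.

    Returns {card_token: distinct merchants seen in the window at flag time}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, merchant, card, approved in sorted(events):
        if approved or card in flagged:
            continue
        window = recent[card]
        window.append((ts, merchant))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()            # drop declines older than the window
        if len(window) >= NETWORK_LIMIT:
            flagged[card] = len({m for _, m in window})
    return flagged

def sample_events():
    """Constructed log of (timestamp, merchant, card_token, approved) tuples."""
    # tok_A: one attempt at each of 60 merchants within seconds, one approval
    events = [(i * 0.1, f"shop{i:02d}", "tok_A", i == 41) for i in range(60)]
    # tok_B: a cardholder mistypes twice at one shop, then succeeds
    events += [(100.0, "shop07", "tok_B", False),
               (130.0, "shop07", "tok_B", False),
               (160.0, "shop07", "tok_B", True)]
    return events

if __name__ == "__main__":
    print("per-site view :", per_site_lockouts(sample_events()))
    print("network view  :", network_lockouts(sample_events()))
```

The per-site view locks nothing, because no merchant ever sees more than one decline for tok_A, while the network view flags tok_A on its tenth decline and leaves the mistyping cardholder alone.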

 

WHO’S IN THE SPOTLIGHT:

THE PRESIDENT OF THE UNITED STATES (SORT OF): The White House announced on Monday new initiatives to bolster computer science in K–12 education.

Citing the rapidly expanding demand for technology jobs, the Obama administration outlined new efforts by two federal agencies: The National Science Foundation plans to spend $20 million on computer science education in 2017, on top of the $25 million it spent in 2016, with an emphasis on training teachers.

And the National Science and Technology Council will create a framework to help guide federal efforts “to support the integration of computer science and computational thinking into K–12 education,” according to Monday’s release.

The two agencies’ efforts, it said, will complement the Obama administration’s wider efforts to expand science, technology, engineering and math (STEM) in education.

To read the rest of our story, click here.

 

A LOOK AHEAD:

TUESDAY:

–A pair of House Oversight subcommittees will hold a hearing on the implementation of their scorecard for federal IT modernization, at 2 p.m.

WEDNESDAY:

–The full Oversight committee at 9 a.m. will examine the “costs of overclassification on transparency and security.”

–House Homeland Security Chairman Michael McCaul (R-Texas) will deliver his State of Homeland Security address, at 11 a.m.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

How Russia’s election-tampering efforts give it an edge in developing international agreement in cyber norms. (Council on Foreign Relations.)

A Pennsylvania prosecutor’s office and two businesses were among hundreds of thousands of victims of an international cybercrime operation disabled by federal authorities and the European Union last week. (The Associated Press)

Court documents released today add few new details to the Avalanche malware network takedown the U.S. and 40 other nations celebrated last week. But they do give some anonymized details about the Pennsylvania victims that tied the case to that jurisdiction. (Department of Justice)

The House is looking for an IT systems analyst. If you get the job, we expect a 5 percent finders fee. (House of Representatives)

In a letter to Sen. Mark Warner (D-Va.), the FCC Chair speculated about security warning labels in the future. (Scribd)

 

If you’d like to receive our newsletter in your inbox, please sign up here.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
