Overnight Cybersecurity: Mueller hasn’t contacted Sessions for interview | Data privacy shield passes first annual review | Russian group ran fake Tennessee GOP Twitter account

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

–BE PROUD IN OUR ADEQUACY: The European Union determined that the so-called Privacy Shield, a deal allowing U.S. firms to store EU citizens’ data stateside, had performed ‘adequate[ly],’ according to its first annual report. The report, released Wednesday, found that the deal “ensures an adequate level of protection for personal data that has been transferred from the European Union to organisations in the U.S.” Privacy Shield is the second attempt at a framework to exempt U.S. companies from EU privacy laws requiring all data to be stored within the EU if there’s no contract guaranteeing protections. Around 2,400 companies currently operate through Privacy Shield. The report notes that while the current system works, it could be tweaked to work better. The report suggests several actions, including better informing EU citizens of their avenues for redress of complaints, improving monitoring of businesses and bolstering coordination between federal enforcement agencies. It also asked the United States to fill empty posts on the Privacy and Civil Liberties Oversight Board.


–SESSIONS YET TO BE CONTACTED BY MUELLER: Attorney General Jeff Sessions on Wednesday said the special counsel has not contacted his office about a potential interview as part of its investigation into Russia’s interference in the 2016 presidential election. “I would just say, Sen. Blumenthal, my staff handed me a note that I have not been asked for an interview at this point,” Sessions told Sen. Richard Blumenthal (D-Conn.) several minutes after a heated exchange over the matter. “My office certainly hasn’t been contacted with regard to that. Maybe you better check your source,” he added. Sessions made the statement during testimony in front of the Senate Judiciary Committee on Department of Justice oversight. He previously said the special counsel has not conducted an interview with him. Earlier in the hearing, Sessions said he did not “recall” being contacted by the counsel but would let the committee know “within hours.”


–RUSSIAN INTERNET TROLLS RAN INCENDIARY FAKE TENNESSEE GOP TWITTER ACCOUNT: Russian internet trolls ran a popular Twitter account that claimed to belong to the Tennessee Republican Party, BuzzFeed News reported Wednesday. Twitter took nearly a year to shut down the account, @TEN_GOP, despite repeated notifications from the state’s real Republican Party pointing out that the account was fake. “It was in no way affiliated with our office,” Candice Dawkins, Tennessee Republican Party’s communications director, told the news outlet. “It was very misleading.” The actual Tennessee GOP reported @TEN_GOP three times — September 2016, March 2017 and August 2017 — in an attempt to have Twitter take down the fake account, BuzzFeed News reported, citing email correspondence that Dawkins provided. But its efforts proved unsuccessful for months. The now “permanently suspended” account obtained at least 136,000 followers between when it was set up in November 2015 and when it was shut down in August, the report highlighted, citing a snapshot of the account captured by the Internet Archive. The account had a knack for pushing incendiary content across the social media platform. In addition to peddling fake reports, it also sent out inflammatory messages such as one saying unarmed black men killed by police officers deserved to die, according to the report.


A LEGISLATIVE UPDATE:

MCCAIN JOINS DEMS ON SOCIAL MEDIA POLITICAL AD BILL:

Democratic Sens. Amy Klobuchar (Minn.) and Mark Warner (Va.) will unveil legislation on Thursday aimed at preventing foreign election interference by increasing digital ad transparency.

Their new bill, called the Honest Ads Act, would make political ads on social media subject to the same transparency and disclosure laws as TV and radio ads.

Sen. John McCain (Ariz.), who helped write the legislation, is the first Republican to sign on as a co-sponsor.

Since Facebook revealed that a Kremlin-linked group purchased $100,000 worth of ads around the time of the 2016 election, Warner and Klobuchar have floated revised Federal Election Commission regulations that would force social media companies like Facebook and Twitter to disclose who is buying political ads on their platforms.

“As much as I dislike Citizens United, at least someone can look at the TV ads being run for or against somebody,” Warner said last month. “Why don’t those rules apply to social media companies?”


A LIGHTER CLICK: 

HUNT IS ON FOR BRITANNIA’S NEW KING. It wasn’t the sword or the stone, but someone certainly pulled a sword from stone. The owners want it back.

 

A REPORT IN FOCUS:

TENTH ONE’S THE CHARM: Nearly nine in 10 web applications written in a popular coding language use out-of-date open-source components that are now known to have security vulnerabilities, according to the software analysis firm Veracode.

Veracode released its “State of Software Security 2017” on Wednesday, with data compiled from real-world scans of its customers. It found that 88 percent of Java applications have vulnerabilities from out-of-date components.

Programmers often use prewritten, third-party coding libraries to bolster their own work. But as security flaws get patched in the libraries, those updates are often overlooked when maintaining apps. For example, more than half of apps use out-of-date versions of the Apache Commons Collections library that still contain a flaw that downed the San Francisco Municipal Transportation System the day after Thanksgiving last year.


WHAT’S IN THE SPOTLIGHT:

A Democratic senator is pressing the Pentagon on cybersecurity risks after revelations that Russia reviewed the source code for software used on U.S. military systems.

Sen. Jeanne Shaheen (D-N.H.), a member of the Armed Services Committee, sent a letter to Defense Secretary James Mattis expressing “deep concerns” about reports from Reuters earlier this month that Hewlett Packard Enterprise (HPE) complied with a Russian defense agency’s request to review source code of its ArcSight cybersecurity software.

The software is used by private and public sector entities, including the U.S. military. Shaheen warned Tuesday that the review could allow Russian entities to hack into systems used on U.S. military platforms.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on DoD platforms,” Shaheen wrote.

“Such disclosure could also lead to the illicit transfer of valuable intellectual property to domestic Russian competitors.”

The Democrat is pressing the Pentagon to disclose any “specific risk” it could face from the disclosure and what it is doing to track and mitigate risks to its systems.

HPE told The Hill earlier this month that the company “has never and will never take actions that compromise the security of our products or the operations of our customers.”


IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The UK set guidelines for cyber supply chains. (Aviation Week)

Kaspersky believes Monday’s WiFi vulnerability could be used to attack critical infrastructure. (Kaspersky Lab)

Modern Intel chips are vulnerable to a neat new attack, but it requires already having had total control over the computer. (ThreatPost)

Tracking people with mobile ads is surprisingly cheap. (Wired)

“Where is Congress? The Supreme Court’s Cert in Microsoft Ireland case should spur lawmakers to act.” (Just Security)

Someone just won Jeopardy with a score of $1. (Daily Dot)

The New York Police Department doesn’t back up its millions-of-dollars forfeited assets database. “‘That’s insane,’ Manhattan Supreme Court Judge Arlene Bluth said repeatedly from the bench.” (Courthouse News, via Boing Boing)
