Welcome to The Cybersecurity 202! Tonight, I'm making Maangchi's bulgogi for Lunar New Year. Then tomorrow, I'll celebrate Groundhog Day by making it again. 😉 Below: A top cybersecurity official is heading to Europe amid fears of Russian cyberattacks, and lawmakers are reintroducing an effort to combat child pornography that sparked encryption concerns.

The Whisper app isn't so quiet anymore

A mobile app where users share their secrets leaked data from millions of posts online. (Qilai Shen/Bloomberg News)

A social media app that encourages users to share their deepest secrets almost certainly left a trove of user messages and location data unsecured online. The unsecured information on the Whisper app included hundreds of millions of users' allegedly anonymous secrets — many of them highly personal and salacious, the research group Comparitech said in a blog post shared exclusively in advance with The Cybersecurity 202. While the information does not include people's real names, it does include information hackers could use to identify users, including their ages and the rough locations of their devices when the secrets were shared, Comparitech head of security research Bob Diachenko said in the post. That raises the specter of users being subjected to "blackmail, stalking, harassment, or other crimes," Diachenko warns. There's no evidence hackers stole the data while it was unsecured, though such thefts are common when data is unprotected and easy to locate.

The security lapse highlights the glaring disconnect between the insecurity of many websites and the extremely personal information some people are willing to share on them.

Whisper's website focuses on deeply personal confessions that users presumably only shared because they thought anonymity was assured. Common themes include posts about infidelity, fetishes and failed relationships. "When people use Whisper, there's a high expectation of privacy. It's literally an anonymous secret sharing app. And this is a violation of the privacy users expect," Comparitech editor and consumer privacy expert Paul Bischoff told me.

This is a second strike for Whisper, which left years' worth of users' secrets, personal details and locations accessible online in 2020, as my colleague Drew Harwell reported at the time. It's not unheard of for hackers to use such personal information they've found to extort victims.

- In one especially troubling case, a hacking group that compromised a Dutch mental health clinic reached out to patients directly and threatened to share information about their diagnoses and treatments if they didn't pay ransoms of hundreds of euros.
The data was secured shortly after Comparitech alerted Whisper about the security error, but Whisper officials did not respond to multiple messages from Comparitech, Bischoff told me. App officials also didn't respond to my request for comment. Comparitech is nearly certain the information was exposed on Whisper's own servers rather than stolen and exposed by hackers but can't be 100 percent confident without Whisper confirming that information, Bischoff told me. The exposed data was in two separate databases.

- One contained about 1.2 billion records that included some combination of shared secrets, geolocation and timestamps for those secrets, usernames and nicknames.
- The other database contained 361 million records with similar information.
Whisper, which is owned by the holding company MediaLab, rejected concerns about its 2020 exposure of user data, saying most of the exposed data was intended to be public. Researchers disputed that characterization, saying the fact that data was exposed en masse would make it far easier for hackers to identify individual users. Cybersecurity consultant Dan Ehrlich called the exposed data "literally the fuel you need to run a secret police," saying it could be weaponized to expose and punish members of vulnerable minority groups based on their sexual orientation, ethnicity, health status or religion.

The keys

A top cybersecurity official is traveling to Europe to discuss rising Russia-Ukraine tensions

Deputy national security adviser Anne Neuberger will travel to Brussels and Warsaw. (Susan Walsh/AP)

The move comes amid fears about Russian cyberattacks targeting the United States and European allies as part of a tit-for-tat exchange if Russia invades Ukraine and the West responds with harsh sanctions. Deputy national security adviser Anne Neuberger is first going to Belgium to meet with allies from NATO and the European Union before going to Poland, a senior administration official said. There, she will meet with Polish and Baltic officials, as well as eastern European leaders. She also plans to hold virtual meetings with German and French officials. Neuberger will "discuss how we will coordinate and support Ukraine, and each other, in the event that cyberattacks occur," the official said. Ukrainian government agencies have been hit by destructive malware in recent weeks. Ukrainian officials have said they believe Russia was responsible. The flurry of cyber diplomacy comes just one day after the United States and Russia exchanged barbs at a meeting of the United Nations Security Council, where each accused the other of lying and promoting panic.
Lawmakers reintroduced anti-child pornography legislation that drew fire from encryption advocates

Sen. Richard Blumenthal (D-Conn.) is introducing the bill with Sen. Lindsey Graham (R-S.C.). (Drew Angerer/Getty Images)

The bipartisan bill, dubbed the EARN IT Act, would open up tech platforms to legal liability when their users share child pornography — stripping protections the platforms otherwise enjoy against being held accountable for things shared by their users. It's sponsored by Sens. Richard Blumenthal (D-Conn.) and Lindsey Graham (R-S.C.). When the bill was first introduced in 2020, it sparked panic among cybersecurity advocates who feared it would force companies to stop offering end-to-end encryption — a protection they say is vital for security but that also makes it easier for criminals to share child pornography and other illegal content undetected. The system effectively blocks everyone but the sender and recipient from viewing a message's content — including the tech platform itself and police with a warrant. The reintroduced bill includes a provision aimed at allaying encryption concerns, a congressional aide told me. It states that companies can't be held liable merely for offering end-to-end encryption, but they would still be required to take other actions to reduce the spread of child pornography. A similar provision was ultimately added in 2020, which pleased some encryption hawks. Others warned it could still leave the door open to chipping away at encryption protections.

MITRE is launching a new insider threat detection service

The U.S. government-backed research agency MITRE is partnering with the Silicon Valley firm DTEX to help detect insider threats for companies and government agencies in critical sectors such as banking, health care and transportation, the groups exclusively told The Cybersecurity 202. The project reflects roughly a decade-long push by the U.S. government and top industries to root out malicious insiders who might steal secrets for sabotage or to sell them to competitors — partly spurred by Edward Snowden's leak of a trove of NSA secrets in 2013. MITRE and DTEX's system is based on an extensive study the companies conducted on the tactics malicious insiders use to steal digital data from their organizations, which they say vastly improved their ability to detect such behaviors. MITRE runs a cadre of federally funded research and development centers that do research focused on cybersecurity and other areas of governmental interest. They're offering the service on a not-for-profit basis to government agencies and industry sectors that are deemed critical to national security or the economy in the United States, Canada, the United Kingdom, Australia and New Zealand — an intelligence sharing coalition known as the Five Eyes, Chris Folk, director of MITRE cybersecurity policy, and DTEX co-founder Mohan Koo, told me. There are about 50 organizations in the first round of customers, including some non-U.S. government agencies, they told me.

National security watch

The intelligence community warns of security threats from sharing Americans' health information with foreign companies

The warning came from the National Counterintelligence and Security Center, an arm of the office of Director of National Intelligence Avril Haines. (Graeme Jennings/Pool/AFP/Getty Images)

Several U.S. companies have potentially dangerous partnerships with Chinese companies that involve sharing genetic and other biomedical information that could be turned over to the Chinese government for surveillance, the National Counterintelligence and Security Center (NCSC) warned in an alert to industry. The "loss of your DNA to unwanted parties is permanent and not only affects you, but also your relatives, and potentially future generations," the alert warns. NCSC began warning last year about the dangers of working with Chinese entities on issues like biotechnology and artificial intelligence, Ellen Nakashima reported. "We think there's a lot at stake with a lot of these technologies," NCSC acting director Mike Orlando said at the time. "If we lose supremacy in these areas … we could be eclipsed as an international superpower."

Hill happenings

A lawmaker is reining in a proposal to crack down on ransomware after complaints from cryptocurrency advocates

Rep. Jim Himes (D-Conn.) agreed to an amendment that would let the public comment on the proposal. (Matt McClain/Pool/The Washington Post)

The proposal by Rep. Jim Himes (D-Conn.) would have boosted the Treasury Department's authority to monitor and freeze cryptocurrency accounts used for crimes like ransomware and money laundering. But after pushback from cryptocurrency advocates, Himes is proposing new language that would grant those authorities only after an extensive process of accepting public input, Politico's Sam Sutton reports. Himes's proposal was attached to a 3,000-page package aimed at boosting U.S. competitiveness against China that has already passed the Senate.

Global cyberspace

A major German fuel tank company was hit in a cyberattack

The loading and unloading systems used by the Germany-based firm Oiltanking have been brought to a standstill, German financial newspaper Handelsblatt's Claudia Scholz reports. The stoppage is affecting medium-sized gas stations and companies like Shell, which said it would be able to offset the issue. Frank Schaper, the managing director of Germany's independent tank storage association, told Handelsblatt that the country's fuel supplies wouldn't be in danger because of the cyberattack. The hack comes as Germany and other European countries brace for a potential conflict with Russia, which is building up troops on its border with Ukraine, a conflict that could also bring cyberattacks.
Daybook

- The House Oversight and Reform Committee discusses legislation to bolster the U.S. government's cyber defenses on Wednesday at 10 a.m.
- Rep. Jim Langevin (D-R.I.) discusses cybersecurity at an Axios event on Wednesday at 12:30 p.m.
- The Senate Homeland Security Committee holds a hearing with three Biden nominees for positions in the Department of Homeland Security on Thursday at 10:15 a.m.
- BSidesTLV founder Keren Elazari discusses hacker cultures at a Strauss Center event on Thursday at 1:15 p.m.

Secure log off

Thanks for reading. See you tomorrow.