Welcome to The Cybersecurity 202! Does anyone else's cat treat wet food gravy like the main course, and the actual food like an afterthought? Below: The FBI warns about the cybersecurity risks of out-of-date medical devices, and Montenegro deals with a cyberattack. First:

Famed hacker 'Mudge' testifies on Twitter security before a Senate panel today

Peiter "Mudge" Zatko will testify today. (Matt McClain/The Washington Post)

When Twitter whistleblower Peiter "Mudge" Zatko sits in front of the Senate Judiciary Committee microphones this morning, lawmakers will have their chance to explore his serious allegations about slipshod security at the social media giant. The mystery is how much they will actually ask about it.

Republicans have indicated a desire to probe Twitter's treatment of conservatives. And as my colleague Cristiano Lima observed, lawmakers might also have other, less security-related topics on their mind, like Elon Musk's court battle over his attempt to scuttle his pledged purchase of Twitter. Several senators told me Monday evening that they still needed to study Zatko's claims before talking about what issues they might bring up at the hearing.

But at least one senator coming into the hearing is focused on the security worries that Zatko raised: Sen. Richard Blumenthal (D-Conn.). "The national security interest, it could be at risk as a result of failures to properly secure information," Blumenthal told me. "There's a pattern of failure that we see for protection of privacy … and why does he think those failings are occurring?"

Blumenthal also said his office had talked with Zatko about the ineffectiveness of the Federal Trade Commission in serving as an enforcement agency, something Zatko "has some pretty insightful and strong views on."
My colleagues Cat Zakrzewski and Joseph Menn have more on the FTC's role, stemming from Zatko's allegation that Twitter never developed an information-security program to comply with a 2011 FTC consent decree. The FTC answered that it's committed to enforcing its orders and investigating potential violations.

What major security shortcomings does Zatko allege?

Zatko made his initial accusations in an 84-page complaint to the Securities and Exchange Commission, details of which The Washington Post published last month. Besides the allegations about compliance with the FTC decree, Zatko's complaint says:

- More than half of Twitter's 500,000 servers ran on software that was outdated or had other known security problems.
- Twitter employees "repeatedly" and intentionally installed spyware on their work computers "at the request of external organizations."
- The Indian government compelled Twitter to hire its government agents, who would have access to large amounts of sensitive data.
- Twitter mishandled user personal information in several ways, including by giving about half of the company's 10,000 employees access to user data.
Twitter has responded to Zatko's claims by saying:

- The company prioritizes security, contrary to Zatko's complaint.
- Twitter fired Zatko for poor leadership.
- Zatko's allegations are "riddled with inaccuracies."
Zatko has spent three decades highlighting security flaws during stints as a member of a famed hacker collective, as a government employee and in the corporate world. Beyond Blumenthal, the two leaders of the Senate Judiciary Committee — Chairman Richard J. Durbin (D-Ill.) and top GOP member Charles E. Grassley (Iowa) — have indicated at least some interest in probing Zatko's security-related complaints.

Durbin and Grassley sent a letter Monday to Twitter CEO Parag Agrawal, inviting him to testify and asking him questions about Zatko's allegations.

But expect other topics to surface as well at today's hearing. "I'm anxious to see how candid he's going to be," said Sen. John Neely Kennedy (R-La.), who told reporters he hadn't read Zatko's complaint and wasn't sure if Twitter was more or less secure than other organizations. Twitter in general, he said, needs to "stop censoring conservative content, and censor as little content as possible." Twitter has, like many social media platforms, denied GOP gripes about censorship.

After Zatko's turn before Congress, executives from Twitter and other social media companies are set to appear before the Senate Homeland Security and Governmental Affairs Committee on Wednesday.

The keys

Hackers could target out-of-date medical devices, FBI warns

The FBI warning comes as officials warn about specific vulnerabilities in medical devices. (Al Drago/Bloomberg News)

The FBI has "identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features," it said in an alert to industry. Medical devices have been hit by hackers before, but the alert from the FBI represents a stark warning about the vulnerabilities.
"Medical device hardware often remains active for 10-30 years, however, underlying software life cycles are specified by the manufacturer, ranging from a couple months to maximum life expectancy per device allowing cyber threat actors time to discover and exploit vulnerabilities," the FBI said. "Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks."

U.S. cybersecurity officials this month have warned about vulnerabilities in infusion pumps and patient monitors. However, authorities haven't seen any "known public exploits" of the vulnerabilities, according to notices published when announcing the vulnerabilities.

Montenegro is dealing with a cyberattack — and it blames Russia

A ransomware group calling itself "Cuba" has taken responsibility for the Aug. 20 cyberattack, which prompted Montenegro's government to take websites offline, the Associated Press's Dusan Stojanovic reports. Officials from Montenegro, a member of the NATO alliance that is a candidate for European Union membership, have blamed it on Russia. "The attack, described by experts as unprecedented in its intensity and the longest in the tiny nation's recent history, capped a string of cyberattacks since Russia invaded Ukraine in which hackers targeted Montenegro and other European nations, most of them NATO members," Stojanovic writes. Albania, another NATO ally, last week cut ties with Iran over a cyberattack.

CISA asks for comment on incident reporting rules for critical infrastructure

The rules came in response to waves of cyberattacks, including a hack that targeted Colonial Pipeline. (Dustin Chambers for The Washington Post)

The public has until Nov. 14 to comment on the law that will require critical infrastructure owners and operators to report hacks to the federal government, FedScoop's Nihal Krishan reports.
The Cybersecurity and Infrastructure Security Agency is planning on holding listening sessions across the country until November, CISA said. "In its request for public comment CISA said it is particularly interested in feedback on its definitions of the terminology to be used in the proposed regulations, the manner in which reports will be required to be submitted under [the law], and other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited," Krishan writes.

On the move

- Brian Boetig, a former director of the National Cyber Investigative Joint Task Force, has joined FTI Consulting as a senior managing director.
Daybook

- Twitter whistleblower Peiter "Mudge" Zatko testifies before the Senate Judiciary Committee today at 10 a.m.
- Current and former executives at social media companies testify before the Senate Homeland Security Committee on Wednesday at 10 a.m.
- A Senate Judiciary Committee panel holds a hearing on protecting Americans' personal information from hostile foreign actors on Wednesday at 3:30 p.m.
- Deputy national security adviser Anne Neuberger speaks at a DefenseScoop event on Thursday at 9 a.m.
- The House Homeland Security Committee holds a hearing on the cybersecurity of industrial control systems on Thursday at 10 a.m.
Secure log off

Thanks for reading. See you tomorrow.