Good morning and welcome to The Cybersecurity 202! As someone watching "Murder, She Wrote" for the first time, I am reserving judgment on whether Jessica Fletcher is the most prolific serial killer in television history. Was this forwarded to you? Sign up here.

Below: Researchers uncover a backdoor in police and military radios, and lawyers want the name of the nation that aided an FBI operation. First:

Judge tells hacked law firm to hand over some client names

The SEC wanted nearly 300 client names. (Andrew Harnik/AP)

A federal judge ordered a hacked law firm to give a federal regulator a list of seven clients whose material nonpublic information may have been accessed by Chinese hackers. But the judge also ruled that the regulator, the Securities and Exchange Commission, shouldn't be able to get a list of nearly 300 other clients whose material nonpublic information the law firm found wasn't accessed by the hackers.

"The court finds some merit to both parties' positions, but ultimately holds that the SEC's demand for the names of affected clients does not exceed its statutory authority or cross any constitutional lines," U.S. District Judge Amit Mehta, a federal judge who also serves on the Foreign Intelligence Surveillance Court, wrote in his opinion.

The Monday afternoon ruling is the latest development in a case that raises thorny questions about the role of cyber regulators, law firms, client secrets and the willingness of victims to report cyberattacks to the federal government. Adding to the drama, both the SEC and law firm Covington & Burling earlier this year signaled that they wouldn't be happy with such a ruling, raising the odds that it could be appealed.

- Covington & Burling spokesman David Schaefer told The Post in a statement that the firm is "appreciative of the Court's thoughtful consideration of the fundamental principles at stake. We believed from the beginning that we had a duty to protect our clients' confidential information and are grateful for the broad amicus support our position received from both the client community and the legal profession," Schaefer said. He also said that the firm will "review the decision carefully and consider any next steps in consultation with our affected clients."
- The SEC declined to comment.
The case originates with a hacking campaign disclosed by Microsoft in March 2021. Chinese hackers at the center of the cyberattacks caused havoc for victims around the world when they leveraged vulnerabilities in Microsoft's Exchange email software. Covington investigated and found that it was breached in November 2020. "State-sponsored" Chinese hackers focusing on a "small group of lawyers and advisors" were behind the attack, and they were "principally focused on state espionage to learn about policy issues of specific interest to China in light of the incoming Biden Administration," Covington told the SEC in a letter.

After the SEC in early 2022 found out that Covington was hit, it eventually sent Covington a subpoena for nearly a dozen different types of documents. Covington said it couldn't comply with one of the requests: a demand for records that could identify Covington clients or impacted public companies hit in the cyberattack. That request is at the center of the dispute, and the SEC went to court over it.

Covington has argued that it has a duty to keep client names confidential. It has also said that the SEC's demand for client names could damage relationships between law firms and clients, and could also disincentivize victims of hacks from turning to law firms. It also warned, alongside other law firms and the Chamber of Commerce, that victims could be disincentivized from reporting hacks to the federal government. That's a critical point because the U.S. government says it relies on voluntary cooperation from victims to understand the scope of hacks and respond.

In his opinion, Mehta didn't disagree.

The policy concerns raised by Covington, other law firms and groups like the Chamber "are not unfounded," Mehta wrote. "The SEC's approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel," Mehta wrote. "Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients." But Mehta noted that "[t]he court's role, however, is limited. Its task is only to assess whether the subpoena exceeds the SEC's statutory authority or fails to meet minimum constitutional requirements. It is not to pass on the wisdom of the SEC's investigative approach."

The ruling and what's next

Mehta's ruling only requires Covington to "disclose the names of the seven clients as to whom it has not been able to rule out that the threat actor accessed material nonpublic information." The SEC wanted a list of nearly 300 clients that also includes clients whose material nonpublic information Covington found wasn't accessed. "In the court's estimation, the SEC has not made the case that it needs the names of the 291 clients whose material nonpublic information Covington has determined was not accessed," Mehta wrote. "Those clients, by the SEC's own admission, are not relevant to its investigation. Therefore, the court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven are actually needed to satisfy the agency's stated law enforcement interests." Mehta noted that the SEC argued that it couldn't "independently verify" Covington's accounting, but said that didn't mean it should get the full list of names.

Neither Covington nor the SEC has said whether it plans to appeal the ruling. But a lawyer representing Covington, Theodore J. Boutrous Jr., said at a May 9 hearing that identifying even the seven clients whose material nonpublic information may have been breached, as Mehta eventually ordered the firm to do on Monday, would in some ways be worse than just having work-product protections, because it would reveal that their material nonpublic information was accessed.
The keys

Researchers uncover backdoor in police and military radios

Security researchers say they discovered an apparently deliberate backdoor in encrypted radios that police, military and critical infrastructure organizations use. (Katherine Frey/The Washington Post)

Security researchers say they discovered an apparently deliberate backdoor in encrypted radios that police, military and critical infrastructure organizations use, and that might have been there for decades, Joseph Cox reports for Motherboard. "The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times," Kim Zetter writes for WIRED. It's one of a set of flaws that Dutch researchers from Midnight Blue found in the European radio standard known as TETRA in 2021, but that they agreed not to disclose while manufacturers created fixes. Here's what others are saying about the development, from both stories:

- An attacker could carry out "a trivial type of attack that fully breaks the algorithm," Jos Wetzels, one of the researchers, told Cox. "That means an attacker can passively decrypt everything in almost real time. And it's undetectable, if you do it passively, because you don't need to do any weird interference stuff."
- The chair of the technical body at ETSI responsible for the TETRA standard, Brian Murgatroyd, told Zetter it shouldn't be called a backdoor because the algorithm was instead designed for commercial use and had to meet export requirements for markets outside Europe.
- Matthew Green, a Johns Hopkins University professor and cryptographer, told Zetter that the weakness is a "disaster," and added, "I wouldn't say it's equivalent to using no encryption, but it's really bad."
Jack Smith's office probing 2020 meeting where Trump praised election security measures

Special counsel Jack Smith's office asked former officials to provide information on a February 2020 Oval Office meeting where President Donald Trump praised improvements to U.S. election security. (Tom Brenner for The Washington Post)

Special counsel Jack Smith's office asked former officials to provide information on a February 2020 Oval Office meeting where former president Donald Trump "touted his administration's work to expand the use of paper ballots and support security audits of vote tallies," Sean Lyngaas, Kylie Atwood, Zachary Cohen and Evan Perez write for CNN, citing people familiar with the matter. They write: "Trump was so encouraged by federal efforts to protect election systems that he suggested the FBI and Department of Homeland Security hold a press conference to take credit for the work, four people familiar with the meeting told CNN."

The investigators appear to be interested in Trump's understanding of election security efforts before he began campaigning against their integrity. "Smith's office has in recent months interviewed multiple former US officials with knowledge of the February 2020 Oval Office briefing," CNN says, citing sources, though "not everyone who attended the meeting and has talked to the special counsel was asked about it."

- Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, has been interviewed by Smith's team, the New York Times reported in May.
- As our colleagues recently reported, Mark Meadows, Trump's last White House chief of staff, joked about the president's baseless election claims just before participating in a phone call where Trump claimed some 5,000 dead voters were in Georgia and said the results in the state should be overturned.
Defense lawyers urge judge to reveal nation that aided FBI in global encrypted phone operation

A group of defense lawyers is asking a judge to reveal the nation that aided the FBI in a secretly run phone operation. (iStock)

A group of defense lawyers is asking a judge to reveal the nation that aided the FBI in a secretly run operation dubbed "Anom" that used encrypted phones to target criminals around the world, Joseph Cox reports for Motherboard. Cox writes: "The news provides the first substantial legal challenge in the U.S. to the FBI's operation of its tech company, which resulted in the arrest of more than a thousand alleged criminals, tons of drugs, and over a hundred weapons."

- The Anom enterprise was an FBI-run service that allowed the agency to track criminals' communications under the radar. The Justice Department has previously said the network grew to around 12,000 devices in over 100 countries and impacted over 300 criminal organizations.
- U.S. and Australian authorities began publicly unveiling the Anom operation about two years ago, though the operation also enlisted an unnamed third country in the European Union that collected Anom messages and relayed them back to the United States, Cox writes.
The lawyers' motion filed in the Southern District of California "focuses solely on the documents and information in the government's possession related to its use of an unknown third-party country to obtain the evidence in this case," the motion's text reads. This is not the first time the information has been requested by defense lawyers, according to the report. A complete understanding of the nations involved in the message transfers is essential for crafting legal defenses, the current lawyers claim.

Thanks for reading. See you tomorrow.