Overnight Cybersecurity: Mueller probe cost $6.7M in early months | Senate confirms Homeland Security nominee | Consumer agency limits data collection | Arrest in Andromeda botnet investigation

The Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORY:

–THE COST OF THE QUAGMIRE: The cost of special counsel Robert Mueller’s investigation into Russian interference in the U.S. election over the first four and a half months topped $6.7 million, according to the first public accounting of the probe released Tuesday. Mueller’s office spent just over $3.2 million from the date his appointment, May 17, through Sept. 30. The bulk of the expenses went toward staff, with $1.7 million spent on salaries and benefits. The special counsel has hired 17 attorneys to date to work on the probe. Just over $220,000 was spent on travel during that period, while $156 went to a mysterious line item: “Transportation of things.” “Justice Department components that support the special counsel’s office,” meanwhile, spent an additional $3.5 million in expenditures “attributable to the investigations,” according to a report released Tuesday.

{mosads}

–…A CHEW TOY FOR CRITICS TWICE A YEAR, BUT LITTLE REAL RECOURSE: Mueller is required to produce a public expense report every six months, giving critics repeated opportunities to hammer the special counsel over his budget. Trump has tweeted about the “costly” investigation, and some conservatives have argued it is a waste of taxpayer dollars. But Congress has few avenues to cut off Mueller’s funding. His budget is not part of the annual Justice Department funding package that Congress approves, but instead comes from a permanent Treasury Department account. And the Justice regulations stipulate that he must be provided “all appropriate resources” to conduct this investigation.

To read the rest of our piece, click here.

 

THE NEW BOSS AT DHS:

The Senate confirmed President Trump’s pick to lead the Department of Homeland Security after John Kelly left the agency for his White House post earlier this year.

Senators voted 62-37 on Kirstjen Nielsen’s nomination to be DHS secretary, with 10 Democratic senators and Independent Sen. Angus King (Maine) siding with Republicans to support her.

Nielsen, who was nominated in October, was expected to secure confirmation after clearing a procedural hurdle in a 59-33 vote on Monday evening.

Republicans have praised Nielsen, a cybersecurity expert and former Homeland Security official.

But Democrats raised concerns during her confirmation hearing about her lack of leadership experience, noting that DHS is a sprawling agency with roughly 240,000 employees.

“Why should we believe that, as smart as you are, and as well-spoken as you are, that someone who, as far as I know, never led an organization of even 100 people, much less 240,000, is ready to take on this responsibility?” Sen. Tom Carper (D-Del.) asked during her confirmation hearing.

To read the rest of our piece, click here.

 

A REGULATORY UPDATE:

CONSUMER AGENCY LIMITS DATA COLLECTION: Interim Consumer Financial Protection Bureau head Mick Mulvaney announced Monday that the board would stop collecting personally identifiable information.

Mulvaney said the decision to eschew such information, often abbreviated PII, stemmed from an Inspector General’s report expressing concern for information security.

“That scares me to death,” he said.

“Until the folks at the IG and everybody, including inside and outside this organization, tell me that we have the very best data security, I have instructed them to stop collecting PII-level information,” he later added.

“So no more loan-level information. If we are collecting statistical data on the numbers of loans and the size of loans and the dollar amounts of loans, hey, that’s great, okay?  But if we can trace it back to you or your business, no.”

Though Mulvaney is currently running the agency, he is being sued alongside the Trump administration over the legality of his appointment. 

 

A LIGHTER CLICK:

LACKS THE MOXIE. Pepsi claims it didn’t hack the Russian government.

 

A REPORT IN FOCUS:

MAILSPLOIT: Carefully crafted messages can trick DMARC, the protocol that double checks whether emails are from the senders they say they are, in a variety of email clients.

While anyone can put any address in the “from” field of an email, DMARC allows recipients to verify if the sender was authorized to use that address.

But researcher Sabri Haddouche figured out that taking advantage of certain text encoding tricks, more than 30 different email clients could be fooled into making a faulty DMARC check.

Haddouche calls the glitch “Mailsploit.”

Yahoo, Hushmail and Protonmail have all issued fixes. Apple and Microsoft both say they are developing solutions for their desktop email programs. Gmail was never affected by the bug.

 

WHAT’S IN THE SPOTLIGHT:

AR3S: On Monday, an international coalition of law enforcement entities and private sector groups announced they had arrested a suspect in connection with Andromeda, a program that built malicious networks of hijacked computers.

But the coalition, which included the FBI, Europol and German authorities, was tight lipped about the person arrested.

Andromeda was a commercially available product to set up criminal networks of hacked computers, meaning many individuals could have been arrested in conjunction with the investigation.

Researchers at Recorded Future believe that authorities arrested a hacker known as Ar3s who was associated with selling Andromeda. They note that, Ar3s, the de facto official vendor of the program, appears to have mysteriously vanished from hacker forums toward the end of November.

According to researchers at Group-IB, Ar3s has been an active participant on hacker forums like Damagelab since 2009, when he claimed to be a 24-year-old from Belarus.

The Recorded Future report provides some evidence that he was being honest, at least on the Belarus point. Accounts associated with Ar3s traced back to a Belarus cell phone provider.

 

IN CASE YOU MISSED IT:

‘Links from our blog, The Hill, and around the Web.

The Army finalizes its plans to directly commission cybersecurity officers from the private sector. (The Hill)

A federally funded cybersecurity lab has a new director. (The Hill)

NIST released a new draft of updates to its widely influential cybersecurity framework. (NIST)

A misconfigured database spilled the personal information of more than 30 million users of a mobile keyboard app – including their contacts.  (MacKeeper)

The world may only have a tenth of the artificial intelligence pros we need – or fewer. (The Verge)

There’s a company collecting kid’s brainwave patterns without a privacy policy. (CSO)

Trump’s pick for Defense undersecretary for research and engineering comes from NASA. (FCW)

It just got easier to discover leaky cloud storage accounts. (The Register)

If you’d like to receive our newsletter in your inbox, please sign up here.