Overnight Cybersecurity: Kaspersky to testify before House | US sanctions Iranians over cyberattacks | Equifax reveals flaw that led to hack

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORY:

–U.S. SANCTIONS IRANIAN NATIONALS: The Trump administration on Thursday sanctioned seven Iranian nationals and an Iran-based computer security company for their role in cyberattacks targeting the U.S. financial system. The Treasury Department announced sanctions on 11 entities and individuals for supporting Iran’s elite Islamic Revolutionary Guards Corps (IRGC) and networks responsible for the cyberattacks. Treasury Secretary Steven Mnuchin cast the new sanctions as part of a broader effort by the Trump administration to “take strong actions to counter Iran’s provocations.” Those sanctioned include a private Iranian computer security company called ITSec Team, which allegedly conducted distributed denial of service (DDoS) attacks against at least nine large U.S. financial organizations, including banks and stock exchanges, between 2011 and 2012. The security company also did work on behalf of the Iranian government during the same period, according to the Treasury. The administration also sanctioned three Iranian nationals for acting in connection with ITSec Team and sanctioned four Iranian nationals for their work on behalf of an Iran-based computer security company called Mersad Co., which has been affiliated with the IRGC, the Treasury said.

To read the rest of our piece, click here.

THE LATEST EQUI-FACTS:

{mosads}

–FTC OPENS INVESTIGATION: The Federal Trade Commission (FTC) on Thursday announced that it had launched an investigation into the Equifax breach that left sensitive information for 143 million Americans exposed to hackers. “The FTC typically does not comment on ongoing investigations,” FTC spokesman Peter Kaplan said in an email. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” It is extremely rare for the agency to publicly confirm an investigation.

To read the rest of our piece, click here.

–…SPURRING A MORNING STOCK MARKET DROP: Shares of the embattled credit reporting company dropped nearly 10 percent after the market opened Thursday morning, sinking as low as $90.64 per share, about $8 lower than Wednesday’s close. Equifax stock recovered slightly by 11 a.m., reaching $95 per share. It closed for the day at 96.66.

To read the rest of our piece, click here.

–ATTACK VECTOR IDENTIFIED: Equifax has identified the flaw in its website that hackers used to breach its systems. In a consumer update Wednesday night, the credit reporting firm pointed to a known security issue in the web applications software Apache Struts as the one used in the breach. Struts is a popular web software, but security issues have frequently arisen. The flaw in Struts that was used by the hackers had actually been patched by the time hackers used it against Equifax — the patch was released mid-March, while the breach was in May. But the patch had to be individually applied for all the web applications using Struts on the server, a process that takes time and effort. According to the Equifax post, the company is still working on determining which accounts the hackers actually accessed. While the attackers could potentially have taken Social Security numbers and other personal information on as many as 143 million Americans, it is still unclear how many they actually accessed.

To read the rest of our piece, click here.

–DEM WANTS FREEZE FEES FROZEN, PLEASE: The top Democrat on the Senate Finance Committee on Thursday released a bill to ban credit reporting agencies from charging customers for credit freezes, following the massive Equifax data breach. Equifax stoked controversy by continuing to charge customers the fee to freeze their account, despite being the company at the center of the breach. Offered by Sen. Ron Wyden (Ore.), the Free Credit Freeze Act would prevent credit reporting agencies such as Equifax from charging customers to freeze their credit accounts, a tool meant to prevent identity theft and fraud. “Companies like Equifax that have stockpiled massive, insecure databases of Americans’ most sensitive personal data must make security the top priority at every single stage,” Wyden said. “Given the frequency of these mega breaches, it is simply unacceptable for the credit agencies to continue to charge hardworking Americans who want to protect their credit and their identity from fraudsters.”

To read the rest of our piece, click here.

–OTHER DEMS TARGET COMPANY’S DATA BROKERAGE ARM: Sen. Ed Markey (D-Mass.) introduced legislation Thursday that would press data broker companies, including recently breached credit report company Equifax, to implement better privacy and security practices. “We need to shed light on this ‘shadow’ industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans,” Markey said of his “Data Broker Accountability and Transparency Act” in a press release. The Equifax breach gave hackers potential access to the personal information of as many as 143 million Americans. Though best known for credit reports, Equifax is also a data broker, selling the data it amasses to advertisers to aid in targeted advertisements and services. The bill, co-sponsored by Sens. Richard Blumenthal (D-Conn.), Al Franken (D-Minn.) and Sheldon Whitehouse (D-R.I.), would mandate “comprehensive” privacy and security programs at data brokers and allow the public to opt out of having their data included in data sales.

To read the rest of our piece, click here.

— BE WARY OF SCAMS: The government is warning Americans about scammers looking to capitalize on the recent Equifax data breach through fraudulent emails or phone calls. The Federal Trade Commission (FTC) issued an alert Thursday warning consumers to beware of phone calls from individuals purporting to be Equifax representatives asking for account or personal information. “Don’t tell them anything,” the alert says. “That’s just one scam you might see after Equifax’s recent data breach.” The Department of Homeland Security’s computer emergency readiness team distributed a related warning cautioning individuals “to be wary of calls or emails purporting to be from Equifax agents.” The government is directing individuals to report any fraudulent calls or emails to the FTC.

To read the rest of our piece, click here.

A LIGHTER CLICK:

POOR COMMUNICATION SKILLS are as American as baseball.

WHO’S IN THE SPOTLIGHT:

EUGENE KASPERSKY: The CEO, founder and namesake of Kaspersky Lab will testify before lawmakers. He was invited one day after the U.S. government barred federal agencies from using software produced by the Russian-origin cyber firm over national security concerns.

Republicans on the House Science Committee wrote to Eugene Kaspersky on Thursday asking him to testify at a subcommittee hearing on September 27.

“The purpose of this hearing is to conduct oversight of the cybersecurity posture of the federal government, and examine the extent to which the federal government utilizes your company’s products,” Rep. Darin LaHood (R-Ill.), chairman of the subcommittee on oversight, wrote in the letter to Kaspersky.

A committee aide said that the hearing will examine risks that Kaspersky products pose to U.S. information systems. On Wednesday, the Department of Homeland Security banned federal use of Kaspersky Lab software.

Kaspersky has been in the spotlight for months over allegations of ties between the company and Russian intelligence.

To read the rest of our piece, click here.

…MEANWHILE, RUSSIA ISN’T THRILLED:

In a statement, the Russian Embassy in the United States labeled the decision “regrettable” and signaled that it would hurt prospects for better ties between the two nations, according to Reuters.

“These steps can only evoke regrets. They only move back the prospects of bilateral ties recovery,” the embassy said late Wednesday.

To read the rest of our piece, click here.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Gowdy: Huckabee Sanders doesn’t get say in whether Comey broke law (The Hill)

Data on 600,000 Alaskan voters was exposed online. (The Hill)

Lindsey Graham would subpoena James Comey if he doesn’t come testify at his committee voluntarily. (The Hill)

Former CIA Deputy Director Michael Morell resigned Thursday from his post as a senior fellow at the Harvard Kennedy School after the school gave leaker Chelsea Manning a fellowship. (The Hill)

A legal start up will pay you to sue Equifax. (Motherboard)

Don’t forget about the 200,000 credit card numbers also vulnerable in the Equifax breach. (Krebs)

Samsung launched a bug bounty. (ZDNet)

If you’d like to receive our newsletter in your inbox, please sign up here.