Overnight Cybersecurity: Researchers spot big Wi-Fi security flaw | DHS moves to boost email security | Supreme Court to hear Microsoft data case

by Morgan Chalfant - 10/16/17 4:34 PM ET

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–RESEARCHERS SPOT MAJOR WI-FI SECURITY FLAW: A flaw in the Wi-Fi protocol used to connect laptops and smart devices to networks could leave wireless networking vulnerable to eavesdropping. The security issue was discovered by Mathy Vanhoef at the Katholieke Universiteit Leuven in Belgium. It was announced Monday morning in advance of being presented at two major conferences, but the United States Computer Emergency Response Team sent out a notice to impacted parties to be ready for the release of the research. Vanhoef has nicknamed his discovery “KRACK” short for “Key Reinstallation Attacks.” Since the flaw is in the protocol, it likely affects all hardware and software that properly implement the WPA2 standard used in modern wireless networking. Vanhoef said that devices can be patched against KRACK, making it imperative to update all phones, laptops and other products that use Wi-Fi.

To read the rest of our piece, click here.

–DHS MOVES TO BOOST FEDS’ EMAIL SECURITY: The Department of Homeland Security (DHS) announced Monday that it would increase security for anyone receiving email from federal agencies or visiting a federal website. At a meeting coordinated by DHS, the New York District Attorney’s Office and the Global Cyber Alliance, Assistant Secretary Jeanette Manfra announced the department would issue a binding directive requiring agencies to use two security protocols — DMARC, which prevents fraudsters from sending fake emails, and HTTPS, which encrypts web traffic. “Both the government and our citizens … deserve a trusted relationship,” said Manfra.

To read the rest of our piece, click here.

–SCOTUS TO HEAR DOJ PETITION IN MICROSOFT DATA CASE: The U.S. Supreme Court has agreed to hear the Department of Justice (DOJ)’s challenge in an ongoing legal battle over whether data stored by American companies overseas is covered by a U.S. warrant. The Supreme Court disclosed in its order list released on Monday that it will take up the case, U.S. v. Microsoft, in which federal investigators sought data from Microsoft that was stored on servers in Ireland. The case hinges on whether a U.S. warrant can compel American companies to turn over data stored on servers outside the United States. A lower court ruled last year that it does not, meaning that the DOJ needs to follow the same procedures used to obtain physical evidence stored outside the United States. In December 2013, the U.S. government issued a warrant in connection with an ongoing criminal narcotics investigation to seize data contained in an email account of a Microsoft customer. Microsoft refused to turn over the emails associated with the account, which were stored on servers in Ireland, spurring a legal battle that has dragged on for four years. The DOJ filed a motion to take the case to the Supreme Court in June.

To read the rest of our piece, click here.

A LEGISLATIVE UPDATE: LAWMAKERS FORMALLY INTRODUCE BILL ALLOWING HACKING VICTIMS TO ‘HACK BACK’: Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced a bill Friday that would allow hacking victims to “hack back” when attacked.

The Active Cyber Defense Certainty Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files.

“While it doesn’t solve every problem, [the legislation] brings some light into the dark places where cybercriminals operate,” Graves said in a statement.

“The certainty the bill provides will empower individuals and companies [to] use new defenses against cybercriminals,” he said. “I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”

The bill, which has been in the works for several months, does not allow counterattackers to destroy anything other than their own stolen files and requires that someone “hacking back” under the bill’s provisions notify the FBI National Cyber Investigative Joint Task Force.

Traditionally, the phrase “active defense” is used to describe measures that slow hackers through deception or movement of files — not hacking an attacker.

Many people working in the cybersecurity field worry that hacking back will create more problems.

“There’s a very pragmatic question — can you reasonably expect someone to go guns blazing and not harm the wrong computers?” said Jen Ellis, vice president of community and public affairs at the security firm Rapid7. “It is easy to inadvertently damage systems, lots of attacks leverage third-party assets that were also hacked, and the vast majority of us don’t have the resources to properly attribute a hacker and go after the correct system.”

Graves said he appreciated both sides being involved in the debate, but the bill was necessary to level the playing field in cyberattacks.

To read the rest of our piece, click here.

A LIGHTER CLICK: Russia’s troll army learned from “House of Cards.” (Yahoo News)

A REPORT IN FOCUS: G-7 SPOTLIGHTS FINANCIAL SECTOR CYBERSECURITY: The finance ministers and central bank governors of the Group of Seven (G-7) countries released a report on the fundamental elements for assessing effective cybersecurity in financial sector on Friday. It’s part of an effort to “build greater financial system resilience by supporting private and public entities as they design and implement cybersecurity policies and operating frameworks.”

The report outlines five “desirable outcomes” with respect to cybersecurity practices at financial organizations, as well as recommendations for promoting effective cybersecurity assessments.

The report recommends, for example, that financial organizations establish clear cybersecurity assessment objectives and report findings and ways to fix problems uncovered by the assessment.

“A secure, safe, and strong financial sector is essential to promote real growth within the U.S. economy and across the world. Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency,” Treasury Secretary Steve Mnuchin said in a statement.

“Technology has become the global engine driving innovation and economic growth, and it provides a channel for the financial sector to engage customers and counterparties. However, this trend brings increased cyber risk, which is real, dynamic, and evolving,” Mnuchin said.

The G-7 Cyber Expert Group, established in 2015, is chaired by the Treasury Department and the Bank of England.

To read the full report, click here.

WHAT’S IN THE SPOTLIGHT: ELECTION SECURITY: The Department of Homeland Security (DHS), the Election Assistance Commission (EAC), representatives of the National Association of Secretaries of State (NASS), and state and local election officials met on Saturday as part of an ongoing effort to secure election infrastructure ahead of upcoming votes.

The federal, state and local officials convened the first-ever Government Coordinating Council on election infrastructure, according to a DHS release on the meeting, in order to discuss security and resilience efforts with regards to election infrastructure.

DHS designated polling places, voter databases, and other election-related infrastructure as “critical infrastructure” at the start of this year, opening it up to federal protections if state and local officials request help. The move proved controversial and was opposed by many state and local election officials.

The department’s election infrastructure protection efforts have been in the spotlight in the wake of Russia’s interference in the 2016 presidential election, which involved targeting election-related systems in 21 states.

“Today’s council meeting shows the seriousness with which federal, state and local officials take the threats to election infrastructure, and the level of cooperation taking place to address it,” Bob Kolasky, acting deputy undersecretary of DHS’s National Protections and Programs Directorate, said in a statement. “State and local officials have already taken a number of steps to improve the security of the nation’s elections, and under the Government Coordinating Council we will be able to further leverage resources and our collective expertise.”

In a separate statement released Monday, Indiana Secretary of State and NASS President Connie Lawson noted DHS’s “controversial” decision to designate election infrastructure as critical but insisted the secretaries of state have engaged with federal officials to “ensure that the designation does not have a negative impact, thereby helping to increase public confidence in our elections process.”

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Equifax gets a John Oliver roasting. (The Hill)

State espionage group exploited Flash vulnerability, research says. (The Hill)

McCaskill wants answers after military and intelligence personnel files exposed. (The Hill)

ShadowBrokers hacking group cuts prices, lobs more insults. (The Hill)

Officials defend expiring surveillance law. (The Hill)

Clinton refers to Russian election interference as ‘cyber 9/11.’ (The Hill)

Telegram fined after refusing to provide user data to Russia (Endgaget)

Facebook is looking to recruit staff with national security clearances. (Bloomberg)

Iran is accused of cyberattacks on British members of parliament. (The Times)

White House cyber czar Rob Joyce now has two jobs. (CyberScoop)