Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
PENTAGON HAD CLASSIFIED DATA IN LEAKY CLOUD STORAGE: Classified data on a joint program run by the National Security Agency (NSA) and the Army was posted to an unsecured Amazon cloud account according to researchers at cybersecurity firm Upguard. Anyone on the internet with knowledge of the URL could access its contents.
…LABELLED ‘NOFORN’: The bucket, Vickery says, held dozens of viewable files, including a downloadable virtual hard drive used for secure communications within the federal government. When opened, the file revealed data labeled with the classification “NOFORN” — indicating that the information was too secretive to even be shared with foreign government allies. The documents appear to relate to a failed intelligence sharing system developed for the Army.
{mosads}
…NOW TAKEN DOWN (PHEW!): According to Upguard, the unsecured server contained data which appeared to belong to the U.S. Army Intelligence and Security Command, a military intelligence and information operations unit jointly run by the Army and the NSA. Upguard security expert Chris Vickery notified the Pentagon of the data exposure in late September and was informed on Oct. 10 that the exposed data was secured. The owner of the storage bucket, however, remains unknown.
To read the rest of our piece, click here.
A LEGISLATIVE UPDATE:
A House Democrat is calling on the FBI to brief Congress for apparently deciding not to notify victims hacked by the same Russian group believed to be behind leaked Democratic Party emails.
In a letter to FBI head Christopher Wray, Rep. Ted Lieu (D-Calif.) cited a recent Associated Press report that the vast majority of government-employed hacking targets of the Russian phishing campaign that ensnared Hillary Clinton campaign chief John Podesta were not notified by the bureau of the attacks.
“I respectfully request that you brief Members of Congress on the FBI’s reasoning for maintaining its silence and detail the Bureau’s policy regarding the notification of Cyber intrusions affecting current or former U.S. government officials,” Lieu wrote.
To read the rest of our piece, click here.
A LIGHTER CLICK:
THE WEIRD, HIDDEN SUBTEXT OF SANTA BRINGING YOU H&M CLOTHES THIS YEAR.
LISTEN TO THE HILL’S NEW TWICE-DAILY PODCAST:
In today’s Hillcast PM View, the daily evening update on what went down in Washington: Democrats nix a scheduled White House meeting after a Trump tweet raised the specter of a shutdown; the GOP makes progress on some major tax obstacles; and a court prepares to rule on who really runs the Consumer Financial Protection Bureau. Host Niv Elis talks to The Hill’s Scott Wong, Naomi Jagoda, and Sylvan Lane about what happened today on Capitol Hill. Listen here.
And subscribe here to all of The Hill’s new podcasts: Apple Podcasts | Soundcloud | Stitcher | Google Play | TuneIn
A REPORT IN FOCUS:
HEALTH-CARE EMAIL IS SICK: A new study shows more than half of emails that appear to be from health-care providers are fraudulent.
The email protocol was not designed to check if the return address on a message is accurate. Any sender name or email address can be placed on a message. An add on protocol known as DMARC can be installed to double checks if emails are authentic, but not all web domains use it.
Agari, which provides email security using DMARC, found that just under 57 percent of the emails purporting to be from any of the more than 1,911 health-care websites it protects were fraudulent. That data comes from the rate Agari sites labeled emails as fake.
Agari checked DMARC usage across the health-care industry in firms with revenue over $1 billion. Only 2 percent of companies had both installed DMARC and set DMARC to either delete fraudulent messages or send them to spam.
Agari conducted the study, released Tuesday, in conjunction with the Global Cyber Alliance and the health threat information-sharing group, the NH-ISAC.
To read the rest of our piece, click here.
WHO’S IN THE SPOTLIGHT:
THE EPA: A limited government advocacy group claims in a lawsuit filed Tuesday that the Environmental Protection Agency (EPA) has failed to respond to open records requests for documents related to employee use of encrypted messaging.
Politico first reported in early February that EPA employees were using the encrypted messaging app Signal to determine how to respond to a feared purge of climate science from the then-new Trump administration. Depending on the content of the conversations, those chats may run afoul of record-keeping laws.
The Cause of Action Institute — a group aligned with GOP mega-donors Charles and David Koch — filed several Freedom of Information Act requests for documents relating to the Signal messages, including in August and September for records from software that could detect the Signal app on phones. According to the group, the EPA has not responded either of those requests.
The institute, which already filed a lawsuit over the documents requested in August, submitted another suit on Tuesday in the Washington, D.C. federal court to compel the release of documents from both requests.
To read the rest of our piece, click here.
IN CASE YOU MISSED IT:
‘Links from our blog, The Hill, and around the Web.
Nine in ten firms failed to patch problems in the software package that felled Equifax. (The Hill)
Community banks file lawsuit against Equifax over breach (The Hill)
FCC honcho Ajit Pai slammed tech companies that back net neutrality. Also Cher. Ajit Pai slammed Cher. (Recode)
…You really shouldn’t mess with someone who has their own Navy. (YouTube)
…Meanwhile, India is now backing net neutrality. (Motherboard)
The Government Accountability Office found that the Office of Management and Budget has gotten lax about auditing IT spending, and may be sacrificing billions in dollars saved by oversight. (FCW)
A judge accused Uber employees of withholding evidence in Google’s Waymo lawsuit. (CNBC)
If you’d like to receive our newsletter in your inbox, please sign up here.