Overnight Cybersecurity

Hillicon Valley: Exclusive: Audit cleared Google’s privacy practices despite security flaw | US weapon systems vulnerable to cyber attacks | Russian troll farm victim of arson attack | US telecom company finds ‘manipulated’ hardware

Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.

Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Jacqueline Thomsen (@jacq_thomsen), and the tech team, Harper Neidig (@hneidig) and Ali Breland (@alibreland).

 

AUDIT CLEARED GOOGLE’S PRIVACY PROGRAM DESPITE SECURITY FLAW: An independent auditing firm signed off on Google’s privacy practices earlier this year after the internet giant had discovered a software bug that exposed private information on potentially hundreds of thousands of users.

The Hill obtained a redacted copy of the assessment conducted by the accounting firm Ernst and Young through a Freedom of Information Act request. The report concluded that Google had comprehensive privacy protections in place and that it was in compliance with a 2011 privacy settlement with the Federal Trade Commission (FTC).

The latest audit was submitted to the FTC in June and covered a two-year period: April 2016 through April.

“[Google’s] privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and have so operated throughout the Reporting Period,” Ernst and Young wrote in the audit.

On Monday, Google disclosed that it had discovered a security flaw in March, during the period covered by the audit. That security flaw gave third-party developers access to data on as many as 500,000 users of Google Plus, the company’s social media app.

Google said part of the reason it decided not to reveal the incident in March was because it could not determine the full effect of the exposure.

What it means: The audit is likely to raise new questions about how Google handled the potential breach and the criteria auditors are using to assess companies’ privacy policies.

And don’t forget about the regulators: The Google Plus incident could potentially lead to an FTC probe into whether the internet search giant violated the terms of the privacy settlement, which requires Google to clearly disclose all information sharing with third parties to users.


 

DON’T HACK MY WEAPONS SYSTEMS: The Department of Defense’s (DOD) weapon systems feature cyber vulnerabilities that leave them susceptible to attack, according to a new government report released Tuesday.

The Government Accountability Office (GAO) found in its audit of the Defense Department’s weapon systems that test teams were easily able to bypass measures meant to keep hackers out, and that in some instances just scanning for the vulnerabilities was enough to shut down the systems altogether.

The report also found that some agencies in the department were aware of some of the cyber vulnerabilities, but did not take steps to resolve them.

The GAO also determined that DOD does not know the full extent of the cyber vulnerabilities, because some of the tests on the systems were limited in scope or cut off early.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. 


 

BLOOMBERG FINDS MORE TO SUPPORT HACKING REPORT: A U.S. telecommunications company has reportedly discovered “manipulated” hardware from chip maker Super Micro.

The revelation comes days after a report said that motherboards made by the company were modified to let Chinese hackers into the computer systems that installed the chips.

Bloomberg reported Tuesday that Yossi Appleboum, a security expert working for the telecommunications company, gave the news outlet documents and analysis as evidence of the hardware manipulation.

Appleboum did not disclose the name of the telecommunications company because of nondisclosure agreements, according to Bloomberg.

The back and forth: Bloomberg reported a huge story last week that Super Micro’s chips had been compromised and later shipped to its customers, which included Apple, Amazon and government contractors. At some point in Super Micro’s supply chain, the Chinese government was able to modify the motherboards with small chips that would let them later hack into the hardware systems.

Apple, Amazon and Super Micro have vehemently denied that this is the case, but Bloomberg’s report today suggests that there are still questions.


 

A DIFFERENT KIND OF BURN: The office of an internet troll farm linked to election interference efforts by Russia’s government during the 2016 presidential election was set on fire in an arson attack early Tuesday morning, according to reports.

The Moscow Times reports that the office of the Kremlin-linked Internet Research Agency was set ablaze around 3 a.m. Tuesday local time by an unknown suspect who used a Molotov cocktail to start the fire.

Surveillance footage shows a window being broken by an unknown suspect, who sets the fire while a female employee flees the office, according to the Times. Police told Russian news outlet RBC that an investigation is underway.

An editor with Federal News Agency, one of about 16 websites operated by the Internet Research Agency that generate Russian-slanted news content, told the Times that the fire was likely related to the agency’s content, noting that other attacks have occurred.

“I believe this is tied to FAN’s activities,” chief editor Yevgeny Zubarev said. “We’re most often attacked online, but these types of attacks have already taken place offline.” 


 

FIGHTING BACK: An email group consisting of mostly private organizations and individuals, along with some U.S. law enforcement agencies, was recognized Tuesday for its efforts to combat so-called Nigerian email scams.

The email list, which includes U.S. federal agencies and prominent cybersecurity firms, is known as the Business Email Compromise (BEC) List and includes more than 530 participants. It was recognized by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) with the 2018 JD Falk Award on Tuesday.

The annual award is given to a project that both seeks to protect the internet and “embodies a spirit of volunteerism and community building,” according to a release.

The list founder Ronnie Tokazowski, a senior malware analyst for the security firm Flashpoint, first created the project about three years ago to fight against the email schemes.

The fraudulent emails often use phishing or malware to target victims. Members of the BEC list have helped track the different kinds of malware being used as well as the paths of the scams themselves. 


 

EX-OBAMA OFFICIAL JOINS LYFT: Lyft announced Tuesday that a former top Obama administration official will be joining the ride-hailing company’s ranks.

Anthony Foxx, Secretary of Transportation under former President Obama, will be Lyft’s new chief policy officer and adviser to the company’s co-founders.

The firm said Foxx would report directly to Lyft co-founder and president John Zimmer.

“Anthony’s unmatched experience and future-focused perspective will push us forward as we partner with cities and regulators to expand affordable mobility options, take cars off the road, and fundamentally change cities for the better,” Zimmer said in a statement.

Foxx, in his own statement, praised Lyft’s “collaborative approach to working with regulators,” and said that he was eager to help the company in this area.


 

THIS IS NOT THE CONTRACT YOU’RE LOOKING FOR: Google is no longer competing for a Pentagon cloud-computing contract worth up to $10 billion, saying in a statement that the contract may conflict with company principles.

A Google spokesman said in a statement obtained by Bloomberg that the company is “not bidding on the JEDI contract because first, we couldn’t be assured that it would align with our AI Principles.”

“And second, we determined that there were portions of the contract that were out of scope with our current government certifications,” the spokesman added.

Bids for the Joint Enterprise Defense Infrastructure (JEDI) contract are due from companies on Oct. 12. The project includes moving Department of Defense data to a commercially operated cloud system, according to Bloomberg.


 

JUSTICE DEPARTMENT CHARGES BLACK MARKET ADMINISTRATOR: “A French national who was serving at times as an administrator and senior moderator on one of the largest dark web criminal marketplaces was sentenced to 20 years in prison today, after previously pleading guilty to conspiracy to possess with the intent to distribute controlled substances and conspiracy to launder money,” the press release says.

 

A LIGHTER TWITTER CLICK: This trend is on the rise.

 

AN OP-ED TO CHEW ON: Voting systems not the only target in defending against cyberattacks on our elections.

 

NOTABLE LINKS FROM AROUND THE WEB:

Google transcript contradicts company’s testimony to Congress. (The Intercept)

After Charlottesville, white supremacists still have a safe place on Discord. (Slate)

Instagram will use machine learning to help tackle cyberbullying. (Gizmodo)

Google tried to beat Facebook and all it got was Facebook’s headache. (CNN Business)

Snap stock hits all-time low on report that it’s running out of cash. (CBS)