Will SCOTUS narrow CFAA?


With help from Eric Geller, Martin Matishak, Cristiano Lima and Leah Nylen

Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

The Supreme Court could narrow the scope of the 1986 law that to this day still is the main avenue for federal hacking prosecutions.

MC exclusive: An activist group is asking Oregon to investigate mobile voting firm Voatz for violating state law.

“Bad bots” and unwanted emails using the keywords “Covid” or “corona” are on the rise, research out today found.

HAPPY TUESDAY and welcome to Morning Cybersecurity! Listen, all y’all, it’s a sabotage. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

POLITICO Pro is here to help you navigate these unprecedented times. Check out our new Covid-19 Coverage Roundup, which provides a daily summary of top Covid-19 news coverage from across all 16 federal policy verticals as well as premium content, such as DataPoint graphics. Please sign up at our settings page to receive this unique roundup sent directly to your inbox every weekday afternoon.

Sign up for POLITICO Nightly: Coronavirus Special Edition, your daily update on how the illness is affecting politics, markets, public health and more.

SCOTUS DIGS CFAA CASE — The Supreme Court on Monday agreed to hear a major case involving the 1986 Computer Fraud and Abuse Act that could, for the first time, redefine the chief federal law used in hacking prosecutions. One expert who has studied the law extensively believes the court is likely to narrow the law, which critics have long viewed as overly broad.

The Supreme Court in the past few years has issued decisions narrowing federal criminal law, such as in McDonnell v. United States and Yates v. United States, observed Orin Kerr, a professor at the University of California Berkeley School of Law. The case, Van Buren v. United States, asks whether a police officer “exceeded authorized access” to a license plate database to look up information for someone who was not in law enforcement in return for money. The officer, Nathan Van Buren, was convicted of violating CFAA and that ruling was upheld by an appeals court.

Kerr told MC he thinks the government knows it doesn’t have a winning hand on CFAA. The circuit courts have been split on how broadly to interpret CFAA in past cases. “It’s interesting the government has had the opportunity to seek review in the Supreme Court” but “did not do so,” Kerr said. “They can read those cases, too.”

The likeliest outcome, according to Kerr: The Supreme Court votes to narrow the law, and Congress writes legislation to govern criminal penalties for government employees who misuse sensitive databases. “They don’t have that law and they need that law,” Kerr said. Critics of CFAA, including Kerr, say the law as currently written could criminalize a wide range of common internet behaviors.

FIRST IN MC: NEW PRESSURE ON VOATZ — The controversial mobile voting firm Voatz may have violated Oregon consumer protection law by making false claims about the security of its internet voting app, an activist group said in a letter to Oregon Attorney General Ellen Rosenblum. In urging Rosenblum to investigate the company’s behavior, Free Speech For People cited damning audits by researchers at MIT and Trail of Bits as well as Voatz’s “false, misleading or specious” pushback to those audits as evidence that it violated the Unlawful Trade Practices Act in Oregon, where two counties have pilot-tested its app. The letter also cited Voatz’s misrepresentation of a still-secret DHS audit and its refusal to release an audit performed by ShiftState Security. Susan Greenhalgh, Free Speech for People’s senior adviser on election security, and Ron Fein, its legal director, argued that “Voatz has been making false, misleading or deceptive claims to promote and sell its product.”

Voatz told MC it would “participate in any conversation with the AG’s office to resolve all questions.” A spokesperson added, “We’re believers that all technology should be considered, vetted, and tested carefully — including ours.” If Oregon opens an investigation, it would be merely the latest headache for the company. Already, the bad publicity from the excoriating security audits led West Virginia to cancel its partnership with Voatz for the state’s May 12 primary. In 2018, West Virginia became the first state to let military and overseas voters use Voatz in a live election.

“Voatz has been marketing its product with emphatic claims regarding security, but those claims don’t hold up in the light of the independent security reviews recently published,” Greenhalgh told MC. “It’s time to investigate to determine if those faulty claims could constitute a violation of law.”

BOTS GOT CAUGHT — Automated malicious activity accounted for a quarter of all internet traffic in 2019, an eye-popping figure that represents the rapid proliferation of so-called bad bots, the security firm Imperva said in a report out today. Unlike their legitimate counterparts such as Google’s web scraper, malicious bots power activities such as fraud and hacking. Roughly three-quarters of these bots are what Imperva calls “advanced persistent bots,” which are difficult to block because they “cycle through random IP addresses, enter through anonymous proxies, change their identities, and mimic human behavior.” “Bad bots” afflict many different industries but are especially widespread in education (where they hunt for research papers) and finance (where they breach accounts through credential stuffing), according to Imperva, which sells services to defend against automated attacks.

Tiny websites faced the largest share of bad bots as a percentage of their total visitors in 2019, Imperva said, followed closely by small sites. And bad bots most frequently impersonated human beings using Google Chrome, as they’ve done since 2015, a few years after Chrome became the most widely used browser. In fact, 79 percent of bad bots pretended to be desktop computer users in 2019, while only 13 percent pretended to be mobile device users. In more whimsical news, Imperva found that a tiny fraction of bots hasn’t been updated to mimic the latest browsers in a long time — some bots out there are still pretending to be human beings running Internet Explorer 5, which was released in 1999.

ANOTHER MEASURE OF A BIG RISE — Forcepoint observed over a half-million blocked malicious, spam and phishing emails with embedded URLs featuring “Covid” and “Corona” keywords each day from the end of March through last week, the company said in a report out today. The three-month examination looked at data beginning in January, with the numbers that month “negligible.”

BILL WOULD REQUIRE APP WARNING LABELS — First from our friends at Morning Tech: A House bill set to be introduced today would require consumers to click through a warning before downloading software or an app originating from countries deemed a national security risk, including China and Russia. It’s the latest congressional measure to target popular apps like the Russia-based FaceApp and TikTok, owned by the Beijing-based ByteDance, over privacy and security concerns. The standalone Online Consumer Protection Act, slated to be unveiled during today’s pro forma session by Rep. Jim Banks (R-Ind.), would empower regulators to level civil and criminal penalties against firms that fail to display the notice.

“Parents and consumers have a right to a warning that by downloading some apps like Russia’s FaceApp or China’s TikTok, their data may be used against the United States by an adversarial or enemy regime,” Banks, a member of the House Armed Services Committee, told MT. Sen. Rick Scott (R-Fla.) last year introduced a separate bill to require app distributors to disclose the origin of products on their online clearinghouses, citing growing concerns over the security of TikTok and FaceApp.

FTC MOVING FORWARD WITH ‘SAFEGUARDS RULE’ UPDATE — The FTC is working to make a planned May workshop on its cybersecurity rules for financial institutions into a virtual one, Andrew Smith, the head of the agency’s Bureau of Consumer Protection, said Monday. Last year, the agency proposed an update to the “Safeguards Rule” for the first time since it took effect in 2003. The rule, which was created by the Gramm-Leach-Bliley Act, requires financial institutions to take steps to protect the security of customer data and information.

The law applies not just to banks, but to any company that provides financial services, such as payday lenders, tax preparers, credit reporting agencies and ATM operators. Speaking at a virtual event hosted by the American Bar Association, Smith said the proposed refresh would add 12 new requirements, including that a company must have a designated individual responsible for security who reports to the board and must adopt encryption.

The FTC held a public comment period last summer and had scheduled a May 13 workshop to get further feedback on the proposal. “Our plan right now is to do that virtually,” Smith said of the workshop. “We are considering how we can accommodate everyone’s needs but continue apace with the rulemaking.”

ODNI SEEKS EXTENSION — The Office of the Director of National Intelligence is seeking more time to respond to requests from House Intelligence Chairman Adam Schiff (D-Calif.) about management of the clandestine community and election security efforts. “The committee is in discussions with ODNI about their response to the Committee’s oversight requests, since ODNI has indicated that they require additional time to respond,” according to a committee spokesman. Schiff had requested that the panel receive a written election security update by May 10, following reports that intel briefers in a classified congressional briefing last month had been instructed to downplay the threat of interference from Russia.

TWEET OF THE DAY — We are the virus, etc. etc.
