The security issues with the Apple/Google virus tracking project


With help from Eric Geller, Martin Matishak, Melissa Heikkilä, Cristiano Lima and Daniel Lippman

Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.


A coronavirus contact-tracing initiative from Apple and Google has some privacy and security landmines to navigate.

An advocacy group urged the Federal Energy Regulatory Commission to move ahead with cybersecurity standards despite calls to move back the timing.

A top U.N. official called for a “digital cease-fire” as the world contends with coronavirus, especially because of the need to safeguard health care organizations and employees.

HAPPY MONDAY and welcome to Morning Cybersecurity! So relatable. “If a hacker gets a hold of a Zoom, what can they tell?” Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.


TRACKING DOWNSIDES — A joint Apple-Google project to track coronavirus exposure risks announced last week has sparked privacy and security fears even as some lawmakers are willing to give the tech giants some leeway. “Tech companies’ new feature to contact trace coronavirus cases has positive potential, but we must ensure privacy concerns are considered,” tweeted House Energy and Commerce Chairman Frank Pallone (D-N.J.). “I’ll be following this closely to ensure consumer privacy is protected.” Rep. Jan Schakowsky (D-Ill.), who chairs E&C’s consumer protection subcommittee, echoed the sentiment.

Some security experts said that although the plan features safeguards, they aren’t adequate given the nature of the information at play. “Phone data has NEVER been proven secure and the chance of release is above 0%,” observed Sergio Caltagirone, vice president of threat intelligence for Dragos. “In fact, this is so juicy I’d argue there will be lots of baddie[s] who are interested in finding ways to leak this.” Matt Tait, a cyber fellow at the University of Texas at Austin, spelled out a slew of other potential problems.

Jennifer Granick, surveillance and cybersecurity counsel for the ACLU, credited the two companies for steps to mitigate risk but said there was “room for improvement.” “These systems also can’t be effective if people don’t trust them,” she said. “People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”

Former Vice President Joe Biden, the presumptive Democratic nominee, broadly touched on the issue in his newly released proposal to “safely reopen America.” In a New York Times op-ed outlining his plan, Biden calls for a “contact tracing strategy that protects privacy.” And Apple and Google reportedly will work with the U.K., too.

NOT SO SLOW — The coronavirus pandemic isn’t a reason to significantly delay supply chain cybersecurity standards for electric grid utilities, the grid resilience advocacy group Protect Our Power told FERC late last week. The North American Electric Reliability Corp. wants FERC to delay the deadline for complying with the cyber rule and other new regulations, saying compliance could disrupt operations at a critical time. But in comments filed Thursday with FERC, Protect Our Power said NERC’s requested three-month delay “may not be justified or necessarily be in the public interest.” Instead, it asked FERC to only grant a 30-day extension. “This approach would acknowledge the time lost by utilities due to the coronavirus pandemic,” the group said, “but otherwise require the industry to continue to treat the supply chain security issue with the importance and seriousness it deserves.”

In requesting a 90-day delay, NERC argued that the extra time “would allow entities to recover from” coronavirus-related strains, but Protect Our Power said such a long recovery window likely wasn’t necessary. Given that FERC issued the supply chain standard 15 months ago, the group said, “many or most utilities may already be prepared to comply with it by the current July 1 deadline.” A shorter delay, it said, “would also prevent us from having one crisis, the pandemic, unnecessarily cause us to lose focus and a sense of urgency about another crisis, supply chain risk.”

CYBER CEASE-FIRE — The United Nations’ undersecretary-general on Friday published an op-ed calling for a worldwide “digital cease-fire” during the coronavirus pandemic. “When launched successfully, digital attacks are catastrophic and can lead to loss of life,” wrote Fabrizio Hochschild. In particular, health care workers and hospitals battling Covid-19 shouldn’t have to question whether their data and medical equipment are secure or worry about them being shut down. “We must commit to an immediate digital cease-fire, and governments, civil society groups, and the private sector must set the tone. Without this step, our global response to the pandemic will be weakened,” according to Hochschild.

ALL I WANNA DO IS ZOOM-A-ZOOM-ZOOM-ZOOM — The top Republican on the House Oversight panel on Friday called for majority Democrats to abandon usage of the Zoom video conferencing service, citing security issues. “Given the concerns surrounding Zoom’s security, it is clear Zoom is not an appropriate platform for Committee business, which may be particularly sensitive during the COVID-19 pandemic,” wrote Rep. Jim Jordan (R-Ohio). “Please immediately suspend any current or future use of Zoom systems for official committee activities and take immediate steps to evaluate the Committee’s internal cybersecurity preparedness to prevent hackers from accessing sensitive committee information through the Zoom platform.”

Jordan cited the Senate sergeant at arms’ warning last week for offices to stop using it, broader hacking and malware concerns, and Zoom work done by employees in China as causes to suspend use. Jordan said House Oversight Democrats had been “Zoom-bombed,” something Democrats denied.

“Rep. Jordan’s office was consulted directly and repeatedly about using Zoom and never raised any concerns, so it’s unfortunate that he is now putting out inaccurate information in this public letter,” said Chairwoman Carolyn Maloney (D-N.Y.). “Had his office consulted with us first, we could have clarified their misunderstandings and provided more information about the steps the Committee has already taken to address any potential issues.” She said the committee would continue to use a “number of different technologies” to fulfill its responsibilities. The House was already “reevaluating” whether the chamber should switch to a government-specific form of Zoom.

EDGAR RIGHT — The SEC announced last week that it has settled charges with two traders accused of profiting by exploiting sensitive corporate earnings information hacked from its EDGAR system. David Kwon of California settled for $165,474 that represented the profits from his alleged illegal trades, and $16,254 in interest; Igor Sabodakha of Ukraine settled for $148,804 in profits, prejudgment interest of $20,945 and a civil penalty of $148,804, plus the SEC said it would dismiss charges against his wife, Victoria Vorochek, whose accounts he allegedly used to conduct trades.

The EDGAR hack generated considerable interest from Congress when the SEC disclosed it in 2017, with some lawmakers pointing to their prior concerns about SEC vulnerabilities. The SEC charges against seven individuals and two entities filed in 2019 were accompanied by criminal charges against two other men.

CRITICAL SAFETY AND PRIVACY FLAWS IN CONNECTED CARS — Drivers beware: Your rides are vulnerable to digital saboteurs. Some of Europe’s most popular connected car models have crucial security flaws that allow intruders to access personal data such as passwords and location history as well as components that control key functions such as collision-warning systems and tire air pressure, according to an investigation by British consumer group Which?.

By lifting the Volkswagen badge on the front of the car, researchers say they were able to access the vehicles’ front radar module, which controls its collision-warning system, according to our friends at POLITICO Europe’s Cyber Insights. Using a cheap laptop and a £25 gadget bought from online marketplace Amazon, the researchers also hacked into the Ford Focus’ system monitoring air pressure in tires. The investigators also got access to personal data such as Wi-Fi passwords, phone contacts and location history.

TWEET OF THE WEEKEND — And then Zoom keeps doing stuff like this.
