Overnight Cybersecurity: Yahoo surveillance software sparks outrage
--UNMITIGATED FURY!: Privacy advocates were quick to register outrage after a report published Tuesday revealed that Yahoo developed software to help U.S. intelligence search its customers' incoming emails. "If true, the government's directive to Yahoo to write a software program and search all of its customers' incoming emails for certain content is a gross abuse of federal power," Rep. Ted Lieu (D-Calif.) said in a statement. "Private sector companies and private citizens are not an arm of law enforcement or an extension of our intelligence agencies." Sen. Ron Wyden (D-Ore.) said that the National Security Agency has an obligation to notify the public if it is using new methods of intelligence targeting. Amnesty International said it represented "the failure of US government reforms to curb NSA's tendency to try and indiscriminately vacuum up the world's data." And the list goes on... According to Reuters, Yahoo allegedly developed a program to scan incoming email and attachments for key phrases to comply with a classified directive sent to Yahoo's legal team. The report indicates that the software was developed without consultation with Yahoo's security team, including prominent then-Chief Information Security Officer Alex Stamos. Reuters says Stamos left the company after his team discovered the surveillance software, which they initially believed to be hackers attacking the system. The report also says that employees were disappointed that chief executive Marissa Mayer decided to accept the 2015 directive and not challenge the order in court. To read our full piece, click here. To read the response from the ACLU, click here.
--IF YOU STAYED UP TILL 4 AM: ...you were likely very annoyed with Julian Assange. A Tuesday morning WikiLeaks event in Berlin did not produce the "#OctoberSurprise" to derail Democrat Hillary Clinton's presidential campaign that many had expected, but Assange said he would release more documents before Election Day. "I've seen the internet, and I understand there is enormous expectation in the United States," said Assange, the site's editor, via video conference at the event, celebrating the 10-year anniversary of WikiLeaks held at 10 a.m. Berlin time. "Some of that expectation will be addressed [when I announce upcoming projects]. But you should understand that if we're going to make a major publication in relation to the United States at a particular hour, we don't do it at 3 a.m." Many observers believed that Assange had planned to announce a post with damning evidence of corruption, wrongdoing or other scandal. Assange did announce that the site had more than 1 million documents it planned to release before the end of the year, including documents on weapons, oil, Google, surveillance and the 2016 elections. He promised the election documents would be released before Nov. 8. To read our full piece, click here.
A LIGHTER CLICK:
--WHO KNEW? ... she said, reaching for the Chex Mix.
A (NON) HACK IN FOCUS:
--HE'S BACK. (SORT OF.) (NOT.) A new posting from the hacker alias Guccifer 2.0 purported to be documents stolen from the Clinton Foundation appears to be a hoax.
Guccifer 2.0 -- believed to be a misinformation campaign operated by Russian intelligence -- posted an 860-megabyte file on Tuesday afternoon that he claimed was donor information he hacked from Clinton Foundation servers.
A sampling of the posted documents includes a spreadsheet of big bank donations, a list of primarily California donors, an outdated spreadsheet of some Republican House members -- and a screenshot of files he claimed to have obtained, one of which was titled "Pay to Play."
But there are a number of red flags that suggest the documents are in fact from a previous hack on the Democratic Congressional Campaign Committee, not a new hack on the Clinton Foundation.
A spot check of some of the people on the donor list against FEC filings found that they all lined up with DCCC contributions.
To read our full piece, click here.
WHAT'S IN THE SPOTLIGHT:
--INSULIN PUMPS. A popular brand of insulin pumps appears to have security vulnerabilities that cannot be fixed through simple software updates.
Johnson & Johnson's Wi-Fi-enabled Animas OneTouch Ping system does not encrypt data or use time codes when users send commands to the device. An attacker could record a command to administer an irregular amount of insulin and replay it, throwing a diabetic off a course of medication.
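The replay problem described above comes from commands that carry no authentication and no freshness information: the device cannot distinguish a recorded frame from a fresh one. The following is an added example, not code from the page, from Johnson & Johnson or from Rapid7, and it models a hypothetical remote-to-pump command format rather than the real OneTouch Ping protocol. It contrasts a plain command frame (accepted however many times it is received) with one that carries a monotonically increasing counter and an HMAC under a pre-shared key, which lets the device reject both replays and altered doses. The opcode, frame layout and key are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed pre-shared key for the demo; a real pairing would derive a per-device key.
SHARED_KEY = b"constructed-demo-key-not-for-real-devices"

CMD_BOLUS = 0x01  # hypothetical opcode: deliver a bolus of N * 0.1 units


def encode_plain(opcode: int, tenths_of_unit: int) -> bytes:
    """Unauthenticated command, as the page describes: opcode + dose and nothing else."""
    return struct.pack(">BH", opcode, tenths_of_unit)


class PlainPump:
    """Accepts any well-formed frame; a recorded frame looks identical to a fresh one."""

    def __init__(self) -> None:
        self.delivered = []  # doses the pump acted on, in tenths of a unit

    def receive(self, frame: bytes) -> bool:
        opcode, dose = struct.unpack(">BH", frame)
        if opcode != CMD_BOLUS:
            return False
        self.delivered.append(dose)
        return True


def encode_authenticated(opcode: int, tenths_of_unit: int, counter: int,
                         key: bytes = SHARED_KEY) -> bytes:
    """Command bound to a counter and authenticated with a truncated HMAC-SHA256 tag."""
    body = struct.pack(">BHQ", opcode, tenths_of_unit, counter)  # 11 bytes
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag


class AuthenticatedPump:
    """Verifies the tag first, then requires the counter to advance past the last one seen."""

    BODY_LEN = 11
    TAG_LEN = 16

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.last_counter = 0
        self.delivered = []
        self.rejected = []  # reasons for rejected frames, for logging/detection

    def receive(self, frame: bytes) -> bool:
        if len(frame) != self.BODY_LEN + self.TAG_LEN:
            self.rejected.append("malformed")
            return False
        body, tag = frame[:self.BODY_LEN], frame[self.BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            self.rejected.append("bad_mac")
            return False
        opcode, dose, counter = struct.unpack(">BHQ", body)
        if counter <= self.last_counter:  # already seen, or older than the last accepted
            self.rejected.append("replay")
            return False
        if opcode != CMD_BOLUS:
            self.rejected.append("unknown_opcode")
            return False
        self.last_counter = counter
        self.delivered.append(dose)
        return True


def demo_plain() -> list:
    """The same 2.0-unit frame heard twice is acted on twice."""
    pump = PlainPump()
    frame = encode_plain(CMD_BOLUS, 20)
    pump.receive(frame)
    pump.receive(frame)  # identical bytes seen again on the air
    return pump.delivered


def demo_authenticated() -> dict:
    """Replay and a modified dose are rejected; a fresh, correctly numbered frame is accepted."""
    pump = AuthenticatedPump()
    frame = encode_authenticated(CMD_BOLUS, 20, counter=1)
    first = pump.receive(frame)
    replay = pump.receive(frame)            # counter 1 again -> rejected as replay
    tampered = bytearray(frame)
    tampered[2] ^= 0xFF                     # flip the low dose byte -> tag no longer matches
    forged = pump.receive(bytes(tampered))
    later = pump.receive(encode_authenticated(CMD_BOLUS, 5, counter=2))
    return {"first": first, "replay": replay, "forged": forged, "later": later,
            "delivered": list(pump.delivered), "rejected": list(pump.rejected)}


if __name__ == "__main__":
    print("plain pump delivered:", demo_plain())
    print("authenticated pump:", demo_authenticated())
```

Two design points worth noting. Encryption on its own would not close this gap: a recorded ciphertext replays just as well as plaintext, so the fix is an authentication tag bound to a freshness value (a counter here, a time code in the article's wording) and a device-side record of what has already been accepted. Keeping the rejection reasons, as the `rejected` list does, also gives the device something to log, since a burst of "replay" or "bad_mac" events is a useful signal that someone is interfering with the link.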
The vulnerabilities were discovered by Jay Radcliffe, a senior security consultant with the security firm Rapid7. Radcliffe first gained some acclaim in 2011 when he demonstrated how to remotely disable his prescribed insulin pump. The OneTouch Ping, like the pump in the 2011 demonstration, is the brand of insulin pump he uses in real life.
"After 2011, I needed a new pump because my old one was out of warranty. I spent the last three and a half years on and off researching vulnerabilities in this one," the researcher said, quickly clarifying that age -- and not his tinkering -- ended the old warranty.
Radcliffe notified Johnson & Johnson in April about the security problems, and the two have worked together to find a way to mitigate them.
To read our full piece, click here.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
An encrypted communications application popular with digital security advocates received its first ever subpoena from a federal grand jury earlier this year, it revealed on Tuesday. (The Hill)