from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: September 23, 2016

Utter devastation at Yahoo as half a billion records are hacked

September 23, 2016

Utter devastation at Yahoo as half a billion records are hacked
Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

More on:

Digital Policy

Intelligence

Technology and Innovation

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. Mo’ cyber, mo’ problems. On Thursday, Yahoo announced that a hack nearly two years ago resulted in compromise of data of at least 500 million users. The company blamed a “state-sponsored actor” for the breach. The breach is almost certainly one of the largest in history. On the same day, hackers leaked Michelle Obama’s passport and details of Joe Biden and Hillary Clinton’s schedules, reportedly stolen from the Gmail account of a young Democratic operative, through DCLeaks.com, the same outlet that published Colin Powell’s personal emails earlier this month and allegedly the work of Russian intelligence. And the website of security journalist Brian Krebs was hit with a massive denial of service attack, so big that Akamai--who was offering Krebs protection from such attacks pro bono--stopped doing so. Krebs tweeted that the same entities also targeted his Skype and email accounts. But despite all the hullaballoo they cause, data breaches may not actually cost companies as much as many thought. A recent RAND Corporation study found that attacks like these typically have minor financial impacts—about $200,000 per incident.

2. ’Shadow Brokers’ got NSA exploits from server in the wild. Reuters reports that National Security Agency (NSA) hacking tools dumped on the internet last month by suspected Russian hackers were left on a server by careless employees. According to four anonymous sources, Shadow Brokers was able to compromise that server and obtained the hacking tools instead of relying on a NSA insider like former contractor Edward Snowden as some suspected. What’s more, the NSA has known about the breach since 2012, just after it happened, and has been monitoring the internet to detect their use, but did not detect any use against the United States or its allies. But as Nicholas Weaver points out, it is unlikely that the NSA has the ability to detect the exploits, which operate within Cisco and Fortinet firewalls, not on the web. Weaver criticizes the NSA’s "hubris" in knowing that the exploits had been stolen but not notifying manufacturers, calling it "evidence that the NSA is not dutifully discharging their role in defending our country from others who seek to exploit our systems."

3. IANA-clingers go out with a bang. Republican Senator Ted Cruz (TX) made a Hail Mary attempt this week to put a stop to the IANA transition, the move by the Obama administration to move control of the IANA functions, a set of clerical functions that keep the internet running smoothly, from the Department of Commerce to the Internet Corporation for Assigned Names and Numbers (ICANN). He got last minute help from GOP presidential candidate Donald Trump, whose campaign released a statement opposing the move. But despite the last minute effort, Congress moved forward with a continuing resolution that does not contain language blocking the move.

4. Tesla joins ranks of hacked cars. A team of researchers from Tencent’s Keen Security Lab announced the discovery of security vulnerabilities in the Tesla Model S, and posted a video showing them controlling the moving vehicle’s brakes, mirrors, windshield wipers, and trunk door. Tesla quickly released a software update after learning about the flaw, and noted that the security exploit was only feasible under very specific conditions. Hacks of cars—which came to the public consciousness last year when security researchers managed to remotely hack the brakes on a moving Jeep—have pushed the White House to issue guidelines for self-driving cars, as well as model legislation for states that wish to legalize automated vehicles. The Department of Transportation will also be releasing a list of best practices for improving vehicle cybersecurity.

More on:

Digital Policy

Intelligence

Technology and Innovation

Close