We're pleased to announce that our new subscription program, CyberWire Pro, will launch soon. For cyber security professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time and keep you informed. Learn more and sign up to get launch updates here.
Harnessing the power of one billion threat sensors worldwide, McAfee designs security fueled by Insights. MVISION Insights enables you to move beyond intelligence and empowers you to change your environment. Identify with Machine Learning. Defend and correct with Deep Learning. Anticipate with Artificial Intelligence. Move your security out of reactive mode to a proactive posture. McAfee, the device-to-cloud cybersecurity company. Go to McAfee.com/insights to learn more.
Iran fired a number of missiles at two US bases in Iraq last night--the Washington Post puts the total at “more than a dozen”--but the attack and the US reaction were sufficiently limited that, according to Foreign Policy, observers think both sides are signalling a desire for deescalation.
In any case no massive Iranian cyberattacks have so far materialized. There were some more low-level defacements of state government sites in Texas and Alabama, Vice reports, but these, like the weekend incident involving a Government Printing Office site, are generally regarded as low-grade operations by sympathizers as opposed to attacks organized and controlled from Tehran.
Most serious concerns about Iranian cyber operations center on possible threats to industrial control systems. Ars Technica has a story about how Tehran sought to recruit a US expert who worked to help Saudi Aramco remediate Iran’s Shamoon attacks on that oil company. And the Telegraph quotes a Carbon Black executive who worked as a cyber commissioner under the previous US Administration warns that a “cyber holy war” could see Iran reverse-engineering US attack tools used earlier against the Islamic Republic.
But website defacements? As CNBC puts it, they’re “meaningless.”
The Cyber Solarium commission that’s been working for the past year to develop recommendations for US cyber strategy offered a preview of their final report (expected in March or April) at the Council on Foreign Relations yesterday. CyberScoop has a summary. The Solarium will call for both enhanced US capabilities, and a White House cyber czar.
Today's issue includes events affecting Austria, China, Indonesia, Iran, Israel, Pakistan, Papua, Russia, Taiwan, United Kingdom, and United States.
Bring your own context.
Often, in the US, the Government doesn't need a warrant to get information you've submitted to a third party. Like, say, your car.
"This is the idea that a person does not have Fourth Amendment rights - rights against unreasonable searches and seizures - if they have voluntarily conveyed information to a third party. And that's, on its face, what's happening here. I mean, you probably signed some sort of policy when you purchased the car. Certainly, if you use, like, an OnStar system, you've agreed to their terms and conditions. And you are voluntarily conveying a lot of information to them. And what the third-party doctrine says is the government can obtain that information without getting a warrant. So, you know, if they even have an inkling, just some sort of reasonable suspicion that you've been going around on a crime spree, they can go to GM with a subpoena and say give us data on all of the locations Dave has been in the last year. And you wouldn't need any sort of traditional warrant to obtain that information. This, to me, is why the third-party doctrine seems outdated and limited. For one, it's not really voluntary because, as I said, eventually we're all going to have connected cars. Exactly. And in terms of the specific information we share, the most recent case dealing with this, which was Carpenter v. United States, in that case, the Supreme Court said that historical cell site data did have Fourth Amendment protection because of the broad nature of the data collected and the fact that it wasn't really collected voluntarily because a person is not actively pressing a button sharing their location data. It's collecting that information from you whether you know it or not as soon as you connect to this car. So this is just another instance where I think that entire legal doctrine needs reconsidering in an age where we submit so much to third parties that could reveal every intimate detail about our lives."
—Ben Yelin, from the University of Maryland's Center for Health and Homeland Security, on the CyberWire's Caveat podcast, 1.8.19.
Perhaps Four Amendment jurisprudence or relevant legislation need a re-look? In the meantime, do read those EULAs.
Each year, the cybersecurity industry is bombarded with threats to be concerned about. In the beginning of 2019, we heard about threats like artificial intelligence, machine learning, and ransomware attacks that would plague cyber professionals all year long. LookingGlass threat researchers want to look back at the trends that stood out to them, and which type of threats we can expect to see in 2020. Join us January 16 at 2pm ET for our webinar.
And Caveat is up. In this episode, Dave shares a Washington Post story about the data your car may be collecting about you. Ben digs in to recent revelations about government surveillance, and later in the show we interview Jason G. Weiss, former forensic expert with the FBI and current Counsel at Drinker Biddle and Reath, where he focuses on cyber security and privacy law.