The 2016 presidential election was noteworthy not just because of its outcome, but also for the extent to which both parties used technical data collection behind-the-scenes to secure victories in swing states. Just last week, a cyber risk analyst stumbled onto a trove of that gathered data, collected on 198 million Americans, on an unprotected server.

The analyst, Chris Vickery, an employee of the cyber security startup UpGuard, came across the 1.1 terabytes of data on an Amazon cloud server, which wasn’t password protected and was accessible to anyone with the URL address. According to UpGuard, it took Vickery several days to download the extensive dataset, which may have been left open and exposed for 10 to 14 days.

UpGuard is calling this leak the “largest known data exposure of its kind,” and confirmed that the discovered content includes names, dates of birth, home addresses, phone numbers, and indications of individuals’ ethnicities and religions. Voters’ political views on hot-button campaign issues such as fossil fuels and taxes were also minutely recorded, likely for future micro-targeted campaigns.

Currently downloading what is, basically, the home address of every Trump supporter.

Understand the cloud before you upload to it. pic.twitter.com/nRPb98jwoP

— Chris Vickery (@VickerySec) June 13, 2017

The information was collected by GOP data firm Deep Root Analytics, one of three data firms hired by the RNC to help Donald Trump win the presidential election.

The firm acknowledged that the data was theirs on Friday and released a statement apologizing for the breach.

Deep Root Analytics CEO Brent McGoldrick said the company takes “full responsibility” for the leak. He added that the mistake was likely due to “a recent change in asset access settings since June 1.”

Although much of the data collected by Deep Root Analytics is available online through more innocuous sources, many have been quick to analyze the leak’s potential cyber security ramifications.

“That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” UpGuard said on their website.

This leak also comes at a time when the U.S. elections and elections in other western nations have been the targets of increasingly aggressive cyber attacks.

“This is deeply troubling,” Privacy International’s policy officer Frederike Kaltheuner told BBC News. “This is not just sensitive, it’s intimate information, predictions about people’s behavior, opinions, and beliefs that people have never decided to disclose to anyone.”

While this leak could have been much more damaging and revealed more secretive information, experts say this should be a cautionary warning. If companies don’t make cyber security a priority, individuals may have to worry a lot more the next time a leak occurs.

Celia Heudebourg

Celia Heudebourg is an editorial intern for Law Street Media. She is from Paris, France and is entering her senior year at Macalester College in Minnesota where she studies international relations and political science. When she’s not reading or watching the news, she can be found planning a trip abroad or binge-watching a good Netflix show. Contact Celia at Staff@LawStreetMedia.com.

The post Accidental Data Leak Exposes 198 Million Americans’ Personal Information appeared first on Law Street.

U.S. Intelligence officials testified in front of the Senate Armed Services Committee on Thursday morning, addressing Russia’s election cyberattack, and the overall importance of U.S. intelligence forces. President Barack Obama called for the hearing after responding with sanctions and expulsions of Russian diplomats last week. An unclassified report on Russian hacking of Democratic National Committee emails is expected early next week.

Senator John McCain (R-AZ), the chairman of the Senate Armed Services Committee, opened the hearing with a statement: “The goal of this review, as I understand it, is not to question the outcome of the presidential election. Nor should it be. As both President Obama and President-elect Trump have said, our nation must move forward. But we must do so with full knowledge of the facts.”

Top-ranking members of the intelligence community, including Director of National Intelligence James Clapper, answered questions from a bi-partisan cohort of lawmakers. Senator Claire McCaskill (D-MO) asked Clapper if it’s healthy when elected officials question U.S. intelligence, likely alluding to President-elect Donald Trump. Skepticism is healthy, he said, but “there’s a difference between skepticism and disparagement.”

Clapper added: “Congress must set partisanship aside, follow the facts, and work together to devise comprehensive solutions to deter, defend against, and, when necessary, respond to foreign cyberattacks.” Since the CIA and the FBI concluded that Russia was the culprit behind the DNC hack, and in fact likely interfered with the aim of electing Trump, the president-elect has disputed those findings, and has seemed to place more trust in Russian President Vladimir Putin than U.S. intelligence.

Trump said the idea of Russia interfering in the presidential election on his behalf is “ridiculous.” Using his Twitter account as a megaphone, Trump has undermined the intelligence community’s findings, and has urged Congress to “move on.” Democrats and Republicans alike have expressed alarm at the Russian hack, and at Trump’s seeming ambivalence in responding to the cyberattack.

In a pair of tweets on Wednesday, Trump quoted Julian Assange, the founder of Wikileaks, who said Russia did not provide him with any hacked emails. “Julian Assange said ‘a 14 year old could have hacked Podesta’ – why was DNC so careless? Also said Russians did not give him the info!” Trump tweeted, referring to Hillary Clinton’s campaign manager John Podesta, whose emails were leaked in the weeks and months  leading up to Election Day. In Thursday’s hearing, Clapper was asked if Assange is a reliable source of information. “Not in my view,” he replied.

Last week, Obama responded to the Russian hack in a flurry of diplomatic moves. He ejected 35 Russian diplomats from the U.S., ordered the closure of two Russian-owned compounds in Maryland and Virginia, and slapped sanctions on a Russian intelligence agency. Trump has viewed the intelligence agencies’ conclusions, and the uproar from both parties, as a way to undermine his election victory. 

Lindsey Graham, the outspoken Republican senator from South Carolina, addressed Trump directly as the hearing came to a close. “I want to let the president-elect to know that it’s okay to challenge the intel,” he said, “but what I don’t want you to do is undermine those who are serving our nation in this arena until you’re absolutely sure they need to be undermined.” Graham added: “The foundation of democracy is political parties, and when one political party is compromised all of us are compromised.”

Alec Siegel

Alec Siegel is a staff writer at Law Street Media. When he’s not working at Law Street he’s either cooking a mediocre tofu dish or enjoying a run in the woods. His passions include: gooey chocolate chips, black coffee, mountains, the Animal Kingdom in general, and John Lennon. Baklava is his achilles heel. Contact Alec at ASiegel@LawStreetMedia.com.

The post U.S. Intelligence Officials Testify at Senate Hearing on Russian Hacking appeared first on Law Street.

America is dealing with a hacking crisis. It seems that every other day we are bombarded with the latest hacking stories from both the private and public sectors. We are told to be cautious with all of our online activity and to remember all uploaded material remains in cyberspace forever. Almost all of us personally know someone who has dealt with identity theft and all the hassles that ensue. Some of the biggest companies in the world with the means to access the most anti-hacking software available aren’t immune to the problem. Even the national government recently made headlines concerning Chinese cyber attacks. So what can be done? In his 2015 State of the Union, President Obama addressed cybercrime. The Obama administration proposed new legislation and amendments to the Computer Fraud and Abuse Act. Will these proposals better protect Americans from hackers?

Case Study: Ashley Madison

Just last week, a new team of hackers were at it again. People are already discreet about dating websites and apps. A level of anonymity is essential for a high volume of users. This is even truer when a dating website revolves around married men and women cheating. Ashley Madison’s slogan is “Life is short. Have an affair.” Some may chalk it up to karma, but the invasion of privacy for these members is real.

The hackers call themselves “The Impact Team.” According to Brian Krebs, the blogger who initially reported the hack, they threatened to release stolen information unless the website shut down entirely. Apparently, the team gathered users’ nude photos, sexual fantasies, names, and credit card information. It also claims to have addresses from credit card transactions.

Members of the website can post basic information and use limited features without charge. The company rakes in money when members exchange messages, photographs, and gifts. The website even offers a feature to “collect gifts” for women to send and men to pay for later. The website also has a $19 deactivation fee. This happens to be one of the major qualms of the hacker team, who claim that information is never truly deleted from the website. The hackers’ manifesto published by Krebs stated, “Full Delete netted $1.7 million in revenue in 2014. It’s also a complete lie…Users almost always pay with credit card; their purchase details are not removed as promised, and include real names and address, which is of course the most important information the users want removed.”

Ashley Madison boasts over 37 million members, making it the second largest dating website in the world, second to Match.com. Ashley Madison’s parent company, Avid Life Media, values itself at $1 billion and was looking to go public on the London market this year. Ashley Madison has done away with the deactivation fee, but has yet to comment on whether or not it will shut down.

Although the majority of people aren’t online dating in order to have an affair, the hack embodies everything scary about online interactions. Personal information and discreet activities on websites or social media applications can be made public in the blink of an eye. Just this past March, 3.5 million AdultFriendFinder users were hacked. The hackers exposed email addresses, usernames and passwords, birthdays, zip codes, and sexual preferences. Overall, the trend doesn’t look good.

Hacking Statistics

Verizon Data Breach Investigations Report

Verizon conducts an annual Data Breach Investigations Report (DBIR). The latest report shows that 96 percent of online security incidents fall into nine patterns: “miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.” The 2015 report investigates more than 2,100 data breaches and roughly 80,000 reported security incidents. Over 70 organizations around the world help contribute to the report.

The 2015 DBIA reports a $400 million loss from approximately 700 million compromised records in 61 countries. The report shows that in 70 percent of the cases where the hacker’s motivation is known, there is a secondary victim. This is exemplified in the Ashley Madison case. Although the hackers are targeting the owners of the company, the users are violated as well. And in 60 percent of cases, hackers are able to infiltrate a company in a matter of minutes. The time of discovery falls significantly below that level.

The method of tricking people into divulging their information, like credit card numbers, is still around but is a much less effective method. Now, phishing campaigns are a primary source of attacks. A hacker usually phishes by sending an email with malware, usually included as an attachment. Today 23 percent of recipients open these types of email and 11 percent open the attachments. For over two years, more than two-thirds of cyber-espionage included phishing.

In more uplifting news, malware on cellphones doesn’t even account for 1 percent of the problem. Mobile devices are not the preferred medium for data breaches. Only about 0.03 percent of cell phones contained malicious materials.

U.S. Companies Hacked

According to a study conducted by the Ponemon Institute, the financial loss by cybercrime doubled from 2013 to 2014. Retailers lost approximately $8.6 billion in 2014 due to cyber crime. Furthermore, successful cyber attacks resulted in a $20.8 million loss in financial services, $14.5 million loss in the technology sector, and $12.7 million loss in the communications industries.

Last year was plagued by cyber attacks. In January, Target announced 70 million customers had contact information compromised, while 40 million customers had credit and debit card information compromised. In the same month, Neiman Marcus announced that 350,000 customers had credit card information stolen, resulting in fraudulent charges on 9,000 customers’ credits cards. In April, an AT&T worker hacked the system for two weeks and accessed personal information including social security numbers. In May, EBay asked all its customers to switch their passwords after a cyber attack accessed over 233 million EBay customers’ personal information. In August, over 60 UPS stores around the country were hacked, compromising financial data. The list continues…

The Computer Fraud and Abuse Act

In order to combat these cyber attacks, Congress passed the 1986 Computer Fraud and Abuse Act (CFAA). The act made accessing a protected computer a federal crime. Although it was initially established to protect government organizations and a few financial institutions, over the course of time, it eventually broadened. It was first amended in 1994 to allow private citizens to file civil suits against cyber attacks that resulted in loss or damages. It was again broadened in 1996 to encompass any computer used in interstate commerce. After 9/11, the Patriot Act amended the CFAA to permit the search and seizure of records from any Internet Service Providers (ISPs). Later in 2008, the CFAA was again amended to allow companies to file suits when the loss and/or damages did not surpass $5,000.

The CFAA has been subject to its fair share of criticism. Many believe the act to be too broad in scope. Opponents argue that computer policies are often “vague, confusing and arbitrary,” and breaking these policies shouldn’t be a federal violation. Institutions, like the Center for Democracy & Technology, Americans for Tax Reform, the Competitive Enterprise Institute, and the American Civil Liberties Union all have advocate against the CFFA.

The Ninth Circuit Court of Appeals agreed. In a 2012 case, United States vs. Nosal, the court ruled that “a person who violates an employer’s computer use policy is not criminally liable for federal penalties under the Act.” The court argued that the law was not enacted to federally punish smaller crimes. However, a strong dissent left the issue controversial, if not unresolved. The definition of “exceeds authorized access” left ample room for a Supreme Court review. The crime only becomes a felony if it is executed for profit, the gained information is worth over $5,000, and/or the act is committed to further a state or federal crime.

The White House’s New Proposals

The Cyber Security Legislative Proposals aim to enhance cybersecurity information sharing between the private sector and government, modernize law enforcement authorities to combat cyber crime with the appropriate tools and training, and streamline national data breach reporting requirements. Last December President Obama announced,

In this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector. Now, our first order of business is making sure that we do everything to harden sites and prevent those kinds of attacks from taking place…But even as we get better, the hackers are going to get better, too. Some of them are going to be state actors; some of them are going to be non-state actors. All of them are going to be sophisticated and many of them can do some damage.

A main target of the proposal is a number of amendments to the already-controversial CFAA. First, the proposal would increase the penalty for “circumventing technical access barriers,” i.e. hacking into a computer by sidestepping security or guessing another’s password. Violators under the current law risk a misdemeanor to a three-year felony. The proposal advocates punishment to start as a three-year felony and maximize as a ten-year felony.

Second, for contract-based crimes, the proposal would officially end the aforementioned circuit split. It states that breaking written policies would be a federal crime and officially defines “exceeds authorized access.” A person would exceed authorized access if he or she accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” Technically, this would include using a work computer for personal activities like Facebook; however, the government would limit criminal liability by requiring the violation fall under one of three conditions: the breach happened on a government computer, the breach results in over $5,000 worth of information, or “if the user violated the written condition in furtherance of a state or federal felony crime.” These changes, along with a variety of others, make up the administration’s proposal.

Conclusion

Whether these proposals will pass through Congress remains to be seen. Broadening the scope of hacking to allow more crimes to fall under federal jurisdiction has traditionally lacked support from the body. The proposals are controversial, with a lot of personal information and accessibility at stake. It will be interesting to see the reaction from the public if these proposals are enacted. Cyber crime is an ongoing problem that affects all citizens, regardless of demographics, and only seems to be exploding. If this isn’t the answer, then what is?

Resources

Primary

White House: Updated Administration Proposal

Additional

Verizon: The 2015 DBIR

CNN Money: Hackers threaten to release names from adultery website

The Heritage Foundation: Cyber Attacks on U.S. Companies in 2014

Jolt Digest: United States vs. Nosal

Tech Target: What is the Computer Fraud and Abuse Act?

The Washington Post: Obama’s proposed changes to the computer hacking statute

The White House: Securing Cyberspace

Verizon: Verizon 2015 Data Breach Investigations Report Finds Cyberthreats Are Increasing in Sophistication

Jessica McLaughlin

Jessica McLaughlin is a graduate of the University of Maryland with a degree in English Literature and Spanish. She works in the publishing industry and recently moved back to the DC area after living in NYC. Contact Jessica at staff@LawStreetMedia.com.

The post Combatting Cyber Attacks: Will Congress Adopt Obama’s Plans? appeared first on Law Street.

Last Thursday, United States officials revealed that they believe Chinese hackers were responsible for the May cyber attacks on U.S. federal agencies. The attacks compromised the personal information of more than four million current and former government workers. China responded by dismissing such accusations as “groundless” and “irresponsible,” stopping just short of ensuring that China does not condone cyber attacks. “We are very firm on this,” said China’s Foreign Ministry Spokesman Hong Lei. This is just the latest incident in a back-and-forth saga between the U.S. and China when it comes to cyber crimes.

Lei’s statement may not have been completely truthful. In May 2014, Lei released a similar response to the Justice Department’s indictment of five Chinese hackers for cyber crimes against five U.S. companies and a labor union in the steel, solar, and nuclear-power industries. According to the Guardian, “China’s foreign ministry called the allegations preposterous and accused the U.S. of double standards.” But the accused in the 2014 case were members of China’s People’s Liberation Army. In other words, their attacks do represent China engaging the United States. It is evident that the U.S. must take a firm stand against China’s aggression. Nevertheless, there are numerous challenges and implications to consider on that front.

For one, China’s assertion that the U.S. resentment of Chinese attacks represents a double standard is justified. Edward Snowden’s release of NSA files unveiled a surveillance program that spanned numerous countries, including China. In March of last year, Snowden leaked another document exposing the NSA’s penetration into the networks of Chinese telecommunications giant Huawei Technologies in search of evidence that the company was involved in espionage operations for Beijing. This complicates how far the U.S. can go to condemn China’s actions in the cyber sphere.

The potential costs of engaging China in cyber warfare are massive. Cyber attacks can threaten the control systems of dams, water-treatment plants, and power grids, compromise sensitive information stored on government networks, and access video surveillance cameras. Electronic door locks, elevators, and even life-sustaining medical devices are vulnerable to cyber attacks. While the U.S. rarely has to worry about war in its territory, in the cyber realm, physical boundaries are irrelevant. The statistics regarding the cost of cyber crimes are staggering. The Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the world economy at $375-575 billion. Telecommunications giant IBM claims that there were 1.5 million monitored cyber attacks in the United States in 2013 alone. In a “60 Minutes” interview, FBI Director James Comey said, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”

Political action is fraught with challenges, too. China, with its massive population and rapidly developing economy, lends itself to lucrative opportunities for American corporations. Consequently, the Chinese and U.S. economies are closely intertwined. According to the CIA World Factbook, China ships 17 percent of its exports to the U.S. and is the largest foreign holder of U.S. Treasury bills, bonds, and notes. So, the government response to Chinese cyber attacks cannot deter China from doing business with American corporations. Germany’s cancellation of its longstanding contract with Verizon following Snowden’s NSA leaks serves as a cautionary tale, and the fact that most major Chinese corporations are government owned only further complicates the issue.

So, the U.S. government is left with few options. One thing it can do is encourage the development of cyber technology. The government should support programs such as the DARPA Cyber Grand Challenge, a competition aimed towards creating an automated cyber defense system, and incentivize the best cyber experts to work with the government by providing resources and appropriate compensation.

More importantly, the government needs to send the message that attacks on American networks will not be tolerated. This could mean under-the-table threats of retaliation to avoid negative media attention. Fear of retaliation should deter Chinese attacks, and if attacks persist, the government can deny visas to Chinese citizens, limit military ties, or implement economic sanctions. It is important to keep the campaign low-key and ensure that economic sanctions do not incite an aggressive Chinese response.

Examples of the United States asserting itself following a breach of security are littered throughout history; the U.S. defeat of Japan following Pearl Harbor and the assassination of Osama bin Laden following 9/11 demonstrated that we are not afraid to track down and engage our enemies. It is time to assert our status as the world’s leading superpower once again.

Hyunjae Ham

Hyunjae Ham is a member of the University of Maryland Class of 2015 and a Law Street Media Fellow for the Summer of 2015. Contact Hyunjae at staff@LawStreetMedia.com.

The post The U.S. Needs to Take a Firm Stand Against China on Cyber Attacks appeared first on Law Street.

United States Central Command (CentCom) reported today that its social media accounts had been hacked by people claiming to be from ISIS. CentCom, part of the Department of Defense, has played a main role in recent conflicts in Iraq, Afghanistan, and others. Based in Tampa, Florida, it’s responsible for American security interests in more than 20 different nations. Here’s what the account looked like before it was suspended:

DEVELOPING: CENTCOM’S Twitter account appears hacked http://t.co/TYVHIsjUN1 (Twitter screenshot) pic.twitter.com/FS8AFYRGjO

— USA TODAY (@USATODAY) January 12, 2015

Whoever hacked the account posted threatening messages to American troops such as “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” There was also a tweet that linked to a longer statement that included:

In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate under the auspices of ISIS continues its CyberJihad. While the US and its satellites kill our brothers in Syria, Iraq and Afghanistan we broke into your networks and personal devices and know everything about you.

You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. With Allah’s permission we are in CENTCOM now. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!

ISIS propaganda photos were also posted on CentCom’s YouTube page. Its Facebook page, however, appears to be untouched. Central Command has confirmed that its accounts have been compromised.

The hacking occurred while President Barack Obama was delivering a speech to the Federal Trade Commission (FTC) about cyber security. As of now, however, the only thing that the White House has said is that they’re “obviously looking into” the breach.

Most concerning of all, whoever hacked the accounts claimed that they had also gotten access to confidential information from CentCom, although that’s yet to be confirmed, and Defense officials have said that they don’t believe any information was taken. Some of the posts linked to documents, but those documents could have been found on Pentagon websites, among other places. They’re surely a far cry from damaging confidential information.

This comes less than a day after “hactivist” group Anonymous declared war on the organization.

Cyberwar has become a real issue, and it appears that no one is completely safe.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post ISIS Supporters Hack US Central Command Online Accounts appeared first on Law Street.