Privacy and Cybersecurity News: Week of 10-27-2013

Experts Say Major Israeli Roadway Hit By Cyberattack
On Sunday, the AP reported that in early September “Israel’s national road network in the northern city of Haifa was shut down because of a cyberattack. . . . knocking key operations out of commission two days in a row and causing hundreds of thousands of dollars in damage.” According to the story, a Trojan horse attack targeted the Carmel Tunnel security camera system. The report stated that the attackers were unknown; however, Israel’s military chief, Lt. Gen. Benny Gantz, recently stated that “computer sabotage” was a top concern for the country and that “a sophisticated cyberattack could one day bring the nation to a standstill.”
Adobe Breach Far Greater In Scope Than Originally Believed, Over 38 Million Users Impacted
Earlier this month, Adobe announced that its “security team discovered sophisticated attacks on [its] network, involving the illegal access of customer information as well as source code for numerous Adobe products.” While the release claimed that the company believed the hackers “removed . . . certain information relating to 2.9 million Adobe customers,” reports this week suggest that the number is far greater. Brian Krebs, who first broke the story earlier in the month, reported on Tuesday that the breach “impacted at least 38 million users.” The breach included millions of “encrypted customer credit card records.” According to Krebs’ report, Adobe is offering one year’s worth of credit monitoring to those whose credit card information was breached. In a bit of an ironic twist, the company Adobe has enlisted to monitor breached customers’ credit, Experian, is dealing with its own set of security issues after the company allegedly sold customer information directly to an online ID theft service (also reported by Brian Krebs). In addition to Krebs’ story, a report on the Adobe breach by CNET’s Lance Whitney can be found here.
NSA Intercepts Yahoo and Google Data As It Moves Between Data Centers

Barton Gellman and Ashkan Soltani of the Washington Post report that, according to documents obtained from Edward Snowden and interviews with officials, the NSA has direct access to the links that connect Yahoo and Google data centers. The NSA program, codenamed MUSCULAR, sends “millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters.” According to the Washington Post, Yahoo and Google maintain numerous ‘fortresslike’ data center facilities across four continents. However, while these centers themselves have a high level of protection, the data centers ‘sync’ via fiber-optic cable to prevent potential loss of data or system slowdowns. The NSA exploits this vulnerability by intercepting the data while it is in transit between these data centers.

Kenneth Corbin, writing for CIO, reports that Gen. Keith Alexander, head of the NSA, denied knowledge of the program when he was questioned on stage at a cybersecurity conference hosted by Bloomberg Government on Wednesday. When questioned about the report, Alexander replied, “Not to my knowledge, that’s never happened.” “I can tell you factually,” Alexander stated, “we do not have access to Google servers, Yahoo servers. . . . We are not authorized to go into a U.S. company’s server and take data.” However, a close reading of Alexander’s denial still leaves room for the existence of the MUSCULAR program, which allegedly intercepts data that is being transported between data warehouses, rather than accessing the servers directly.

Bruce Schneier argues that, while the Washington Post article specifically refers to Google and Yahoo, “you have to assume that all the other major—and many of the minor—cloud services are compromised in the same way.” Additionally, Schneier argues that, due to the NSA’s extensive reach into the cloud, PRISM and other more public programs are “really just insurance: a way for the NSA to get legal cover for information it already has.” On Thursday, in response to these further revelations of NSA data collection, Google, Yahoo, and several other major tech companies sent an open letter to congressional leaders that urged the reform of NSA programs and called for greater transparency.

Senate Intelligence Committee Approves the FISA Improvements Act
Grant Gross of CIO reports that the Senate Intelligence Committee approved the FISA Improvements Act on Thursday after meeting in a closed session. The bill allows for the continued collection of millions of U.S. telephone records; however, it prevents the collection of the content of these U.S. phone calls, and it imposes stiff jail sentences for those who access data collected under the program without authorization. Ellen Nakashima, writing for the Washington Post, reports that privacy advocates have criticized the bill for legitimizing and legalizing a program “that is on shaky legal footing at best. In that sense, the bill not only preserves the NSA’s powers, it enhances them.” The bill now moves to the Senate floor.
Head of NSA Gen. Keith Alexander and Secretary of State John F. Kerry Separately Acknowledge That Some Forms of NSA Spying May Have Been Counterproductive
On Thursday, CNN reported that both Gen. Keith Alexander, head of the NSA, and Secretary of State John Kerry stated that some of the techniques employed by the U.S. may have reached too far. In the Open Government Partnership annual summit meeting, Kerry acknowledged that in some cases, information gathering “has reached too far inappropriately.” Kerry also claimed that some of this information gathering has “been happening, in many ways, on automatic pilot” as the capacity has existed “really going back to World War II and to the very difficult years of the Soviet Union and the Cold War, and then, of course, 9/11.” Additionally, CNN reported that, in a speech at the Baltimore Council on Foreign Relations, Gen. Keith Alexander recognized that the partnerships that the US has with allies “have better value than some of the [NSA’s] collection.”
Brazil Moves to Require That Its Citizens’ Data Be Stored Within the Country
Esteban Israel and Anthony Boadle of Reuters report that Brazilian President Dilma Rousseff has ordered Brazilian lawmakers to suspend all legislative proceedings until they draft a bill that will protect Brazil’s citizenry from alleged U.S. spying. An early draft of the bill suggests that Brazil may achieve this goal by requiring that all data obtained from Brazilian users be stored inside the country. According to Anna Edgerton of Bloomberg, tech companies have responded by claiming that the new requirement would hinder expansion in Brazil. For example, the public policy director for Google in Brazil stated that “[c]ompanies would choose to implement . . . [new] services at a much later stage, if at all.” Alessandro Molon, the sponsor of the bill, stated that the bill is slated to be debated on November 5, and will be voted on the day after.
