THE KEY

A new project from the cybersecurity firm Bugcrowd and a University of California researcher aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization’s networks or software.

The project, called Disclose.io, offers companies, academic institutions or even government agencies a standard legal agreement they can post that says, in effect, it’s okay to hack us if you do it in good faith. It’s a way to tell security researchers — sometimes called white hat hackers — that they won’t get sued or face criminal charges if they find a flaw on an organization’s systems and report it responsibly.

The effort highlights how federal anti-hacking laws aren’t keeping pace with the way security vulnerabilities are often identified and patched. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don’t contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. Disclose.io could help close that gap.

“It should be built into those policies, but we’re not there yet. And this is a stopgap for people to take advantage of until we’re there,” said Jason Haddix, Bugcrowd’s vice president of trust and security.

The problem is real and well known. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities — sometimes to prevent an embarrassing flaw from being disclosed publicly. In one extreme example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state’s election website.

And it’s not just the law that hasn’t caught up. Private companies and other organizations have widely inconsistent approaches for handling these disclosures. Some have no policies in place for protecting security researchers. And even those that do tend to use convoluted or murky legal language, Haddix said. That makes it difficult for white hat hackers to draw the line between what an organization sees as permissible and what could get them in trouble.

“A lot of times the legal language can get like spaghetti,” Haddix told me. “It’s hard to unwrap if you're not a lawyer.” In turn, he said, researchers are reluctant to report potentially serious security flaws because they fear the repercussions.

Disclose.io seeks to simplify things. It offers a template with boilerplate language that spells out in plain terms what security researchers can and can’t do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced, meaning anyone is free to use it or modify it. The target audience is “everyone on the Internet,” Haddix said — from major tech companies to mom-and-pop shops.

It's a sign that the private sector is taking the lead on this issue, rather than waiting for the government to take action, Ars Technica’s Sean Gallagher wrote in a post on Disclose.io: “Given how regulated information security practices have become in some industries — and how badly legislation regarding any sort of hacking has been handled over the past few years — using ‘open source,’ battle-tested boilerplate contracts to speed adoption of disclosure and bug bounty programs might be a lot easier and a lot less expensive than anything mandated by new government regulation.”

Disclose.io grew out of work by Amit Elazari, a doctoral candidate at the University of California at Berkeley School of Law, who has advocated for standardizing disclosure and bug bounty programs, which offer financial rewards for reporting flaws. Some early incarnations of the project have been promising. Mozilla executives recently credited Elazari for motivating them to add new safeguards to their bug bounty program. “The legal protections afforded to bounty program participants have failed to evolve,” they wrote, “putting security researchers at risk and possibly stifling that research.”

Other companies have rolled out programs like the one Disclose.io proposes.

Dropbox, for example, revised its disclosure terms earlier this year to better protect white hat hackers after a security firm sued a reporter for writing about an apparent bug in its software. “Anything that stifles open security research is problematic,” Dropbox's head of security wrote in a blog post, “because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community.”

PINGED, PATCHED, PWNED

PINGED: “Top national security officials made a rare appearance in the White House briefing room Thursday to warn that Russia continues to target the U.S. election system and vow that the Trump administration has made combating interference a priority ahead of the midterms in November,” The Washington Post's Shane Harris and Felicia Sonmez reported. “Although the officials, including Director of National Intelligence Daniel Coats and national security adviser John Bolton, did not offer new details about any attacks or announce new policies, their show of unity just steps from the Oval Office appeared aimed at easing public concerns about President Trump’s public skepticism of Russia’s intentions.”

In addition to Coats and Bolton, FBI Director Christopher A. Wray, Homeland Security Secretary Kirstjen Nielsen and National Security Agency Director Paul Nakasone also briefed reporters on election security. “In regards to Russian involvement in the midterm elections, we continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States,” Coats said, as quoted by my colleagues. Wray said the FBI has “open investigations with a foreign influence nexus” across the country. “Make no mistake, the scope of this foreign influence threat is both broad and deep,” he said.

“Nakasone, who is also the newly installed commander of U.S. Cyber Command, which has the authority to attack and disable foreign computer networks, was asked what orders he had been given to counteract Russian interference,” Harris and Sonmez wrote. “Nakasone did not answer that question directly. 'We’re not going to accept meddling in the elections,' he said.”

PATCHED: “A bipartisan group of senators has unveiled a comprehensive package of Russia sanctions and measures to counter cybercrime, the latest attempt to push congressional leaders to intensify punitive measures against would-be election hackers ahead of November,” my colleague Karoun Demirjian reported on Thursday.

The proposed legislation includes several cybersecurity measures, such as the creation of an Office of Cyberspace and the Digital Economy at the State Department, according to a statement from Sen. Lindsey O. Graham (R-S.C.), one of the measure's sponsors. Another provision would punish Russians who have “the capacity or ability to support or facilitate malicious cyber activities.”

Additionally, the package contains two bills that Graham introduced this week alongside Sens. Sheldon Whitehouse (D-R.I.) and Richard Blumenthal (D-Conn.). Under the International Cybercrime Prevention Act, prosecutors would have the ability to take down botnets while the second bill ... would make hacking voting systems used in federal elections a federal crime.

“The current sanctions regime has failed to deter Russia from meddling in the upcoming 2018 midterm elections,” Graham said in a statement. “Our goal is to change the status quo and impose crushing sanctions and other measures against Putin’s Russia until he ceases and desists meddling in the US electoral process, halts cyber-attacks on US infrastructure, removes Russia from Ukraine, and ceases efforts to create chaos in Syria.”

PWNED: A Russian woman who worked for the U.S. Secret Service at the U.S. Embassy in Moscow turned out to be a suspected spy with access to the Secret Service's intranet and email, The Guardian's Nick Hopkins reported Thursday. “The woman had been working for the Secret Service for years before she came under suspicion in 2016 during a routine security sweep conducted by two investigators from the US Department of State’s Regional Security Office (RSO),” Hopkins wrote. “They established she was having regular and unauthorised meetings with members of the FSB, Russia’s principal security agency.”

The suspected spy, who worked at the embassy for over a decade, was let go last summer. A source told The Guardian that the woman could access sensitive information. “‘She had access to the most damaging database, which is the US Secret Service official mail system,’ the source said,” Hopkins wrote. “‘Part of her access was schedules of the president — current and past, vice-president and their spouses, including Hillary Clinton.’” In a statement, the Secret Service did not deny that the woman, who was part of a category of employees called Foreign Service Nationals, had been suspected of spying, according to The Guardian. “At no time, in any US Secret Service office, have FSNs been provided or placed in a position to obtain national security information,” the agency said in the statement.

— More cybersecurity news:

  • The heads of the national security agencies on Thursday said that Russia was still trying to influence United States elections, contradicting statements made by President Trump. (The New York Times)
  • Heather Washkuhn’s testimony is vital to the government’s case that President Trump’s ex-campaign chairman hid income and lied to banks. (Rachel Weiner, Justin Jouvenal and Devlin Barrett)
  • Andrew Miller’s challenge to the legal authority of the special counsel was rejected by the chief federal district judge in D.C. (Ann E. Marimow and Manuel Roig-Franzia)

CHAT ROOM

— Several reporters and analysts pointed out the contrast between the warnings that top U.S. officials issued about Russian efforts to interfere in the elections and Trump's statements on the matter:

Among them were The Post's Philip Rucker, CNN's Kaitlan Collins, The Hill's Jordan Fabian, the Wall Street Journal's Dustin Volz, and Clint Watts, a former FBI agent and senior fellow at George Washington University's Center for Cyber and Homeland Security.


PUBLIC KEY

— “With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media,” the Associated Press’s Steve Peoples and Christina A. Cassidy report.

Raffi Krikorian, the Democratic National Committee’s chief technology officer, told the AP that small campaigns may struggle to find support in defending themselves from cyberthreats as the DNC’s resources are limited. “For all the high-level campaigns I’m worried, but at least there are people to talk to,” Krikorian said. “The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that’s where the state parties and coordinated campaigns can help, but there’s no doubt that this is an uphill battle when we’re dealing with a foreign adversary.”

— Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) have questions about the NSA’s announcement in late June that the agency had started deleting all call records since 2015 it obtained from telecom service providers under the Foreign Intelligence Surveillance Act.

The NSA said in a June statement that because of “technical irregularities,” the agency received some call records it was not authorized to obtain. In a letter released yesterday, Wyden and Paul asked Robert Storch, the NSA’s inspector general, to investigate how the agency came to delete those records. “Vital questions remain about how the NSA collects sensitive information, as well as how the agency has addressed its latest admitted violations of the law and Americans’ privacy,” Paul said in a statement. “Our letter seeks answers to help ensure innocent Americans' rights are being respected.”

— More cybersecurity news from the public sector:

  • The bureau has lost about 20 top cybersecurity leaders to lucrative corporate jobs over the past five years, even as hacking threats multiply. (Politico)
  • CYBERCOM's chief is working to provide an assessment to Pentagon leadership on whether CYBERCOM and NSA should split. (Fifth Domain)
  • DISA is offering new unclassified services to Defense Department mission partners. (Nextgov)
  • Sen. Ron Wyden has asked the Department of Homeland Security how it is turning the implementation of an important email security protocol at federal civilian agencies into “actionable cyber intelligence” to guard against hackers. (CyberScoop)
  • The libertarian senator has been a fierce proponent of Trump’s outreach to Russia, even while most of Congress criticizes the president’s interactions with Russian President Vladimir Putin. (Karoun Demirjian, PowerPost)

PRIVATE KEY

— “Organizers behind the newly revealed batch of fake Facebook accounts often sought to work alongside legitimate groups organizing rallies and protests in the U.S., marking a new strategy in efforts to sow discord through social media ahead of the midterm elections,” the Wall Street Journal reports. “Collaborating with grass-roots organizations on existing events goes beyond the tactics employed by the Internet Research Agency, according to Graham Brookie, director of the Atlantic Council’s Digital Forensic Research Lab, which analyzes misinformation online and works with Facebook. The Kremlin-backed IRA group created hundreds of fake accounts and pages on social media during and after the 2016 U.S. election.”

— More cybersecurity news from the private sector:

  • An ex-cop is putting together a list of all the devices that can help bypass Apple's USB Restricted Mode feature. The cheapest are under $10. (Forbes)
  • A former Tesla Inc. employee at the electric car maker’s battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media. (Associated Press)
  • A GE engineer with ties to Chinese companies was arrested for allegedly stealing files related to proprietary power turbine technology, which the FBI says he elaborately concealed to avoid detection.

THE NEW WILD WEST

— A hacker group with ties to Pakistan launched cyberattacks against government agencies in the United States, Britain, Spain and Russia, according to a report released Thursday by Palo Alto Networks’ Unit 42 threat research team.

The researchers said they noticed the attacks in February from the hackers, whom they refer to as the “Gorgon Group.” The following month, they discovered that U.S., Russian and Spanish government agencies that operate in Pakistan were the targets of cyberattacks. “As we continued to investigate, it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan,” the researchers wrote.

Aside from targeting government organizations, the hackers also engaged in cybercrime across the world. Gorgon Group was effective, but its attacks “lacked overall sophistication,” according to the report.

— More cybersecurity news from abroad:

  • Google’s development of a censor-friendly mobile search app sent shares of China’s dominant search engine plunging, but analysts cautioned Google still faces hurdles in regaining re-entry to the country. (Wall Street Journal)
  • Open debate about the ethics of tech is a strength, not a weakness, of the U.S. system. (Foreign Policy)

FOR THE N00BS

  • The case highlights not only the limits of wearable tech, but also what can happen when consumers try to hold companies accountable. (Brian Fung, The Switch)
  • How the unplugging debate -- and the actual needs of customers -- are starting to make their way into Microsoft's design. (Hayley Tsukayama, The Switch)

ZERO DAYBOOK

Coming soon

  • Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
  • DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.

EASTER EGGS

  • What you need to know about Paul Manafort and the Foreign Agents Registration Act.
  • Ride in Elon Musk's Tesla Model 3, a giant phone on wheels.
  • Late-night hosts on Paul Manafort’s ostrich jacket.