THE KEY

Good morning! I’m Cat Zakrzewski, a tech policy reporter at the Washington Post. I’ll be taking the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox later this year.

There's a new player warning about the susceptibility of the U.S. election system to disinformation -- and it's an unusual one.

McAfee, a more than 30-year-old company traditionally known for its anti-virus software, just became the latest cybersecurity firm to release research into the spread of false information that could influence the midterm elections.

It published a report Wednesday warning of the ease with which adversaries could carry out a phishing attack to target voters -- and email links to hoax election websites with inaccurate information about where to vote. McAfee also cautioned that many county websites that voters turn to for information on Election Day are “sorely lacking in basic cybersecurity measures” that would prevent bad actors from altering them with false voting instructions. 

McAfee's decision to branch into this new territory illustrates a broader shift in the industry. While social networks such as Facebook and Twitter focus on rooting out false posts and other attempts to influence public opinion on their platforms, more traditional cybersecurity companies are also getting in the game. They are expanding beyond locking down devices and thwarting viruses — and into the more abstract goal of identifying the spread of deceptive information.

McAfee Chief Technology Officer Steve Grobman said such campaigns can have “immense” power. He said adversaries often turn to the most convenient and cheapest tools at their disposal. 

“Understanding that misinformation will sometimes be the most powerful weapon adversaries have to achieve their goal is something we're very aware of,” he said. “Others in the industry are starting to see that as well.”

Earlier this year, FireEye, another California cybersecurity company, helped Facebook identify an influence operation with ties to Iran. The company’s report highlighted how the adversaries were more expansive than the disinformation campaigns previously seen from Russia and showed other foreign actors were building on the Kremlin's playbook. 

Some start-ups — including New Knowledge and ZeroFox — are specializing in detecting the spread of disinformation on social media. Both companies have raised large funding rounds from venture capitalists, underscoring the market interest in such technology. Both focus on protecting companies against social media attacks, but are also doing work related to identifying fake news or coordinated foreign influence campaigns that is relevant to election integrity efforts. 

The surge in research is likely to help policymakers respond to the increasingly sophisticated threat. Since learning of Russian actors’ campaign to spread disinformation on social media during the 2016 election, lawmakers have warned about the lack of guardrails in place to secure the U.S. midterm elections. But they’ve struggled to pass legislation that would regulate the technology companies or further secure electronic voting machines.  

New Knowledge chief executive Jonathon Morgan said his team began to focus on disinformation before the 2016 election. With backgrounds in national security, his team members recognized the potency of terrorist groups’ disinformation campaigns. He said Facebook and Twitter have been “actively collaborating” with companies such as New Knowledge, as well as other researchers, to identify bad actors ahead of the midterms. 

ZeroFox Chief Security Officer Sam Small said he could not share many specifics about what his company is doing ahead of the midterms because of its confidentiality agreements with customers. But with concerns about the proliferation of fake news in the fallout of the 2016 election, the company is working with the media to ensure their brands aren’t being used to lend validity to false information. 

As large cybersecurity incumbents such as McAfee take on a bigger role in disinformation research, he’s watching to see whether they’ll make an even bigger push into social media security. 

“We haven't seen the traditional companies launching products or services yet,” he said.

PINGED, PATCHED, PWNED

PINGED: Chinese and Russian spies are often listening to President Trump's cellphone calls, the New York Times's Matthew Rosenberg and Maggie Haberman reported Wednesday. Moreover, Trump refuses to stop using his phones even though aides have told him that the calls are not secure and that Russians are spying on him, according to the Times. As Haberman and Rosenberg noted, Trump uses three iPhones — an official phone to access Twitter and other apps, another official device to place calls and a third personal phone.

“Administration officials said Mr. Trump’s longtime paranoia about surveillance — well before coming to the White House he believed his phone conversations were often being recorded — gave them some comfort that he was not disclosing classified information on the calls,” Rosenberg and Haberman wrote. “They said they had further confidence he was not spilling secrets because he rarely digs into the details of the intelligence he is shown and is not well versed in the operational specifics of military or covert activities.” 

China uses the information it gathers from Trump's calls to try to shape his trade policy, but “Russia is not believed to be running as sophisticated an influence effort as China,” according to the Times. “Still, Mr. Trump’s lack of tech savvy has alleviated some other security concerns,” Rosenberg and Haberman reported. “He does not use email, so the risk of a phishing attack like those used by Russian intelligence to gain access to Democratic Party emails is close to nil. The same goes for texts, which are disabled on his official phones.”

This is not a new issue in the Trump administration. Politico's Martin Matishak reported last year that Sen. Ron Wyden (D-Ore.) had called for increasing the security of personal devices and email accounts that White House officials use. “Wyden noted that hackers could co-opt personal cellphones, turning microphones into listening devices, or cracking into an email account and stealing an official's contact list and launch further digital assaults,” Matishak wrote.

From Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:

From Alex Stamos, Facebook's former chief security officer: 

Trump pushed back on the report in an early morning tweet, saying the story is "soooo wrong":

PATCHED: Google chief executive Sundar Pichai just got another letter from senators who are unimpressed that the company didn't reveal a security bug for months. In a letter dated Oct. 23, Sens. Amy Klobuchar (D-Minn.) and Catherine Cortez Masto (D-Nev.) expressed “serious concern” to Pichai that the company earlier this year did not disclose a bug that exposed the data of up to 500,000 users of Google+. “While Google has not uncovered evidence that developers took advantage of this vulnerability or that profile data was misused, it has failed to protect consumers’ data and kept consumers in the dark about serious security risks,” Klobuchar and Cortez Masto said. Sen. John Thune (R-S.D.), the Senate Commerce Committee chairman, as well as Sens. Roger Wicker (R-Miss.) and Jerry Moran (R-Kan.), who also sit on the committee, voiced discontent about Google's handling of the bug in a letter to Pichai two weeks ago.

Klobuchar and Cortez Masto chided the company for its “conscious, overt decision to keep this data exposure a secret” and asked Pichai whether Google is confident that no user data was mishandled before the vulnerability was fixed. Klobuchar and Cortez Masto said the company must protect the privacy of its users as it has “fundamentally” altered how Americans communicate. “In the process of this innovation, Google has directly profited off of the vast amount of data collected on American citizens,” they said. “These same American citizens deserve to have their privacy protected and to know that the data Google collects is safe and secure.”

PWNED: Security researchers said a company selling spyware to governments left almost all its data exposed on a command and control server that was unprotected and on a public Google Drive folder, Motherboard's Lorenzo Franceschi-Bicchierai reported Wednesday. The data was found by researchers from CSIS Security Group, according to Motherboard. “In an online chat, Wolf Intelligence founder Manish Kumar told me that it wasn’t his company that left the data online, but a reseller he refused to identify,” Franceschi-Bicchierai wrote. “He also said that he plans to sue CSIS for hacking his reseller; CSIS is adamant that it did not hack anything, as everything was exposed and open to anyone.”

Kumar's spyware company “is part of the so-called ‘lawful intercept’ industry,” according to Motherboard. “These companies generally sell spyware that infects computers and cellphones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications,” Franceschi-Bicchierai wrote. “But in the past, companies like Hacking Team, FinFisher, and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.”

— More cybersecurity news:

China’s foreign ministry has some suggestions for the Trump administration if they are worried about foreign eavesdropping on the U.S. president’s iPhone: use a Huawei handset instead.
Reuters

PUBLIC KEY

— “The Department of Defense announced Wednesday that it was awarding contracts to three private security firms in an expansion of its bug bounty program,” the Hill's Jacqueline Thomsen reported. “The department will now partner with Synack, HackerOne and Bugcrowd — all Silicon Valley crowdsourced companies — to add new features to the ‘Hack the Pentagon’ program. The department began the program two years ago, inviting security researchers and ethical hackers to examine the Pentagon’s networks and identify cyber vulnerabilities.”

— “As government agencies move more of their digital systems to computer clouds, the Homeland Security Department is rethinking how it deploys cybersecurity sensors to detect attempts to compromise those systems, a top official said Tuesday,” Nextgov's Joseph Marks reported Wednesday. “Currently, Homeland Security’s systems of cyber threat detection sensors, known as Einstein, cluster around a series of trusted internet connections that route information between federal agencies and the broader internet. The government has less visibility into cyber threats if they sneak past those connections. The system of trusted internet connections is ill-suited, however, for massive computer clouds, which shift data around far more dynamically.”

— More cybersecurity news from the public sector:

Despite what appears to be growing support among the cybersecurity community and some government officials, there are others pushing back against the idea that private firms should be allowed to “hack back,” or retaliate in cyberspace.
Fifth Domain
The server included military and civilian personal information, but officials say the malware used doesn't typically compromise data.
StateScoop
San Bernardino County denies EFF's request to see 6 stingray warrant applications.
Ars Technica
The story behind my top secret coffee cup
Peter Avritch

PRIVATE KEY

— Apple appears to have prevailed against the iPhone-cracking tool GrayKey from the company Grayshift, Forbes's Thomas Brewster reported Wednesday. “Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above,” Brewster wrote. “On those devices, GrayKey can only do what’s called a ‘partial extraction,’ sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.”

— More cybersecurity news from the private sector:

Phones can’t go more than 90 days out of date on security.
The Verge
A consulting firm that works with Democratic campaigns unknowingly left sensitive information and credentials to old voter records open on the internet.
CyberScoop

SECURITY FAILS
Cathay Pacific discovered breach in March, confirmed it in May
Bloomberg News
Decision by information commissioner comes after Cambridge Analytica scandal
The Guardian

FOR THE N00BS
In an effort to simplify its data privacy controls, Google is making it easier to delete user search history. 
CNBC

ZERO DAYBOOK

Coming soon

EASTER EGGS

Trump says political violence is an “attack” on democracy, urges “all sides to come together in peace”:

These guys stole a Tesla and revealed a huge security flaw:

Store owner says it “feels good” to sell winning ticket: