Tuesday, March 14, 2017
No security is perfect if there are people involved.
Zack Whittaker reports:
A unsecured backup drive has exposed thousands of US Air Force documents, including highly sensitive personnel files on senior and high-ranking officers.
Security researchers found that the gigabytes of files were accessible to anyone because the internet-connected backup drive was not password protected.
The files, reviewed by ZDNet, contained a range of personal information, such as names and addresses, ranks, and Social Security numbers of more than 4,000 officers.
Read more on ZDNet. The leak was discovered by the MacKeeper Security Research team, who provide their own report on the incident, here. The team reports:
The most shocking document was a spreadsheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims.
So will the Air Force contact MacKeeper or Zack and ask them who the apparent owner of the misconfigured Rsync backup is? Will they send folks to MacKeeper and Zack’s to obtain the files?
What will the Air Force do in terms of any discipline of the unnamed officer who appears to own the backup? And what will the Air Force do to prevent another breach like this?
Hey, when you’re good, you’re good. Who is buying besides governments? Why not software manufacturers?
A new report from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.
The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.
Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.
Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.
Financial Attackers as Sophisticated as Nation-State Groups: FireEye
Financially motivated attackers have become just as sophisticated as threat actors sponsored by nation states, according to the 2017 M-Trends report published on Tuesday by FireEye-owned Mandiant.
… Until 2013, cybercriminals mostly launched what experts described as “smash and grab” attacks – little effort was put into hiding their actions and maintaining access to the breached system. In the following years, the line between the level of sophistication exhibited by financial attackers and nation-state actors became increasingly blurry, and now researchers say that line no longer exists.
… The full M-Trends 2017 report is available online in PDF format.
So now their data will be limited to that obtained by a warrant?
Facebook bars developers from using data to create surveillance tools
Facebook Inc barred software developers on Monday from using the massive social network’s data to create surveillance tools, closing off a process that had been exploited by U.S. police departments to track protesters.
Facebook, its Instagram unit and rival Twitter Inc came under fire last year from privacy advocates after the American Civil Liberties Union (ACLU) said in a report that police were using location data and other user information to spy on protesters in places such as Ferguson, Missouri.
In response to the ACLU report, the companies shut off the data access of Geofeedia, a Chicago-based data vendor that said it works with organizations to “leverage social media,” but Facebook policy had not explicitly barred such use of data in the future.
“Our goal is to make our policy explicit,” Rob Sherman, Facebook’s deputy chief privacy officer, said in a post on the social network on Monday.
… Ozer praised the companies’ action but said they should have stopped such use of data earlier. “It shouldn’t take a public records request from the ACLU for these companies to know what their developers are doing,” she said.
It was also unclear how the companies would enforce their policies, said Malkia Cyril, executive director of the Center for Media Justice, a nonprofit that opposes government use of social media for surveillance.
Again, I think that cities should do this themselves and sell access to anyone who wants it.
New York City Sues Verizon Over Fiber-Optic Cable Coverage
New York City filed a lawsuit Monday against Verizon Communications Inc., alleging the company failed to deliver a 2008 promise to offer fiber-optic cable connections to every home in the city.
The breach-of-contract suit is the latest step in what has been a year of tension between the city and the company.
Last summer, the city's Department of Information Technology & Telecommunications released an audit examining a franchise agreement that Verizon signed with the city in 2008. The agreement permitted Verizon to deploy its fiber-optic network, Fios, as long as it ran its fiber network past all city dwellings by 2014.
The deal technically only covers cable TV, but Verizon also offers high-speed internet over the same fiber-optic cables.
I’ve been telling my lawyer friends that my students are already programming their replacements.
Rise of the Robolawyers
How legal representation could come to resemble TurboTax
Something to discuss with my Data Management students.
Intel's $15 billion purchase of Mobileye shakes up driverless car sector
Intel Corp agreed to buy Israeli autonomous vehicle technology firm Mobileye for $15.3 billion on Monday in a deal that could thrust the U.S. chipmaker into direct competition with rivals Nvidia Corp and Qualcomm Inc to develop driverless systems for global automakers.
… The stakes are enormous. Last year, Goldman Sachs projected the market for advanced driver assistance systems and autonomous vehicles would grow from about $3 billion in 2015 to $96 billion in 2025 and $290 billion in 2035.
[From a Letter to Intel employees:
Many of you have asked why we think autonomous cars and vehicles are so important to Intel’s future. The answer is DATA. Our strategy is to make Intel the driving force of the data revolution across every technology and every industry. We are a DATA company. The businesses we focus on, and deliver solutions to, create, use and analyze massive amounts of data.
I recently had a chance to speak at the LA Auto show and the title of my presentation was “Data is the New Oil.” My message was simple: automobiles and the automotive industry are increasingly driven by data and computing. The saying “What’s under the hood” will increasingly refer to computing, not horsepower.
At four terabytes of data per day, the average autonomous car will put out the data equivalent of approximately 3,000 people.]
How much is a CEO worth?
Verizon originally wanted $925 million discount for Yahoo’s online services
Verizon initially thought the biggest data breaches in Internet history merited a $925 million discount on its acquisition of Yahoo’s online services, nearly three times what the two companies finally agreed upon.
Yahoo disclosed new details about its negotiations with Verizon in a regulatory filing Monday. The filing doesn’t say why Verizon relented on its original demand, issued Feb. 1. Verizon ultimately accepted Yahoo’s offer to trim the sale price by $350 million instead.
… Although she hasn’t divulged her plans, Mayer isn’t expected to work for Verizon. If she leaves, Mayer will receive a $23 million severance package, according to Monday’s filing. The amount is lower than a $44 million valuation disclosed in September because $21 million in stock options and other awards have vested in Mayer’s account since then.
Besides her severance package, Mayer will gain control of stock options valued at $56.8 million, according to the filing.
Something to play with on my old but still functional PCs.