SEC Hacked, Kaspersky Banned for use by Federal Government, 200 Million GOP Voters data exposed, and more!


Infosec News

Sep 26, 2017, 11:54:29 AM
to Infosec News

INFORMATION SECURITY NEWS

For The Week of 9/19-9/26 2017


The Information Security News Service is a project of LARS (Laboratory for Advanced Research in Systems) in the CS Department at the University of Minnesota Duluth. We send out top stories in information security every Tuesday (except during some academic breaks). If you have stories you’d like to see featured, please email them to infosec...@d.umn.edu.

CURRENT NEWS


SEC hacked

The SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) network was hacked last year. The network stores data that companies are required to disclose to the SEC, but not necessarily to the public. The SEC hasn’t stated which companies are affected by the breach, but the SEC chairman has said that the hacks “may have provided the basis for illicit gain through trading”.

http://money.cnn.com/2017/09/20/investing/sec-edgar-hacking/index.html?iid=EL

https://www.washingtonpost.com/news/business/wp/2017/09/20/sec-reveals-it-was-hacked-information-may-have-been-used-for-illegal-stock-trades/?utm_term=.7f574ff1b4e4


Federal Banhammer Comes Down on Kaspersky

Kaspersky Lab is a Russian company with some (alleged) ties to the Kremlin. It is, therefore, not a great idea for federal agencies to use antivirus software developed by Kaspersky Lab. A law banning Kaspersky software from federal agencies was passed on September 13, and agencies have one month to stop using any Kaspersky products (and Kaspersky has a month to hypothetically do as much damage as they can, if they want). While Kaspersky has stated that they don’t have “inappropriate ties with any government”, there is some evidence to the contrary. Founder Eugene Kaspersky graduated from the KGB’s elite cryptography institute. In addition, in 2009, Kaspersky told his staff to work on a secret project per a request from Lubyanka (one of the FSB’s Moscow offices).

https://www.nytimes.com/2017/09/04/opinion/kapersky-russia-cybersecurity.html

https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html

https://www.theregister.co.uk/2017/09/13/kaspersky_shrugs_off_us_ban/

https://www.bloomberg.com/news/articles/2017-09-13/u-s-bans-use-of-kaspersky-software-by-all-federal-agencies

A lighter take: https://www.theregister.co.uk/2017/09/06/banning_kaspersky_from_us_govt_computers/


GOP Data Firm Exposes 200 Million Voters’ Data

The exposed data includes the addresses, birthdates, phone numbers, and analysis on over 198 million GOP voters’ political leanings, as well as predicted ethnicity and religion. More than a terabyte of data was stored on an unsecured Amazon server, iNote. At present there are only as many as 212 million GOP voters, and due to the exposure a majority of these voters are at risk. The data firm, Deep Root Analytics, claims that the exposed data was not maliciously accessed. Instead it was found that anyone with access to the URL. Through a combination of information-gathering techniques, the data found in the exposure can be used to create unique portfolios for individuals.

https://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612


Supreme Court Case to Decide if Government Needs Warrant to Use Cell Phone Location Data

The Supreme Court is to decide if people can expect cell phone location data to be private. The case, Carpenter v. United States, concerns a man who was convicted of armed robbery after cell-site location information (CSLI) placed him near the robberies. However, no warrant was used in obtaining the CSLI. The Sixth Circuit upheld his conviction, saying Carpenter had no expectation of privacy in CSLI, and that no warrant was needed. The case hinges on the “third party doctrine” of the Fourth Amendment, which says that we give up the right to privacy when we share information with third parties (phone companies, ISPs, etc.). Since there is no expectation of privacy in this information, the government can use it and still satisfy the Fourth Amendment. The Supreme Court’s decision to uphold or reject this doctrine will have some big implications for individual privacy in the future.

https://motherboard.vice.com/en_us/article/59zq5x/scotus-cell-location-privacy-op-ed

