Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)
Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored in by investors — and not remain artificially high.
Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.
The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to businesses’ data.
Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)
Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies?
UAL also briefly grounded flights on June 2nd, due to “automation issues.”
Now the New York Stock Exchange has halted all trading shortly before noon, cancelling all open orders, due to “technical difficulties.”
There are reports that CNBC and WSJ websites are down, but they could simply be swamped by traffic.
Who’s or what’s next?
UPDATE — 12:55 pm EDT —
Looks like CNBC may only have had a brief burp due to high traffic as there are no further complaints about service interruption. WSJ’s website has been slowly working its way back to normal service; the media outlet posted an abbreviated version for 15-20 minutes once its technical problems had been resolved. No indication yet that anything apart from high traffic volume may have spiked the site.
UPDATE — 1:35 pm EDT —
You know what cracks me up, in a ha-ha-ouch kind of way? FBI Director Jim Comey puling about the need for back doors into technology in front of Congress today, while a major airline and the most important stock market in the world demonstrate exactly how ugly it could get if hackers with malicious intent used the back doors he demands for evil rather than good. The “technical difficulties” both UAL and NYSE experienced today could be duplicated by hackers using back doors.
The U.S. Government is an aircraft carrier, very slow to turn even when under fire. Hackers are speedboats. Asking for back doors across all technology while facing myriad fleet-footed nemeses is like chasing 38-foot Cigarette Top Gun speedboats with a carrier. Unless the carrier can see Cigarettes coming from a distance and train guns on them, Cigarettes will fly up its backside. The U.S. Government has already proven it can’t see very far ahead, stuck in a defensive posture while using its offense in ways that only ensure more attacks.
UPDATE — 2:20 pm EDT —
Fortune reports the NYSE halt was due to a “failed systems upgrade.”
Right. Upgrade. Let’s roll out an upgrade in the middle of the week, in the middle of the month, when both China’s stock market and Europe’s banksters are freaking out. Let’s not manage traders’ expectations in advance of the day’s trading, either.
Somebody needs to retake a course in Change Management 101 — or there’s some additional explaining required.
Reuters assures us, too:
The U.S. Department of Homeland Security said there were “no signs” that the problems at NYSE and United Airlines stemmed from “malicious activity,” CNN reported.
Good to know, huh? Can’t believe they went to CNN for that.
UPDATE — 3:30 pm EDT —
The buzz since 2:00-ish pm is that Anonymous *might* be to blame for the NYSE “glitch.” The Hill, Salon, and a few other outlets reported about a cryptic tweet from @YourAnonNews late last evening:
But another Anonymous affiliate laughed it off, saying:
Timing is incredible, though; the NYSE, WSJ, and UAL outages all happened concurrent with a Congressional hearing at which FBI Director Jim Comey discussed the need for back doors into everything. What an incredible series of coincidences today.
UPDATE — 3:55 pm EDT —
Best take by far on today’s NYSE “technical difficulties”, gonzo reporting with a feminine touch from Molly Crabapple:
UPDATE — 5:00 pm EDT —
NYSE re-opened again around 3:00 pm EDT, with trading a bit jittery. Financial news outlets speculated the market closed at 17,515.42, down -261.49 (-1.47%) due to concerns over China’s tanked stock market and Greece’s EU debt woes. The Shanghai market had closed the previous day at 3,507.19 down -219.93 (-5.90%).
Feeling iffy over the Shanghai index, Hong Kong’s Hang Seng Index closed at 23,516.56 down -1,458.75 (-5.84%); Japan’s Nikkei 225 closed at 19,737.64 down -638.95 (-3.14%).
But these Asian markets weren’t affected by the NYSE’s technical difficulties today. Wonder how they will open on July 9th their local time — flat or down? I wouldn’t put my money on an uptick, but I’m not a financial adviser, either.
I imagine the bars and pubs around Wall Street saw greater-than-average action. I might put money on that.
‘The time has come,’ the Walrus said,
To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings.’
(Excerpt, Lewis Carroll’s The Walrus and the Carpenter)
Here’s an open information security topic worth examining more closely: the recent vandalization of yet another fiber optic cable on the west coast.
A total of eleven cuts have been made since last July on fiber optic cables in the greater San Francisco/Oakland area. The most recent cut occurred on June 30th. The FBI had already asked the public for help with information about the first ten cuts, made in these general locations at the time and date indicated here:
1) July 6, 2014, 9:44 p.m. near 7th St. and Grayson St. in Berkeley
2) July 6, 2014, 11:39 p.m. near Niles Canyon Blvd. and Mission Blvd. in Fremont
3) July 7, 2014, 12:24 a.m. near Jones Road and Iron Horse Trail in Walnut Creek
4) July 7, 2014, 12:51 a.m. near Niles Canyon Blvd. and Alameda Creek in Fremont
5) July 7, 2014, 2:13 a.m. near Stockton Ave. and University Ave. in San Jose
6) February 24, 2015, 11:30 p.m. near Niles Canyon Blvd. and Mission Blvd. in Fremont
7) February 24, 2015, 11:30 p.m. near Niles Canyon Blvd. and Alameda Creek in Fremont
8) June 8, 2015, 11:00 p.m. near Danville Blvd. and Rudgear Road in Alamo
9) June 8, 2015, 11:40 p.m. near Overacker Ave and Mowry Ave in Fremont
10) June 9, 2015, 1:38 p.m. near Jones Road and Parkside Dr. in Walnut Creek
The FBI presented these first ten cuts as a single, undivided list. After looking at the dates and times, one can see these cuts may have occurred not as discrete events, but as three separate clusters of cuts. The first cluster occurred within a five-hour span; the second occurred nearly simultaneously at two points; and the third cluster occurred within three hours. Each of the three clusters took place after dark, within a single evening. The tenth cut may be a one-off, or it may be connected to the third cluster as it took place within 14 hours of the eighth and ninth cuts.
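The grouping described above can be reproduced by splitting the listed timestamps wherever the gap between consecutive cuts exceeds a threshold. This is an added example, not part of the original post or the FBI's release; the function names and the 6-hour and 14-hour thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# The ten cuts exactly as listed above: (number, local timestamp, location).
CUTS = [
    (1, "2014-07-06 21:44", "7th St. and Grayson St., Berkeley"),
    (2, "2014-07-06 23:39", "Niles Canyon Blvd. and Mission Blvd., Fremont"),
    (3, "2014-07-07 00:24", "Jones Road and Iron Horse Trail, Walnut Creek"),
    (4, "2014-07-07 00:51", "Niles Canyon Blvd. and Alameda Creek, Fremont"),
    (5, "2014-07-07 02:13", "Stockton Ave. and University Ave., San Jose"),
    (6, "2015-02-24 23:30", "Niles Canyon Blvd. and Mission Blvd., Fremont"),
    (7, "2015-02-24 23:30", "Niles Canyon Blvd. and Alameda Creek, Fremont"),
    (8, "2015-06-08 23:00", "Danville Blvd. and Rudgear Road, Alamo"),
    (9, "2015-06-08 23:40", "Overacker Ave and Mowry Ave, Fremont"),
    (10, "2015-06-09 13:38", "Jones Road and Parkside Dr., Walnut Creek"),
]


def parse(cuts):
    """Return (datetime, number, location) tuples in chronological order."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), n, loc) for n, ts, loc in cuts
    )


def cluster(events, max_gap):
    """Start a new cluster whenever the gap to the previous cut exceeds max_gap."""
    clusters = []
    for ev in events:
        if clusters and ev[0] - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def summarize(clusters):
    """For each cluster: the cut numbers and the span from first to last cut."""
    return [([n for _, n, _ in c], c[-1][0] - c[0][0]) for c in clusters]


def repeated_locations(events):
    """Locations that appear in more than one cut, with the cut numbers."""
    seen = {}
    for _, n, loc in events:
        seen.setdefault(loc, []).append(n)
    return {loc: nums for loc, nums in seen.items() if len(nums) > 1}


if __name__ == "__main__":
    events = parse(CUTS)
    # Assumed thresholds: 6 h keeps the tenth cut apart, 14 h attaches it.
    for hours in (6, 14):
        print(f"max gap {hours} h:")
        for ids, span in summarize(cluster(events, timedelta(hours=hours))):
            print(f"  cuts {ids} span {span}")
    for loc, nums in repeated_locations(events).items():
        print(f"repeated location: {loc} -> cuts {nums}")
```

With a 6-hour gap the tenth cut stands alone; widening the gap to 14 hours attaches it to the third cluster, which is the ambiguity the paragraph describes. The location check also shows that both February 2015 sites had already been cut in July 2014.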
The most recent cable cut, occurring this week, did not fit a pattern like the previous ten cuts. Reports indicate the cut was near Livermore — a new location much farther to the south and east in comparison, and only one cut reported rather than two or more.
Is this latest cut an outlier, or were perpetrators interrupted before they could cut again?
Taking a closer look at the previous cut events, we can see there must have been more than one individual involved in the cuts, and they may have been coordinated.
We already knew Sony Pictures Entertainment’s (SPE) hack was bad. We knew that the parent, Sony Group, had been exposed to cyber attacks of all kinds for years across its subsidiaries, and slow to effect real changes to prevent future attacks.
And we knew both Sony Group and SPE shot themselves in the feet, literally asking for trouble by way of bad decisions. Sony Electronics’ 2005 copy protection rootkit scandal and SPE’s utter disregard for geopolitics opened the businesses to risk.
But FORTUNE magazine’s expose about the hacking of SPE — of which only two of three parts have yet been published — reveals a floundering conglomerate unable to do anything but flail ineffectively.
It’s impossible to imagine any Fortune 500 corporation willing to tolerate working with 1990s technology for any length of time, let alone one which had no fail-over redundancies or backup strategies, no emergency business continuity plan to which they could revert in the event of a catastrophe. But FORTUNE reports SPE had been reduced to using fax machines to distribute information, in large part because many of its computers had been completely wiped by malware used in the attack.
Pause here and imagine what you would do (or perhaps, have done) if your computer was completely wiped, taking even the BIOS. What would you do to get back in business? You’ve given more thought about this continuity challenge than it appears most of SPE’s management invested prior to last November’s hack, based on reporting to date.
A mind-boggling part of FORTUNE’s expose is the U.S. government’s reaction to SPE’s hack. The graphic above offers the biggest guffaw, a quote by the FBI’s then-assistant director of its cyber division. Knowing what we know now about the Office of Personnel Management hack, the U.S. government is a less-than-credible expert on hacking prevention. While the U.S. government maintains North Korea was responsible, it’s hard to take them seriously when they’ve failed so egregiously to protect their own turf.
7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)
7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)
9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)
12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)
12:57 pm* – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica) (*unclear if this is original post time or time update posted)
~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)
The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.
For the general public, it’s important to note two things:
— Which firms were not targeted (that we know of);
— Understand the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.
Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.
There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.
And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.
EDIT — 5:55 pm EDT —
And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.
But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, electrical systems, especially in North America.
EDIT — 1:15 am EDT 23JUN2015 —
At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.
It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.
If you haven’t watched this Bloomberg-produced video yet, you should. The women directors interviewed are highly skilled and have been fighting Hollywood’s not-at-all-liberal misogyny for decades.
And yes, decades — nothing substantive has happened since 1983 when Reagan-appointee Judge Pamela Rymer ruled for two major studio defendants in the Directors Guild of America‘s lawsuits against them for their discriminatory hiring practices. There was an uptick for about one decade after the suit; by 1995, roughly 16% of movies were directed by women.
But since then the numbers have fallen, and neither the DGA nor the federal Equal Employment Opportunity Commission (EEOC) has done anything about it.
We could cut some slack on the first decade, between 1995 and 2005, right? Congress was full of right-wing zealots chasing the president over a blowjob, and the president who followed him was hyper-focused on going to war, pushed by Dick Cheney’s hand up his backside. Their administrations drifted along with them, shaped by their leaders’ attentions.
But a second decade now — over thirty years in all since 1983 — and the EEOC gave the matter no attention at all? It’s not as if the film and television industries aren’t right under the noses of people charged with paying attention. Who can work in government and say they haven’t watched any television or film in thirty years? Hello, West Wing?
Or is that an answer in itself, that the film and television industries are merely acting with government sanction, that it is U.S. government policy to discriminate in entertainment media because it serves national interests?
But I need to get that shine back. My oldest is in a relationship with a sportsy guy, and I need to be able to talk with him without trying too hard and sounding like a total moron.
So, help a girl out. Auto racing. Baseball. Golf. That’s all that’s in my cable channel lineup right now, and I can’t muster enough excitement. Tell me what you think I should look for to get heated up about one of these, and is there something really juicy going on tomorrow?
— NHRA in Bristol, TN on ESPN right now looks much as it did over the past couple decades. Is there some big technological breakthrough that makes these races different now than they were pre-2000? Fill me in.
— Folks in my other social media were using lots of shouty caps about baseball and some guy named Scherzer. What happened? Which is/was the better game to watch: Detroit Tigers v New York Yankees, or LA Dodgers v SF Giants?
— And Tiger Woods has no game left they say, missing the cut at the U.S. Open. I did see this much in my timeline. I imagine poor Papa Earl is rolling in his grave, saying he was right that Tiger could only be stopped by a woman. I think it was the comprehensive use of the word, “woman,” as in all women. Tiger hasn’t really had it together for any length of time since his marriage fell apart. Besides the current golden boy McIlroy, who else should I watch at the U.S. Open?
Golf has a little more appeal for me this summer. I used to play until a handful of years ago, when it just wasn’t fun any more. I lost my game, too, couldn’t spend enough time on the course. But now my youngest has landed his first job as bag boy at the nearby club. When he comes home after his shift it’s a hoot to listen to him describe navigating his inaugural work experience, let alone hear all the goofy things that happened to him on the job.
Like today, his first Saturday morning opening the course — he sent me a text mid-shift that read, HOLY TIPS. Came home with a wad of bills in his pocket, yelling how much he loved old dudes who played golf.
Now for this I can get worked up.
This year continues to be a big one for women in film. Films featuring women as leads and/or directed by women made beaucoup at the box office. Mad Max: Fury Road, Pitch Perfect 2, Insurgent, and Fifty Shades of Grey are among the top ten films out of more than 284 released so far this year. Two of these films were directed by women; all four featured female leads. And two of these films put to lie once again the bullshit claim that ‘women can’t lead action films.’
The immense popularity of these movies — especially with women — demonstrates how much Hollywood underserves the female audience, in spite of repeated studies revealing how much women contribute to box office results. Women want women’s stories, told by women, and they’ve gotten them too rarely.
You’d think that Hollywood would actively court the single largest demographic by catering to its desires — but no. The film production pipeline remains solidly weighted toward men, still chasing the increasingly distracted 18-25 year-old male demographic.
It’s not as if women aren’t available as actors or directors. The Directors Guild of America (DGA) — the labor organization representing directors — counts among its ranks roughly 1200 female directors, reflecting the parity of female students who’ve been through film school or learned on the job in other production roles.
If a household name like Clooney doesn’t know more female directors, what exactly is it the DGA is doing for its female membership? It’s clearly not representing them within their own organization, let alone to studios and the public.
The ACLU‘s May 12th letter to the federal Equal Employment Opportunity Commission (EEOC) spelled out DGA’s complicity with Hollywood’s exclusion of female directors, when it asked the EEOC to investigate discriminatory practices. DGA has denied the use of short lists, but apart from preparing regular reports on diversity in hiring, it’s not clear at all what the DGA does to further the hiring of women directors.
In news dump territory — 2:59 p.m. on a Friday afternoon following this last Memorial Day, to be exact — Reuters published an EXCLUSIVE story in which anonymous sources claimed the U.S. launched a cyber attack on North Korea using a modified version of Stuxnet.
This is hardly news. It’s rather a confirmation by an anonymous source, likely a government official, of the Stuxnet program’s wider aims. This was discussed here at emptywheel in 2013.
Far too much of North Korea’s nuclear energy development program looked like Iran’s for Stuxnet not to be a viable counter-proliferation tool if North Korea had succeeded with uranium enrichment.
And far too much information had been shared in tandem between North Korea, Iran, and Syria on nuclear energy and missile development (see image), for Stuxnet not to have a broader range of targets than Iran’s Natanz facility.
Let’s assume folks are savvy enough to know the Stuxnet program had more than Iran in its sights.
Why, dear “people familiar with the covert campaign,” was the confirmation to Reuters now — meaning, years after the likely attempt, and years after Stuxnet was discovered in the wild?
And how convenient this confession, five days before Kaspersky Lab revealed the existence of Duqu 2.0? Did someone “familiar with the covert campaign” believe the admission would be lost in Duqu-related news?
With the confession, though, begins a volley of exchanges:
It’s anybody’s guess what the next lob will look like, especially after NK’s foreign minister met with China for reasons believed connected to drought aid.
You can bet there will be some effort to exchange nuclear inspection access for trade and aid, as previously negotiated during Bill Clinton’s administration.
The use of stolen Foxconn digital certificates in Duqu 2.0 gnaws at me, but I can’t put my finger on what exactly disturbs me. As detailed as reporting has been, there’s not enough information about this malware’s creation. Nor is there enough detail about its targeting of Kaspersky Lab and the P5+1 talks with Iran.
Kaspersky Lab carefully managed release of Duqu 2.0 news — from the information security firm’s initial post and an op-ed, through the first wave of media reports. There’s surely information withheld from the public, about which no other entities know besides Kaspersky Lab and the hackers.
Is it withheld information that nags, leaving vaporous voids in the story’s context? Possibly.
But there are other puzzle pieces floating around without a home, parts that fit into a multi-dimensional image. They may fit into this story if enough information emerges.
Putting aside how much Duqu 2.0 hurts trust in certificates, how did hackers steal any from Foxconn? Did the hackers break into Foxconn’s network? Did they intercept communications to/from Foxconn? Did they hack another certificate authority?
If they broke into Foxconn, did they use the same approach the NSA used to hack Syria — with success this time? You may recall the NSA tried to hack Syria’s communications in 2012, by inserting an exploit into a router. But in doing so, the NSA bricked the router. Because the device was DOA, the NSA could not undo its work and left evidence of hacking behind. The router’s crash took out Syria’s internet. Rapid recovery of service preoccupied the Syrians so much that they didn’t investigate the cause of the crash.
The NSA was ready to deny the operation, though, should the Syrians discover the hack:
…Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”
Did the NSA’s attempted hack of Syria in 2012 provide direction along with added incentive for Duqu 2.0? The failed Syria hack demonstrated evidence must disappear with loss of power should an attempt crash a device — but the malware must have adequate persistence in the targeted network. NSA’s readiness to blame Israel for the failed Syria hack may also have encouraged a fuck-you approach to hacking the P5+1 Iran talks.