Go ahead, hack your car, Library of Congress says


Because every car comes with a CPU—and many CPUs contain proprietary information—tooling around in the garage also could amount to a copyright violation. So said the Alliance of Automakers, a trade group that includes Ford and Toyota among many other companies, which earlier this year asked the U.S. Copyright Office to look at exemptions to the Digital Millennium Copyright Act. “Many of the scores of electronic control systems embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to vehicle safety, emissions control, and fuel economy,” the group wrote. “Much of the ‘personalization’ that proponents seek to achieve disturbs these calibrations and would have the effect of putting the vehicle into noncompliance with these legally binding requirements.” But the Library of Congress issued exemptions to the DMCA that also freed those who wish to modify tablets and smart TVs. “I am glad they granted these exemptions,” said Sherwin Siy, vice president for legal affairs for Public Knowledge, an Internet freedom advocate. Source: Washington Post

Online shoppers get an eyeful of data

Marks & Spencer temporarily suspended its website after “technical difficulties” that exposed customer information to other website users. The British retailer said its website was not hacked by outside third parties, that the problem was the result of internal technical difficulties, and that there is no security risk for affected customers. The M&S website is back online and operating normally. Prior to the website suspension, customers logged into the website could see other people’s orders, and some customers reportedly claimed they could see payment details of other customers. However, M&S insisted that because the details were encrypted there was no security risk. Source: Tech Week Europe

Millennials just say no to cybersecurity careers

Those hundreds of thousands of IT experts that will be missing by 2020 won’t be easy to find, as a new study suggests that millennials are not crazy about a career in cybersecurity. A study titled “Securing Our Future: Closing The Cyber Talent Gap,” finds that young adults are not really interested in cybersecurity, but what’s worse, the number of young women in the United States interested in a cyber career is five times smaller. Mike Daly, cyber chief technology officer at Raytheon, said it is a cultural thing: “When asked whether they had been made aware of cyber opportunities (by educators and other adults), 47 percent of men said they had been made aware and only 33 percent of women said they had.” Many young adults haven’t heard of a cyber attack in the last year. They haven’t heard of the TalkTalk event, the Anthem breach, or even the American Airlines assault. Source: Beta News

Defense contractors, place your cyber bids

Bids are due Dec. 1 on a contract valued at as much as $460 million over five years to support U.S. Cyber Command, which opened in 2010 at the 5,000-acre Army base in Maryland that’s also home to the National Security Agency. Major defense contractors such as Lockheed Martin, Raytheon and General Dynamics—traditionally known for fighter jets, missiles and other hardware—are expected to compete for work accomplished mostly in front of a computer screen. “As a defense company, we want to be in the area of developing solutions,” said William Leigher, a retired Navy rear admiral and director of government cyber solutions for Raytheon. “Everyone is thinking pretty hard right now about what these forces need.” Companies such as Raytheon anticipate that Cyber Command will be a hub of contracting activity during the next few years as it creates teams to protect defense networks and be at the ready to assist other U.S. agencies in shielding private critical networks from hackers. Source: Bloomberg

Hey, big spenders—cybersecurity forecast at $224.5 billion

The global cybersecurity market is estimated at $74.2 billion and is expected to reach $224.5 billion by 2022, with a compound annual growth rate of 14.8 percent during the forecast period of 2014 to 2022, according to the Market Research Store. The loss of intellectual and financial assets is a key factor generating market opportunity for cyber specialty companies. Other factors: the government is increasing investment in sophisticated cybersecurity technologies; securing the Internet of Things is getting federally sponsored research; and anti-virus and anti-malware solutions are likely to acquire the highest market share during the forecast period. Source: Patriarc

Boards are on board—sort of

More than two-thirds of company board members are more involved with cybersecurity issues than they were a year ago, according to a survey by BDO USA, a consulting firm. Nearly 90 percent of the 150 public-company board members who responded to the survey said they’re briefed on cybersecurity at least once a year, with a third briefed at least quarterly on the issue. Seventy percent said they have increased company investments against cyber attacks in the past year, the survey found. Shahryar Shaghaghi, national leader of technology services for BDO, said the board participation and involvement numbers are encouraging, but he now expects more as a result of the investment. “I think we need to move from reactive, which is responding to breaches and notifying the board, to a more-proactive state, where the board can understand what’s going on in the organization,” he said. However, less than half of boards have a cyber-breach response plan in place, and one-third of directors say their companies have cyber-risk requirements for their third-party vendors. “More than 60 percent of breaches today come through third-party relationships,” Shaghaghi said. Source: Bloomberg

Justice for the hacked is on the agenda

Attorney General Loretta Lynch told Congress that she has refocused the Justice Department’s work on fighting terrorism, cyber threats, white-collar crime and human trafficking. On the cyber front, Lynch created a unit within the criminal division’s computer crime and intellectual property section. The Justice Department’s national security division also is undertaking an initiative to “promote information sharing and resilience as part of the division’s national asset protection program,” Lynch said in written testimony to the House Judiciary Committee. “I have also been meeting personally with corporate executives and general counsels around the country to spread our message of cyber awareness, to encourage strategic collaboration, and to find promising new ways to protect American consumers from exploitation and abuse,” she wrote. Source: The Washington Examiner

Banks’ efforts to get Target documents miss the mark

U.S. Magistrate Judge Jeffrey Keyes denied a class of banks’ motion that Target produce documents generated during its internal investigation of the massive 2013 holiday season data breach, highlighting the need for corporations to structure their post-breach investigations to claim attorney-client privilege over the investigation and any resulting documents. The ruling was the result of a discovery dispute between the parties over documents created during two separate investigations conducted by Target. Target maintained numerous entries on its privilege log relating to these documents, which Target claimed were either attorney-client privileged or work product. The banks, which were granted class certification, argued that the documents at issue could not be cloaked with privilege where Target would have had to investigate and fix the data breach “regardless of any litigation.” The banks claimed that even though the investigative probes were launched at the direction of Target’s counsel, discussions with its counsel should still be made available because they related to Target’s handling of regular business functions. Target countered that it had essentially set up a two-tracked investigation to respond to the breach. Source: The National Law Review

Excuse me, is that my password out there for all the world to see?

A security researcher has discovered more than 13 million plaintext passwords that appear to belong to users of 000Webhost, a service that says it provides reliable and high-speed web hosting for free. The leaked data, which also includes users’ names and email addresses, was obtained by Troy Hunt, an Australian researcher and the operator of Have I Been Pwned?, a service that helps people figure out if their personal data has been exposed in website breaches. Hunt received the data from someone who contacted him and said it was the result of a hack five months ago on 000Webhost. Hunt has, so far, confirmed with five of the people included in the list that it contains the names, passwords and IP addresses they used to access 000Webhost. In a Facebook post, 000Webhost officials confirmed the breach and said it was the result of hackers who exploited an old version of the PHP programming language to gain access to 000Webhost systems. The advisory makes no reference to the plaintext passwords, although it does advise users to change their credentials. Source: Ars Technica

Let’s get legal with it

A group of U.S. and EU digital rights organizations and consumer groups—including the EFF, the U.S. Center for Digital Democracy, the European Consumer Organization and Privacy International—issued a statement calling for a “meaningful legal framework” to protect fundamental privacy rights in the digital era. The statement comes as a critical response to the publication earlier this month of the Bridges report, a joint project between U.S. and EU academics advocating for continued reliance on existing laws coupled with industry self-regulation as a middle-of-the-road approach to safeguarding privacy rights. The Bridges report advocates for, as its authors put it, “a framework of practical options that advance strong, globally accepted privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions”—such as offering standardized user controls and user complaint mechanisms, and best practices for the de-identification of user data, among other proposed measures. However, the EFF et al. are highly critical of this approach, dubbing it “failed policy” and “remarkably out of touch with the current legal reality.” Source: Tech Crunch