Go ahead, hack your car, Library of Congress says


Because every car comes with a CPU—and many CPUs contain proprietary information—tooling around in the garage also could amount to a copyright violation. So said the Alliance of Automakers, a trade group that includes Ford and Toyota among many other companies, which earlier this year asked the U.S. Copyright Office to look at exemptions to the Digital Millennium Copyright Act. “Many of the scores of electronic control systems embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to vehicle safety, emissions control, and fuel economy,” the group wrote. “Much of the ‘personalization’ that proponents seek to achieve disturbs these calibrations and would have the effect of putting the vehicle into noncompliance with these legally binding requirements.” But the Library of Congress issued exemptions to the DMCA that also freed those who wish to modify tablets and smart TVs. “I am glad they granted these exemptions,” said Sherwin Siy, vice president for legal affairs for Public Knowledge, an Internet freedom advocate. Source: Washington Post

Online shoppers get an eyeful of data

Marks & Spencer temporarily suspended its website after “technical difficulties” that exposed customer information to other website users. But the British retailer said its website was not hacked by outside third parties, and there is no security risk for affected customers. The M&S website is back online and operating normally. The company said this was not a breach by outside third parties, but a result of internal technical difficulties. Prior to the website suspension, customers logged into the website could see other people’s orders. And some customers reportedly claimed they could see payment details of other customers. However, M&S insisted that as the details were encrypted there was no security risk. Source: Tech Week Europe

Millennials just say no to cybersecurity careers

Those hundreds of thousands of IT experts that will be missing by 2020 won’t be easy to find, as a new study suggests that millennials are not crazy about a career in cybersecurity. A study titled “Securing Our Future: Closing The Cyber Talent Gap” finds that young adults are not really interested in cybersecurity, but what’s worse, the number of young women in the United States interested in a cyber career is five times smaller. Mike Daly, cyber chief technology officer at Raytheon, said it is a cultural thing: “When asked whether they had been made aware of cyber opportunities (by educators and other adults), 47 percent of men said they had been made aware and only 33 percent of women said they had.” Many young adults haven’t heard of a cyber attack in the last year. They haven’t heard of the TalkTalk event, the Anthem breach, or even the American Airlines assault. Source: Beta News

Defense contractors, place your cyber bids

Bids are due Dec. 1 on a contract valued at as much as $460 million over five years to support U.S. Cyber Command, which opened in 2010 at the 5,000-acre Army base in Maryland that’s also home to the National Security Agency. Major defense contractors such as Lockheed Martin, Raytheon and General Dynamics—traditionally known for fighter jets, missiles and other hardware—are expected to compete for work accomplished mostly in front of a computer screen. “As a defense company, we want to be in the area of developing solutions,” said William Leigher, a retired Navy rear admiral and director of government cyber solutions for Raytheon. “Everyone is thinking pretty hard right now about what these forces need.” Companies such as Raytheon anticipate that Cyber Command will be a hub of contracting activity during the next few years as it creates teams to protect defense networks and be at the ready to assist other U.S. agencies in shielding private critical networks from hackers. Source: Bloomberg

Hey, big spenders—cybersecurity forecast at $224.5 billion

The global cybersecurity market is estimated at $74.2 billion and is expected to reach $224.5 billion by 2022, with a compound annual growth rate of 14.8 percent during the forecast period of 2014 to 2022, according to the Market Research Store. The loss of intellectual and financial assets is a key factor generating market opportunity for cyber specialty companies. Other factors: the government is increasing investment in sophisticated cybersecurity technologies; securing the Internet of Things is getting federally sponsored research; and anti-virus and anti-malware solutions are likely to acquire the highest market share during the forecast period. Source: Patriarc

Boards are on board—sort of

More than two thirds of company board members are more involved with cybersecurity issues than they were a year ago, according to a survey by BDO USA, a consulting firm. Nearly 90 percent of the 150 public-company board members who responded to the survey said they’re briefed on cybersecurity at least once a year, with a third briefed at least quarterly on the issue. Seventy percent said they have increased company investments against cyber attacks in the past year, the survey found. Shahryar Shaghaghi, national leader of technology services for BDO, said the board participation and involvement numbers are encouraging, but he now expects more as a result of the investment. “I think we need to move from reactive, which is responding to breaches and notifying the board, to a more-proactive state, where the board can understand what’s going on in the organization,” he said. However, less than half of boards have a cyber-breach response plan in place, and one-third of directors say their companies have cyber-risk requirements for their third-party vendors. “More than 60 percent of breaches today come through third-party relationships,” Shaghaghi said. Source: Bloomberg

Justice for the hacked is on the agenda

Attorney General Loretta Lynch told Congress that she has refocused the Justice Department’s work on fighting terrorism, cyber threats, white-collar crime and human trafficking. On the cyber front, Lynch created a unit within the criminal division’s computer crime and intellectual property section. The Justice Department’s national security division also is undertaking an initiative to “promote information sharing and resilience as part of the division’s national asset protection program,” Lynch said in written testimony to the House Judiciary Committee. “I have also been meeting personally with corporate executives and general counsels around the country to spread our message of cyber awareness, to encourage strategic collaboration, and to find promising new ways to protect American consumers from exploitation and abuse,” she wrote. Source: The Washington Examiner

Banks’ efforts to get Target documents miss the mark

U.S. Magistrate Judge Jeffrey Keyes denied a class of banks’ motion that Target produce documents generated during its internal investigation of the massive 2013 holiday season data breach, highlighting the need for corporations to structure their post-breach investigations to claim attorney-client privilege over the investigation and any resulting documents. The ruling was the result of a discovery dispute between the parties over documents created during two separate investigations conducted by Target. Target maintained numerous entries on its privilege log relating to these documents, which Target claimed were either attorney-client privileged or work product. The banks, which were granted class certification, argued that the documents at issue could not be cloaked with privilege where Target would have had to investigate and fix the data breach “regardless of any litigation.” The banks claimed that even though the investigative probes were launched at the direction of Target’s counsel, discussions with its counsel should still be made available because they related to Target’s handling of regular business functions. Target countered that it had essentially set up a two-tracked investigation to respond to the breach. Source: The National Law Review

Excuse me, is that my password out there for all the world to see?

A security researcher has discovered more than 13 million plaintext passwords that appear to belong to users of 000Webhost, a service that says it provides reliable and high-speed web hosting for free. The leaked data, which also includes users’ names and email addresses, was obtained by Troy Hunt, an Australian researcher and the operator of Have I Been Pwned?, a service that helps people figure out if their personal data has been exposed in website breaches. Hunt received the data from someone who contacted him and said it was the result of a hack five months ago on 000Webhost. Hunt has, so far, confirmed with five of the people included in the list that it contains the names, passwords and IP addresses they used to access 000Webhost. In a Facebook post, 000Webhost officials confirmed the breach and said it was the result of hackers who exploited an old version of the PHP programming language to gain access to 000Webhost systems. The advisory makes no reference to the plaintext passwords, although it does advise users to change their credentials. Source: Ars Technica

Let’s get legal with it

A group of U.S. and EU digital rights organizations and consumer groups—including the EFF, the U.S. Center for Digital Democracy, the European Consumer Organization and Privacy International—issued a statement calling for a “meaningful legal framework” to protect fundamental privacy rights in the digital era. The statement comes as a critical response to the publication earlier this month of the Bridges report, a joint project between U.S. and EU academics advocating for continued reliance on existing laws coupled with industry self-regulation as a middle-of-the-road approach to safeguarding privacy rights. The Bridges report advocates for, as they put it, “a framework of practical options that advance strong, globally accepted privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions”—such as offering standardized user controls and user complaint mechanisms, and best practices for the de-identification of user data, among other proposed measures. However, the EFF et al. are highly critical of this approach—dubbing it “failed policy” and “remarkably out of touch with the current legal reality.” Source: Tech Crunch