STE WILLIAMS

Patch Android now! April update fixes three critical flaws

Android’s April update just landed and this month the headline story is two critical CVE-level patches among a total of 11 affecting anyone with handsets running versions 7, 8, and 9.

The good news is that as far as Google knows, none of this month’s flaws are being exploited. That could change, of course, which is why getting the updates should be a priority as soon as they become available from this week.

The first two criticals are identified as CVE-2019-2027 and CVE-2019-2028, affecting all versions 7.x, 8.x, and 9.0 of the core AOSP, the part of the OS that is universal to anything running Android.

Both are Remote Code Execution (RCE) vulnerabilities in the oft-patched media framework, either of which could allow an attacker to “execute arbitrary code within the context of a privileged process.”

The final critical bug is CVE-2019-2029, another RCE affecting all versions from 7.x and up that will be shipped to users on the 2019-04-05 patch level (see below for an explanation of what that means).

The other eight AOSP flaws are all marked high priority, including six elevation of privilege (EoP) flaws and three information disclosure flaws.

Qualcomm

As usual, Qualcomm gets a small blizzard of fixes, 30 of which are in open-source components and another 44 in proprietary software. The first group includes one critical along with others rated high. The second includes six criticals with the rest marked high priority.

This is what’s good about Android’s now-monthly patch update – users applying it are fixing a lot of important security problems that might once have lingered for months or years.

Android’s confusing patching system

Assuming you’re running Android 7 or later, the latest update will appear as either ‘1 April 2019’ or ‘5 April 2019’ in Settings > About phone > Android security patch level.

Although the patches were announced this week, when they become available to download depends on which Android handset you own.

If it’s one of Google’s Pixel smartphones, the patches should be available almost immediately. For other vendors, it could take from weeks to a month or two.

For example, a handset I use for testing runs Android 8.1 but as of April 2019, its patch level is still set to 1 December 2018. Because vendors now have the job of offering updates, this isn’t Google’s doing.

What’s the difference between the two patch dates?

If your device’s security patch level is set to the first day of the month (i.e. 1 April), that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. March).

If you’re lucky enough to see the fifth day of the month (5 April), that means you have updates from both Google and the device maker.

From a security perspective, being on the first of these tracks isn’t as much of a disadvantage as it sounds because the most valuable flaws attackers look for are always ones applying to all handsets, not simply those from a specific vendor. The important thing is to receive the updates as frequently, and soon, as possible.
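The two-track rule above is easy to get wrong when checking a fleet of handsets, so here is an added example (not part of the original article) that encodes it: given the patch level string a device reports and the month of the latest bulletin, it works out which track the device is on and how many months each component lags. The helper names and the sample inventory are assumptions.

```python
"""Classify an Android security patch level against the current bulletin.

Added example, not from the original article. It encodes the rule the
article describes: a level dated the 1st of a month carries the AOSP fixes
for that month but vendor fixes only up to the previous month; a level dated
the 5th carries both. The helper names and the sample inventory are assumptions.
"""
from datetime import date
from typing import Dict, List

# Month of the bulletin the article discusses (April 2019).
BULLETIN_2019_04 = date(2019, 4, 1)


def months_between(older: date, newer: date) -> int:
    """Whole months from older to newer, ignoring the day of month."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def classify_patch_level(level: str, bulletin: date) -> Dict[str, object]:
    """Report the track and how far each component lags the latest bulletin.

    level:    the string shown under Settings > About phone, e.g. '2018-12-01'
    bulletin: the month of the most recent published Android bulletin
    """
    year, month, day = (int(part) for part in level.split("-"))
    if day not in (1, 5):
        raise ValueError(f"unexpected patch level day {day}; expected 1 or 5")
    aosp_through = date(year, month, 1)
    if day == 5:
        track = "aosp+vendor"
        vendor_through = aosp_through
    else:
        track = "aosp-only"
        # Vendor fixes only cover the month before the stated one.
        prev_year, prev_month = (year - 1, 12) if month == 1 else (year, month - 1)
        vendor_through = date(prev_year, prev_month, 1)
    return {
        "track": track,
        "aosp_months_behind": months_between(aosp_through, bulletin),
        "vendor_months_behind": months_between(vendor_through, bulletin),
    }


# Constructed sample inventory: device label -> reported security patch level.
FLEET = {
    "pixel-lab": "2019-04-05",
    "test-handset-8.1": "2018-12-01",  # the stale test handset the article mentions
    "vendor-9.0": "2019-04-01",
}


def stale_devices(fleet: Dict[str, str], bulletin: date, max_months: int = 2) -> List[str]:
    """Labels of devices whose vendor fixes lag the bulletin by more than max_months."""
    return sorted(
        label for label, level in fleet.items()
        if classify_patch_level(level, bulletin)["vendor_months_behind"] > max_months
    )


if __name__ == "__main__":
    for label, level in FLEET.items():
        print(label, classify_patch_level(level, BULLETIN_2019_04))
    print("stale:", stale_devices(FLEET, BULLETIN_2019_04))
```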

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FnxE1auymoM/

2m credit cards ripped off from restaurant chain, sold on the dark web

Earl Enterprise – the owner behind a slew of US restaurant chains – confirmed on Friday that one or more hackers had installed credit card slurping malware on point-of-sale (PoS) systems at a half dozen of its restaurant brands.

The company said that potentially affected restaurants include its brands Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria. It’s set up a look-up tool at this site that lets you search for affected locations by city, state and brand.

The company said that the malware was designed to capture payment card data, which may have included credit and debit card numbers, expiration dates and, in some cases, cardholder names.

The dates of potentially affected transactions vary by location, though overall, customers who used their payment cards at the potentially affected locations between 23 May 2018 and 18 March 2019 might have been affected. The malware didn’t affect orders paid for online through third-party applications or platforms.

Earl Enterprise said that the breach has now been contained and that it’s working with two cybersecurity firms on an internal investigation, as well as with federal law enforcement. It’s working “diligently” with security experts on further remediation, it said, and plans to closely monitor its systems and take additional security measures “to help prevent something like this from happening again in the future.”

Earl Enterprise first got a heads-up about the PoS malware back in February, when security journalist Brian Krebs contacted the company to let it know that he’d found a big cache of credit and debit card numbers belonging to the company’s customers that were being sold on the Dark Web.

Krebs asked Earl Enterprises how many customers in total may have been affected by the 10-month breach, but it didn’t respond. Krebs himself reports that he found about 2.15 million payment card details in a batch of stolen cards that an underground shop was calling the “Davinci Breach.”

Krebs had reached out to the executive team at Buca di Beppo in late February after determining that most of the restaurant’s locations were likely involved in a data breach that first turned up on Joker’s Stash: an underground carding shop that regularly sells batches of freshly ripped-off payment card details.

After carders buy those payment card details, they can then put all the legitimate card details onto the fresh magnetic stripe of a blank card, thereby cloning the card and using the counterfeit card to buy high-ticket items.

That’s actually the nature of fresh charges against Max Ray Vision, a computer security consultant turned hacker who was serving what was a record-setting, 13-year prison sentence for illegal hacking when he was sent away in 2010 but who racked up even more charges from behind bars. In December, the hacker, known as the “Iceman”, was charged with allegedly using a contraband cellphone to loot debit card accounts and to then fund a drone delivery of even more contraband dropped into a Louisiana prison yard.

Check your statements!

Earl Enterprise is urging customers to check their credit and debit card statements with an eye out for fraudulent charges. You’re not responsible for fraudulent charges, but card issuers aren’t necessarily going to tug your sleeve when one gets made on your account. That’s why it’s a good habit to regularly monitor statements for suspicious activity.

If you see something wonky, don’t hesitate to report it to the card issuer. We the people are typically not held responsible for fraudulent activity – as long as it’s reported in a timely fashion. Don’t delay if you don’t want to get stuck paying for somebody else’s shopping spree.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QVz_HrJ7_X4/

Is your hard drive exposed online?

Over 13,500 internet-connected storage devices have been exposed online by users who failed to set access passwords for them, it emerged last week.

The affected drives all use the Internet Small Computer Systems Interface (iSCSI), which is an implementation of the older SCSI interface that connected disk drives directly to computers.

iSCSI, which was standardised in 2000, enabled that protocol to operate over IP connections so that devices could connect to drives across local area networks, or wide-area connections including the general internet.

Today, people use iSCSI to connect to a range of devices including the kinds of network-attached storage (NAS) drives that you’d find in a small office, and larger banks of network storage devices in datacentres.

iSCSI is also a common way for computers to connect to virtual machines (VMs). These are software files containing entire operating systems that run on a thin layer of software (a hypervisor) rather than directly on a physical server, making it possible to run many of them on a single computer at once. VMs are the basis for modern cloud computing, which relies entirely on virtualised resources.

Here’s the problem with putting things on the internet, though: They’re usually easy to find and connect to. If you put something like an iSCSI device online and then fail to secure it with login credentials, it means that it’s publicly available for anyone to access.

A cybersecurity researcher using the name A Shadow discovered this and publicised it on Saturday 30 March 2019.

They found over 13,500 of these iSCSI devices exposed online, available for anyone to access and exposing the data that they held. This gives anyone successfully connecting to a drive complete freedom to download its contents, delete it, or alter it to insert malware.

Many of these iSCSI addresses belonged to private companies, the researcher added, making them prime targets for cybercriminals.

ZDNet verified A Shadow’s findings by searching for unprotected iSCSI devices on the IoT search engine Shodan. It found exposed devices from a variety of organisations, including a branch of a YMCA, a Russian government agency, and several universities and research institutes.

This isn’t an issue with the iSCSI protocol so much as with its implementation.

The users who install these devices should make efforts to secure them, although in many cases they won’t be aware that they need to.

This is where the second line of defence could come in. iSCSI-enabled device vendors could either force users to configure passwords before allowing them to connect to a network, or better still configure the devices with individual passwords out of the box.
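The article’s point is that the exposure comes from configuration rather than the protocol, so an administrator can catch it before a scanner does. The following is an added example (not from the article or any vendor): a small audit of a targets.conf in the format used by the Linux SCSI target framework (tgt), flagging targets that accept logins without CHAP credentials, use a short CHAP secret, or have no initiator restriction. The sample configuration is constructed and the finding names are this script’s own.

```python
"""Audit a tgt-style targets.conf for iSCSI targets exposed without authentication.

Added example, not from the original article. The input format is that of the
Linux SCSI target framework (tgt) targets.conf; the sample config below is
constructed, and the finding names are this script's own.
"""
import re
from typing import Dict, List, Tuple

TARGET_OPEN = re.compile(r"^<target\s+(\S+)>$")
TARGET_CLOSE = "</target>"
MIN_CHAP_SECRET = 12  # most initiators reject CHAP secrets shorter than this

Directives = List[Tuple[str, str]]


def parse_targets(conf: str) -> Dict[str, Directives]:
    """Map each target IQN to its (directive, value) pairs.

    Comments starting with '#' are stripped, so a secret containing '#'
    would need quoting in a real deployment.
    """
    targets: Dict[str, Directives] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = TARGET_OPEN.match(line)
        if match:
            current = match.group(1)
            targets[current] = []
        elif line == TARGET_CLOSE:
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            targets[current].append((key, value.strip()))
    return targets


def audit_target(directives: Directives) -> List[str]:
    """Return exposure findings for one target's directives."""
    findings: List[str] = []
    users = [v for k, v in directives if k == "incominguser"]
    acls = [v for k, v in directives if k == "initiator-address"]
    names = [v for k, v in directives if k == "initiator-name"]

    if not users:
        # No CHAP at all: anything that can reach TCP 3260 can log in.
        findings.append("no-chap")
    for user in users:
        parts = user.split()
        if len(parts) < 2 or len(parts[1]) < MIN_CHAP_SECRET:
            findings.append("weak-chap-secret")
            break

    # tgt defaults to 'initiator-address ALL' when no restriction is given.
    if (not acls and not names) or any(a.upper() == "ALL" for a in acls):
        findings.append("no-initiator-acl")
    return findings


def audit_config(conf: str) -> Dict[str, List[str]]:
    """Audit every target in a targets.conf string."""
    return {iqn: audit_target(d) for iqn, d in parse_targets(conf).items()}


# Constructed sample showing the exposure patterns described in the article.
SAMPLE_CONF = """\
# constructed sample targets.conf
<target iqn.2019-04.com.example:nas.open>
    backing-store /dev/vg0/lun0
</target>

<target iqn.2019-04.com.example:nas.weak>
    backing-store /dev/vg0/lun1
    incominguser nasuser pass123
    initiator-address ALL
</target>

<target iqn.2019-04.com.example:nas.hardened>
    backing-store /dev/vg0/lun2
    incominguser nasuser Kq7vR2pLx9mZt4wQ
    initiator-address 192.168.10.0/24
</target>
"""

if __name__ == "__main__":
    for iqn, findings in audit_config(SAMPLE_CONF).items():
        print(f"{iqn}: {', '.join(findings) or 'ok'}")
```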

California’s recently-passed IoT cybersecurity bill, SB-327, enforces just such a measure. It’ll be interesting to see if it has any effect in stopping mass exposures like this one.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x8vFb5BEM-k/

Researchers trick Tesla’s Autopilot into driving into oncoming traffic

Researchers have discovered the latest way to drive a Tesla off track (and into oncoming traffic), and it needs only the simplest of hacking tools: a can of paint and a brush will do it, or small, inconspicuous stickers that can trick the Enhanced Autopilot of a Model S 75 into detecting and then following a change in the current lane.

Mind you, the feature they “attacked” for their research project is for driver assistance, not really an autopilot, regardless of what Tesla calls it.

Tesla’s Enhanced Autopilot mode has a range of features, including lane centering, self-parking, automatic lane changes with driver’s confirmation, and the ability to summon the car out of a garage or parking spot.

To do all that, it relies on cameras, ultrasonic sensors and radar, as well as hardware that allows a car to process data using deep learning to react to conditions in real-time. APE, the Autopilot engine control unit module, is the key component of Tesla’s auto-driving technology, and it’s where researchers at Keen Security Lab – a division of the Chinese internet giant Tencent – focused their lane-change attack.

They explained their latest Tesla attack in a recent paper, reverse-engineering several of Tesla’s automated processes to see how they’d do when environmental variables changed.

One of the most unnerving things they accomplished was to figure out how to induce Tesla’s Autopilot to steer into oncoming traffic. In the best of all possible worlds, in real life, that wouldn’t happen, given that a responsible, law-abiding driver would have their hands on the wheel and would notice that the car’s steering was acting as if it were drunk.

How did they do it?

By slapping three stickers onto the road. Those stickers were unobtrusive – nearly invisible – to drivers, but machine-learning algorithms used by the Autopilot detected them as a line that indicated the lane was shifting to the left. Hence, Autopilot steered the car in that direction.

From the report:

Tesla autopilot module’s lane recognition function has good robustness in an ordinary external environment (no strong light, rain, snow, sand and dust interference), but it still doesn’t handle the situation correctly in our test scenario. This kind of attack is simple to deploy, and the materials are easy to obtain…

Tesla uses a pure computer vision solution for lane recognition, and we found in this attack experiment that the vehicle driving decision is only based on computer vision lane recognition results. Our experiments proved that this architecture has security risks and reverse lane recognition is one of the necessary functions for autonomous driving in non-closed roads. In the scene we build, if the vehicle knows that the fake lane is pointing to the reverse lane, it should ignore this fake lane and then it could avoid a traffic accident.

The Tesla teasers

Keen researchers have remotely flummoxed Teslas before. These are the guys who, a few years ago, remotely slammed on the brakes of a Tesla Model S from 12 miles away, popped the trunk and folded in the side mirror, all while the car was moving.

In their recent work with forced lane-change, they noted that Autopilot uses a variety of measures to prevent incorrect detections, including the position of road shoulders, lane histories, and the size and distance of various objects.

Another section of the paper explained how the researchers exploited a now-patched, root-privileged access vulnerability in the APE by using a game pad to remotely control a car. Tesla fixed that vulnerability in its 2018.24 firmware release.

The report also showed how researchers could tamper with a Tesla’s auto-wiper system to activate wipers when rain isn’t falling. Tesla’s auto-wiper system, unlike traditional systems that use optical sensors to detect raindrops, uses a suite of cameras that feed data into an artificial intelligence network to determine when wipers should be turned on.

The researchers found that they could make small changes to alter images in a way that would throw off Tesla’s AI-based image recognition but would be undetectable to the human eye. Hence, they tweaked an image of a panda to the extent that the AI system interpreted it as a gibbon, though it still looks to humans like a picture of a panda. Using those pixel-level changes, they tricked Tesla’s auto-wiper feature into thinking rain was falling.

However, that trickery requires direct feeding of images into the system. Eventually, the researchers say, it may be possible for attackers to place an “adversarial image” on road signs or other cars that does the same thing.

This isn’t the first time that researchers have fooled self-driving cars by slapping stickers somewhere in their view. In 2017, they showed that putting stickers onto road signs could confuse autonomous cars’ systems.

Currently, fiddling with the external, physical environment isn’t where the efforts are going to secure self-driving systems against attack. That should perhaps change, the Keen researchers believe, given that such attacks are feasible, and they should be factored into design companies’ efforts to secure the cars.

Having said that, it’s debatable whether attackers will crawl out onto the highway and paint redirecting lane markers or affix stickers into the oncoming path of a Tesla. Yes, the Keen researchers used a controlled environment to demonstrate that a Tesla Model S 75 can be forced to follow a fake path without asking the driver for permission, as the Autopilot component is supposed to do when changing lanes…

…which should serve as another reminder that getting behind the wheel of a car comes with responsibilities, like keeping your hands on said wheel in accordance with the relevant laws, and keeping one’s eyes on the road to make sure you’re not being led astray by stickers stuck on by researchers trying to fool the car’s computer into seeing a lane where it shouldn’t be.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sjp0ylE9LrY/

Just the small matter of the bill for scrapping Blighty’s old nuclear submarines: It’s £7.5bn

Storing Britain’s obsolete nuclear submarines has cost the nation £500m – with some 1960s boats having been in storage for longer than they were in service.

The National Audit Office’s (NAO) latest report into British nuclear submarine storage and disposal revealed that nine of the 20 vessels moored at Devonport and Rosyth dockyards still contain spent nuclear fuel.

Meg Hillier, chair of the Commons Public Accounts Committee, said: “For more than 20 years the Ministry of Defence has been promising to dismantle its out-of-service nuclear submarines and told my committee last year that it would now address this dismal lack of progress.”

The NAO pegged the cost of scrapping just one submarine at around £96m, adding that costs had spiralled by £800m between 2002 and 2016. Most worryingly, the NAO also pointed out “the lack of berthing space within the Devonport dockyard”, urging the MoD to get on with it. No nuclear submarines have been fully scrapped since the UK moved its nuclear deterrent from RAF aircraft to Royal Navy submarines in the 1960s.


HMS Swiftsure, the Navy’s first operational nuclear-powered submarine, launched in 1971, will be dismantled in 2023, the MoD promised the NAO. The initial plan was to start scrapping old boats by 2011, a date long since missed.

When a submarine is decommissioned, it is defuelled; radioactive material is removed from the hull and disposed of*.

Higher-level radioactive waste, including the reactor pressure vessel (RPV), needs a more involved disposal plan. The MoD’s current plan for disposal of RPVs involves a “geological storage facility” in Cheshire that is expected to be open for use in the “mid 2020s”.

A spokesman for the MoD said: “The disposal of nuclear submarines is a complex and challenging undertaking. We remain committed to the safe, secure and cost-effective de-fuelling and dismantling of all decommissioned nuclear submarines as soon as practically possible.”

Another boat in long-term storage is HMS Conqueror, the Falklands War boat captained by Commander Chris Wreford-Brown. In May 1982, Wreford-Brown sank the Argentine cruiser ARA General Belgrano, Britain’s first and only publicly confirmed submarine kill since WWII. In a curious twist of history, the Belgrano was originally commissioned into the US Navy as USS Phoenix in 1935, surviving the Japanese attack on Pearl Harbour in 1941 and the rest of WWII to be sold to the Argentinians in the 1950s.

With the total financial liability of nuclear decommissioning estimated at £7.5bn by the NAO, the nuclear submarine legacy is another crushingly expensive millstone around the MoD’s neck along the same lines as the disastrous Capita-run Recruiting Partnership Programme contract. ®

Bootnote

*(This would be a handy infographic if you were ever tasked with the job)


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/03/mod_nuclear_submarine_scrapping_nao_report/

Teen TalkTalk hacker denies flogging stolen personal data for Bitcoin

The teenager who hacked TalkTalk three years ago has been hauled before court charged with computer misuse offences after allegedly amassing a Bitcoin fortune worth more than £300,000.

Elliot Gunton, who pleaded guilty in 2016 to hacking Brit ISP TalkTalk, was said to be selling stolen personal data on cybercrime forums and trading in cryptocurrency without declaring it on his tax returns, according to constables from Norfolk Police.

He denies the charges.

Court reporters from the Eastern Daily Press, covering Gunton’s trial at Norwich Crown Court, detailed how police became aware of what the 19-year-old was allegedly up to because they were enforcing a sexual harm prevention order (SHPO) by carrying out random inspections of his computers.

Indecent images of children had been found on Gunton’s machines by police investigating the TalkTalk hack and the order was made when he was sentenced, the court was told.

Detective Constable Jamie Hollis, of Norfolk Police’s public protection unit, told the court Gunton had been visited four times between August 2016 and December 2017 to ensure he was complying with the order. A normal condition of SHPOs is that they ban the offender from using private browsing mode, deleting browser history or doing anything else that prevents unskilled police employees on home visits from trawling through an offender’s internet activities.

“Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender,” said DC Hollis, as reported by the Eastern Daily Press. “It would be impossible for us to know if he has deleted any history.”

However, police decided to step up their intrusive surveillance of Gunton after learning that he intended to appeal against his SHPO, and on a later visit took his laptop away for forensic analysis. The court was told that they found CCleaner, a popular disk cleanup and file deletion utility, had been installed on it. Crown prosecutors alleged that the presence of CCleaner was a breach of Gunton’s SHPO.

“He said he was involved in stocks and shares and that is where he could make his money,” added DC Hollis. “He was adamant he would be a millionaire in three years.”

Bitcoin banditry allegations

When police raided Gunton’s home two weeks later they seized a £10,000 Rolex and an iPhone that had been locked in a safe. Detective Constable Mark Stratford, of Norfolk Police’s cyber and serious organised crime directorate, told the court they also found a “nano ledger” for Gunton’s Bitcoin account. Although it was protected by either an eight-digit PIN or a recovery phrase, Gunton allegedly did not disclose them when asked during a police interview under caution, instead making no comment throughout.

DC Stratford analysed Gunton’s laptop to uncover his Bitcoin account numbers and traced transactions through the blockchain to discover a Bitcoin deposit worth $100,000 had been made into Gunton’s wallet on 18 December 2017.

Barrister Kevin Barry, prosecuting, also told the court that Gunton had “been deeply involved in extensive criminal activity with a view to making a large profit”. He said that the teenager had earned his Bitcoin wealth by selling stolen Instagram data on an unnamed internet forum, including posts where Gunton allegedly claimed to have “fresh to market” details of “high tier” Instagram users.

Gunton, of Mounteney Close, Sprowston, Norwich, is charged with five criminal offences. Those include crimes under the Computer Misuse Act 1990, which the EDP reported “include supplying profile user names and email accounts believing that they were likely to be used to commit or to assist in the commission of an offence”.

He is also accused of money laundering over his Bitcoin usage and of breaching his SHPO. He denies all the charges.

The case continues. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/03/elliott_gunton_denies_instagram_login_sales_bitcoin/

6 Essential Skills Cybersecurity Pros Need to Develop in 2019

In a time of disruption in the security and tech worlds, cybersecurity professionals can’t afford to become complacent – even in the face of a skills shortage.

Image Source: Adobe Stock (vchalup)

It’s definitely a job seeker’s market out there in the cybersecurity employment pool. According to an about-to-be released report from ISSA and ESG, 74% of organizations today have been impacted by the cybersecurity skills shortage. Meantime, a report released last month from ISACA says that 60% of organizations need a minimum of three months to fill cybersecurity vacancies because there aren’t enough bodies to fill seats.

On their face, these stats may engender a bit of complacency from cybersecurity professionals. It would only be natural to figure that anybody with a pulse and some security experience has got it made.

But here’s the rub.

Many disruptive forces are at play that are set to drastically change the way security duties are carried out in the coming years. New security automation platforms, new architectures, and complex hybrid cloud implementations require major shifts in bread-and-butter security technical knowledge. Not only is security technology changing rapidly, but so are many of the fundamental roles held by cybersecurity professionals. Tons of emerging technologies and pervasive use of the Internet of Things are touching every aspect of business operating models, and software delivery is becoming more agile and embedded into lines of business. As a result, security pros are tasked to take positions requiring more consultative leadership and more enablement of democratized security across the organization.

That is why even the most veteran security pro can’t afford to become complacent about professional development. Those who want to truly future-proof their careers need to start honing new skills now to keep up with the disruptions as they hit the industry. The following are some of the most important skills that will make security professionals more instrumental to their current employers, more recruitable, and more likely to command higher salaries.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/careers-and-people/6-essential-skills-cybersecurity-pros-need-to-develop-in-2019/d/d-id/1334312?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Financial Firms Scrutinize Third-Party Supplier Risk

But executives aren’t confident in the accuracy of cybersecurity assessment data received from their vendors, a new study shows.

Financial services executives and managers responsible for the corporate checkbook would rather forgo business with a partner that is not serious about cybersecurity than run the risk of a breach, a new report found.

Some 97% consider cyber risk to be an important or critical issue, and 78% of those surveyed would refuse a partnership with a company that had poor cybersecurity performance, according to a new survey of 129 financial service professionals by security-rating firms BitSight and the Center for Financial Professionals.

“These results not only talk to the importance of having a strong third-party risk management program in place, but – when you think about the implication that they have for a company doing business with financial firms – now you have to demonstrate strong cybersecurity performance or you might lose business,” said Jake Olcott, vice president of government affairs for BitSight.

Suppliers and supply chains have become the latest focus of companies trying to reduce their cyber risk. In 2018, a survey by the Ponemon Institute found that nearly 60% of organizations had a data breach caused by a third party, but that only 34% of companies had created an inventory of all their suppliers.

The most recent high-profile attack on a third-party supplier — the breach of remote work enabler Citrix — underscores the danger. The company announced in early March that the FBI had notified the firm that attackers had downloaded business documents from its internal network.

About half of all attacks involve jumping from one corporate network to another, a technique dubbed “island hopping,” according to a recent report.

“Supply chains are easy and lucrative targets,” Mike Bittner, digital security and operations manager at The Media Trust, a website security firm, said in a statement. “In today’s digital environment, they are extremely complex and dynamic, they lie outside the perimeter of the IT infrastructure, and they are, therefore, hard to monitor.”

For the most part, company executives believe — whether correctly or not — that they have a handle on the situation. More than 80% of respondents indicate that their executive management is “confident in their approach to measuring and managing third-party risk,” according to the BitSight/CeFPro survey. Yet, only 44% of boards had regular reports on their third-party risk.

The Attestation Situation

Among the greatest challenges facing companies are a lack of faith in the accuracy of cybersecurity assessment data received from vendors, as well as the timeliness of that data, the survey found.

Part of the problem is that companies often still poll their vendors manually, asking the firms to attest to certain security measures without conducting any independent assessment. Such attestation consumes a great deal of time on both sides and generates a great deal of paperwork.

Yet, ask a supplier whether such attestation is effective, and most will say no, BitSight’s Olcott says.

“It is definitely inefficient and most people think it is ineffective,” he says. “I think what we will see in the real world is that being replaced by real-time, automated and continuous data collection.”

Automation and continuous data collection are already growing popular in another area of third-party risk: the management of open-source components used in software development. Companies such as Sonatype, WhiteSource, and Snyk are using a variety of scanning techniques to take stock of the third-party libraries being used by developers.

The adoption of such technologies is a direct result of increasing pressure on software vendors to reduce the number of vulnerabilities in their products and online services. With enterprises increasingly focusing on their third-party cyber risk, software vendors won’t be the only suppliers under pressure to up their security game, Olcott says.

“Companies are increasingly trying to compete, not only on price and performance, but also on security,” he says. “This issue is becoming much more critical.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/financial-firms-scrutinize-third-party-supplier-risk/d/d-id/1334322?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Georgia Tech Cyberattack Exposes Data of 1.3 Million People

Names, addresses, Social Security numbers, and birth dates may have been pilfered in the attack.

Georgia Tech this week revealed that an attacker infiltrated a central database and stole personal information on up to 1.3 million current and former faculty, students, staff, and university applicants. 

The unknown attacker or attackers broke in via a Georgia Institute of Technology Web application, according to the university, which said it discovered the breach in late March. Georgia Tech security officials are investigating the attack to determine the scope, including what information may have been stolen – names, addresses, Social Security numbers, and birth dates.

“The U.S. Department of Education and University System of Georgia have been notified, and those whose data was exposed will be contacted as soon as possible regarding available credit monitoring services,” Georgia Tech said in a statement on its website.


Article source: https://www.darkreading.com/attacks-breaches/georgia-tech-cyberattack-exposes-data-of-13-million-people/d/d-id/1334325?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ex-Mozilla CTO: US border cops demanded I unlock my phone, laptop at SF airport – and I’m an American citizen

Former Mozilla CTO Andreas Gal says he was interrogated for three hours by America’s border cops after arriving at San Francisco airport – because he refused to unlock his work laptop and phone.

Gal, now employed by Apple, today claimed he was detained and grilled on November 29 after landing in California following a trip to Europe.

He had attempted to pass through US customs via a Global Entry electronic kiosk. He wasn’t expecting a problem, since the Hungarian-born techie is now an American citizen, but it was not to be.

“On this trip, the kiosk directed me to a Customs and Border Patrol agent who kept my passport and sent me to secondary inspection,” Gal said. “There I quickly found myself surrounded by three armed agents wearing bullet proof vests. They started to question me aggressively regarding my trip, my current employment, and my past work for Mozilla, a non-profit organization dedicated to open technology and online privacy.”

Gal said the g-men were rather interested in his time at Firefox-maker Mozilla, and in his recent trip to Canada. They also went through his wallet and luggage, and this led to a request by the agents for Gal to unlock his Apple-issued iPhone XS and MacBook Pro so they could search them, it is claimed.

Given the devices were emblazoned with big red stickers reading “PROPERTY OF APPLE. PROPRIETARY,” and he had signed confidentiality agreements with Cupertino, Gal said he asked for permission to call his bosses and/or a lawyer to see if he would get into trouble by handing over access. When this request was repeatedly refused, we’re told, he clammed up, taking the Fifth, and citing constitutional rights against unwarranted searches.

Irked by Gal’s refusal, it is claimed, the border agents told him he had no constitutional or other legal protections, and threatened him with criminal charges should he not consent to the search. He said he was eventually allowed to leave with his belongings, the devices still locked, and no charges were pressed. Gal said the agents did take away his Global Entry pass, which allows express entry through customs, as punishment for not complying with their demands.

How random is random?

Gal believes the ordeal was not a random search gone awry, but rather a targeted attempt by the government to send a message. Certainly more and more security researchers report being grilled by US border patrol, if they can even get a visa to enter the country, that is.

“My past work on encryption and online privacy is well documented, and so is my disapproval of the Trump administration and my history of significant campaign contributions to Democratic candidates,” Gal noted. “I wonder whether these CBP [Customs and Border Patrol] programs led to me being targeted.”


Now, Gal has enlisted the help of the ACLU to probe into the brouhaha, and determine whether his civil rights were violated. The civil-liberties watchdog has filed a complaint [PDF] with the Department of Homeland Security to determine whether the search violated the US Constitution, and to demand an investigation of whether the CBP’s entry policies are illegal.

“CBP’s baseless detention and intrusive interrogation of Andreas Gal and the attempted search of his devices violated his Fourth Amendment rights,” ACLU Northern California senior counsel William Freeman said of the complaint.

“Furthermore, CBP’s policies lack protections for First Amendment rights by allowing interrogation and device searches that may be based on a traveler’s political beliefs, activism, nation of origin, or identity.”

A spokesperson for the border patrol told us: “As a matter of policy, CBP can’t comment on pending litigation.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/02/us_border_patrol_search_demand_mozilla_cto/