News Bites for Friday June 22, 2018
Latest Cost Estimates For Equifax Breach is $439 Million
According to recent (March) tax filings, costs related to their breach are now $439 million, making the Equifax breach the costliest in US history. Assuming insurance does pay, it would cover, at most, $125 million, leaving Equifax to write a check for $300 million plus. Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow. While Equifax’s investors can write that check, I am sure that none of them are happy about doing so. (Source: Computing.co)
Apple, Others Allows Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI
After all, what could go wrong?
U.S. tech companies have given in to Russian, Chinese and other country’s demands to review the source code for their products. Not only does this expose vulnerabilities (which they likely will NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never ending quest to increase sales and profit.
A bill currently in Congress would force companies who do business with the government to disclose any source code review done by military adversaries. Forcing companies to disclose will keep the pressure on to stop doing that.
The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.
The companies say that the reviews are done in company controlled facilities. I am sure that they use one of those memory wipers from the Men In Black movies on the reviewers before they leave the room.
The knowledge that the Russians and Chinese get is, of course, used against everyday companies as well as the government and is used to build competing products that they sell against ours.
The article has a graphic with examples of software reviewed and who uses it. (Source: Reuters)
Senate Votes 85 to 10 to Continue ZTE Ban
ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month, from buying parts and selling products in the U.S. by the Commerce Department. President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion dollar fine and saying that would make it a non-threat. The Senate attached a bill to the Defense Authorization Bill outlawing ZTE, nullifying Trumps gimicky non-solution. Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10, any veto would be quickly overridden. (Source: Politico)
macOS Quicklook Feature Exposes Data on Encrypted Volumes
Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your mac. MacOS conveniently creates thumbnails of those pictures to show you and stores them unencrypted, so while the full resolution picture is encrypted, the thumbmail is not. Apple says this is a feature and is not going to fix it.
This problem also exists on Windows. If you store a Word or Excel document, for example, on an encrypted volume, the temp file that those programs use will be on an unencrypted system volume. The only way to “fix” this is to encrypt the system volume. (Source: Ars Technica)
Software Supply Chain is a Critical Issue
Recently there have been a number of reports of cities having credit card breaches. It turns out that it all ties back to the same vendor that those cities all use called Superion. At least 10 cities have reported being breached and there are probably more. Superion has finally admitted that the breach was due to a WebLogic (Oracle) bug that had not been patched. The cities counted on Superion to keep them safe. Superion is blaming Oracle. Ultimately, it is the cities and taxpayers who will foot the bill for this mess – a mess caused by not managing the entire software supply chain from end to end. Likely those cities were not even aware that they were running Oracle software. Who’s fault is that? (Source: Dark Reading)
by 