Friday Five: 9/13 Edition
Hackers hit a U.S. power utility, a new audit on whether schools are monitoring employee access to student data, and more - catch up on the week's news with the Friday Five!
1. Hackers Attempted DDoS Attack Against Utility: Report by Akshaya Asokan
For 10 hours last March attackers managed to carry out a distributed denial of service attack against a U.S. power utility. While the attack didn't result in a lapse of service, it did cause a disruption between remote sites and the utility's control center. NERC, the North American Electric Reliability Corporation, disclosed the attack in a report it released last week, "Risks Posed by Firewall Firmware Vulnerabilities." (.PDF) While the nonprofit, which oversees the reliability of the U.S.'s power systems, didn't name the vendor, it did acknowledge the attack came - as the name of the report suggests - as a result of a vulnerability in the vendor's firewall. The report encourages entities to use VPNs, use access control lists, segment (and monitor) their network, and to implement redundant solutions to preserve the functionality of firewalls.
2. Community Projects Highlight Need for Security Volunteers by Rob Lemos
A nice piece via Dark Reading's Rob Lemos on community software projects, like those in place at the Georgia Institute of Technology, Carnegie Mellon University, and the University of Southern Florida and how it’s critical that security figures into these projects. One of the article's tentpoles is a project at Georgia Tech, the Basic Laboratory Information System or BLIS, that contained vulnerabilities that Rapid7, the vulnerability management firm, found. The school and those in charge of BLIS were quick to respond but the fact that they existed in the first place serve as a reminder that security should play a bigger part when it comes to issuing software, especially when the software, like BLIS, handles medical and hospital data. These projects, Lemos points out, need volunteers who are security professionals to vet code and ensure their integrity.
3. Florida’s Auditor General Puts Focus on Student Data Protection by Eve Rosen
We shared this story earlier this week on our Twitter but it’s still worth flagging the news, especially if you follow matters of data protection as it pertains to schools and universities. In this piece, via the Florida’s NPR affiliate, WUFT, Eve Rosen digs into recent audits performed by the state's Auditor General around whether schools are properly monitoring employee access to student data, like Social Security numbers. At least one third of administrators - even school bus drivers - had access even though they didn't need it to do their jobs, one audit found. "More than 22,000 employees or contractors had access to these records. Nearly half of those employees had their access revoked after the auditors showed up to review the school districts, colleges or universities," the story reads. If any of these schools suffered a breach, they could ultimately face an uphill battle when it comes to incident response. It's worth nothing that in the event of a breach, the Florida Information Protection Act of 2014, or FIPA, reduced the time period for reporting a breach from 45 days to 30.
4. 51 companies tell Congress it's time to tackle data privacy by Jon Fingas
It's becoming increasingly unlikely there'll be any movement on it this year but a group of CEOs, many including technology companies, urged Congress to get busy drafting a comprehensive consumer data privacy law. CEOs at 51 different companies, including Qualcomm, Mastercard, Ford Motor, and AT&T urged House and Senate leaders to pass a law that strengthens protections for consumers and establishes a national privacy framework. “The United States has been a global leader in technology and data-driven innovation and now has the opportunity to lead on consumer data privacy for the benefit of all consumers, companies and commerce. We stand ready to work with you,“ the letter reads.
5. Chinese professor accused of Huawei-related fraud asks why case was moved to Brooklyn by Karen Freifeld
A case we wrote about on our blog was scheduled to start up this week - but almost didn't. According to Reuters, the judge at the courthouse in Brooklyn, U.S. District Court Judge Ann Donnelly, was uncertain why the case was in her courtroom to begin with. ICYMI: The suspect, Bo Mao, was arrested in Texas last month after purportedly misleading a company, based in California, in order to steal trade secrets for Huawei. Donnelly, for what it's worth, is the judge presiding over another Huawei case - the one where it's being alleged the company misled banks about its business in Iran. Donnelly eventually relented; prosecutors suggested to the judge the transfer motion contained grand jury information - applicable to the transfer and possibly Brooklyn -and will be shared whenever it goes public