JRC Consulting Inc. Security & Training Division

General Information

Locality: Carlsbad, California

Phone: +1 760-473-1857



Address: 2588 El Camino Real, Ste F-295 92008 Carlsbad, CA, US

Website: www.JrcConsulting.net

Likes: 991

Facebook Blog





JRC Consulting Inc. Security & Training Division 13.11.2020

"Missile Defense Test Launched From California Succeeds in Shootdown: Pentagon" Associated Press (03/25/19) In the first test of its kind, the Pentagon on Monday carried out a salvo intercept of an unarmed missile soaring over the Pacific, using two interceptor missiles launched from underground silos in southern California. Both interceptors zeroed in on the target, a re-entry vehicle that had been launched 4,000 miles away atop an intercontinental-range missile, the Pentagon said. The interceptors were launched from Vandenberg Air Force Base in California, while the target missile was launched from the Reagan Test Site in the Marshall Islands. "The system worked exactly as it was designed to do," said Air Force Lt. Gen. Samuel A. Greaves, director of the Missile Defense Agency. He said the test result "demonstrates that we have a capable, credible deterrent against a very real threat."

JRC Consulting Inc. Security & Training Division 08.11.2020

"Facebook Left Millions of Passwords Readable by Employees" Associated Press (03/21/19) Facebook on Thursday disclosed that for years it stored hundreds of millions of user passwords in a format that was accessible to its employees. The incident involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn’t found evidence of the information being abused. Facebook estimated it will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords. Password databases have become a prime target for cyber thieves, and hackers will often try a user’s stolen password to break into new sites. Most companies, including Facebook, monitor the internet for publicly released databases of passwords. Facebook Lite is a version designed for people with older phones or low-speed internet connections. It is used primarily in developing countries. Jake Williams, president of Rendition Infosec, said storing passwords in plain text is "unfortunately more common than most of the industry talks about" and tends to happen when developers are trying to rid a system of bugs. He said the Facebook blog post suggests storing passwords in plain text may have been "a sanctioned practice," although he said it's also possible a "rogue development team" was to blame.

JRC Consulting Inc. Security & Training Division 06.11.2020

"Facebook's Data Deals Probed for Possible Criminal Violations" New York Times (03/13/19) Federal prosecutors are conducting a criminal investigation into data deals Facebook made with some of the world's largest technology companies, including Amazon, Sony, and Microsoft. A grand jury in New York has subpoenaed records from at least two prominent makers of smartphones and other devices, according to insiders. The companies had entered into partnerships with Facebook, gaining access to the personal information of hundreds of millions of its users. The agreements allowed companies to see users' friends, contact information, and other data, sometimes without consent. Facebook has phased out most of the partnerships over the past two years.

JRC Consulting Inc. Security & Training Division 19.10.2020

"Car Alarms With Security Flaws Put 3 Million Vehicles at Risk of Hijack" TechCrunch (03/07/19) Popular car alarm systems built by Russian alarm maker Pandora and California-based Viper have fixed security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed. The systems were vulnerable to an easily manipulated server-side application programming interface (API), according to researchers at Pen Test Partners, a U.K. cybersecurity company. The API could be abused to take control of an alarm system’s user account, as well as the vehicle. The vulnerable alarm systems could be tricked into resetting an account password because the API was failing to check if it was an authorized request, allowing the researchers to log in. The researchers said some three million cars globally were vulnerable to the flaws. The researchers contacted both Pandora and Viper with a seven-day disclosure period, given the severity of the vulnerabilities. Both companies responded quickly to fix the flaws. Viper blamed a recent system update by a service provider for the bug and said the issue was "quickly rectified."

JRC Consulting Inc. Security & Training Division 10.10.2020

"Facebook Scolded for How it Protects User Phone Numbers for Security" USA Today (03/04/19) Facebook is facing backlash over how it protects user phone numbers when they provide them for security purposes. Jeremy Burge, who runs the website Emojipedia, recently posted a tweet claiming numbers added to use two-factor authentication, a secure login process requiring two steps before accessing an account, were now searchable. "For years Facebook claimed...adding a phone number... for 2FA was only for security. Now it can be searched and there's no way to disable that," Burge wrote. Burge said Facebook sets its default for phone number search to everyone, and there's no way to fully opt out. In a statement, Facebook said the settings for its "who can look me up" option are not new and "not specific" to two-factor authentication. It is not the first time Facebook has gotten into trouble for how it handles phone numbers used solely for two-factor authentication. Last fall, Facebook admitted it used phone numbers users offered for security to target them with ads.

JRC Consulting Inc. Security & Training Division 03.10.2020

"Disputed NSA Phone Program Is Shut Down, Aide Says" New York Times (03/05/19) The National Security Agency has stopped using a surveillance program in recent months that relied on bulk data collected from U.S. domestic phone records, according to a Republican congressional official. The program, authorized under the USA Freedom Act, requires reauthorization at the end of the year and the Trump administration may not seek to extend it, according to Luke Murry, national security adviser to House Minority Leader Kevin McCarthy (R-Calif.). Intelligence agencies can use the technique on data obtained through other means, like collection from networks abroad, where there are fewer legal limits. But those approaches do not offer the same systematic access to domestic phone records. Congress ended and replaced the program with the U.S.A. Freedom Act of 2015, which will expire in December. Security and privacy advocates have been gearing up for a legislative battle over whether to extend or revise the program. "I'm actually not certain that the administration will want to start that back up," Murry said. He referred to problems that the National Security Agency disclosed last year. "Technical irregularities" had contaminated the agency's database with message logs it had no authority to collect, so officials purged hundreds of millions of call and text records gathered from American telecommunications firms. The agency declined to comment on Monday.

JRC Consulting Inc. Security & Training Division 29.09.2020

"Security Flaws in 4G and 5G Allow Snooping on Phone Users" Engadget (02/25/19) Security researchers have discovered security flaws in 4G and 5G that could be used to intercept phone calls and track someone's location. For example, the attack called Torpedo relies on a flaw in the paging protocol that notifies phones of incoming calls and texts. If someone starts and cancels several calls in a short period, they can send a paging message without alerting the device to a call. That not only lets someone track the device's location, but opens the door to two other attacks. Another attack, called Piercer, lets someone determine the unique IMSI number attached to a user. The vulnerabilities potentially affect most any 4G or 5G network in the world. The flaws are not permanent, but fixes will take some time.

JRC Consulting Inc. Security & Training Division 19.09.2020

"Companies Quietly Install Gunfire-Detection Systems at U.S. Offices and Factories" MarketWatch (02/19/19) After a wave of workplace shootings, corporate executives are installing gunfire-detection systems in U.S. offices and factories; however, most don’t tell employees what the sensors are, for fear of alarming them. "Shootings are so frequent now, people are starting to accept it," said Brink Fidler, who spent close to two decades in law enforcement in Nashville, and now runs his own active-shooter training company, Defend Systems. "The more often these happen...the more people you have going, ‘We have to do something.’" The systems can be wired to alert police and send texts, calls, and desktop notifications to employees, flashing messages to tell workers how to respond in an emergency. Once the sensors detect a gunshot on a floor, the devices can track a gunman, integrating with camera systems, as he moves through a building, in theory allowing police to zero in faster and neutralize the threat. Security experts said many companies do not explain to employees what the devices do because they fear someone will try to test them out by bringing a gun to work. Cloud computing company Rackspace, in San Antonio, deployed 150 gunshot-detection sensors around its office in a converted shopping mall. "You can’t install metal detectors at the doors and have guards patting people down," said Mark Terry, Rackspace’s director of global enterprise security. "So what’s the next best thing?" Toyota Motor Corp. installed the sensors at an auto plant in Kentucky, while pharmaceutical giant Allergan PLC and Corona beer maker Constellation Brands Inc. have put gunshot-detection systems at some offices and facilities.

JRC Consulting Inc. Security & Training Division 02.09.2020

"Protecting Your Workplace Against Active Shooters" EHS Today (02/12/19) Workplace violence is more likely to occur in places without policies or managers who understand what types of behaviors lead to a dangerous event. The value of early recognition, or seeing changes in an employee and addressing them, is the first step to preventing a violent workplace incident. Specifically, dramatic changes in behavior should be reported to a supervisor. For example, introverted workers that begin to voice their opinions in an aggressive manner, or an employee that is more extroverted and suddenly seems withdrawn, could potentially plan a violent act. Gino Soave, Niles Industrial Coatings’ corporate safety director, says there are 12 particular behaviors that could lead to an act of workplace violence: temper tantrums; excessive absenteeism; decrease in productivity; testing limits; verbalizes negative action or harm; sabotage or theft; numbers and intensity of arguments rise; intense anger; social withdrawal; suicidal threats; and property destruction. In addition, every employee should have some kind of basic awareness training, and company policy for escalating behaviors should reiterate a no-tolerance policy. An effective basic training program should include preventing an incident, as well as situational awareness, survival training, and first aid techniques.

JRC Consulting Inc. Security & Training Division 17.08.2020

"Which Country has the Best Cybersecurity? It Isn’t the U.S." NextGov.com (02/12/19) The U.S. ranks fifth among 60 nations in a recent Comparitech.com cybersecurity study that measured a range of factors, including malware rates and cybersecurity-related legislation. The U.S. was beat out by Japan, France, Canada, and Denmark, with Ireland, Sweden, the U.K., the Netherlands, and Singapore rounding out the top 10 nations for best cybersecurity. The report found that the least cyber-secure country in the world was Algeria, in large part because it rated lowest in cyber legislation and highest in malware rates.

JRC Consulting Inc. Security & Training Division 07.08.2020

"Amazon Proposes Facial Recognition Guidelines to Policymakers" NextGov.com (02/08/19) Amazon offered Congress and other policymakers a set of guidelines regarding facial recognition technologies, of which it is one of the world’s foremost suppliers with its Rekognition software. In a blog post authored by Michael Punke, vice president of global public policy for Amazon Web Services, the company acknowledged potential pitfalls and misuses of facial recognition tech but argued for open, honest and earnest dialogue among users, tech companies and policymakers as opposed to outright banning or condemning it. Some Amazon shareholders argued for the company to stop selling facial recognition software to the government in January due to potential violations of civil and human rights.

JRC Consulting Inc. Security & Training Division 28.07.2020

"Amazon Recorded Video Of A Seller's Face For Identification Purposes" BuzzFeed News (02/06/19) Amazon may be testing a seller verification program in which users record video of their faces to create accounts and sell goods on the site, an indication of the company's growing investment in facial recognition technology. An Amazon seller in Vietnam says he was prompted to take a five-second video of his face using his computer's webcam as he signed up for a seller profile, and some Amazon seller consultants believe the company may be testing such a system to prevent the creation of multiple seller profiles. "We will record a 5-second video of your face," an Amazon seller verification prompt viewed by this person and shared with BuzzFeed News reads. "The video will be encrypted and stored for identification purpose. To proceed, enable access to your webcam." The seller said he was not given an option to decline to submit a video of his face during the signup process. He also said he cannot find the video in his seller profile or a way to remove it.

"DOE and FERC Mull Incentivizing Cybersecurity, Physical Security of Power and Gas Infrastructure" Power (02/19) Patel, Sonal Federal and state authorities want to incentivize cybersecurity and physical security in the power and natural gas sectors. The U.S. Department of Energy and Federal Energy Regulatory Commission (FERC) have scheduled a joint technical conference for Thursday, March 28, 2019, to discuss current and emerging cyber and physical security threats that assail energy infrastructure, and how federal and state authorities can facilitate investments to improve the cyber and physical security of energy infrastructure. In addition, the conference will discuss cyber and physical security best practices and mitigation strategies.
The agencies decided to hold the conference due to identified threats against U.S. energy infrastructure, particularly the electric and natural gas sectors, FERC Chairman Neil Chatterjee said in a Feb. 4 press release. Those threats continue to grow and the responsibility for protecting our energy infrastructure is shared across industry as well as states and the federal government, he noted. For the U.S. government, a key concern is that the power sector does not have the intelligence-gathering capabilities to deal with the many cyber and physical threats to the grid.

JRC Consulting Inc. Security & Training Division 22.07.2020

"Millions of Bank Loan and Mortgage Documents Have Leaked Online" TechCrunch (01/23/19) A server security lapse has exposed more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S. Independent security researcher Bob Diachenko found the data online. The server was running an Elasticsearch database, but it was not protected with a password, allowing anyone to access and read the massive cache of documents. The database, which was likely exposed for two weeks, was shut down on January 15. The leak was traced back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas. Some of the files provide names, addresses, birth dates, Social Security numbers, and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is requesting the loan. "This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards," says Diachenko.