Posts

Was Chrysler’s Vehicle Hacking Risk an SEC Disclosure Reportable Event?

[photo: K2D2vaca via Flickr]

[photo: K2D2vaca via Flickr]

Remember the data breach at JPMorgan Chase, exposing 76 million accounts to “hack-mapping“? Last October, JPMorgan Chase publicly disclosed the intrusion and exposure to investors in an 8-K filing with the Securities and Exchange Commission. The statement complied with the SEC’s CF Disclosure Guidance: Topic No. 2 – Cybersecurity.

Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)

Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored by investors — and not remain artificially high.

Fiat Chrysler America (FCA; NYSE:FCAU) has known for nearly a year about the risk that Chrysler vehicles could be hacked remotely, according to Fortune magazine Thursday.

Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.

The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to business’ data.

Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)

Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies? Read more

Internet Cats, Weaponized: US Defense Contractor Consulted on Targeted Network Injection Surveillance for Commercial Sales Abroad

[photo: liebeslakritze via Flickr]

[photo: liebeslakritze via Flickr]

First, a caveat: I would not click on the links embedded in the story I’m recommending (I’m this || close to swearing off embedded links forever). I don’t trust traffic to them not to be monitored or exploited.

But as Jeremy Scahill tweeted last evening, read this piece by WaPo’s Barton Gellman on malicious code insertion. This news explains recent changes by Google to YouTube once it had been disclosed to the company that exploits could be embedded in video content as CitizenLab.org explains:

“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”

The questions this piece shake loose are Legion, but as just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman’s done the best he can with nebulous material.

An interesting datapoint in the first graf of the story is timing — fall 2009.

You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.

You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.

The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.

And neatly sandwiched between these waves and events is a visit by a defense contractor CloudShield Technologies engineer from California, to Munich, Germany with British-owned Gamma Group. Read more

The Chinese Turned Out My Lights (Maybe)

Remember that terrible blackout in 2003, that took power out from MI to NY and in between?

It was great fun here in Ann Arbor, for a little while. You could walk down the streets of the city and sushi merchants would come out and pretty much give their sushi away. We had an "apocalypse" barbecue that night, where everyone brought all the meat from their freezer or fridge and any alcohol that was cold, and consumed it in one big gluttonous barbecue. I had a non-electric land-line at the time and a gas stove and it was summer time, so I was pretty comfortable for the whole two-day affair. But it quickly turned our freeways heading west (where there was still power) into parking lots and those with electrical phones lost their communication and aside from the gluttony it was a big expensive mess.

Apparently, the Chinese did it.

Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.

One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.

Read more