Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and state-sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it. Even if you don't have operations in a war zone, remember that cyber has a global reach, so don't think that just because you may be half a world away from the battlefield, someone is not going to reach out and touch you in a bad way. So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers. It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time. However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today.

Let me add one more quote and we'll get into the material. Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.
And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones."

So, knowledge seems extremely important throughout the ages. Modern governments know that, and as a result all have their own intelligence agencies. Let's look at an example. If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:

- Collecting foreign intelligence that matters
- Producing objective all-source analysis
- Conducting effective covert action as directed by the President
- Safeguarding the secrets that help keep our nation safe

Why do we mention this? Most governments around the world have similar nation state objectives and mission statements. Additionally, it's particularly important to understand what is wanted by "state actors" (note, I'll use that term for both government and contract intelligence agents). What are typical goals for state actors? Let's look at a couple.

Goal 1: Steal targeting data to enable future operations. Data such as cell phone records, banking statements, or emails allow countries to better target individuals and companies once they know that identifying information. Additionally, targeting data allows nation state organizations to understand how individuals are connected. This can be key when we are looking for the key influencers among targets of interest. Not all targeting data should be considered equal. Generally, banking and telecom data are considered the best for collecting, so be mindful if that is the type of company that you protect. State actors target these organizations because of two factors.

The importance of the data is the first factor. If one party sends a second party an email, that means there is a basic level of connection. However, it's not automatically a strong connection, since we all receive emails from spammers.
If one party calls someone and talks for 10 minutes on a phone call, that generally means a closer connection than an email. Finally, if one party sends money to another party, that either means a really strong connection exists, or someone just got scammed.

The accuracy of the data is the second factor. Many folks sign up for social media accounts with throwaway credentials (i.e., fake names and phone numbers). Others use temporary emails to attend conferences so they don't get marketing spam when they get home. However, because of Anti-Money Laundering (AML) laws, people generally provide legitimate data to financial services firms. If they don't, they risk not being able to take their money out of the bank -- which would be a big problem.

A second goal, in addition to collecting targeting data, is that state actors are interested in collecting foreign intelligence. Foreign intelligence that drives policy-making decisions is very impactful. Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars. If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful. By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update them. This can result in new intelligence collection objectives. Examples of this include:

- A country may sanction a foreign air carrier that then changes ownership or goes out of business. In that case, sanctions may be added against different airlines. This occurred when the US sanctioned Mahan Air, an Iranian airline. Currently the US enforces sanctions on more than half of Iran's civilian airlines.
- A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies.
However, if sanctioned banks circumvent controls by trading with smaller banks that are not sanctioned, then current sanctions are likely ineffective. Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:

- On February 27th, sanctions were placed against Russian banks using the SWIFT international payment system.
- On February 28th, the Russian Central Bank was sanctioned.
- On March 24th, the CEO of the Russian bank Sberbank was sanctioned.
- On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow's ability to collect taxes.
- On April 6th, the US sanctioned additional Russian banks.

These sanctions didn't just start with the onset of hostilities on 24 February 2022. They date back to Russia's invasion of Crimea. It's just that the US has turned up the volume this time.

If sanctions are placed against a country's nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important. Collecting information from transportation companies that identifies goods being imported into and exported out of the country can also reveal sanction effectiveness.

A third goal or activity taken by state actors is covert action. Covert action is generally intended to cause harm to another state without attribution. However, anonymity is often hard to maintain. If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action. The devastating NotPetya malware (which has been generally attributed to Russia) was launched as a supply chain attack. Russian agents compromised the software update mechanism of the Ukrainian accounting software M.E. Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns. This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million.
FedEx lost around $400 million. The total global damage to companies is estimated at around $10 billion. The use of cyberattacks hasn't been limited to just Russia. Another example is Stuxnet. This covert action attack against Iranian nuclear facilities, which destroyed nearly one thousand centrifuges, is generally attributed to the U.S. and Israel.

Changing topics a little bit, we can think of the story of two people encountering a bear. Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching. “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend. “You can't outrun a bear!” “I don't have to outrun the bear,” said the second friend. “I only have to outrun you.”

So how can we physically outrun the Cyber Bear? We need to anticipate where the Bear is likely to be encountered. Just as national park signs warn tourists of animals, there's intelligence information that can inform the general public. If you are looking for physical safety intelligence you might consider:

- The US Department of State Bureau of Consular Affairs. The State Department hosts a travel advisory list. This list allows anyone to know if a country has issues such as Covid outbreaks, civil unrest, kidnappings, violent crime, and other issues that would complicate having an office for most businesses.
- The CIA World Factbook. The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities.
Additionally, you might also consider data sources from the World Health Organization and the World Bank.

If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan. Good communications plans generally require at least four forms of communication. The acronym PACE, or Primary, Alternate, Contingency, and Emergency, is often used:

- Primary communication: We will first try to email folks in the office.
- Alternate communication: If we are unable to communicate via email, then we will try calling their work phones.
- Contingency communication: If we are unable to reach individuals via their work phones, then we will send a text message to their personal cell phones.
- Emergency communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin.

Additionally, we might purchase satellite phones for a country manager. Satellite phones can generally be purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya. One popular plan is Inmarsat's BGAN. BGAN can usually be obtained from resellers for about $100 per month, with text messages costing about fifty cents each and calls costing about $1.50 per minute. This usually translates to a yearly cost of $1,500-2K per device. Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil? Let your company decide. Note that a great time to bring this up may be during use-or-lose money discussions at the end of the year.

We should also consider preparing egress locations. For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount. This location, such as a vacant parking lot across the street, allows teams to identify missing personnel, who can later be reported to emergency personnel.
If your company has offices in thirty-five countries, you should think about the same thing, but assembling not across the street but across the border. Have you identified an egress office for each overseas country? If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures. When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees. Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries.

If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs. Good examples of this include following threat intelligence information from:

- Your local ISAC organization. ISACs, or Information Sharing and Analysis Centers, are great communities where you can see if your vertical sector is coming under attack and share your experiences and threats. The National Council of ISACs lists twenty-five different members across a wide range of industries. An example is the Financial Services ISAC, or FS-ISAC, which has a daily and weekly feed where subscribers can find situational reports on cyber threats from state actors and criminal groups.
- InfraGard™, a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US critical infrastructure. Note that you generally need to be a US citizen without a criminal history to join.
- AlienVault's Threat Intelligence Community, called Open Threat Exchange (OTX), which grants users free access to over nineteen million threat indicators. Note that AlienVault currently hosts over 100,000 global participants, so it's a great place to connect with fellow professionals.
- The Cybersecurity & Infrastructure Security Agency, or CISA, which also routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks.
Helpful pages on CISA's website include the following:

- Shields Up, which provides updates on cyber threats, guidance for organizations, recommendations for corporate leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families. There's even a Shields Up Technical Guidance page with more detailed recommendations.
- Alerts, which CISA routinely puts out to identify threat actor tactics and techniques. For example, Alert AA22-011A identifies how to understand and mitigate Russian state-sponsored cyber threats to US critical infrastructure. This alert tells you what CVEs the Russian government is using as well as the documented TTPs, which map to the MITRE ATT&CK™ Framework. Note that if you want to see more of MITRE ATT&CK mapped to various intrusion groups, we recommend going to attack.mitre.org/groups.
- Notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity.
- US-CERT. Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US-CERT.
- The Cyber Resilience Review Assessment. Most organizations have an IT control to conduct yearly risk assessments, and this can help identify weaknesses in your controls.

Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers? If we look at the CISA Shields Up Technical Guidance page we can find recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services. Let's look at this in more detail to properly fasten our running shoes.

If we are going to remediate vulnerabilities, let's focus on the highest priority.
I would argue those are high/critical vulnerabilities with known exploits being used in the wild. You can go to CISA's Known Exploited Vulnerabilities Catalog page for a detailed list. Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching.

Next is Multi-Factor Authentication (MFA). Routinely we see organizations require MFA for access to websites and use Single Sign-On. This is great -- please don't stop doing this. However, we would also recommend MFA enhancements in two ways. One, are you using MFA on RDP/SSH logins by administrators? If not, then please enable it immediately. You never know when a developer will get phished and the attacker can pull his SSH keys. Having MFA means that even when those keys are lost, bad actor propagation can be minimized. Another enhancement is to increase the security within your MFA functionality. For example, if you use Microsoft Authenticator today, try changing from a 6-digit rotating PIN to security features such as number matching, which displays the location of the requesting IP address. You can also look at GPS conditional policies to block all access from countries in which you don't have a presence.

Running antivirus is another important safeguard. Here's the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents? Do you have coverage on both your Windows and Linux server environments? Of the agents running, what portion have signature updates that are not current? How about more than 30 days old? We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn't as effective as you think when it's turned off or outdated.

Enabling strong spam filters is another forgotten exercise. Yes, companies buy solutions like Proofpoint to secure email, but there's more that can be done. One example is implementing DMARC to properly authenticate and block spoofed emails.
It's the standard now and prevents brand impersonation. Also, please consider restricting email domains. You can do this at the very top. Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains: .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs). However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary. Let's say your business is located entirely in the UK. Do you really want to allow emails from country codes such as .ru, .cn, and others? Do you do business with .hair, or .lifestyle, or .xxx? If you don't have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks. It won't stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help. Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated before deletion.

Disabling ports and protocols is key, since you don't want bad actors having easy targets. One thing to consider is using Amazon Inspector. Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 instances. This can highlight and provide guidance about restricting access that is not secure, such as network configurations that allow for potentially malicious access via mismanaged security groups, access control lists, internet gateways, etc.

Strengthening cloud security -- we won't go into this topic too much, as you could spend a whole talk on strengthening cloud security. Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard.
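Returning to the email TLD restriction above: as an added example (not code from the episode, and not any mail gateway's configuration), here is a small Python sender screen that allows the original seven TLDs plus an explicit ccTLD allow-list and quarantines, rather than deletes, everything else, so suspect mail is evaluated before deletion. The list format is that of the IANA TLD file linked in the show notes; the embedded excerpt, the UK/DE allow-list and the sample From: headers are constructed.

```python
"""Sender TLD screening for inbound email (added example, not the episode's code).

Policy from the episode: allow the original seven generic TLDs plus the
ccTLDs the business actually corresponds with; hold everything else for
review instead of deleting it, to avoid a self-inflicted denial of service.
The IANA list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt) is one
upper-case TLD per line behind a '#' version comment; a constructed excerpt
is embedded so this runs offline.
"""
from email.utils import parseaddr

# Constructed excerpt in the IANA file's format (the real file has ~1,400 entries).
IANA_TLD_EXCERPT = """\
# Version <constructed>, Last Updated <constructed>
COM
ORG
NET
EDU
MIL
GOV
INT
UK
DE
RU
CN
HAIR
LIFESTYLE
XXX
XN--P1AI
"""

ORIGINAL_SEVEN = frozenset({"com", "org", "net", "edu", "mil", "gov", "int"})


def parse_iana_tld_list(text):
    """Return the set of lower-case TLDs from IANA-format text, skipping comments."""
    return {
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def sender_tld(header_value):
    """Extract the A-label (xn--) TLD from a From: value such as 'Bob <bob@shop.co.uk>'.

    Internationalised domains such as 'почта.рф' are IDNA-encoded first so their
    TLD can be matched against the ASCII IANA list.  Returns None when no usable
    domain is present, so the caller can treat the message as suspect.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if not domain:
        return None
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:  # empty or over-long label, etc.
        return None
    if "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]


class TldPolicy:
    """Classify a sender as 'allow' or 'quarantine' from its TLD alone."""

    def __init__(self, known_tlds, allowed_cctlds):
        self.known_tlds = set(known_tlds)
        # The ccTLD allow-list is an assumption: derive it from real correspondence.
        self.allowed = ORIGINAL_SEVEN | {c.lower().lstrip(".") for c in allowed_cctlds}

    def decide(self, header_value):
        """Return (decision, reason).  Nothing is deleted here: the quarantine
        queue is where a human evaluates suspect TLDs before any deletion."""
        tld = sender_tld(header_value)
        if tld is None:
            return ("quarantine", "unparseable sender")
        if tld not in self.known_tlds:
            return ("quarantine", f"unknown TLD .{tld}")
        if tld in self.allowed:
            return ("allow", f".{tld}")
        return ("quarantine", f"unlisted TLD .{tld}")


def screen_batch(policy, from_headers):
    """Apply the policy to several From: headers; returns {header: decision}."""
    return {h: policy.decide(h)[0] for h in from_headers}


# Constructed sample: a UK-only business that also corresponds with .de partners.
UK_POLICY = TldPolicy(parse_iana_tld_list(IANA_TLD_EXCERPT), allowed_cctlds=["uk", "de"])

SAMPLE_FROM_HEADERS = [  # constructed, not real senders
    "Alice <alice@example.com>",
    "bob@shop.co.uk",
    "Partner GmbH <info@partner.de>",
    "promo@deals.hair",
    "news@mail.ru",
    "Ivan <ivan@почта.рф>",
    "hr@corp.internal",
    "not an address",
]

if __name__ == "__main__":
    for header, decision in screen_batch(UK_POLICY, SAMPLE_FROM_HEADERS).items():
        print(f"{decision:10s} {header}")
```

Anything that lands in the quarantine bucket still needs a human or a second filter to look at it; the point of the two-way split is that a new legitimate correspondent from an unlisted TLD can be released rather than lost.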
One tip we don't see often is using geo-fencing and IP allow-lists. For example, one new feature that AWS recently created is the ability to enable Web Application Firewall protections for Amazon Cognito. This makes it easier to protect user pools and hosted UIs from common web exploits.

Once we notice there's likely been a bear attack on our peers or our infrastructure, we should report it. This can be done by reporting incidents to government agencies such as CISA or a local FBI field office, paid sharing organizations such as an ISAC, or free communities such as AlienVault OTX.

Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar. However, to keep this out of current geopolitics, we'll use the fictitious countries Blue and Orange. Imagine that you work at the Acme Widget Corporation, which is a Fortune 500 company with a global presence. Because Acme manufactures large scale widgets in its factory in the nation of Orange, they are also sold to the local Orange economy. Unfortunately for Acme, Orange has just invaded its neighboring country Blue. Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange. Not wanting to attract the attention of the Orange military or the U.S. Treasury Department, your company produces an idea that might just be crazy enough to work. Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war. This means that the parent company won't provide services to the Orange company. Additionally, since there is no affiliation between the companies, the legal department advises that there will not be sanction evasion activity which could put the company at risk. There's just one problem. Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success. So where do we start?
Let's consider a few things. First, what is the lifeblood of a company? Every company really needs laptops and collaboration software like Office 365 or G Suite. So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on-premises services.

Active Directory: Once you obtain the server, you realize a few things. Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment. Since exposed passwords are always a bad thing, you get your first incident: refresh all passwords that may have been exposed. Also, you ensure a new Active Directory server is created for your Orange environment. This should leverage best practices such as MFA, since Orange companies will likely come under attack.

Let's talk about other things that companies need to survive:

- Customer relationship management (CRM) services like Salesforce
- Accounting and bookkeeping applications such as QuickBooks
- Payment software such as PayPal or Stripe
- File storage such as Google Drive or Dropbox
- Video conferencing like Zoom
- Customer service software like Zendesk
- Contract management software like DocuSign
- HR software like Bamboo or My Workday
- Antivirus & EDR software

Standing up a new company's IT infrastructure in a month is never a trivial task. However, if Acme Orange is able to survive for 2-3 years, it can then return to the parent company after the sanctions are lifted.

Let's look at some discussion topics:

- What IT services will be the hardest to transfer?
- Can new IT equipment for Acme Orange be procured in a month during a time of conflict?
- Which services are likely to only have a SaaS offering and not allow on-premises deployment during times of conflict?
- Could your company actually close a procurement request in a one-month timeline?
If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil:

- All laptops shall have antivirus and EDR enabled from Microsoft.
- Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange.
- SSO and MFA will be required on all logins.
- Backups will be routinely required.

Note that if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight. We have a link in our show notes if you want more details.

Additionally, the Acme Orange IT department will need to create its own Incident Response Plan (IRP). One really good guide for building cyber incident response playbooks comes from the American Public Power Association. (I'll put the link in our show notes.) The IRP recommends creating incident templates that can be used for common attacks such as:

- Denial of Service (DoS)
- Malware
- Web application attack (SQL injection, XSS, directory traversal, …)
- Cyber-physical attack
- Phishing
- Man-in-the-middle attack
- Zero-day exploit

This incident response template can capture helpful information such as:

- Detection: Record how the attack was identified.
- Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event.
- Triage: List the activities that need to be performed during incident response. Typically, teams follow the PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).
- Classification: Depending on the severity level of the event, identify additional actions that need to occur.
- Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents.
Additionally, describe the process for how communications will be relayed to customers, employees, media, and state/local leaders.

As you can see, there is much that would have to be done in response to nation state aggression or a regional conflict, and it would likely fall in your lap. If you didn't think about it before, you now have plenty of material to work with. Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice. We learned from COVID that companies that were well prepared with a disaster response plan rebranded as a pandemic response plan fared much better in the early weeks of the 2020 lockdown. I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it. Here's another one for you to add to your arsenal. Take the time and be prepared -- you'll be a hero "when the bubble goes up." (There -- you've learned an obscure term that is nearly absent from a Google search but well-known in the Navy and the Marine Corps.)

Okay, that's it for today's episode on Outrunning the Bear. Let's recap:

- Know yourself
- Know what foreign adversaries want
- Know what information, processes, or people you need to protect
- Know the goals of state actors: steal targeting data, collect foreign intelligence, covert action
- Know how to establish a good communications plan (PACE): Primary, Alternate, Contingency, Emergency
- Know how to get out of Dodge
- Know where to find private and government threat intelligence
- Know your quick wins for protection: remediate vulnerabilities, implement MFA everywhere, run current antivirus, enable strong spam filters, restrict top-level domains, disable vulnerable or unused ports and protocols, strengthen cloud security
- Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement
Thanks again for listening to CISO Tradecraft. Please remember to like us on your favorite podcast provider and tell your peers about us. Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings. This is your host G. Mark Hardy, and until next time, stay safe.

References

- https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need
- https://en.wikipedia.org/wiki/There_are_known_knowns
- https://www.cia.gov/about/mission-vision/
- https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame/
- https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
- https://www.nationalisacs.org/member-isacs-3
- https://attack.mitre.org/groups/
- https://data.iana.org/TLD/tlds-alpha-by-domain.txt
- https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf
Security expert Roselle Safran joins hosts Jerich Beason and Whitney McCollum, who have come together after realizing that more people know about “The Queen's Crown Jewels” than about the systems that are vital to their own company. How do you determine which are those precious systems that are the bare minimum and mission-critical to operate, generate revenue, or contain the In some industries these could mean life or death. Where do you invest most to protect the organization? The analogy is pondered: no one breaks into a bank to steal the posters. These experts take a deep dive into what the legal team and board must know about the crown jewels of an organization. Roselle explains how taking the manual processes, biases, and opinions out of the equation, with technology that assesses what your crown jewels are, is becoming important to large organizations that have many assets, revenue streams, and layered dependencies. Once you know what your crown jewels are, you can properly assess the risk, manage that risk, protect the crown jewels, and know where you must be most resilient. What input should legal have on risk? Who in the organization ultimately owns the risk? The CEO? The board? Who determines the risk appetite? Who communicates it down through the organization? Where does the CISO fall in ownership versus managing risk? Learn about risk appetite, the tolerance of risk by leadership, and aligning acceptance of risks with business goals. The conversation closes with a great thought: “Just like an investigator tracking down the bad guys, start where the money is and you will find the crown jewels.”

Note: “The statements of the guest speakers and hosts in this podcast should not be construed as legal advice.
They represent their views only and not those of Epiq or their respective employers.”

Biography

Roselle Safran is the CEO and Founder of KeyCaliber, a technology startup that enables cybersecurity, risk, and infrastructure teams to identify their critical cyber assets automatically and continuously to effectively manage cyber risk and ensure cyber resilience. The first cybersecurity startup that she founded, Uplevel Security, was acquired by McAfee. Before becoming an entrepreneur, Roselle spent a decade as a cybersecurity practitioner and leader. She led cybersecurity operations at the Executive Office of the President during the Obama Administration, directing tactical measures and strategic initiatives for protecting and defending the White House's network. Prior to that she managed analysis teams at the Department of Homeland Security's US-CERT. Roselle earned her Bachelor of Science in Engineering degree from Princeton University.

Find us on LinkedIn, Twitter, Facebook, and Instagram or email us at cyberside@epiqglobal.com.
India is offering a Rs. 76,000 crore ($10 billion) package to global semiconductor companies to create a comprehensive ecosystem for chip design, packaging and manufacturing, Economic Times reports. The funding, which will be provided over six years, is expected to bring in investments of up to Rs 1.7 lakh crore ($22 billion), India's Minister for Electronics and Information Technology Ashwini Vaishnaw told ET. The minister hopes that India's strong software and chip design ecosystem will attract global semiconductor companies. The government will not just provide infrastructure support, but also fast-track clearances. Approvals are expected for a large chip manufacturing facility in the next four to six months, according to ET.

Tiger Global is backing fintech startup CreditBook. It marks the New York-headquartered hedge fund and VC firm's first investment in Pakistan, TechCrunch reports. Among two-year-old CreditBook's founders is Imam Jamall, one of the few women founders in Pakistan. Other investors include Firstminute Capital, Banana Capital, VentureSouq, Ratio Ventures, and i2i Ventures. Angel investors Sriram Krishnan and Julian Shapiro have also joined the $11 million pre-Series A round.

The software vulnerability discovered last week in Log4J, a popular open-source library, could be one of the worst, Wired reports, citing cybersecurity experts. The combination of severity, simplicity, and pervasiveness of the Log4J library has the security community rattled, Wired says in its report. “It is by far the single biggest, most critical vulnerability ever,” Amit Yoran, CEO of cybersecurity firm Tenable and founding director of US-CERT—the organisation responsible for coordinating the public-private response to digital threats in the US—told Wired in an interview. Expect Log4J exploits, which have so far been limited to crypto miners and some malware, to escalate into the realm of serious ransomware attacks, Wired warns.
Facebook's parent company Meta has alerted 50,000 users of Facebook and Instagram that their accounts were spied on by commercial “surveillance-for-hire” schemes around the globe, The Verge reports. The users, located in more than 100 countries, were targeted by seven entities, according to an update posted on Meta's news page on Thursday. Targets included journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists. The surveillance was uncovered in a months-long investigation in which Meta identified spying groups and removed them from the platform. Spotify has acquired another podcast technology company, Whooshkaa, an Australia-based all-in-one platform for hosting, managing, distributing, promoting, monetising and measuring podcasts, the world's largest music streaming company said in a blogpost. Whooshkaa offers radio broadcasters a specialised tool that makes it simple to turn their existing audio content into on-demand podcast content. Spotify plans to soon integrate this technology into its Megaphone suite. TranZact, a startup offering a SaaS-based digital transformation tool for SMEs has raised $7 million in Series A funding, the company said in a press release. The funding was led by San Francisco-based Tribe Capital with participation from Prime Venture Partners, Gemba Capital and existing investor Kae Capital. Several noted angel investors also participated.
Cyber Security Matters, hosted by Dominic Vogel and Christian Redshaw
In today's Cyber Security Matters episode, Dominic Vogel and Christian Redshaw are joined by Josh Goldfarb, Director of Product Management at F5. Josh has a diverse background as a developer and coder. He has consulted and advised several clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT), where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensic capabilities for US-CERT.
This week on the podcast, we'll discuss an alert from US-CERT and the FBI that details an "imminent threat" to hospitals and other healthcare facilities, as well as some recently disclosed critical vulnerabilities in a popular healthcare records software. After that, we'll give you your (hopefully) last dose of election security news with some election related hacking from the past week.
Boston bans face recognition, bad passwords.
Boston bans facial recognition
123456 is still the most popular password
iOS 14 catches LinkedIn, TikTok, and others red-handed!
US-CERT notes two Emergency Windows Updates
HackerOne shares their top 10 public bug bounty programs
Sony launches PlayStation bug bounty program with rewards of $50K+
F5 Networks patches a highest-severity vulnerability
We invite you to read our show notes at https://www.grc.com/sn/SN-774-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Sponsors: WWT.COM/TWIT LastPass.com/twit barracuda.com/securitynow
This week, Doug wraps up all the shows across our network, including the Show News, Bunny Lebowski's toes, STAMINA, RAMSAY, and US-Cert Vulnerabilities! Show Notes: https://wiki.securityweekly.com/SWNEpisode34 Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Fxmsp may have breached three anti-virus companies. US-CERT and CISA warn against a new North Korean malware tool being used by Hidden Cobra: they’re calling it “ElectricFish.” A changing of the guard at Symantec. Former Facebook insiders call for breaking up the company and for more regulation. Facebook disagrees about the breakup, but says it likes the idea of regulation. Two indictments are unsealed--one for leaking classified information, the other for the Anthem breach. Johannes Ullrich shares some vulnerabilities involving tools from Google. Verizon DBIR coauthor Alex Pinto shares this year’s key findings.
In today's podcast we hear that US-CERT is warning of a North Korean RAT. Researchers find vulnerable WPA2 handshake implementations. A sales call results in inadvertent data exposure. Notes on Black Hat: circumspection, hype, barkers, and artificial intelligence. Russia braces for US sanctions and promises retaliation. South Korea will reorganize its Cyber Command. The PGA is hit with ransomware. Guests are Andrei Soldatov and Irina Borogan, authors of the book The Red Web.
In today's podcast we hear that LifeLock gets locked down—probably no harm done, maybe. US-CERT warns of active campaigns against ERP applications. Ad blockers may be doubling as spyware. A new RAT gnaws away at corporate HR departments. Underminer shows that exploit kits aren't obsolete after all. NSA gets a bad report from its IG. Congress worries over Russian infrastructure reconnaissance and influence operations. Iran's OilRig and Leafminer remain active regional threats. Joe Carrigan from JHU ISI on infosec pros reusing passwords. Guest is Jessica Ortega from SiteLock, discussing how having social media icons on your website increases the odds of falling victim to attacks. For links to stories in today's podcast check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_26.html
If you are an American adult, there is a good chance that criminals now have the ability to match your name and social security number, greatly increasing your risk of becoming a victim of identity fraud. In this episode, hear highlights from Congressional hearings about the Equifax breach that exposed the personal information of 145.5 million Americans as we explore the key role that credit reporting companies play in our society. Please Support Congressional Dish Click here to contribute using credit card, debit card, PayPal, or Bitcoin Click here to support Congressional Dish for each episode via Patreon Mail Contributions to: 5753 Hwy 85 North #4576 Crestview, FL 32536 Thank you for supporting truly independent media! Bills H.J.Res.111: Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule... H.R. 624: Social Security Number Fraud Prevention Act of 2017 H.R. 2622 (108th): Fair and Accurate Credit Transactions Act of 2003 Additional Reading Blog Post: The US Senate is preventing companies like Equifax being held accountable for major screw-ups by Tim Fernholz, Quartz Media, October 24, 2017. Article: The IRS gave Equifax a $7.25 million contract, and a congressman thought it was a joke from The Onion by Aaron Mark, Slate, October 4, 2017. Article: Equifax suffered a hack almost five months earlier than the date it disclosed by Michael Ray, Anita Sharpe, & Jordan Robertson, Bloomberg Technology, September 19, 2017. Article: The Equifax data breach: What to do by Seena Gressin, Federal Trade Commission, September 8, 2017. Article: Wells Fargo uncovers up to 1.4 million more fake accounts by Matt Egan, CNN Money, August 31, 2017. Article: Wells Fargo forced unwanted auto insurance on borrowers by Gretchen Morgenson, The New York Times, July 27, 2017. Blog Post: U.S. cities with the best & worst credit scores by Mike Brown, Lend EDU, April 12, 2017.
Article: Two major credit reporting agencies have been lying to consumers by Gillian B. White, The Atlantic, January 4, 2017. Report: CFPB orders TransUnion and Equifax to pay for deceiving consumers in marketing credit scores and credit products, CFPB, January 3, 2017. Article: Class-action suits target Experian over T-Mobile breach by Andrew Blake, The Washington Times, November 11, 2015. Article: The long, twisted history of your credit score by Sean Trainor, Time, July 22, 2015. Publication: Data point: Credit invisibles by Kenneth P. Brevoort, Philipp Grimm, & Michelle Kambara, CFPB, May 2015. Blog Post: 4 things to do when your credit score reaches 'good' or 'excellent' by Simple.Thrifty.Living, Huffpost, April 14, 2015. Article: What's the difference between a fraud alert, credit freeze, & credit lock? by STAFF, Lexington Law, January 26, 2015. Article: Revealed: One in four of the UK's top companies pay no tax while we give them millions in credits by Alex Hawkes and Simon Watkins, The Mail, March 2, 2013. Article: The high cost of a 'free credit report' by Stephanie Clifford, The New York Times, August 4, 2008. Article: Credit scores - what you should know about your own by Malgorzata Wozniacka & Snigdha Sen, Frontline, November 23, 2004. Publication: An overview and history of credit reporting by Mark Furletti, Discussion Paper, June 2002. Article: Witness says credit bureaus invade privacy and asks curb by Roy Reed, New York Times, March 13, 1968.
References Bill Actions Tracking: H.J.Res.111 Credit Report Website: https://www.annualcreditreport.com/index.action Experian: ChoiceScore Info FTC Consumer Response Center: A summary of your rights under the Fair Credit Reporting Act Identity Theft Website: https://identitytheft.gov/ Open Secrets: Experian Client Profile Summary Open Secrets: Trans Union Corp Client Profile Summary Senate Vote Summary: H.J.Res.111 Sound Clip Sources Senate Session: US senate approves disaster relief bill; Senate; October 24, 2017. 3:57:20 Sen. Sherrod Brown (OH): Studies show that Wall Street and other big companies win 93 percent of the time in arbitration. Ninety-three percent of the time in arbitration the companies win. No wonder they are fighting like hell. No wonder they have lobbied this place like we have never seen. No wonder every Wall Street firm is down here begging their Senators to stand strong with Wall Street and pass this CRA, pass this resolution to undo the rule stopping forced arbitration. 4:05:00 Sen. Mike Crapo (ID): The real issue is whether we will try to force the resolution of disputes in financial resolution into class action lawsuits. This is a question about whether we should force dispute resolution mechanisms into class actions. In fact, let me read the actual language of the rule that we are debating. It doesn’t say anything about forced arbitration clauses. In fact, the rule doesn’t stop arbitration clauses in contracts. It stops protections in arbitration clauses against class action litigation. Let’s read what the actual rule says: The CFPB rule prohibits a company from relying in any way on a predispute arbitration agreement with respect to any aspect of a class action that concerns any consumer financial product or service. In other words, the entire purpose of this rule is to promote class action litigation and to stop arbitration resolution when there is a dispute. 
Hearing: Equifax Senate Banking Hearing; Senate Judiciary Committee, Subcommittee on Privacy, Technology, and the Law; October 4, 2017. Witness: Richard Smith: Former Chairman & CEO of Equifax 27:20 Sen. Chuck Grassley (IA): Additionally, we must appreciate the fact that not all data breaches are the same. The information and risk of harm can greatly vary from one breach to another. For example, the past breaches at Target and Neiman Marcus, which this committee held a hearing to examine, involved financial information such as credit and debit cards. Of course, this is information that absolutely must be protected and secured. If it falls in the wrong hands, it can create a lot of problems for individuals. But in the Equifax data breach, I think that’s different. It’s important that consumers and policymakers recognize this distinction because the threat landscape has changed. The information hackers obtained or gained access to in the Equifax breach is the most sensitive personal information used by thieves to commit identity theft. So, we should let that sink in very definitely. A credit card number or bank account information can be changed with a phone call, but you can’t change your social security number and your date of birth. Anyone who’s ever applied for a loan, a credit card, a job, or opened a bank account knows you have to provide a social security number, date of birth to verify your identity. Thus, if someone has this information they can do the same and take over your identity. They can become you. And you won’t know it happened until it’s too late. 38:30 Sen. Jeff Flake (AZ): In your testimony before the House yesterday, you stated that Equifax’s “traditional business model is with companies, not with 400 million consumers.” What portion of Equifax’s business is consumer facing? Richard Smith: Mr. Chairman, roughly 10% of our revenues around the world come from what we call B to C—business to consumer. Flake: That’s 10%.
Then, what is the main source of Equifax’s revenue stream? Smith: The vast majority, the remaining, is largely doing analytics, insights, and providing solutions to banks, telecommunications companies, credit card issuers, insurance companies, and the like around the world. Flake: So, if only 10% of the revenue is consumer facing, what is the company’s incentive for keeping consumer data secure when it has no meaningful interaction or limited meaningful interaction with the accountability of consumers? Smith: We are clearly viewed as a trusted steward of that information, and losing that information violates the trust and confidence not only of the consumer but also of the companies we do business with as well. 1:01:52 Sen. Patrick Leahy (VT): You spent a lot of money lobbying against a consumer-protection act that might require you to notify consumers immediately in such breaches. Are you still going to fight and still spend hundreds of thousands of dollars to stop that kind of a consumer-protection bill from going through? Richard Smith: Senator, I can tell you as a company we do have a government-relations team. In the scheme of things, it’s relatively small. We’re a company with expenses of well over $2 billion. I think our entire lobbying budget, which includes association fees, is a million dollars or less. Leahy: I could care less what your budget is for lobbying. The fact is you opposed legislation that might require notifying consumers, might actually give consumers the ability to respond when they’ve been hurt. Are you going to—is Equifax going to continue to fight consumers’ right to know? Smith: One, I’m unaware of that particular lobbying effort you’re referring to. I can talk to the company, but I’m unaware of that particular lobbying effort. Leahy: It was in your report that you have to file on your lobbying expenses. 1:03:30 Sen.
Mazie Hirono (HI): Do consumers have the right to find out what kind of information data brokers like Equifax has on them? Richard Smith: Do they have the right? Hirono: Yeah, yes. Can they call Equifax up and say, what do you have on me? Smith: Every consumer has the right to a free credit report from us, from the industry, and that credit report would detail all the information that the credit file would have on them. Hirono: But that’s just their credit, but you have a lot of other information on everybody besides just their credit information, do you not? Smith: Yes, we do. Hirono: So, if—and my understanding is that you get all this information free. You don’t pay anybody for the information you gather on 145 million people, which is more than one out of three people in our entire country. Smith: It’s largely free. There are exceptions, obviously, but this business, as you know, we’re 118 years old. We’re part of a federally regulated ecosystem that enables consumers to get access to credit. Hirono: Yes. Smith: So that data’s there, and it’s used at their consent, by the way. Regardless of the type of data we have—if it’s your employment data or your income data or your credit data—that data can only be accessed if you as a consumer give the consent for someone to access that. Hirono: How does one give consent— Smith: If you— Hirono: —if you’re selling the information that you have on them? Smith: So, if you as a consumer go to your bank and want to get a credit card, for example, when you sign a contract with the bank for the credit card, you’re allowing the bank the access to approve your credit, in this particular case, to give you the best rate and the best line. 1:17:52 Sen. Richard Blumenthal (CT): Can you guarantee this committee that no consumer will ever be required to go to arbitration? Richard Smith: I cannot, sir. Blumenthal: Why? Smith: Well, one, I’m no longer with the company. I can talk to the management team. 
Blumenthal: Well, that’s what I mean by the designated fall guy. You know, you’re here, you can’t speak for the company. I’m interested in looking forward. How will consumers be protected? Will arbitration be required of them? Will they be compensated for the sense of security that has been lost? Will there be a compensation fund? Will there be insurance against that kind of loss? And I’m talking about a compensation fund that applies to them because of that loss of privacy. These kinds of questions, which you’re unable to answer because you’re no longer with the company, are as profound and important as any investigative effort looking back, and I recognize you’re here without the authority to make these decisions, but I think someone from the company has to make them. Hearing: Equifax Senate Banking; Senate Banking Committee; October 4, 2017 Witness: Richard Smith: Former Chairman & CEO of Equifax 6:03 Sen. Sherrod Brown (OH): But security doesn’t generate short-term profits. Protecting consumers apparently isn’t important to your business model, so you gather more and more information, you peddled it to more and more buyers. For example, you bought a company called TALX so you could get access to detailed payroll information—the hours people worked, how much they were paid, even where they lived—7,000 businesses. You were hacked there, too, exposing the workers of one proud Ohio company—400,000 workers at Kroger—and an unknown number of people’s information to criminals who used it to commit tax fraud. 26:35 Sen. Ben Sasse (NE): Your organization has committed to providing identity-monitoring services for the next year, but I’m curious about whether or not Equifax and your board have deliberated. Do you think your responsibility ends in one year, in two years, in five years, in 10 years; and if you think it ends at some point, have you tried to think about the goodwill and balance sheet impact of all this? 
How can you explain to an American whose identity might be stolen later because of this breach why your responsibility would ever end? Does it end? Richard Smith: I understand the question. And it extends well beyond a year, Senator. The first step we took was the five services we mentioned to the chairman a minute ago, which gets the consumer through one year. The ultimate control for security for a consumer is going to the lifetime lock. The ability for a consumer to lock down his or her file, determine who they want to have access for life— Sasse: But isn’t this—just to interrupt—isn’t that about people who might be breached in the future. I’m talking about the 145 million whose data has already been stolen. Does your responsibility end, or what do you think your legal obligations are to them? Smith: I think the combination of the five services we’re offering combined with the lifetime lock is a good combination of services. Sasse: I actually think the innovation of some of the stuff you proposed for the big three going forward is quite interesting, but why does any of that five really do much for the data that’s already been stolen? Smith: Senator, again, the combination of the five offerings today plus the lifetime lock we think is the best offering for the consumer. Sasse: Okay, I don’t think you’ve really answered the question about whether or not your exposure legally ends for the 145 million. 29:13 Sen. Ben Sasse (NE): I want to open, at least, the allegations that Equifax executives engaged in insider trading relating to knowledge of this cyber breach. One of the clearest times in definitions of insider trading occurs when a business executive trades their company stock because of confidential knowledge that they have gained from their job. I’m sure you can imagine why Americans are very mad about the possibility that this occurred here.
While insider trading is going to be discussed a lot more later in this hearing, I wish you could just very quickly give us a timeline of the first steps. When did Equifax first learn of the May 2017 breach, and when did you inform the FBI of that breach? Richard Smith: Thank you. I’ll answer as quickly as I can. We notified the FBI cybersecurity forensic team and outside global law firm on August 2. At that time, all we saw was suspicious activity. We had no indication, as I said in my oral testimony, of a breach at that time. You might recall that the three individuals sold stock on August 1 and 2. We did not have an indication of a breach until mid- to late August. Sasse: So you’re saying that those three executives—Mr. Chairman, I’ll stop—you’re saying those three executives had no knowledge of a breach on August 1 or 2. Smith: To the best of my knowledge, they had no knowledge and they also followed our protocol to have their stock sales cleared through the proper channels, which is our general counsel. 32:00 Sen. Jon Tester (MT): Let’s fast forward to the 29th of July, and you learned for the first time that your company has been hacked—don’t know how big the hack is, but it’s been hacked—and it was preceded by this notification from US-CERT. Three days after, as Senator Sasse pointed out, you had three high-level execs sell $2 million in stock. That very same day, you notified the FBI of the breach. Can you tell me if your general counsel was held accountable for allowing this stock sale to go forward? Or did he not know about the breach? Richard Smith: Senator, clarification: On the 29th and 30th, a security person saw suspicious activity, shut the portal down on the 30th. There was no indication of a breach at that time. The internal forensics began on the 30th. On the 2nd we brought in outside cyber experts—forensic auditors, law firm, and the FBI. The trades took place on the 1st and the 2nd.
At that time, the general counsel, who clears the stock sales, had no indication—or to the company—of a security breach. Tester: Well, I’ve got to tell you something, and this is just a fact, and it may have been done with the best of intentions and no intent for insider trading, but this really stinks. I mean, it really smells really bad. And I guess smelling bad isn’t a crime. But the bottom line here is that you had a hack that you found out about on the 29th. You didn’t know how severe it was. You told the FBI about the breach. On that same day, high-level execs sell $2 million worth of stock, and then you do some investigation, evidently, and you find out at the end of the month that—or, at least, by the first part of September—that this is a huge hack, and you finally notify the public. And as was pointed out already in this committee, these are people that didn’t ask for your service. You’ve gathered it. And now it’s totally breached. And then, as Senator Sasse said, what’s the length of exposure here, and you said, we’ll be doing these five things. That’s proactive, and I think we can all applaud those efforts. But I’ve got to tell you, that doesn’t do a damn thing for the people who have had their identity stolen and their credit rating stolen. So let me ask you this: So their credit rate goes up a little bit, and they go buy a house for 250,000 bucks on a 30-year note, and it costs them 25 grand. Are you liable for that? Smith: Senator, I understand your anger and your frustration. We’ve apologized for the breach, we’ve done everything in our power to make it right for the consumer, and we think these services we’re offering is a right first step. 53:57 Sen. Elizabeth Warren (MA): In August, just a couple of weeks before you disclosed this massive hack, you said—and I want to quote you here—“Fraud is a huge opportunity for us. It is a massive, growing business for us.” Now, Mr. 
Smith, now that information for about 145 million Americans has been stolen, is fraud more likely now than before that hack? Richard Smith: Yes, Senator, it is. Warren: Yeah. So the breach of your system has actually created more business opportunities for you. For example, millions of people have signed up for the credit-monitoring service that you announced after the breach—Equifax is offering one year of free credit monitoring—but consumers who want to continue that protection after the first year will have to pay for it, won’t they, Mr. Smith. Smith: Senator, the best thing a consumer could do is get the lifetime lock. Warren: I’m asking you the question. You’re offering free credit monitoring, which you say is worth something, and you’re offering it for only one year. If consumers want it for more than one year, they have to pay for it. Is that right? Smith: Yes, Senator. But the most, the best thing a consumer can do is the lock product. It’s better than monitoring. Warren: Okay, but, they’re going to have to pay after one year if they want your credit monitoring, and that could be a lot of money. So far, seven and a half million people have signed up for free credit monitoring through Equifax since the breach. If just one million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that’s more than $200 million in revenue for Equifax because of this breach. But there’s more. LifeLock, another company that sells credit monitoring, has now seen a 10-fold increase in enrollment since Equifax announced the breach. According to filings with the SEC, LifeLock purchases credit monitoring services from Equifax; and that means someone buys credit monitoring through LifeLock, LifeLock turns around and passes some of that revenue directly along to Equifax. Is that right, Mr. Smith? Smith: That is correct. Warren: That’s correct. Okay. 
The second Equifax announced this massive data breach, Equifax has been making money off consumers who purchased their credit monitoring through LifeLock. Now, Equifax also sells products to businesses and government agencies to help them stop fraud by potential identity thieves. Is that right, Mr. Smith? Smith: Yes, Senator. There’s one clarification. You’d mentioned the LifeLock relationship— Warren: Uh-huh. Smith: —which was accurate. At the same time, the majority of that revenue we normally generate is direct to consumer. We’ve shut that down. We’re no longer selling consumer product directly. Warren: I’m sorry. My question is, every time somebody buys through LifeLock—and they’ve seen a 10-fold increase since the breach—you make a little more money. We actually called the LifeLock people to find this out. So, I asked you the question, but I already know the answer. It’s true. You’re making money off this. So, let me go to the third one. Equifax sells products to businesses and government agencies to help them stop fraud by potential identity thieves, right? Smith: To the government, yes. Not to the business. Warren: You don’t sell to businesses? Just small businesses? Smith: We sell business, but it’s not to prevent fraud. That’s not the primary focus or business. Warren: But to stop identity theft, you don’t have any products that you’re touting for identity-theft purposes? Smith: Senator, all I’m saying is the vast majority we do for businesses is not fraud. Warren: Look, you’ve got three different ways that Equifax is making money, millions of dollars, off its own screw up, and meanwhile, the potential costs to Equifax are shockingly low. Consumers can sue, but it turns out that the average recovery for data breaches is less than $2 per consumer, and Equifax has insurance that could cover some big chunk of any potential payment to consumers. So, I want to look at the big picture here. 
From 2013 until today, Equifax has disclosed at least four separate hacks in which it compromised sensitive personal data. In those four years, has Equifax’s profit gone up? Mr. Smith? Smith: Yes, Senator. Warren: Yes, it has gone up, right? In fact, it’s gone up by more than 80% over that time. You know, here’s how I see this, Mr. Chairman. Equifax did a terrible job of protecting our data because they didn’t have a reason to care to protect our data. The incentives in this industry are completely out of whack. Because of this breach, consumers will spend the rest of their lives worrying about identity theft. Small banks and credit unions will have to pay to issue new credit cards, businesses will lose money to thieves, but Equifax will be just fine. Heck, it could actually come out ahead. Consumers are trapped, there’s no competition, nowhere else for them to go. If we think Equifax does a lousy job protecting our data, we can’t take our data to someone else. Equifax and this whole industry should be completely transformed. Consumers—not you—consumers should decide who gets access to their own data. And when companies like Equifax mess up, senior executives like you should be held personally accountable, and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen. Mr. Chairman, we’ve got to change this industry before more people are injured. 1:22:00 Sen. John Kennedy (LA): It just seems incongruent to me that you have my information—you don’t pay me for it; you don’t have my permission — you make money collecting that information, selling it to businesses — and I think you do a service there; don’t misunderstand me — and you also come to me—you can’t run your business without me; my data is the product that you sell — and you also offer me a premium service to make sure that the data you’re collecting about me is accurate. I mean, I don’t pay extra in a restaurant to prevent the waiter from spitting in my food. 
You understand my concern? Richard Smith: I understand your point, I believe, but another way to think about that is the monitoring part that you’re referring to, Senator? Kennedy: Uh-huh. Smith: In the future, it’s far less required if you as a consumer have the ability to freeze, or lock as we call it, and unlock your file. And that is free for life. Kennedy: But it’s not just the freeze part. What if you had bad information about me? Have you ever—has an agency ever had bad information about you, and you had to go through the process of correcting it? Smith: Yes, Senator. There’s a process that if— Kennedy: It’s a pain in the elbow, isn’t it. I mean, the burden’s kind of on – you have my data, which you haven’t paid me for. You’re earning a good living, which I don’t deny you. I believe in free enterprise. I think this is a very clever business model you’ve come up with. But you’re earning your money by selling my data, which you get from me and don’t pay me for, to other people, but if the data is wrong that you have about me, I would think you would want to make it as easy as possible to correct it, not as hard as possible. Smith: I understand your point, and it’s an important point for the entire industry to make the process as consumer-friendly as possible if there’s an error on your utility bill, if there’s an error on your bank bill, your credit card statement, to work with consumers to make— Kennedy: Well, can you commit to me today that Equifax is going to set up a system where a consumer who believes that Equifax has bad information about him can pick up the phone and call a live human being with a beating heart and say, here’s this information you have about me that you’re selling to other people—you’re ruining my credit, and it’s not true, and I want to get it corrected. 
How are you going to correct it, what information do you need from me to prove that it’s incorrect, and when are you going to get back to me, and give me your name and phone number so I can call you. Smith: Senator, I understand your point. There is a process that exists today. More than half— Kennedy: Yeah, and it’s difficult, Mr. Smith. Smith: Be more than happy to get the company to reach out to your staff, explain what we do, and what we’re doing to improve that process. I hear you. Hearing: House Equifax CEO Hearing; House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection; October 3, 2017 Witness: Richard Smith: Former Chairman & CEO at Equifax 5:13 Rep. Jan Schakowsky (IL): The Equifax data breach was massive in scale: 145.5 million American victims as of yesterday. I would call it shocking, but is it really? We have these under-regulated, private, for-profit credit reporting agencies collecting detailed personal and financial information about American consumers. It’s a treasure trove for hackers. Consumers don’t have a choice over what information Equifax or, for example, TransUnion or Experian, have collected, stored, and sold. If you want to participate in today’s modern economy; if you want to get a credit card, rent an apartment, or even get a job often, then a credit reporting agency may hold the key. Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate. It’s not like when you get sick at a restaurant and decide not to go there anymore. Equifax collects your data, whether you want to have it collected or not. If it has incorrect information about you, it’s really an arduous process—I’ve tried it—to get it corrected. When it comes to information security, you are at the mercy of whatever Equifax decides is right; and once your information is compromised, the damage is ongoing. 
Given vast quantities of information and lack of accountability, a major breach at Equifax, I would say, would be predictable if not inevitable. I should really say breaches. This is the third major breach Equifax has had in the past two years. From media reports and the subcommittee’s meeting with Equifax officials after the breach, it’s clear to me that the company lacked appropriate policies and practices around data security. This particular breach occurred when hackers exploited a known vulnerability that was not yet patched. It was months later before Equifax first discovered the breach, and it was another several weeks before Equifax shared news with consumers, this committee, the Federal Trade Commission, and the Consumer Financial Protection Bureau. Senior officials at the company are saying they weren’t immediately aware that the breach occurred, and yet, by the way, there were executives who sold over a million dollars in stock just days after the breach was discovered but, yet, not reported. And for a lot of Americans, that just doesn’t pass the smell test. 22:45 Richard Smith: We know now that this criminal attack was made possible because of a combination of human error and technological error. The human error involved the failure to apply a software patch to our dispute portal in March of 2017. Technological error involved a scanner which failed to detect that vulnerability on that particular portal. Both errors have since been addressed. On July 29 and July 30, suspicious activity was detected, and a team followed our security-incident protocol. The team immediately shut down the portal and began our internal security investigation. On August 2, we hired top cybersecurity, forensic, and legal experts, and at that time, we notified the FBI. At that time, to be clear, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major breach. 47:53 Rep. 
Frank Pallone (NJ): All right, during your tenure at Equifax, you expanded the company’s business into packaging and selling other people’s data, and in that August 17 speech, you explained that having free data with a gross margin of profit of about 90% is—and I quote—“a pretty unique model.” And I get that this unique model is a good deal for Equifax, but can you explain how it’s a good deal for consumers? Richard Smith: Thank you, Congressman. I think I understand the question. Our industry has been around for a number of years, as you know. In fact, Equifax is a 118-year-old company. We’re part of a federally regulated ecosystem that enables consumers to get access to credit when they want access to credit and, hopefully, at the best rates available to them at that time. So we’re very vital to the flow of economy, not just in the U.S. but around the world. Pallone: All right, I want to turn to what Equifax is offering consumers in the wake of this breach, specifically the free credit-lock service that is supposed to be introduced next year. We’ve been told that this free credit-lock service could require consumers to consent to Equifax sharing or selling the information it collects from the service to third parties with whom the individual already has a business relationship for marketing or other purposes. Is that true? Smith: This product will be a web-enabled, mobile-enabled application that will allow a consumer at a time he or she, if they decide they want access to credit, can simply toggle on, toggle off that application to give the bank, credit card issuer, auto lender, access to their credit file to approve their loan. Pallone: Well, by agreeing to use the Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners? Smith: Congressman, we’re trying to change the paradigm. What I mean by that is, this will be in an environment viewed as a service, a utility, not a product. 
But we know cross-selling, upselling, or any products available to the consumer, when they go to get and sign up for the lock product, it’s a service to them, and that’s the only product—this service they’ll be able to get. Pallone: Will Equifax give consumers an easy and free method to choose not to share their data in this way, even if the consumer already has a business relationship with the third party? Smith: Yeah, Congressman, I’d envision as this evolves over time, the consumer will have the ability to invite into their world who they want to have access and who they do not. It’ll be their choice, their power, not ours, to make that decision. Pallone: Now, last week, the interim CEO announced that by January 31 of 2018 Equifax would make locking and unlocking of a person’s Equifax credit report free forever. A credit-report lock is already included in TrustedID Premier and other services like credit monitoring and identity-theft insurance. Will that still end after one year? Smith: Congressman, a couple of differences. Number one, the product we offer today for consumers protects the consumer at the same-level protection they’d get January 31. The difference is, today is a browser-enabled product, or service; the 31 of January it’ll be an application, much simpler and easier for the consumer to use. The protection is largely the same. So they get this free service when they sign up for one year. At the end of the one year, effective January 31 of 2018, it goes into the new lock product. Pallone: I guess the difference, other than not expiring, between the credit-report lock that is part of TrustedID Premier and the credit-locking tool that will be available in January, why not just extend the freeze program? Smith: There’s a difference between the freeze product, which came to pass with FACTA back in 2003, passed into law in 2004, that is now governed by state laws in all states, and it’s a cumbersome process for a consumer. 
In many cases, some states require you to mail in your request for a freeze and that we must mail you a PIN, so your ability to get access to credit when you want credit is encumbered. A consumer could go to a car dealer or to a bank to get a credit card, forget his or her PIN on a freeze product, have to go back home, look for the PIN, mail the PIN in, so it’s a cumbersome process. The lock product we’re offering today is a big step forward; lock product for the 31 of January is an even further step forward. 53:00 Rep. Joe Barton (TX): Mr. Smith, what’s the market value of Equifax? What’s your company worth, or your former— Richard Smith: Congressman, last time I checked it’s somewhere close to 13 billion. Barton: Thirteen billion. I’m told by my staff that this latest data breach was about 143 million people. Is that right? Smith: We were informed yesterday from the company that is typical in a forensic audit, there was some slight movement and the numbers adjusted. Press release came out from the company last night. It’s 145.5. Barton: A hundred—well, okay, I appreciate your accuracy there. But under current law, you’re basically required to alert each of those that their account has been hacked, but there’s really no penalty unless there is some sort of a lawsuit filed and the Federal Trade Commission or state attorney general files a class-action lawsuit against your company. So you really only notify—you’re just required to notify everybody and say so sorry, so sad. I understand that your company has to stay in business, has to make money, but it would seem to me that you might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something. What would the industry reaction be to that if we passed a law that did that? Smith: Congressman, I understand your question. 
I think the path that we were on when I was there and the company’s continued is the right path, and that’s a path, a line that the consumers to control the power of who and when accesses a credit file going forward, taking the— Barton: Well, a consumer can’t control the security of your system. Smith: That is true, sir, but they can control— Barton: And your security people knew there was a problem, and according to staff briefings that I’ve been a part of, they didn’t act in a very expeditious fashion until the system had already been hacked. And, I mean, you’re to be commended for being here. I don’t think we subpoenaed you. I think you appeared voluntarily, which shows a commendable amount of integrity on your part, but I’m tired of almost every month there’s another security breach, and it’s okay, we have to alert you. I checked my file to see if I was one of the ones that got breached, and apparently I wasn’t. I don’t know how I escaped, but I didn’t get breached, but my staff person did, and we looked at her reports last night, and the amount of information that’s collected is way beyond what you need to determine if she (audio glitch) for a consumer loan. Basically, her entire adult history, going back 10 years, everywhere she’s lived, her name, her date of birth, her social security number, her phone numbers, her addresses, her credit card, student loans, security-clearance applications for federal employment, car insurance, even employment history of jobs that she worked when she was in high school. That’s not needed to determine whether she’s worthy of getting a five-thousand-dollar credit card loan or something. And now it’s all out in the netherworld of whoever hacked it. 
I can’t speak for anybody but myself, but I think it’s time at the federal level to put some teeth into this and some sort of a per-account payment—and, again, I don’t want to drive credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don’t do something to change the current system. 58:42 Rep. Ben Lujan (NM): Will Equifax be willing to pay for this freeze at Experian and TransUnion for consumers whose information was stolen? Richard Smith: You’re referring to the freeze or the lock? Lujan: You said they’re the same, so… Smith: Yeah, right now we offer a free lock product, as you know, for one year, and then a free lifetime lock product for life, starting January 31, 2018. Lujan: And that also extends to Experian and TransUnion? Smith: No, sir, it does not. Lujan: Would Equif—let me repeat the question. Will Equifax be willing to pay for that freeze, for that lock, at Experian and TransUnion for consumers whose information was stolen by it—through Equifax? Smith: Congressman, the company’s come out with what they feel is a comprehensive five different services today and a lifetime lock. I would encourage, to be clear, I would encourage TransUnion and Experian to do the same. It’s time we change the paradigm, give the power back to the consumer to control who accesses his or her credit data. It’s the right thing to do. Lujan: Okay, I’m down to limited time, Mr. Smith. I apologize. I’ll take that as a no that Equifax will not pay for Experian and TransUnion consumers. 1:26:09 Rep. Debbie Dingell (MI): Why do consumers have to pay you to access their credit report? Why should that data not be free? Richard Smith: Congresswoman, the consumer has the ability to access the credit report for free from each of the three credit reporting agencies once a year, and you combine that with the ability to lock your credit file for life for free. Again, it’s a step forward. 2:00:40 Rep. 
Larry Bucshon (IN): Is it possible people who never signed up or used Equifax directly could have been impacted by the breach? Richard Smith: Yes, Congressman. Bucshon: Okay, so how does Equifax get the information on people who’ve never directly associated with Equifax at all? I mean, I’m not familiar with that. Smith: Yeah, we get it from banks, telecommunications companies, credit card issuers, so on and so forth. Bucshon: So just like we go to apply for a loan, they send you the information, because they want to get a data—they want to get the information on my credit rating, for example. Smith: Correct. As I define it, we are part of the federally regulated ecosystem— Bucshon: Yeah. Smith: —that enables banks to loan money to consumers. Bucshon: Right. So, it’s up to the banks, at that point, to notify the individual which credit agencies they’re utilizing to assess their credit risk? Or is it up to the credit agencies? Smith: Traditionally, the contributors of data—in that case, Congressman, the banks would give their data to all three. That’s the benefit of the system is you get a holistic view of an individual’s credit risk. Bucshon: Yeah. My point is, I guess, because a lot of people I talk to back in Indiana, southern Indiana, have no idea who Equifax is, right? And many of those people have applied for home loans and other things. And a matter of fact, probably at some point you have their information, but they may or may not have been notified who sent the information to them—probably the bank or other agency—and that’s something I think that is also maybe an issue, that people don’t understand or have not been told who is being used to assess their credit risk and, hence, something like this happens, they have no idea whether or not their information has been compromised. Smith: I understand your point. Bucshon: Yeah. 2:09:20 Rep. Gene Green (TX): Mr. 
Smith, Equifax customers or businesses who purchase data and credit reports on consumers, the American public is essentially Equifax’s product. How many times per year on average does Equifax sell access to a given individual’s credit file to a potential creditor, and how much do they make every time they sell it? Richard Smith: If I understand the question, Congressman, we take the data that is given to us by the credit ecosystem of the U.S., add analytics to it, and then when a consumer wants credit—again, through a credit card, home loan, a car—the bank then comes to us for that data and for that analytics, and we charge them for that. Green: Okay. Well, the question was, how many times does Equifax receive payment for that individual credit file? Every time—if my local car dealer contacts Equifax, and so they pay a fee to Equifax for that information. Smith: Yes, Congressman. If you as an individual want to go to that car dealership and get a loan for a car, they come to us or to competitors, and when they take your data, access your data, we do get paid for it, correct. 2:47:40 Richard Smith: If there’s one thing I’d love to see this country think about is the concept of a social security number in this environment being private and secure, I think it’s time as a country to think beyond that. What is a better way to identify consumers in our country in a very secure way, and I think that way is something different than an SSN, a date of birth, and a name. 2:56:28 Rep. Jan Schakowsky (IL): What if I want to opt out of Equifax? I don’t want you to have my information anymore. I want to be in control of my information. I never opted in, I never said it was okay to have all my information, and now I want out. I want to lock out Equifax. Can I do that? 
Richard Smith: Congresswoman, that requires a much broader discussion around the rules of credit reporting agencies because that data, as you know today, doesn’t come from the consumer; it comes from the furnishers, and the furnishers provide that data to the entire industry. Schakowsky: No, I understand that. And that’s exactly where we need to go, to a much larger discussion, because most Americans really don’t know how much information, what it is that you have it, and they never said okay. Video: Circle Jerk, YouTube, December 3, 2015 Hearing: Credit Privacy Hearing; Senate Commerce, Science, and Transportation Committee; December 18, 2013 Witnesses: Tony Hadley: Senior VP of Government Affairs and Public Policy at Experian 47:13 Sen. Jay Rockefeller (retired) (WV): So, Mr. Hadley, what does your company—or why does it single out and sell lists of economically vulnerable groups like immigrants, widows, and military personnel? 48:03 Tony Hadley: Thank you, Senator. We would be very concerned if lenders were using that information for scamming purposes, too. And we have processes and procedures in place to ensure that nobody gains access to that score for that purpose. Now— Sen. Jay Rockefeller: And how does that work? Hadley: We have an onboarding system by which we take on a client that gets our information to know who they are, and we also have a mail-piece review process to know what they’re going to offer the consumer. And if it’s anything that looks discriminatory or predatory, we will not provide our list to them. Now— Rockefeller: And this is your self-regulation. Hadley: This is our self-regulation under DMA standards. So if we were to violate that, we’d be in violation of our self-regulatory standards as well as our contractual standards with our clients. Now, what’s important here is that there are somewhere between 45 and 50 million Americans who are outside the mainstream of the credit markets in the United States. 
These are underbanked, underserved consumers who financial institutions cannot reach through credit scoring and credit report. They don't have financial identities or a big enough or even the presence of a credit file in order to bring them into the mainstream of financial markets. But that doesn't mean that they don't need access to financial services. So banks use this data to try to reach out to consumers who they can help to empower them, not to scam them. We don't want to do business with financial institutions who are trying to scam people, only to empower them. And this is their best way to find those individuals who are outside the mainstream—immigrants; new to credit, like recent college graduates, exactly what we’re talking about here—to give them an offer, an invitation to apply, so that then they can make an eligibility determination regarding that application under the Fair Credit Reporting Act. But this is marketing literature, not eligibility determination. Rockefeller: Who— Hadley: Can I add to that for you? Rockefeller: Not entirely. Can you tell me which are the companies that buy this ChoiceScore product from you? We’ve asked you that. Hadley: Yeah. They would be banks and financial institutions and members of the financial community. Rockefeller: That’s what’s called a general answer. Hadley: Yeah. I can't tell you who our clients are. That’s a proprietary list of ours. It’s like our secret ingredient. The ones who would want that most are our competitors. And our counsel has informed me that they don't believe that our ability to give that to you can be shielded from disclosure through the rules of the Senate. If we thought they could be—for example, under a law enforcement action, where it could be shielded and protected from FOIA or other disclosures, we could do that, but not under the situation—under the rules of the Senate. And we’re very sorry about that, but we just simply can't do that. Our counsel won't let us. 1:25:49 Sen. 
Claire McCaskill (MO): The case, Mr. Hadley, of Experian and Superget. You purchased the company Court Ventures in 2012, in the spring of 2012. For more than a year after the time you purchased this company that had all this data, you were taking monthly wire transfers from Singapore, and your company did nothing. And as it turns out, those wire transfers were coming from a man in Vietnam who specialized in identity theft and was marketing the information that you owned to criminals to ruin people's lives. So my first question to you is, you were quoted as saying, “We would know who was buying this.” You were getting wire transfers from Singapore on a monthly basis, and no one bothered to check to see who that was? Hadley: Now, I want to be clear that this was not Experian marketing data; this was Experian authentication data. So it’s under a different company, a different use. So that’s just—I want you to know that it’s not marketing data. McCaskill: I don't understand the distinction. I think it’s a distinction— Jay Rockefeller: Nor do I. McCaskill: —without a difference. I believe it was data that you owned, Experian owned. You’d purchased this data from Court Scan, and they had, in fact— Hadley: No. Let me clarify. McCaskill: —sold it to someone else. Hadley: Yeah, let me clarify that for you, because we’ve provided a full response to that question to the Committee, and it’s part of the eight submissions that we’ve given. And I do have to say that it’s an unfortunate situation, and the incident is still under investigation by law enforcement agencies. So I’m really extremely limited in what I can say publicly about it, but I do want to say this. The suspect in the case obtained data controlled by a third party—that was U.S. Info Search. That was not an Experian company—through a company we bought, Court Ventures— McCaskill: Okay. Let— Hadley: —prior to the time that we acquired that company. And to be clear, no Experian data was ever accessed in that deal. 
McCaskill: Well, I understand what you’re saying. Here’s what happened: You had U.S. Info Search— Hadley: No, we did not own— McCaskill: No, no; I’m— U.S. Info Search existed, and Court Ventures existed. Hadley: And they had a partnership. McCaskill: —they decided, for commercial reasons, to make more money, to combine their information. Hadley: To resell their information. McCaskill: And so they had a sharing agreement, those two companies, correct? Hadley: Right, right. McCaskill: Okay. So these two companies had a sharing agreement. Then you bought one of those companies. Hadley: Court Ventures. McCaskill: Correct. So now you owned it. Now you stood in their place. Are you a lawyer? Hadley: I’m not a lawyer, but I understand we stood in their place, right. McCaskill: Are there any lawyers on the panel? Okay; she’ll back me up. You stand in their place when you buy this. So now you’re there. Now, you said in your earlier testimony, we would know who was buying this. So you now are part of their transactions. Hadley: During— McCaskill: And you were receiving the benefit of these monthly wire. Hadley: So, during the due-diligence process, we didn't have total access to all the information we needed in order to completely vet that. And by the time we learned about the malfeasance, I think nine months had expired. The Secret Service came to us, told us of the incident, and we immediately began cooperating with the Secret Service to bring this person to justice. McCaskill: Okay. Hadley: And we’re continuing to cooperate with law enforcement in that realm. This was—we were a victim and scammed by this person. McCaskill: Well, I would say the people who had all their identity stolen were the victims. Hadley: And we know who they are, and we’re going to make sure that they’re protected. There’s been no allegation that any harm has come, thankfully, in this scam. McCaskill: Okay. Hadley: And we’ve closed that down, and— Rockefeller: Let Senator McCaskill continue. 
Hadley: —and we’ve modified our processes to ensure that [unclear]— Rockefeller: Let Senator McCaskill continue. McCaskill: Okay. So let's talk about that process. This person got—this man who they lured to Guam to arrest and who is now facing criminal charges in New Hampshire, they posed as an American-based private investigator. What is your vetting process when people want to buy your stuff? Hadley: That would’ve been Court Ventures who would have vetted that prior to our acquisition. McCaskill: Okay, but I’m talking about now, you. What is your vetting process? Hadley: Right now, before we would allow acc—first, let me say that that person would have not gained access to Experian or this data if they had gone through our vetting processes prior to the acquisition. McCaskill: And what would’ve stopped him? Hadley: We would’ve known who that company is. We would’ve had a physical onsite inspection of that company. We would’ve known who that business is and what that business's record is. We would’ve known exactly why they wanted that data and for what purposes. And that would have been enshrined in our contract. And we would’ve known the kinds of systems they have in place to protect the data that they gained. Those are all incumbent upon us under the Gramm-Leach- Bliley Act and the FCRA. McCaskill: Well, listen, I understand that this was not a crime that began under your watch. Hadley: Thank you. McCaskill: But you did buy the company, and you did keep getting the wire transfers from Singapore, and the only reason you ever questioned them is because the Secret Service knocked on your door. I don't know how long those wire transfers from Singapore would’ve gone on until you caught them. I don't have confidence that it would’ve stopped at all. So I guess what my point is here, I maybe do not feel as strongly as others on this panel that behavioral marketing is evil. 
I believe behavioral marketing is a reality, and, frankly, the only reason we have everything we have on the Internet for free is because of behavioral marketing. So I don't see behavioral marketing as an evil into itself. What I do see is some desperate need for Congress to look at how consumers can get this information, what kind of transparency is there, and whether or not companies that allow monthly wire transfers into their coffers from Singapore from a criminal who is trying to rip off identity theft, whether or not they should be held liable for no due diligence on checking those wire transfers from Singapore until the Secret Service knocked on their door. And that’s what I think we need to be looking at. And I don't think there’s enough—I mean, I know that some of my friends on the other side of the aisle, you say trial lawyers, and they break out in a sweat. But the truth is that if there was some liability in this area, it would be amazing how fast people could clean up their act. And, unfortunately, in too many instances there’s not clear liability because we haven't set the rules of the road.

Video: FreeCreditReport.com all 9 commercials, YouTube, October 3, 2009.

Hearing: Credit Scoring System; House Financial Services Subcommittee on Oversight and Investigations; July 30, 2008.

Witnesses:
Thomas Quinn: Vice President of Global Scoring at Fair Isaac Business Consulting
Stan Oliai: Experian Decision Analytics Consulting Senior Vice President
Chet Wiermanski: Transunion Credit Services Analytical Systems Vice President
Richard Goerss: Equifax Credit Services Chief Privacy Officer
Evan Hendricks: Privacy Times Publisher and Editor

26:42 Thomas Quinn: A FICO score is a three-digit number ranging from 300 to 850, where the higher the score, the lower the risk. Lenders use the score, along with other information, to decision the request for credit, set the credit line and pricing terms. 
Creating the FICO score model requires two samples of credit reports, two years apart, for the same randomly selected depersonalized set of consumers provided by one of the national credit reporting agencies. Those credit factors found to be most powerful and consistent in predicting credit performance, individually and in combination, form the basis for the complex mathematical algorithm which becomes the score. The traditional FICO score model evaluates five broad types of data elements from the consumer credit report. These include, and listed in order of importance, previous credit payment history, about 35 percent contribution; level of outstanding debts, about 30 percent contribution; length of credit history, 15 percent contribution; pursuit of new credit, 10 percent contribution; and mix of type of credit, about 10 percent contribution. FICO scores were first introduced to the marketplace in 1989 and have been consistently redeveloped and updated throughout the years to ensure their predictive strength. 34:00 Stan Oliai: A credit score is a numerical expression of risk of default, based on a credit report. The score is produced by a mathematical formula created from a statistical analysis of a large representative sample of credit reports. The formula is typically called a “model.” The credit score is calculated by the model, using only information in the credit report. These reports include the following types of information: The credit account history—such as was the account paid, was it paid on time, how long has the account been open, and what’s the outstanding balance; the type of account—is it a mortgage, is it an installment, is it revolving; the public record information—liens, judgments, bankruptcies, for example; inquiries in the credit file that represent applications for new credit and other consumer-initiated transactions. A credit report does not include information such as income or assets. 
It also does not include demographic information such as race or ethnicity. Demographic factors are not used in the calculation of a credit score. 35:05 Stan Oliai: Regulatory oversight of credit scores is accomplished through routine bank examinations for compliance, with a number of laws that govern fair lending, such as the Equal Credit Opportunity Act. This makes sense because the lender chooses the scoring model to assist in this proprietary underwriting process. The lender is ultimately responsible for demonstrating to regulators that the scoring model it has chosen complies with the lending laws. 46:20 Chet Wiermanski: There is strong evidence to suggest that consumers would benefit from the increased reporting of nontraditional credit information. For example, consumers with thin credit files and, in particular, minorities, immigrants, young and old, all experience a net benefit from full-file reporting by energy companies and telecommunication providers. Consumers with impaired credit histories also obtain a net benefit from full-file reporting by these companies. We are presently engaged in a follow-up study to learn more about the impediments to full-file reporting faced by the utilities and telecommunication industry. It may be very well that Congress may have a role to play in removing roadblocks to encourage voluntary full-file reporting. 2:01:30 Richard Goerss: There are a lot of thing—different activities—that a consumer can do to protect themselves if they feel they are victims or might be victims of identity theft. Certainly, one of the things that they can do is to place a fraud alert on their credit file. They can receive a free disclosure of their credit file to see if there has been any inappropriate activity or inquiry to their credit file. They can provide an identity-theft report and identify the account information that they feel, or that they say, was opened fraudulently. 
And under the requirements of the FACT Act, the consumer reporting agencies are going to delete that information, and the consumer reporting agency that receives that identity theft with the information-removal request is going to refer it to the other two consumer reporting agencies, who are also going to remove that information. 2:24:30 Evan Hendricks: Right now, you take it for granted that we know about credit scores, but you have to remember it was, like, 12 years ago, in the mid-1990's, when credit scores started being widely used. They were a complete secret; the industry did not even acknowledge their existence. Then, when they found out about it and reporters like Michelle Singletary of the Washington Post started reporting on it, then they would not disclose the score to you. So, California led the way with a state law, and now we have the FACT Act, which means that you can get one—you can buy a credit score for a fair and reasonable price. 2:54:55 Rep. Jackie Speier (CA): We call these credit reporting agencies or credit bureaus, which gives the average consumer the impression that they are dealing with some federal entity, when in fact they are not—we heard this afternoon they’re private or publicly traded companies—and yet this information is so critical, and to Mr. Barrett's comments, who suggested that the consumer needs to be educated, needs to know what goes into their FICO score and what they can do to improve their FICO score, we can't give those kinds of answers, because, for all intents and purposes, it is a proprietary formula. It’s sort of like secret sauce; we don't know what it is. Now, there’s something wrong when the government can't articulate what should be considered in a FICO score.

Cover Art Design by Only Child Imaginations
Music Presented in this Episode
Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)
Configuring AOL account in MS Mail, configuring HD Flow wireless gateway, Pokemon Go and VPN usage (sporadically blocked), Profiles in IT (Guglielmo Marconi, long distance radio pioneer), WiFi routers hacked by CIA for years (using the CherryBlossom implant), Website of the Week (Internet Storm Center, monitors malicious web traffic), US-CERT warning (North Korea cyberattacks on the rise), Amazon buys Whole Foods (cyber is invading brick and mortar, grocers beware), computer printers embed hidden tracking codes in output (includes serial number, print date and time), Russia attempted to hack state voting systems (penetration failed in all cases), Bots are coming (get ready for first robotic empathy crisis). This show originally aired on Saturday, June 17, 2017, at 9:00 AM EST on WFED (1500 AM).
Russians at it again, Microsoft and Adobe updates, PoS breaches, US-CERT throws TLS shade, epilepsy tweet stalking, Tesla's billion, lip-reading AI, autonomous BMWs, Fiber Lasers, taxing robots, Green Zones and Red Zones, AI disruption of healthcare, discovery, recommendations, and aphorisms, and more… Support the show: https://danielmiessler.com/support/ See omnystudio.com/listener for privacy information.
Uptake (https://uptake.com/) . Prior to Uptake, Nicholas was the Vice President of Global Services at Trustwave (https://www.trustwave.com/home/) where he led more than 2000 incident response and forensic investigations globally, ran thousands of ethical hacking & application security tests for clients, and conducted bleeding-edge security research to improve Trustwave's products. Before Trustwave, Nick ran the security consulting practices at VeriSign, & Internet Security Systems. In 2004, he drafted an application security framework that became known as the Payment Application Best Practices (PABP). In 2008, this framework was adopted as a global standard called Payment Application Data Security Standard (PA-DSS). As a speaker, he has provided unique insight around security breaches, malware, mobile security and InfoSec trends to public ( OWASP (https://www.owasp.org/) ) & private audiences (Including DHS, US-CERT, Interpol, United States Secret Service) throughout the world. Nick's research has been featured by media including: The Washington Post, eWeek, PC World, CNET, Wired, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR, Gizmodo, Fast Company, Financial Times & The Wall Street Journal. Nick is also the creator of The Cavalry (https://www.iamthecavalry.org/about/overview/) movement. In this interview we discuss his early start with computers, what is a hacker, developing a methodology for penetration testing, how he developed the SpiderLabs name, analytics and automation, when you should evaluate opportunities, moving past the fear of public speaking, his personal "drink-a-different-beer-a-day" contest, research and public disclosure of vulnerabilities, how to secure Internet connected devices, where he recruits talent, and much more. I hope you enjoy this discussion. Please leave your comments below! 
Where you can find Nick: LinkedIn (https://www.linkedin.com/in/c7five) Twitter (https://twitter.com/c7five) THOTCON (http://thotcon.org/) I am the Cavalry (https://www.iamthecavalry.org/about/overview/)
In today's podcast, we hear about how an international police action swept up youths shopping for DDoS tools. Russian banks sustain a mild, easily parried DDoS attack. Mirai gets trickier. US-CERT warns against vulnerabilities in home routers. Popcorn Time ransomware says it's doing good by doing bad, but few will be deceived. US opens an investigation after the Intelligence Community concludes that Russian services tried to throw the US election away from Clinton and toward Trump. Emily Wilson from Terbium labs describes the markets for drugs and pharmaceuticals on the dark web. And North Korea says they didn't do it, you tantrum-throwing conservative puppet regime, you.
In today's podcast we discuss a warning from US-CERT and Onapsis against some old but active SAP vulnerabilities. Pawn Storm is back, and active against German political targets. DDoS-for-hire is proving lucrative, as is ransomware. Joe Carrigan from Johns Hopkins University Information Security Institute explains what you should do when you get suspicious-looking email. IBM speaks with us about their cyber security plans for their Watson AI.
On March 31st, 2016 the US Computer Emergency Readiness Team (US-CERT) released alert TA16-091A, titled “Ransomware and Recent Variants”. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Already in 2016, destructive ransomware variants such as Locky and Samas were observed infecting the computers of individuals and businesses, including hospitals and healthcare facilities. The purpose of the alert is to provide further information on ransomware, its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate ransomware. References: https://en.wikipedia.org/wiki/Ransomware_(malware) https://www.us-cert.gov/ncas/alerts/TA16-091A
ControlTalk NOW — Smart Buildings VideoCast and Podcast for week ending November 22, 2015 announces the 2015 ControlTrends Awards Finalists! Cybersecurity SITREP from SmartCore’s Fred Gordy, who invites the ControlTrends Community to use SmartCore’s free on-line Criticality and Threat Assessment survey. US-CERT’s IC3 Public Service Announcement and Cyber attack update; Lynxspring’s Onyxx E2E Solution; Sierra Monitor Corporation’s Telecom Site Case Study; FIN Stack Lunch ‘n Learn; and Therese Sullivan writes about the CoRE Tech Silicon Valley event and the slow adoption rate of Smart Building technology. EasyIO Certification Training in December at Cochrane Supply, MI. With our latest EASYIO 32-bit range of DDC products, you can now build your Automation solutions from top to bottom, with various OPEN programming tools, and the EASYIO range of IP DDC Controllers is now available and selling worldwide. 30 Minutes with Lynxspring Webinar Series – Professional Services – New Onyxx Products. The 30 Minutes with Lynxspring Webinar Series continues on Wednesday, November 18th, at 12:00 PM CST. Session 6 – Lynxspring’s New Onyxx Products. Overview: Our IoT world increases the number of smart equipment, systems, and devices — creating tremendous intelligence at the edge. Announcing SmartCore’s Free, Online Criticality and Threat Assessment (CATA). Online Assessment at NO CHARGE to you! SmartCore has developed an online assessment tool that gives building and portfolio management a high level assessment of each building free of charge. Contact info@smartcore.com to receive your assessment link. SmartCore will translate your answers to this short survey into a Threat Assessment Scorecard as well as a prescriptive Cyber Risk Mitigation Plan that we can help you implement to strengthen your defense against attacks. Congratulations to the 2015 ControlTrends Awards Finalists!
The voting for the 2015 ControlTrends Awards will begin shortly. Please register to vote! Building Automation VAV Controller of the Year Manufacturer or Product: Neptronic, Distech, Delta Controls, Johnson Controls, KMC SimplyVAV, Honeywell Spyder, and Prolon. Sierra Monitor Corporation Case Study on Telecom Site Remote Monitoring. Telecom Site Remote Monitoring: The telecommunications industry includes regional operating companies, traditional long distance carriers, wireless carriers, and cable and satellite service providers; they all deliver voice, data, and video services. Sierra Monitor Corporation shares its extensive expertise about this universal, yet challenging application. Internet Crime Complaint Center: The Internet Crime Complaint Center (IC3) has issued an alert warning that law enforcement personnel and public officials may be at an increased risk of cyber attacks. In addition to doxing (the act of gathering and publishing individuals’ personal information without permission), threat actors have been observed compromising the email accounts of officers and officials. These target groups should protect their online presence and exposure. Stromquist Company Hosting Lunch ‘n Learns for FIN Stack. Our Authorized FIN Distributor Stromquist is hosting two free informational Lunch ‘n Learns. The first is at their Atlanta office Thursday Nov 19th from 12:00 – 1:00 EDT, and will also be available remotely via live stream at ControlTrends. The second session will be at the Orlando office Tuesday November 24 from 12:00 – 1:00 EDT. Therese Sullivan Puts the Full Court Press on CoRE Tech’s Silicon Valley Message: ‘Just Do It.’ (By therese554) Smart Building technology isn’t being adopted at the pace expected. Why aren’t more property owners getting off the sidelines? Chicago Bulls Basketball star Michael Jordan inspired a lot of sports watchers to become sports Do-ers in the 1980s and 90s. 
And, of course, there were the ‘Sneaks.’ Can tech-firm smart building All Stars be as motivating? Are their methods and tools a fit for the rest of us? ControlTalk NOW Special Guest: SmartCore’s Director of Cybersecurity, Fred Gordy. Fred is responsible for the technology strategy and cyber security for control systems. Fred’s portfolio includes projects at military bases, internet data centers, national retail chains, an international media company, REITs, and research labs. Fred has contributed to and/or been featured in the Wall Street Journal, CNBC, Fox, HPAC Engineering, Retrofit Magazine, Building Context, Healthcare Facilities Today, and BOMA FacilitiesNet. The post ControlTalk NOW — Smart Buildings VideoCast and Podcast for Week Ending November 22, 2015 appeared first on ControlTrends.
ControlTalk Now: The Smart Building Podcast October 5, 2014 is sponsored by Siemens, nominated for over 10 ControlTrends Awards. Siemens offers a complete technical infrastructure portfolio for building automation, energy efficiency, fire safety, security, total building solutions and market-specific solutions in buildings and public places. ControlTrends Around the World: Norway. We caught up with Hoist Energy’s Tommy Hagenes and Runar Solli at the 2014 EASY IO World Conference in Madrid, Spain. Hoist Energy is one of Norway’s most prolific building automation controls systems integrators. Thanks to Tommy and Runar for sharing their insights on smart buildings and controls integration in Norway, including the vital role EASY IO is playing in Norway. DGLux5 Training at Their New — Oakland, CA Headquarters! October 22nd-24th 2014. DGLogik, Inc. invites you to an enhanced DGLux5 Training at the new headquarters in Oakland, CA. This 3-day training course takes place from October 22-24, 2014. Our DGLux5 training provides new lectures, new exercises, and new hands-on labs designed to provide a comprehensive understanding of the basic principles, concepts and knowledge necessary to develop and support applications using DGLux5. In addition, this new training will allow all users to walk-away with a functional application template for their future use. Register now! ControlTrends Around The World: Australia. The EASY IO world conference in Madrid, Spain, allowed us to connect with the very best smart building controls professionals from around the globe. In this video we catch up with Chris Schneider. Chris, along with his team at Open BMCS, created a programming software tool that allows savvy building automation controls integrators a powerful alternative to more expensive options. The Open BMCS software is a great way to program and configure your EASY IO controllers. How easy is it to use the Open BMCS software? Click here to see Open BMCS training videos. 
Be sure to check Chris out at the 2014 ControlTrends Awards and the 2014 AHR Show in Chicago. Honeywell WEBs-AX Security Sales Training – LIVE STREAM. Honeywell Niagara-AX Framework Shellshock Update — US-CERT Alert, TA14-268A: On Thursday, September 25, 2014 US-CERT published an alert, TA14-268A, regarding a critical vulnerability in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. After a thorough review of Honeywell products, we want to reassure our customers that no versions of NiagaraAX Framework software or any other Honeywell products are affected by the Shellshock bug. Automated Buildings’ October Release: Automated Diagnostics & Analytics: We were looking for a theme for our October issue and we polled the industry about articles featuring occupant productivity and how our industry has an amazing interaction with productivity within a building. Although all agreed that this was very true and a very powerful relationship, the general feeling was we need to keep working on how to shape occupant productivity into a real measured variable for our industry before we can include it in our ROI payback calculation. ControlTrends People: Laura Kevitt: Meet Laura Kevitt! Laura heads up national accounts for Honeywell’s ECC Building Automation Group. But as those of us who are lucky enough to have worked with Laura know, she is a technical virtuoso on Honeywell Access and Building Automation Controls. Laura is the control pro’s pro and I was lucky enough to catch up with her in Atlanta. The post ControlTalk Now: The Smart Building Podcast October 5, 2014 appeared first on ControlTrends.
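The Shellshock item above (US-CERT TA14-268A) says which products are affected but not how an operator would confirm it on a host of their own. The following is an added example, not code from the newsletter, Honeywell or US-CERT: it wraps the standard probe for the original Shellshock bug (CVE-2014-6271, the CVE behind TA14-268A) in a function that reports whether the bash on the path imports and executes a trailing command hidden in an exported function definition. The interpreter path and the marker string are assumptions chosen for the example.

```python
import os
import subprocess

# Added example: Shellshock probe for the original bug (CVE-2014-6271).
# The exported value looks like a bash function definition followed by a
# trailing command. A pre-fix bash executed that trailing command while
# importing the environment; a fixed bash treats "x" as an ordinary variable
# and only imports functions from specially named variables.
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_VULNERABLE"   # constructed marker
MARKER = "SHELLSHOCK_VULNERABLE"


def classify_probe_output(stdout):
    """Interpret the probe's stdout: the marker can only appear if the
    trailing command ran during environment import."""
    return "vulnerable" if MARKER in stdout else "patched"


def check_shellshock(bash="bash", timeout=10):
    """Return 'vulnerable', 'patched' or 'no-bash' for the given interpreter.
    The child command itself ('echo probe') is harmless; the interesting
    behaviour happens before it runs, while bash reads its environment."""
    env = dict(os.environ)
    env["x"] = PROBE_VALUE
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe"],
            env=env, capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, subprocess.SubprocessError):
        # Interpreter missing, not executable, or hung: nothing to assess.
        return "no-bash"
    return classify_probe_output(result.stdout)


if __name__ == "__main__":
    print(check_shellshock())
```

This probe covers only the original parser bug; the incomplete first fix was followed by further CVEs (CVE-2014-7169 among them), so a "patched" result here means the trailing-command case is closed, not that bash is at the final patch level. Check the package version against the vendor advisory as well, and remember that the exposure that matters is any service (CGI scripts, DHCP clients, restricted SSH commands) that lets an untrusted party set environment variables for a bash process.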
Amit Yoran is the CEO of NetWitness and has been since November of 2006. Prior to NetWitness, he was appointed as Director of US-CERT and the National Cyber Security Division of the Department of Homeland Security. He was also previously the CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. In this podcast he discusses the Kneber Botnet and cybersecurity issues with Denise Zheng.
Man Fights Back - Podcast #28 - Download MP3
Alternate Download Link for Episode #28 - Download MP3
Opening Clip: Ian Dury - "Hit Me With Your Rhythm Stick" [Video]
MFB Opening Theme
Opening Comments:
We're sick again!
No Swine Flu shot for US!
Roger from VZW is an ID10T
Music Break: One Mind - "Walking on Water"
Fortune Cookie Message of the Week: "Flattery will go far tonight." - "In Bed" - Wiser Man
Technology News:
Shrimp's Eye Points Way to Better DVDs
Devices With Lithium Batteries Pose a Fire Risk for Airlines ...
Ed's iPod Touch game rant...
Firefox gains 30 million users in eight weeks...
Andrew's Firefox rant...
US-CERT warns about free BlackBerry spyware app
Music Break: Adler Santonio - "Stuck With Me"
National News:
Obama declares swine flu a national emergency
Video: Homeland Security Could Block Websites During Swine Flu Pandemic
F-16s Prepared to Shoot Down Wayward Northwest Plane
MSM: Marc Faber, Dollar Will Eventually Go to Value of Zero
Controversial Private 'Police' Force Quits Effort to Take Over Montana Jail
Music Break: Don Pedigo - "Mama's Wedding Gown"
Message from Don:
Hey everyone, I recently submitted a music video to CMT's music city madness contest. Over 1000 entries and I am one of the 64 finalists! I need your votes. Vote multiple times from now until Dec. 14th. Click on the link below; at the first screen hit vote (top left); next you will see pics of four artists, click the third one (Jimmy Wanye), then hit start and watch the ad, then click on me (Don Pedigo), hit vote, then hit submit your votes on the bottom left. I don't know why it's so complicated but, that's the way it is. My move to the next round is based on votes. Here's my BIG BREAK folks! Thank you for your time and spread the word!
http://www.madness.cmt.com/
Don Pedigo
www.myspace.com/donpedigo
www.facebook.com/don.pedigo
http://www.donpedigo.com/
Music Mashup Trivia #19
News Clip Break: No Agenda - clip from show #131
Indiana News:
Indiana reports first human rabies death since 2006
Music Break: TLT - "Losing Myself"
Strange News:
Gamer has bone to pick with online-shopping dog
Lebanese to Israel: Hands off our hummus
One-legged suspect caught with one stolen shoe
Madoff Investor Said to Have Drowned
Ending Music: Maya sky - "As it Happens"
Apple touch iPod, DOJ backs two-tiered Internet, Google Sky launched, Profiles in IT (Bill Yeager, inventor of the router), global web statistics (browsers, OS, traffic), Software Freedom Day, farm automation to replace migrant workers, and US CERT session cooking warning. This show originally aired on Saturday, September 8, 2007, at 9:00 AM EST on Washington Post Radio (WTWP) Radio.
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Black Hat DC 2007 was supposed to be the venue for "RFID For Beginners", a talk on the basic mechanisms of operation used by RFID tags. Legal pressure forced the talk to be curtailed, with only 25% of the material being presented. The remainder was replaced with a Panel debate involving IOActive, US-CERT, ACLU, Blackhat, and Grand Idea Studio. After spending far too much time and money dealing with lawyers and consulting with some strategic allies, IOActive has made some relatively minor tweaks to the original presentation, which will be presented as the first part of this talk. The second part of the talk introduces Cloner 2.0. The first Cloner was designed to be as simplistic as possible, and succeeded at the cost of read range, flexibility, and overall sophistication. Cloner 2.0 aims to address these concerns with a significantly enhanced read range, a "passive" mode to sniff the exchange between tags and legitimate readers, multi-tag storage capability, multiple RF frontends and an enhanced software backend to support many different types of Proximity tags, and overall improvements in reliability and flexibility. While we won't be able to give you full schematics or the names of any vendors whose tags can be cloned, we will be including significant information (including useful snippets of source and circuit diagram fragments) that will allow you to more deeply understand the significant flaws in older RFID technologies. This talk will give you the information you need to make informed decisions about the use and mis-use of the most common RFID implementations available today. Abstract for the original "RFID for Beginners" talk: RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. 
This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip - the PIC16F628A. Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, backscattering system known as RFID.
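The abstract above lists Manchester encoding as one of the things a reader or cloner for inductively coupled, ASK-modulated tags has to handle. The following is an added example, not code from the talk or from IOActive: it implements the Manchester line code, recovers half-bit levels from an oversampled envelope of the kind a comparator on a demodulated carrier produces, and shows the one property that bites people building a sniffer, the half-bit phase ambiguity (a run of identical bits decodes cleanly in both alignments, with inverted values, which is why tag formats carry a fixed header). The bit-to-transition convention (0 as low-then-high, 1 as high-then-low), the samples-per-half-bit figure and the sample bit pattern are assumptions constructed for the example; tag families differ in all of them.

```python
# Added example: Manchester line code as used on the envelope of simple
# ASK/backscatter proximity tags. Not code from the Black Hat talk.
# Convention assumed here: data 0 -> (low, high), data 1 -> (high, low).

def manchester_encode(bits):
    """Map each data bit to a pair of half-bit levels (a mid-bit transition
    is mandatory; that transition is what carries the bit clock)."""
    out = []
    for b in bits:
        if b not in (0, 1):
            raise ValueError("bits must be 0 or 1")
        out.extend((1, 0) if b else (0, 1))
    return out


def manchester_decode(halfbits):
    """Inverse of manchester_encode. A 00 or 11 pair carries no data (no
    mid-bit transition), so it is reported as a coding violation instead of
    being silently mapped to a bit; some formats use such pairs as markers."""
    if len(halfbits) % 2:
        raise ValueError("odd number of half-bits")
    bits = []
    for i in range(0, len(halfbits), 2):
        pair = (halfbits[i], halfbits[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            raise ValueError("coding violation at half-bit %d: %r" % (i, pair))
    return bits


def oversample(halfbits, spb):
    """Expand half-bit levels into an envelope with spb samples per half-bit,
    the shape a comparator on the demodulated carrier hands to software."""
    return [lvl for lvl in halfbits for _ in range(spb)]


def recover_halfbits(samples, spb):
    """Slice an envelope into half-bit levels by majority vote per window, so
    an isolated glitched sample does not flip a level. Assumes the stream
    starts on a half-bit boundary (a real reader finds it from the first
    edge). An odd spb avoids tied votes."""
    if spb % 2 == 0:
        raise ValueError("use an odd samples-per-half-bit to avoid ties")
    levels = []
    for i in range(0, len(samples) - spb + 1, spb):
        window = samples[i:i + spb]
        levels.append(1 if sum(window) * 2 > spb else 0)
    return levels


def decode_any_phase(halfbits):
    """Try both half-bit alignments; return (phase, bits) for the first that
    decodes without violations. Shifting by one half-bit turns 10 into 01
    and back, so a run of identical bits decodes in BOTH phases with
    inverted values. Only a bit change (or a known header) pins the phase."""
    for phase in (0, 1):
        hb = halfbits[phase:]
        hb = hb[:len(hb) - len(hb) % 2]
        try:
            return phase, manchester_decode(hb)
        except ValueError:
            continue
    raise ValueError("no half-bit alignment decodes without violations")


if __name__ == "__main__":
    # Constructed sample: a nine-bit header of ones followed by data bits.
    data = [1] * 9 + [0, 1, 1, 0, 1, 0, 0, 1]
    env = oversample(manchester_encode(data), 5)
    env[7] ^= 1                         # one glitched sample
    late = [0] * 5 + env                # sniffer started one half-bit late
    print(decode_any_phase(recover_halfbits(late, 5)))
```

Run stand-alone, the script reports phase 1 and the original bits: the wrong alignment decodes the all-ones header as zeros and only fails at the first data bit, which is exactly the situation a passive sniffer is in until it has seen a transition.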
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
