Cyber Daily: White-Hat Hackers Gain Legal Protection for Reporting Bugs to Federal Agencies | Warner Music Group E-commerce Sites Attacked
Good day. Federal cybersecurity officials this week ordered government agencies to make it easier for researchers to report bugs in their systems—and not prosecute them for doing so, WSJ Pro's James Rundle reports.
Other news: Warner Music Group says its e-commerce sites were hacked; U.S. pushes to expand collection of biometric data about immigrants; NSA phone surveillance program exposed by Edward Snowden ruled illegal.
Plus: A roundup of this week's Pro Cybersecurity coverage in our weekend reading section.
Readers, we are off Monday in observance of Labor Day in the U.S. We will be back Tuesday!
“It will be impracticable to determine in many cases when external parties or researchers are proceeding in good faith and not engaging in criminal conduct.”
— The Education Department’s Office of Inspector General, on the motives of individuals who hunt for vulnerabilities on federal websites.
Christopher Krebs, director of the U.S. Cybersecurity and Infrastructure Security Agency, ordered executive-branch civilian federal agencies to establish formal systems for bug reporting. PHOTO: KEVIN LAMARQUE/REUTERS
Hackers acting in ‘good faith’ gain protections in Homeland Security order. A Sept. 2 directive from the Cybersecurity and Infrastructure Security Agency compels executive-branch civilian federal agencies, such as the Transportation Department, to create “vulnerability disclosure” policies.
The policies provide a formal process for security researchers to report bugs they discover in public federal systems, which could allow hackers to infiltrate if left unchecked. While some agencies already have similar policies—with some even offering bounties to white-hat hackers for their findings—this is the first time a coordinated effort is being made across the federal government.
During the comment period, however, a number of government agencies pushed back on the provision against legal action. The Education Department’s Office of the Inspector General said blanket commitments not to prosecute are “ill-advised,” owing to the amount of work required to determine whether bug reporters are acting in good faith or trying to use the disclosure policy as a cover for nefarious purposes.
Security researchers sometimes shy away from reporting bugs because it can be difficult to figure out how to inform the government, CISA said in its directive. Researchers also have little confidence that bugs will be fixed, and fear legal action may be taken against them by the very agencies they are trying to help, CISA said.
Read the full story.
Warner Music Group, whose Atlantic Records label includes singer-songwriter Lizzo, said its e-commerce websites were compromised starting in April. PHOTO: FREDERIC J. BROWN/AGENCE FRANCE-PRESSE/GETTY IMAGES
Warner Music Group e-commerce sites hacked. An unauthorized party compromised a number of U.S.-based e-commerce sites hosted and supported by a technology service provider for the music company. Warner Music said in a letter to customers that it can't identify whether information about specific individuals was stolen but said personal data entered on its sites between April 25 and Aug. 5 was at risk. This includes names, email addresses, physical addresses and payment-card details.
U.S. seeks to expand biometric data it collects from immigrants. The Department of Homeland Security said it would propose expanding the types of biometric information that immigrants may need to submit with their applications, possibly including iris scans, voice recordings and DNA samples. The proposal, due to be released within days, would allow the government to require that biometric data be submitted with any sort of immigration application, The Wall Street Journal reports. Currently, immigrants applying for visas, green cards or other immigration benefits that require background checks must submit fingerprints and photographs with their applications.
NSA surveillance program Edward Snowden exposed ruled illegal by federal court. The National Security Agency's program that eavesdropped on millions of phone calls of U.S. citizens was illegal and might have been unconstitutional, according to a federal appeals court in California, ThreatPost reports. The program, which has since been scaled down, might have violated the Fourth Amendment prohibiting unreasonable search and seizure, the court said. Mr. Snowden, a former intelligence contractor who resides in exile in Russia, exposed the program through leaked documents in 2013.
Related video: Snowden’s Plea for Pardon Hits Bipartisan Roadblock
PG&E Taps Technology Veteran to Oversee IT. PG&E has named information-technology veteran Ajay Waghray as senior vice president and chief information officer. Mr. Waghray will be responsible for overseeing the company’s information technology and cybersecurity functions and will manage its more than 1,200 IT employees.