One Article Review

The article:
Source SecurityWeek
Identifier 544138
Publication date 2018-03-27 05:59:03 (viewed: 2018-03-27 05:59:03)
Title Canadian Firm Linked to Cambridge Analytica Exposed Source Code (Recycled)
Text Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught in the recent Facebook data scandal. On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company's tools. The files, stored using a custom version of the code repository GitLab, were accessible simply by providing an email address. The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said. The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom. AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit “Vote Leave” campaign. Cambridge Analytica recently came under fire after it was discovered that it had collected information from 50 million Facebook users' profiles and used it to create software designed to predict and influence voters. Facebook has suspended the company's account after news broke, but the social media giant has drawn a lot of criticism, both from customers and authorities. According to some reports, AggregateIQ was originally launched with the goal of helping Cambridge Analytica and its parent company SCL Group.
In a statement published on its website over the weekend, AggregateIQ denied reports that it's part of Cambridge Analytica or SCL. It has also denied signing any contracts with the British firm and being involved in any illegal activity. However, there appears to be some evidence that Cambridge Analytica owns AggregateIQ's intellectual property, and the files discovered by UpGuard also seem to show a connection. For example, two of the AggregateIQ projects whose source code was exposed contained the string “Ripon,” which is the name of Cambridge Analytica's platf
Notes
Sent Yes
Tags Guideline
Stories


Republications of the article (1):
Source SecurityWeek
Identifier 513761
Publication date 2018-03-14 18:02:05 (viewed: 2018-03-14 18:02:05)
Title U.S. Energy Firm Fined $2.7 Million Over Data Security Incident
Text An energy firm in the United States has been fined $2.7 million over a data security incident that resulted in the exposure of critical cyber assets. The North American Electric Reliability Corporation (NERC) revealed last month that an unnamed power company had agreed to pay the massive penalty and take action to avoid future leaks. The affected entity has not been named, but the penalty notice published by NERC provides some details about the incident and clarifies that while the energy firm agreed to pay the fine, it neither admitted nor denied violating Critical Infrastructure Protection (CIP) NERC reliability standards. The incident, which has been assigned a risk rating of “serious,” involved a third-party contractor that improperly copied data from the energy firm to its own network. Despite receiving training, the contractor failed to comply with the company's information protection program. A security researcher discovered that the contractor allowed anyone to access the data without a username or password. According to NERC, more than 30,000 records were exposed, including critical cyber assets (CCAs), IP addresses, and server host names. The information was available online for 70 days. E&E News, which first reported on the fine, pointed out that one suspect is Pacific Gas and Electric (PG&E), a California-based natural gas and electric utility that exposed a lot of information back in 2016. Researcher Chris Vickery, who at the time worked for MacKeeper, discovered a misconfigured database containing information on 47,000 computers, servers, virtual machines and other devices. PG&E initially said the data was fake, but later admitted that a vendor had exposed its records. Many of the details mentioned in the NERC document match the PG&E incident. Vickery told E&E that PG&E had him delete the data and sign an affidavit, which is exactly what the NERC document describes.
SecurityWeek has reached out to PG&E for comment and will update this article if the company responds. Following the significant cyberattacks that hit Ukraine a few years ago, the energy sector in the United States has been taking steps to prevent such incidents. The U.S. Energy Department announced recently its intention to invest over $20 million in cybersecurity projects, and the launch of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
Notes
Sent Yes
Tags
Stories


The article does not appear to have been picked up from an earlier one.