In this week’s edition of The Security Ledger Podcast we talk with security researcher and data spelunker Chris Vickery of the firm UpGuard about his discovery of a data trove containing consumer profiles on 123 million American households. Also: a tough new standard for handling federal data takes effect on January 1st in the form of NIST Special Publication 800-171. And: Katie Moussouris joins us back in the studio to talk about what the updated Wassenaar Arrangement means for security researchers.
The firm UpGuard last week reported on the discovery of a data trove containing consumer profiles on 123 million American households. (Given that the US Census Bureau counts only about 126 million US households, that’s basically everyone.) The data, compiled by the marketing analytics firm Alteryx, included a mix of U.S. Census data and consumer tracking data collected by the credit reporting firm Experian. It’s just the latest massive data exposure, following the hack of the credit rating firm Equifax that leaked sensitive information on roughly 150 million consumers.
Drunk on Data
In our first segment this week, we speak with the security researcher who discovered all that data: Chris Vickery (@VickerySec) of the firm UpGuard. The discovery is just the latest by Vickery and UpGuard, who have made a practice of scanning for unprotected cloud-based storage holding valuable data. Chris and I dig into the Alteryx leak and try to answer the question of why so many sophisticated firms appear so clueless, or careless, about protecting sensitive data.
DOD Data Security Deadline
Some of the toughest data security standards in the US are set to take effect with the New Year. If you’re a company doing business with the Pentagon, the new standards are aimed squarely at you, and at your business partners.
In our second segment, we invite Thomas Jones, a senior systems engineer at the firm Bay Dynamics, to talk about NIST Special Publication 800-171 (PDF), which spells out the security requirements contractors must meet to protect controlled unclassified information (CUI) on their own systems, how it will improve the security of federal data, and what it will mean for companies that do business with the US military.
Cyber Arms Control
Cyber weapons are a growing part of military arsenals around the world, from the US, Russia and China to North Korea and Iran. But efforts in recent years to restrict the trade in cyber weapons elicited howls of protest from technology firms in the US and EU, because the proposed export controls were broad enough to sweep in a huge swath of legitimate security testing tools and research.
An updated version of that agreement, the multilateral export control regime known as the Wassenaar Arrangement, was approved by its 42 participating nations this month and includes good news for vulnerability researchers and information security firms: exemptions that carve vulnerability disclosure and incident response work out of the controls on intrusion software. In this week’s episode, we invite one of the experts who helped hammer out that language, Katie Moussouris of the firm Luta Security, back into the studio to talk about the updated Wassenaar Arrangement and what comes next.