IEEE Cipher --- Items from security-related news (E140)
Summary:
The SEC requires that publicly traded companies file information about
their plans and finances. The website for doing this is called
"Edgar". Some of the information is for the SEC only and contains
confidential and personal information. At some point, the SEC
realized that the information was not properly protected, and "cyber threat
actors" accessed the data, perhaps gaining information useful for
making illegal profits. The SEC feels that it should do better going
forward.
Summary:
The GAO noted that the SEC's failure to encrypt data at rest posed a serious
security vulnerability, but the SEC ignored the warnings and even closed
its cybersecurity unit. The Edgar site held data that should have been
encrypted, and the data breach might have been prevented if the GAO advice
had been heeded. Closing the barn door in the wake of the theft will require
about $1.6 billion next year, according to SEC Chair Jay Clayton.
Summary:
Many White House figures have fallen victim to a British citizen who
specializes in sending emails with a fake "From" address and eliciting
personal replies. Jared Kushner's lawyer, Abbe Lowell, was a recent
target, and she responded to an email that appeared to come from Kushner.
Her reply went back to the prankster who happily published it.
Summary:
A security firm found that more than 4% of the Mac computers in its survey
were running outdated versions of firmware, even though the OS was current.
For some reason, the automatic update of the firmware was not done. Apple
is committed to fixing the problem. The firm suggests that Windows machines
might suffer from a similar problem.
Summary:
A new digital assistant from Mattel is an Amazon Alexa with a
subsystem designed to interact with children. It comes with a wireless
camera with an encrypted video stream. The device conveniently keeps
track of a baby's sleep cycles, sings to them, and plays games. Of course,
it automatically orders diapers and formula as needed.
Summary:
The Campaign for a Commercial-Free Childhood finds Mattel's baby smart
monitor to be a terribly bad idea. Mattel's chief product officer
hopes that children will form emotional ties to the device, although
the effect of this on childhood development is completely unknown.
The AI-based device plays games and collects information and uses it
for marketing.
Summary:
Mattel hired a new chief technology officer in July, and he announced
that the company would not release the Aristotle device because it
did not "fully align with Mattel's new technology strategy".
The executive director of the Campaign for a Commercial-Free Childhood
applauded the decision, saying that children have a right to privacy.
Summary:
Testifying to the House Energy and Commerce Committee, the former chief
executive of Equifax apologized for a massive data leak of
personal information of millions of consumers. The problem
was the result of one employee failing to heed security warnings.
One might wonder why the privacy of so many consumers, who had no
control over Equifax's collection of their information, rested on
the shoulders of a single employee.
Summary:
Voting technology varies greatly from state to state, but the hacks and
attempted hacks from 2016 have caused states to re-examine the security
of their equipment and methods. The US Election Assistance Commission (EAC)
and the Department of Homeland Security have guidelines and direct
assistance programs that are seeing increased interest from states.
Many states are dealing with equipment that is 15 years old and needs
replacement, but this is an expensive task. The EAC chairman suggested
that consumer-owned equipment could be used as soon as the 2020 election.
Summary:
The Wall Street Journal reported that modifications to the popular
Kaspersky anti-virus software caused it to search for specific
keywords in user files, and those modifications required help from
Kaspersky itself. This seems to dispel the notion that the Russian
government made the modifications by modifying copies of the software
through hacking. Although German officials are not worried about
Kaspersky, US intelligence agencies reportedly observed the software
detecting classified information.
Summary:
In 2014 Israeli operatives hacked into Kaspersky Labs' corporate
systems, and they remained undetected until mid-2015. In the wake of
this situation, Kaspersky has accused Israel of using its software to
try to spy on information related to meetings with Iran about its
nuclear capabilities and information about the NSA. Israel has said that
it observed the Russian government using Kaspersky systems for spying
on the US. Whatever the truth may be, it seems that Kaspersky A/V is
often used for spying operations.
Summary:
The website Politifact was somehow turned into a way to cause visitors'
computers to become a mining operation for a hash-chain-based
digital currency. Visitors found their CPUs running at
full capacity after visiting the website, and it was common to find
several instances of the software running simultaneously. This is an
example of the complexity of web technology, as Politifact was uncertain
about the source of the software and speculated that it might have
come from a third-party ad provider.
Summary:
This technical paper describes a serious flaw in the WiFi protocol that had
gone undetected for 14 years. In brief, an attacker on the network can
cause the protocol to return to an earlier state, and this allows the
attacker to decrypt traffic. The attacker needs no special privileges
to exploit the vulnerability. It is interesting to note that the
protocol had been "proven" to be secure.
Summary:
North Korea is said to have six thousand people working in
offensive cybersecurity operations, and they are improving their
skills steadily. Only a small spelling error prevented them
from looting the Bangladesh Central Bank (presumably through
the SWIFT banking network). Their goals are to wreak havoc
and become wealthy through cybertheft, ransomware, and extortion.
Summary:
A number of digital identity cards, including Estonian national ID
cards, are less than highly secure due to a bug in a commonly used
software library. The RSA security algorithm is a clever use of large
numbers and arithmetic, and if used properly, it is highly secure.
However, the arithmetic can be too complicated for energy and memory
constrained devices, such as smart cards. It seems that the code for
generating keys utilized some shortcuts, and researchers have found
that the result is that the all-important private key bears a less
than random relation to the public key. As a result, hackers could
impersonate the card holders.
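A defender's first question after this item is "are any of my keys affected?" The following screening check is an added example, not code from the newsletter or from the researchers' own tool; it assumes the published fingerprint for the flawed generator, namely that for each small prime p up to 167 the modulus N satisfies N mod p in the set {65537^j mod p}, and it works on the bare modulus as an integer (extracting the modulus from a certificate is left to your usual tooling).

```python
# Added example (not from the Cipher newsletter or the ROCA authors' tool).
# Assumption (labelled): affected moduli have N mod p in the subgroup of Z_p*
# generated by 65537, for every small prime p in 3..167, because the flawed
# generator built its primes as k*M + (65537^a mod M) with M a primorial.
# Offline, stdlib only. A match is a screening signal, not proof of a weak key.

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]


def _residue_set(p, g=65537):
    """All values g^j mod p: the multiplicative subgroup generated by g mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


# Precompute the allowed residues once; for many primes this is a strict
# subset of 1..p-1, which is what makes the fingerprint selective.
RESIDUES = {p: _residue_set(p) for p in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if n matches the fingerprint on every small prime (suspect key)."""
    return all(n % p in RESIDUES[p] for p in SMALL_PRIMES)


def screen_moduli(moduli):
    """Map each modulus (as hex) to whether it should be flagged for rotation."""
    return {hex(n): roca_fingerprint(n) for n in moduli}


if __name__ == "__main__":
    # Constructed inputs: 65537**7 trivially has the fingerprint structure;
    # 3233 = 53 * 61 is a textbook toy modulus that does not.
    print(screen_moduli([65537 ** 7, 3233]))
```

Run the screen over every RSA modulus in your inventory (cards, TLS certificates, PGP keys); a flagged key should be replaced, since the fingerprint is what lets the public key be related back to the private one.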
Summary:
School districts around the US have been shocked to receive messages
threatening to harm students and staff through release of personal
information or even to inflict violence unless a ransom was paid.
This has disrupted the schools and caused a great deal of worry. The
attacks originate from outside the US by a group called Dark Overlord.
It's unclear why the Dark Overlord began targeting schools, but someone
from the hacking group told the Daily Beast they are "escalating the
intensity of our strategy in response to the FBI's persistence in
persuading clients away from us."
Summary:
Josh Powell was suspected of killing his wife. He killed his two sons and
himself. Investigators have long sought to read the contents of his
computer hard drive in the hope that it might provide information about
the fate of his wife. Two Utah companies have spent four years running
software to guess the decryption keys that protect the hard drive
contents. They have broken the "first level" of encryption used by
the app "TrueCrypt", but they realize that they cannot break the second
level without more computing resources.
Summary:
Russian hackers who tried to interfere in the US presidential election
in 2016 were a busy bunch. They targeted thousands of people and
organizations of interest to the Kremlin. The company Secureworks
slightly turned the tables on the organization behind the hacking
software (Fancy Bear) when Secureworks discovered a list of some of
their phishing targets online.
Summary:
A Polish researcher with a penchant for misconfigured Internet servers found
that personal information about 50,000 Australian government and public-sector
employees was exposed to the world through Amazon AWS S3 storage. This
is an all-too-common mistake by the customers of the Amazon service. Apparently
there is some confusion about the security settings. Customers might
be confused about the term "authorized user" for S3, or they might not
have a clear idea of what their settings are. The service is convenient,
but the security risks require some detailed attention.
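The confusion the article points at is concrete: S3's "AuthenticatedUsers" group means any AWS account in the world, not the accounts you authorized. The check below is an added example (not from the newsletter, the researcher, or AWS) that reads the JSON shapes returned by `aws s3api get-bucket-acl` and `get-bucket-policy` and flags grants that reach beyond your account; the bucket, owner ID and account number are constructed placeholders.

```python
import json

# Added example, not from the Cipher newsletter or from AWS.
# The two group URIs below are the real S3 predefined groups; everything
# else (bucket name, owner ID, account number) is a constructed placeholder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any AWS account in the world, not only yours",
}


def risky_acl_grants(acl_json):
    """Return (permission, audience) for every ACL grant to a global group."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            findings.append((grant.get("Permission"), audience))
    return findings


def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def risky_policy_statements(policy_json):
    """Return Sids of Allow statements open to every principal with no Condition."""
    return [st.get("Sid", "<no Sid>")
            for st in json.loads(policy_json).get("Statement", [])
            if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal"))
            and not st.get("Condition")]


# Constructed samples in the CLI output shape (no real bucket or account).
SAMPLE_ACL = json.dumps({"Owner": {"ID": "owner-id-example"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
]})
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Feed it the actual CLI output for each bucket; an empty result from both functions is what you want, and the first hit is the one to fix before a researcher finds it for you.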
Summary:
A US Senate bill aimed at limiting NSA's ability to spy on US phone
data failed to advance after a year of debate. According to the
article, the domestic phone surveillance has not thwarted any
terrorist attacks, but many Republican senators felt that the
potential of deterrence overrode any civil liberties considerations.
Summary:
Do Americans voluntarily give up some privacy when they dial a number on a cell
phone? That is the subject of a case before the Supreme Court. Law enforcement
currently has warrantless access to called numbers, but in today's world,
the "phone company" owns a huge amount of personal data about people's
communication and movements. Does law enforcement engage in unreasonable
search when it demands this information? The court will rule on this
basic privacy issue.
Summary:
What does the US government do when it discovers a vulnerability in a computer
system or app? You can find out by reading the "Vulnerabilities Equities Policy
and Process for the United States Government" for yourself. The policy and process
have been secret for many years, but now the Equities Review Board has released
the information.
The head of the ERB is an NSA employee.