Palantir got hacked!
If you read the gripping tale of an ultra-secret, presumably hyper-secure, intelligence agency-friendly, third-most-valuable-unicorn startup getting utterly “dominated” by hackers that BuzzFeed published Friday, and your takeaway was—gasp!—how could such a company get so utterly compromised, then you were misled. (The company had hired white hat hackers, mind you—aka the good kind.)
Here’s the trite truth: Most penetration testing consultancies claim near 100% success rates when attempting to crack open corporate networks. Red teams (attackers) nearly always defeat blue teams (defenders). That Palantir succumbed to the cyber squad it hired specifically to discover its vulnerabilities is no surprise. That’s how it goes.
The ease of breaching data is a problem that plagues companies everywhere—not unique to Palantir. In fact, one could argue that Palantir should be praised for conducting such proactive testing—as not every company does—and for having an “excellent” response, as the organization called in to conduct the hack said. Nice work, PALs. Patch up and keep at it.
In reading the account, you may have missed the most important paragraph, tucked away among others breathlessly describing the assault. Here it is:
Virtually every company is vulnerable to hacks, to varying degrees. In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source. That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws. The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.
Why single out this one company? As a reporter, I get it. The implication is that if Palantir can be hacked, then A) anyone can be hacked and B) it probably has been hacked already—especially considering the highly confidential government work they handle as well as the persistence of the United States’ adversaries. Even a company as locked down as Palantir has holes.
(What’s most worrisome: where did that leaked pentest report come from?)
To BuzzFeed’s credit, the story does an excellent job detailing how hackers can make their way around a computer network, hopping from node to node, compromising accounts and servers, and escalating an attack along the way. Still it does a disservice in blasting a firm for taking the very measures it should to learn about and fix its weaknesses.
Anyway, that’s my two cents. Have a great weekend, folks; and a happy Father’s Day to whom it applies. More news below.
Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’sdaily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Blue Coat sells to Symantec. Bain Capital, the investment firm that acquired the cybersecurity firm Blue Coat for $2.4 billion a year ago, decided to sell it to the aging antivirus software giant for $4.65 billion this week. Instead of prepping for an initial public offering, as had been planned, the company's CEO, Greg Clark, will assume control of Symantec. (Fortune)
Devastating hack hits Ether. The world's second-most highly valued cryptocurrency suffered a devastating blow on Friday. Hackers stole more than $50 million worth of Ether, a digital money brother to Bitcoin, from the coffers of a promising project known as the Decentralized Autonomous Organization, a leaderless venture capital firm run by anyone who wanted to get involved. The fate of the project—and Ether—is uncertain. (New York Times)
Democratic National Committee plundered. Hackers broke into the computer network of the Democratic National Committee and stole the party's opposition research on Republican presidential candidate Donald Trump, among other documents. Most experts believe Russia sponsored the attack, though an online persona dubbed "Guccifer 2.0"—a nod to another notorious political hacker—claimed responsibility. (Fortune, Fortune, Gawker)
Pentagon ends bug bounty. The Department of Defense concluded its bug bounty program on Friday. Hackers that participated in the crowdsourced cybersecurity program found more than 138 valid and unique vulnerabilities in the government branch's public facing website. The Pentagon paid out $71,200 in rewards. (Defense Department)
Anonymous retaliates for Orlando attack. A team of hackers led by the national security-oriented online persona "WauchulaGhost" hacked 250 pro-ISIS Twitter accounts. The crew replaced the terrorist sympathizers' content with pro-LGBT media as a statement against the shooting in an Orlando nightclub. (Fortune)
Microsoft fixes terrible security flaw. The tech giant dished out $50,000 to a hacker for reporting a software bug that allowed attackers to take total control of Windows-based computers. Yang Yu, director of Chinese media giant Tencent's security lab, discovered the vulnerability, dubbed "BadTunnel." Microsoft issued a patch to fix the problem, which affected the company's Internet browsers, on Tuesday. (Fortune)
By the way, the #opsec fail of the week goes to...Snapchat CEO Evan Spiegel! Congrats, Evan—nice shades.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Fortune's Benjamin Snyder explains why dozens of State Department officials are unhappy with the way America has addressed the Syrian Civil War.
Dozens of State Department employees have endorsed an internal document that advocates U.S. military action to pressure Syria’s government into accepting a cease-fire and engaging in peace talks, officials said Thursday. The position is at odds with U.S. policy.
The “dissent channel cable” was signed by about 50 mostly mid-level department officials who deal with U.S. policy in Syria, according to officials who have seen the document. It expresses clear frustration with America’s inability to halt a civil war that has killed perhaps a half-million people and contributed to a worldwide refugee crisis, and goes to the heart of President Barack Obama’s reluctance to enter the fray.
Obama called for regime change early on in the conflict and threatened military strikes against Syrian forces after blaming President Bashar Assad for using chemical weapons in 2013. But Obama only has authorized strikes against the Islamic State and other U.S.-designated terror groups in Syria. Read the rest on Fortune.com.
FORTUNE RECON
ONE MORE THING
Don't use these words when emailing Goldman Sachs. A leaked document reveals a number of words and phrases that set off compliance alarms at the investment bank. Some of the triggers include: "bad to worse," "cover our losses," and pretty much anything involving a cuss word. (Fortune, CNBC)
