After rewatching the early Star Wars films in anticipation of the latest theatrical release, I have reached a conclusion: the Galactic Empire is terrible at cybersecurity. (Don’t worry; I haven’t seen Rogue One: A Star Wars Story yet, so no spoilers.)
Fran Brown, a managing partner at the cybersecurity firm Bishop Fox, tipped me off in a whimsical blog post on his company’s website. His assessment points out a glaring oversight in the architecture of the Death Star’s software environment. In his view, the ultimate destruction of the doomsday device is attributable to poor network segmentation. Yes, really.
Consider the design of the Death Star’s IT systems. R2-D2, the franchise’s inquisitive bleep-blooping droid, repeatedly connects to the weapon’s open and unsecured ports and gains unrestricted access to sensitive data and operations. The robot runs amok, gleaning critical information about the station’s technology and secrets, like how to kill a pesky tractor beam’s power generator or the whereabouts of certain political prisoners (i.e. Princess Leia). R2’s work eventually allows the band of rebels—the same ones that later blow up the Death Star—to escape.
There are no firewalls, no authorization requirements, no security policies to speak of. “Plug in,” Jedi master Obi-Wan Kenobi orders the wheeled hacker inside a control room in Episode IV: A New Hope, “we should be able to interpret the entire imperial network!” Emphasis mine.
Either R2-D2 is the most sophisticated code-cracker in the galaxy, or the Empire failed to properly secure its computer network. Given how many organizations make similarly ruinous mistakes—look no further than Yahoo, which this week revealed that it suffered the largest data breach on record—I will hazard a guess that ordinary carelessness is to blame.
In the words of another Jedi master: Do, or do not. There is no try.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’sdaily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Russia voted Trump. Despite reports of disagreement among federal agencies over Russia's intentions during the presidential election, bosses at the FBI and CIA and the Director of National Intelligence are in agreement, unnamed U.S. officials told the Washington Post. They believe that that Moscow sought to aid the campaign of GOP candidate Donald Trump, though Trump himself remains dismissive of the claim. After calling for a review of foreign influence operations as they pertain to the past three U.S. presidential elections, President Barack Obama also vowed to "take action" in response to the Kremlin's meddling. (Washington Post, NBC News)
Yahoo's record-breaking breach. The Internet giant disclosed the biggest data breach of all time, as far as anyone knows, this week. The theft of customer information took place in August 2013 and affects more than a billion accounts. Stolen data included names, email addresses, telephone numbers, hashed passwords, and security questions. Verizon is said to be seeking a discount on its possible acquisition. (Fortune, Reuters, Fortune)
J.P. Morgan bank robber apprehended. The Feds cuffed one of the alleged leaders of a criminal ring that robbed one of the United State's biggest banks of 83 million customer records in 2014. Joshua Aaron, one of people nine facing charges for the hack, also allegedly broke into E*Trade Financial and Scottrade. (Reuters)
Quest Diagnostics reveals breach. The medical lab company disclosed a breach affecting 34,000 customers this week. Hackers made off with health care data, such as lab results, by hacking a database of electronic records associated with the company's mobile app, called MyQuest by Care360. No financial information, including Social Security and payment card numbers, were stolen, Quest said. (Fortune)
Also, the New York Times'rundown of the evidence implicating Russian hackers for influencing the election is worth a read.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Fortune's Jeff John Roberts sat down with Cindy Cohn, executive director of the Electronic Frontier Foundation, for a discussion about online civil liberties in wake of the presidential election.
Cindy Cohn has a lot to do. The bespectacled 53-year-old civil rights lawyer has her hands full in her new job overseeing the digital advocacy work of the Electronic Frontier Foundation, a sort of ACLU for the tech set. Now there’s an extra sense of urgency.
Donations have doubled since the election as supporters turn to the EFF to defend the Internet during a Trump presidency. Even though the President-elect has yet to make formal policy pronouncements, his comments about surveillance and apparent hostility to the tech sector are causing many in Silicon Valley to fear the worst. Read more on Fortune.com.
FORTUNE RECON
Russian Email Hack Sounds Ridiculous But Is Totally Believable, by Mathew Ingram
Uber Security Head Warns Staff After Latest Tracking Controversy, by Jeff John Roberts and Kia Kokalitcheva
Evernote Is Backtracking on Its Controversial New Privacy Policy, by Jonathan Vanian
Twitter Pulls Data Access for Police Surveillance Tools, by David Z. Morris
Donald Trump Says He Doesn't Need Daily Intelligence Briefings Because He's a 'Smart Guy', by Mahita Gajanan
ONE MORE THING
Recommending a password manager. LastPass takes the crown as the best password manager on the market, according to the New York Times' product reviews site Wirecutter. The computer security tool, which generates and stores strong, unique passphrases, won out in a matchup against eight contenders including runner-ups 1Password and Dashlane. Offering most of its services for free pushed LastPass into the top spot. (Wirecutter)
