Slashdot security articles


Quest Diagnostics, One of the Biggest Blood Testing Providers In US, Says Up To 12 Million Patients May Have Had Info Stolen

Mon, 06/03/2019 - 16:50
JustAnotherOldGuy writes from a report via NBC New York: Did your personal, medical, or financial data just get hacked? Quest Diagnostics, one of the biggest blood testing providers in the country, warned Monday that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors. In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018 and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)," Quest said in a filing.

Apple Still Has Problems With Stopping Synthetic Clicks

Mon, 06/03/2019 - 06:07
Synthetic events remain a big security hole for macOS in spite of Apple's recent efforts to prevent malicious applications from abusing this feature. From a report: Speaking at the second edition of the Objective by the Sea security conference that was held in Monaco over the weekend, Patrick Wardle, a well-known Apple security expert, has revealed a zero-day impacting Apple's macOS operating system, including the new version launched today. The zero-day is a bypass of the security protections that Apple has put in place to prevent unauthorized access to synthetic events. Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language. [...] For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events. He previously showed two methods[1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default. But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again. "It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click." The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist. This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.

To Protect Secrets, US Won't Charge Assange Over Exposing CIA Tools, Reports Politico

Sun, 06/02/2019 - 14:25
Some interesting news from Politico. America's Justice Department will still prosecute Julian Assange for allegedly assisting Chelsea Manning, and for 17 counts of violating the Espionage Act -- but "has decided not to charge Julian Assange for his role in exposing some of the CIA's most secret spying tools, according to a U.S. official and two other people familiar with the case." It's a move that has surprised national security experts and some former officials, given prosecutors' recent decision to aggressively go after the WikiLeaks founder on more controversial Espionage Act charges that some legal experts said would not hold up in court. The decision also means that Assange will not face punishment for publishing one of the CIA's most potent arsenals of digital code used to hack devices, dubbed Vault 7. The leak -- one of the most devastating in CIA history -- not only essentially rendered those tools useless for the CIA, it gave foreign spies and rogue hackers access to them... [P]rosecutors were worried about the sensitivity of the Vault 7 materials, according to an official familiar with the deliberations over whether to charge Assange. Broaching such a classified subject in court risks exposing even more CIA secrets, legal experts said.

Should Companies Abandon Their Password Expiration Policies?

Sun, 06/02/2019 - 10:34
In his TechCrunch column, software engineer/journalist Jon Evans writes that last month "marked a victory for sanity and pragmatism over irrational paranoia." I'm talking about Microsoft finally -- finally! but credit to them for doing this nonetheless! -- removing the password expiration policies from their Windows 10 security baseline... Many enterprise-scale organizations (including TechCrunch's owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy. To quote Microsoft: "Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives... If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem... If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven't implemented modern mitigations, how much protection will they really gain from password expiration...?" Perfect security doesn't exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it's best to keep those rules to a minimum, and get rid of the ones that don't make sense. Password expiration is one of those. Goodbye to it, and good riddance. Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. "And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos." 
But if your company still has a password expiration policy, he suggests mailing Microsoft's blog post to your sys-admin. "They will ignore you at first, of course, because that's what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security -- but they may grudgingly begin to accept that the world has moved on."

NLNet Funds Development of a Libre RISC-V 3D CPU

Sun, 06/02/2019 - 08:34
The NLNet Foundation is a non-profit supporting privacy, security, and the "open internet". Now the group has approved funding for the hybrid Libre RISC-V CPU/VPU/GPU, which will "pay for full-time engineering work to be carried out over the next year, and to pay for bounty-style tasks." Long-time Slashdot reader lkcl explains why that's significant: High security software is irrelevant if the hardware is fundamentally compromised, for example with the Intel spying backdoor co-processor known as the Management Engine. The Libre RISCV SoC was begun as a way for users to regain trust and ownership of the hardware that they legitimately purchase. This processor will be the first of its kind, as the first commercial SoC designed to give users the hardware and software source code of the 3D GPU, Video Decoder, main processor, boot process and the OS. Shockingly, in the year 2019, whilst there are dozens of SoCs with full source code that are missing either a VPU or a GPU (such as the TI OMAP Series and Xilinx ZYNQ7000s), there does not exist a single commercial embedded SoC which has full source code for the bootloader, CPU, VPU and GPU. The iMX6 for example has etnaviv support for its GPU however the VPU is proprietary, and all of Rockchip and Allwinner's offerings use either MALI or PowerVR yet their VPUs have full source (reverse engineered in the case of Allwinner). This processor, which will be quad core dual issue 800mhz RV64GC and capable of running full GNU/Linux SMP OSes, with 720p video playback and embedded level 25fps 3D performance in around 2.5 watts at 28nm, is designed to address that imbalance. Links and details on the Libre RISC-V SoC wiki. The real question is: why is this project the only one of its kind, and why has no well funded existing Fabless Semiconductor Company tried something like this before? The benefits to businesses of having full source code are already well-known.

The Invention of USB, 'The Port That Changed Everything'

Sun, 06/02/2019 - 07:34
harrymcc shares a Fast Company article about "the generally gnarly process once required to hook up peripherals" in the late 1990s -- and one Intel engineer who saw the need for "one plug to rule them all." In the olden days, plugging something into your computer -- a mouse, a printer, a hard drive -- required a zoo of cables. Maybe you needed a PS/2 connector or a serial port, the Apple Desktop Bus, or a DIN connector; maybe a parallel port or SCSI or Firewire cable. If you've never heard of those things, and if you have, thank USB. When it was first released in 1996, the idea was right there in the first phrase: Universal Serial Bus. And to be universal, it had to just work. "The technology that we were replacing, like serial ports, parallel ports, the mouse and keyboard ports, they all required a fair amount of software support, and any time you installed a device, it required multiple reboots and sometimes even opening the box," says Ajay Bhatt, who retired from Intel in 2016. "Our goal was that when you get a device, you plug it in, and it works." It was at Intel in Oregon where engineers made it work, at Intel where they drummed up the support of an industry that was eager to make PCs easier to use and ship more of them. But it was an initial skeptic that first popularized the standard: in a shock to many geeks in 1998, the Steve Jobs-led Apple released the groundbreaking first iMac as a USB-only machine. The faster speeds of USB 2.0 gave way to new easy-to-use peripherals too, like the flash drive, which helped kill the floppy disk and the Zip drive and CD-Rs. What followed was a parade of stuff you could plug in: disco balls, head massagers, security keys, an infinity of mobile phone chargers. There are now by one count six billion USB devices in the world. The article includes a thorough oral history of USB's development, and points out there's now also a new reversible Type-C cable design. 
And USB4, coming later this year, "will be capable of achieving speeds upwards of 40Gbps, which is over 3,000 times faster than the highest speeds of the very first USB." "Bhatt couldn't have imagined all of that when, as a young engineer at Intel in the early '90s, he was simply trying to install a multimedia card."

Is Facebook Already Working On An Encryption Backdoor?

Sat, 06/01/2019 - 23:34
Horst Seehofer, Germany's federal interior minister, wants to require encryption companies to provide the government with plain text transcripts. One security expert says Facebook is already working on a way to make it happen. An anonymous reader quotes his remarks in Forbes: The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption... While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform. Even more worryingly, Facebook's presentation alluded to the company's need to covertly harvest unencrypted illicit messages from users' devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content. 
While it stopped short of saying it was actively building such a backdoor, the company noted that when edge content moderation flagged a post in an end-to-end encrypted conversation as a violation, the company needed to be able to access the unencrypted contents to further train its algorithms, which would likely require transmitting an unencrypted copy from the user's device directly to Facebook without their approval. Could this be the solution Germany has been searching for? The article warns that by "sparking the idea of being able to silently harvest those decrypted conversations on the client side, Facebook is inadvertently telegraphing to anti-encryption governments that there are ways to bypass encryption while also bypassing the encryption debate."

A German Minister Wants To Ban End-to-End Chat Encryption

Sat, 06/01/2019 - 06:34
An anonymous reader quotes the Next Web: According to Spiegel Online, the country's Federal Interior Minister, Horst Seehofer, wants encrypted messaging services like WhatsApp and Telegram to provide chat logs in plain text to the authorities. Since these services come with end-to-end encryption, the companies will have to break the encryption and provide a backdoor to give access to the texts. Wired adds that "This is obviously incompatible with end-to-end encryption, used by services such as Signal, WhatsApp and Telegram and, if passed, such a law would effectively ban secure encryption for instant messaging." Some commenters on Bruce Schneier's site suggest this is just political grandstanding. An analysis from the Carnegie Endowment for International Peace, a foreign policy think tank, argues that this would be a major change from Germany's stance on encryption over the last two decades: Instead of focusing on regulating encryption itself, Germany has worked to enable its security agencies to conduct hacking. It has even passed a legal framework tailored to government hacking operations... The legal debate eventually led to a landmark supreme court ruling emphasizing the government's responsibility for the integrity of information technology systems. The conversation is far from over, with some supreme court cases still pending in regard to recent legislation on the lawful hacking framework.

Russian Military Moves Closer To Replacing Windows With Astra Linux

Sat, 06/01/2019 - 05:00
An anonymous reader quotes a report from ZDNet: Russian authorities have moved closer to implementing their plan of replacing the Windows OS on military systems with a locally-developed operating system named Astra Linux. Last month, the Russian Federal Service for Technical and Export Control (FSTEC) granted Astra Linux the security clearance of "special importance," which means the OS can now be used to handle Russian government information of the highest degree of secrecy. Until now, the Russian government had only used special versions of Windows that had been modified, checked, and approved for use by the FSB. Astra Linux is a Debian derivative developed by Russian company RusBITech since 2008, the report says. "RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors."

Google Struggles To Justify Why It's Restricting Ad Blockers In Chrome

Fri, 05/31/2019 - 16:10
An anonymous reader quotes a report from Vice News: Google has found itself under fire for plans to limit the effectiveness of popular ad blocking extensions in Chrome. While Google says the changes are necessary to protect the "user experience" and improve extension security, developers and consumer advocates say the company's real motive is money and control. In the wake of ongoing backlash to the proposal, Chrome software security engineer Chris Palmer took to Twitter this week to claim the move was intended to help improve the end-user browsing experience, and paid enterprise users would be exempt from the changes. Chrome security leader Justin Schuh also said the changes were driven by privacy and security concerns. Adblock developers, however, aren't buying it. uBlock Origin developer Raymond Hill, for example, argued this week that if user experience was the goal, there were other solutions that wouldn't hamstring existing extensions. "Web pages load slow because of bloat, not because of the blocking ability of the webRequest API -- at least for well crafted extensions," Hill said. Hill said that Google's motivation here had little to do with the end user experience, and far more to do with protecting advertising revenues from the rising popularity of adblock extensions. The team behind the EFF's Privacy Badger ad-blocking extension also spoke out against the changes. "Google's claim that these new limitations are needed to improve performance is at odds with the state of the internet," the organization said. "Sites today are bloated with trackers that consume data and slow down the user experience. Tracker blockers have improved the performance and user experience of many sites and the user experience. Why not let independent developers innovate where the Chrome team isn't?"

Microsoft Warns 1 Million Computers Are Still Vulnerable To Major Windows Security Exploit

Fri, 05/31/2019 - 15:30
Earlier this month, Microsoft revealed a major Windows security vulnerability that could see a widespread "wormable" attack that spreads from one vulnerable computer to the next. "While Microsoft has released patches for Windows systems, even for older server and Windows XP machines, recent reports have revealed there are at least 1 million systems connected to the internet that can be attacked," reports The Verge. "Microsoft is confident that an exploit exists for this vulnerability," warns Simon Pope, director of incident response at Microsoft's Security Response Center (MSRC). "It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods." From the report: Pope notes that it was nearly two months after the release of patches for the previous EternalBlue exploit when WannaCry attacks began, and despite having 60 days to patch systems, a lot of machines were still infected. The EternalBlue exploit was leaked publicly, allowing hackers to create malware freely. This new BlueKeep flaw hasn't yet been publicly disclosed, but that doesn't mean there won't be malware. "It is possible that we won't see this vulnerability incorporated into malware," says Pope. "But that's not the way to bet."

New York Schools Will Test Facial Recognition On Students Despite Objections From State

Fri, 05/31/2019 - 13:30
An anonymous reader quotes a report from BuzzFeed News: A New York school district will move forward with its facial recognition pilot program next week, despite an explicit order from the New York State Education Department that it wait until a standard for data privacy and security for all state educational agencies is finalized. On Friday, the Lockport school district said it was "confident" that the data collection policy for its facial recognition system was sound enough that it could begin testing it on campuses June 3. "[State Education Department] representatives previously communicated to the District their recommendation that the System not become operational until the dialogue between the District and SED with regard to student data security and privacy is complete," the statement, sent by district director of technology Robert LiPuma to BuzzFeed News, said. "However, the District's Initial Implementation Phase of the System (which will commence June 3, 2019 and continue through August 31, 2019) will not include any student data being entered into the System database or generated by the System." Reached by phone, JP O'Hare, a representative of the New York State Education Department, would not say whether the department knew Lockport planned to go ahead with its facial recognition test in spite of the department's request for a delay. Lockport said that its facial recognition system should not be a privacy concern because it "does not compile information on and track the movements of all District students, staff and visitors." Instead, the system is "limited to identifying whether an individual whose photograph has been entered into the System database is on District property (i.e., is visible on one of the District's security cameras)." But it also said the individuals who may be entered into the database included those who are prohibited from being on District property, "such as suspended students or staff."

Following US Huawei Ban, China Threatens Own Blacklist For Foreign Firms

Fri, 05/31/2019 - 06:00
Odds of the U.S. and China cooling off their trade war further diminished on Friday after the world's most populous nation said it would create a list of "unreliable" foreign firms of its own. From a report: Gao Feng, a spokesman of China's commerce ministry, said today that the nation will create an "entity list" that will include, in part, foreign companies that have stopped or curtailed their businesses with Chinese firms. "Foreign enterprises, organizations or individuals that do not comply with market rules, deviate from a contract's spirit or impose blockades or stop supplies to Chinese enterprises for non-commercial purposes, and seriously damage the legitimate rights and interests of Chinese enterprises, will be included on a list of 'unreliable entities,'" he was quoted as saying by state-owned local media. The retaliation comes weeks after the U.S. Commerce Department enlisted Huawei and 68 affiliates in an entity list over national security concerns, thereby requiring American companies to take approval from the government before conducting business with Chinese firms.

Advanced Linux Backdoor Found In the Wild Escaped AV Detection

Thu, 05/30/2019 - 16:50
Researchers have discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks. Ars Technica reports: HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer's post went live, the VirusTotal malware service indicated HiddenWasp wasn't detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared. Some of the evidence analyzed -- including code showing that the computers it infects are already compromised by the same attackers -- indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It's not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies. Some of the code appears to be borrowed from Mirai, while other code has similarities to other established projects or malware including the Azazel rootkit, the ChinaZ Elknot implant, and the recently discovered Linux variant of Winnti, a family of malware that previously had been seen targeting only Windows.

Apple, Google and WhatsApp Condemn GCHQ Proposal To Eavesdrop on Encrypted Messages

Thu, 05/30/2019 - 06:40
Tech giants, civil society groups and Ivy League security experts have condemned a proposal from Britain's eavesdropping agency as a "serious threat" to digital security and fundamental human rights. From a report: In an open letter to GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp have jointly urged the U.K. cybersecurity agency to abandon its plans for a so-called "ghost protocol." It comes after intelligence officials at GCHQ proposed a way in which they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users. Details of the initiative were first published in an essay by two of the U.K.'s highest cybersecurity officials in November 2018. Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis (the technical term for codebreaking), put forward a process that would attempt to avoid breaking encryption. The pair said it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call."

Gmail's Confidential Mode Will Be On By Default For G Suite Users Starting June 25th

Wed, 05/29/2019 - 17:25
Google's new confidential mode is rolling out to G Suite users and will be turned on by default starting on June 25th. Personal account holders have been able to use this feature since Gmail's mid-2018 redesign, but Gmail users at work have not. "Confidential mode is a powerful tool that will come in handy at work if you send messages containing sensitive details," reports The Verge. "It lets you set an expiration date for your message, which cuts off access when that day arrives. While the message is available, recipients won't be able to forward your message to others, copy its contents, or download it, and the sender can revoke access at any point. To add another layer of security, you can set the message to only unlock after the recipient types in an SMS verification code that's sent to their phone number." Slashdot reader shanen reacts: Apparently the Google of supreme evil has decided they need to try to force this confidential-mode email down people's throats. I think that's actually a gigantic business opportunity for Outlook, assuming they actually want to offer a superior email system. The fundamental premise of confidential mode is "We want to communicate with you, but we don't trust you," and my fundamental response is GFY. The ONLY thing I want is an option to reject all confidential-mode email. (However, I'm sure Microsoft is too evil to offer that option because they don't trust their own employees and have to eat their own poison dog food.) (Well, actually there are several other improvements I want from email, such as a bounce for no-reply email.)

Nuke Retirements Could Lead To 4 Billion Metric Tons of Extra CO2 Emissions, Says IEA

Wed, 05/29/2019 - 16:02
An anonymous reader quotes a report from Ars Technica: A report released today by the International Energy Agency (IEA) warns world leaders that -- without support for new nuclear power or lifetime extensions for existing nuclear power plants -- the world's climate goals are at risk. "The lack of further lifetime extensions of existing nuclear plants and new projects could result in an additional four billion tonnes of CO2 emissions," a press release from the IEA noted. The report is the IEA's first report on nuclear power in two decades, and it paints a picture of low-carbon power being lost through attrition (due to the retirement of aging plants) or due to economics (extremely cheap natural gas as well as wind and solar undercutting more expensive nuclear power for years in some regions). Around the world, 452 nuclear reactors provided 2,700 terawatt-hours (TWh) of electricity in 2018. This makes nuclear a significant source of low-carbon energy on a global level. While 11.2 gigawatts (GW) of nuclear power were connected to the grid last year, all of the new capacity was located in China or Russia. "Without additional nuclear, the clean energy transition becomes more difficult and more expensive -- requiring $1.6 trillion of additional investment in advanced economies over the next two decades," IEA says. "Critically, a major clean energy shortfall would emerge by 2040, calling on wind and solar PV to accelerate deployment even further to fill the gap."

Huawei Asks Court To Declare US Government Ban Unconstitutional

Wed, 05/29/2019 - 10:05
Huawei is stepping up its fight against American bans. From a report: The tech giant has motioned for a summary judgment in its lawsuit to invalidate Section 889 of the 2019 National Defense Authorization Act, arguing that it violates the "Bill of Attainder, Due Process and Vesting" clauses of the US Constitution. The law explicitly bans Huawei by name despite "no evidence" of a security risk, Huawei's Song Liuping said, and bans third-party contractors who buy from Huawei even when there's no link to the US government. The company also preemptively tried to dismiss claims that there are facts up for dispute. This is a simple "matter of law," according to lead counsel Glen Nager.

Flipboard Says Hackers Stole User Details

Wed, 05/29/2019 - 08:42
Flipboard, a news aggregator service and mobile news app, notified users this week of a security incident during which hackers had access to internal systems for more than nine months. From a report: In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information. Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services. The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.

'We're Not Being Paranoid': US Warns Of Spy Dangers Of Chinese-Made Drones

Wed, 05/29/2019 - 06:40
Drones have become an increasingly popular tool for industry and government. But the Department of Homeland Security is warning that drones manufactured by Chinese companies could pose security risks, including that the data they gather could be stolen. From a report: The department sent out an alert on the subject on May 20, and a video on its website notes that drones in general pose multiple threats, including "their potential use for terrorism, mass casualty incidents, interference with air traffic, as well as corporate espionage and invasions of privacy." "We're not being paranoid," the video's narrator adds. Most drones bought in the U.S. are manufactured in China, with most of those drones made by one company, DJI Technology. Lanier Watkins, a cyber-research scientist at Johns Hopkins University's Information Security Institute, said his team discovered vulnerabilities in DJI's drones. "We could pull information down and upload information on a flying drone," Watkins said. "You could also hijack the drone." The vulnerabilities meant that "someone who was interested in, you know, where a certain pipeline network was or maybe the vulnerabilities in a power utilities' wiring might be able to access that information," he noted.