So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies, passing them information such as vulnerability details and hardware and software specifications, and giving them access to overseas facilities and data.

In return, Bloomberg claims, the agencies give the companies information about foreign attacks on their systems. Google is cited as an example of this, with Sergey Brin allegedly having been invited to sit in on a secret intelligence briefing after an attack by Chinese hackers in 2010. Of course, the companies aren’t the only sources of useful flaws — security expert and activist Christopher Soghoian detailed late last year how some security researchers sell vulnerability information to governments for large sums of cash too. “This is the [U.S.] government buying a flaw without the intention of fixing it,” Soghoian explained in his Harvard University presentation. (Thanks to Jeff Ausloos for alerting me to that one.)

Backbone hacking

The Bloomberg report also notes claims recently made by NSA leaker Edward Snowden that the U.S. hacks network backbones in China and Hong King. Although the evidence for this “Blarney” program appears scantier than that for PRISM, the gist is that the scheme captures metadata from internet-connected devices such as computers and smartphones around the world, including OS version, Java software version and browser. Again, this would make it easier for the agencies to target and hack such devices.

On the domestic front, the piece also claims a security system called Einstein 3, which is meant to protect U.S. government systems, can “expose the private content of the emails under certain circumstances.”

Who’s the customer?

But it’s the claims about U.S. tech vendors and their apparently voluntary information exchange with the country’s spy agencies that will most bother governments and their public sector organizations around the world.

Microsoft spokesman Frank Shaw seemingly confirmed this cooperation in the Bloomberg article, saying the early release of vulnerability information helps to give the U.S. government an “early start” in protecting its systems. Other “trusted partners” reportedly include Intel’s security business McAfee, which apparently acts as a consultant of sorts to spy agencies wanting to know more about network architectures around the world.

There’s no suggestion that any of this data-sharing is illegal – but for many governmental customers around the world it will suggest that their vendors have undisclosed interests that don’t align with their own. For some in the U.S. tech industry, these revelations may turn out to be as damaging as PRISM, if not more so.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• In Q3, Big Data Meant Big Dollars
• Connected consumer first-quarter 2013: Analysis and outlook
• Cloud and data first-quarter 2013: analysis and outlook

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Cloud computing infrastructure: 2012 and beyond
• Forecasting the future cloud computing market
• Infrastructure Q1: IaaS Comes Down to Earth; Big Data Takes Flight

“Cyber threats are … probably as insidious and real a threat [as there is] to the United States, as well as China, by the way, and every nation,” Hagel said according to a Reuters report. Hagel talked to reporters while traveling to a security event in Singapore on Saturday where he will meet with Chinese representatives.

China has been fingered by many — including some in the U.S. government — as the source of recent cyber attacks on Defense Department contractors. In the most recent incident, the U.S. claims that Chinese hackers stole designs for key high-tech weapons designs including the Patriot missile, the FA-18 fighter jet; and the F-35 Joint Strike Fighter. China has repeatedly denied these charges. 

As GigaOM reported last week, paranoia around data security was fanned with the release of a new report (PDF) from the Commission on the Theft of American Intellectual Property which estimated that the theft of IP costs the U.S. economy $300 billion annually.

It would make sense that Hagel would want to shift focus to how both superpowers are at risk from cyber theft rather than publicly pointing the finger at China, which may be the largest foreign owner of U.S. government debt.. the largest holder of U.S. debt.

This story was updated at 2:47 p.m. PDT to show that China is not the biggest holder of U.S. debt, but may be the largest foreign holder of that debt. Some accounts have put Japan above China on that scale, however. In either case, China is a huge creditor.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Will cloud computing push the BRIC market to the front?
• Dissecting the data: 5 issues for our digital future

The new features from HootSuite are meant for the company’s enterprise clients, which can take advantage of three different options: a “social media asset audit,” which tries to prevent weaknesses around shared passwords; alerts when suspicious activity happens on an account; and crisis management training to help people understand what to do in case of an emergency.

The package of products seems like an extremely smart idea from HootSuite, especially considering recent hacks, and they’ll be launching for the company’s enterprise clients immediately. But it does beg the question why Twitter itself doesn’t offer any of these services. The company finally rolled out two-factor authentication to users this month, which we wrote before was a much-needed feature. But the variety of services HootSuite will be offering show just how much more Twitter could do.

We’ve now seen strong indication that a hacked Twitter account can cause both incredible personal damage to individual users whose accounts are compromised, and have financial and security fallout when larger organizations like the AP are hacked. With tweets feeding into Bloomberg terminals and affecting the stock market, it’s clear that there is real value to made in breaching accounts.

Twitter itself acknowledges that it’s been slow to add these kinds of security features — at the D11 conference on Wednesday CEO Dick Costolo said, “we haven’t moved as quickly there as we wanted to.” But perhaps savvy moves from companies like HootSuite will give Twitter just the push it needs.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Frenemy mine: The pros and cons of social partnerships for online media companies
• Content monetization: News licensing and syndication still need marketplaces and infrastructure
• Survey: How apps can solve photo management

The feature, known as “two-factor” authentication, is already used by companies like Google and Apple and works by sending a pin code via text message to a user’s cell phone. Twitter has details and a tutorial video here.

The decision to add an extra security feature comes after hackers have repeatedly gained control of high profile Twitter feeds. The most prominent example occurred last month when hackers used the Associated Press’s account to say bombs had injured President Obama. The fake tweet roiled financial markets and led to calls for Twitter to improve its security features.

Attackers have also targeted CBS, the BBC and the Onion. The latter offered a candid account of how the hackers phished employees accounts and induced some of them, including a person with control over social media passwords to share log-in information.

Two factor authentication would likely have prevented those attacks because the attackers would have had to enter a password sent to the employee’s cell phone.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• Survey: How apps can solve photo management
• Sector RoadMap: Social customer service in 2013

A LivingSocial representative confirmed the hack with us, and said that the company would be contacting the more than 50 million users who might have been affected, sending them emails explaining what happened and encouraging them to reset their passwords. The hack affected all of the company’s users except those in South Korea, Thailand, Indonesia, and the Philippines, since data for those users is stored on different servers.

The hack comes as large consumer web companies are increasingly facing scrutiny regarding their security measures. In February Twitter reported that hackers may have accessed data on 250,000 user accounts, and LinkedIn was sued over a hacking incident last summer that exposed more than six million consumer passwords.

In a statement, O’Shaughnessy explains how the company was hacked and how that will affect customers:

“We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

Currently, visitors to LivingSocial’s website will notice a large red bar telling them to reset their passwords:

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Social first-quarter 2013: analysis and outlook
• Facebook’s IPO filing: ideas and implications
• NewNet Q4: Platform mania and social commerce shakeout

Many of these problems stem from the fact that the Fitbit uses plain HTTP in its communications, exposing usernames, passwords, and data to opportunistic attackers. A suite of tools to probe the Fitbit created by the researchers was able to capture data from any Fitbit tracker within a radius of 15 feet. Another type of attack they tested forced the Fitbit to attempt frequent data upload, draining the battery 21 times faster than with normal once a day uploading.

An additional problem the researchers identified is an absence of a data consistency check on the Fitbit and its associated online social network. For example, they were able to inject 12.6 million steps into a user account, which the system translated into only 0.02 miles traveled, based on the initial calibration to the user’s stride length. This kind of data injection could be exploited by cheats, people who don’t want to work for the badges and monetary rewards that are available to fitness over-achievers.

While such an attack on a given individual might seem far-fetched, hackers could be motivated to expose or misuse sensitive personal health data. The consequences of that exposure could be no more than embarrassment for the Fitbit’s owner, but the security and privacy ramifications could go much deeper for similarly vulnerable wireless devices used in larger settings by healthcare companies.

The researchers also highlighted a few more bizarre “mule” attacks, such as attaching the Fitbit to a spinning rope or a car wheel (you can “burn” about 350 calories in 20 minutes with the latter method).

To combat these attacks, they developed FitLock, a hacked together defense system that includes encryption. A data consistency check also verifies new uploads against stride length and basal metabolic rate so that number of steps, distance traveled, and calories burned correspond. According to the recently released research, this additional security results in a negligible increase in processing time of 37 ms, about 2.4 percent more than normal Fitbit overhead. They also propose an extra step to thwart mule attacks: using a smaller, more accurate GPS chip to tell whether location is not changing (rope attack) while steps are being taken, or when the location is changing far too much (wheel attack).

The attacks that are averted with FitLock are not unique to Fitbit or other sensing devices. Insulin pumps and cardiac defibrillators, for example, could be manipulated with the same methods, with much more dire consequences.

Disclosure: Fitbit is backed by True Ventures, a venture capital firm that is an investor in the parent company of GigaOM. Om Malik, founder of GigaOM, is also a venture partner at True.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• GigaOM Research highs and lows from CES 2013
• Analyzing the wearable computing market
• Connected world: the consumer technology revolution

In case you missed it, the AP’s Twitter account was suspended yesterday afternoon after the fake tweet — possibly posted by the Syrian army — caused a temporary shock to stock markets, which rely on news wires like the AP for up-to-date information.

On Wednesday morning, the AP announced its Twitter feed had returned and began tweeting ordinary news items (though initially forgetting to delete the hoax tweet):

The @AP Twitter account, which was suspended after being hacked, has been secured and is back up. Thank you for your patience. – @EricCarvin—
The Associated Press (@AP) April 24, 2013

Most of the account’s followers, however, appear to have disappeared. At the time of the hacking incident, the AP had nearly 2 million followers:

As of Wednesday morning at 9:30 ET, however, the AP account had fewer than 100,000 followers:

I’ve asked the AP for an explanation and am still waiting on a response. At this point,Twitter may be adding the followers back gradually; the 85,454 figure is almost double the number from earlier this morning.

Update: The AP says its social media editor ”was told by Twitter that it can take up to 24 hours for the follower count of a suspended account to return to normal.”

If the followers have indeed been wiped out, this would represent a serious blow for the AP. Like other news organizations, the AP relies heavily on social media outlets to disseminate its stories, and an organization’s (or person’s) number of Twitter followers can stand as proxy for influence.

The AP hacking incident has also led to calls for Twitter to introduce a security feature known as 2-step authentication.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

Twitter has since suspended the account and the AP issued the following statement: “Advisory: @AP Twitter account has been hacked. Tweet about an attack at the White House is false. We will advise more as soon as possible.”

The episode shows again, as it did during the Boston tragedy, the mischief that can occur as a result of huge number of people instantly relaying false information through false tweets. The Anonymous hacker news account, for instance, saw its reporting of the message retweeted almost 500 times:

Breaking: Two Explosions in the White House and Barack Obama is injured via @AP—
Anonymous (@YourAnonNews) April 23, 2013

In the last year, Twitter has become an essential news source not only for news outlets but for the financial community. This month, Bloomberg incorporated Twitter feeds into its terminals while the SEC gave companies the green light to use it for relating market moving news.

Update: The AP has since issued this tweet from a separate account associated with its political news outlet:

All, AP's Twitter accounts will be suspended until we can be assured of their security. Do not respond to any news posted by these accounts.—
AP Politics (@AP_Politics) April 23, 2013

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content monetization: News licensing and syndication still need marketplaces and infrastructure
• The future of mobile: a segment analysis by GigaOM Pro
• Survey: How apps can solve photo management

Following the demise of one proposal, the Cyber Intelligence Sharing and Protection Act (CISPA), the Obama administration has taken new steps with an executive order and a policy strategy. The executive order draws a roadmap for sharing more of its information with the private sector, and the strategy shows the intent to do more on diplomatic and intelligence fronts.

The Microsoft and Zendesk hacks follow others in recent weeks at Apple, Facebook, the New York Times, the Wall Street Journal and the Washington Post. Twitter said people had attempted to hack the site. And the security company Mandiant released a report providing details on a Shanghai-based division of the People’s Liberation Army of China that has stolen “hundreds of terabytes of data from at least 141 organizations,” almost all of which have headquarters in countries where English is the native language. Hackers even found a way to build a lure for a spear-phishing attack out of one version of the report.

President Barack Obama, in his State of the Union address last week, acknowledged that American companies have been hacked and said the country must not “look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” Obama’s executive order on cybersecurity, released on the same day as the president gave the speech, directs the government to release more, and more timely, information on cybersecurity threats. It calls for a framework for reducing “cyber risks” to critical infrastructure in the United States, and the framework will have to help owners and operators of that infrastructure manage the risk. In doing so, the government cannot pick one product or service as a cure-all; it claims to value a competitive marketplace. The order also mandates that owners or operators of critical infrastructure that could cause catastrophes if hacked will be confidentially contacted and be given a way to submit information to the federal government.

A week after the executive order, the Obama administration released a policy paper laying out steps for advancing cybersecurity. It says businesses should share best practices, and it states that the FBI and the State Department will do more to try to stop hacks of trade secrets. Elsewhere, it promises that several other federal agencies will continue to do what they have been doing toward that end.

Some people have argued that the executive order doesn’t do enough to improve cybersecurity. Then again, others like it much better than CISPA.

Regardless of what people think about it, the federal government’s efforts to respond to the hacks could prompt more companies to protect their own assets. It takes advantage of the good parts of CISPA but not the bad, which my colleague Derrick Harris has previously identified. And with news of more and more attacks coming to the fore, more companies could be inclined to try sharing information with the federal government for the purpose of the greater good. How bad could that be?

Oh, by the way, as a side effect of all of these attacks and the new federal policies, don’t be surprised to see more enterprises trying out security products that focus on infrastructure, such as Mandiant and Cylance, which I wrote about earlier this month. Look for more stealth-mode security startups jumping out of the shadows, too.

Feature image courtesy of Shutterstock user Tatiana Popova.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected consumer first-quarter 2013: Analysis and outlook
• A near-term outlook for big data
• Dissecting the data: 5 issues for our digital future