Cheap at twice the price?
$35 Million Penalty for Not Telling Investors of Yahoo Hack
US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo's "crown jewels."
The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen 'crown jewel' data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.
While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.
… Although Yahoo is no longer an independent company -- its financial holdings are in a separate company now called Altaba -- Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.
… In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.
… Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.
The purchase price was cut following revelations of the two major data breaches at Yahoo.
If it’s encrypted, it must be valuable?
Attacks on Encrypted Services
Encryption is one of the most basic necessities in the security arsenal. It’s what makes it possible for banks to offer online banking and funds transfers, or for consumers to make purchases online using their credit or debit cards. It’s what protects the public’s online interaction with government agencies or health care providers. It should surprise no one, however, that encrypted services are prime targets of DDoS attacks. Such services enable access to a wealth of personal, confidential and financial data. Identity thieves and cyber criminals can have a field day if they succeed in breaking web service encryption.
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government and education (EGE) respondents, 53 percent of detected attacks targeted encrypted services at the application layer. And 42 percent of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52 percent to 61 percent.
(Related) This is a One Time Pad.
… “It’s just a random three-digit number that corresponds to a sign and then we have 10 different cards with random numbers,” Iannetta said. “As soon as they [the MASN broadcast] zoomed in… we heard about it and switched cards immediately. We switched to a different card with a whole new set of numbers. There’s no way to memorize it. There’s a random-number generator spitting out a corresponding number [for the cards], and the coaches have the same cards.”
In explaining the process, Iannetta said he’ll look toward the dugout, see a coach use his fingers to send in the three-digit code and then look on his card for the corresponding call. It could be a throw over to first or nothing, no action. Iannetta said three-digit codes are never repeated in-game for the same call.
“If I get ‘1-4-3,’ and it’s a throw over to first base, we’ll never use ‘1-4-3’ again to throw over,” Iannetta said. “There will never be repetition… It’s pretty impossible to steal signs if you use the system we are using.”
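As an added illustration (my code, not from the article or the interview), here is a Python model of the card system Iannetta describes, showing why "never repeat" is exactly the one-time-pad property: a sign stealer who records each flashed code together with the action that follows it learns nothing when a code is never reused for the same call, but predicts reliably once a card is reused. The three calls, ten cards, and ten codes per call are assumptions.

```python
import random

# Constructed example, not from the article: the calls a coach might send in.
CALLS = ["throw over", "pitchout", "no action"]

def make_card(rng, codes_per_call=10):
    """One card: distinct random three-digit codes, each mapped to a call. The
    card is the shared key; rng stands in for the coaches' random-number generator."""
    codes = rng.sample(range(1000), codes_per_call * len(CALLS))
    return {f"{c:03d}": CALLS[i % len(CALLS)] for i, c in enumerate(codes)}

class SignSystem:
    """Coach side: ten cards, a current card, and the 'never repeat' rule."""

    def __init__(self, rng, one_time=True):
        self.rng, self.one_time, self.current = rng, one_time, 0
        self.cards = [make_card(rng) for _ in range(10)]
        self.used = set()  # (code, call) pairs already flashed this game

    def switch_card(self):
        """Done as soon as a card is exposed (e.g. a broadcast zooms in)."""
        self.current = (self.current + 1) % len(self.cards)

    def send(self, call):
        """Return the code to flash for `call`. In one-time mode a (code, call)
        pair is burned after one use; a card with no fresh code left is switched."""
        for _ in range(len(self.cards)):
            card = self.cards[self.current]
            fresh = [c for c, v in card.items() if v == call
                     and (not self.one_time or (c, call) not in self.used)]
            if fresh:
                code = self.rng.choice(fresh)
                self.used.add((code, call))
                return code
            self.switch_card()
        raise RuntimeError("all cards exhausted; issue new cards")

def run_game(one_time, pitches=150, seed=7):
    """Simulate a sign stealer who sees every flashed code and the action that
    follows, and predicts 'same action' whenever a code reappears. Returns the
    number of correct predictions: 0 under the one-time rule, many with reuse."""
    rng = random.Random(seed)
    system, seen, hits = SignSystem(rng, one_time), {}, 0
    for _ in range(pitches):
        call = rng.choice(CALLS)
        code = system.send(call)
        if seen.get(code) == call:  # code seen before with the same meaning
            hits += 1
        seen[code] = call
    return hits
```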
Very “James Bond.” Not research an amateur would undertake. Which intelligence service wanted this laptop enough to “show off” their hack?
Hotel Rooms Around the World Susceptible to Silent Breach
In 2003, researchers from F-Secure were attending a security conference in Berlin – specifically, the ph-neutral hacker conference – when a laptop was stolen from a locked hotel room.
More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system's logs that anyone had entered the room in their absence.
… F-Secure researchers told SecurityWeek, "Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states."
… With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace – and eventually they found one. It took thousands of hours' work over the last 15 years examining the system and looking for the tiniest errors of logic.
… In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket -- in a hotel elevator, for example.
Start ‘em young!
More than 1 million children in the United States were affected by identity theft last year, according to a new study highlighting what’s easily the most overlooked demographic impacted by breaches of personally identifiable information.
The study, released Tuesday by Javelin Strategy & Research, claims that in 2017, more than $2.6 billion in losses may be attributed to incidents of identity theft involving children. The out-of-pocket cost to families is estimated at over $540 million.
… The study, which was funded by theft-protection service Identity Guard, also found a “strong connection” between children who are bullied and those affected by fraud. Kids bullied online are nine times more likely to have their identities stolen, researchers found.
I’ve been telling (and telling and telling) my Computer Security students that management often does not know what is happening. How could anyone miss this?
Fajita heist: Texas man sentenced to 50 years for stealing $1.2 million worth of food
Gilberto Escamilla, 53, was employed at the Darrel B. Hester Juvenile Detention Center in San Benito, Texas, until August 2017 — when it was discovered that he had been placing orders for fajitas using county funds and then selling them for his own profit since December 2008, according to Cameron County Court filings.
… According to The Brownsville Herald, Escamilla's scheme unraveled last August after a delivery driver with Labatt Food Service phoned the detention center to give kitchen employees a heads up that an 800-pound delivery of fajitas had arrived.
Employees immediately thought the delivery to be suspicious, as minors at the detention center are not served fajitas; however, the delivery driver insisted that he had been delivering fajitas to the detention center's kitchen for the past nine years.
More on Facebook, et al.
From the better-late-than-never dept.
For readers who are interested and may have missed what’s occurring with the Facebook breach, Cambridge Analytica, SCL, SCL Canada, and AggregateIQ (AIQ) in Canada, there have been some remarkable meetings and testimony occurring that are worth watching. The latest was testimony by Zackary Massingham, Chief Executive Officer, AIQ, and Jeff Silvester, Chief Operating Officer, AIQ.
As the AIQ CEOs were giving their testimony and stating they have replied to all of the questions the UK ICO asked of them, someone, apparently from the UK ICO, texted the committee in real time to state what they were stating isn’t true and stated why it wasn’t true. It was a ball dropper as the committee read the text out loud in real time to the CEOs.
You can watch the 2-hour video from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) and their investigation into the “Breach of Personal Information Involving Cambridge Analytica and Facebook” here (meeting 101):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-101/notice
Click on the green icon labeled “Watch on ParlVu” for the video.
On the 26th of April, the investigation continues, starring Professors Colin J. Bennett, Thierry Giasson and Mozilla. You will be able to watch it from this link (meeting 102):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-102/notice
All previous meetings from this investigation, including the testimony from Chris Vickery, can be streamed by going to the following web page and by expanding the meeting dates (meetings 99 to 101 as of writing):
https://www.ourcommons.ca/Committees/en/ETHI/StudyActivity?studyActivityId=10044891
Just because it’s a lot of money.
Apple and Donohoe clear final hurdle for repayment of €13bn disputed tax bill
Apple will place the first tranche of its €13 billion Irish tax bill in an escrow account next month following the signing of a legal agreement between the Government and the US tech giant.
It is anticipated that Apple will make a series of unspecified payments into the account starting in May with the full amount expected to be recovered by the end of September.
… When interest is added the final figure could reach €15 billion but the Department of Finance said it was not possible to calculate the interest until all the money had been recovered.
… Both Apple and the Government are appealing the ruling on the grounds that Apple’s tax treatment was in line with Irish and European Union law.
A Privacy resource.
New on LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018
Via LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018 – Privacy and security issues impact every aspect of our lives – home, work, travel, education, health/medical, to name but a few. On a weekly basis Pete Weiss highlights articles and information that focus on the increasingly complex and wide-ranging ways our privacy and security is diminished, often without our situational awareness.
How AI might be used.
New Product of the Year? Law Librarians Pick AI Research Tool from Bloomberg Law
A legal research tool that uses artificial intelligence to help legal researchers quickly find key language critical to a court’s reasoning has been selected by the American Association of Law Libraries as winner of its 2018 New Product Award.
AALL cited Points of Law, a tool developed by Bloomberg Law, for its ability to provide researchers with a court decision’s legal points and to identify legal precedents.
As I explained in my review of Points of Law last September, as a researcher scrolls through a court opinion, the tool highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings.
For each point of law within a case, a pop-up shows the top three cases cited in support of it.
Explaining BlockChain.
MIT Explainer: What is a blockchain?
Blockchain – Where it came from, what it does, and how you make one by MIT Technology Review Editors. April 23, 2018.
- “What is it? A public, permanent, append-only distributed ledger.
- What’s that? A mathematical structure for storing data in a way that is nearly impossible to fake. It can be used for all kinds of valuable data.
- Where did it come from? “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party.” These are the words of Satoshi Nakamoto, the mysterious creator of Bitcoin, in a message sent to a cryptography-focused mailing list in October 2008. Included was a link to a nine-page white paper describing a technology that some are now convinced will disrupt the financial system…”
Know the players!
Senate confirms Trump's pick for NSA, Cyber Command
Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the "dual-hat" leader of both the National Security Agency and U.S. Cyber Command.
[The General’s bio: https://www.army.mil/article/199703/biography_lt_gen_paul_m_nakasone_commanding_general_us_army_cyber_command]
A tool for looking at Instagram’s data on you.
Instagram launches “Data Download” tool to let you leave
Instagram’s “Data Download” feature can be accessed here or through the app’s privacy settings. It lets users export their photos, videos, archived Stories, profile info, comments, and non-ephemeral messages, though it can take a few hours to days for your download to be ready.
(Related) Hacking Instagram.
A guide for my students.
For coding tips when writing your own?
Dilbert’s fool-proof system for avoiding bad
reviews?