Monday, November 02, 2015

Very interesting. They screwed up and then fixed it. Would a larger company (not staffed entirely with techies) be able to do as well? Take the time to read the rest of this article…
Here’s an example of how to detect a breach promptly and disclose it transparently.
Halloween Security Breach
By Sean Blanchfield
PageFair security breach has been resolved – here is what you need to know.
Update 1 – 21:30 GMT November 1, 2015
Core Facts
If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now. For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious JavaScript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.
The attack was sophisticated and specifically targeted against PageFair, but it is unacceptable that the hackers could gain access to any of our systems. We identified the breach immediately, but it still took over 80 minutes to fully shut it down. During this time, visitors to websites owned by the publishers who have placed their trust in us were targeted by these hackers.
The damage was mitigated by our standard security practices, but the attackers still gained access. I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again.
We will update this post as we establish more facts.

As expected.
A caution from the Daily Mail:
In the past week, many pensioners have told the Daily Mail how they have fallen victim to conmen pretending to be from TalkTalk. They often claim to be offering compensation for the data breach before asking for victims’ bank account details.
Last night a senior cyber-crime officer warned: ‘The fraudsters look for victims in their 60s, 70s, 80s and 90s. Some of the conmen have call centre training which means they sound genuine when they call up pretending to be from a telecoms company.
If you know someone who might be at risk, do give them a heads up about this. It’s not uncommon to see criminals use stolen data to try to phish for more, but it’s worth a reminder.

(Related) Could this be the result of the TalkTalk breach? Customers using the same password on both systems? Would customers be on both at the same time? Perhaps they quit TalkTalk and opened accounts on Vodafone?
Almost 2,000 Vodafone customers 'open to fraud'
Criminals used customer details gained from "an unknown source" to try to access accounts between Wednesday and Thursday, the company said.
The telecommunications giant said 1,827 customers had their accounts accessed, with criminals potentially gaining their names and some bank details.
But it insisted its systems had not been breached.
… Vodafone said its security protocols had been "fundamentally effective", but the criminals had potentially gained customers' names, their mobile phone numbers, bank sort codes and the last four digits of their bank account numbers.
… The BBC's technology correspondent Rory Cellan-Jones said the email addresses and passwords criminals used to try to access Vodafone accounts appeared to have been bought on the dark web. [This makes it look like there was a breach. Bob]

Maybe it's me, but I don't see much of a change here. Perhaps an increase in resources devoted to cybersecurity as new technologies are adopted, but the boards I worked with always seemed to understand the risks of IT.
Cybersecurity: The changing role of audit committee and internal audit
by Sabrina I. Pacifici on Nov 1, 2015
Deloitte: “Among the most complex and rapidly evolving issues companies must contend with is cybersecurity. With the advent of mobile technology, cloud computing, and social media, reports on major breaches of proprietary information and damage to organisational IT infrastructure have also become increasingly common, thus transforming the IT risk landscape at a rapid pace. International media reports on high-profile retail breaches and the major discovery of the Heartbleed security vulnerability posing an extensive systemic challenge to the secure storage and transmission of information via the Internet have shone a spotlight on cybersecurity issues. Consequently, this has kept cybersecurity a high priority [Not a new or increased priority Bob] on the agenda of boards and audit committees…”

No liability here, by statute.
Megan Newquist reports:
Imagine a burglar stalking his victims and taking pictures of their cars in parking lots, knowing their whereabouts and then breaking into their homes.
Eden Prairie police say that’s exactly what 45-year-old David William Pollard was doing, but they didn’t know how until he was arrested leaving a Minnetonka home on April 14.
Inside Pollard’s car that night, police found a slew of stolen property. In addition, police say they uncovered how Pollard was able to find his victims – through a subscription-based online account that allowed him to look up individuals by their license plate numbers.
Read more on WDAZ.
[From the article:
5 EYEWITNESS NEWS created an account on the website in question and searched a co-worker's license plate number. The results included his date of birth, name, address, make and model of car and even his vehicle’s identification number.
… DPS claims it took action against the bulk data purchaser who was re-selling this information to the website in question in 2006. It claims the purchaser’s access was terminated. But our investigation revealed the license plate data on that website was updated as recently as Dec. 31, 2011. Our employee whose license plate number was checked purchased the vehicle in 2009, three years after DPS claims it terminated the particular purchaser’s access to bulk data purchases.
… The Department of Public Safety stopped selling this personal information in bulk on Jan. 1. But unless you’ve moved or purchased a new car, your information is still out there for anyone to find.

Removing hoods is probably good. Unless of course, they point to the wrong people. Or someone starts targeting them with 'sticks and stones.' Will they recognize that someone is on an “enemies list” rather than a membership list?
Samburaj Das reports:
Anonymous has made good on its threat to expose KKK members on the internet to reveal phone numbers and emails of alleged KKK members.
Activist collective Anonymous has long had a feud with members of the radical Ku Klux Klan. There is a history there. Recently, Anonymous threatened to dox a thousand members of the KKK, unhooding them publicly in cyberspace.
So far, there have been three pastes, all linked from @YourAnonNews’ Twitter account. The first paste contains two email addresses associated and 10 phone numbers without names or additional details. The second paste contains an 800- phone number, 10 phone numbers without names, and another email address. The third paste contains more phone numbers and 21 email addresses, the majority of which are on .ru domains.
Note that not all the phone numbers are registered to individuals, but one of the numbers checked using reverse phone lookup was reported to be associated with the KKK by someone on who reported getting a call from the number which he described as KKK – “threatening.”
Some of the information in the pastes does not appear to be new, as at least one number checked by had been leaked before following Ferguson with the individual’s full name, address, credit card details, etc.
Note: In a fourth paste that actually preceded the three noted above, “Amped Attacks” (@sgtbilko420 on Twitter) released the names of nine politicians – four U.S. Senators and five mayors – whose email addresses showed up in KKK databases he claims to have hacked. Amped Attacks does not provide their email or postal addresses, or phone numbers, and the basis for him declaring them part of the KKK or a supporter of it is that he can seemingly come up with no reason for their email to be in a KKK database unless they’re a member or a supporter.
In addition to the paste, Amped Attacks has also taken down some KKK sites, with evidence provided in his tweet stream. In one tweet, he declared that he is not part of Anonymous but respects #OpKKK.

I expected much more from South Korea but then these decisions are made by politicians not techies.
Child monitoring app pulled in S Korea
South Korea mandated in April that all children's phones must be monitored.
However, the regulator said the decision to suspend the app had been made prior to the release of a damning report about its security.
The KCC told news agency AP that the decision had been made because of the abundance of free apps now available.
Smart Sheriff had been downloaded hundreds of thousands of times inside the country and was created by a group of telecoms companies known as the Korean Mobile Internet Business Association (Moiba).
Two reports issued, one by the University of Toronto and the other by software auditing firm Cure53, described Smart Sheriff's security as "catastrophic".
The report authors found that children's personal details were not stored securely and that the parental filters applied were easy to disable.
"Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited," said independent researcher Colin Anderson, who worked on the report, at the time.

So much for yesterday's “easy to understand” privacy policy…
Snapchat reassures users that photo messages are still totally private
Photo-messaging app Snapchat has reassured users that their photos will not be stored on its servers after changes to its privacy policy caused widespread confusion.
The Venice, California-based company published a blog post on Sunday clarifying changes that were made to its Privacy Policy and Terms and Services last week. Photos shared through Snapchat disappear after the recipient has viewed them, but users have been fretting that the updates allowed Snapchat to store photos and share them with advertisers.
Photo messages "are automatically deleted from our servers once we detect that they have been viewed or have expired", just as they were before, Snapchat said. It does not stockpile pictures, and never has.

I'm not sure this is how I would teach lawyers to code, but I'll pass it along anyway.
Coding For Lawyers – Open Source
by Sabrina I. Pacifici on Nov 1, 2015
V. David Zvenyach – “What? Lawyers and Coding? It’s true. Lawyers can code. In fact, if you’re a lawyer, the truth is that it’s easier than you think. I am a lawyer, and a coder. In the course of two years, I have gone from knowing essentially nothing to being a decent coder in several languages. This book is intended to drastically shorten that time for others who, like me, decide that they want to learn to code. Why this book? One thing that I discovered, when learning to code, is that there are surprisingly few freely available books on the basics of coding, books that assume you know nothing about coding, books that assume you went to law school because you didn’t like numbers. And, we need more lawyers who code…”

Not being one for “binge TV watching” I could see myself doing some serious binge reading. Especially as books become as cheap as I am. This points you to an interesting article.
The Cost of Used Books Plummets as Availability Swells
by Sabrina I. Pacifici on Nov 1, 2015
New York Times – A Penny for Your Books By Dan Nosowitz, October 26, 2015: “…in recent years, my bookshelves have swelled. Old John le Carré and Donald E. Westlake and Lawrence Block titles are easier than ever to find online, along with pretty much every other book published in the last century. They’re all on Amazon, priced incredibly low, and sold by third-party booksellers nobody has ever heard of… In 2014, publishers sold just over 2.7 billion books domestically, for a total net revenue of just under $28 billion, a larger profit than in the preceding two years, according to the Association of American Publishers. There were just over 300,000 new titles (including re-releases) published in the United States in 2013. The book industry may not be as strong as it once was, but it’s still enormous, and generates a considerable amount of surplus product each year.”
[From the article:
Enter the penny booksellers. There are dozens of sellers — Silver Arch Books, Owls Books, Yellow Hammer Books and Sierra Nevada Books — offering scores of relatively sought-after books in varying conditions for a cent. Even including the standard $3.99 shipping, the total sum comes out to several dollars cheaper than what you’d pay at most brick-and-mortar used-book stores.