Friday, December 11, 2015

Fast response, but not detected internally.
WP Engine Resets Passwords After Data Breach
Popular WordPress hosting service WP Engine informed customers this week that their credentials may have been compromised in a security breach.
Only a few details have been provided about the incident as the investigation, conducted in collaboration with law enforcement and a “leading” cybersecurity firm, is ongoing. WP Engine became aware of the breach on December 9 and customers were first notified later that day.
Many have complained about the lack of details from WP Engine, particularly regarding the way passwords were stored. The company has promised to share information about the data breach as soon as it’s available.

Failure to encrypt.
Jett Goldsmith writes:
A security vulnerability affecting 16 companies worldwide, including Air Canada, the CN Tower, and the San Diego Zoo, has potentially revealed the unencrypted credit card data of hundreds of thousands of customers, according to a report by threat detection firm Wandera.
Read more on Neowin.
Over on Wandera’s blog, they write:
Today, Wandera announced the discovery of the CardCrypt security flaw affecting sixteen companies, including four major airlines – Air Canada*, easyJet*, AirAsia and Aer Lingus*. Each of the companies has been failing one of the most basic of security requirements by not fully encrypting the traffic to the payment portion of their mobile web site or app. This means that customers who use these services unknowingly may have had their credit card information sent ‘in the clear’, and have been at risk of having that information stolen.
* UPDATE: We are pleased to say we have learned that easyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus and Air Canada have now confirmed there is no ongoing issue. We will continue to assist others in trying to swiftly resolve this issue.
Reportedly, it was not just credit card numbers that were leaking in some cases:
What information was exposed?
Every one of the companies has exposed the full credit card number unencrypted. All of the companies, except for Air Canada, also exposed the CVV number. But the CardCrypt flaw is not limited to just this information. Alarmingly, the amount of additional information that was exposed by some of the companies has been significant and included card expiration date, full name, billing address, email addresses and even passport information.
Read more on Wandera.
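As an added illustration (not code from the Wandera report or from any of the companies named), here is a defender-side check that a proxy log review or DLP rule could apply to captured mobile traffic: flag any request sent over plain http whose body carries a Luhn-valid card number. The URLs and bodies below are constructed samples, and the card numbers are standard test numbers.

```python
import re
from urllib.parse import urlsplit

# Luhn check: rejects most random digit runs that are not real card numbers.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def cleartext_card_leaks(requests):
    """Return (url, masked_pan) for each request that sends a Luhn-valid
    card number over plain http, i.e. 'in the clear'."""
    findings = []
    for url, body in requests:
        if urlsplit(url).scheme.lower() != "http":
            continue            # TLS-protected: not a cleartext exposure
        for m in PAN_RE.finditer(body):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((url, masked))
    return findings

# Constructed sample traffic (hypothetical hosts, not real captures).
SAMPLE_REQUESTS = [
    ("http://m.example-airline.test/checkout/pay",
     "card=4111111111111111&cvv=123&exp=0919&name=Jane+Doe"),
    ("https://m.example-airline.test/checkout/pay",
     "card=5555555555554444&cvv=321"),
    ("http://m.example-zoo.test/tickets",
     "order=1234567890123&qty=2"),   # 13 digits, but fails the Luhn check
]

if __name__ == "__main__":
    for url, masked in cleartext_card_leaks(SAMPLE_REQUESTS):
        print(f"cleartext card data: {masked} -> {url}")
```

Only the first sample is reported: the second is protected by TLS and the third is an order number that fails the Luhn check.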

Yeah, but they will shop online anyway.
AMSTERDAM – December 10, 2015 – Nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen. This is according to a recent global survey by Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, titled “Broken Trust: ‘Tis the Season to Be Wary”, which surveyed 5,750 consumers in Australia, Brazil, France, Germany, Japan, United Kingdom and United States.

Should we really expect good management from OPM?
Tal Koppan reports:
The federal agency that had more than 21 million Americans’ personal information stolen in a massive hack is once again in congressional cross-hairs — this time for improperly doling out taxpayer dollars to protect those Americans after the data breach.
The Office of Personnel Management’s inspector general released a report this month, made public Thursday, finding that the agency improperly handled its contract award to a company hired to protect the identities of the first 4 million federal employees affected by the breach, which has been blamed on China.
Read more on WPTZ.

The least impactful nugget of data gathered by the candidates is your phone number, so they can make way too many automated phone calls urging you to vote for them. This kind of research simply helps them tailor their lies.
Harry Davies reports:
Ted Cruz’s presidential campaign is using psychological data based on research spanning tens of millions of Facebook users, harvested largely without their permission, to boost his surging White House run and gain an edge over Donald Trump and other Republican rivals, the Guardian can reveal.
A little-known data company, now embedded within Cruz’s campaign and indirectly financed by his primary billionaire benefactor, paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey.
Read more on The Guardian.

Does the FBI have the tools to identify terrorists by reading the plaintext messages they send? Isn't that what the big fuss over NSA's bulk interception was about?
Lawmakers: No evidence San Bernardino shooters used encryption
Lawmakers on Thursday said there was no evidence yet the two suspected shooters used encryption to hide from authorities in the lead-up to last week's San Bernardino, Calif., terror attack that killed 14 people.
… But that hasn’t ruled out the possibility, Burr and others cautioned.
… The recent terror attacks in San Bernardino and Paris have shed an intense spotlight on encryption.
While no evidence has been uncovered that either plot was hatched via secure communications platforms, lawmakers and federal officials have used the incidents to resurface an argument that law enforcement should have guaranteed access to encrypted data.

(Related) It's not like there are no tools for terrorists. But most of these actors are minimally trained amateurs. If they are identified and stopped, no big deal. They are just cannon fodder.
Sadly Rachman reports:
Computer scientists at the Massachusetts Institute of Technology (MIT) have developed a new SMS text messaging system that is untraceable and apparently even more secure than the Tor anonymity network, in order to create truly anonymous communications.
Read more on TreeAngle.

Perspective. Why would we expect corporations (or terrorists) to be more concerned about security than the courts? (Note that publishing a list of weaknesses gives hackers a roadmap.)
Nick Cahill reports:
Despite a 2013 audit revealing significant information security flaws, the Judicial Council of California hasn’t improved its control systems and remains “unacceptably” at risk for data breaches, according to a follow-up audit.
The council’s case management records and human resources data are specifically jeopardized because of its failure to implement recommendations from the original audit, the state auditor said Thursday. The audit also criticized the council for a lack of urgency in setting a timeline for implementing better controls.
Read more on Courthouse News.

My Cayman Islands bank account is about to get a lot of deposits, because I have a phone book and I know how to use it!
Latest Google Wallet update lets you send money using just a phone number

For the gamers in my Spreadsheet class.
6 Iconic Games Recreated in Microsoft Excel

Because conversions are useful in many applications. To and from PDFs for example.
The Complete Microsoft Office File Converter Guide

Perspective. So now you can wait until you are down to your last couple of six-packs before re-ordering.
Amazon Starts One-Hour Booze Delivery in Manhattan
… One-hour delivery costs $7.99, and two-hour service is free, Amazon said. Prime Now, a one-hour delivery service available only to Prime members, is available in 23 cities such as Dallas, Chicago, and Nashville.
