Monday, August 22, 2016
A question for my Computer Security students.
Darren Pauli reports:
Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers' names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy Hunt reported the flaw to the company last Thursday.
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
Read more on The Register.
The firm seems to be a Hong Kong-registered business. Hong Kong has data protection standards. Worse, I don’t see how what they’re doing is consistent with their privacy & security assurances that personal data is kept confidential.
Maybe some consumer should file a complaint with the data protection watchdog in Hong Kong. They’ve really gotten more proactive in the past few years and they might have something to say about this exposure of consumer information.
(Related) Troy shows us how this works.
Understanding account enumeration, the video tutorial edition
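The behaviour described above is a textbook account-enumeration oracle: the response to a bare email address differs depending on whether the address is on file, and here it even carries the record itself. The Python below is an added example, not Strawberrynet's code and not from Troy Hunt's tutorial. It puts a toy version of the leaky lookup beside a hardened one that answers identically for known and unknown addresses and releases the record only after a single-use token sent to that mailbox is presented. The customer records, the field names, and the in-memory "outbox" standing in for email delivery are all constructed for the example.

```python
"""Account enumeration via a 'quick checkout' email lookup (added example)."""
import hmac
import secrets
from hashlib import sha256

# Constructed sample records; field names are an assumption for the example.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice Example", "address": "1 Main St", "phone": "555-0100"},
    "bob@example.com": {"name": "Bob Example", "address": "2 High St", "phone": "555-0101"},
}


def vulnerable_lookup(email):
    """The pattern the article describes: a bare email reveals both whether
    the address is a customer and the customer's stored details."""
    record = CUSTOMERS.get(email.lower())
    if record is None:
        return {"found": False}
    return {"found": True, **record}


# Hardened flow: the same response for every caller, and the record is only
# released to someone who can read mail at that address.
GENERIC_MESSAGE = "If that address is on file, a checkout link has been sent."
_PENDING_TOKENS = {}   # email -> sha256(token); only the hash is kept server-side
OUTBOX = []            # stands in for sending email (constructed for the example)


def hardened_lookup(email):
    key = email.lower()
    # Generate and hash a token for every request, known address or not, so the
    # work done (and the response) does not depend on whether the email exists.
    token = secrets.token_urlsafe(16)
    digest = sha256(token.encode()).hexdigest()
    if key in CUSTOMERS:
        _PENDING_TOKENS[key] = digest
        OUTBOX.append((key, token))   # real code would email this link
    return {"message": GENERIC_MESSAGE}


def redeem(email, token):
    """Return the customer record only for a valid, unused token; None otherwise."""
    key = email.lower()
    expected = _PENDING_TOKENS.get(key)
    presented = sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    del _PENDING_TOKENS[key]          # single use
    return dict(CUSTOMERS[key])


def reveals_existence(handler, known_email, unknown_email):
    """Enumeration check: does the handler answer differently for an address
    that is on file versus one that is not?  True means it is an oracle."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    print("vulnerable:", reveals_existence(vulnerable_lookup, "alice@example.com", "nobody@example.com"))
    print("hardened:  ", reveals_existence(hardened_lookup, "alice@example.com", "nobody@example.com"))
    hardened_lookup("alice@example.com")
    _, tok = OUTBOX[-1]
    print(redeem("alice@example.com", tok))
```

The uniform message is the essential part; a production version would also rate-limit requests per address and per source, log repeated probes, and keep response timing flat, since a measurable delay between the two branches is enough to rebuild the oracle.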
Low hanging fruit?
In the Bitcoin Era, Ransomware Attacks Surge
… Once considered a consumer problem, ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat. According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day. Typical ransomware payments range from $500 to $1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $30,000 in an attack that crippled a large portion of the hospital’s computer systems.
… The Federal Bureau of Investigation said ransomware attacks cost victims $209 million in the first three months of the year, including costs such as lost productivity and staff time to recover files. That is an average of about $333,000 an incident, based on complaints that it has received. The total is up from $24 million for all of 2015, or about $10,000 an infection, the FBI said.
For my Computer Security students. Implications for breach reporting.
When organizations first become aware of a major problem with a product or service, one with important consequences for consumers or the environment, they face a dilemma. Should they self-disclose the issue? Or should they let sleeping dogs lie?
Ethically, the choice is simple. If management is aware of a problem, its moral duty is to communicate openly and honestly to all stakeholders involved. In practice, however, organizations are reluctant to communicate as long as an issue is internal in nature and the extent of the crisis seems limited.
… How should companies handle a crisis differently? Our research focuses on an alternative approach, one that is referred to as “stealing thunder.” It involves self-disclosing crises and major issues before media gets hold of the story. Earlier studies on stealing thunder have found that self-disclosing organizational crises increases the credibility of organizational spokespersons. When an organization breaks the news about incriminating events, these problems will also appear less severe. In addition, organizations that steal thunder are considered more reliable and consumers are more inclined to continue purchasing their products. Our recent study adds to these findings by examining if self-disclosing an organizational crisis may be as effective as it is because old news is considered no news. When self-disclosing incriminating information, individuals will perceive the subsequent negative publicity as old news, and hence, pay less attention to it.
Something for my Architecture and Computer Security students.
The Internet of Things Is Here, and It Isn’t a Thing
… The killer app of the Internet of Things isn’t a thing at all—it is services. And they are being delivered by an unlikely cast of characters: Uber Technologies Inc., SolarCity Corp., ADT Corp., and Comcast Corp., to name a few. One recent entrant: the Brita unit of Clorox Corp., which just introduced a Wi-Fi-enabled “smart” pitcher that can re-order its own water filters.
… Understanding that most people want to solve problems without worrying about the underlying technology [or security. Bob] was crucial, she says. “Early on, we found that if you called what we do ‘home automation,’ people liked it but they would not spend money on it,” Ms. McLaren says. “But if you called it ‘peace of mind’ and anchored it on home security, then people knew they need to have that and would spend $35 to $45 a month on it.”
Are terrorists that naïve when it comes to technical surveillance?
Belgium Called In The NSA To Help Catch Paris Attacker
The breakthrough in the manhunt for a key suspect in last year’s attack on Paris that left 130 people dead only came when Belgian officials asked the US National Security Agency (NSA) for help.
According to a Belgian counterterrorism officer and a police investigator, they turned to the NSA in the search for Salah Abdeslam, the sole surviving suspect from the attacks, after Belgian police spent four futile months raiding apartments around Brussels as part of a Europe-wide manhunt.
The two officers told BuzzFeed News that the Belgian government asked the NSA for assistance in tracking the mobile phones of several people attending a funeral of one of the other Paris attackers in early March, in the hopes that they would lead police to Abdeslam. He was apprehended after a shoot-out in the Belgian capital on March 18.
… The two officials described a scene where a known associate of Abdeslam was filming the funeral: “The guy is filming on a smartphone — that tells us he’s going to send that file to someone, right?” the security service source said. “We had the NSA hit that phone very hard.”
Background for all my students?
Antitrust and Intellectual Property: A Brief Introduction
by Sabrina I. Pacifici on Aug 21, 2016
Hylton, Keith N., Antitrust and Intellectual Property: A Brief Introduction (August 19, 2016). Boston Univ. School of Law, Law and Economics Research Paper No. 16-32. Available for download at SSRN: http://ssrn.com/abstract=2826636
“Intellectual property law and antitrust have been described as conflicting bodies of law, and the reason is easy to see. Antitrust law aims to protect consumers from the consequences of monopolization. Intellectual property law seeks to enhance incentives to innovate by granting monopolies in ideas or expressions of ideas. The purpose of this chapter is to explore the purported conflict between antitrust and intellectual property. The chapter is largely descriptive, and focuses on current or developing litigation rather than historical controversies. Many of the modern examples of conflict can be attributed to problems of classification.”
Wow! I didn’t know that bail bondsmen set the levels of bail. Perhaps we could release non-violent offenders with just one of those ankle bracelet thingies. If they are arrested for violent crimes, perhaps home detention – or White House detention?
Obama Justice Department Joins The Fight Against America’s Bail Industry
The Obama administration has joined the fight against the American bail industry, telling a federal appeals court that bail practices that keep poor defendants locked up because they cannot afford to purchase their freedom are unconstitutional.
… The brief marks the first time DOJ has weighed in on the constitutional requirements of bail systems in a federal appeals court.
… A lower federal court had ruled earlier this year that “any bail or bond scheme that mandates payment of pre-fixed amounts for different offenses to obtain pretrial release, without any consideration of indigence or other factors, violates the Equal Protection Clause.”
That ruling is being appealed by the city, and is also opposed by the American Bail Coalition. ABC claims that the plaintiff takes the “extreme position” that “any defendant is entitled to immediate release based on an unverified assertion of indigency,” and argues that bail is a “Liberty-Promoting Institution As Old As The Republic.”… Read the Justice Department’s amicus curiae brief here.
The changing architecture of banking systems.
How Open Financial APIs Will Lead to Integrated Banking
If there were ever a time to develop a banking app it would be now. It is estimated that a quarter of the top 50 global banks will have a banking app store within the next two years. A plethora of third-party banking apps have emerged in recent years, causing trouble for slow-to-adapt banks. Banking apps, and their ecosystems, offer banks a multitude of new revenue streams, as well as helping to broaden partner and user bases. For those less convinced of app viability, a cursory glance at market trends should be convincing enough. Business is going paperless, and those unwilling to accommodate customers’ needs will be left in the dust. The people want quick, accessible, and secure banking, and they want it now. In this article we will look into the future of financial APIs based on an article recently written by Swaminathan Mahalingam.
For my IT Architecture students. Big Box stores go high tech?
E-Commerce Initiatives Drive Wal-Mart Stores, Inc.'s Earnings Higher
… global e-commerce sales increased 11.8% on a constant-currency basis, as Wal-Mart continues to invest heavily in this area, including its recent $3 billion deal for Jet.com.
(Related) Early buyouts – perhaps before we know they work?
The Unicorn Hedge
… No, the next bubble is NOT in tech where innovation and capital are never in short supply… rather, the REAL bubble is in far-too-generous P/E multiples and valuations of global public companies, whose business models are being obliterated by startups and improved by orders of magnitude. As more Fortune 500 CEOs recognize and admit their vulnerability to disruption, expect them to hedge their own public valuations by buying the very same unicorns that keep them awake at night… Welcome to the Unicorn Hedge.
Lyft Reportedly Failed to Sell Itself to Apple, Amazon, Google—and Uber
On Friday, The New York Times reported that, in addition to murky negotiations with General Motors, Lyft has broached acquisition talks with Apple, Amazon, Google, Didi Chuxing—and even arch-rival Uber. The talks and inquiries have taken place over the past several months, and (with the possible exception of GM) they didn’t lead to an acquisition offer.
Lyft’s acquisition talks don’t necessarily suggest a company under duress—Lyft has plenty of cash on hand, and an array of expansion paths and strategic partners, including Didi and GM. But it does highlight growing pressures in the ride-hailing sector (and in the maturing tech sector more generally).
Oh, for businesses. I thought this was for Bill Clinton.
Decision Matrix: What Is Is and How to Use It