Thursday, August 25, 2016

A word of caution for my gaming students.
Alex Walker reports:
Funcom, makers of The Secret World, The Longest Journey, Age of Conan and Anarchy Online, announced earlier this morning that their forums have been compromised and user data exposed.
In an announcement on their website, Funcom announced that the data breach for the four games above included encrypted passwords, user names and e-mail addresses.  “Even though passwords were encrypted, these can be cracked and should be considered compromised,” the company said.
According to the LeakedSource data breach monitoring hub, many of the forum passwords have already been cracked.  On the English forums for The Secret World alone, more than 81,000 passwords from nearly 228,000 users had been cracked.
Read more on Kotaku.


The problem is that people re-use passwords.
Hackers Steal 25 Million Accounts From Mail.Ru Domains
   LeakedSource, a service that allows users and businesses to check if their online accounts have been compromised, reported on Wednesday that cybercriminals obtained roughly 25 million username and password combinations from three different domains: cifre.mail.ru, parapa.mail.ru and tanks.mail.ru.  The affected domains host forums for games acquired by the Mail.Ru Group over the past years.
The passwords were stored as MD5 hashes with and without salts, which has allowed LeakedSource to easily crack millions of them.  The most common passwords appear to be 123456789, 12345678, 123456 and 1234567890.
   the many password reuse attacks detected recently by companies such as Facebook, GitHub, Reddit and Netflix show that even older credentials can be useful for malicious actors.
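As an added illustration (not part of the quoted report), the snippet below shows why the "MD5 with and without salts" storage described above made the Mail.Ru forum passwords so easy to recover, and what a defender should store instead. Users and passwords are constructed, using only the common passwords the article lists.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample forum table (hypothetical users; passwords are the
# most common ones the article reports, not data from the breach).
USERS = {
    "alice": "123456789", "bob": "12345678", "carol": "123456",
    "dave": "123456789", "erin": "1234567890", "frank": "123456",
    "grace": "123456789",
}

def md5_unsalted(password: str) -> str:
    """Unsalted MD5 as found in the dumps: same password, same digest."""
    return hashlib.md5(password.encode()).hexdigest()

def shared_hash_groups(table: dict) -> list:
    """Group sizes of users sharing one unsalted digest, largest first.
    Without salts the popular passwords stand out before any guessing,
    and one lookup for '123456' covers every account that used it."""
    counts = Counter(md5_unsalted(pw) for pw in table.values())
    return sorted(counts.values(), reverse=True)

def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    A salt alone stops shared-digest grouping; the iteration count is
    what makes guessing '123456' costly. Tune it upward for production."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def distinct_salted_records(table: dict) -> int:
    """With per-user salts, identical passwords no longer collide."""
    return len({pbkdf2_record(pw) for pw in table.values()})
```

Password reuse across sites is the other half of the risk: a proper KDF protects this forum's database, but not an account elsewhere that shares the same password.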


For my Computer Security students.  Be prepared to discuss ways to reduce this risk!
A press release about the financial sector that may be of interest to some readers:
CAMPBELL, CA–(Marketwired – Aug 25, 2016) – Bitglass, the total data protection company, today announced the availability of its Financial Services breach report, an analysis of all breaches in the sector since 2006, with data aggregated from public databases and government mandated disclosures.  The report reveals that leaks nearly doubled between 2014 and 2015, a growth trend on track to continue in 2016.  The nation’s largest banks have all suffered leaks at some point in the recent past.  In the first half of 2016 alone, five of the nation’s top 20 banks disclosed breaches.
The report also explores the most common causes of data leaks in the sector.  Led by lost and stolen devices at 25.3 percent of breach events, financial services organizations appear to struggle with data protection on managed and unmanaged devices.  While hacking accounted for a disproportionate number of individuals affected by financial services breaches, only one in five leaks were caused by hacking.  Other breaches were the result of unintended disclosures, malicious insiders, and lost paper records.
Key findings:
  • One in four breaches in the financial services sector over the last several years were due to lost or stolen devices, one in five were the result of hacking. Fourteen percent of leaks can be attributed to unintended disclosures and 13 percent to malicious insiders.
  • Five of the nation’s 20 largest banks have already suffered data breaches in the first half of 2016.
  • In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014. In the first half of 2016, 37 banks have already disclosed breaches.
  • Over 60 organizations suffered recurring breaches in the last decade, including most major banks.
  • JP Morgan Chase, the nation’s largest bank, has suffered recurring breaches since 2007. The largest breach event, the result of a cyberattack, was widely publicized in 2014 and affected an estimated 76 million U.S. households. Other breaches at JPMorgan were due to lost devices, unintended disclosures, and payment card fraud.
  • Of the three major credit bureaus, the 2015 Experian leak was the largest, affecting 15 million individuals. Equifax has also disclosed several recent breaches, including unauthorized accesses earlier this year that affected hundreds of thousands of individuals.
Download the full report: bitglass.com/financial-breaches-2016


For my Ethical Hacking students.
3 Ways Your Car Can Be Hacked by Cyber Criminals


You say relaxing
I say reneging
Let’s call the whole thing off      (Apologies to the Gershwins)
Relaxing Privacy Vow, WhatsApp to Share Some Data With Facebook
When Facebook bought the start-up WhatsApp in 2014, Jan Koum, WhatsApp’s co-founder, declared that the deal would not affect the digital privacy of his mobile messaging service’s millions of users.
   WhatsApp said on Thursday that it would start disclosing the phone numbers and analytics data of its users with Facebook.  It will be the first time the messaging service has connected people’s accounts to the social network to share information, as Facebook tries to coordinate information across its collection of businesses.


This is the world my Computer Security students will live in.  Still, I don’t think I’d call it a “Hackerpocalypse.”
Cybercrime damages expected to cost the world $6 trillion by 2021
Cybercrime will continue its stratospheric growth over the next five years, according to a recent report published by Cybersecurity Ventures. (Disclaimer: Steve Morgan is the Founder and CEO at Cybersecurity Ventures.)
While there are numerous contributors to the rise in cybercrime -- which is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015 -- the most obvious predictor is a massive expansion of the global attack surface which hackers target.

Data remains the primary hacker target. Microsoft predicts by 2020 data volumes online will be 50 times greater than today.  There are 111 billion lines of new software code being produced each year — which will include billions of vulnerabilities that can be exploited, according to research conducted by Secure Decisions.
Some media estimates peg the number of internet of things (IoT) devices to exceed 200 billion by 2020.
In a report last year, ABI forecasted that more than 20 million connected cars will ship with built-in software-based security technology by 2020 — and Spanish telecom provider Telefonica states by 2020, 90 percent of cars will be online, compared with just 2 percent in 2012.


Ignore Best Practices at your peril!
A push for the less-hackable car
The auto industry now has at least a couple of “best practices” guides for cybersecurity.
One, from the Automotive Information Sharing and Analysis Center (Auto ISAC), was released about a month ago and generated a flurry of stories that highlighted the group’s exhortations to automakers to start building security into their software from the ground up – from design through production.
Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of, “recommendations for building security into the design, fabrication and operation phases of the automotive production process,” according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).
   In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface – data can enter vehicles through cellular radio, Bluetooth, Wifi, V2V radio, infotainment media, companion apps and Zigbee Radio.
   The problems have been increasingly apparent for several years now.  A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.


An interesting, but probably inevitable evolution of hacker tech.  After all, communication is communication, no matter the technology.
Android botnet relies on Twitter for commands
   One maker of Android malware is using Twitter to communicate with infected smartphones, according to security firm ESET.
   The malware routinely checks certain Twitter accounts and reads the encrypted posts to get its operating commands.
   “It’s extremely easy for the crooks to re-direct communications to another freshly created account,” he said.


Frequently Controversial Commission?
David Balto reports:
The unique American right to privacy – the Constitutional right to be “secure in their persons, houses, papers, and effects” birthed as a direct response to the British crown’s unfettered “general warrant” rights to search colonial homes is so fundamental today that nary a politician will seek to question it.  The same can be said for our First Amendment’s freedom of speech and the Fifth Amendment’s guarantee of equal protection.
This is what makes it so amazing that the FCC might be thumbing its nose at all three core principles in its latest “privacy rulemaking.”  And the noting of this came in a major broadside delivered by the most revered constitutional scholar of the day – Harvard Law School’s Laurence Tribe.
Read more on The Hill.


Looks like we’ll be seeing more Hulk Hogan-like lawsuits…
One of Peter Thiel's fellows created a new startup that will fund your lawsuit
   This summer, Forbes revealed that tech luminary Peter Thiel had secretly been backing Hulk Hogan's lawsuit against Gawker.  It was a wake-up call that people could fund a lawsuit bent on destroying a business — and that it's perfectly legal to do so.
A new startup, Legalist, is looking to make money from the practice of bankrolling lawsuits.  The startup plans to fund those that it calculates have a chance to win.
   In a presentation at Y Combinator's Demo Day on Tuesday, Shang argued that litigation funding is poised to become an "explosive asset class."  The startup has funded one lawsuit for $75,000 and expects a return of over $1 million once the case is over.  That money will then be reinvested in other lawsuits, and the process will repeat itself.
"It's a niche field that you don't really think about," Shang said.


Unusual to say the least.  (Who knew Treasury had a Blog?)
U.S. raises concerns over European tax probe involving American companies
The U.S. Treasury took the unusual step Wednesday of publishing a detailed critique of the European Commission’s investigations into alleged tax avoidance schemes by a group of U.S. firms, including Apple, Starbucks and Amazon.
Treasury said the commission’s probes into whether U.S. firms unfairly benefited from low corporate tax rates in Europe “undermine” agreements on international tax law and could hurt U.S. taxpayers.
“These investigations have major implications for the United States,” wrote Robert Stack, deputy assistant secretary for international tax affairs at Treasury, in a blog post explaining the agency’s position.


What is this worth to the people placing political ads?
Facebook Tags Users As Liberal, Moderate Or Conservative: How You Can Check And How The Social Network Does It
   Facebook has come up with a system to determine a user's political leanings, based on his or her activity on the social network.  The labels are not hidden from users, though, as they can be checked by accessing an account's advertising preferences on Facebook.


Once upon a time, the US led the way…
The world’s first public self-driving taxi service hits Singapore roads today
The world’s first public trial of a self-driving car service has officially launched in Singapore today, as U.S. autonomous car startup NuTonomy beats Uber to the punch by a matter of days.


I keep searching for my Dutch ancestor’s rumored deed to everything south of the street by the wall.  (Yes, Wall Street)
The New York Public Library Digital Collections
by Sabrina I. Pacifici on Aug 24, 2016
“Explore 693,857 items digitized from The New York Public Library‘s collections.  This site is a living database with new materials added every day, featuring prints, photographs, maps, manuscripts, streaming video, and more.”