Monday, November 07, 2016

Yesterday, this was “less than 10,000.”  How the bank was hacked is unclear, but there is plenty of speculation.  (No doubt it will be Russians trying to influence the US election.)
Tesco Shares Fall After Cyber Attack at its Online Banking Group Hits 40,000 Customers
   "Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," Tesco Bank CEO Benny Higgins said in a statement. 
Wholly-owned Tesco Bank, which has 136,000 current accounts, has frozen all online banking transactions from current accounts and said it would refund those which had money stolen.  Customers will be allowed to use cards to withdraw cash and to make payments, Higgins said.

Undue reliance on emails?  How would you prevent this from happening at your organization?  
Charles Lussier reports:
The top business manager for the East Baton Rouge Parish school system fell for an unsophisticated con, wiring $46,500 to someone who claimed via email to be Superintendent Warren Drake, even though the man himself was working in an office next door.
The school system on Thursday disclosed the fraud known as “phishing,” which occurred twice in May.  The details are outlined in a special audit, received late Thursday from the auditing firm Postlethwaite & Netterville, that examines what happened and suggests ways to prevent it from happening again.
Read more on The Advocate.

(Related)  Perhaps another procedure needs questioning?
It sounds like such a simple question that should have an obvious “yes” answer, but you might be surprised to see what happens when hackers taunt social media teams about hacks.  It’s an issue I’ve mentioned before:
NullCrew revealed that they had access to Bell’s server for months, and had disclosed that to them in a chat with Bell Support weeks ago.  A screenshot of the chat between NullCrew and Bell Support employee “Derek” shows that NullCrew was informing Bell that they were in possession of users’ information — February 2, 2014.
If your business has a Twitter account, do those responsible for it know how to respond to tweets informing them of a data security breach? — August 24, 2015.
Last night, it happened again: a well-intentioned social media team on Twitter did not appear to understand that they were being told they had been hacked.  USAA’s Twitter team’s responses left people variously laughing at them, mocking them, or if they were a customer, worried for the security of their information.
Here was how the exchange began:
[Read the whole sorry mess.  Bob]

For my smartphone-using students.  Hackers have a great grasp of the obvious.
Via The New York Times, hundreds of fake shopping apps have been hitting the App Store in the last few weeks, stealing recognizable brand names and logos, in an attempt to confuse App Store customers to download their counterfeit apps instead of the real thing.  The fraudsters are attempting to capitalize on the holiday shopping season.
   App Review fails to recognize most cases of trademark infringement (or it simply doesn’t look for such issues at all), which allows fake apps like these ones to appear in the App Store.
The fraudsters can then capitalize on their victims by encouraging customers to buy the ‘real’ branded products with credit cards, thereby stealing their financial information.  (Apps that sell physical goods are allowed to request users to provide payment details, bypassing the usual protections and safeguards of Apple’s sanctioned In-App Purchase system.)

“It’s a lightbulb!  We don’t need to secure it!” 
Hackers hijack Philips Hue lights with a drone
Surprise!  The Internet of Things is a security nightmare.  Anyone who was online a few weeks ago can attest to that.  The massive internet blackout was caused by connected devices, and new research from white-hat hackers expounds upon those types of vulnerabilities.  The target?  Philips Hue smart lightbulbs.  While they've been hacked in the past, Philips was quick to point out that it happening in a real-world situation would be pretty difficult.  Digital intruders would need to already be on your home network with a computer of their own -- the company claimed that directly attacking the lightbulbs wasn't exactly feasible.  But this new attack doesn't require that sort of access.
In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update.  By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access.  From there, they "extracted the global AES-CCM key" that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF).
"The malicious firmware can disable additional downloads, and thus any effect caused by the worm (blackout, constant flickering, etc.) will be permanent."  What's more, the attack is a worm, and can jump from connected device to connected device through the air.  It could potentially knock out an entire city with just one infected bulb at the root "within minutes."

At least it won’t be in your pocket when it blows.
If you own a Samsung washing machine, then be afraid, be very afraid.  Samsung is being forced to recall 2.8 million of its washing machines due to the possibility of them shaking themselves apart.  Or, to put it another way, exploding.  Sound familiar?
Let’s not bury the lede here.  Samsung is recalling 2.8 million washing machines in the United States.  The voluntary recall, made in cooperation with the Consumer Product Safety Commission (CPSC), affects “certain top-load washers manufactured between March 2011 and current production dates”.

Model or anti-model?  What can we learn? 
China Adopts Cybersecurity Law Despite Foreign Opposition
   The Cyber Security Law was passed by the Standing Committee of the National People’s Congress, China’s top legislature, and will take effect in June, government officials said Monday.  Among other things, it requires internet operators to cooperate with investigations involving crime and national security, and imposes mandatory testing and certification of computer equipment. [No exploding phones in China?  Bob]   Companies must also give government investigators full access to their data if wrongdoing is suspected.
   The fear among foreign companies is that requirements to store data locally and employ only technology deemed “secure” means local firms gain yet another edge over foreign rivals from Microsoft Corp. to Cisco Systems Inc.

I pass these on to all my students in the hope that they get filthy rich and remember who gave them the idea…
These guys built a $273 million startup from discarded computers and an almost secret source of seed money
Founded in 2010 by CEO Mohit Lad and CTO Ricardo Oliveira from their grad school work at UCLA, ThousandEyes helps ensure that when bits of the internet go down, companies can avoid being taken down too — even if the problem is on the internet and out of their control.
   And it all began with a bunch of computer servers that the founders scrounged out of big corporate electronics recycling bins and from a second-hand computer store in Sunnyvale known as Weird Stuff.
   "We could go to Sand Hill Road and spend months trying to raise money, or we could try to build a product and really get it off the ground and get customers.  We chose the latter route and in hindsight it was one of the best decisions we made," Lad said.
Instead, they applied for a grant from the National Science Foundation.  That's such an unusual way to raise funds in the Valley that Lad wrote a blog post explaining it. 
"If you have an idea which is high risk, that has a lot of R&D, the NSF tends to like it," Lad told us. 

Suspiciouser and suspiciouser.  Note that “We haven’t changed our mind” is in some papers being reported as “Clinton exonerated!”  And I’ll wager that most of the emails had to do with preparing to campaign for president. 
James Comey: FBI has 'not changed its conclusions' on Clinton's email server since July decision
   A senior law enforcement official told NBC News that the FBI's review of the thousands of emails on the Anthony Weiner laptop concluded that nearly all were duplicates of emails previously seen by FBI agents investigating the email server.

Jumping the gun on “the election was rigged?”  There seems to be no hard evidence to support the headline.  But, did anyone not working for Trump actually look? 
Election Fraud in Broward County: Officials Caught Ballot Stuffing, Destroying Ballots
According to multiple sources and witnesses, Broward County Supervisor of Elections Brenda Snipes and employees are engaging in mass voter fraud in multiple forms.
   It has been widely reported that black turnout in the state–and in other battleground states such as North Carolina and Ohio–is way down from 2012 levels.  In the past few days, the Clinton campaign and their Democratic surrogates have been touting “a surge” in turnout among black voters in Broward County, which is overseen by Snipes.  [Are ballots in Florida marked “Black Voter?”  How else would they know?  Bob] 
   Sources confirm Snipes was breaking the law and opened more than 153,000 ballots cast by mail in private, claiming employees were tearing up and disposing of those that were votes in support of Donald J. Trump.  The law prohibits the opening of ballots without the supervision of a canvassing board appointed to oversee and certify elections precisely because of this possibility.

Free is good!  Several, actually.
Visio may be the industry standard in the corporate world, but it comes with a huge drawback: it’s expensive ($299 for the standard version as of this writing).  Can’t afford that?  Then you’ll be happy to know that several open source alternatives exist for the low, low price of FREE.

Perhaps you could have the Billy Bass sing it for you?  (See yesterday’s blog)
Have you ever wanted to arrive home to a personal welcome?  With a Raspberry Pi and a few simple components, you can!  In this simple project we’ll use a reed switch to trigger a theme tune when a door is opened.  We shall be using a Raspberry Pi as the controller here, though you could use almost any other microcontroller for this project using the same circuit.

A Donald Trump-inspired drone?
