Friday, September 08, 2017
Almost everyone has been hacked. What will you do about it?
Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.
… “This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”
Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.
… “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.
… Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.
Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.
“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.
Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.
… Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.
… Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.
Again? Same thing every election cycle?
Software to capture votes in upcoming national election is insecure
The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.
Might be amusing to try this in my Computer Security class.
EU Defense Ministers Put to Test in Mock Cyberattack
A major cyberattack targets European Union military structures, with hackers using social media and "fake news" to spread confusion, and governments are left scrambling to respond as the crisis escalates.
This was the scenario facing a gathering of EU defence ministers in Tallinn on Thursday as they undertook an exercise simulating a cyber assault on the bloc -- the first mock drill of its kind at such a senior level in Europe.
... NATO now considers cyberspace to be a conflict domain alongside that of air, sea and land.
… "We are not creating programmers from the ministers but we want them to understand that these quickly developing situations could demand quick political decisions -- that's the idea of the exercise," Estonian Defence Minister Juri Luik said.
- 'Exciting' exercise -
Estonian officials said the aim was to improve ministers' understanding of the kinds of target that could be hit by a cyberattack, the effects such an attack could have and how they could respond -- as well as the need for clear, coordinated communication with the public on what can be a complex issue.
German Defence Minister Ursula von der Leyen said the two-hour exercise was "extremely exciting".
"The adversary is very, very difficult to identify. The attack is silent, invisible... it is cost-effective for the adversary because he does not need an army, but only a computer with an internet connection," she said.
A hack-the-hackers project for my Digital Forensics students: get copies of these tools and find a way to detect or block them.
Shadow Brokers Release Tool Used by NSA to Hack PCs
The hacker group calling itself Shadow Brokers continues to release tools and exploits allegedly stolen from the U.S. National Security Agency (NSA), including a sophisticated espionage platform that can be used to take full control of targeted computers.
In the past year, Shadow Brokers has apparently tried to make a significant amount of money by offering to sell various tools and exploits used by the Equation Group, a cyber espionage actor linked by researchers to the NSA.
After several failed attempts, the Shadow Brokers’ latest offer involves monthly leaks for which interested parties have to pay a fee ranging between 100 Zcash (roughly $24,000) and 16,000 Zcash (roughly $3.8 million) -- older dumps can be acquired for a few hundred Zcash while the price of future dumps will increase exponentially. An analysis of their cryptocurrency addresses showed that the hackers have made at least tens of thousands of dollars from the monthly dump service.
With the September release, announced on Wednesday, Shadow Brokers informed interested entities that they will offer two dumps every month, and that Monero digital currency is no longer accepted.
Now here is a thankless job…
What North Korea thinks about Trump — according to the man who interprets his tweets for Kim Jong Un
… Pak Song Il, the North Korean tasked with interpreting US politics, statements, and military posture, told Osnos during a trip to Pyongyang that Trump had thrown him for a loop.
"When he speaks, I have to figure out what he means, and what his next move will be," Pak said. "This is very difficult."
"He might be irrational — or too smart. We don’t know," Pak said.
News Use Across Social Media Platforms 2017
As of August 2017, two-thirds (67%) of Americans report that they get at least some of their news on social media – with two-in-ten doing so often, according to a new survey from Pew Research Center.
… For the first time in the Center’s surveys, more than half (55%) of Americans ages 50 or older report getting news on social media sites. That is 10 percentage points higher than the 45% who said so in 2016. Those under 50, meanwhile, remain more likely than their elders to get news from these sites (78% do, unchanged from 2016).
Too good to be true? A follow-up.
MoviePass Bungles Its First Big Test With Subscribers To Its $9.95/Month Service
Movie ticket subscription purveyor MoviePass is off to a rocky start, with delays in delivering membership cards to new subscribers and a significant number of customers complaining that a buggy app is preventing them from getting in to the movies they were expecting to see.
… on Thursday the New York City-based ticket subscription service advised via a mass email titled “Important MoviePass Updates” that it would not be delivering membership cards to new paying subscribers within the ‘5-7 business days’ period that it had promised upon receiving their initial $9.95 payments.
The email explained: “Though our processing facility has increased production, there is currently a 2-3 week delay in card delivery.” The communique cited “unprecedented demand” as the cause of the problem.
… Google Play Store data indicates that the MoviePass app has been downloaded over 100,000 times. Of the 2,500 users who have rated the app, approximately half gave it the lowest possible rating of one star out of five. I took it upon myself to check out the app, and after less than a minute of experience with it I found myself frustrated and feeling that those scathing reviews were well justified.
The first thing the app does is demand access to the user's smartphone files and photos, as well as the ability to track their location. If a user declines to provide MoviePass with what appears to be unlimited access to their private information, the app immediately freezes them out of the service, even though they have paid for it.
Robot law. (I wonder if this would improve student averages too?)