Wednesday, October 11, 2017

Designed to be hacked?
T-Mobile website bug let hackers steal data with a phone number
Up until last week, a T-Mobile website had a serious security hole that let hackers access users' email addresses, accounts and a phone's IMSI network code, according to a report from Motherboard. Attackers only needed your phone number to obtain the information, which could be used in social engineering attacks to commandeer your line, or worse.
The security researcher who discovered the hole, Karan Saini from startup Secure7, notes that anyone could have run a script to scrape the data of all 76 million T-Mobile users and create a searchable database.
… T-Mobile said in a statement that "we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly."
… However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't shared broadly, telling Motherboard that "a bunch of SIM swapping kids had [the hack] and used it for quite a while." They could have exploited the data to "socially engineer," or basically con, T-Mobile technicians into handing over replacement SIMs by pretending they're the owners of the line. Motherboard also discovered a YouTube video dated August 6th that describes exactly how to execute the hack.

Beware of any system that defaults to “No Protection!”
Accenture Exposed Data via Unprotected Cloud Storage Bucket
Consulting and technology services giant Accenture inadvertently exposed potentially sensitive information by leaving it unprotected in four Amazon Web Services (AWS) S3 buckets.
The cloud storage containers were discovered on September 17 by Chris Vickery of cyber resilience company UpGuard and they were secured a couple of days later after Vickery notified Accenture of his findings.

An Equifax update. Seems like a lot of disputes to me.
Equifax breach included 10 million US driving licenses
10.9 million US driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.

Security concerns and a few potential solutions.
IoT and the Effects of Other Emerging Tech in the Workplace
Technology professionals are gathered here at Spiceworld in Austin, Texas, Spiceworks' annual conference, to share their tips and tricks on making their CIOs happy, ensuring their end-users are satisfied, and more importantly, keeping their IT operations up and running. But these days, no discussion about IT is complete without mentioning the effects that the Internet of Things (IoT), artificial intelligence (AI) and other emerging technologies are having on the workplace.
The industry has high hopes for these next-generation technologies.
In June, IDC forecast that spending on IoT devices and services would balloon to nearly $1.4 trillion in 2021. Recently, technology research firm Tractica predicted that the AI market will reach $43.5 billion by 2024.
… But first, IT professionals are laser-focused on the security implications of adding IoT, AI and augmented and virtual reality (AR, VR) solutions to their IT environments. Expecting to get hacked, William Brown, information security officer at Engaging Solutions, an Indianapolis, Ind. IT consulting firm, takes zero chances.
As a precautionary measure, Brown's team places IoT devices on a guest network, preventing attackers from reaching deep into the main network and accessing sensitive data. Additionally, he advises his fellow IT professionals to make sure their IoT vendors stick to their patch schedules. "If you don't patch, there's a bot waiting out there waiting," he warned.

An update.
A judge ordered the web hosting company DreamHost to redact identifying information about visitors to a website used to coordinate a protest during President Trump’s inauguration, imposing further limits on an extensive warrant obtained by the Justice Department that initially aimed to collect visitors’ IP addresses.
Chief Judge Robert E. Morin of the Superior Court of D.C. had previously ordered DreamHost to turn over information about the operators of the website. The Justice Department alleged that the site was used to privately communicate plans for a riot, and that it needed the IP addresses of the millions of visitors to the site in order to discover who had incited the violence. After resistance from DreamHost, the Justice Department narrowed the scope of its request.
In an order issued today, Morin said that the government would need to submit a report explaining the minimization procedures it would use when searching DreamHost’s data—in short the government would need to explain why it needs everything it needs. Only then would Morin allow the DoJ to review redacted data, and the government would again have to provide the court with its justification for removing any redactions.

Similar thinking to the “Walmart puts groceries in your ‘fridge” idea. Is this just a small extension of the “we trade privacy for convenience” trend?
Report: Amazon Testing In-Trunk Deliveries
Don't have a front porch or a doorman? In the future, you may be able to receive packages from Amazon inside your home or the trunk of your car.
CNBC on Tuesday reported that the online retail giant is "in advanced talks" with the smart license plate maker Phrame about a new trunk delivery idea.
Phrame makes a device that fits around your license plate and turns it into a "military strength lockbox for your keys" that can be accessed with your permission using an accompanying app, according to the company's website. [Would there be a lot of call for this other than Amazon, Walmart, et al.? Bob]

(Related). Of course, Amazon wants to enter your home too.
Amazon to develop a smart doorbell to deliver packages inside your home

An update you might have missed.
Footage ‘tells the truth,’ Utah nurse says after the SLC officer who arrested her was fired
Salt Lake City Police Chief Mike Brown has fired one officer and demoted another in response to the July 26 arrest of University Hospital nurse Alex Wubbels, according to records obtained by The Salt Lake Tribune.
Detective Jeff Payne, who arrested Wubbels, was fired Tuesday. Payne’s watch commander the day of the confrontation, Lt. James Tracy, was demoted to police officer III effective Wednesday, according to the documents signed by Brown and sent to the men.
Brown’s decision is the culmination of an internal affairs investigation that began a day after the confrontation between Wubbels and Payne. The probe ultimately found that both officers had violated a number of department policies.

This would be a rather significant change.
Britain considers regulating Facebook and Google as news publishers
Britain is considering classifying and regulating Facebook and Google as news publishers, rather than platforms.
… Consultancy group Enders Analysis says 6.5M British internet users get most of their news from Facebook.

For my students.
Amazon launches $5.49 monthly Prime Student subscription in the U.S.
… For students, however, Amazon has offered a 50 percent discount on the annual subscription, meaning those in an eligible two- or four-year program in the U.S. would only pay $49 for the year.
… Amazon is attempting to lure more students on board with a $5.49 monthly subscription plan bundled into a free six-month trial offer. So basically anyone with an .edu email address can get Amazon Prime totally free for six months, after which they can elect to remain on the plan without committing to a full year’s subscription.

For my Spreadsheet students.
Working in Excel spreadsheets is all about saving time. You don’t want to have any slowdowns in your workflow that decrease your productivity. To that end, you’ve hopefully set up your own Excel keyboard shortcuts and know the best ways around the software.
There’s a small but useful change you can make to how the Enter button functions. Out of the box, pressing Enter will move the highlighted box down by one cell. But if you prefer, you can change this so Enter moves the selected box one cell to the right instead.
Though it’s a bit unnatural, you can also set this to Up or Left if you prefer. In fact, if you uncheck the After pressing Enter box, you can completely disable Enter’s functionality. With this unchecked, pressing Enter does nothing.

For my students who enter the Great Pumpkin contest.
