Wednesday, April 25, 2018

Cheap at twice the price?
$35 Million Penalty for Not Telling Investors of Yahoo Hack
US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo's "crown jewels."
The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen 'crown jewel' data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.
While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.
Although Yahoo is no longer an independent company -- its financial holdings are in a separate company now called Altaba -- Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.
In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.
Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.
The purchase price was cut following revelations of the two major data breaches at Yahoo.

If it’s encrypted, it must be valuable?
Attacks on Encrypted Services
Encryption is one of the most basic necessities in the security arsenal. It’s what makes it possible for banks to offer online banking and funds transfers, or for consumers to make purchases online using their credit or debit cards. It’s what protects the public’s online interaction with government agencies or health care providers. It should surprise no one, however, that encrypted services are prime targets of DDoS attacks. Such services enable access to a wealth of personal, confidential and financial data. Identity thieves and cyber criminals can have a field day if they succeed in breaking web service encryption.
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government and education (EGE) respondents, 53 percent of detected attacks targeted encrypted services at the application layer. And 42 percent of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Socket Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52 percent to 61 percent.

(Related) This is a One Time Pad.
… “It’s just a random three-digit number that corresponds to a sign and then we have 10 different cards with random numbers,” Iannetta said. “As soon as they [the MASN broadcast] zoomed in… we heard about it and switched cards immediately. We switched to a different card with a whole new set of numbers. There’s no way to memorize it. There’s a random-number generator spitting out a corresponding number [for the cards], and the coaches have the same cards.”
In explaining the process, Iannetta said he’ll look toward the dugout see a coach use his fingers to send in the three-digit code and then look on his card for the corresponding call. It could be a throw over to first or nothing, no action. Iannetta said three-digit codes are never repeated in-game for the same call.
“If I get ‘1-4-3,’ and it’s a throw over to first base, we’ll never use ‘1-4-3’ again to throw over,” Iannetta said. “There will never be repetition… It’s pretty impossible to steal signs if you use the system we are using.”

Very “James Bond.” Not research an amateur would undertake. Which intelligence service wanted this laptop enough to “show off” their hack?
Hotel Rooms Around the World Susceptible to Silent Breach
In 2003, researchers from F-Secure were attending a security conference in Berlin – specifically, the ph-neutral hacker conference – when a laptop was stolen from a locked hotel room.
More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system's logs that anyone had entered the room in their absence.
F-Secure researchers told SecurityWeek, "Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states."
With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace – and eventually they found one. It took thousands of hours work over the last 15 years examining the system and looking for the tiniest errors of logic.
In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket -- in a hotel elevator, for example.

Start ‘em young!
More than 1 million children in the United States were affected by identity theft last year, according to a new study highlighting what’s easily the most overlooked demographic impacted by breaches of personally identifiable information.
The study, released Tuesday by Javelin Strategy & Research, claims that in 2017, more than $2.6 billion in losses may be attributed to incidents of identity theft involving children. The out-of-pocket cost to families is estimated at over $540 million.
… The study, which was funded by theft-protection service Identity Guard, also found a “strong connection” between children who are bullied and those affected by fraud. Kids bullied online are nine times more likely to have their identities stolen, researchers found.

I’ve been telling (and telling and telling) my Computer Security students that management often does not know what is happening. How could anyone miss this?
Fajita heist: Texas man sentenced to 50 years for stealing $1.2 million worth of food
Gilberto Escamilla, 53, was employed at the Darrel B. Hester Juvenile Detention Center in San Benito, Texas, until August 2017 — when it was discovered that he had been placing orders for fajitas using county funds and then selling them for his own profit since December 2008, according to Cameron County Court filings.
… According to The Brownsville Herald, Escamilla's scheme unraveled last August after a delivery driver with Labatt Food Service phoned the detention center to give kitchen employees a heads up that an 800-pound delivery of fajitas had arrived.
Employees immediately thought the delivery to be suspicious as minors at the detention center are not served fajitas, however the delivery driver insisted that had been delivering fajitas to the detention center's kitchen for the past nine years.

More on Facebook, et. al.
From the better-late-than-never dept.
For readers who are interested and may have missed what’s occurring with the Facebook breach, Cambridge Analytica, SCL, SCL Canada, and AggegatedIQ (AIQ) in Canada, there have been some remarkable meetings and testimony occurring that are worth watching. The latest was testimony by Zackary Massingham, Chief Executive Officer, AIQ, and Jeff Silvester, Chief Operating Officer, AIQ.
As the AIQ CEOs were giving their testimony and stating they have replied to all of the questions the UK ICO asked of them, someone, apparently from the UK ICO, texted the committee in real time to state what they were stating isn’t true and stated why it wasn’t true. It was a ball dropper as the committee read the text out loud in real time to the CEOs.
You can watch the 2-hour video from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) and their investigation into the “Breach of Personal Information Involving Cambridge Analytica and Facebook” here (meeting 101):
Click on the green icon labeled, “Watch on ParlVu”, for the video.
On the 26th of April, the investigation continues Starring Professors Colin J. Bennett, Thierry Giasson and Mozilla. You will be able to watch it from this link (meeting 102):
All previous meetings from this investigation, including the testimony from Chris Vickery, can be streamed by going to the following web page and by expanding the meeting dates (meetings 99 to 101 as of writing):

Just because it’s a lot of money.
Apple and Donohoe clear final hurdle for repayment of €13bn disputed tax bill
Apple will place the first tranche of its €13 billion Irish tax bill in an escrow account next month following the signing of a legal agreement between the Government and the US tech giant.
It is anticipated that Apple will make a series of unspecified payments into the account starting in May with the full amount expected to be recovered by the end of September.
… When interest is added the final figure could reach €15 billion but the Department of Finance said it was not possible to calculate the interest until all the money had been recovered.
… Both Apple and the Government are appealing the ruling on the grounds that Apple’s tax treatment was in line with Irish and European Union law.

A Privacy resource.
New on LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018
Via LLRXPete Recommends – weekly highlights on cyber security issues – April 23 2018 – Privacy and security issues impact every aspect of our lives – home, work, travel, education, health/medical, to name but a few. On a weekly basis Pete Weiss highlights articles and information that focus on the increasingly complex and wide ranging ways our privacy and security is diminished, often without our situational awareness.

How AI might be used.
New Product of the Year? Law Librarians Pick AI Research Tool from Bloomberg Law
A legal research tool that uses artificial intelligence to help legal researchers quickly find key language critical to a court’s reasoning has been selected by the American Association of Law Libraries as winner of its 2018 New Product Award.
AALL cited Points of Law, a tool developed by Bloomberg Law, for its ability to provide researchers with a court decision’s legal points and to identify legal precedents.
As I explained in my review of Points of Law last September, as a researcher scrolls through a court opinion, the tool highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings.
For each point of law within a case, a pop-up shows the top three cases cited in support of it.

Explaining BlockChain.
MIT Explainer: What is a blockchain?
  • “What is it? A public, permanent, append-only distributed ledger.
  • What’s that? A mathematical structure for storing data in a way that is nearly impossible to fake. It can be used for all kinds of valuable data.
  • Where did it come from? “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party.” These are the words of Satoshi Nakamoto, the mysterious creator of Bitcoin, in a message sent to a cryptography-focused mailing list in October 2008. Included was a link to a nine-page white paper describing a technology that some are now convinced will disrupt the financial system…”

Know the players!
Senate confirms Trump's pick for NSA, Cyber Command
Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the "dual-hat" leader of both the National Security Agency and U.S. Cyber Command.

A tool for looking at Instagram’s data on you.
Instagram launches “Data Download” tool to let you leave
Instagram’s “Data Download” feature can be accessed here or through the app’s privacy settings. It lets users export their photos, videos, archived Stories, profile, info, comments, and non-ephemeral messages, though it can take a few hours to days for your download to be ready.

(Related) Hacking Instagram.

A guide for my students.

For coding tips when writing your own?

Dilbert’s fool-proof system for avoiding bad reviews?

No comments: