A good update.
Massive data leak could affect nearly all American adults, security researcher says
… No evidence has surfaced that anyone with malicious intent actually obtained the Exactis data. That makes it different from the Equifax hack, which was a cyberattack on the company’s data.
… Troia told Wired he was curious about the security of ElasticSearch, which the magazine described as “a popular type of database that’s designed to be easily queried over the internet using just the command line.” When he did a search on the database, he found the Exactis database, which was unprotected. He said he also told the Federal Bureau of Investigation about his findings. [Much more likely to get the company moving… Bob]
… The information leaked by Exactis did not include Social Security numbers like the Equifax breach did. But it did include some general financial information, Troia said Thursday. “When I looked myself up, I found the name of my mortgage lender, the value class of my home and whether or not I had certain kind of credit card,” Troia said.
(Related)
The Elastic Stack
Built on an open source foundation, the Elastic Stack lets you reliably and securely take data from any source, in any format, and search, analyze, and visualize it in real time.
A much smaller breach. Note that they suggest this is only a “possible” breach, but definitely say it is “limited in scope.” Someone told them about the breach; they did not detect it.
Adidas Warns Millions of U.S. Customers About a Potential Data Breach
Adidas has warned millions of U.S. customers of a potential data breach.
The athletic-wear company announced in a press release on Thursday that an “unauthorized party” claims to have acquired customer data from its U.S. website. According to a preliminary investigation conducted by outside data security firms and law enforcement, the leaked data is believed to be limited in scope.
… Adidas first became aware of the security issue on June 26, but did not say when the breach occurred.
“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokesperson told Bloomberg.
Another mishandled breach?
https://techcrunch.com/2018/06/28/bank-says-ticketmaster-knew-of-breach-months-before-taking-action/
Bank says Ticketmaster knew of breach months before taking action
Ticketmaster UK announced on its site yesterday that it identified malicious malware on June 23rd that had affected nearly five percent of their customers, allowing an unknown third-party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.
… But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.
In a statement released by its Financial Crime team today, Monzo describes the events from its perspective.
… On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.
During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.
This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulations (GDPR), companies are required to report information of a breach within 72 hours. Not 76 days.
A third-party breach.
Facebook’s race to prove it’s a good and trustworthy company over the last few months kicked off when it was revealed that a quiz app sold user data to a political firm. Now, a different quiz app is getting some heat. A researcher discovered that a third-party app called NameTests left the data of 120 million Facebook users exposed to anyone who happened to find it.
… On Wednesday, De Ceukelaire described the process of reporting a flaw in the website behind the quiz app to Facebook’s newly founded Data Abuse Bounty program. Having never personally used a quiz app, De Ceukelaire started looking at the apps his friends on Facebook had installed. He elected to take his first quiz through the NameTests app. As he started tracing how his data was being handled, he noticed that NameTest’s website was fetching his information from the URL “http://nametests.com/appconfig_user”. His personal data was held in a JavaScript file that could easily be requested by any website that knew to ask.
… De Ceukelaire wrote, “depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.” He made a video of a dummy website he set up to take advantage of the flaw if you’d like to see how it works in practice.
The NameTest vulnerability may have been a simple mistake or an example of negligence, but it’s certainly a visceral example of how little oversight Facebook has over user data as it floats out to the world across thousands of apps.
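The NameTests flaw described above is a script-inclusion leak: personal data served as an executable JavaScript file, protected by nothing more than the cookie the victim’s browser attaches automatically, so any other site can load it with a script tag. The following is an added example, not NameTests’ or Facebook’s code. It models that endpoint beside a hardened one and shows what a third-party page would and would not obtain from each. The session store, the per-session token, the `quiz.example` host and the `X-App-Token` header name are constructed assumptions; `Sec-Fetch-Site`, `Sec-Fetch-Dest` and `X-Content-Type-Options: nosniff` are the real browser mechanisms.

```javascript
// Added example (not NameTests' or Facebook's code). It models the leak the
// article describes, personal data returned as a JavaScript file that any
// website could load with a <script> tag, next to a hardened handler.
// Requests and responses are plain objects, so no server or network is needed.

// Constructed sample session store: cookie value -> user record plus a
// per-session token that only first-party pages are given (hypothetical).
const SESSIONS = {
  "sess-abc123": {
    token: "tok-7f3a9c",
    user: { fbId: "1000000000001", firstName: "Alice", lastName: "Example", birthday: "1990-01-01" },
  },
};

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function reply(status, body = "", headers = {}) {
  return { status, headers, body };
}

// VULNERABLE: authentication is the ambient session cookie alone, and the
// record is wrapped in executable JavaScript. A page on any origin can embed
// <script src="https://quiz.example/appconfig_user"></script>; the victim's
// browser attaches the cookie, runs the response, and the embedding page
// reads the global variable it defines.
function vulnerableAppConfig(req) {
  const session = SESSIONS[parseCookies(req.headers.cookie).session];
  if (!session) return reply(401);
  return reply(200, `var user_data = ${JSON.stringify(session.user)};`,
    { "content-type": "application/javascript" });
}

// HARDENED: three independent controls, any one of which stops the leak.
//  1. Fetch Metadata: refuse cross-site requests and any request whose
//     destination is a script (modern browsers send Sec-Fetch-Site and
//     Sec-Fetch-Dest; when absent, the remaining checks still apply).
//  2. Require a per-session token that an embedding page cannot obtain.
//  3. Serve plain JSON with X-Content-Type-Options: nosniff so the body is
//     never executed as a script even if loaded through a <script> tag.
function hardenedAppConfig(req) {
  const h = req.headers;
  const site = h["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") return reply(403);
  if (h["sec-fetch-dest"] === "script") return reply(403);
  const session = SESSIONS[parseCookies(h.cookie).session];
  if (!session) return reply(401);
  if (h["x-app-token"] !== session.token) return reply(403);
  return reply(200, JSON.stringify(session.user), {
    "content-type": "application/json",
    "x-content-type-options": "nosniff",
    "cache-control": "no-store",
  });
}

// Models what a third-party page learns from a <script src=...> include: the
// browser executes the response only when it is served as JavaScript (with
// nosniff, a non-script MIME type is blocked). Returns the exposed record, or
// null when nothing is exposed.
function simulateScriptInclude(res) {
  if (res.status !== 200) return null;
  const ct = res.headers["content-type"] || "";
  if (!ct.startsWith("application/javascript")) return null;
  try {
    return new Function(`${res.body}; return user_data;`)();
  } catch (e) {
    return null;
  }
}

// Constructed request: what the victim's browser sends when some other site
// includes the endpoint as a script (cookie attached, no app token).
const crossSiteScriptLoad = {
  headers: { cookie: "session=sess-abc123", "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
};

// Constructed request: the quiz site's own page calling its API.
const firstPartyApiCall = {
  headers: { cookie: "session=sess-abc123", "sec-fetch-site": "same-origin",
             "sec-fetch-dest": "empty", "x-app-token": "tok-7f3a9c" },
};

console.log("vulnerable, cross-site include:", simulateScriptInclude(vulnerableAppConfig(crossSiteScriptLoad)));
console.log("hardened, cross-site include:", simulateScriptInclude(hardenedAppConfig(crossSiteScriptLoad)));
console.log("hardened, first-party call:", hardenedAppConfig(firstPartyApiCall).status);
```

The three controls are deliberately independent: a browser old enough to send no Fetch Metadata headers is still stopped by the token check, and a misconfiguration that drops the token check still cannot leak through a script tag as long as the body is JSON with nosniff. When reviewing an API that returns per-user data, the question to ask is the one this model answers: if another origin loaded this URL with the victim’s cookies, what would it get back?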
If you are the Computer Security manager, you may be an insider.
Equifax Engineer Who Designed Breach Website Charged With Insider Trading
… In August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu's bosses described as a major project for one of the company's clients who suffered a major breach that exposed details of over 100 million users.
Unknown to Bonthu, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users.
… SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was Equifax itself.
Using this information, the SEC says Bonthu used his wife's brokerage account to sell Equifax stock and eventually made more than $75,000, a return of more than 3,500% on his initial investment.
A non-breach for my Computer Security students to consider.
The Federal Communications Commission just settled an investigation into AT&T 911 outages from last year, hitting the telecom company with a $5.25 million fine. The FCC’s Enforcement Bureau made the announcement on Thursday, stating that “such preventable outages are unacceptable.”
Aside from the fine—which is really a drop in the bucket for the billion-dollar behemoth—AT&T must also make changes and enhancements to its systems to mitigate and soften the blow of future outages, as well as “regularly file compliance reports with the FCC.”
… The two AT&T 911 outages investigated by the FCC, which occurred on March 8 and May 1 of 2017, lasted about five hours and 47 minutes, respectively. Around 12,600 users were unable to complete 911 calls during the March outage, with 2,600 failed 911 calls during the May outage.
“The FCC’s investigation also found that, during the March outage, the company failed to quickly, clearly, and fully notify all affected 911 call centers,” [Remember, the phones are out… Bob] the news release states.
The GDPR era is beginning, as expected, in California.
California just passed one of the toughest data privacy laws in the country
… The California Consumer Privacy Act of 2018 is set to dramatically change how businesses handle data in the most populous state. Companies that store personal information — from major players like Google and Facebook, down to small businesses — will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold. The bill, which passed both chambers unanimously, was signed later in the day by Gov. Jerry Brown.
The legislation, which is similar to Europe’s new GDPR protections, is the result of a last-minute attempt to head off a ballot measure that would have brought a slightly different set of privacy rules to the state. The just-passed bill does not fully reproduce the initiative — it would, among other differences, require the disclosure of only the “category” of a third-party that receives personal information, instead of the identity of the third-party itself. But the legislation was close enough that the campaign for the ballot measure agreed to pull its proposal if the bill was signed into law by the deadline to withdraw today.
Perhaps most importantly, passing the privacy rules as legislation allows lawmakers to more easily change them, while a ballot measure would be more difficult to amend. The law is set to come into effect at the start of 2020, giving the tech industry an opportunity to address its grievances.
Probably won’t solve everything, but it’s a start.
Twitter launches its Ads Transparency Center, where you can see ads bought by any account
… Twitter says that with this tool, you should be able to search for any Twitter handle and bring up all the ad campaigns from that account that have run for the past seven days. For political advertisers in the U.S., there will be additional data, including information around billing, ad spend, impressions per tweet and demographic targeting.
Everyone should be able to access the Ads Transparency Center, no login required.
Another small step on Amazon’s path to world domination.
Buying PillPack would have cost Walmart about $700 million. Not buying it wiped $3 billion off the stock
Walmart was the lead buyer for months in talks to buy online pharmacy start-up PillPack. But Amazon swooped in, ultimately making a higher offer of around $1 billion. Losing that deal ended up costing Walmart about $2.3 billion, at least in terms of market value. Here's how.
According to a person familiar with the discussions, Walmart's original offer was just over $700 million, but Walmart dallied in closing the deal because of regulatory concerns. Meanwhile, Amazon had already been interested, then ramped up talks after CNBC's April report that PillPack was in acquisition talks.
After the news was announced on Thursday by the two companies, Walmart's stock took a tumble, along with the largest drug supply chains. The company lost $1.03 between Wednesday's close and Thursday's close, falling from $86.89 to $85.86. That loss, multiplied by 2,950,844,393 shares outstanding based on their 10-Q from earlier this month, yields a loss in market value of $3.04 billion.
(Related)
Walgreens, CVS and Rite-Aid lose $11 billion in value after Amazon buys online pharmacy PillPack
… Rite Aid plunged 11.1 percent, Walgreens Boots Alliance sank 9.9 percent and CVS Health fell 6.1 percent, respectively. The three companies collectively lost approximately $11 billion in market value on Thursday alone. Conversely, Amazon shares rose nearly 2.5 percent, adding more than $19.8 billion in market value.
(Related) Brilliant or wacky? Either way, it points out how difficult it must be for new businesses to enter this market.
Analyst: Google should give everyone in U.S. a free Home Mini speaker to stop Amazon
… Arguably what’s at stake, as conversational AI grows more reliable and robust, is who gets to act as a portal to streaming video services, streaming audio, web searches, shopping, and someday a bevy of in-home services.
… That’s also why Morgan Stanley analyst Brian Nowak told Marketplace today that Google parent company Alphabet should buy every household in the United States a $49 Home Mini smart speaker. At a price of $3.3 billion, doing so could help the company compete with Amazon and return profits five times over in retail search gains.
When Mark Zuckerberg said, “Move fast and break things,” he probably didn’t mean break the law.
Read more at: https://www.brainyquote.com/quotes/mark_zuckerberg_453439
Bird scooters arrive in downtown Milwaukee, but city attorney says they're illegal to use on streets, sidewalks
The Bird scooters that landed in downtown Milwaukee this week need to be returned to the cage and cannot be legally operated on city streets or sidewalks, a city attorney says.
… "BIRD’s Motorized Scooters may NOT be lawfully operated on any public street or sidewalk in the City of Milwaukee," he wrote.
Riders of the scooters could be issued a $98.80 citation and could also be cited for operating while intoxicated if they have been drinking, he wrote.