Friday, June 29, 2018

A good update.
Massive data leak could affect nearly all American adults, security researcher says
… No evidence has surfaced that anyone with malicious intent actually obtained the Exactis data. That makes it different from the Equifax hack, which was a cyberattack on the company’s data.
… Troia told Wired he was curious about the security of ElasticSearch, which the magazine described as “a popular type of database that’s designed to be easily queried over the internet using just the command line.” When he did a search on the database, he found the Exactis database, which was unprotected. He said he also told the Federal Bureau of Investigation about his findings. [Much more likely to get the company moving… Bob]
… The information leaked by Exactis did not include Social Security numbers like the Equifax breach did. But it did include some general financial information, Troia said Thursday.
“When I looked myself up, I found the name of my mortgage lender, the value class of my home and whether or not I had certain kind of credit card,” Troia said.


(Related)
The Elastic Stack
Built on an open source foundation, the Elastic Stack lets you reliably and securely take data from any source, in any format, and search, analyze, and visualize it in real time.




A much smaller breach. Note that they suggest this is only a “possible” breach, but definitely say it is “limited in scope.” Someone told them about the breach; they did not detect it.
Adidas Warns Millions of U.S. Customers About a Potential Data Breach
Adidas has warned millions of U.S. customers of a potential data breach.
The athletic-wear company announced in a press release on Thursday that an “unauthorized party” claims to have acquired customer data from its U.S. website. According to a preliminary investigation conducted by outside data security firms and law enforcement, the leaked data is believed to be limited in scope.
… Adidas first became aware of the security issue on June 26, but did not say when the breach occurred.
“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokesperson told Bloomberg.




Another mishandled breach?
Bank says Ticketmaster knew of breach months before taking action
Ticketmaster UK announced on its site yesterday that it identified malicious malware on June 23rd that had affected nearly five percent of their customers, allowing an unknown third-party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.
… But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.
In a statement released by its Financial Crime team today, Monzo describes the events from its perspective.
… On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.
During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.
This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulations (GDPR), companies are required to report information of a breach within 72 hours. Not 76 days.




A third-party breach.
Facebook’s race to prove it’s a good and trustworthy company over the last few months kicked off when it was revealed that a quiz app sold user data to a political firm. Now, a different quiz app is getting some heat. A researcher discovered that a third-party app called NameTests left the data of 120 million Facebook users exposed to anyone who happened to find it.
… On Wednesday, De Ceukelaire described the process of reporting a flaw in the website behind the quiz app to Facebook’s newly founded Data Abuse Bounty program. Having never personally used a quiz app, De Ceukelaire started looking at the apps his friends on Facebook had installed. He elected to take his first quiz through the NameTests app. As he started tracing how his data was being handled, he noticed that NameTests’ website was fetching his information from the URL “http://nametests.com/appconfig_user”. His personal data was held in a JavaScript file that could easily be requested by any website that knew to ask.
… De Ceukelaire wrote, “depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.” He made a video of a dummy website he set up to take advantage of the flaw if you’d like to see how it works in practice.
The NameTests vulnerability may have been a simple mistake or an example of negligence, but it’s certainly a visceral example of how little oversight Facebook has over user data as it floats out to the world across thousands of apps.
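Added example (not code from the article, from NameTests or from De Ceukelaire): a small Node.js model of the pattern the article describes, a signed-in user's profile served as an executable script that any site can load with a script tag, next to a hardened form that serves plain JSON and only answers its own origin. The session cookie, origins, user data and handler names are assumed.

```javascript
// Constructed session store and the app's own origin (both assumed, not from the article).
const SESSIONS = { 'sid=abc123': { id: '1001', name: 'Alice', dob: '1990-01-01' } };
const ALLOWED_ORIGINS = new Set(['https://quiz.example']);

function userFromCookie(req) {
  return SESSIONS[req.headers.cookie || ''] || null;
}

// Vulnerable pattern: profile delivered as executable JavaScript with no origin check.
// A <script src> from any site carries the user's cookie, so any site can run it.
function vulnerableAppConfig(req) {
  const user = userFromCookie(req);
  if (!user) return { status: 401, headers: {}, body: '' };
  return { status: 200, headers: { 'content-type': 'application/javascript' },
           body: 'window.appConfig = ' + JSON.stringify(user) + ';' };
}

// Hardened: plain JSON (cannot run as a script), nosniff so the browser will not
// execute it anyway, and CORS headers only for the app's own origin.
function hardenedAppConfig(req) {
  const origin = req.headers.origin;
  if (origin && !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: '' };
  const user = userFromCookie(req);
  if (!user) return { status: 401, headers: {}, body: '' };
  const headers = { 'content-type': 'application/json',
                    'x-content-type-options': 'nosniff', vary: 'Origin' };
  if (origin) headers['access-control-allow-origin'] = origin;
  return { status: 200, headers, body: JSON.stringify(user) };
}

// Simulates a third-party page doing <script src="https://quiz.example/appconfig_user">:
// no Origin header is sent, the cookie is, and a JavaScript response is executed.
function scriptInclude(handler) {
  const res = handler({ headers: { cookie: 'sid=abc123' } });
  if (res.status !== 200 || res.headers['content-type'] !== 'application/javascript') return null;
  const win = {};
  new Function('window', res.body)(win); // whatever lands on window is readable by that page
  return win.appConfig || null;
}

// Simulates fetch() with credentials from `origin`: the body is readable only if
// the response allows that origin (the browser's same-origin policy otherwise hides it).
function corsFetch(handler, origin) {
  const res = handler({ headers: { cookie: 'sid=abc123', origin } });
  const allowed = res.headers['access-control-allow-origin'];
  return res.status === 200 && allowed === origin ? JSON.parse(res.body) : null;
}
```

The first handler leaks the profile to any page that embeds the script; the second returns nothing readable to a foreign origin while the app's own front end still gets its JSON.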




If you are the Computer Security manager, you may be an insider.
Equifax Engineer Who Designed Breach Website Charged With Insider Trading
… In August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu's bosses described as a major project for one of the company's clients who suffered a major breach that exposed details of over 100 million users.
Unknown to Bonthu, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users.
… SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was Equifax itself.
Using this information, the SEC says Bonthu used his wife's brokerage account to sell Equifax stock and eventually made more than $75,000, a return of more than 3,500% on his initial investment.




A non-breach for my Computer Security students to consider.
The Federal Communications Commission just settled an investigation into AT&T 911 outages from last year, hitting the telecom company with a $5.25 million fine. The FCC’s Enforcement Bureau made the announcement on Thursday, stating that “such preventable outages are unacceptable.”
Aside from the fine—which is really a drop in the bucket for the billion-dollar behemoth—AT&T must also make changes and enhancements to its systems to mitigate and soften the blow of future outages, as well as “regularly file compliance reports with the FCC.”
… The two AT&T 911 outages investigated by the FCC, which occurred on March 8 and May 1 of 2017, lasted about five hours and 47 minutes, respectively. Around 12,600 users were unable to complete 911 calls during the March outage, with 2,600 failed 911 calls during the May outage.
“The FCC’s investigation also found that, during the March outage, the company failed to quickly, clearly, and fully notify all affected 911 call centers,” [Remember, the phones are out… Bob] the news release states.




The GDPR era is beginning, as expected, in California.
California just passed one of the toughest data privacy laws in the country
… The California Consumer Privacy Act of 2018 is set to dramatically change how businesses handle data in the most populous state. Companies that store personal information — from major players like Google and Facebook, down to small businesses — will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold. The bill, which passed both chambers unanimously, was signed later in the day by Gov. Jerry Brown.
The legislation, which is similar to Europe’s new GDPR protections, is the result of a last-minute attempt to head off a ballot measure that would have brought a slightly different set of privacy rules to the state. The just-passed bill does not fully reproduce the initiative — it would, among other differences, require the disclosure of only the “category” of a third-party that receives personal information, instead of the identity of the third-party itself. But the legislation was close enough that the campaign for the ballot measure agreed to pull its proposal if the bill was signed into law by the deadline to withdraw today.
Perhaps most importantly, passing the privacy rules as legislation allows lawmakers to more easily change them, while a ballot measure would be more difficult to amend. The law is set to come into effect at the start of 2020, giving the tech industry an opportunity to address its grievances.




Probably won’t solve everything, but it’s a start.
Twitter launches its Ads Transparency Center, where you can see ads bought by any account
… Twitter says that with this tool, you should be able to search for any Twitter handle and bring up all the ad campaigns from that account that have run for the past seven days. For political advertisers in the U.S., there will be additional data, including information around billing, ad spend, impressions per tweet and demographic targeting.
Everyone should be able to access the Ads Transparency Center, no login required.




Another small step on Amazon’s path to world domination.
Buying PillPack would have cost Walmart about $700 million. Not buying it wiped $3 billion off the stock
Walmart was the lead buyer for months in talks to buy online pharmacy start-up PillPack. But Amazon swooped in, ultimately making a higher offer of around $1 billion. Losing that deal ended up costing Walmart about $2.3 billion, at least in terms of market value. Here's how.
According to a person familiar with the discussions, Walmart's original offer was just over $700 million, but Walmart dallied in closing the deal because of regulatory concerns. Meanwhile, Amazon had already been interested, then ramped up talks after CNBC's April report that PillPack was in acquisition talks.
After the news was announced on Thursday by the two companies, Walmart's stock took a tumble, along with the largest drug supply chains. The company lost $1.03 between Wednesday's close and Thursday's close, falling from $86.89 to $85.86. That loss, multiplied by 2,950,844,393 shares outstanding based on their 10-Q from earlier this month, yields a loss in market value of $3.04 billion.


(Related)
Walgreens, CVS and Rite-Aid lose $11 billion in value after Amazon buys online pharmacy PillPack
Rite Aid plunged 11.1 percent, Walgreens Boots Alliance sank 9.9 percent and CVS Health fell 6.1 percent, respectively. The three companies collectively lost approximately $11 billion in market value on Thursday alone. Conversely, Amazon shares rose nearly 2.5 percent, adding more than $19.8 billion in market value.


(Related) Brilliant or wacky? Either way, it points out how difficult it must be for new businesses to enter this market.
Analyst: Google should give everyone in U.S. a free Home Mini speaker to stop Amazon
… Arguably what’s at stake, as conversational AI grows more reliable and robust, is who gets to act as a portal to streaming video services, streaming audio, web searches, shopping, and someday a bevy of in-home services.
… That’s also why Morgan Stanley analyst Brian Nowak told Marketplace today that Google parent company Alphabet should buy every household in the United States a $49 Home Mini smart speaker. At a price of $3.3 billion, doing so could help the company compete with Amazon and return profits five times over in retail search gains.




When Mark Zuckerberg said, “Move fast and break things,” he probably didn’t mean break the law.
Bird scooters arrive in downtown Milwaukee, but city attorney says they're illegal to use on streets, sidewalks
The Bird scooters that landed in downtown Milwaukee this week need to be returned to the cage and cannot be legally operated on city streets or sidewalks, a city attorney says.
… "BIRD’s Motorized Scooters may NOT be lawfully operated on any public street or sidewalk in the City of Milwaukee," he wrote.
Riders of the scooters could be issued a $98.80 citation and could also be cited for operating while intoxicated if they have been drinking, he wrote.

