Very interesting. They screwed up and then fixed it. Would a larger company (not staffed entirely with techies) be able to do as well? Take the time to read the rest of this article…
Here’s an example of how to timely detect and disclose a breach transparently.
Halloween Security Breach
By Sean Blanchfield
PageFair security breach has been resolved – here is what you need to know.
Update 1 – 21:30 GMT November 1, 2015
Core Facts
If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now. For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.
The attack was sophisticated and specifically targeted against PageFair, but it is unacceptable that the hackers could gain access to any of our systems. We identified the breach immediately, but it still took over 80 minutes to fully shut it down. During this time, visitors to websites owned by the publishers who have placed their trust in us were targeted by these hackers.
The damage was mitigated by our standard security practices, but the attackers still gained access. I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again.
We will update this post as we establish more facts.
As expected.
A caution from the Daily Mail:
In the past week, many pensioners have told the Daily Mail how they have fallen victim to conmen pretending to be from TalkTalk. They often claim to be offering compensation for the data breach before asking for victims’ bank account details.
Last night a senior cyber-crime officer warned: ‘The fraudsters look for victims in their 60s, 70s, 80s and 90s. Some of the conmen have call centre training which means they sound genuine when they call up pretending to be from a telecoms company.
If you know someone who might be at risk, do give them a heads up about this. It’s not uncommon to see criminals use stolen data to try to phish for more, but it’s worth a reminder.
(Related) Could this be the result of the TalkTalk breach? Customers using the same password on both systems? Would customers be on both at the same time? Perhaps they quit TalkTalk and opened accounts on Vodafone?
Almost 2,000 Vodafone customers 'open to fraud'
Criminals used customer details gained from "an unknown source" to try to access accounts between Wednesday and Thursday, the company said.
The telecommunications giant said 1,827 customers had their accounts accessed, with criminals potentially gaining their names and some bank details.
But it insisted its systems had not been breached.
… Vodafone said its security protocols had been "fundamentally effective", but the criminals had potentially gained customers' names, their mobile phone numbers, bank sort codes and the last four digits of their bank account numbers.
… The BBC's technology correspondent Rory Cellan-Jones said the email addresses and passwords criminals used to try to access Vodafone accounts appeared to have been bought on the dark web. [This makes it look like there was a breach. Bob]
Maybe it's me, but I don't see much of a change here. Perhaps an increase in resources devoted to cybersecurity as new technologies are adopted, but the boards I worked with always seemed to understand the risks of IT.
Cybersecurity: The changing role of audit committee and internal audit
by Sabrina I. Pacifici on Nov 1, 2015
Deloitte: “Among the most complex and rapidly evolving issues companies must contend with is cybersecurity. With the advent of mobile technology, cloud computing, and social media, reports on major breaches of proprietary information and damage to organisational IT infrastructure have also become increasingly common, thus transforming the IT risk landscape at a rapid pace. International media reports on high-profile retail breaches and the major discovery of the Heartbleed security vulnerability posing an extensive systemic challenge to the secure storage and transmission of information via the Internet have shone a spotlight on cybersecurity issues. Consequently, this has kept cybersecurity a high priority [Not a new or increased priority Bob] on the agenda of boards and audit committees…”
No liability here, by statute.
Megan Newquist reports:
Imagine a burglar stalking his victims and taking pictures of their cars in parking lots, knowing their whereabouts and then breaking into their homes.
Eden Prairie police say that’s exactly what 45-year-old David William Pollard was doing, but they didn’t know how until he was arrested leaving a Minnetonka home on April 14.
[…]
Inside Pollard’s car that night, police found a slew of stolen property. In addition, police say they uncovered how Pollard was able to find his victims – through a subscription-based online account that allowed him to look up individuals by their license plate numbers.
Read more on WDAZ.
[From the article:
5 EYEWITNESS NEWS created an account on the website in question and searched a co-worker's license plate number. The results included his date of birth, name, address, make and model of car and even his vehicle’s identification number.
… DPS claims it took action against the bulk data purchaser who was re-selling this information to the website in question in 2006. It claims the purchaser’s access was terminated. But our investigation revealed the license plate data on that website was updated as recently as Dec. 31, 2011. Our employee whose license plate number was checked purchased the vehicle in 2009, three years after DPS claims it terminated the particular purchaser’s access to bulk data purchases.
… The Department of Public Safety stopped selling this personal information in bulk on Jan. 1. But unless you’ve moved or purchased a new car, your information is still out there for anyone to find.
Removing hoods is probably good. Unless of course, they point to the wrong people. Or someone starts targeting them with 'sticks and stones.' Will they recognize that someone is on an “enemies list” rather than a membership list?
Samburaj Das reports:
Anonymous has made good on its threat to expose KKK members on the internet to reveal phone numbers and emails of alleged KKK members.
Activist collective Anonymous has long had a feud with members of the radical Ku Klux Klan. There is a history there. Recently, Anonymous threatened to dox a thousand members of the KKK, unhooding them publicly in cyberspace.
Read more on Hacked.com.
So far, there have been three pastes, all linked from @YourAnonNews’ Twitter account. The first paste contains two email addresses associated and 10 phone numbers without names or additional details. The second paste contains an 800- phone number, 10 phone numbers without names, and another email address. The third paste contains more phone numbers and 21 email addresses, the majority of which are on .ru domains.
Note that not all the phone numbers are registered to individuals, but one of the numbers DataBreaches.net checked using reverse phone lookup was reported to be associated with the KKK by someone on 800Notes.com who reported getting a call from the number which he described as KKK – “threatening.”
Some of the information in the pastes does not appear to be new, as at least one number checked by DataBreaches.net had been leaked before following Ferguson with the individual’s full name, address, credit card details, etc.
Note: In a fourth paste that actually preceded the three noted above, “Amped Attacks” (@sgtbilko420 on Twitter) released the names of nine politicians – four U.S. Senators and five mayors – whose email addresses showed up in KKK databases he claims to have hacked. Amped Attacks does not provide their email or postal addresses, or phone numbers, and the basis for him declaring them part of KKK or a supporter of them is that he can seemingly come up with no reason for their email to be in a KKK database unless they’re a member or a supporter.
In addition to the paste, Amped Attacks has also taken down some KKK sites, with evidence provided in his tweet stream. In one tweet, he declared that he is not part of Anonymous but respects #OpKKK.
I expected much more from South Korea but then these decisions are made by politicians not techies.
Child monitoring app pulled in S Korea
… South Korea mandated in April that all children's phones must be monitored.
However, the regulator said the decision to suspend the app had been made prior to the release of a damning report about its security.
The KCC told news agency AP that the decision had been made because of the abundance of free apps now available.
Smart Sheriff had been downloaded hundreds of thousands of times inside the country and was created by a group of telecoms companies known as the Korean Mobile Internet Business Association (Moiba).
Two reports issued, one by the University of Toronto and the other by software auditing firm Cure53, described Smart Sheriff's security as "catastrophic".
The report authors found that children's personal details were not stored securely and that the parental filters applied were easy to disable.
"Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited," said independent researcher Colin Anderson, who worked on the report, at the time.
So much for yesterday's “easy to understand” privacy policy…
Snapchat reassures users that photo messages are still totally private
Photo-messaging app Snapchat has reassured users that their photos will not be stored on its servers after changes to its privacy policy caused widespread confusion.
The Venice, California-based company published a blog post on Sunday clarifying changes that were made to its Privacy Policy and Terms and Services last week. Photos shared through Snapchat disappear after the recipient has viewed them, but users have been fretting that the updates allowed Snapchat to store photos and share them with advertisers.
Photo messages "are automatically deleted from our servers once we detect that they have been viewed or have expired", just as they were before, Snapchat said. It does not stockpile pictures, and never has.
I'm not sure this is how I would teach lawyers to code, but I'll pass it along anyway.
Coding For Lawyers – Open Source
by Sabrina I. Pacifici on Nov 1, 2015
V. David Zvenyach – “What? Lawyers and Coding? It’s true. Lawyers can code. In fact, if you’re a lawyer, the truth is that it’s easier than you think. I am a lawyer, and a coder. In the course of two years, I have gone from knowing essentially nothing to being a decent coder in several languages. This book is intended to drastically shorten that time for others who, like me, decide that they want to learn to code. Why this book? One thing that I discovered, when learning to code, is that there are surprisingly few freely available books on the basics of coding, books that assume you know nothing about coding, books that assume you went to law school because you didn’t like numbers. And, we need more lawyers who code…”
Not being one for “binge TV watching” I could see myself doing some serious binge reading. Especially as books become as cheap as I am. This points you to an interesting article.
The Cost of Used Books Plummets as Availability Swells
by Sabrina I. Pacifici on Nov 1, 2015
New York Times – A Penny for Your Books By Dan Nosowitz, October 26, 2015: “…in recent years, my bookshelves have swelled. Old John le Carré and Donald E. Westlake and Lawrence Block titles are easier than ever to find online, along with pretty much every other book published in the last century. They’re all on Amazon, priced incredibly low, and sold by third-party booksellers nobody has ever heard of… In 2014, publishers sold just over 2.7 billion books domestically, for a total net revenue of just under $28 billion, a larger profit than in the preceding two years, according to the Association of American Publishers. There were just over 300,000 new titles (including re-releases) published in the United States in 2013. The book industry may not be as strong as it once was, but it’s still enormous, and generates a considerable amount of surplus product each year.”
[From the article:
Enter the penny booksellers. There are dozens of sellers — Silver Arch Books, Owls Books, Yellow Hammer Books and Sierra Nevada Books — offering scores of relatively sought-after books in varying conditions for a cent. Even including the standard $3.99 shipping, the total sum comes out to several dollars cheaper than what you’d pay at most brick-and-mortar used-book stores.