Every technology that believes it is “new” thinks first about “selling features.” Why no one considers security a selling feature is beyond me. “Always bet on ignorance and intellectual laziness!”
Why VTech Breach is So Bad - and So Avoidable
The data breach involving Hong Kong toymaker VTech highlights a growing concern over manufacturers selling many more devices that are Internet-connected, yet apparently failing to safeguard those devices – and related information that gets collected and stored – against even the most rudimentary types of online attacks.
… The apparent severity of the breach at VTech, which reported an annual revenue of $1.9 billion earlier this year, has continued to increase since the company first confirmed Nov. 27 that it had been breached, with the latest count of breach victims hitting 11.2 million people. In its most recent breach notification, released Dec. 2, the company says that on Nov. 14, "an unauthorized party accessed VTech customer data" connected with the databases and servers behind these services:
… Hong Kong's privacy commissioner, as well as attorneys general in multiple U.S. states, have said they are probing the breach.
(Related) Those who do not study history security best practices are doomed to repeat it.
More Trouble For VTech -- Kids Tablet Is 'Easy' To Hack
VTech is having a quite abysmal week following a hack that exposed data on 6.4 million children and 4.8 million adults. Not only has its stock price dipped to a year low, security researchers have found two glaring vulnerabilities in its InnoTab Max tablet for kids, and it is refusing to answer questions on whether it even has a security team.
Ken Munro, who heads up consultancy Pen Test Partners, discovered the issues with the InnoTab within a day. It was simple to find the flaw because it’s been known for more than two years.
… There have been numerous signs VTech hasn’t paid enough attention to security. First, the hack itself, according to a Vice Motherboard report, was perpetrated with an age-old technique – SQL injection – that firms should be prepared for. It was storing most data, including children’s images and chat messages with parents, in unencrypted fashion. Its website was not protected with SSL web encryption. And its Android application used by parents to chat with their children was said to be vulnerable.
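Since the article names SQL injection as the “age-old technique” behind the breach, here is an added classroom illustration (not code from the article or from VTech) of the one habit that closes it: a login query built by string formatting beside the same query with bound parameters, run against a constructed sqlite3 table standing in for a parent-account store.

```python
import sqlite3


def make_db():
    # Constructed sample data, not VTech's schema. Passwords are kept in
    # plain text only to keep the sample short; a real store hashes them.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parents (email TEXT, password TEXT, child_name TEXT)")
    con.executemany(
        "INSERT INTO parents VALUES (?, ?, ?)",
        [("alice@example.com", "correct horse", "Amy"),
         ("bob@example.com", "hunter2", "Ben")],
    )
    return con


def login_vulnerable(con, email, password):
    # The query text is assembled from user input, so quote characters in
    # the input become SQL syntax and change the WHERE clause.
    sql = ("SELECT child_name FROM parents WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, email, password):
    # Bound parameters: the driver passes the values separately from the
    # SQL text, so the same input is compared as data and matches nothing.
    sql = "SELECT child_name FROM parents WHERE email = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (email, password))]


# The textbook probe string; it is the input, not a credential.
PROBE = "' OR '1'='1"


def demo():
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, PROBE, PROBE),        # every child_name
        "parameterized": login_parameterized(con, PROBE, PROBE),  # nothing
        "legit": login_parameterized(con, "alice@example.com", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns both children's names for a caller who knows no password at all; the parameterized variant returns an empty list for the same input and still works for a real credential.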
The continuing joy of data breaches.
Target in $39.4 million settlement with banks over data breach
Target Corp has agreed to pay $39.4 million to resolve claims by banks and credit unions that said they lost money because of the retailer's late 2013 data breach.
The settlement filed on Wednesday resolves class-action claims by lenders seeking to hold Target responsible for their costs to reimburse fraudulent charges and issue new credit and debit cards.
… Target reached a similar accord with MasterCard in April, but it was rejected the next month when card issuers deemed the sum too low.
… Earlier this year, Target agreed to pay Visa Inc card issuers as much as $67 million over the breach and reached a $10 million settlement with shoppers. The latter accord won court approval last month.
Last week, Target said it had spent $290 million related to the breach, and expected insurers to reimburse $90 million. It still faces shareholder lawsuits, as well as probes by the Federal Trade Commission and state attorneys general, over the breach.
Almost exactly what my Computer Security students concluded would happen. Perhaps this is easier than giving their hackers a bad performance review?
If I knew emojis, I’d include one for “highly skeptical” to accompany this story. Ellen Nakashima reports:
The Chinese government recently arrested a handful of hackers it says were connected to the breach of Office of Personnel Management’s database earlier this year, a mammoth break-in that exposed the records of more than 22 million current and former federal employees.
The arrests took place shortly before a state visit in late September by President Xi Jinping, and U.S. officials say they appear to have been carried out in an effort to lessen tensions with Washington.
The identities of the suspects — and whether they have any connection to the Chinese government — remain unclear.
Read more on Washington Post.
For my Forensics students.
Orin Kerr writes:
On Tuesday, the 11th Circuit handed down a new computer search decision, United States v. Johnson, that both sharpens and deepens the circuit split on how the private search doctrine of the Fourth Amendment applies to computers. Johnson isn’t a likely candidate for Supreme Court review. But it does leave the private search doctrine in computer searches ripe for Supreme Court review in other cases working their way through the courts.
Read more on The Volokh Conspiracy.
[From the article:
Because the Fourth Amendment applies only to the government and its agents, the Fourth Amendment is not triggered when private parties not associated with the government conduct searches. When a private party conducts a search and finds evidence of crime, the private party often goes to the police and voluntarily shows the police what she has found. The Supreme Court uses what I have called the “private-search reconstruction” doctrine to regulate what the police are allowed to see without a warrant. The police can reconstruct the private party search, seeing what the private party saw, but they can’t exceed the search the private party conducted.
On to the important legal question: When a private party searches a computer, sees a suspicious file and reports the finding to the police, what kind of government search of the computer counts as merely reconstructing the private search and what kind of search counts as exceeding the private search?
… In 2005, the 5th Circuit ruled that the entire computer was searched. In 2012, the 7th Circuit agreed with the 5th Circuit that the entire computer was searched. In May, the 6th Circuit handed down a ruling concluding that the unit should be data or the file, so that government observation of anything not actually viewed by the private party exceeds the scope of the private search.
The new case, Johnson, also adopts the data or file approach — thus deepening the 2-1 split into a 2-2 split.
I doubt this is what Belgium had in mind.
Facebook will block Belgians without accounts from access to its content
Facebook has outlined its plans to follow a court ruling in Belgium requiring it not to track people who do not have accounts on the social networking website.
The company said it was giving the details ahead of the order being served on it by the Belgian Privacy Commission, which is expected later this week.
Among the steps Facebook plans to take is to require people without Facebook accounts in Belgium to create accounts and log in to the social networking website before they can see its publicly available pages and other content, the company said.
"Today, anyone can see Facebook pages for small businesses, sports teams, celebrities and tourist attractions without logging into Facebook—typically found using a search engine," a Facebook spokesman said in an email.
… The dispute largely hinges around Facebook's use of a special cookie called 'datr' that it claims helps it distinguish between legitimate and illegitimate visits to its website, and identifies browsers and not individuals. Facebook claims that by using the security cookie it protected Belgian people from more than 33,000 takeover attempts in the past month.
I think they have a point! (Do we need a division of marketers?)
The ‘Soft Power’ War ISIS Doesn’t Want
For too long, ISIS’ digital influence in social media has gone largely unchecked. We have failed to match their commitment to content, imagery, emotion and reach. (President Obama describes them as “killers with good social media” who recruit in “far flung” places.) In the wake of the Paris attacks and our response, ISIS has “upped” their online game of intimidation and terror.
… In the first 24 hours following the attacks on Paris, there were hundreds of thousands of celebratory tweets from supporters of ISIS. An estimated 50,000 Twitter accounts — each having thousands of followers — streamed photo essays, audio, video, news bulletins and theological writings.
Remarkably, there was no organized response from the West or majority of Muslim countries.
If you don't want to do something, don't say you will!
… Internet provider Cox Communications is facing a lawsuit from BMG Rights Management which accuses the ISP of failing to terminate the accounts of subscribers who frequently pirate content.
BMG claimed that Cox gave up its DMCA safe harbor protections due to this inaction, something District Court Judge Liam O’Grady agreed on last week in a summary judgment.
… “The record conclusively establishes that before the fall of 2012 Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA’s requirements,” the memorandum (pdf) reads.
Let the debate begin!
Google Calls Out EFF Over Bogus Claims That It Snoops On Students With Its Chromebooks
… "EFF bases this petition on evidence that Google is engaged in collecting, maintaining, using, and sharing student personal information in violation of the 'K-12 School Service Provider Pledge to Safeguard Student Privacy' (Student Privacy Pledge), of which it is a signatory,” alleged the EFF in its initial FTC complaint.
Google takes such allegations very seriously, and has thus responded to every claim brought forth by the EFF. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year,” said Jonathan Rochelle, the Director of Google Apps for Education.
With respect to Google Apps for Education Core Services (GAFE), Rochelle asserts that all student data stored is “only used to provide the services themselves” and that student data isn’t used for advertising purposes, nor are ads served to students.
For my students. See, it's not just the big guys.
Use it just to annoy the FBI director?
Encrypted messaging app Signal now available for desktops
The much-lauded encryption app Signal has launched a beta program for a desktop version of the app, which will run through Google's Chrome browser.
Signal Desktop is a Chrome app that will sync messages transmitted between it and an Android device, wrote Moxie Marlinspike, a cryptography expert who had helped develop Signal, in a blog post on Wednesday.
… Signal Desktop won't be able to sync messages with iPhone just yet, although there are plans for iOS compatibility, Marlinspike wrote. It also won't support voice initially.
Signal, which is free, has stood out in a crowded field of encrypted messaging applications, which are notoriously difficult to engineer, and has been endorsed by none other than former U.S. National Security Agency contractor Edward Snowden. [Paid endorsement? Bob]
… Open Whisper Systems itself can't see the plain text of messages or get access to phone calls since it doesn't store the encryption keys.
Signal is open source, which allows developers to closely inspect its code.
Local news.
Uber is partnering with Enterprise Rent-A-Car, and—as the slogan goes—they’ll pick you up! By “they” I mean the poor schmucks who sign up to pay around $1000 a month to work for Uber.
The pilot program, which launched in Denver, gives people access to a discounted rental car at $210 a week, plus taxes and fees.
… In addition to the base payments, drivers will have to pay a $500 refundable deposit and a $40 sign-up fee. If they go over 2800 miles a month (90 miles a day) there’s also an additional $0.25 per mile fee tacked on.
Perspective.
Amazon Dominated 36% of Online Black Friday Sales, Says Slice
Slice Intelligence, which gathers e-commerce data from receipts linked to its Slice package tracking app, tells TechCrunch that Amazon dominated online Black Friday sales, accounting for 35.7 percent in e-commerce spending on November 27. A distant second, Best Buy brought in 8.23 percent of total online revenue, followed by Macy’s at 3.38 percent, Walmart at 3.35 percent and Nordstrom at 3.11 percent.
For my students… Please.
Quickly Improve Your Handwriting with These Fantastic Resources