Darren Pauli reports:
Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers' names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy Hunt reported the flaw to the company last Thursday.
The feature means customers are able to check out quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
Read more on The Register.
The firm seems to be a Hong Kong-registered business. Hong Kong has data protection standards. Worse, I don’t see how what they’re doing is consistent with their privacy & security assurances that personal data is kept confidential.
Maybe some consumer should file a complaint with the data protection watchdog in Hong Kong. They’ve really gotten more proactive in the past few years and they might have something to say about this exposure of consumer information.
(Related) Troy shows us how this works.
Understanding account enumeration, the video tutorial edition
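The quick-checkout lookup described above, written up as an added example in Python (this is not Strawberrynet's code and does not come from the Register article or Troy Hunt's video): the exposed shape beside a hardened one that answers identically whether or not the address is on file, returns no personal data, and releases the stored details only through a one-time link sent to the mailbox. The customer records, the outbox, the rate limiter and the `shop.example` link are constructed in-memory stand-ins.

```python
"""
Added example, not the site's own code: an email-keyed "quick checkout"
lookup written two ways.

- lookup_vulnerable(): the pattern described in the article. Anyone who
  knows an email address gets that customer's name, billing address and
  phone, and the account's existence leaks through the dict/None difference.
- start_checkout_hardened(): the same convenience without the exposure.
  The response is identical whether or not the address is on file, nothing
  personal is returned, and the address on file receives a single-use link
  so only the mailbox owner can reach the prefilled checkout.

CUSTOMERS, OUTBOX and REQUESTS_PER_IP are constructed stand-ins for a real
database, mail service and rate limiter; the customers are fictional.
"""
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed sample records (fictional customers).
CUSTOMERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "billing_address": "1 Sample Street, Hong Kong",
        "phone": "+852 0000 0000",
    },
    "bob@example.com": {
        "name": "Bob Example",
        "billing_address": "2 Sample Road, Hong Kong",
        "phone": "+852 1111 1111",
    },
}


def lookup_vulnerable(email: str) -> Optional[dict]:
    """Returns stored details to whoever supplies the email. Shown for contrast only."""
    return CUSTOMERS.get(email.strip().lower())


# --- hardened version -------------------------------------------------------

OUTBOX = []                                   # stand-in for a mail service
PENDING_TOKENS = {}                           # token -> (email, expiry time)
REQUESTS_PER_IP = defaultdict(list)           # client address -> request times
RATE_LIMIT = 5                                # attempts per window, per client
WINDOW_SECONDS = 600
TOKEN_TTL = 900                               # seconds a link stays valid

UNIFORM_MESSAGE = ("If that address is registered, we've sent a link to "
                   "continue your checkout.")


def _rate_limited(client_ip: str, now: float) -> bool:
    """Sliding-window counter: slows down bulk guessing of addresses."""
    recent = [t for t in REQUESTS_PER_IP[client_ip] if now - t < WINDOW_SECONDS]
    REQUESTS_PER_IP[client_ip] = recent
    if len(recent) >= RATE_LIMIT:
        return True
    recent.append(now)
    return False


def start_checkout_hardened(email: str, client_ip: str,
                            now: Optional[float] = None) -> dict:
    """Same status and body whether or not the email is on file.
    Personal data never leaves the server here; the one-time link goes to
    the mailbox, so only its owner can continue."""
    now = time.time() if now is None else now
    if _rate_limited(client_ip, now):
        return {"status": 429, "message": "Too many attempts; try again later."}
    key = email.strip().lower()
    if key in CUSTOMERS:
        token = secrets.token_urlsafe(32)
        PENDING_TOKENS[token] = (key, now + TOKEN_TTL)
        OUTBOX.append({"to": key, "link": f"https://shop.example/checkout?t={token}"})
    # Identical reply either way, so a lookup learns nothing about the account.
    return {"status": 200, "message": UNIFORM_MESSAGE}


def redeem_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Called when the customer follows the emailed link. Only now are the
    stored details released, and only to the holder of a live, unused token."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.pop(token, None)   # single use
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    return CUSTOMERS[email]


if __name__ == "__main__":
    print(start_checkout_hardened("alice@example.com", "203.0.113.5"))
    print(start_checkout_hardened("nobody@example.com", "203.0.113.5"))
    print("mails queued:", len(OUTBOX))
```

The point of the hardened version is that the only observable difference between a known and an unknown address is an email in the right person's inbox; the HTTP reply, its timing aside, is the same for both. The rate limit is a secondary control: it does not fix the design, it only makes bulk probing noisy and slow enough to show up in logs.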
Low hanging fruit?
In the Bitcoin Era, Ransomware Attacks Surge
… Once considered a consumer problem, ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat. According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day. Typical ransomware payments range from $500 to $1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $30,000 an attack that crippled a large portion of the hospital’s computer systems.
… The Federal Bureau of Investigation said ransomware attacks cost victims $209 million in the first three months of the year, including costs, such as lost productivity and staff time to recover files, that is an average of about $333,000 an incident, based on complaints that it has received. The total is up from $24 million for all of 2015, or about $10,000 an infection, the FBI said.
For my Computer Security students. Implications for breach reporting.
When organizations first become aware of a major problem with a product or service, one with important consequences for consumers or the environment, they face a dilemma. Should they self-disclose the issue? Or should they let sleeping dogs lie?
Ethically, the choice is simple. If management is aware of a problem, its moral duty is to communicate openly and honestly to all stakeholders involved. In practice, however, organizations are reluctant to communicate as long as an issue is internal in nature and the extent of the crisis seems limited.
… How should companies handle a crisis differently? Our research focuses on an alternative approach, one that is referred to as “stealing thunder.” It involves self-disclosing crises and major issues before media gets hold of the story. Earlier studies on stealing thunder have found that self-disclosing organizational crises increases the credibility of organizational spokespersons. When an organization breaks the news about incriminating events, these problems will also appear less severe. In addition, organizations that steal thunder are considered more reliable and consumers are more inclined to continue purchasing their products. Our recent study adds to these findings by examining if self-disclosing an organizational crisis may be as effective as it is because old news is considered no news. When self-disclosing incriminating information, individuals will perceive the subsequent negative publicity as old news, and hence, pay less attention to it.
Something for my Architecture and Computer Security students.
The Internet of Things Is Here, and It Isn’t a Thing
… The killer app of the Internet of Things isn’t a thing at all—it is services. And they are being delivered by an unlikely cast of characters: Uber Technologies Inc., SolarCity Corp., ADT Corp., and Comcast Corp., to name a few. One recent entrant: the Brita unit of Clorox Corp., which just introduced a Wi-Fi-enabled “smart” pitcher that can re-order its own water filters.
… Understanding that most people want to solve problems without worrying about the underlying technology [or security. Bob] was crucial, she says. “Early on, we found that if you called what we do ‘home automation,’ people liked it but they would not spend money on it,” Ms. McLaren says. “But if you called it ‘peace of mind’ and anchored it on home security, then people knew they need to have that and would spend $35 to $45 a month on it.”
Are terrorists that naïve when it comes to technical surveillance?
Belgium Called In The NSA To Help Catch Paris Attacker
The breakthrough in the manhunt for a key suspect in last year’s attack on Paris that left 130 people dead only came when Belgian officials asked the US National Security Agency (NSA) for help.
According to a Belgian counterterrorism officer and a police investigator, they turned to the NSA in the search for Salah Abdeslam, the sole surviving suspect from the attacks, after Belgian police spent four futile months raiding apartments around Brussels as part of a Europe-wide manhunt.
The two officers told BuzzFeed News that the Belgian government asked the NSA for assistance in tracking the mobile phones of several people attending a funeral of one of the other Paris attackers in early March, in the hopes that they would lead police to Abdeslam. He was apprehended after a shoot-out in the Belgian capital on March 18.
… The two officials described a scene where a known associate of Abdeslam was filming the funeral: “The guy is filming on a smartphone — that tells us he’s going to send that file to someone, right?” the security service source said. “We had the NSA hit that phone very hard.”
Background for all my students?
Antitrust and Intellectual Property: A Brief Introduction
by Sabrina I. Pacifici on Aug 21, 2016
Hylton, Keith N., Antitrust and Intellectual Property: A Brief Introduction (August 19, 2016). Boston Univ. School of Law, Law and Economics Research Paper No. 16-32. Available for download at SSRN: http://ssrn.com/abstract=2826636
“Intellectual property law and antitrust have been described as conflicting bodies of law, and the reason is easy to see. Antitrust law aims to protect consumers from the consequences of monopolization. Intellectual property law seeks to enhance incentives to innovate by granting monopolies in ideas or expressions of ideas. The purpose of this chapter is to explore the purported conflict between antitrust and intellectual property. The chapter is largely descriptive, and focuses on current or developing litigation rather than historical controversies. Many of the modern examples of conflict can be attributed to problems of classification.”
Wow! I didn’t know that bail bondsmen set the levels of bail. Perhaps we could release non-violent offenders with just one of those ankle bracelet thingies. If they are arrested for violent crimes, perhaps home detention – or White House detention?
Obama Justice Department Joins The Fight Against America’s Bail Industry
The Obama administration has joined the fight against the American bail industry, telling a federal appeals court that bail practices that keep poor defendants locked up because they cannot afford to purchase their freedom are unconstitutional.
… The brief marks the first time DOJ has weighed in on the constitutional requirements of bail systems in a federal appeals court.
… A lower federal court had ruled earlier this year that “any bail or bond scheme that mandates payment of pre-fixed amounts for different offenses to obtain pretrial release, without any consideration of indigence or other factors, violates the Equal Protection Clause.”
That ruling is being appealed by the city, and is also opposed by the American Bail Coalition. ABC claims that the plaintiff takes the “extreme position” that “any defendant is entitled to immediate release based on an unverified assertion of indigency,” and argues that bail is a “Liberty-Promoting Institution As Old As The Republic.”
… Read the Justice Department’s amicus curiae brief here.
The changing architecture of banking systems.
How Open Financial APIs Will Lead to Integrated Banking
If there were ever a time to develop a banking app it would be now. It is estimated that a quarter of the top 50 global banks will have a banking app store within the next two years. A plethora of 3rd party banking apps have emerged in recent years, causing trouble for slow-to-adapt banks. Banking apps, and their ecosystems, offer banks a multitude of new revenue streams, as well as help to broaden partner and user bases. For those less convinced of app viability, a cursory glance at market trends should be convincing enough. Business is going paperless, and those unwilling to accommodate customers’ needs will be left in the dust. The people want quick, accessible, and secure banking, and they want it now. In this article we will look into the future of financial APIs based on an article recently written by Swaminathan Mahalingam.
For my IT Architecture students. Big box stores go high tech?
E-Commerce Initiatives Drive Wal-Mart Stores, Inc.'s Earnings Higher
… global e-commerce sales increased 11.8% on a constant-currency basis, as Wal-Mart continues to invest heavily in this area, including its recent $3 billion deal for Jet.com.
(Related) Early buyouts – perhaps before we know they work?
The Unicorn Hedge
… No, the next bubble is NOT in tech where innovation and capital are never in short supply… rather, the REAL bubble is in far-too-generous P/E multiples and valuations of global public companies, whose business models are being obliterated by startups and improved by orders of magnitude. As more Fortune 500 CEOs recognize and admit their vulnerability to disruption, expect them to hedge their own public valuations by buying the very same unicorns that keep them awake at night… Welcome to the Unicorn Hedge.
Cashing out?
Lyft Reportedly Failed to Sell Itself to Apple, Amazon, Google—and Uber
On Friday, The New York Times reported that, in addition to murky negotiations with General Motors, Lyft has broached acquisition talks with Apple, Amazon, Google, Didi Chuxing—and even arch-rival Uber. The talks and inquiries have taken place over the past several months, and (with the possible exception of GM) they didn’t lead to an acquisition offer.
Lyft’s acquisition talks don’t necessarily suggest a company under duress—Lyft has plenty of cash on hand, and an array of expansion paths and strategic partners, including Didi and GM. But it does highlight growing pressures in the ride-hailing sector (and in the maturing tech sector more generally).
Oh, for businesses. I thought this was for Bill Clinton.
Decision Matrix: What Is Is and How to Use It