Too clever for their own good. “It’s a lot easier if we don’t bother with all that security stuff.”
Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information
Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information. After BuzzFeed News reported the findings to Comcast, the company patched the flaws.
… One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in.
The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer’s home network. If a hacker obtained a customer’s IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.
… In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
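The two flaws above share a pattern worth spelling out for anyone who builds a verification step like this: the page trusted a header the client controls to decide who was "at home", it re-rolled its decoys on every refresh so the real answer was the only stable thing on the page, and it let a four-digit value be guessed without limit. The Python below is an added example written for this post; it is not Comcast's, BuzzFeed's or the researcher's code. All names, addresses, IPs and thresholds (TRUSTED_PROXIES, MAX_ATTEMPTS, the Account fields) are constructed assumptions. It shows one defensible way to handle each of the three problems: only honor X-Forwarded-For when it arrives from your own proxy and then read the hop that proxy appended, keep the decoy list fixed per account so refreshing reveals nothing, and lock the account after a handful of wrong guesses.

```python
"""Defensive sketch of an account-verification step (added example, not
Comcast's code). It addresses the three weaknesses the article describes:

  1. The "is this request from the customer's home network" decision must not
     come from a client-supplied X-Forwarded-For header. Honor that header only
     when the TCP peer is a proxy we operate, and then use the entry our proxy
     appended, not anything the client wrote.
  2. Keep the decoy addresses fixed per account, so refreshing the page does
     not single out the real address as the only entry that never changes.
  3. Count failed guesses of the four-digit value per account and lock after a
     handful, so the value cannot be found by trying all 10,000 combinations.

All names, sample data and thresholds are constructed for this example.
"""
import hashlib
import hmac
import ipaddress
import random
from dataclasses import dataclass

# Assumption: the only proxy that may legitimately append X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
MAX_ATTEMPTS = 5  # assumed lockout threshold
DECOY_POOL = ["12 Oak St", "98 Pine Ave", "7 Elm Ct", "300 Maple Dr",
              "45 Birch Ln", "1 Cedar Way"]  # constructed decoy addresses


@dataclass
class Account:
    account_id: str
    home_ip: str          # address the ISP itself assigned to the customer's line
    address: str
    secret_last4: str     # stand-in for the last four digits of a secret number
    failed_attempts: int = 0


def client_ip(remote_addr, xff_header):
    """Return the address to use for policy decisions.

    remote_addr is the TCP peer. Only when that peer is one of our own proxies
    is X-Forwarded-For consulted, and then only its rightmost entry, which is
    the one our proxy appended; everything to its left was written by the
    client and is untrusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    last_hop = xff_header.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return peer  # malformed header: fall back to the proxy's own address


def is_in_home_request(account, remote_addr, xff_header=None):
    """True only if the effective client address is the customer's own line."""
    return client_ip(remote_addr, xff_header) == ipaddress.ip_address(account.home_ip)


def address_choices(account):
    """Four choices whose decoys (and order) are fixed per account.

    The selection is seeded from the account id rather than fresh randomness,
    so every refresh shows the same four entries in the same order and the
    real address no longer stands out as the only constant one.
    """
    digest = hashlib.sha256(f"decoys:{account.account_id}".encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    choices = rng.sample(DECOY_POOL, 3) + [account.address]
    rng.shuffle(choices)
    return choices


def verify_last4(account, guess):
    """Check a four-digit guess with a per-account lockout.

    Returns "ok", "wrong" or "locked". The counter resets only on success, so
    a script cannot simply sweep 0000 through 9999.
    """
    if account.failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    if hmac.compare_digest(guess.encode(), account.secret_last4.encode()):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    return "wrong"


if __name__ == "__main__":
    acct = Account("cust-001", "198.51.100.23", "742 Evergreen Terrace", "1234")
    # A request from elsewhere that merely claims the home IP in X-Forwarded-For.
    print(is_in_home_request(acct, "203.0.113.9", "198.51.100.23"))  # False
    # The same claim arriving through our proxy, which appended the real peer.
    print(is_in_home_request(acct, "10.0.0.5", "198.51.100.23, 203.0.113.9"))  # False
    print(address_choices(acct) == address_choices(acct))  # True
    print([verify_last4(acct, "0000") for _ in range(6)])  # five "wrong", then "locked"
```

The in-home check is the one that matters most: with the header handled this way, a request that is not actually on the customer's line never reaches the address-choice page at all, and the fixed decoys and lockout are defense in depth for the cases where it does.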
The Terminator is a hacker!
IBM Demonstrates DeepLocker AI Malware at Black Hat
IBM will detail at Black Hat USA here on Aug. 8 a new class of attacks dubbed DeepLocker that uses artificial intelligence to bypass cyber-security protections.
With DeepLocker, IBM researchers will demonstrate an evasive attack vector that has been developed as a proof of concept. According to IBM, DeepLocker can be used to keep ransomware or other malware hidden from traditional security tools. IBM's goal with the presentation is not to promote fear about AI, but rather to help organizations start to think about how attackers can use AI and how to minimize risks.
"DeepLocker malware is fundamentally different from any other malware we are aware of. It uses AI to hide a malicious application in benign payloads," Marc Ph. Stoecklin, principal research scientist and manager of Cognitive Cybersecurity Intelligence at IBM Research, told eWEEK. "With AI, we can conceal and hide the condition of when the malicious payload is being unlocked, making it almost impossible to reverse-engineer."
We’re studying computer law this week.
From Hunton Andrews Kurth:
On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.
Read more on their Privacy & Information Security Law Blog.
My students are amazed to learn I don’t own a SmartPhone.
Department of Homeland Security-funded research by Virginia-based security firm Kryptowire has allegedly discovered major security flaws in numerous phones, according to a report on cybersecurity site Fifth Domain.
According to the report, DHS Science and Technology Directorate program manager Vincent Sritapan said at the Black Hat conference in Las Vegas that the vulnerabilities have been discovered in phones carried by all four major carriers: Verizon, AT&T, T-Mobile, and Sprint. The exact nature of the vulnerabilities was not released, though they allegedly can take control of a targeted device:
The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.
Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.
Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.
(Related) The world, she is a-changing! I can’t get back into the country without a laptop for TSA to browse, now I can’t get into a Broncos’ game without a SmartPhone!
Broncos switch to mobile-only tickets: 4 things you need to know
Anyone going to a game at Broncos Stadium at Mile High will need to use mobile entry to get into the game. The team said it made the change as a way to reduce counterfeiting and fraud, and to make it easier and quicker to enter the stadium.
There will be no paper tickets
Broncos 365 app
Single-game and season tickets will only be available in the Broncos 365 app which is available for Apple and Android devices. If you don’t have an Apple or Android device, you can use your smartphone’s browser to log into your account and access your tickets.
Parking passes need to be printed
The Broncos say that printed parking passes help police and parking attendants ensure smoother entry and exit from the parking lots.
Concept. Probably much easier than, but very similar in concept to, finding bad guys in the Superbowl crowd.
This robot uses AI to find Waldo, thereby ruining Where’s Waldo
Perspective.
YouTube is about to pass Facebook as the second biggest website in US, according to new study
In the competition to be top website, Facebook may cede its runner-up position to YouTube in the next two to three months, according to a new study shared with CNBC by market research firm SimilarWeb.
The five websites receiving the most traffic in the U.S. in the last several years have been Google, Facebook, YouTube, Yahoo and Amazon, in that order. However, Facebook has seen a severe decline in monthly page visits, from 8.5 billion to 4.7 billion in the last two years, according to the study. Although Facebook's app traffic has grown, it is not enough to make up for that loss, the study said.
… The study projects that Amazon will take over Yahoo's ranking in the next two to three months.
However, none of the bottom four of the top five comes close to Google. Although it has seen some decline in website traffic thanks to app use and voice search, it saw approximately 15 billion visits in July 2018, the study said. The others were all below 5 billion, according to the report.
I may get to teach Excel this Quarter.
Meet the 15-year-old who's the Microsoft Excel world champion (which is a real thing)
… Yes, there is an annual championship that challenges competitors on their knowledge of Microsoft Office applications — and no, your self-proclaimed proficiency in Microsoft listed under the "special skills" section of your resume probably won't make the cut.
Students between ages 13 and 22 spend months — sometimes years — preparing for the championship, working their way up through placement tests, regional and national competitions in three Microsoft categories: Word, Excel and PowerPoint.