Thursday, August 09, 2018

Too clever for their own good. “It’s a lot easier if we don’t bother with all that security stuff.”
Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information
Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.
After BuzzFeed News reported the findings to Comcast, the company patched the flaws.
… One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer’s home network. If a hacker obtained a customer’s IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.
… In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
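As an added illustration, not code from the article or from Comcast, here is a minimal Python sketch of the two controls whose absence the excerpt describes: honouring X-Forwarded-For only when it arrives from a known reverse proxy, and putting an attempt budget on a last-four-digits check. The account record, the proxy address and the attempt limit are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data (not from the article): account -> last four SSN digits.
# A real system would store a salted hash, or avoid SSN fragments as a secret at all.
ACCOUNTS = {"acct-1001": "4321"}
TRUSTED_PROXIES = {"10.0.0.5"}   # hypothetical reverse proxies allowed to set X-Forwarded-For
MAX_ATTEMPTS = 5                 # hypothetical per-account guess budget before lockout


def client_ip(remote_addr, headers):
    """Return the address to use for an 'in-home' decision.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; a client that sets the header itself is ignored, which closes
    the spoofing path the article describes."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Our proxy appends the real peer last; earlier entries are client-supplied.
    return hops[-1] if hops else remote_addr


@dataclass
class Last4Verifier:
    attempts: dict = field(default_factory=dict)

    def verify(self, account, guess):
        """Check the last four digits under a per-account attempt budget.

        Returns 'ok', 'denied' or 'locked'. Once the budget is spent every
        further guess, right or wrong, is refused, so the 10,000-value space
        cannot be walked by a program that simply keeps submitting the form."""
        used = self.attempts.get(account, 0)
        if used >= MAX_ATTEMPTS:
            return "locked"
        self.attempts[account] = used + 1
        expected = ACCOUNTS.get(account, "")
        # Constant-time comparison so response timing does not leak matching digits.
        if expected and hmac.compare_digest(expected.encode(), guess.encode()):
            self.attempts.pop(account, None)   # reset the budget on success
            return "ok"
        return "denied"
```

In production the attempt counter would live in shared storage (keyed by account and by source address) rather than in process memory, so that lockout survives restarts and spans all web nodes.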




The Terminator is a hacker!
IBM Demonstrates DeepLocker AI Malware at Black Hat
IBM will detail at Black Hat USA here on Aug. 8 a new class of attacks dubbed DeepLocker that uses artificial intelligence to bypass cyber-security protections.
With DeepLocker, IBM researchers will demonstrate an evasive attack vector that has been developed as a proof of concept. According to IBM, DeepLocker can be used to keep ransomware or other malware hidden from traditional security tools. IBM's goal with the presentation is not to promote fear about AI, but rather to help organizations start to think about how attackers can use AI and how to minimize risks.
"DeepLocker malware is fundamentally different from any other malware we are aware of. It uses AI to hide a malicious application in benign payloads," Marc Ph. Stoecklin, principal research scientist and manager of Cognitive Cybersecurity Intelligence at IBM Research, told eWEEK. "With AI, we can conceal and hide the condition of when the malicious payload is being unlocked, making it almost impossible to reverse-engineer."




We’re studying computer law this week.
From Hunton Andrews Kurth:
On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.




My students are amazed to learn I don’t own a SmartPhone.
Department of Homeland Security-funded research by Virginia-based security firm Kryptowire has allegedly discovered major security flaws in numerous phones, according to a report on cybersecurity site Fifth Domain.
According to the report, DHS Science and Technology Directorate program manager Vincent Sritapan said at the Black Hat conference in Las Vegas that the vulnerabilities have been discovered in phones carried by all four major carriers: Verizon, AT&T, T-Mobile, and Sprint. The exact nature of the vulnerabilities was not released, though they allegedly can take control of a targeted device:
The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.
Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.
Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.


(Related) The world, she is a-changing! I can’t get back into the country without a laptop for TSA to browse, now I can’t get into a Broncos’ game without a SmartPhone!
Broncos switch to mobile-only tickets: 4 things you need to know
Anyone going to a game at Broncos Stadium at Mile High will need to use mobile entry to get into the game. The team said it made the change as a way to reduce counterfeiting and fraud, and to make it easier and quicker to enter the stadium.

There will be no paper tickets

Broncos 365 app

Single-game and season tickets will only be available in the Broncos 365 app which is available for Apple and Android devices. If you don’t have an Apple or Android device, you can use your smartphone’s browser to log into your account and access your tickets.

Parking passes need to be printed

The Broncos say that printed parking passes help police and parking attendants ensure smoother entry and exit from the parking lots.




Concept. Probably much easier than, but very similar in concept to finding bad guys in the Superbowl crowd.
This robot uses AI to find Waldo, thereby ruining Where’s Waldo




Perspective.
YouTube is about to pass Facebook as the second biggest website in US, according to new study
In the competition to be top website, Facebook may cede its runner-up position to YouTube in the next two to three months, according to a new study shared with CNBC by market research firm SimilarWeb.
The five websites receiving the most traffic in the U.S. in the last several years have been Google, Facebook, YouTube, Yahoo and Amazon, in that order. However, Facebook has seen a severe decline in monthly page visits, from 8.5 billion to 4.7 billion in the last two years, according to the study. Although Facebook's app traffic has grown, it is not enough to make up for that loss, the study said.
… The study projects that Amazon will take over Yahoo's ranking in the next two to three months.
However, none of the bottom four of the top five comes close to Google. Although it has seen some decline in website traffic thanks to app use and voice search, it saw approximately 15 billion visits in July 2018, the study said. The others were all below 5 billion, according to the report.




I may get to teach Excel this Quarter.
Meet the 15-year-old who's the Microsoft Excel world champion (which is a real thing)
… Yes, there is an annual championship that challenges competitors on their knowledge of Microsoft Office applications — and no, your self-proclaimed proficiency in Microsoft listed under the "special skills" section of your resume probably won't make the cut.
Students between ages 13 and 22 spend months — sometimes years — preparing for the championship, working their way up through placement tests, regional and national competitions in three Microsoft categories: Word, Excel and PowerPoint.

