This site is popular with geeks. (Includes a screenshot of the code used.)

NewEgg cracked in breach, hosted card-stealing code within its own checkout

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.
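A defender's view of the pattern described above, as an added example that is not code from the article or from any company it names: a checkout page that ships a Content-Security-Policy with reporting will produce violation reports when injected script tries to send form data somewhere new, and this script triages those reports so that a host whose name mimics the site's own infrastructure is flagged first. The brand string, the site's own domains and the sample reports are constructed assumptions.

```javascript
// Added example (not from the article or any company named in it): triage browser
// CSP violation reports from a checkout page. Directives that can carry data off
// the page (connect-src, form-action, img-src beacons) are the ones a skimmer
// needs, so those are the only ones considered.

// Approximate registrable domain as the last two labels. Good enough for
// .com-style names; a deployment should consult the Public Suffix List.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// "allowed": host is under one of our registrable domains.
// "lookalike": not ours, but embeds the brand string (e.g. "acme" in acme-static.example).
// "unknown": any other third party.
function classifyHost(host, ownDomains, brand) {
  if (ownDomains.includes(registrableDomain(host))) return "allowed";
  if (host.toLowerCase().includes(brand.toLowerCase())) return "lookalike";
  return "unknown";
}

const EXFIL_DIRECTIVES = ["connect-src", "form-action", "img-src"];

// Takes the JSON objects a browser POSTs to report-uri / report-to and returns
// the findings worth an alert, lookalike hosts first.
function triageReports(reports, ownDomains, brand) {
  const findings = [];
  for (const r of reports) {
    const body = r["csp-report"];
    if (!body) continue;
    const directive = String(body["effective-directive"] || body["violated-directive"] || "").split(" ")[0];
    if (!EXFIL_DIRECTIVES.includes(directive)) continue;
    let host;
    try { host = new URL(body["blocked-uri"]).hostname; } catch (e) { continue; } // "inline", "eval", ...
    const verdict = classifyHost(host, ownDomains, brand);
    if (verdict !== "allowed") findings.push({ page: body["document-uri"], directive, host, verdict });
  }
  const rank = { lookalike: 0, unknown: 1 };
  return findings.sort((a, b) => rank[a.verdict] - rank[b.verdict]);
}

// Constructed sample reports (not real traffic); hostnames use the reserved .example TLD.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://secure.acme.example/checkout", "effective-directive": "connect-src", "blocked-uri": "https://acme-static.example/collect" } },
  { "csp-report": { "document-uri": "https://secure.acme.example/checkout", "effective-directive": "img-src", "blocked-uri": "https://cdn.acme.example/logo.png" } },
  { "csp-report": { "document-uri": "https://secure.acme.example/checkout", "effective-directive": "script-src-elem", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://secure.acme.example/checkout", "effective-directive": "form-action", "blocked-uri": "https://collector.example/submit" } },
];
console.log(triageReports(SAMPLE_REPORTS, ["acme.example"], "acme"));
```

The same triage works on a `Content-Security-Policy-Report-Only` header, so a shop can collect the reports before it enforces the policy.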
This is the firm that lost all your data, remember?

Equifax slapped with UK’s maximum penalty over 2017 data breach

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach. Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months — thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.

… Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 — including failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement.
An EPIC “I told you so?”

The Drug Enforcement Agency has released to EPIC a new FOIA production about the AT&T “Hemisphere” program. Hemisphere is a massive call records database made available to government agents by the nation’s largest telecommunication company. AT&T discloses to the government billions of detailed customer phone records, including location data, without judicial review. The new release to EPIC reveals that both the FBI and CBP obtained access to these call detail records. EPIC filed suit against the DEA in 2013 after the agency failed to respond to EPIC’s FOIA request for information about the Hemisphere program. EPIC previously argued that the names of other agencies with access to Hemisphere records should be released. In June, the Supreme Court held in Carpenter v US that government access to location data is a search subject to Fourth Amendment review. EPIC filed an amicus brief in the Carpenter case.
This is another firm that has all your data. Allocating resources to politicians rather than finding solutions that work for everyone? Making a show of protecting elections without having to spend too much money.

Facebook Boosts Protections for Political Candidates

The social platform, which has taken various steps towards protecting elections from abuse and exploitation on its platform, including the takedown of fake pages and accounts involved in political influence campaigns, is now launching new tools to defend candidates and campaign staff.

… The new pilot program is open for candidates for federal or statewide office, as well as for staff members and representatives from federal and state political party committees, Facebook announced.

The additional security protections can be added both to Pages and to accounts. To apply for the program, Page admins should head to politics.fb.com/campaignsecurity. Once enrolled, they will be able to add others from their campaign or committee.
(Related) Not quite there yet.

Inside Facebook’s Election ‘War Room’

… an approximately 25-foot-by-35-foot conference room is under construction. Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half-dozen televisions will be tuned to CNN, MSNBC, Fox News and other major networks. A small paper sign with orange lettering taped to the glass door describes what’s being built: “War Room.”

Although it is not much to look at now, as of next week the space will be Facebook’s headquarters for safeguarding elections. More than 300 people across the company are working on the initiative, but the War Room will house a team of about 20 focused on rooting out disinformation, monitoring false news and deleting fake accounts that may be trying to influence voters before elections in the United States, Brazil and other countries.
(Related) Politicians will demand better protection than what firms offer the hoi polloi. Are they suggesting that they have unprotected servers like Hillary Clinton’s?

Lawmaker: US Senate, Staff Targeted by State-Backed Hackers

Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.

… the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts.

“This must change,” Wyden wrote in the letter. “The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays.” A spokeswoman for the security office said it would have no comment.
Why does this headline read “plan to” rather than “already have?” Perhaps a business opportunity?

Sophie Meunier reports:

If you look someone up on Facebook or LinkedIn, you’ll be able to gather huge amounts of information about them without them ever knowing. Until recently, nobody seemed to think about the risks involved; it was just the way things were, and if you didn’t get on board, you were left out from a whole virtual world.

But thanks to the recent Facebook data scandal and the introduction of the EU GDPR (General Data Protection Regulation), more people seem to be thinking twice about giving their information away so readily.

A survey conducted by 3GEM and SAS in June 2018 found that 43% of respondents wanted to remove their personal data from social media.
For my Software Architects: How long should it take to patch a serious flaw in your software?

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.

Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.
Sic ‘em! If this is the public policy, what is the intelligence community allowed to do?

US military given more authority to launch preventative cyberattacks

The US military is taking a more aggressive stance against foreign government hackers who are targeting the US and is being granted more authority to launch preventative cyberstrikes, according to a summary of the Department of Defense's new Cyber Strategy.

The Pentagon is referring to the new stance as "defend forward," and the strategy will allow the US military "to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict."

The new military strategy, signed by Defense Secretary James Mattis, also emphasizes an intention to "build a more lethal force" of first-strike hackers.

… This new strategy provides a roadmap for the military to wipe out the enemy computer network in a friendly country, said Healey.

"It's extremely risky to be doing this," Healey told CNN on Tuesday. "If you loosen the rules of engagement, sometimes you're going to mess that up."

… However, under the new strategy, US offensive cyberattacks will not target civilian infrastructure, because the US must abide by a UN agreement that prohibits "damaging civilian critical infrastructure during peacetime."
(Related) Much less understood.

Shining a Light on Federal Law Enforcement’s Use of Computer Hacking Tools

… As it stands, the public is largely in the dark about how the government perceives the rules that govern its use of these tools for law enforcement purposes. The Fourth Amendment generally requires warrants based upon a finding of probable cause before there is a search or seizure. But it is unclear whether and when law enforcement agencies regard hacking techniques as being subject to a warrant requirement, judicial authorization short of a warrant, or no prior authorization at all. Further, little is known about the internal rules that law enforcement agencies have adopted to regulate the deployment of hacking techniques.
This is still a choice; there are many other companies that do not require a tracker. What does this do for John Hancock?

It will no longer be possible to buy a life insurance policy from John Hancock – one of the largest insurers in the US – without agreeing to use an activity tracker. This can be either a wearable device like an Apple Watch or Fitbit, or a smartphone capable of logging activity, like an iPhone.

The firm announced the change today for new policies, with existing policies also adopting the requirement from next year …

Reuters reports that the company made the decision three years after making so-called ‘interactive’ policies optional.

… As Reuters notes, the move could have disturbing implications.

Privacy and consumer advocates have raised questions about whether insurers may eventually use data to select the most profitable customers, while hiking rates for those who do not participate.

The insurance industry says that the law means it can only hike premiums if it can show an increased risk, but it does raise the question of how far this type of approach could go. Will policyholders be penalised for walking through a sketchy area, logged by the GPS in their device? What about an activity tracker logging a strenuous hike as a risk factor? Or deciding that someone is cycling or skiing dangerously fast? This could be the beginning of an incredibly slippery slope.
Perspective.

Apple sold 43% of all phones priced above $400 globally in Q2, earned majority of handset profits

… Apple's 62 percent share of profits generated in Q2 was far ahead of Samsung's 17 percent, and was over three times the profit share of China's Huawei, OPPO, Vivo and Xiaomi put together. The remaining profits of more than 600 other handset brands amounted to less than 1 percent.

… Above $800, Counterpoint stated that Apple dominated with 88 percent of all sales being iPhones.

(Related)

Apple Finishes Paying $15.3B in Back Taxes to Ireland, Prompting EU Regulators to Drop Lawsuit