Tag Archive for Breach

RIP Yahoo Messenger

Do you remember Yahoo Messenger? It was popular in the late ’90s and early 2000s, when there were only a handful of messengers for communicating with your friends and family. Well … the remnants of Yahoo, now owned by Verizon, recently announced the end of Yahoo Messenger. Verizon (VZ)/Yahoo announced that they will disable the Yahoo Messenger service after July 17th, 2018. (rb- yes, Yahoo Messenger was still a thing, in the face of Apple‘s (AAPL) FaceTime, Telegram, Snapchat, and Facebook‘s (FB) WhatsApp.)

According to the Oath website, YIM had 122.6 million users at its peak. In the FAQ announcing the shutdown, Yahoo said, “We know we have many loyal fans who have used Yahoo Messenger since its beginning … As the communications landscape continues to change over, we’re focusing on building and introducing new, exciting communications tools that better fit consumer needs.” If you’re looking for a Messenger replacement from Yahoo, they recommend Squirrel, which is in closed beta and by invite only. But why would you?

YIM leaves a dubious security legacy, as all “free” web products do. In 2007 there were reports that up to 75% of Yahoo Messenger users were spambots. In 2010 Yahoo was reported to be among the companies hit in “Operation Aurora,” an intrusion campaign attributed to the Chinese government that also targeted Adobe (ADBE), Dow Chemical, Google (GOOG), Juniper Networks (JNPR), Morgan Stanley, Northrop Grumman (NOC), Rackspace (RAX), and Symantec (SYMC).

In 2014 The Guardian reported that Optic Nerve, a secret mass surveillance program run by the British intelligence agency Government Communications Headquarters (GCHQ) with help from the National Security Agency (NSA), had indiscriminately collected still images from the webcam chats of millions of mostly innocent Yahoo users, among other things building a database for future facial recognition. Optic Nerve saved one still image from each webcam stream every five minutes. Also in 2014 Yahoo was hit by a breach that affected around 500 million accounts.

In September 2016, The New York Times reported that Yahoo’s security team had pressed for Yahoo to adopt end-to-end encryption sometime between 2014 and 2015, but senior leadership resisted “…because it would have hurt Yahoo’s ability to index and search message data.”

In 2017 Yahoo announced that all 3 billion of its customer accounts had been compromised in a breach dating back to 2013. Allegedly Yahoo did not learn the full extent of the 2013 hack until four years later; the initial disclosure in late 2016 had put the count at 1 billion.

You can download your chat history for the next six months at this download request site. Yahoo will email your chats to you. If you have anything you want to save from Yahoo Messenger, it’s a good idea to get a copy, because users will be unable to sign in to the service after July 17th.

rb-

YIM is not the first long-standing chat app to shut down – AOL Instant Messenger shut down December 15, 2017. But Yahoo Messenger was one of the few old-school messaging services left.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Target Wish List Leaking Your Data

The holiday shopping season has not been merry for mega-mart Target. You would think the mega-retailer that leaked info on 110 million customers would have learned how to keep its customers’ info secure, but NOOOO. The anti-virus firm Avast has discovered that the Target (TGT) Wish List app is leaking your data, your personally identifiable information (PII).

The Avast Blog says that if you created a Christmas wish list using the Target app, it might be accessible to more people than you actually want to receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses.

Alarmingly, for a firm with a history of privacy issues, the Target app’s backend interface is not secured, so the database can be reached over the Internet. The author reports that the app’s Application Programming Interface (API) is easily accessible to anyone. An API is the contract between an app and its server: the app sends a request and the server sends back the answer. The Target API requires no authentication at all. The only thing an attacker needs in order to pull all the data automatically is to figure out how the user ID is generated. Once that is known, every record is served up on a silver platter as a JSON file.

Leaking your data


The JSON file that the Avast researchers requested from Target’s API leaked lots of interesting data. The leaked data included users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. The Avast researchers did not store any PII, but they did aggregate data from 5,000 inputs for statistical analysis.

From that sample the Avast researchers looked at what the data contained. It included brands, the states the Target app users are from, and the most common names of people using Target’s app.


This appears to be a classic case of security by obscurity. The app developers created the online API for the data uploaded by the Target app. They also set up a separate API alongside it so that the retail chain could download and process the uploaded data, but without any security measures in place.
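The flaw described above (an API that takes a guessable user ID, asks for no credentials, and returns the full record) is what the OWASP API Security Top 10 calls Broken Object Level Authorization, the same bug class as an Insecure Direct Object Reference. As an added example, not Target’s code and using constructed data, here is a model of that backend next to a corrected one. The names WISHLISTS, wishlist_vulnerable, wishlist_hardened and the sample records are hypothetical and mine.

```python
import json
import secrets

# Constructed sample store. Sequential integer IDs are what let a scraper
# walk the whole table once the numbering scheme is understood.
WISHLISTS = {
    1001: {"name": "Mary Smith", "email": "mary@example.com",
           "ship_to": "1 Main St, Detroit, MI", "items": ["blender", "scarf"]},
    1002: {"name": "Raj Patel", "email": "raj@example.com",
           "ship_to": "9 Oak Ave, Austin, TX", "items": ["lego set"]},
    1003: {"name": "Ana Costa", "email": "ana@example.com",
           "ship_to": "4 Pine Rd, Portland, OR", "items": ["headphones"]},
}


def wishlist_vulnerable(user_id):
    """The backend as described: no credentials required, and the full record,
    shipping address included, comes back as JSON for any ID that exists."""
    record = WISHLISTS.get(user_id)
    return json.dumps(record) if record else None


def scrape(start, stop):
    """The attacker's side: iterate the ID space and keep every hit.
    With real sequential IDs this loop is the whole exploit."""
    harvested = []
    for uid in range(start, stop + 1):
        body = wishlist_vulnerable(uid)
        if body is not None:
            harvested.append(json.loads(body))
    return harvested


# --- hardened design --------------------------------------------------------
SESSIONS = {}     # session token -> user_id (issued at login)
SHARE_LINKS = {}  # share token -> user_id (minted by the owner for gift-givers)


def login(user_id):
    """Issue an unguessable session token: 32 random bytes, URL-safe."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def make_share_link(session_token):
    """The owner gets a random share token to hand to friends. Nobody has to
    know or guess a user ID, and the token itself carries no PII."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None
    share = secrets.token_urlsafe(32)
    SHARE_LINKS[share] = owner
    return share


def _gift_giver_view(record):
    """Friends need the items; they do not need the email or shipping address."""
    return {"name": record["name"], "items": record["items"]}


def wishlist_hardened(user_id, session_token=None, share_token=None):
    """Returns (http_status, body). Object-level authorization is enforced on
    every request: the full record only for the owner's own session, the
    redacted view only with a share token minted for that user. Missing and
    forbidden both answer 404 so the endpoint cannot confirm which IDs exist."""
    record = WISHLISTS.get(user_id)
    if record is None:
        return 404, None
    if session_token is not None and SESSIONS.get(session_token) == user_id:
        return 200, json.dumps(record)
    if share_token is not None and SHARE_LINKS.get(share_token) == user_id:
        return 200, json.dumps(_gift_giver_view(record))
    return 404, None


if __name__ == "__main__":
    print("scraped from the open API:", len(scrape(1000, 1010)), "records")
    print("same loop against the hardened API:",
          [wishlist_hardened(uid)[0] for uid in range(1000, 1011)])
```

Random tokens are only half of the fix. The authorization check on every request is what makes the numeric ID irrelevant: even a valid share link for one user answers 404 when it is presented with another user’s ID.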

In a post on Ars Technica, a Target spokesperson said that it has suspended elements of the app while developers investigate. With the backend disabled, the data leak should have stopped.

In other Target data breach news FierceITSecurity reports that Target has reached a $39.4 million settlement with banks and credit unions over claims they lost millions of dollars as a result of the massive 2013 data breach at the retailer. The massive data breach at Target exposed the credit and debit card numbers of 40 million customers to hackers and personal information on another 70 million.

The settlement, if accepted, will resolve class-action lawsuits by the banks and credit unions seeking reimbursement for fraudulent charges and issuing new cards. Of the $39.4 million, $20.25 million will be paid to banks and credit unions, and $19.11 million will be paid to reimburse MasterCard card issuers.

This follows settlements that Target reached with Visa card issuers for $67 million and with customers for $10 million. Target estimated that the breach so far has cost it $290 million, with insurers picking up $90 million, according to a filing with the Securities and Exchange Commission last week. Target is not out of the woods yet. It still has to deal with shareholder lawsuits and a probe by the Federal Trade Commission and state attorneys general related to the data breach.

Fred Donovan at FierceITSecurity says Target is a cautionary tale for any enterprise. Despite handling billions of dollars in credit card transactions, the retailer did not have one person responsible for IT security at the time of the breach. While it had a network security system in place, it did not have IT security personnel skilled enough to recognize an alarm the system set off months before Target discovered the breach.

rb-

Cash is king, especially at Target.


25% of Employees Access Past Employers’ Work Docs

More than 25% of file-sharing service users report still having access to work documents from their previous employer, according to a “Rogue Cloud in Business” survey of 2,000 U.S. adults conducted by Harris Interactive for Egnyte, an enterprise file-sharing platform provider.

According to FierceITSecurity, the survey highlights the security risks that uncontrolled file-sharing practices pose to the workplace. An Egnyte presser claims the survey results illustrate a major exposure for today’s businesses when it comes to the transfer and storage of data through unapproved and insecure cloud-only file-sharing services.

The new survey uncovers deep issues around the rogue usage of consumer-based cloud services and illustrates the need for IT to deploy a secure enterprise-grade solution that meets the file-sharing needs of employees while protecting sensitive business data from the risks associated with insecure file sharing through the cloud.

The survey found that:

  • 51% agree that collaborating on file-sharing services (such as Dropbox and YouSendIt) is secure for work documents;
  • 46% agree that it would be easy to take sensitive business documents to another employer;
  • 41% agree that they could easily transfer business-sensitive data outside the company using a file-sharing service;
  • 38% of those who have used file-sharing services have transferred sensitive files on an unapproved file-sharing service to someone else at least once; 10% have done it 6 or more times;
  • 31% agree that they would share large documents that are too big for email through a file-sharing service without checking with their IT departments;
  • 27% of file-sharing service users report still having access to documents from a previous employer.

Another report, from Workshare, paints a grimmer picture for those of us tasked with protecting a firm’s intellectual property. The report, titled “Workforce Mobilization,” shows the extent to which mobile users are willing to bypass IT policies and use unsanctioned applications to share large files and collaborate on documents outside of the office.

  • 72% of workers are using free file-sharing services without authorization from their IT departments.
  • 62% of knowledge workers use their personal devices for work.
  • 69% of these workers also use free file sharing services to collaborate and access shared documents.
  • At companies with fewer than 500 employees, only 24% of employees are using authorized file-sharing solutions.

Robert Hamilton, director of information risk management at Symantec (SYMC) in Mountain View, CA, also told FierceCIO that a continued threat to a company’s data comes from employees who feel like they live in a “finders keepers” environment.

Not encouraging

The results of the survey report, entitled “What’s Yours Is Mine,” were not encouraging to IT security professionals and IT management. According to the Symantec survey of employees:

  • 68% say their company doesn’t take proper steps to protect sensitive work information;
  • 56% do not believe it is a crime to use a competitor’s trade secrets;
  • 40% download work files to personal devices;
  • 40% plan to use old company information in a new job role.

Symantec’s Hamilton told FierceCIO:

Employees are taking increasing amounts of data outside the company, and most people do not believe using corporate data for themselves is wrong … The attitude is that ownership lies with the person that created it, not with the company that employs them.

rb-

All three of these firms sell products that they claim can stop a firm’s intellectual property from leaking out through public file-sharing services. But before you engage any firm, some basic steps should be taken.

  1. Develop a technology acceptable use policy.
  2. Include public file-sharing services in the AUP.
  3. Incorporate the AUP in the staff handbook, and make sure staff sign it before they are given network access.
  4. Train staff on the risks associated with using public file-sharing services for sharing corporate documents. Risks include HIPAA violations, PII release, malware, PCI-DSS violations, and government “snooping.” Only then:
  5. Engage a service provider to implement an enterprise-approved alternative to the free file-sharing services.
Symantec infographic: “What’s Yours Is Mine”


Privacy for Drivers

Ford Motor Company (F) Global Marketing Director Jim Farley touched off a privacy storm when he told an audience at the Consumer Electronics Show that the automaker is tracking customers’ travels through their in-car navigation systems. He told the crowd in Las Vegas that the automaker tracks driver behavior: “We know everyone who breaks the law, we know when you’re doing it.”

Auto manufacturers have installed “black boxes” (event data recorders) on most modern cars. The black boxes are capable of tracking, gathering, and storing vehicle information. In fact, federal regulators have proposed that such recorders become standard equipment on all cars.

Privacy firestorm

Even though Ford quickly backed down from Mr. Farley’s claims, the comments created a privacy firestorm. As a result, TheDetroitBureau.com reports, privacy advocates stepped up pressure on manufacturers to reveal what information the “black boxes” collect and what they are doing with that personal data, and to put limits on how it can be used.


In response, a group of 19 automakers has gotten together to lay down some ground rules, which they hope will assuage fears about the accessibility and use of the material. According to the article, the makers say the information won’t be given to government officials or law enforcement agencies without a court order, or sold to insurance companies or other companies without the owner’s permission.

The automakers agreeing to the “rules,” which they submitted to the Federal Trade Commission, include Aston Martin, BMW, Chrysler (STLA), Ferrari, Ford, General Motors (GM), Honda (HMC), Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo.

Self-imposed data collection “rules”

The author speculates that the automakers are willing to abide by the self-imposed “rules” because they believe actual laws could become onerous. Sen. Edward Markey, D-MA, is skeptical of the impact of the “rules.” He called them “an important first step,” but said it remains unclear “how auto companies will make their data collection practices transparent beyond including the information in vehicle manuals.”

Senator Markey noted that the automakers did not offer consumers an opt-out option for whether sensitive information is collected in the first place. He plans to legislate an answer: “I will call for clear rules — not voluntary commitments — to ensure the privacy and safety of American drivers is protected,” Markey said in a statement.

The automakers also committed to “implement reasonable measures” to protect personal information from unauthorized access. Privacy experts are concerned that in recent years many vehicles have had a variety of GPS and mobile communications technology built into them.

TheDetroitBureau explains that these devices record and send all types of information, and privacy advocates are afraid the data could be used by the government against the owners of the vehicles. Some worry that three-letter agencies and law enforcement will use data from the devices to track citizens. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said that legislation is needed to ensure automakers don’t back off their self-imposed “rules” when they become inconvenient. He said,

You just don’t want your car spying on you. That’s the practical consequence of a lot of the new technologies that are being built into cars.

Pop-up ads on in-car touch screens

The black boxes now installed in new vehicles could also be a safety issue for drivers. The article speculates that the rising level of interactivity in cars could open the door to pop-up ads. The automakers’ “rules” do not rule out pop-up ads appearing on the touch screens of cars, trucks, and SUVs as folks are motoring down the road.

One loophole in the guidelines identified in the blog: if customers agree at the time they buy the car, they could receive messages from advertisers who want to target motorists based on their location and other personal data, according to the author. Some safety advocates are concerned about ads popping up on in-car touch screens while drivers are behind the wheel. Henry Jasny of Advocates for Highway and Auto Safety warned the Associated Press:

There is going to be a huge amount of metadata that companies would like to mine to send advertisements to you in your vehicle … We don’t want pop-up ads to become a distraction.

rb-

The road to hell is paved with good intentions and full of pot-holes. I covered Cisco’s try at monetizing driver data here. Industry officials say they want to assure their customers that the information their cars stream from the vehicle’s computers to automakers (or Feds) via OnStar, Sync, Automatic, In-Drive, or Car-Net won’t be handed over to authorities without a court order, sold to insurance companies, or used to bombard them with ads for pizza, gas stations, or other businesses they drive past, without their permission.


Encryption on the Internet Primer

I spoke to several of my mother’s friends the other day. They were all worried about being on the web. Kudos to these ladies for being connected at all (they are in their 70s and 80s). They also get a gold star for being alert enough to recognize that something on the ol’ Intertubes has changed recently.

They hear that their information is being stolen at the banks and stores they frequent. One neighbor lady even said she was worried about the government stealing her data. I explained to the group that I too am concerned about how it seems everyone on the web is under attack lately.

I gave them the usual pointers. Don’t trust anything on the web.  Have someone (not me!) help keep their anti-malware and systems up to date. And use encryption if possible.

Navajo Code Talkers

Of course, none of my mother’s neighbors had heard of encryption. I explained to the ladies that encryption means changing a message so that anybody who heard the message would not understand it unless they knew how the message was changed. I used the example of Ig-pay Atin-lay.

  • An-cay ou-yay eak-spay Ig-pay Atin-lay? = Can you speak Pig Latin?
  • I-way ave-hay a-way ecret-say = I have a secret.

 

Then of course I was outsmarted. One of the women chimed in, “Oh, like the Navajo Code Talkers during World War II.” (Next time I will start with the smart answer and then go to the Pig Latin.) These ladies lived through it. Sheesh.

So that got me thinking: what does the end user really need to know about encryption? Sure, there are PKIs, salted hashes, block ciphers, and so on, none of which mean anything to the end user.

What users need to know about encryption

Miguel Leiva-Gomez at MakeTechEasier.com recently explained what beginners need to know about encryption. He says that encryption is a practice in cryptography where a piece of data is transformed in a mathematically defined way so that its contents cannot be recovered without the key. The author says it is like my Pig Latin example, but much more complex (and, unlike Pig Latin, the method itself can be public; only the key needs to stay secret). The mathematical procedures used to encrypt (and decrypt/decode) things are called cryptographic algorithms.

These cryptographic algorithms are needed because hackers are getting smarter and sneakier. They’re compromising databases left and right. To protect your data, system owners should use these algorithms to mathematically jumble up (encrypt) all your personal data, so that a stolen copy of the database is useless without the key. Mr. Gomez claims that encryption basically protects you from intrusion. His password example is really a close cousin of encryption called hashing: if a hacker manages to break into a database and take the passwords, he reads something like “EAFC49BF4B496090EA2B7CA51674589” instead of “Mary_$mith,” and a properly hashed password cannot be turned back into the original.

The article calls the jumbled-up text like “EAFC49BF4B496090EA2B7CA51674589” that comes out of the algorithm the ciphertext. The readable original is known as plaintext. These are very important words to remember when discussing cryptography.
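The password example above is hashing rather than encryption, and the practical difference matters when a database leaks. As an added illustration (my own code, not from the MakeTechEasier article) this shows why an unsalted digest like the one quoted is easy to recover and what a salted, deliberately slow hash changes. The wordlist and the passwords are constructed; everything else is Python’s standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the wordlists and rainbow tables attackers keep.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "password123", "Mary_$mith"]


def unsalted_sha256(password):
    """One-way hash, the kind of 'EAFC49BF...' value the article shows. It is
    not encryption: there is no key and it cannot be run backwards. But the
    same password always gives the same digest, and that is the weakness."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digest, wordlist=COMMON_PASSWORDS):
    """Recover a leaked unsalted digest by hashing guesses and comparing.
    Attackers do this with precomputed tables covering billions of guesses."""
    for candidate in wordlist:
        if unsalted_sha256(candidate) == digest:
            return candidate
    return None


def store_password(password, iterations=100_000):
    """How a database should hold a password: a random per-user salt plus a
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, standard
    library). The salt defeats precomputed tables; the iteration count makes
    every guess expensive. OWASP currently recommends 600,000 iterations for
    this KDF; it is kept lower here so the example runs quickly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    leaked = unsalted_sha256("Mary_$mith")
    print("unsalted digest", leaked, "recovers", crack_unsalted(leaked))
    rec = store_password("Mary_$mith")
    print("salted record", rec)
    print("same password, fresh salt, same hash?",
          store_password("Mary_$mith")["hash"] == rec["hash"])
```

Two users with the same password get two different records, so a table built against one leak tells the attacker nothing about the next one, and each guess costs a hundred thousand hash computations instead of one.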

The author explains that there are two ways that the plaintext “Mary_$mith” gets turned into ciphertext like “EAFC49BF4B496090EA2B7CA51674589” and then back to the plaintext “Mary_$mith.” The first method is called a symmetric algorithm:

Symmetric algorithms use a single secret key to both encrypt and decrypt data. The key is the missing piece that makes the math reversible: with it, turning ciphertext back into plaintext is easy; without it, the attacker is left guessing. The length of the key and the design of the algorithm determine how much guessing is required. A well-designed cipher with a 128-bit key would take more computing power to brute-force than any hacker, or any cluster of computers, could bring to bear, which is why attackers usually go after the key or the software around it rather than the math.

The second way plaintext gets turned into ciphertext and back again is with asymmetric (public key) algorithms. Asymmetric algorithms use a pair of mathematically related keys rather than one shared key. One key is public and can be handed to anyone (for a web site it is published in the server’s certificate); the other is private and stays with its owner. Data encrypted with the public key can only be decrypted with the private key. Mr. Gomez writes that this is where asymmetric algorithms get their strength: a hacker who obtains the public key can encrypt messages to you but cannot read your data, because the public key does not reveal the private one.
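To make the one-key versus two-key distinction above concrete, here is an added example (my own code, not from Mr. Gomez’s article) covering both the symmetric and the asymmetric paragraphs. The symmetric half builds a toy stream cipher from HMAC-SHA256 in the standard library; the asymmetric half is textbook RSA with the tiny primes 61 and 53. Both are illustrations only: real systems use a vetted library with AES-GCM or ChaCha20-Poly1305, and RSA with 2048-bit or larger moduli and OAEP padding. The toy cipher has no integrity check and the toy RSA no padding, so neither should protect real data.

```python
import hashlib
import hmac
import secrets

# ---- symmetric: one secret key, shared by both sides -----------------------

def keystream(key, nonce, length):
    """Pseudorandom bytes derived from the key with HMAC-SHA256 in counter
    mode. Illustrative only: production code uses an AEAD cipher such as
    AES-GCM from a vetted library, which also authenticates the data."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, plaintext):
    """Fresh random nonce per message, so the same plaintext never produces
    the same ciphertext twice; the nonce travels in the clear with it."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key, blob):
    """Same key, same nonce, same keystream: XOR undoes XOR."""
    nonce, ciphertext = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# ---- asymmetric: a public key and a separate private key -------------------

def rsa_keygen(p=61, q=53, e=17):
    """Textbook RSA with toy primes (modulus 3233). The public key (e, n) can
    be published; d is computed from p and q, which stay secret. Real RSA
    uses primes of 1024+ bits and OAEP padding; never use this for real data."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)  # m must be smaller than n


def rsa_decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def rsa_demo(m, p=61, q=53, e=17):
    """Encrypt with the public key, decrypt with the private key, and show
    that applying the public key to the ciphertext does not recover m.
    Returns (decrypted_with_private_key, result_with_public_key_only)."""
    public_key, private_key = rsa_keygen(p, q, e)
    c = rsa_encrypt(public_key, m)
    return rsa_decrypt(private_key, c), pow(c, public_key[0], public_key[1])


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = symmetric_encrypt(key, b"I have a secret.")
    print("symmetric round trip:", symmetric_decrypt(key, blob))
    print("wrong key gives:", symmetric_decrypt(bytes(32), blob))
    print("rsa demo for m=65 (private key, public key only):", rsa_demo(65))
```

The symmetric functions show the shared-secret problem in miniature: both sides must already hold the same 32 bytes. RSA removes that requirement, which is exactly how a browser can send a secret to a web server it has never spoken to before.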

rb-

In the end, not all algorithms are created equal. Some have already been broken, and others will be weakened as attacks improve, so it’s difficult to know which services you should rely on.

The best advice is still the oldest advice. Look for URLs that start with HTTPS and a lock icon in the address bar. That means the connection to the site is protected by Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). TLS is not a single algorithm: it uses asymmetric (public key) cryptography to authenticate the site and agree on a key, then a symmetric cipher to encrypt the actual traffic. The old SSL versions have been broken and retired, so your browser and software need to be current enough to speak modern TLS.

That’s why the age-old advice to keep your PC up to date is critical for keeping your personal data safe.

Related articles
  • Navajo, Pawnee Code Talkers remembered on Veterans Day (KOB.com)

 
