Branding

November 8, 2018 by Joseph Martin

Yahoo has the dubious honor of having been on the receiving end of the largest data breach in history. As a consequence, the company has recently agreed to pay $50 million in damages and provide free credit monitoring services to its impacted users.

The company actually suffered a pair of breaches in 2013 and in 2014, although this information was not disclosed by the company until 2016. All of the company’s 3 billion users were impacted, and more than 200 million of them saw losses arising from that breach.

The compromised data included: usernames, email addresses, dates of birth, security questions (and their answers) backup email addresses, and phone numbers exposed.

The particulars of the settlement are as follows:

Yahoo pays $50 million to users whose accounts were compromised

Yahoo pays $35 million in legal fees

People who paid for a $20 or $50 a year for a Yahoo Premium account will be eligible for a 25 percent refund

People who had their email accounts compromised will be compensated $25 per hour for the time they spent handling issues related to the breach. Although in this case, users with documentation will see their compensation limited to a maximum of fifteen hours, while users without documentation will be limited to a maximum of five hours of compensation

Any impacted user can request free credit monitoring, which the company will offer for two years

Verizon, which acquired Yahoo in 2017, will pay for half of the settlement cost. Meanwhile, Altaba (the company that arose from the remainder of the original Yahoo business) will pay the $35 million fine imposed by the US Securities and Exchange Commission for the company’s failure to disclose the breach to its investors.

It’s a landmark case, and once the deal gets final approval, notices will be emailed to affected account holders and published in People and National Geographic magazines.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

November 7, 2018 by Joseph Martin

As far as hackers are concerned, no target is safe. Not even the Girl Scouts.

Recently, one of the Girl Scouts’ official email accounts was accessed by an “unauthorized third party” and as a result, as many as 2,800 girl scouts in Orange County, California may have had their personal information compromised.

Gaining access to the account naturally gave the hacker access to every email sent from that account that had not already been deleted. When the breach was discovered, the Girl Scouts sent an email to every potentially impacted individual.

The email reads, in part, as follows:

“Some of the emails stored in this account, which included emails with dates as far back as 2014 through October 1, 2018, contained information about our members. Out of an abundance of caution, we are notifying everyone whose information was in this email account.”

Based on the information the account contained, compromised data varied widely from one person to the next. However, the data included details like email address, home address, health history information, insurance policy numbers and driver’s license details. In short, that’s more than enough information to steal an identity.

While this breach is not noteworthy for its scope and scale, it has been attracting a great deal of attention because it targeted children and young adults. Identity data belonging to this demographic is extremely attractive to hackers because it can often be monetized for months, if not years before red flags are raised.

Last year, more than a million children in the US were impacted by identity fraud. What’s worse, according to a report published by Javelin Strategy and Research, 60 percent of child identity fraud victims know the fraudster, compared with just 7 percent of adult victims.

The investigation is still ongoing, but if you live in Orange County, California, and have a child in the Girl Scouts, be on high alert.

Joseph Martin

November 7, 2018 by Joseph Martin

IBM has recently announced what is to be the largest open source acquisition in history. They’re buying Red Hat for a staggering $34 billion dollars. This, as the saying goes, changes everything.

IBM has lagged behind its competitors for years in the area of cloud computing. When the ink dries on this deal, they’ll move from a virtual non-entity in the market to the world’s #1 hybrid cloud provider.

If you’re a Red Hat supporter, don’t worry that the company is going away. The company is to retain its independence. Rather than being rolled into the corporate structure of IBM, it will be run as a distinct entity and will continue to be led by Red Hat’s current CEO, Jim Whitehurst. Red Hat’s headquarters, facilities and their corporate culture will all remain intact.

Whitehurst himself had this to say about the announcement:

“…Importantly, Red Hat is still Red Hat. When the transaction closes, as I noted above, we will be a distinct unit within IBM, and I will report directly to IBM CEO Ginni Rometty. Our unwavering commitment to open source innovation remains unchanged.

The independence IBM has committed to will allow Red Hat to continue building the broad ecosystem that enables customer choice and has been integral to open source’s success in the enterprise.”

At this point, most of the hurdles standing in the way of the acquisition have been cleared. All that remains is gaining Red Hat shareholder and regulatory approval, both of which are deemed likely. Assuming there are no unexpected wrinkles in the plan, the deal is expected to be finalized sometime during the second half of 2019.

IBM has long supported Linux and other open source initiatives, and this deal is unlikely to change that. That is one of the reasons the proposed deal is unlikely to meet much resistance from either Red Hat’s shareholders or governmental regulatory agencies.

Joseph Martin

October 22, 2018 by Joseph Martin

This hasn’t been a great month for two of the titans of tech. Both Apple and Microsoft have been plagued with bug-riddled updates to their operating systems. In Apple’s case, their new iOS 12 had to be patched just three weeks after its release because of all the bugs the company’s burgeoning user base discovered almost immediately after updating.

Unfortunately, the 12.0.1 patch seems to have created almost as many issues as it solved for some users. In particular, some users are reporting network and signal connectivity problems, leading to an increasing number of broken calls. It has created such a stir that it’s even caught the attention of national media.

A recent Forbes article had this to say:

“Since upgrading, owners of both new and old iPhones are finding their phones either don’t make or receive calls. Bluetooth connectivity, Wi-Fi and battery-related issues are again surfacing on an iOS generation which Apple has promoted as being all about efficiency, stability, and speed.”

We’re also seeing an interesting incarnation of the law of unintended consequences where iOS 12 is concerned. One of the things Apple did differently in this latest version of the OS was to reorganize how the OS recognizes people in your contacts list, referring to the Apple ID number.

Unfortunately, many users tended to group contacts under a common Apple ID (family under one, co-workers under another, and so on).

Recently, select users got a shock when they used iMessage to send a note to a friend and wound up sending it to a whole group, simply because iMessage uses the same Apple ID that now organizes your contacts. The company issued a quick patch to fix that, but as you might expect, it caused a fair amount of concern for the short period the but/unintended consequence existed.

All that to say, Apple is off to a rocky start with iOS 12. So far, at least, we’ve been underwhelmed. The promised speed, stability and efficiency isn’t being delivered.

Joseph Martin

October 17, 2018 by Joseph Martin

By now, almost everyone has heard of the Spectre and Meltdown security flaws that have been making headlines for more than a year. They’re serious flaws with dire implications for tens of millions of users around the world who have an intel-based PC.

The saga surrounding the fixes for these issues has been a long one and filled with twists and turns. Intel originally attempted to push a software fix to protect its chips, but the patch they issued was so flawed that the company requested users not install it and wait for a better, more reliable patch.

In time, that patch was issued, but unfortunately, the protection it offered carried a hefty price in the form of significant system slowdowns.

The longer-term solution was, of course, to re-engineer the chips themselves. Recently, Intel announced that some of their 9th Generation chips will come with built-in fixes to ward against both Spectre and Meltdown. Note the word “some.”

Specifically, the company’s new line of K-series chips, used in gaming CPU’s have been re-engineered to be resistant to those security flaws. Unfortunately, the X-Series (Xeon-class chips) don’t feature those security fixes.

The reason is that they’re based on the older Skylake-X architecture, and given that, the company is relying solely on software updates to protect those chips.

At a recent desktop press event, the company had this to say about the matter:

“…the new desktop processors include protections for the security vulnerabilities commonly referred to as ‘Spectre,’ ‘Meltdown,’ and ‘L1TF.’ These protections include a combination off the hardware design changes we announced earlier this year as well as software and microcode updates.”

Although Intel has been roundly criticized for its handling of the issues surrounding these flaws, this is undeniably a step in the right direction.

Joseph Martin

September 18, 2018 by Joseph Martin

In 2016, an unnamed US energy company left some 30,000 records (containing information about its security assets) exposed for more than two months (a total of 70 days), in violation of energy sector cyber security regulations. When the incident was initially reported, the name of the company was withheld.

That company has now agreed to a $2.7 million-dollar settlement, and its name has now been made public, along with some additional details about the incident.

Initially, the company admitted that they unintentionally exposed the database in question, but that it contained fake data. As the investigation into the matter continued, it became apparent that the data was not only real, but that it included hashed passwords for administrators that hackers could have easily reverse-engineered. PG&E subsequently reversed their fake data assertion.

The exposed data was found by independent security researcher Chris Vickery, who indicated at the time that the database contained details for some 47,000 computers, virtual machines, servers and other devices.

In addition to that a number of non-encrypted email passwords were found, along with 120 encrypted passwords. In Vickery’s words, “This would be a treasure trove for any hostile nation-state hacking group.”

According to the official NERC notice regarding the incident:

“The data was exposed publicly on the internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords. Exposure of the username and cryptographic information could aid malicious attackers in using this information to decode passwords.”

Once PG&E was made aware of the problem, it took a server offline, which removed the exposed data. They also brought in third-party forensic experts to investigate, and as a result of that investigation, revised a number of their security policies.

Overall, the company’s handling of the matter was spotty at best, but in light of the record-setting fine, the hope is that we won’t see a similar instance of carelessness in the future.

Joseph Martin

September 17, 2018 by Joseph Martin

If you fly Air Canada and use their mobile app, it may be time to change your password. The company recently announced that between August 22nd and August 24th of this year, they detected “unusual log-in behavior,” and that a small fraction (some 20,000) of their 1.7 mobile app users may have had their data compromised as a result.

The company stressed that no credit card information was compromised, but that doesn’t make the breach much less damaging.

The exposed data included:

Customer name

Physical address

Email address

Phone number

Any information an individual customer added to his or her profile

Worst of all is the fact that passport numbers were also exposed. Using that information, a hacker could easily gain access to the countries that a person has been to, when the passport expires, country of residence, the flight numbers of any flights they’ve taken, their gender, birthday and more.

As is usually the case when events like this occur, Air Canada has apologized to their customers and has reached out to all of their potentially impacted users.

Even if you didn’t get a notification from Air Canada, it would be prudent to change your password as soon as possible.

The company has not released any details about exactly how the breach occurred, and the matter is still under investigation.

Note that in terms of scope and scale, this is a fairly small breach. The 20,000 users represents about 1 percent of the total user base. Even so, the data stolen has the potential to be quite damaging. Even after you change your password, since email addresses were compromised during the breach, be on the alert for phishing emails, as the group responsible may attempt to leverage the information they have to get even more.

Joseph Martin

September 10, 2018 by Joseph Martin

Do you own an iPhone 8? If so, you may have problems. Apple has recently reported that a small percentage of iPhone 8s “contain logic boards with a manufacturing defect.

Affected devices may experience unexpected restarts, a frozen screen, or won’t turn on.”

The company has isolated the defect to phones manufactured between September 2017 to March 2018, in Hong Kong, India, Japan, China, New Zealand, Macau, and the United States.

To find out if you’ve got one of the impacted iPhone 8s, head to the company’s website and use the tool they’ve placed there, entering your phone’s serial number. If your phone is one of the defective devices, Apple will repair it free of charge for up to three years after the sale.

Note, however, that some types of damage may incur fees to repair, specifically in the instance of a cracked screen or similar.

Apple’s handling of the issue has so far been quite good. They were quick to acknowledge the mistake and isolate it to a very specific frame of time, and equally quick to create a checking tool. Their repair policy is generous, as is the impressive three-year window.

It’s unfortunate that the manufacturing error occurred. However, the reality is that many companies would not have been as forthcoming as Apple has been, nor as generous with their repair policy.

Kudos to Apple for their handling of the issue. If you’re considering buying a new iPhone, don’t let this hiccup change your mind. Although the company isn’t perfect, you’ll find few companies that can top Apple in terms of taking care of their customers. There’s a reason their customers are more like fans, and companies of all shapes and sizes would do well to emulate Apple as best they can.

Joseph Martin

August 9, 2018 by Joseph Martin

A dark day for Lifelock, the Identity Theft Protection company. It has recently come to light that the company may have accidentally exposed their customers to additional attacks.

They recently fixed a vulnerability on their website that allowed anyone with a browser to index email addresses associated with their entire customer database. The vulnerability can even unsubscribe users from company communications designed to keep them safe and keep them apprised of changes they need to be aware of.

In addition to that, the vulnerability made it possible for hackers to initiate highly targeted phishing campaigns and create a convincing spoof of the Lifelock brand.

Symantec, which purchased Lifelock in late 2016, took the company’s website offline not long after being contacted by KrebsOnSecurity, which is how they became aware of the vulnerability.

Krebs was made aware of it by Nathan Reese, a freelance security consultant based out of Atlanta. Nathan put together a proof of concept script that was capable of downloading the email addresses of all 4.5 million of Lifelock’s customers and then presented it to Krebs.

Reece aborted his script after downloading 70 emails so as not to set off alarm bells at Lifelock, and had this to say about his discovery:

“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

He’s not wrong, so it’s good that Reece isn’t a bad guy.

There’s no evidence that any hackers were aware of the issue, or made off with any of Lifelock’s customer emails. However, given the existence of the now-patched flaw, it pays to be suspicious of any email that appears to be coming from Lifelock for the short to medium term, at least.

Joseph Martin

August 9, 2018 by Joseph Martin

Twitter has long had a reputation for being at the mercy of bots that have been used to sway public discourse and opinion.

Often, these bots are controlled via Twitter API apps that allow the authors to automate most of their actions, such as tweets, follows, and likes.

In the face of Facebook’s recent grilling before congress, Twitter has decided to take a more proactive stance, and has recently announced major changes to their policies.

The first part of the company’s statement to that effect reads as follows:

“Starting today, all new requests for access to Twitter’s standard and premium APIs are required to go through a new individual approval process.”

In addition to the newly announced approval process, the company moved decisively to cut off more than 143,000 apps they deemed to be in violation of the company’s terms of service.

The more robust approval process requires app developers to provide more information about themselves and the ultimate purpose of the apps they design. Additionally, Twitter has put a hard cap on the number of apps that developers can create and manage, which tops out at ten. If developers need to run more than that, they’ll need special permission from Twitter, and they’ll have to provide a compelling reason to justify the need.

Beginning September 10th, 2018, the company will be placing additional restrictions on every Twitter App which will control their use rates.

The new rate limits (per app) will be:

300 Tweets and Retweets per hour

1,000 likes per 24 hours

1,000 follows per 24 hours

15,000 direct messages per 24 hours

The company reserves the right to either remove or further restrict these limits for legitimate reasons.

On top of all that, Twitter has also modified its Twitter API support page to include an option for reporting “bad apps” that break one of the company’s policies. According to the company, the combined effect of all of these changes should “help cut down on the ability of bad actors to create spam on Twitter via their APIs.”

While it remains to be seen how effective these changes will be, kudos to Twitter for taking action.

Joseph Martin

Contact Info

Navigation