Turbotodd

Ruminations on tech, the digital media, and some golf thrown in for good measure.

Archive for the ‘cybersecurity’ Category

Facebook Security Flaw


The New York Times is reporting that Facebook said today an attack on its computer network led to the exposure of information from nearly 50 million of its users.

Facebook said it discovered the breach earlier this week, “finding that attackers had exploited a feature in Facebook code that allowed them to take over user accounts.”

The Times reports that Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack, and is in the beginning stages of its investigation.

Here’s Facebook’s detailed explanation of the exploit and the actions it says it has taken:

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

The Times went on to write that:

One of Facebook’s most significant challenges has been convincing its users that it is responsible enough to handle the incredible wealth of data the company handles. More than 2 billion people use Facebook every month, and another two billion separately use WhatsApp, a messaging app owned by Facebook, and Instagram, the Facebook-owned popular photo-sharing app.

You know the drill. Check your password, change it, etc., ad nauseam, ad infinitum.

Written by turbotodd

September 28, 2018 at 12:22 pm

Posted in 2018, cybersecurity


Apple AR Acquisition


Happy Thursday.

Reuters is reporting that Apple has acquired a startup focused on making lenses for augmented reality glasses, a sign that Apple has ambitions to make a wearable device that would superimpose digital information on the real world.

The company, Akonia, could not be immediately reached for comment, according to Reuters. It reports that the company was founded in 2012 by a group of holography scientists and had originally focused on holographic data storage before pivoting to creating displays for AR glasses.

Neither the purchase price nor the date of the acquisition was revealed, although one executive in the AR industry said the Akonia team had become “very quiet” over the past six months.

Reuters suggests that this acquisition is the first clear indication of how Apple might handle one of the most daunting challenges in AR hardware: producing crystal-clear optical displays thin and light enough to fit in glasses similar to everyday frames, with images bright enough for outdoor use, and suited to mass manufacturing at a relatively low price.

Meanwhile, from The Verge we learn that Google’s Titan Security key set — which includes a USB key, a Bluetooth key, and various connectors — is now available to us mere mortals for only $50.

The Titan keys work as a second factor for a number of services, including Google Cloud customers, Facebook, Dropbox, and GitHub. But as The Verge points out, they’re built particularly for Google account logins, and, specifically, the Advanced Protection Program announced last October.

The Verge writes that “Because the keys verify themselves with a complex handshake rather than a static code, they’re far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.”
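To make The Verge’s handshake-versus-static-code point concrete, here is an added example (not from the post, from Google, or from the Titan firmware) modelling origin-bound challenge signing in Python. The key model uses HMAC with a shared secret as a stand-in for the asymmetric signature a real key produces, the origins are constructed, and the point it shows is why a lookalike site relaying the real site’s challenge still gets a signature the real site rejects, whereas a typed one-time code can simply be forwarded.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.com"             # constructed
PHISH_ORIGIN = "https://accounts-example.com.evil.test"  # constructed lookalike


class SecurityKey:
    """Simplified hardware key that signs over (origin, challenge). A real key
    uses an ECDSA key pair; HMAC with a shared secret stands in (stdlib only)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def registration_verifier(self):
        return self._secret  # what the relying party stores at registration

    def sign(self, origin, challenge):
        # The browser supplies the origin it is on; the user cannot alter it,
        # so a lookalike site only ever obtains a signature over its own name.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin, verifier):
        self.origin, self.verifier, self._outstanding = origin, verifier, set()

    def new_challenge(self):
        challenge = secrets.token_bytes(32)  # fresh per login attempt
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, signature):
        if challenge not in self._outstanding:
            return False  # unknown or already-used challenge: blocks replay
        self._outstanding.discard(challenge)
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.verifier, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_attempt(origin_seen_by_browser):
    """Relay scenario: the page the victim is on forwards the real site's
    challenge to the key and the key's answer back; returns whether the
    real site accepts it. A typed six-digit code has no origin to check."""
    key = SecurityKey()
    site = RelyingParty(REAL_ORIGIN, key.registration_verifier())
    challenge = site.new_challenge()
    return site.verify(challenge, key.sign(origin_seen_by_browser, challenge))
```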

Google has also indicated that the production process makes the keys more resistant to supply chain attacks, because the firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory. Google says that the chip used is designed to resist physical attacks aimed at extracting firmware and secret key material.

Anything to keep the very bad people away from my data.

Written by turbotodd

August 30, 2018 at 9:49 am

The Cost of New Breaches


Earlier this week IBM Security released the results of a global study examining the full financial impact of a data breach on a company’s bottom line. 

Overall, the report found that the hidden costs in data breaches — lost business, negative impact on reputation and employee time spent on recovery — are difficult and expensive to manage. One-third of the cost of “mega breaches” (1 million lost records or more) was derived from lost business.

So what was the average cost of a data breach globally? $3.86 million, which was up 6.4 percent from their 2017 report.

Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analyzes hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and the cost of lost business and reputation.

This year, the study also calculated those “mega breach” costs, projecting that those involving lost records ranging from 1 million to 50 million cost companies between $40 million and $350 million respectively.

Some other sound bytes:

  • Average cost of a data breach of 1 million compromised records is nearly $40 million
  • At 50 million records, estimated total cost of a breach is $350 million
  • The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
  • The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)

You can download the 2018 Cost of a Data Breach Study here.

Written by turbotodd

July 13, 2018 at 10:14 am

The Spy Who Tracked Me


This is a juicy headline from Bloomberg: U.K. Reveals its First Major Cyber-Attack Was Against IS

GCHQ isn’t typically known for advertising its very-much-behind-the-scenes-on-the-down-low headline making when it comes to espionage, cyber or otherwise.

But according to this Bloomberg report, Britain “carried out its first major cyber-attack in 2017, disrupting Islamic State’s communications and propaganda for much of the year.”

“This is the first time the U.K. has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” [GCHQ Director Jeremy] Fleming told a cybersecurity conference in Manchester, England, “Did it work? I think it did.”

Fleming (great last name for a spy head, right?) also mentioned Russia in his comments:

The use of a nerve agent against former double agent Sergei Skripal, he said, “demonstrates how reckless Russia is prepared to be, how little the Kremlin cares for the international rules-based order.” Russia “widely uses its cyber capabilities,” Fleming said, “blurring the boundaries between criminal and state activity” and deploying “industrial-scale disinformation to sway public opinion.”

Written by turbotodd

April 12, 2018 at 12:59 pm

Atlanta’s Cyber Attack


In case you hadn’t heard or read, the city of Atlanta has been hamstrung by a ransomware attack that began last Thursday.

The New York Times’ Alan Blinder and Nicole Perlroth provided an update yesterday. The key facts thus far:

  • This was one of the most “sustained and consequential cyberattacks ever mounted against a major American city.”
  • It “laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations.”
  • The attackers, the “SamSam” hacking crew, locked up the city’s files, and gave the city a week to pay ~ $51,000 in ransom via Bitcoin.
  • While the attack didn’t impact Atlanta’s 911 calls or wastewater treatment, “other arms of city government have been scrambled for days.” 
  • But the Atlanta Municipal Court has been unable to validate warrants, police officers have been writing reports by hand, and the city has stopped taking employment applications.
  • Dell SecureWorks and Cisco Security are working to restore the city’s systems, and the city’s mayor, Keisha Lance Bottoms, has not yet indicated whether the city would pay the ransom.

The Times also cited a 2016 survey of CIOs for jurisdictions across the country, which found that obtaining ransom was the “most common purpose of cyberattacks on a city or county government, accounting for nearly one-third of all attacks.”

In the meantime, many of Atlanta’s core public services are being delivered by that trusty and dependable standby, pen and paper.

If you’re interested in learning more about how to contend with ransomware, IBM Incident Response Services published this “Ransomware Response Guide (Registration required).”

Written by turbotodd

March 28, 2018 at 10:02 am

Saudi Cyber


Don’t miss this doozy of a story from The New York Times’ Nicole Perlroth and Clifford Krauss about last year’s cyberattack in Saudi Arabia.

The executive summary: Last August, a petrochemical plant in Saudi Arabia was struck by a cyberassault that intended to sabotage the firm’s operations and trigger an explosion.

The only thing that prevented the explosion was a mistake in the attackers’ computer code. 

For cyber warriors on the front line, it’s a must read.

On the flip side, Google released its “Android Security 2017 Year in Review” report earlier today, and it cited that 60.3 percent of Potentially Harmful Apps were detected via machine learning.

As reported by VentureBeat, its detection is done by a service called Google Play Protect, which is enabled on over 2 billion devices (running Android 4.3 and up) to constantly scan Android apps for malicious activity.

In other words, artificial intelligence and machine learning are the future of cyber monitoring, and the future has already arrived.

Speaking of the future and cybersecurity, at next week’s IBM Think 2018 conference in Las Vegas, you’ll be able to tune in to over 100 sessions LIVE via the IBM UStream. 

Be sure to check out the schedule here, and to catch the cyber keynote from 12:30-1:10 PST on Tuesday, March 20th, entitled “Ready for Anything: Build a Cyber Resilient Organization.”

Written by turbotodd

March 15, 2018 at 10:16 am

KRACK


I just got back from chasing a little white ball around the Texas Hill Country for a week.

Upon my return, I discovered the wonderful news about the KRACK attack (who comes up with these names??!).

First, the Equifax breach, now this.

If you’re not familiar, the KRACK exploit has to do with a serious weakness discovered in the WPA2 protocol (wifi).

According to a rundown in Ars Technica, the exploit allows attackers within range of a vulnerable device or access point to intercept passwords, emails, and other data presumed to be encrypted. In some cases, the report goes on, it could allow perpetrators to inject ransomware or other malicious content into a website a client is visiting.

You can learn more details about the exploit and fallout here.

FYI, it won’t help to change your wifi password. Microsoft has issued a Windows patch for the exploit, Mac has beta fixes in developer releases of iOS, macOS, tvOS and watchOS, and Android is expected to have a fix in the coming weeks.

Now, on to the more positive news. Yesterday, IBM announced a new blockchain banking solution that will help financial institutions address the processes of universal cross-border payments, designed to reduce the settlement time and lower the cost of completing global payments for businesses and consumers.

TechCrunch captures the current situation and the blockchain remedy:

Currently, international transactions take days, if not weeks, to be completed. Frustration with that has seen services like TransferWise rise, but, great as they are, they remain solutions for savvy consumers or small businesses rather than all. A blockchain solution for banks addresses the root cause, and it could minimize the potential for errors thanks to the ledger-based system while also providing transparency and flexibility to banks. In one example, IBM said its service could be used to connect a farmer in Samoa with a buyer based in Indonesia, while covering more than just the payment itself. “The blockchain would be used to record the terms of the contract, manage trade documentation, allow the farmer to put up collateral, obtain letters of credit, and finalize transaction terms with immediate payment, conducting global trade with transparency and relative ease,” it said.
– via TechCrunch

Very cool stuff.

If you’re not yet on the blockchain, you can learn more here.

Written by turbotodd

October 17, 2017 at 8:32 am
