This was a wild week for news. Through all the bombardment of stories I picked a few that stuck out and I walked away with a new knowledge nugget. That’s the approach I take every day, no matter your profession, strive to learn one new thing a day. No matter how big or small, new knowledge is good knowledge. You never know when that one small item will be pulled out to help you in a future endeavor, when that client will ask the random question, or when project will introduce a new direction. Maybe that one piece could trigger a solution, or it could just improve your chances on Jeopardy.
Since this week was primarily focused on the United States’ elections it was difficult to stay focused on the Information Security industry, but I did and here are some of the things I learned this week.
Week ending 11/4/16
Yahoo May Have Known More About Their Breach Than What They Claimed
This year it was announced that Yahoo experienced a breach of 500 million accounts. In July 2016 a hacker claimed to have carried out the hack and Yahoo responded as if it was surprised and was researching the claim. In a recent SEC filing Yahoo states that employees knew of the hack back in 2014. Years before they addressed it publicly. What’s more troubling for Yahoo is during this time they were trying to arrange a sale to save the company, Verizon made and offer and Marissa Meyer (CEO) and the company said in a September SEC filing they were not aware of any breaches or IT problems. In reality the CEO knew about the breach in July 2016. Whoopise. Verizon is asking for a $1 BILLION discount on the sale.
When you look at this situation it goes to show the industry that breaches, discovery and reporting them publicly are fully in the control of those behind the scenes at the company. Yahoo sat on this for years, maybe trying to CYA, sweep it under the rug, ignore it and hope any potential buyers won’t find out about it. This Yahoo situation just shows us that the breaches that we know about are only the ones where the companies got caught or outed. How many have had breaches and kept quiet?
Source – https://techcrunch.com/2016/11/10/yahoo-admits-employees-discovered-hack-in-2014/?ncid=rss
The Internet Of Things Is A Malware Disaster Waiting To Happen
I have been critical of the Internet of Things explosion as of late. The rush to be first with the latest gadget and capitalize the market is sacrificing proper design and security considerations and I feel it’s going to be a disaster. There has already been an exploit of IOT devices to use them collaboratively in an attack mode. Unless something changes or forces changes there will be more like it. A research team released a POC study where they described taking over Internet enabled ‘Smart’ light bulbs. The study used a city infrastructure as the example and showed how light bulbs could be used to propagate malware and in turn be used maliciously. Light bulbs…
Just because you can make something talk over the Internet doesn’t mean you should. Not without far more stringent security protections built into them.
Until Recently It Was Illegal To Access Software In Devices You Owned
Staying on the Internet of Things topic, there has been a new ruling that now allows owners to access controlling systems on devices they own, even their cars. Techie gurus, DIY hobbyists, and security researchers would risk being sued by the manufacturers for accessing the software. Even for discovering security flaws. The manufacturers would pull out the Digital Millennium Copyright Act as their card to stop this. That prevented people from repairing known software flaws, altering the functionality of devices or announcing security flaws. That has now been lifted and for security researches this is a very positive development especially since the efforts put into security of IOT and software driven products is very mediocre.
Source – https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/
Facebook Buys Hacked Passwords From The Black Markets
Under the explanation of keep their users safe, Facebook said they buy hacked passwords on the Black Market. The idea is they then run comparisons to the encrypted passwords stored in Facebook and contacts users if their passwords are not secure enough. I suppose this is one proactive way to ensure stronger security across the site because history shows that is security is left to the users alone they will choose the easiest path. The easy path is generally the least secure. There is a difference between security and safety. You can build a secure site but the users can make themselves unsafe by taking certain actions, or not. I agree with Facebook that usernames and passwords are an antiquated security mechanism that needs an upgrade across the board.
I also find irony in this. Facebook my tout their security efforts but Facebook doesn’t care at all about your privacy. They are two different things. Remember, Facebook’s conception was to have no privacy, no groups, no cliques, no segregation and no secrets.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.