Yahoo Has Reportedly Been Spying on Hundreds of Millions of Its Mail Users*
- Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S.
- The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI.
- Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
- Yahoo CEO Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of chief information security officer Alex Stamos, who now holds the top security job at Facebook.
- The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team.
- U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies.
*Source: Fortune, October 04, 2016
Cyber Security is Just Too Much Trouble For The General Public*:
- The National Institute of Standards and Technology (NIST) suggests that the public is suffering from “security fatigue.”
- NIST proposes a three point plan to ease security fatigue and help users improve their behavior when it comes to online security: limit the number of security decisions users make, make it simple to choose the right security action, and design for consistent decision making.
- The goal should be to make doing the right thing the easy choice and doing the wrong thing much harder.
- Our increased interconnectivity might open us up to more opportunities for attack, but the technology we have alongside us can play a significant part in making things simpler and safer.
- Password management software can be used not just to remember your login passwords, but also your PINs and the answers to those impossible questions your bank sometimes asks about your mother’s French teacher’s maiden name.
- If we take the time to explain the benefits that secure practices bring, we can increase the chances that the public will embrace online safety.
*Source: Tripwire, October 06, 2016
Your personal data is only worth $3.20 and that’s a problem*:
- Hackers broke into the UK ISP TalkTalk and stole the personal information of over 157,000 people.
- Among the records stolen were bank details, including sort codes and account numbers.
- The UK’s Information Commissioner’s Office (ICO) fined TalkTalk a record £400,000 (slightly more than $500,000); this was the largest amount any company has been fined after losing customer data.
- TalkTalk is a company with revenues of £1.795 billion ($2.25 billion), and the fine boils down to £2.50 (or $3.20) for each person caught up in the leak.
- These 157,000 victims are now at a heightened risk of falling victim to financial crime or phishing attacks; they now have to indefinitely monitor their credit for any irregularities.
- Are the fines imposed following breaches like this actually a punishment or are they becoming just another cost of doing business?
*Source: The Next Web, October 05, 2016
Google’s AI plans are a privacy nightmare*:
- Google CEO Sundar Pichai thinks we are now living in an “artificial intelligence first world.”
- Artificial intelligence is all the rage in Silicon Valley these days, as technology companies race to build the first killer app that utilizes machine learning and image recognition.
- Google’s new assistant, which debuted in the company’s new messaging app Allo, works like this: Simply ask the assistant a question about the weather, nearby restaurants, or for directions, and it responds with detailed information right there in the chat interface.
- Google’s artificial intelligence will only become smarter, faster, and more accurate.
- In order for artificial intelligence to function, your messages have to be unencrypted.
- Google offers state-of-the-art encryption within its Allo messaging app, but if you turn it on, say goodbye to your fancy AI assistant.
- The security engineers at Google know, and cryptography experts agree, that automatic encryption is the best way to defend personal data and conversations from hackers and government surveillance.
- These new assistants are really cool, but at the end of the day we’re sacrificing the security and privacy of our data so that Google can develop what will eventually become a new revenue stream.
*Source: Gizmodo, October 04, 2016
Workers at fake Indian call centers posing as IRS officials*:
- Indian police have arrested 70 people in relation to an alleged call center scam in the city of Mumbai, accusing them of being part of a scheme that conned more than $100,000 a day from U.S. citizens.
- Some 200 officers raided the reportedly bogus call centers, after an anonymous tip about an international phone scam.
- According to an Indian newspaper, alleged scammers duped Americans into giving out their bank details by pretending to be IRS officers.
- They would tell their targets that there were irregularities in their tax payments and that they could face up to three months in prison.
*Source: Time, October 06, 2016
Insider threats to data have gone up in past year*:
- A survey on insider leaks by cloud security company Bitglass reveals that one in three organizations interviewed has experienced insider attacks, with 56% saying they have gone up in the past year.
- 60% believed that privileged users pose the greatest security risk.
- A shift to new technologies, like cloud and mobile, has hiked insider risks, says the report, leaving 74% feeling vulnerable.
- The positive news from the research is that 64% of the organizations can now detect breaches within a week versus 42% last year.
- While 57% believe insider threats can be reduced by employee training, 52% indicated identity management solutions could help.
*Source: Dark Reading, October 03, 2016
Extending network security to include shadow IT*:
- The increased use of personal digital devices and internet-based IT services in the workplace is causing headaches for security teams around the world.
- Dubbed ‘shadow IT’, it involves employees accessing corporate systems and data from their private phones or tablets, or making use of services such as Dropbox or Google Docs.
- For organizations, the trend is causing significant security problems.
- Shadow IT resources fly 'under the radar' of the IT department and so bypass the controls and measures put in place to secure the organization's IT infrastructure.
- It might be convenient for employees to share documents using Dropbox, but doing so means that data may no longer be protected.
- There is no way for the IT team to be sure that external platforms have sufficient security, and cyber criminals are routinely attacking third-party services.
- The shadow IT trend is not likely to disappear, so companies should find a way to track shadow IT services and create a culture of acceptance and protection.
*Source: CSO, October 05, 2016
Kaspersky releases decryption tool for Polyglot ransomware*:
- Kaspersky has released a decryption tool for the Polyglot ransomware to assist victims in recovering their files without giving in and paying a fee.
- The cybersecurity firm launched the free tool, which is suitable for the Polyglot Trojan which is also known as MarsJoke, a strain which has been linked to attacks on government targets.
- Ransomware is a particularly nasty kind of malware which has hit the headlines over the past year after targeting victims including businesses, hospitals, and universities.
- Once the victim can no longer access their machine, a holding page informs them that they must pay a "fee" in return for a decryption key which will release their content back to them.
- Many types of ransomware will sit on the machine waiting for payment to be made, but Polyglot insists on a payment deadline and will delete itself if payment is not made – leaving behind a machine with encrypted files and no way to retrieve them.
- Kaspersky’s tool will decrypt the machines and unlock user data.
- If you are suffering from a different type of ransomware, check out the No More Ransom project to see which decryption tools are available.
*Source: ZDNet, October 04, 2016
FBI arrests NSA contractor for alleged code theft*:
- A National Security Agency contractor was recently arrested by the FBI.
- Investigators are currently investigating the possible theft and disclosure of source code built to break into foreign government networks.
- The NSA contractor allegedly took classified code developed by the agency to access systems for nations including Russia, Iran, China, and North Korea, the report continues.
- Officials have reported some of the data he allegedly stole was dated.
- The Department of Justice announced the arrested suspect is Harold Thomas Martin III, and officials discovered US government documents containing classified information at his home.
- More than a month after his arrest, authorities cannot say with certainty whether Mr. Martin leaked the information or simply downloaded it.
*Source: The New York Times, October 05, 2016