Uber Hid Hack of 57 Million Users and Drivers

But hey, they paid the hackers to delete the data. (And if you can’t trust black-hat hackers…) Uber hid a hack that exposed data of 57 million users and drivers for more than a year.

The hackers stole names and driver’s license numbers of around 600,000 drivers in the U.S., as well as rider names, email addresses and mobile phone numbers.

More sensitive data pertaining to users of Uber (credit card data, etc.) was NOT hacked. Those 600,000 drivers should have been notified last year.

Last year? That’s right: the hack happened in October of 2016. But taking care of the drivers would have meant bad publicity, and Uber cares about nothing but Uber. They did can the chief of security who helped hide the breach.


Amazon Gets Internet of Things Wrong – Part 2

And you thought it was bad that Amazon Echo would let people hack into your home network. Amazon Key flaw could let a courier disable your Cloud Cam. So Amazon came up with a system to allow couriers to unlock your door and deliver packages inside the house. What could go wrong?

Now, researchers from Rhino Security Labs have shown that it’s possible, under rare circumstances, to hack the camera so that everything looks fine while someone takes all your stuff.

The attack would work like this. A courier unlocks your door with their Key app, drops off the package and closes the door behind them. Rather than re-locking it, they then run a program on a custom-built device or laptop that spoofs the home’s Wi-Fi router and knocks the Cloud Cam off the network.

With the camera off the network, the courier is no longer being monitored while they steal all your stuff.
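The design-time check this attack calls for, as an added example that is not part of the original post and not Amazon’s or Rhino Security Labs’ code: a hypothetical audit of one delivery session’s event stream. The event format, the thresholds and the two traces are all constructed for illustration. The point it shows is that “door unlocked” and “camera reachable” have to be evaluated together, and that a session which simply goes quiet (no more heartbeats, no re-lock) must be judged against the clock rather than against the last event that happened to arrive.

```python
"""Constructed example: auditing a keyed-entry delivery window.

Hypothetical checks a keyed-entry service could apply so that a courier who
unlocks the door and then knocks the camera offline cannot leave the session
looking "fine". Events and thresholds are made up for illustration.
"""
from dataclasses import dataclass

HEARTBEAT_MAX_GAP = 10.0   # seconds without a camera heartbeat that counts as "blind" (assumed)
RELOCK_DEADLINE = 120.0    # seconds the door may stay unlocked after a courier unlock (assumed)


@dataclass(frozen=True)
class Event:
    t: float      # seconds since the session started
    kind: str     # "unlock", "heartbeat" or "lock"


def audit_delivery(events, now):
    """Return a list of findings for one session (empty means it looked clean).

    While the door is unlocked:
      * the camera must heartbeat at least every HEARTBEAT_MAX_GAP seconds,
        counted from the unlock itself (a camera that is already off the
        network when the door opens is just as blind as one that drops later);
      * the door must be re-locked within RELOCK_DEADLINE seconds.
    `now` is the time of the audit, so a session that never re-locked is
    judged on the time elapsed since the unlock, not on the last event seen.
    """
    findings = []
    unlock_t = None
    lock_t = None
    last_seen = None

    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "unlock":
            unlock_t, lock_t, last_seen = ev.t, None, ev.t
        elif ev.kind == "heartbeat":
            if unlock_t is not None and lock_t is None:
                gap = ev.t - last_seen
                if gap > HEARTBEAT_MAX_GAP:
                    findings.append(f"camera silent for {gap:.0f}s while door unlocked")
            last_seen = ev.t
        elif ev.kind == "lock":
            if unlock_t is not None and lock_t is None:
                lock_t = ev.t
                if lock_t - unlock_t > RELOCK_DEADLINE:
                    findings.append(f"door unlocked for {lock_t - unlock_t:.0f}s before re-lock")
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    if unlock_t is not None and lock_t is None:
        # Session still open: measure the camera gap and the re-lock deadline
        # against `now`, because the attacker's whole point is that no further
        # events arrive once the camera is off the network.
        gap = now - last_seen
        if gap > HEARTBEAT_MAX_GAP:
            findings.append(f"camera silent for {gap:.0f}s while door unlocked")
        if now - unlock_t > RELOCK_DEADLINE:
            findings.append("door never re-locked")
    return findings


def delivery_ok(events, now):
    """True only when the audit produced no findings."""
    return not audit_delivery(events, now)


# Constructed traces; times are seconds from the start of the delivery.
CLEAN_DELIVERY = [
    Event(0, "unlock"),
    *(Event(t, "heartbeat") for t in range(5, 35, 5)),   # 5, 10, ..., 30
    Event(32, "lock"),
]

# The attack described in the article: the courier unlocks, the camera keeps
# reporting for a few seconds, then the router is spoofed and the camera goes
# quiet. No lock event ever arrives.
SPOOFED_ROUTER = [
    Event(0, "unlock"),
    Event(5, "heartbeat"),
    Event(10, "heartbeat"),
]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_DELIVERY), ("spoofed router", SPOOFED_ROUTER)):
        print(name, "->", audit_delivery(trace, now=200) or "no findings")
```

Audited at 200 seconds, the clean trace produces nothing, while the spoofed-router trace produces both a camera-silent finding and a never-re-locked finding; audited at 60 seconds it already trips the camera check even though the re-lock deadline has not passed. A real service would raise the alert the moment the heartbeat gap is exceeded rather than wait for an after-the-fact audit, but the rule is the same.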

Amazon is promising to “address the issue.” But really, this is the kind of thing that should have been done in INITIAL design. (Gee, you think we should consider all the ways that bad-actors might attack the system?) Idiots. (Part 1 is at this link.)

Schools Are a Repository of Data That is (mostly) Not Secure

Schools love to put stuff on the internet. Too bad they don’t love to make it secure. Security costs money, after all. Criminals make student data public in escalating demands for ransom.

Can someone explain to me why schools need to have students’ social security numbers? Apparently students aren’t at enough risk of identity theft from other sources, because the schools DO have their SSNs. And now, so do the hackers.

When it was evident that the person or group sending the messages was after a ransom in exchange for not releasing student social security numbers, phone numbers and addresses, law enforcement officials began trying to negotiate with the cyber criminals over their demands.

And the media are shocked – shocked! – to discover that security cameras can be hacked. And they were in this case in Montana.

After a rash of attacks across the country, the FBI is asking school districts to make cyber security a priority.

Good luck with that. Schools can’t seem to make reading and writing a priority.

We have got to stop giving critical information – like Social Security Numbers – to people who do not need it. Like schools, or doctors, or whoever. Your bank and your employer and your brokerage need your SSN. I’m old enough to remember when it was not to be used for identification. But maybe after the Equifax debacle, none of it matters anymore. See my previous post on this topic here.

If Amazon and Google Can’t Get IoT Right, It Is Doomed

And why do so many CORPORATE networks include an Amazon Echo? BlueBorne Vulnerability Also Affects 20Mil Amazon Echo and Google Home Devices

Armis says that 82% of the networks that use their security platform include an Echo. “Alexa, help me hack into the corporation!”

These things don’t get updated automatically? Maybe they do, maybe not. (Click through to see the details on Echo.)

Of course the easiest way to defeat BlueBorne is to turn off Bluetooth. BlueBorne needs no pairing and no user interaction, only a radio in range, so until a device is patched, turning the radio off is the only mitigation that actually works.

I know the dream of voice recognition and having smart everything sounds good, but the state of the art sucks right now.

Shipment of Guns Headed for Bass Pro Stolen

That’s right, an entire shipment of guns was stolen. (And it isn’t just one shipment.) Guns stolen from Springfield UPS facility were destined for Bass Pro, ATF says. (That is the Springfield, Missouri facility.)

The ATF is offering a reward. But I doubt there will be takers. Bass Pro is “Not commenting.”

UPS is also “not commenting.” But there is no video of the thieves in the UPS facility. So that says something.

The official reports are light on details, but Second City Cop is saying it is nearly 1000 guns. 600 pistols. A few hundred shotguns.

So how many laws will the Left want to pass to make my life difficult, when those 1000 guns (or whatever the number is) have nothing to do with law-abiding gun owners? And do you think anything will happen to UPS, or the folks who wouldn’t cough up the money for better security?

As for the ongoing nature of this problem, consider this story from CBS Chicago: Gun Thefts Continue At Chicago Railyards. (That is plural. “Thefts.”)


DHS Warns of Cyber Attack on Infrastructure

This has been talked about since forever. So if this is an actual public announcement that it is a problem, I’m guessing that attacks have probably already started. U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

Like it or not, hackers are coming for everything they can get at. And corporations – everything from energy to IoT – have been completely stupid about the way they handle security. As I’ve said before, it is easy to put things on the internet; it is hard to do it correctly. And so it is never done correctly, because executives never want to pay money for something they don’t understand. And they never understand why they should care about security. (Witness things like Equifax, or Target, or Home Depot, or The Office of Personnel Management or NHS, or any of the other hacks that have made the news.)

That’s not to say that employees of those organizations don’t need to wise up, too. (Phishing is still a thing in 2017? Really?)

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Just because you CAN put something on the internet, doesn’t mean you SHOULD put it on the public internet. (I think nuclear power should top that list!)

Dark Overlord Hacking Group Turns Attention to Schools

Because as mentioned, schools love to put sensitive data online, but can’t be bothered to secure it properly. Dark Overlord hacks schools across U.S., texts threats against kids

The hacking group responsible is the Dark Overlord, the group that leaked new Orange Is the New Black episodes because Netflix didn’t pay a ransom. The same group tried to sell millions of pilfered healthcare records and was responsible for other attacks such as on Gorilla Glue and an Indiana cancer service agency. Now, it is targeting schools and scaring the snot out of parents by sending personalized text messages threatening their kids.

Iowa, Montana, Texas, and Alabama have had schools that were targeted.

Why target schools? In part, it is because they have crappy security.

Schools had better get on it and batten down the security hatches because there is no excuse for their lax security.

If you don’t have the money for security, you shouldn’t be putting students’ data on the web. Probably shouldn’t do it in any case, but there you have it.