Inside Security (Jul 9th, 2018)

Sending out breach notifications is a difficult process. Do you send out emails to every customer, even those that aren’t affected? Or just to the ones that are part of the breach? Your customers might get these emails in their spam folder or ignore them. Maybe it is better to send out postal letters. I have noted several breaches this week and show their different approaches, from Macy’s and ExxonMobil to Timehop. The latter was the most specific about what happened, why it happened, and what they are doing about the breach. Timehop also placed a banner notice on the top of its homepage to make sure as many people as possible saw it, so kudos to Timehop for its transparency.

-- David Strom, editor of Inside Security

1. Timehop, a social media aggregator, leaked 21M users’ email addresses and phone numbers. It was announced last week. The company said the leak was caused by cloud credentials that were compromised last December and only recently discovered. The company published timely, detailed information about the breach and was notably transparent. – TIMEHOP BLOG

2. Twitter has suspended more than 70 million accounts since May, at a rate of more than a million a day, double the rate of suspensions from last fall. Twitter is finally addressing the automated bot disinformation campaigns that were in evidence during the 2016 presidential campaign. “Free expression doesn’t really mean much if people don’t feel safe,” according to one of its executives interviewed in this in-depth report. – WASHINGTON POST

3. This careful analysis shows how attackers hide their malware by abusing standard Windows OS utilities: renaming them, loading their binary code from a data file, masquerading as a benign Microsoft executable, spoofing digital signatures, and other methods. It is well worth reading for all defenders. – SPECTER OPS BLOG
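As an added illustration (not code from the SpecterOps post or from Inside Security), here is a small check over constructed process-creation events that catches the renaming trick described above: a copied utility keeps the OriginalFileName compiled into its version resource, which Sysmon-style Event ID 1 records, so a mismatch with the on-disk name is a cheap masquerading signal. The field names follow Sysmon conventions; the events themselves, the list of core binary names and the system directory prefixes are assumptions made for the example.

```python
"""Flag renamed or misplaced Windows system utilities in process-creation logs.
Added example: a copied certutil.exe keeps its compiled-in OriginalFileName,
which Sysmon-style Event ID 1 records, so a name mismatch is a useful signal."""
import ntpath
import re

# Constructed sample events in key="value" form (not real telemetry).
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\certutil.exe" OriginalFileName="CertUtil.exe" Signed="true"',
    'Image="C:\\Temp\\update.exe" OriginalFileName="CertUtil.exe" Signed="true"',
    'Image="C:\\Users\\bob\\svchost.exe" OriginalFileName="?" Signed="false"',
    'Image="C:\\Windows\\System32\\svchost.exe" OriginalFileName="svchost.exe" Signed="true"',
]
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed prefixes
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}  # assumed list


def parse_event(line):
    """Turn one key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_renamed_utility(event):
    """True when the on-disk file name differs from the OriginalFileName resource."""
    original = event.get("OriginalFileName", "")
    if original in ("", "?"):  # field absent or unreadable: cannot decide from this alone
        return False
    return ntpath.basename(event.get("Image", "")).lower() != original.lower()


def is_core_name_outside_system_dirs(event):
    """True for an unsigned binary using a core Windows name from a non-system path."""
    image = event.get("Image", "").lower()
    name = ntpath.basename(image)
    return (name in CORE_NAMES and not image.startswith(SYSTEM_DIRS)
            and event.get("Signed") != "true")


def find_suspicious(lines):
    """Return the Image paths that trip either check, preserving log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_renamed_utility(event) or is_core_name_outside_system_dirs(event):
            hits.append(event["Image"])
    return hits
```

On the constructed events, only the copied certutil and the unsigned svchost in a user directory are reported; an empty or unreadable OriginalFileName is deliberately not treated as a hit on its own.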

4. Does this sound like déjà vu all over again? A popular fitness tracking app has inadvertently revealed the locations of military personnel. This time, it is the Polar Flow app, which allows anyone to access users’ activities simply by changing the browser’s web address. This also happened earlier this year with the Strava app. Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived and whether they started or stopped their fitness tracking as soon as they left their house. And unlike Strava, a user’s entire exercise history is available. The map shown here has one route taken by a member of Britain’s MI6. – ZDNET
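An added example, not Polar’s code, of the object-level check whose absence is the issue above: a simulated activity endpoint that decides on every request whether the caller may see the record, rather than trusting that the identifier in the URL is hard to guess. The users, activities, follower lists and visibility levels are constructed sample data, and the 404-for-both behaviour is one defensive choice, not something the report describes.

```python
"""Per-record authorization for a fitness-tracker style activity endpoint.
Added example (constructed data, not Polar's code): the activity id in the URL
is attacker-controlled input, so ownership and sharing settings are checked
before any route data is returned."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    activity_id: int
    owner: str
    visibility: str  # assumed levels: "private", "followers" or "public"
    route: tuple     # (lat, lon) points; constructed sample data


# Constructed stand-in for the application's database.
ACTIVITIES = {
    101: Activity(101, "alice", "private", ((51.50, -0.12), (51.51, -0.13))),
    102: Activity(102, "alice", "followers", ((51.52, -0.10),)),
    103: Activity(103, "bob", "public", ((48.85, 2.35),)),
}
FOLLOWERS = {"alice": {"carol"}, "bob": set()}  # owner -> set of followers


def can_view(requester, activity):
    """Owner always; otherwise the owner's sharing setting decides.
    requester is None for an anonymous (logged-out) visitor."""
    if requester is not None and requester == activity.owner:
        return True
    if activity.visibility == "public":
        return True
    if activity.visibility == "followers":
        return requester is not None and requester in FOLLOWERS.get(activity.owner, set())
    return False  # "private" and any unknown level fall through to deny


def handle_get(requester, activity_id):
    """Simulated GET /activities/<id>. Returns (status, body).
    Missing and forbidden both map to 404 so the id space cannot be
    enumerated by telling the two apart."""
    activity = ACTIVITIES.get(activity_id)
    if activity is None or not can_view(requester, activity):
        return 404, None
    return 200, {"id": activity.activity_id, "owner": activity.owner,
                 "route": list(activity.route)}
```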

5. A data breach in Manitowoc County, Wisconsin, has been revealed by county IT staff. It happened in January through a phishing attack on one staffer’s email. The county government IT department learned of it in late April but only sent out notifications a few weeks ago. Protected health data was part of the leak. Manitowoc County should be a familiar location to viewers of the TV series Making a Murderer.

6. A team of researchers has found a way to exploit a remote access feature of HP servers called Integrated Lights-Out (iLO). The feature is used extensively in data centers to monitor and control servers over a separate network connection, which can be accessed remotely to install firmware and reboot the server. The vulnerability requires just a single cURL command-line request containing a string of 29 "A" characters. It was patched last year, and if you are running v2.54 or later of the iLO software you are protected. – ACADEMIC PRE-PRINT (pdf)

7. Macy’s has discovered a data breach that exposed customer email addresses, credit and debit card numbers, birthdays and other data. The breach occurred between April and June through its online Macy’s and Bloomingdale’s storefronts. The data didn’t contain Social Security numbers or credit card PINs. Customers were emailed notification letters this week, which ironically could have been redirected to their spam folders. Those users’ online accounts have been blocked and will need a password reset. – DETROIT FREE PRESS

8. ExxonMobil’s Plenti rewards program members got postal letters notifying them about a new program for which they would need to re-register. However, the letter was confusing in a number of ways, including an ambiguous phone number that could be misinterpreted. Krebs is on the case. – KREBS ON SECURITY

9. Funding news roundup.

Sigma Ratings received a $2.4M seed round led by FinTech Collective. It has created a business integrity rating scheme and is based in NYC. Its CEO is Stuart Jones.

Trillium Secure received an $11M A round led by Jafco. It is based in Silicon Valley and has automotive cybersecurity solutions. Its CEO is David Uze.

PlainID received an $11M funding round led by Viola Ventures. It has an authorization and identity management platform, is based in Israel and its CEO is Oren Ohayon Harel.

Veridium received a $16.5M B round led by Michael Spencer. It is based in the Boston area and has biometric authentication solutions. Its CEO is James Stickland.

ThetaRay received a $30M funding round led by Jerusalem Venture Partners. It is based in NYC and does machine learning and security analytics. Its CEO is Mark Gazit.

10. The post is missing a few other things, such as autoplay video files, a few other pop-up promotions, a notification about new privacy laws and cookies. – REDDIT
