Inside | Real news, curated by real humans
Inside Security

Inside Security (Jul 9th, 2018)

Sending out breach notifications is a difficult process. Do you send out emails to every customer, even those that aren’t affected? Or just to the ones that are part of the breach? Your customers might get these emails in their spam folder or ignore them. Maybe it is better to send out postal letters. I have noted several breaches this week and show their different approaches, from Macy’s and ExxonMobil to Timehop. The latter was the most specific about what happened, why it happened, and what they are doing about the breach. Timehop also placed a banner notice on the top of its homepage to make sure as many people as possible saw it, so kudos to Timehop for its transparency.

-- David Strom, editor of Inside Security

1. Timehop, a social media aggregator, leaked 21M users’ email addresses and phone numbers. It was announced last week. The company said it was caused by cloud credentials that were compromised last December and only recently discovered. The company had a lot of timely information about the breach, notable for its transparency. – TIMEHOP BLOG

2. Twitter has suspended more than 70 million accounts since May, at a rate of more than a million a day, double the rate of suspensions from last fall. Twitter is finally addressing the automated bot disinformation campaigns that were in evidence during the 2016 presidential campaign. “Free expression doesn’t really mean much if people don’t feel safe,” according to one of its executives interviewed in this in-depth report. – WASHINGTON POST

3. This careful analysis shows how attackers can hide their malware using various clever techniques that leverage standard Windows OS utilities. These include renaming the utilities, reading their binary code from a data file, masquerading as a benign Microsoft executable file, spoofing digital signatures, and other methods. It is well worth reading for all defenders. – SPECTEROPS BLOG

4. Does this sound like déjà vu all over again? A popular fitness tracking app has inadvertently revealed the locations of military personnel. This time it is the Polar Flow app, which allows anyone to access users’ activities simply by changing the browser’s web address. The same thing happened earlier this year with the Strava app. Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, since many started or stopped their fitness tracking as soon as they left their house. And unlike Strava, a user’s entire exercise history is available. The map shown here has one route taken by a member of Britain’s MI6. -- ZDNET

5. A data breach in Wisconsin has been revealed by the county IT staff. It happened in January through a phishing attack on one staffer's email. The county government IT department learned of it in late April but only sent out notifications a few weeks ago. Protected health data was part of the leak. This was in Manitowoc County, which should be a familiar location to viewers of the TV series Making a Murderer.

6. A team of researchers has found a way to exploit a remote access feature of HP servers called Integrated Lights-Out. The feature is used extensively in data centers to monitor and control servers, with separate network connections that can be accessed remotely to install firmware and reboot the server. The vulnerability requires just a single cURL command-line request using a series of 29 letter "A" characters. It was patched last year, and if you are running v2.54 or later of the iLO software you are protected. – ACADEMIC PRE-PRINT (pdf)
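An added defender-side inventory check, not from the newsletter or the preprint: it classifies iLO controllers as patched or vulnerable against the v2.54 threshold cited above, and reports controllers whose version cannot be read as unknown rather than safe. It assumes iLO 4 answers an unauthenticated GET /xmldata?item=All with RIMP XML that carries the firmware version in <MP><FWRI>; the responses below are constructed and the host names are placeholders.

```python
"""Flag HPE iLO controllers whose firmware predates the 2.54 fix.

Assumption (not from the newsletter): iLO answers GET /xmldata?item=All with
RIMP XML whose <MP><FWRI> element holds the firmware version.
"""
import xml.etree.ElementTree as ET

PATCHED_VERSION = (2, 54)  # newsletter: v2.54 or later is protected

# Constructed sample responses keyed by placeholder management hostnames.
SAMPLE_XMLDATA = {
    "ilo-placeholder-1.example": "<RIMP><MP><PN>iLO 4</PN><FWRI>2.50</FWRI></MP></RIMP>",
    "ilo-placeholder-2.example": "<RIMP><MP><PN>iLO 4</PN><FWRI>2.61</FWRI></MP></RIMP>",
    "ilo-placeholder-3.example": "<RIMP><MP><PN>iLO 4</PN></MP></RIMP>",  # no FWRI
}


def parse_version(text):
    """Turn '2.54' into (2, 54); return None for anything unparseable."""
    try:
        major, minor = text.strip().split(".")[:2]
        return (int(major), int(minor))
    except (AttributeError, ValueError):
        return None


def firmware_version(xml_body):
    """Extract the FWRI value from an xmldata response, or None."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return None
    node = root.find("./MP/FWRI")
    return parse_version(node.text) if node is not None else None


def is_vulnerable(xml_body):
    """True if the version is below 2.54, False if patched, None if unknown."""
    version = firmware_version(xml_body)
    if version is None:
        return None  # unknown is reported separately, never as 'patched'
    return version < PATCHED_VERSION


def audit(responses):
    """Map each host to 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(body)] for host, body in responses.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_XMLDATA).items():
        print(f"{host}: {status}")
```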

7. Macy’s has discovered a data breach that exposed customer email addresses, credit and debit card numbers, birthdays and other data. The breach occurred between April and June and affected its online Macy’s and Bloomingdale’s storefronts. The data didn’t contain Social Security numbers or credit card PINs. Customers were emailed notification letters this week, which ironically could have been redirected to their spam folders. Those users’ online accounts have been blocked and will need a password reset. – DETROIT FREE PRESS

8. ExxonMobil’s Plenti rewards program members got postal letters notifying them about a new program for which they would need to re-register. However, the letter was confusing in a number of ways, including an ambiguous phone number that could be misinterpreted. Krebs is on the case. – KREBS ON SECURITY

9. Funding news roundup.

Sigma Ratings received a $2.4M seed round led by FinTech Collective. It has created a business integrity rating scheme and is based in NYC. Its CEO is Stuart Jones.

Trillium Secure received an $11M A round led by Jafco. It is based in Silicon Valley and has automotive cybersecurity solutions. Its CEO is David Uze.

PlainID received an $11M funding round led by Viola Ventures. It has an authorization and identity management platform and is based in Israel. Its CEO is Oren Ohayon Harel.

Veridium received a $16.5M B round led by Michael Spencer. It is based in the Boston area and has biometric authentication solutions. Its CEO is James Stickland.

ThetaRay received a $30M funding round led by Jerusalem Venture Partners. It is based in NYC and does machine learning and security analytics. Its CEO is Mark Gazit.

10. The post is missing a few other things, such as autoplay video files, a few other pop-up promotions, a notification about new privacy laws and cookies. -- REDDIT
