A new beginning, a refresh, or has nostalgia finally caught up? We’re changing the name of this weekly update back to “Things I Hearted this Week”. Here are some of the popular and not-so-popular security and technology stories that caught our fancy for your reading pleasure.
“It’s the only and most fascinating read you need to keep up to date with your security needs.” – Someone I hired to say this from fiverr.com
The big one on the tip of everyone’s tongue this week has been Equifax.
There’s little value in repeating every interesting article that was published on this topic during the week. They range from Adrian Sanabria’s Savage Security blog telling us “Equifax breached, no eyebrows raised”, to Brian Krebs providing his characteristic in-depth review “The Equifax Breach: What you should know”, all the way to articles exposing the poor manner in which the company has decided to respond: “We tested Equifax's data breach checker — and it's basically useless”.
There have been many large breaches; what makes Equifax different is that the details stolen weren’t things like usernames or passwords that can be easily changed. Rather, it was users’ names, dates of birth, and social security numbers – which are almost impossible to change.
Then there’s the case that a lot of the impacted individuals weren’t even customers of Equifax. They merely had their data held by the credit bureau. So it’s unlike, say, the Yahoo breach, where users can simply shut down their account and take their business elsewhere.
All eyes will be on the regulators to see if they can get to the bottom of the mess, and levy appropriate penalties. Maybe it’s time for the US to crystallise data protection, much like GDPR is seeking to achieve across Europe.
Chatbot to sue Equifax
It turns out that if you want to sue Equifax, a chatbot lets you do so without involving a lawyer. Its creator, Joshua Browder, originally developed the chatbot to help people appeal against parking enforcement tickets. But now it’s looking to take on the big one and sue Equifax for its colossal breach.
- Chatbot lets you sue Equifax for up to $25,000 without a lawyer | The Verge
- Legal technology: the rise of the chatbots | Law Gazette
- Artificial intelligence developed its own non-human language | The Atlantic
Phishers targeting LinkedIn users via hijacked accounts
As users, we’re often aware of the dangers that could arise from a poorly secured bank account, but we don’t often give as much thought to other accounts we own, such as email or social media. While an individual may not find LinkedIn particularly interesting themselves beyond maintaining a professional presence, attackers look at such accounts differently and will leverage them to their advantage wherever possible. Therefore it is important that users take the right steps to protect all of their accounts and social media profiles as best as possible: using strong, unique passwords, enabling two-step or two-factor authentication where possible, and, where available, turning on notifications for logins from new devices.
It’s worth bearing in mind that not having a social media account is also not guaranteed to protect you, as Bruce Schneier recently discovered.
- Phishing targeting LinkedIn users via hijacked accounts | HelpNetSecurity
In the shadow of the new iPhone release, one can question why anyone would be willing to pay $1000 for a mobile phone.
The truth is that for many people around the world, the mobile phone has become the primary connected electronic device. Always on, always within arm’s reach, and being relied on for an ever-increasing number of functions. From phone calls, to messenger apps, to verifying identity, making payments, conducting banking, making videos, taking photographs, or even as a flashlight… the list goes on.
Apple recognises the demand and need, and bearing all that functionality in mind, $1000 doesn’t sound like such a bad investment.
Criminals have also seen this trend, and therefore malware like BankBot is becoming ever more popular. We see newer techniques being deployed in this latest variant, and they should raise concerns for app store operators like Google. While Google already does a good job of screening most malicious apps, the increasing sophistication of mobile malware could mean app stores need to increase the level of testing to dig deeper into app functionality. They also need to collaborate more closely with security researchers so that, as in this case, vulnerabilities and malicious app details can be shared quickly and the apps pulled from stores.
- BankBot malware: More apps sneak into Google Play store, UAE banks targeted | IBTimes
- BankBot Found on Google Play and Targets Ten New UAE Banking Apps | OTX
I was fortunate enough to be invited back onto the Smashing Security Podcast with Graham Cluley and Carole Theriault.
If you don’t follow the podcast, it’s immense fun; probably one of my favourite podcasts both as a listener and a participant.
In this episode we discussed Equifax, BlueBorne, the iPhone X, how to improve your chess game, why you may be allergic to exercise, and how to relieve a trapped nerve.
- Listen to the episode | Smashing Security ep 42
- Previous episode I was invited on | Smashing Security ep 29
Bitcoin has been spoken of repeatedly in the news, nearly always on the topic of price movements and where it may go next. For more technical readers, the price movements aren't always the most important point. You may have fundamental questions that remain unanswered by these news organizations. Questions like: "How many Bitcoins are there?", "What is the Bitcoin network?", and even "How can I participate?"
- Explain bitcoin to me | AlienVault
Maybe you share the opinion voiced by JP Morgan boss Jamie Dimon who said that Bitcoin is a fraud that will ultimately blow up and that it was only fit for use by drug dealers, murderers and people living in places such as North Korea.
Strong words indeed. I’m sure everyone remembers how Bitcoin caused a financial meltdown and needed to be bailed out by Governments using taxpayer money because it ‘blew up’.
- Bitcoin is a fraud that will blow up | The Guardian
- Should Jamie Dimon be terrified about Bitcoin? | Vanity Fair
- Bank of Finland researchers praise Bitcoin’s economic system as revolutionary | The Coin Telegraph
Cyber Security Duties of Corporate Directors
As corporate directors and officers, you are held to a higher standard of care than all other employees within your corporation. In the event of a cyber-attack, particularly a high-profile data breach, you go from being the victim of a crime to being the recipient of customer and shareholder scrutiny and becoming a target of litigation and regulatory fines. Essentially, you are being attacked by organized crime on one side and attacked by plaintiff lawyers on the other.
- Cyber Security Duties of Corporate Directors
Ten Years of iPhones Have Made Apple the World’s No. 1 Company
Apple was the world’s 70th largest company a decade ago. Then the iPhone launched.
- The Life, Death, and Legacy of iPhone Jailbreaking | Motherboard
- Face ID, Touch ID, No ID, PINs and pragmatic security | Troy Hunt
Facebook’s €1.2m fine
Facebook has been hit with a €1.2m fine in Spain after the country’s data watchdog found it had...
In all likelihood, you probably know what comes next in the sentence.
- Facebook hit with €1.2m fine in Spain for breaking privacy laws | The Telegraph
The clever researchers over at Armis have discovered a Bluetooth vulnerability affecting all major mobile, desktop, and IoT operating systems across Android, iOS, Windows, and Linux.
BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control of targeted devices. The attack does not require the targeted device to be paired with the attacker’s device, or even to be set to discoverable mode. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as man-in-the-middle attacks.