Comments on DSHR's Blog: Not Whether But When (comment feed, last updated 2024-03-28)

David. 2021-03-10T16:53:58-08:00

When I was writing this back in 2017 I should have noticed that 18 months earlier Bruce Schneier had written the definitive account of the problem in <a href="https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html" rel="nofollow"><i>Data Is a Toxic Asset, So Why Not Throw It Out?</i></a>:

"because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever. Figuring out what isn’t worth saving is hard. And because someday the companies might figure out how to turn the data into money, until recently there was absolutely no downside to saving everything. That changed this past year.

What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous."

David. 2019-10-22T07:18:41-07:00

Ethan Wolff-Mann's <a href="https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html" rel="nofollow"><i>Equifax used 'admin' as username and password for sensitive data: lawsuit</i></a> starts:

"Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.

The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.

“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.

The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website."

David. 2019-07-20T09:36:04-07:00

In <a href="https://boingboing.net/2019/07/20/america-doxed-2.html" rel="nofollow"><i>Equifax settles with FTC, CFPB, states, and consumer class actions for $700m</i></a> Cory Doctorow reports that:

"Equifax's market cap stands today at $16.6B, and it posted $3.412B in earnings in 2018, up 1.48% increase from 2017.

The company has settled virtually all the civil liability from its breach for $700m. The victims of the breach have effectively unlimited, permanent liability from this breach and will face identity theft, fraud and stalking risks for the rest of their lives -- and after they die, their estates will also be under threat from the breach.

The settlement covers federal liability from the FTC and CFPB, class action suits, and most state attorneys general actions."

No biggie - 20% of 2018 earnings.

David. 2019-06-11T10:41:48-07:00

Sidney Fussell's <a href="https://www.theatlantic.com/technology/archive/2019/06/travelers-images-stolen-attack-cbp/591403/" rel="nofollow"><i>This Is Exactly What Privacy Experts Said Would Happen</i></a> recounts the inevitable leak of the Customs and Border Patrol's personal data:

"U.S. Customs and Border Protection announced yesterday afternoon that <a href="https://www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/?utm_term=.03e791550676" rel="nofollow">hackers had stolen an undisclosed</a> number of license-plate images and travelers’ ID photos from a subcontractor. Privacy and security activists have long argued that as law enforcement vacuums up more data without legal limits, the damage of a possible breach scales up. The lack of restrictions on data collection is why, for many experts, this hack feels like an inevitability.

According <a href="https://twitter.com/ericgeller/status/1138185315364069376?s=20" rel="nofollow">to an emailed statement to journalists from CBP</a>, an unnamed subcontractor transferred copies of license-plate images and travelers’ photos from federal servers to its own company network, without CBP’s authorization. Hackers then targeted and successfully breached the subcontractor’s network. CBP reports that its own servers were unharmed by any cyberattack."

And, as is usual with data breaches, it is likely to be <a href="https://www.theatlantic.com/technology/archive/2019/06/travelers-images-stolen-attack-cbp/591403/" rel="nofollow">worse than first revealed</a>:

"The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for <a href="https://www.cbp.gov/travel/biometrics" rel="nofollow">fingerprints, facial data</a>, and, recently, even <a href="https://www.dhs.gov/publication/dhscbppia-058-publicly-available-social-media-monitoring-and-situational-awareness" rel="nofollow">social-media</a> accounts. “If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data,” Loder told me."

David. 2019-05-25T08:00:26-07:00

Brian Krebs reports that <a href="https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/" rel="nofollow"><i>First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records</i></a>:

"The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.
...
KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents."

David. 2019-02-14T06:53:59-08:00

Kate Fazzini's <a href="https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html" rel="nofollow"><i>The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme</i></a> is interesting:

"CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.

But none of them knows where the data is now. It's never appeared on any hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.

But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies."

David. 2018-12-11T05:16:21-08:00

Olivia Beavers' <a href="https://thehill.com/policy/technology/420582-house-panel-issues-scathing-report-on-entirely-preventable-equifax-data" rel="nofollow"><i>House panel issues scathing report on 'entirely preventable' Equifax data breach</i></a> reports that:

"The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information."

The <a href="https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf" rel="nofollow">96-page report</a> was authored by Republicans but attacked by Democrats:

"two Democratic lawmakers also criticized the content of the report.

"The Republican staff report merely reiterated findings by media outlets and the Government Accountability Office about Equifax's cybersecurity vulnerabilities and the company's lack of preparedness to protect breach victims," they said in their statement. "In contrast, the Democratic staff report provides detailed legislative and oversight recommendations to better protect consumers from future cyberattacks."

Cummings and Johnson recommended "requiring federal financial regulatory agencies to report their efforts to protect consumers from cybertheft and identify areas Congress could enhance agencies' authorities to achieve that goal," guidelines for federal contractors to comply with established cybersecurity standards, a comprehensive notification law that dictates how victims of a victim breach must be notified and an amended Federal Trade Commission Act to "strengthen civil penalties for private sector violations of consumer data security requirements."

David. 2018-12-11T05:09:37-08:00

This comment has been removed by the author.

David. 2018-06-29T05:58:33-07:00

<a href="https://www.cnet.com/news/exactis-340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/" rel="nofollow"><i>Exactis said to have exposed 340 million records, more than Equifax breach</i></a> by Abrar Al-Heeti reports:

"Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million individual records on a publicly accessible server, <a href="https://www.wired.com/story/exactis-database-leak-340-million-records/" rel="nofollow">Wired</a> reported. Earlier this month, security researcher Vinny Troia found that nearly 2 terabytes of data was exposed, which seems to include personal information on hundreds of millions of US adults and millions of businesses, the report said.

"It seems like this is a database with pretty much every US citizen in it," Troia told Wired."

David. 2018-05-09T09:19:55-07:00

Brian Krebs has discovered that <a href="https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/" rel="nofollow">Equifax operates a second, stealth credit reporting agency called NCTUE</a>. The story is long and pretty amazing, but <a href="https://boingboing.net/2018/05/09/centralized-credit-check-syste.html" rel="nofollow">Cory Doctorow's summary</a> is on point:

"Equifax operates a secondary, noncompliant credit bureau called National Consumer Telecommunications and Utilities Exchange (NCTUE), on behalf of a secretive cartel of owners led by AT&T, but also including mysterious organizations like "Centralized Credit Check Systems."

Freezing your credit report has no effect on NCTUE; what's more, NCTUE operates in a careless and incompetent fashion, with invalid SSL certificates and other glaring errors. NCTUE has a separate system for freezing your credit report there, but it doesn't work -- filling in the form and submitting it just returns obscure errors. You may be able to freeze your report by calling NCTUE, but they might charge you a separate fee, and there's no guarantee you'll get through."

David. 2018-05-08T07:55:00-07:00

"As well as the ... 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too."

Richard Chirgwin at <i>The Register</i> has the <a href="https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/" rel="nofollow">latest numbers on the Equifax breach.</a>

David. 2018-03-01T19:33:41-08:00

Breaches are always worse than the victims say - <a href="https://www.nbcnews.com/business/business-news/equifax-identifies-additional-2-4-million-customers-hit-data-breach-n852226" rel="nofollow"><i>Equifax identifies additional 2.4 million customers hit by data breach</i></a> reports Reuters.

David. 2018-02-09T19:15:49-08:00

"A leaked set of disclosures made by Equifax to the US Senate have revealed that the breach of 145.5 million Americans' sensitive financial data was even worse than suspected to date: in addition to data like full legal names, dates of birth, Social Security Numbers, and home addresses, it appears that Equifax also breached drivers' license numbers and issue-dates." writes <a href="https://boingboing.net/2018/02/09/database-nation.html" rel="nofollow">Cory Doctorow</a>. Equifax explains why they didn't reveal this initially:

"the original list of vulnerable personal information was never intended to represent the full list of potentiality exposed information."

So maybe they breached our bank account numbers and passwords too. Time may tell.

David. 2018-01-07T06:32:38-08:00

"Electrum has long been one of the most popular Bitcoin software wallets. It’s fast, simple and lightweight. It’s a “light” wallet, that doesn’t require you to download a 150 gigabyte blockchain before you can do anything.

It turns out to have been completely insecure since 2015 — any web page you go to could have stolen your coins." <a href="https://davidgerard.co.uk/blockchain/2018/01/07/be-your-own-bank-every-bitcoin-electrum-wallet-since-2015-is-insecure-update-now/" rel="nofollow">Tavis Ormandy found this</a>, and discovered that a bug report for it was months old:

"Bitcoin users responded to news of the security hole as you might expect, including accusing Ormandy of not understanding computer security"

<a href="https://davidgerard.co.uk/blockchain/2018/01/07/be-your-own-bank-every-bitcoin-electrum-wallet-since-2015-is-insecure-update-now/" rel="nofollow">David Gerard notes</a>:

"The more general problem is that cryptocurrency security is vastly harder than any normal user can be expected to achieve — because every mistake or theft is utterly irreversible, by design."

David. 2017-12-15T07:02:33-08:00

"Revelations from papers leaked by former NSA sysadmin Edward Snowden that the NSA paid RSA Security $10m to use <a href="https://www.theregister.co.uk/2013/09/23/rsa_crypto_warning/" rel="nofollow">the weak Dual_EC_DRBG technology</a> by default in its cryptographic toolset show that concerns about mathematical or by-design backdoors are far from theoretical." John Leyden at <i>The Register</i> reports on a <a href="http://www.theregister.co.uk/2017/12/15/crypto_mathematical_backdoors/" rel="nofollow">Black Hat presentation by Eric Filiol and Arnaud Bannier</a> who:

"presented BEA-1, a block cipher algorithm which is similar to the AES and which contains a mathematical backdoor enabling an operational and effective cryptanalysis. “Without the knowledge of our backdoor, BEA-1 has successfully passed all the statistical tests and cryptographic analyses that NIST and NSA officially consider for cryptographic validation,” the French crypto boffins explain."

David. 2017-12-13T14:31:28-08:00

"AT&T's DirecTV wireless kit has an embarrassing vulnerability in its firmware that can be trivially exploited by miscreants and malware to install hidden backdoors on the home network equipment, according to a security researcher. ... [Ricky] Lawshae homed in on the Linux-powered wireless bridge, and found it was running a web server. Incredibly, rather than hit a login form or similar, he found the builtin web server would cough up internal diagnostic information." <a href="http://www.theregister.co.uk/2017/12/13/att_directv_wireless_bridge_security_hole/" rel="nofollow">Iain Thomson</a> links to a <a href="https://youtu.be/3gUjBnNGLKM" rel="nofollow">video of Lawshae getting a root shell in less than 30s</a>. Even the "network experts" can't get the simplest things right.

David. 2017-12-13T07:07:54-08:00

"Researchers working on a technology to detect unannounced data breaches have found, to their dismay, that one per cent of the sites they monitored were hacked over the previous 18 months." <a href="http://www.theregister.co.uk/2017/12/13/one_per_cent_of_all_web_sites_probably_p0wned_each_year_say_boffins/" rel="nofollow">Richard Chirgwin at <i>The Register</i></a> reports on <a href="http://jacobsschool.ucsd.edu/news/news_releases/release.sfe?id=2396" rel="nofollow">research by Joe DeBlasio at UCSD</a>.

David. 2017-12-12T06:36:07-08:00

"A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ." <a href="http://www.theregister.co.uk/2017/12/12/archive_of_14_beeelion_credentials_in_clear_text_found_in_dark_web_archive/" rel="nofollow">reports Iain Thomson at <i>The Register</i></a>.

And the winner is:

"The top password is, depressingly, still 123456, followed by 123456789, qwerty, password and 111111,"

David. 2017-12-11T06:54:36-08:00

<a href="https://www.theregister.co.uk/2017/12/07/microsoft_emergency_update_malware_protection_engine_needs_erm_malware_protection/" rel="nofollow">Not to mention that, ironically</a>, last Thursday:

"Microsoft has posted an out-of-band security update to address a remote code execution flaw in its Malware Protection Engine."

David. 2017-12-11T06:48:18-08:00

"Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle." reports <a href="http://www.theregister.co.uk/2017/12/11/dynamics_365_sandbox_leaked_tls_certificates/" rel="nofollow">Richard Chirgwin at <i>The Register</i></a>.

David. 2017-12-09T13:41:04-08:00

Today's headline vulnerabilities include a <a href="https://9to5mac.com/2017/12/07/homekit-vulnerability/" rel="nofollow">zero-day in Apple's HomeKit</a> that can compromise your "smart" door-lock, and a <a href="https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/" rel="nofollow">"fileless" vulnerability in all versions of Windows</a> that uses NTFS transactions to load malware then rolls back the transaction to make the malware invisible to anti-virus software:

"The good news is that "there are a lot of technical challenges" in making Process Doppelgänging work, and attackers need to know "a lot of undocumented details on process creation."

The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

Process Doppelgänging now joins the list of new attack methods discovered in the past year that are hard to detect and mitigate for modern AVs, such as <a href="https://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions" rel="nofollow">Atom Bombing</a>, <a href="https://www.bleepingcomputer.com/news/security/new-ghosthook-attack-bypasses-windows-patchguard-protections/" rel="nofollow">GhostHook</a>, and <a href="https://www.bleepingcomputer.com/news/security/researcher-details-new-windows-code-injection-technique-named-propagate/" rel="nofollow">PROPagate</a>."

David. 2017-11-15T09:57:00-08:00

Hack o' the Day - <a href="http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/" rel="nofollow"><i>Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says</i></a>:

"A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate."

and:

"The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'” Hickey said."

and the vulnerabilities aren't going to be fixed:

"Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s"

David. 2017-11-11T11:40:29-08:00

Cory Doctorow reports that <a href="https://boingboing.net/2017/11/11/this-is-fine-3.html" rel="nofollow">Richard Smith's replacement as Equifax CEO</a>:

"has told Congress that he's not really sure if the company has finally started encrypting the detailed, compromising, sensitive data they nonconsensually harvest from every person in the USA."

David. 2017-11-09T14:14:51-08:00

"Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week."

Hat tip to <a href="http://money.cnn.com/2017/11/09/technology/google-hackers-research/index.html" rel="nofollow">CNN</a>. The paper is <a href="https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46437.pdf" rel="nofollow">here</a>:

"7–25% of exposed passwords match a victim’s Google account ... We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s."

David. 2017-11-09T05:46:29-08:00

Bruce Schneier's must-read testimony to the House Energy & Commerce Committee on the Equifax breach is <a href="https://www.schneier.com/blog/archives/2017/11/me_on_the_equif.html" rel="nofollow">here</a>.
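The 2017-12-15 comment above mentions the Dual_EC_DRBG backdoor as proof that "mathematical or by-design backdoors are far from theoretical". The following is an added example, written for this page and not code from the blog, from The Register, or from the BEA-1 authors: a toy Dual_EC_DRBG over a small constructed curve (parameters, the point P, the trapdoor scalar d and the seed are all assumptions for the demo, and the output is not truncated as the real generator truncates it). Whoever chose Q as a multiple of P and kept d with P = d*Q can take one leaked output, lift it back to a curve point, multiply by d, and from then on predict every output the generator will produce. The generator looks statistically fine to anyone without d, which is exactly the property the Black Hat talk claims for BEA-1.

```python
"""
Toy Dual_EC_DRBG with a kleptographic backdoor (added example, not the real
NIST construction). The curve, P, Q, d and the seed are constructed here.
"""
import random
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p (assumed demo values).
# p is prime with p = 3 (mod 4), so sqrt(v) = v^((p+1)/4) when v is a square.
P_MOD, A, B = 100003, 5, 7
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with x-coordinate x; either sign of y works below."""
    v = (x ** 3 + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != v:
        raise ValueError("x is not the x-coordinate of a curve point")
    return (x, y)


def point_order(pt):
    """Order of pt by brute force; fine on a toy curve."""
    n, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        n += 1
    return n


def x_of(pt):
    if pt is INF:  # state == 0 mod n; vanishingly rare for this toy
        raise ValueError("state hit the point at infinity")
    return pt[0]


def make_params(rng):
    """Pick P of large order, set Q = k*P and keep d = k^-1 mod n, so P = d*Q.
    In the real standard P and Q were fixed constants; the question was whether
    anyone knew such a d."""
    for x in range(1, P_MOD):
        try:
            P = lift_x(x)
        except ValueError:
            continue
        if P[1] == 0:
            continue  # order-2 point
        n = point_order(P)
        if n > P_MOD // 64:  # skip tiny subgroups
            break
    while True:
        k = rng.randrange(2, n)
        if gcd(k, n) == 1:
            break
    Q = ec_mul(k, P)
    d = pow(k, -1, n)
    return P, Q, d, n


class DualEC:
    """s_{i+1} = x(s_i * P);  r_i = x(s_{i+1} * Q)   (no truncation in the toy)."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next(self):
        self.s = x_of(ec_mul(self.s, self.P))
        return x_of(ec_mul(self.s, self.Q))


def backdoor_predict(r_i, d, P, Q, count):
    """From one untruncated output r_i and the trapdoor d, recover the internal
    state and predict the next `count` outputs."""
    R = lift_x(r_i)            # R = +/- s_{i+1} * Q
    s = x_of(ec_mul(d, R))     # d*R = +/- s_{i+1} * P, so x(d*R) = s_{i+2}
    out = []
    for _ in range(count):
        out.append(x_of(ec_mul(s, Q)))  # r_{i+1} = x(s_{i+2} * Q), ...
        s = x_of(ec_mul(s, P))          # advance the recovered state
    return out


def demo(seed=1, count=3):
    """Returns (outputs the generator really produced, outputs the backdoor predicted)."""
    rng = random.Random(seed)           # constructed, deterministic demo inputs
    P, Q, d, n = make_params(rng)
    drbg = DualEC(rng.randrange(1, n), P, Q)
    observed = drbg.next()              # a single leaked output is enough
    actual = [drbg.next() for _ in range(count)]
    predicted = backdoor_predict(observed, d, P, Q, count)
    return actual, predicted


if __name__ == "__main__":
    actual, predicted = demo()
    print("generator :", actual)
    print("predicted :", predicted)
    print("backdoor works:", actual == predicted)
```

The only thing that distinguishes the backdoored generator from an honest one is the relationship between the two public constants; nothing in the output stream reveals it, which is why statistical test suites of the kind the BEA-1 quote mentions cannot catch this class of design.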