Category Archives: Security

Equifax Will Pay $575 Million as Part of Settlement With FTC



The Federal Trade Commission announced that Equifax Inc. has agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 states and territories, which alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.

As you may recall, Equifax discovered a data breach on July 29, 2017, but did not announce it until September of 2017. Hackers were able to access files that included personal information including dates of birth, Social Security numbers, addresses, and credit card numbers.

This is a nightmare scenario not only for a credit bureau, but also for all the people who trusted Equifax to keep their personal information safe and secure. The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database. That is the database which handles inquiries from consumers about their personal credit data.

The proposed settlement:

  • Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.
  • Equifax will add up to $125 million to the fund if the initial payment is not enough.
  • Beginning in January of 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years – in addition to the one free annual credit report that all credit bureaus offer.
  • Equifax will pay $174 million to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million to CFPB in penalties.
  • The settlement also requires Equifax to obtain third-party assessments of its information security program every two years.

MJR Digital Cinemas has upgraded, but what’s wrong with this picture?



Despite the ever-increasing tab at the box office, we all, or most of us, enjoy seeing an occasional movie on the big screen. There are just some flicks that lend themselves to the immersive experience.

The good news is theaters around the country have been upgrading recently – improved seating and digital systems along with a wider selection of (overpriced) goodies to choose from and dine on during your show. Some now even have bars.

One theater chain in Michigan, MJR, has been among those to upgrade; however, they apparently failed to consult any sort of IT professional, or at least one who knows anything about security. Take a look at the image below and see if any problems seem apparent.

At least they made the job easy for hackers. In fact, there’s no real job at all; it’s just handed over to them.


VLC patches multiple security flaws, two critical



There are many options out there for media playback; we’ve come a long way since Windows Media Player and QuickTime. Alternatives abound, and some of them are quite compelling.

Take the VideoLAN Client, better known to everyone as VLC, which is capable of playing almost any format a user can throw at it. Like any software, however, there are always bugs, and sometimes security holes that could allow bad things to happen to good people.

VLC is issuing a number of security fixes, 33 of them to be exact, designed to keep your system healthy. Two of these are considered critical, designed to patch an out-of-bounds write vulnerability and a stack buffer overflow bug.

According to Threatpost, “Details are scant on the two high-severity bugs and how they could be exploited. Impacted is VLC 3.0.7 and the EU-FOSSA release of the player, along with code tied to the upcoming 4.0 release of the player.”

The high number of patches comes on the heels of a new bug bounty program started by the European Commission on January 7, 2019.

The updates are being pushed out automatically, so users shouldn’t need to do anything except wait; in fact, you may already have them.


Facebook and Twitter Disabled a Disinformation Campaign with Ties to Iran



The Washington Post reported that both Facebook and Twitter said they had disabled a “sprawling disinformation campaign that appeared to originate in Iran”. It included two Twitter accounts that mimicked Republican congressional candidates and may have sought to push pro-Iranian political messages.

According to The Washington Post, a private security firm called FireEye “did not attribute the activity to either Iranian state leaders or malicious actors operating within the country.” However, some of the tweets supported the Iranian nuclear deal, which President Trump withdrew from a year ago.

Some of the disabled accounts appeared to target their propaganda at specific journalists, policymakers, dissidents and other influential U.S. figures online. Those tactics left experts fearful that it could mark a new escalation in social-media warfare, with malicious actors stealing real-world identities to spread disinformation beyond the web.

Facebook posted on its Facebook Newsroom that it had removed 51 Facebook accounts, 36 Pages, seven Groups, and three Instagram accounts involved in coordinated inauthentic behavior that originated in Iran.

Facebook said the individuals involved misled people about who they were and what they were doing. “They purported to be located in the US and Europe, used fake accounts to run Pages and Groups, and impersonated legitimate news organizations in the Middle East. The individuals behind this activity also represented themselves as journalists or other personas and tried to contact policymakers, reporters, academics, Iranian dissidents and other public figures.”

Yoel Roth, Head of Site Integrity at Twitter, posted a thread of tweets that began with: “Earlier this month, we removed more than 2,800 inauthentic accounts originating in Iran. These are the accounts that FireEye, a private security firm, reported on today. We were not provided with this report or its findings.”

In another tweet, he wrote: “These accounts employed a range of false personas to target conservatives about political social issues in Iran and globally. Some engaged directly through public replies with politicians, journalists, and others.”

People need to be smarter about how they consume content on Facebook and Twitter. Think before you click a link. Seek out the real news website instead. Don’t retweet or share something without first taking the time to verify that it isn’t “fake news”.


UK Government Consults on IoT Security



The UK Government’s Department for Digital, Culture, Media & Sport (aka Ministry of Fun) has announced plans to introduce new laws governing internet-connected devices, i.e. Internet of Things.

Given that there have been some high-profile instances involving connected toys and cameras, this is welcome news. In a perfect world, users would be educated in the basics of IT security, such as changing the default password, but sadly it’s a case of getting a gadget out of the box and set up as fast as possible.

The Government is consulting on a “Secure by Design” initiative which intends for basic cyber security features to be built into products and for consumers to get better information on how secure the devices are.

Much like food packaging or the energy ratings on white goods, the Government is proposing a mandatory labelling scheme that states the security level of the gadget. Only goods with the applicable “IoT” label could be legally sold in the UK.

The consultation proposes three essential requirements for internet-connected gadgets.

  1. Device passwords must be unique without any standard factory setting
  2. The minimum duration for which the device will receive security updates must be explicitly stated
  3. A public point of contact as part of a vulnerability disclosure policy must be given

Point 3 isn’t directly for consumers but rather for security researchers who will be able to directly contact organisations about security issues. All of these points will be a significant deterrent to the “cheap’n’cheerful” IoT gadgets that typically come in from China with zero support.

Overall, this is a very welcome consultation and I would encourage readers to review the proposals and give feedback on the options. This is very much about protecting ourselves and our families and reducing the risk of being hacked. For too long, manufacturers have got away with having little responsibility for their devices after they’ve been bought, and these ideas redress that balance.

If you want to know more on the consultation and comment on the proposals, it’s over here.

Photo by Dan LeFebvre on Unsplash.


23 Million People Use 123456 as a Password



Despite all the warnings, 23 million people worldwide use the password “123456”. This is according to the UK’s National Cyber Security Centre, which analysed the Have I Been Pwned data set to produce a list of the top 100,000 passwords.

It’s frankly embarrassing – here’s the top 10. Anyone who uses any of these should have their computer, tablet and phone taken away from them immediately.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Looking through the full list, there’s a reasonable selection of expletives, and for Brits, variations on “Liverpool” appear twenty eight times. For non-Brits, Liverpool is not only a city in the North of England but a premier league football (soccer) team. James Bond 007 is rich pickings too, with variations into the teens. No matter how smart or unique you think you are, there’s someone else who thinks the same.

The NCSC recommends using three random words for passwords, such as “tablehouseblue”, and not re-using passwords between accounts. It particularly suggests always having a different password for your email account.

Dr Ian Levy, NCSC Technical Director, said: “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

You can read the full UK Cyber Survey and there’s more analysis on the password list in this article.
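As an added illustration (not from the NCSC or the article), the snippet below shows how a sign-up form can screen new passwords against a list like this using the same k-anonymity exchange Have I Been Pwned uses: the client hashes the password, sends only the first five hex characters of the SHA-1, and matches the returned suffixes locally. The range index, its counts and the word list are constructed here for the example.

```python
import hashlib
import re
import secrets

TOP_PASSWORDS = ["123456", "123456789", "qwerty", "password", "111111",  # NCSC top 10
                 "12345678", "abc123", "1234567", "password1", "12345"]

def build_range_index(passwords):
    """Constructed stand-in for a Pwned-Passwords-style range index: maps a
    5-hex-char SHA-1 prefix to 'SUFFIX:COUNT' lines. Counts are made up."""
    index = {}
    for n, pw in enumerate(passwords):
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{(10 - n) * 1000}")
    return index

RANGE_INDEX = build_range_index(TOP_PASSWORDS)

def lookup_range(prefix):
    """Server side of the k-anonymity exchange: it receives only the 5-char
    prefix and returns every suffix under it, so it never sees the password."""
    return RANGE_INDEX.get(prefix, [])

def breach_count(password):
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in lookup_range(digest[:5]):
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def normalise(password):
    """Fold variants such as 'Password1!' back to the base word 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def check_password(password, min_len=12):
    """Return why a password is rejected, or 'ok'."""
    if breach_count(password) > 0:
        return "breached"
    if normalise(password) in TOP_PASSWORDS:
        return "variant of a common password"
    if len(password) < min_len:
        return "too short"
    return "ok"

# Constructed mini word list; a real deployment would use a large dictionary.
WORDLIST = ["table", "house", "blue", "river", "candle", "otter", "maple", "signal"]
def three_random_words(words=WORDLIST):
    """NCSC-style 'three random words', drawn with a CSPRNG."""
    return "".join(secrets.choice(words) for _ in range(3))
```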

Photo by Kristina Flour on Unsplash


Alphabet’s Chronicle Launched Backstory



Chronicle, a new Alphabet company, announced the launch of Backstory. It is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

Chronicle is focused entirely on enterprise cybersecurity. Their mission is: “Give Good the Advantage”. That mission is fueled by their ability to leverage significant resources to give security professionals an entirely new class of tools, perspectives, and abilities that aim to counter, and even leap ahead of, the capabilities of their antagonists.

Backstory compares your network activity against a continuous stream of threat intelligence signals, curated from a variety of sources, to detect potential threats instantly. It also continuously compares any new piece of information against your company’s historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats.

In short, Backstory is designed to be used by companies, not individuals. The purpose is to provide companies with data that they probably cannot get on their own so they can use it to detect breaches and to improve their security efforts.

Overall, I think Backstory sounds like a useful thing. In their Medium Post, Chronicle used the DNC hack as an example, and showed how easy it is to miss a data breach. In addition to noticing a breach, Backstory can give a company information about whether or not any of their computers communicated with that web domain.

It seems unlikely that nefarious entities will stop trying to access data and information that they have no right to steal. Hopefully, Backstory can make it harder for hackers to harm people.