Just under a month ago, Samsung announced that it was recalling/replacing all Galaxy Note 7 phablets shipped prior to early September due to exploding batteries. Roughly two weeks later, news broke that Yahoo more than likely allowed US government agencies full access to the entire breadth of all email accounts hosted by Yahoo, while the fading tech giant was still reeling from a reported data breach and the pending sale to Verizon. Unfortunately both companies are back in the news this week, and not for good reason. Samsung’s replacement Note 7s with the less explodey battery have – you guessed it – started exploding again, even putting a customer in the hospital. This incident and at least two other reports of flaming phones have prompted Samsung to halt production on the Note 7, and all major US carriers will no longer sell the device. Yahoo’s troubles continue as well: the now infamous email service has suspiciously dropped the forwarding function from its service, making it more difficult for people to move to another provider. When you combine this mysterious change with the lawsuit against Yahoo’s CEO Marissa Mayer, Yahoo is looking less like a technology leader and more like a troubled company struggling to survive.
What this means for you:
Companies of this size typically have enough resources to pick themselves up and shake off these types of events. Heck, breaches are so commonplace now that most of the time consumers just shrug and carry on. Despite various widespread problems with iPhones (Antenna-gate, Bend-gate, Touch Rot), Apple still manages to sell lots of units every year. While Samsung will undoubtedly take a huge reputation hit in the mobile market, the Korean megacorp itself is so broad that it’s hard to imagine the Note 7 sinking the entire company. If anything, the repeat failure just highlights the complex manufacturing chain that goes into producing our smartphones and will perhaps push Samsung and its competitors to look for safer, better battery solutions.
Yahoo is looking a lot less resilient than Samsung: it doesn’t have the broad product base to fall back on, and one might argue that its most valuable asset – the millions of people who still use Yahoo Mail – is in jeopardy at a time when the company can least afford it. Whether the disappearance of mail forwarding was ill-timed or carefully calculated, the long-term optics look worse than a smoking phablet. Last week’s news of Yahoo’s compromising relationship with US intelligence agencies should have been enough to encourage you to retire your Yahoo account, and their current strategy is not the Hail-Mary play they need to stay in the game.
The good ship Yahoo is still battling troubled waters on its journey to the safe harbor of a Verizon purchase. Reuters has just released a massive bombshell that may blockade, if not outright scuttle, the $4.8bln deal: two former employees of the beleaguered media company have alleged that Yahoo complied with a classified directive from a government agency to directly surveil the millions of email accounts hosted by Yahoo in 2015. According to the Reuters sources, the decision to open Yahoo Mail’s kimono was made behind closed doors, excluding Yahoo’s then Chief Information Security Officer, who apparently resigned because of this incident.
Whiskey Tango Foxtrot, Yahoo?
Normally, I don’t urge folks to get out the pitchforks and torches, but on reading this I actually used language not normally heard in polite company. Thus far the government agencies named are declining comment. If the allegation proves accurate, I’d say Yahoo violated its customers’ Fourth Amendment rights and thoroughly trod upon any trust it might have had left with its still substantial customer base. Coupled with the massive breach they experienced in 2014 and the debacle that was their conversion to a new email platform in 2013, it’s no wonder Yahoo has gone from an Internet powerhouse to a second-tier media company up for sale. If you are still using Yahoo as a primary email provider for work, you should stop doing so immediately, not only because of security issues that they can’t seem to get ahead of, but now because of serious breaches of privacy and trust.
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, it’s highly likely that very few contracts will be renewed, leaving the company’s future very uncertain.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry about from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
You’ve seen it in movies and television probably dozens of times: video surveillance systems being hacked into by both heroes and villains and being fooled into showing looped footage allowing said hero/villain to proceed undetected. This time around, life is imitating art as a security researcher demonstrated at the Black Hat security conference held this past weekend. In his presentation, dubbed “Exploiting Surveillance Cameras Like a Hollywood Hacker”, former NSA worker Craig Heffner demonstrated how he was able to research and exploit readily available internet-enabled video cameras commonly used for security surveillance in homes and businesses around the world. Given the well-honed skeptical nature of Black Hat attendees, Mr. Heffner provided a live demonstration wherein he focused a compromised camera on a bottle placed on stage. While the audience watched via the security console, Heffner hacked the camera to display a spoofed image of the bottle (the “Hollywood” part), and then proceeded to “steal” the bottle while the security camera continued to display an unmolested bottle.
What this means for you:
Unfortunately, Heffner was able to exploit cameras from many manufacturers primarily because the device firmware contained hard-wired passwords and other backdoor mechanisms. Thanks to the internet, Heffner was able to download copies of many camera firmware images and research the vulnerabilities without even owning the actual device. Heffner contends that he has yet to come across a model of internet security camera that he cannot hack, primarily because the manufacturers have been careless about removing the backdoors and weaknesses, and because the basic operating system varied in only minor ways from model to model. If you are actively using any of the cameras listed in Heffner’s presentation, you may want to consider disconnecting them from the network (which essentially defeats the “Internet-enabled” part), or disabling them completely until the manufacturers patch the obvious security weaknesses.
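The reason a firmware download is enough to find these weaknesses is that hard-wired credentials sit in the image as plain strings: password-file records with a hash (or nothing) in the password field, and configuration settings like `telnet_password=...`. The script below is an added example, not code from Heffner’s talk or from any camera vendor, showing the kind of check a buyer or administrator can run over a vendor’s firmware image before deploying a device: it pulls printable strings out of a blob the way the `strings` tool does, recognizes `/etc/passwd`-style records and password-looking `key=value` settings, and reports them with any secret value masked. The `SAMPLE_FIRMWARE` bytes are constructed for the example and do not come from any real product.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # category of indicator found
    account: str   # account name or setting key involved
    detail: str    # matched record, with any secret value masked


# Constructed sample firmware image: binary noise with embedded strings like
# those an unpacked root filesystem might contain. Not any real product's firmware.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"root:$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZ/:0:0:root:/root:/bin/sh\n"
    + b"\x00\x00"
    + b"service::0:0:service:/:/bin/sh\n"      # empty password field, uid 0
    + b"\x00" * 4
    + b"telnet_password=123456\x00"            # plaintext credential setting
    + b"DEFAULT_PWD=\"admin\"\x00"
    + b"GET /cgi-bin/status HTTP/1.1\x00"      # harmless string, must not match
    + b"\x00" * 8
)

# One /etc/passwd record: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_-]*):([^:]*):(\d+):(\d+):[^:]*:[^:]*:[^:]*$"
)
# A key=value setting whose key looks like a password field
CRED_SETTING = re.compile(
    r'^([A-Za-z0-9_.-]*(?:pass|pwd|passwd|password)[A-Za-z0-9_.-]*)\s*=\s*["\']?([^\s"\']+)',
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in run.findall(blob)]


def scan_firmware(blob: bytes) -> list[Finding]:
    """Report hard-coded credential indicators embedded in a firmware image."""
    findings: list[Finding] = []
    for s in extract_strings(blob):
        m = PASSWD_LINE.match(s)
        if m:
            name, pw_field, uid = m.group(1), m.group(2), int(m.group(3))
            if pw_field == "":
                # No password at all: anyone reaching a login prompt gets in.
                findings.append(Finding("empty-password-account", name, s))
            elif pw_field not in ("x", "*", "!"):
                # Hash stored in passwd itself rather than a shadow file: anyone
                # with the image can read it and attack it offline.
                findings.append(Finding("hardcoded-password-hash", name,
                                        f"{name}:<hash>:{uid}:..."))
            if uid == 0 and name != "root":
                findings.append(Finding("extra-uid0-account", name, s))
            continue
        m = CRED_SETTING.match(s)
        if m:
            key, value = m.group(1), m.group(2)
            # Mask the value; the report only needs to say that it is there.
            findings.append(Finding("plaintext-credential-setting", key,
                                    f"{key}=<{len(value)} chars>"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick go/no-go view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_firmware(SAMPLE_FIRMWARE)
    for f in results:
        print(f"{f.kind:30} {f.account:16} {f.detail}")
    print(summarize(results))
```

A real image would first be unpacked (squashfs, cramfs, jffs2 and friends) so that file contents are visible; run over the unpacked tree, the same checks give a device a quick pass/fail before it is ever put on the network, and they are exactly the items a vendor should be removing before shipping.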
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on whom, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more suits are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying that your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is call metadata (numbers, times, geographic locations) as opposed to them eavesdropping on your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verizon customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or another under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?