Monthly Archives: December 2016

Major Data Breach Deja Vu

Yahoo on Wednesday revealed that Net bandits stole data associated with 1 billion of its user accounts — one of the largest data breaches in Internet history.

The theft, which occurred in August 2013, is distinct from the theft disclosed earlier this fall, in which 500 million accounts were compromised, Yahoo CISO Bob Lord explained.

Stolen information may include names, email addresses, telephone numbers, dates of birth, passwords hashed with MD5 — and in some cases, encrypted or unencrypted security questions and answers, according to Lord.

An unauthorized third party accessed the code Yahoo uses to create cookies, he noted. Access to that code allowed attackers to compromise accounts with forged cookies.

In response to this latest discovery, Yahoo is taking steps to secure the accounts of affected users and invalidate forged cookies, said Lord, as well as to harden its systems against similar attacks.
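The breach described above turned on one detail: whoever holds the material the server uses to mint session cookies can mint cookies the server accepts, without ever touching a password. The block below is an added illustration written for this page, not Yahoo's code, of the defensive half of that story: cookies carry an HMAC over their contents under a keyed secret, verification rejects any edited cookie, and rotating (retiring) the signing key invalidates every cookie minted under it, which is what "invalidate forged cookies" means in practice. The `CookieSigner` class, its key ids and the secrets are all constructed for the example.

```python
import hmac
import hashlib

# Constructed for the example: a tiny keyed-cookie store with rotation.
# Cookie wire format (assumption): "<kid>|<user>|<expires_at>|<hex hmac>"
class CookieSigner:
    def __init__(self, keys, current_kid):
        self.keys = dict(keys)          # key id -> secret bytes
        self.current_kid = current_kid  # key used for newly minted cookies

    def _tag(self, kid, user, expires_at):
        msg = f"{kid}|{user}|{expires_at}".encode()
        return hmac.new(self.keys[kid], msg, hashlib.sha256).hexdigest()

    def mint(self, user, expires_at):
        kid = self.current_kid
        return f"{kid}|{user}|{expires_at}|{self._tag(kid, user, expires_at)}"

    def verify(self, cookie, now):
        """Return the user name if the cookie is authentic and unexpired, else None."""
        try:
            kid, user, exp, tag = cookie.split("|")
        except ValueError:
            return None                      # malformed
        if kid not in self.keys:
            return None                      # minted under a retired (or unknown) key
        expected = self._tag(kid, user, exp)
        if not hmac.compare_digest(expected, tag):
            return None                      # contents or tag were altered
        if int(exp) < now:
            return None                      # expired
        return user

    def rotate(self, new_kid, new_key, retire=()):
        """Add a new signing key and drop retired ones; cookies under retired keys stop verifying."""
        for kid in retire:
            self.keys.pop(kid, None)
        self.keys[new_kid] = new_key
        self.current_kid = new_kid


def demo():
    now = 1_700_000_000                      # constructed "current time" (epoch seconds)
    signer = CookieSigner({"k1": b"constructed-secret-1"}, "k1")

    cookie = signer.mint("alice", now + 3600)
    before = signer.verify(cookie, now)      # authentic cookie is accepted

    # Editing the user field without the key breaks the tag.
    tampered = signer.verify(cookie.replace("alice", "mallory"), now)

    # Expiry is enforced independently of the tag.
    expired = signer.verify(signer.mint("bob", now - 1), now)

    # Incident response: retire k1. Every cookie minted under k1, whether by the
    # server or by anyone who obtained k1, is now rejected; fresh logins get k2.
    signer.rotate("k2", b"constructed-secret-2", retire=["k1"])
    after_rotation = signer.verify(cookie, now)
    fresh = signer.verify(signer.mint("alice", now + 3600), now)

    return {
        "before": before,
        "tampered": tampered,
        "expired": expired,
        "after_rotation": after_rotation,
        "fresh": fresh,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the key id in the cookie: it lets a deployment keep an old key alive for a grace period during routine rotation, but drop it immediately when the key is suspected stolen, forcing every session minted under it to re-authenticate.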

More Data Nicked

This latest breach at Yahoo appears worse than the previous one not only because it is bigger, but also because more sensitive information was stolen.

“More information was released than just usernames and passwords,” explained Rami Essaid CEO of Distil Networks.

“The bad guys are getting a more holistic look at these users,” he told TechNewsWorld.

The weakly encrypted or plaintext security questions in particular could be problematic, because the answers to those questions don’t change from site to site.

“You can change your passwords, but you only have one mother’s maiden name and one birth date,” Essaid noted.

Verizon Deal

How this latest data breach could affect the US$4.8 billion sale of Yahoo to Verizon is unknown. However, after news of the first breach made headlines, Verizon sought to lop $1 billion from the original purchase price, according to reports.

As with the previous Yahoo data breach, Verizon’s official reaction to the latest theft was brusque.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” the company said in a statement provided to the E-Commerce Times by spokesperson Rich Young. “We will review the impact of this new development before reaching any final conclusions. We have no additional comment at this time.”

Companies buy other companies for any number of reasons — their customer lists, their technology or their talent, among other things — observed RedSeal CEO Ray Rothrock.

“If Verizon was buying Yahoo for its customers, this is a bad deal,” he told the E-Commerce Times.

Merger Downside

If Verizon expected to merge its customer databases with Yahoo’s, it might think twice about that now.

“It’s likely Verizon will avoid merging databases,” said Peter Martini, president of Iboss. “That will impact the value of the acquisition, since a good portion of that value was for Yahoo’s customer database.”

In addition, many Yahoo customers may avoid using the company’s services because of the breach.

“If they see a large exodus of customers, it will further impact the value of the company,” Martini told the E-Commerce Times.

Worse yet, Verizon doesn’t know if there is more bad news down the road, added Mark Graff, CEO of Tellagraff.

“They’ve had these breaches and have not been able to fix them,” he told the E-Commerce Times. “Why should we believe the intruders still aren’t there? Why should we think there’s not another shoe to drop?”

Stalking Customers is Need

The controversy over Uber staff using the company’s tech to track people’s movements was reignited this week when information in a pending lawsuit began circulating in the tech press.

Uber employees can pull customer data at will, alleged Ward Spangenberg, the company’s former forensic investigator, in a court declaration filed earlier this fall as part of his bid to prevent the firm from forcing his case into arbitration.

Uber staffers have been able to track high-profile politicians, celebrities and ex-significant others, Spangenberg said.

His original complaint, filed in the Superior Court of California in San Francisco, centers on his dismissal from the company.

Uber continues to allow broad access to users’ trip information, five security professionals formerly employed at the company told Reveal.

That has been going on, they said, in spite of Uber’s assertions two years ago that it had policies prohibiting such actions, following news that executives were taking advantage of its “God View” feature to track customers in real time without their permission.

Uber’s Side of the Story

“It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval,” maintained Uber spokesperson Sophie Schmidt.

“We have built entire systems to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs,” she told TechNewsWorld. “This could include multiple steps of approval — by managers and the legal team — to ensure there is a legitimate business case for providing access.”

Access is granted “to specific types of data based on an employee’s role,” Schmidt asserted. All data access is logged and routinely audited, and all potential violators are “quickly and thoroughly investigated.”

Uber employees must acknowledge and agree to the company’s data access policy, CIO John Flynn emphasized in a memo sent earlier this week.

Violators have been terminated, he reminded them.

“We want our security and privacy practices and technology to be world-class, and we’re moving quickly toward that goal,” Flynn said. It’s “the responsibility of each and every one of us to protect” customer and driver data.

However, Uber’s defense in the Spangenberg case relies mainly on procedural issues.

“It’s not logical for any company to proclaim that they are secure because they sent an email telling employees what to do,” remarked John Gunn, VP of communications at Vasco Data Security.

“In the real IT world you don’t need these types of emails, because you’ve implemented limitations on access to sensitive data [that] you monitor and enforce,” he told TechNewsWorld.

The Need for Privacy

The latest revelation follows news that Uber has tracked customers even after they left its vehicles.

Uber “needs to come clean on whether [the privacy violations] occurred … and needs to have full disclosure of how it uses customer data,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

Frost’s research “indicates that people take personal security very seriously,” he told TechNewsWorld.

On the other hand, “consumers are becoming less concerned about exposing details about their personal information,” noted Michael Patterson, CEO of Plixer.

“They don’t like the invasion, but they like the services and appear to be willing to compromise,” he told TechNewsWorld.

Still, high-profile Uber customers, including celebrities, could be at risk, suggested Csaba Krasznay, product manager at Balabit, pointing to Kim Kardashian’s robbery in Paris in October as an example.

“We can protect ourselves by not letting Uber and other apps use our smartphone’s GPS data,” Krasznay told TechNewsWorld. “It only takes one click.”

The Most Powerful Person in Tech

There are generally two paths for dealing with someone in power when disagreements arise. One is to confront, and the other is to understand and influence. What is interesting is that the most common path taken is the former, while the most successful is the latter. I think the reason is that the former path is both the natural path for disagreement and the most visible. Confrontation is always more newsworthy than influence.

When done right, exerting influence has the odd result of not conveying credit while actually making far more progress. This suggests that one of the ways to determine whether someone is doing something because they believe in the outcome vs. doing it for fame and status is whether they move to influence or to confront.

The vast majority of tech executives and politicians confronted Trump, which had little impact on him, while Peter Thiel moved to influence. As a result, he now may be the most powerful person in tech, even though that didn’t appear to be his goal.

I’ll share some thoughts about that this week and close with my last product of the week, which has to be Varonis. It is the one product that could have prevented virtually all of the high-profile breaches that crippled both Yahoo and Hillary Clinton’s campaign.

Confrontation and Backstabbing

One of the most common ways decisions are made in the tech industry is that the most outspoken and disagreeable person at the table wins, and the person who is better founded but isn’t as focused on the status of winning often loses. I call this the “biggest assh*le at the table method,” but there is a more technical term for this: argumentative theory. I’ve reviewed a lot of failed companies, and at the heart of most failures seems to be this process.

There is a second process that is equally common, in tech firms in particular, and it has a common name that I’ll paraphrase because I can’t use the actual name in mixed company. It is “kiss you screw you.” This occurs after everyone at the table agrees, and then a bunch go out and do everything they can to cause the idea to fail in order to screw the poor person who is trying to execute.

If you’ve ever wondered why a lot of good ideas fail, it is largely because some group of folks inside companies secretly move to cause them to fail. Personally, I think people should be fired for doing that, but they often are rewarded instead, which suggests there are a lot of managers on the wrong side of this practice.

I personally think the Obama administration was defined by both practices. The Republicans largely practiced the “biggest assh*le at the table” method and were obstructionist, while the Democrats seemed to agree but acted against the president behind the scenes, which is why efforts like Obamacare were such a train wreck.


Collaboration and Influence

Compare the way much of the tech industry supported Clinton vs. how Peter Thiel supported Trump. Clinton got money and vocal support, and Thiel provided technical advice and focus. He advised and kept tightly to tech topics like cybersecurity, which are critical to the well-being of the country. Clinton’s massive support from the industry largely consisted of money, because most thought she was an idiot. That was thanks largely to the email thing, but I’ve seen notes going back years, suggesting that was hardly a new perception.

The right path for Clinton’s supporters would have been to fix the “idiot” thing. Yet there is no evidence it was even attempted. Thiel, in contrast, worked to make Trump smarter, and the result was not only better execution in the final days of the campaign, but also last week’s tech meeting, which focused on making tech companies more profitable.

Contrast this with Eric Schmidt’s relationship with President Obama, which became an embarrassment for the president and didn’t seem to result in anything but an unusual protection against antitrust charges for Google. As a result, it’s arguable that tech actually appears weaker at the end of Obama’s term than it did at the beginning. If the current trend holds, that shouldn’t be the case with Trump, but that outcome will depend largely on Thiel’s relationship with Trump.

Thiel vs. Gawker

Peter Thiel spent $10M taking out Gawker, which scared a lot of folks because it silenced a voice in media. Personally, I thought Gawker was an abomination — largely because it focused on disclosing personal information about powerful people or celebrities, doing them harm for money.

Gawker had its roots in tech, and a tech service that monetizes hurting people tarnishes the entire industry and is counter to efforts that are working to eliminate bad behavior, like bullying, by making it appear like you can bully anyone. By the way, this doesn’t mean that I agree with some of the behavior that Gawker called out — I just don’t think it is in the tech industry’s best interest to validate the hostile use of personal information, given the critical need to protect everyone’s individual privacy.

I’m kind of surprised more tech CEOs haven’t backed Thiel’s efforts, largely because having a “secret mistress” is an extremely common perk of the job. My guess is that most believe they are careful and that their clandestine relationships won’t be reported. Sadly, many aren’t as good at keeping this stuff secret as they think. Had Gawker not been killed, many of those delusional executives likely would have had some explaining to do to their wives, kids, employees, stockholders and boards. Such things rarely go well, so Thiel did them one hell of a favor that most may never appreciate fully.