A Dunkin’ Donuts Hack, a Fake FedEx Site, and More Security News This Week
Credit to Author: Brian Barrett| Date: Sat, 01 Dec 2018 15:13:39 +0000
Marriott, you're bringing us down. On Friday, the hotel giant disclosed that up to 500 million Starwoods guests had their personal information stolen, including passport numbers for many. Here are some things you can do to protect yourself, but mostly let's hope companies start protecting themselves better to keep this from happening in the first place.
It was an eventful news on other fronts as well, particularly the Robert Mueller investigation. After a long quiet stretch, the special counsel reappeared with an accusation that rather than cooperating, Paul Manafort had lied repeatedly during questioning. Mueller has requested that they move directly to sentencing, and signaled an intention to lay out the case against Manafort in the process—which could wind up giving the best view yet into the entire web of alleged Russia connections to the Trump campaign.
Soon after, the special counsel revealed a major Michael Cohen plea deal. The president's former lawyer and "fixer"detailed the Trump Organization's interest in a Moscow development that lasted deep into the 2016 presidential campaign—a time when Trump repeatedly denied any involvement with Russia whatsoever. It marks yet another set of court documents in which Trump himself appears, albeit as "Individual 1," and indicates that Mueller is willing to go after people for lying to Congress, a crime that typically doesn't get prosecuted.
The Justice Department was busy elsewhere also, indicting two Iranian men in connection with the devastating SamSam ransomware attack that crippled the City of Atlanta and dozens of hospitals and other organizations. And deputy attorney general Rod Rosenstein repeated the call for encryption backdoors, offering no new evidence that it's not, you know, a technological impossibility to do so responsibly.
In similarly disappointing but unsurprising news, Russia continues to probe the US power grid, and gets a lot of out of it even without causing large-scale blackouts.
We strongly recommend that you turn off Siri on your lock screen. And that you take a moment to enjoy this very silly but also concerning printer-hacking escapade in support of YouTube star PewDiePie.
And there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
A moment of silence for our friends in New England. The venerable donut and coffee chain disclosed this week that its DD Perks system had been compromised, potentially exposing names, email addresses, DD perks account numbers, and DD perks QR codes. Dunkin' suspects it was a simple password reuse-based attack, where hackers took an existing database of exposed email address and password combinations and tried them at other institutions. The lesson here, as always, is to use a unique password on every account—try a password manager, friends!—and to watch your DD perks points like a hawk.
Motherboard reports this week that in an effort to catch a cybercriminal, the FBI in 2017 created a fake FedEx website as well as "rigged" Word documents, both designed to reveal the IP address of their targets. It's unclear whether either effort proved successful but they do indicate that the agency has become increasingly bold in its techniques to target online adversaries.
Popular startup Urban Massage apparently left its entire customer database exposed on the open web recently, which included names, email addresses, and phone numbers of clients. There's no indication that bad guys got their hands on any of it, but anyone could have found it and copied its contents, yet another in an infinitely long string of companies with lax database security.
The New York Times this week took a look at the fake call centers that plague the internet with pop-ups, many of which appear to originate in India. Over the last month or so, local authorities have raided over two dozen of these scam centers, making plenty of arrests in the process. That won't stop the scamming, but hopefully it puts a dent in an increasingly pervasive problem. In the meantime, don't call the number that appears on your computer screen, no matter how alarming the message accompanying it.
https://www.wired.com/category/security/feed/