Thursday, June 08, 2017

Hackable Toys and Richards with Attitudes

Comey hype continues as intelligence chiefs testify

First Amendment group threatens to sue President Trump unless he unblocks Twitter critics

Contractor charged in NSA document leak case (Washington Post). Her life is over. She admitted everything to the FBI. Does no one tell people 1. never, never talk to police without a lawyer present and 2. to take the Fifth Amendment? Or was this the world’s fastest plea deal?

Sen. Mark Warner, D-Va., Monday pressed the Federal Trade Commission on what the agency is doing to keep hackable children’s toys out of the marketplace. The letter follows a report from security researcher Troy Hunt about CloudPets, an internet-connected teddy bear that allows parents to send recorded messages to their children that left data from hundreds of thousands of users easily hackable online. Warner wants to know whether the commission has contacted CloudPets or its parent company Spiral Toys, according to the letter to acting FTC Chairwoman Maureen Ohlhausen.

Even with the Senate Intelligence Committee focused this week on its investigation of Russia's alleged meddling in last year's presidential election, the committee met behind closed doors today for a classified briefing from senior FBI and Homeland Security officials over another alleged threat emanating from Moscow: a major software company whose products are used widely across the United States. The visit from FBI and Homeland Security officials has long been planned. But congressional sources told ABC News that in recent days the agenda expanded to specifically include an update on U.S. intelligence about Kaspersky Lab, a Moscow-based firm that has become one of the world’s largest and most respected cybersecurity firms. Current and former U.S. officials worry that state-sponsored hackers could try to exploit Kaspersky Lab’s anti-virus software to steal and manipulate users’ files, read private emails or attack critical infrastructure in the U.S. And they point to Kaspersky Lab executives with previous ties to Russian intelligence and military agencies.

GCHQ has demanded that directors start taking charge of cyber security, warning that they are “devolving responsibility” for protecting businesses from hackers. Ciaran Martin, the head of the agency’s National Cyber Security Centre (NCSC), said it is unacceptable for boards to plead ignorance about the threat from cyber attacks. It comes after this month’s debilitating “WannaCry” ransomware outbreak, which caused chaos in the NHS and brought operations at factories and train stations to a halt. “Our business leaders need to stop saying that cyber security is too complicated – and stop devolving responsibility,” Mr Martin said at The Telegraph Cyber Security conference. “Boards must start to treat cyber threats with the same level of critical importance as they do financial or legal issues. It needs to be unthinkable that a board member would say that cyber issues are too complex for them to make judgements about.”

A utility company in Lansing is still transitioning back to stability after a cyberattack temporarily disabled the company’s internal network and required it to pay a $25,000 ransom. Dick Peffley, general manager for the Board of Water & Light, confirmed that 13 information technology employees as well as the emergency management director left after an April 2016 cyberattack that officials said didn’t compromise any customer or employee data. Todd Bertolozzi, one of the IT employees who left the company, said utility ratepayers should be concerned about BWL’s security because of the staffing losses. “Every time you lose somebody, especially in IT, there’s a little bit of chaos for three to six months — at least,” Bertolozzi said. “When 14 people resign from any department, something is going on that’s not normal.” Peffley said none of the employees who left were asked to resign, nor did they receive severance packages.

The Interior Department stopped a phishing attack by speeding up its plans to require two-factor authentication for email, the agency’s inspector general said. More than 1,500 Interior employees received an email with a link to what appeared to be the agency’s standard log-in page. Instead, it captured credentials of more than 100 employees and resulted in network access through at least eight different Gmail accounts in January 2016, according to the report released Wednesday. The agency’s Office of the Chief Information Officer fast-tracked implementing two-factor authentication for its Gmail system, completing it 11 days after the attack. “By implementing two-factor authentication, DOI ended the attack,” the report said.


Chipotle warned its customers on Friday that it suffered a breach between March 24 and April 18 on its sales system. Hackers stole troves of credit card information from customers, as well as the victims' names. “Customers that used a payment card at an affected location during its at-risk time frame should remain vigilant to the possibility of fraud," Chipotle said in a statement. The thieves infected Chipotle and Pizzeria Locales across the country in Colorado, Kansas, Missouri and Ohio. You can look up your local Chipotle here to see if it had been hacked and your local Pizzeria Locale here.

For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets. Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory.