The UpStream (Page 185)

Neiman Marcus Suffers Data Breach of 350,000 Credit Card Numbers

posted Sunday Feb 23, 2014 by Nicholas DiMeo

Every week a company is in the news for some sort of data breach or security exploit, where customer information, sometimes including credit card numbers, is stolen in the process. This week is no exception, as popular retailer Neiman Marcus' credit-card payment system was under attack for the better half of last year.

The hackers who accessed the database were able to get into the system more than 60,000 times over 8 months, digging through the files and installing software to steal credit card numbers. In a 157-page report on the matter, the analysis concludes that on some days, hundreds of alerts were set off while the hackers were in the system. Each day, the software they had installed to steal the numbers was deleted, forcing the group to reinstall the package every night. While the crew was in the network for 8 months, card data was stolen from July to October.

The report also says that this attack does not appear to be affiliated with the Target breach that led to the theft of over 40 million credit card numbers.

The code style and the modus operandi look totally different. The attackers were using a specific code for a specific network, and the way they were writing their code doesn't seem to be related to the way that the attackers on the Target breach were.

How did the rogue software go undetected for so long? A spokeswoman for Neiman Marcus says that the hackers gave their software a name that looked almost identical to the retailer's existing payment system. When its security team scanned through alerts and logs, they simply passed over the issues in the sea of data that they looked at. Reports of activity identified the software as "suspicious behavior" over 59,000 times, but Neiman Marcus' security system did not automatically quarantine or remove the malicious program.
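
The failure described above is one a log pipeline can check for directly: a process whose name is close to, but not the same as, a known-good binary, with the repeated alerts collapsed into one finding per host. The sketch below is an added example, not code from the report or from Neiman Marcus; the allow-listed names, host names and log format are all constructed assumptions.

```python
# Added example: flag process names that nearly match, but do not equal,
# an allow-listed binary name. All names and log lines are constructed.
from collections import Counter

ALLOWED = {"paymentsvc.exe", "posagent.exe"}  # hypothetical legitimate names

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(name: str, allowed=ALLOWED, max_dist: int = 2):
    """Return the allow-listed name this one imitates, or None."""
    name = name.lower()
    if name in allowed:
        return None  # exact match is the real binary name
    for good in allowed:
        if edit_distance(name, good) <= max_dist:
            return good
    return None

def summarize(log_lines):
    """Collapse per-event alerts into one finding per (host, process, target)."""
    findings = Counter()
    for line in log_lines:
        # constructed format: "<date> <host> <severity> <process>"
        _date, host, _severity, process = line.split()
        target = lookalike_of(process)
        if target:
            findings[(host, process.lower(), target)] += 1
    return findings

SAMPLE_LOG = [  # constructed sample, not real data
    "2013-07-15 pos-017 info paymentsvc.exe",
    "2013-07-15 pos-017 suspicious paymentsvc1.exe",
    "2013-07-16 pos-017 suspicious paymentsvc1.exe",
    "2013-07-16 pos-022 suspicious paymentsvs.exe",
    "2013-07-16 pos-022 info updater.exe",
]

if __name__ == "__main__":
    for (host, proc, target), n in summarize(SAMPLE_LOG).items():
        print(f"{host}: {proc} imitates {target} ({n} events)")
```

Grouping by host and name turns thousands of identical "suspicious behavior" rows into a handful of findings that a reviewer can read in full.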

Ginger Reeder, the spokeswoman for Neiman Marcus, said,

These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.

It was estimated that 1.1 million cards were compromised in the attack; however, after further investigation, Neiman Marcus is reporting that only 350,000 credit cards were taken from the clothier. 9,200 have been used since the breach.

In the past year we've had over a dozen infamous security and data breaches across retail, gaming and other spaces, so it definitely raises a cause for concern over your information and how it's being safely secured. What should retailers do differently to ensure this doesn't happen? What are you doing to protect yourself? We want to know in the comments below.

Wurm Online Offers $13,000 Bounty for DDoS Conviction

posted Saturday Feb 22, 2014 by Scott Ertz

On Tuesday, MMORPG Wurm Online suffered an attack, causing their servers to fail completely. The attack, a distributed denial-of-service attack, kept the service offline through Wednesday as the company moved their servers to a new host. The move was planned, but the timeline was changed in light of the attack and their previous host ending their relationship. A representative posted,

Shortly after today's update we were the target of a DDoS attack and our hosting provider had to pull us off the grid for now. Will be back as soon as possible but things are out of our hands since their other customers are affected. As we wrote in a previous news post we are planning on changing hosting anyways which should improve things for the future. We can offer 10,000 Euro for any tips or evidence leading to a conviction of the person responsible for this attack.

This bounty, which works out to just over $13,000, is a reaction to the incredible level of attacks lately. The amount of bandwidth that is being consumed during these attacks has gotten to a level that was impossible just a few years ago. CloudFlare, a company that helps defend against these attacks and is therefore a good source of information on the topic, said they recently defended against an attack of 400 gigabits per second. The attack was so powerful it was felt through parts of Europe.

Instead of merely defending against the attack, which they did not, Wurm Online is looking to dissuade future attacks by encouraging insiders or relatives to turn against the organizers in a way that leads to a conviction. If more DDoS victims responded in this way, perhaps we would see fewer of these high-profile attacks, either because of fear or a lack of leadership.

Do you think this plan has a chance of working? Let us know your thoughts in the comments.

Aereo Banned in Five More States

posted Saturday Feb 22, 2014 by Scott Ertz

Even with the impending Supreme Court case only 2 months away, the U.S. District Court in Utah has decreed that Aereo's Internet rebroadcasts are not legal within its jurisdiction. This ruling will shut down operations, at least temporarily, in Colorado and Utah and prevent further markets from opening in Oklahoma, New Mexico and Wyoming. These bans are in addition to New York, which has already decreed the practice illegal.

Judge Dale Kimball said, in regard to the ruling,

Based on the plain language of the 1976 Copyright Act and the clear intent of Congress, this court concludes that Aereo is engaging in copyright infringement of Plaintiffs' programs. Despite its attempt to design a device or process outside the scope of the 1976 Copyright Act, Aereo's device or process transmits Plaintiffs' copyrighted programs to the public.

This leaves Aereo with injunctions against them in 3 of their major markets: New York, Salt Lake City and Denver. Their bigger problem, however, is the dangerous precedent this sets heading into the Supreme Court case. The prosecution will be able to argue that judges in multiple parts of the country have ruled independently that this business model violates copyright law.

Now, this argument has not gone well in previous cases. For example, many states had agreed not to recognize same-sex marriages from other states where it is legal. The Supreme Court found that unified decisions do not indicate accuracy, so there is a good chance that this ruling will have no bearing on the outcome in April.

Vodafone Out, Verizon Wireless Wholly Owned by Verizon

posted Saturday Feb 22, 2014 by Scott Ertz

After being in a partnership for years, Verizon and Vodafone Group finally parted ways on their collaboration, Verizon Wireless. Vodafone, who owned 45 percent of the joint venture, sold it to Verizon proper for $130 billion in cash and stock. This leaves Verizon as the sole owner of Verizon Wireless: a goal they have had for a few years now with no help from Vodafone.

The transfer of power entirely to Verizon might well allow Verizon to offer more combined capabilities, such as bundling with landline, FiOS, etc. Last year, Verizon had mentioned the ability to offer "seamless and integrated services" following a complete ownership stake in VZW and had hoped for more financial flexibility, leading to more efficiencies in the company and, hopefully, more options for customers.

Vodafone, on the other hand, now has an influx of capital on its hands. Vodafone is known for investing in communications companies, such as VZW, and will probably use this newfound money to invest in new European companies. It is even possible they could invest in cable or landline companies, creating a scenario similar to the Verizon group they are leaving in the US.

The agreement to finally get out of the Verizon Wireless family might have to do with reports that AT&T has been in discussions to purchase Vodafone. AT&T representatives said last month that they had no intentions to enter into any agreement with Vodafone within the next 6 months, unless another bidder came forward. An AT&T-owned Vodafone would certainly never be allowed if Vodafone owned any of VZW.

Facebook Acquires WhatsApp for $16 Billion

posted Saturday Feb 22, 2014 by Scott Ertz

A week after Rakuten purchased Viber, Facebook, not to be outdone in the expanding messaging market, has agreed to purchase WhatsApp. For those who might not know what WhatsApp is, the simple answer is a mobile app that allows people to send unlimited international text messages for $1 per year.

There are, obviously, a few oddities about this purchase. First, it is always surprising to hear that people are using SMS internationally. Clearly, when having to pay for a service for SMS when services like KIK are free, there must be something going on. In this case, it has a lot to do with device integration and service stability abroad. SMS is built-in on the phone, whereas KIK is not.

However, Facebook messenger is integrated into many devices and looks just like a standard text message. This purchase might be a way to allow Facebook to live on both sides of the integrated messaging system for phones worldwide.

The other major oddity is the massive price tag. When Facebook skirted regulations a little to purchase Instagram during their IPO quiet period, the price tag was $1 billion. That number seemed inflated, but since everyone seemed to be using the service, plus Twitter was actively trying to purchase the company, it made sense. A large userbase, one that was being stolen almost directly from Facebook, plus their biggest competitor in talks for a buyout equals a bigger cost than its actual value.

So, with Instagram being overinflated at $1 billion, how did we get to $16 billion for a niche messaging app? Mark Zuckerberg, Facebook CEO, said,

WhatsApp is on a path to connect 1 billion people. The services that reach that milestone are all incredibly valuable. I've known Jan for a long time and I'm excited to partner with him and his team to make the world more open and connected.

Jan Koum, WhatsApp co-founder and CEO, said,

WhatsApp's extremely high user engagement and rapid growth are driven by the simple, powerful and instantaneous messaging capabilities we provide. We're excited and honored to partner with Mark and Facebook as we continue to bring our product to more people around the world.

So, lots of people means lots of value? I suppose, with Instagram being a free service and WhatsApp being a paid service, there will be a differing value on engagement. On average, tech startup multipliers fall in the 6-10x range, meaning that the value of the company is 6-10 times the annual revenue of the company. With nearly 1 billion users and the high end of the range, we can account for about $10 billion; so where did the other 6 come from?

First, Facebook is known for purchasing top development talent. While I have never used WhatsApp, I can assume there are people on the team that Zuckerberg wants on his team. That will increase the price some. In addition, there is a lot of interest in the messaging market, as we discussed last week. With uncertainty in the market and a large purchase last week, that will make the price spike as well.

So, is the $16 billion price reasonable or completely insane? Let us know your thoughts in the comments.

Passwords, Other Information Taken in Kickstarter Data Breach but Credit Cards Safe

posted Sunday Feb 16, 2014 by Nicholas DiMeo

When things are popular, they get hacked. Last Wednesday was no exception for the crowd-funding site Kickstarter, as the company officially announced on Saturday that it fell victim to a security breach where passwords and other user data were stolen from the site.

Thankfully no credit card information was taken, though email addresses, usernames, mailing addresses, phone numbers and encrypted passwords were snatched up during the breach.

In the blog post, Kickstarter said,

While no credit card data was accessed, some information about our customers was... Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

Obviously everyone should change their passwords here, and also change any other place where you use the same password or a slight variant. Kickstarter has offered solutions for those needing to securely store passwords and has encouraged users to select different passwords for each site they use. Those using Facebook to connect to Kickstarter need not worry, as the site reset all Facebook login credentials.

Additionally, Kickstarter recognized two users whose accounts were compromised and has reached out to them to secure their accounts.

Kickstarter ended its blog post by apologizing for what happened.

We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

Again, with data breaches and hacks becoming a more common occurrence, people everywhere should take these situations as lessons in online protection and make sure they do everything in their power to protect their accounts. Systems like two-step authorization or device recognition can go a long way to ensure your data is safe and changing up your passwords frequently is highly recommended.
