Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First thing is that the web site was based on WordPress.  While WordPress is a very popular site for individuals and small businesses; using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed;  only names, addresses, phones, emails,etc. were compromised.  This is likely due to security minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business and likely they are going to have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than Worpress. (Source: Variety )

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 in bogus wire transfers.  This represents 0.3 percent (about one third of one percent)  of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernadino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour.  Why that should have ever been open is not clear.  This will likely break some of the hacking software that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.   In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, an exploit that allows a process to infer the contents of floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux) and any Linux variant running version 4.9 of the Kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because, hackers think it is easy to do and the odds of getting caught is low.  This week it is Ethereum and they lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation.  Users leaving ports open on their client computers which allowed the attackers to steal the user’s wallets. (Source: The Hacker News)

by