Tag Archives: Education

If Bill Gates really thinks ctrl-alt-del was a mistake, he should have fixed it himself


An IBM keyboard signed by ctrl-alt-del inventor, David Bradley (credit: Ross Grady)

Once again, Bill Gates has bemoaned the creation of the ctrl-alt-del shortcut. Talking at Bloomberg Global Business Forum, Gates reiterates that he wishes IBM had created a dedicated button for the feature. We’re republishing this piece from 2013, because we still think that Gates’ telling of the story is a little misleading; for IBM it was a feature, not a flaw, that ctrl-alt-del requires two hands, and if Microsoft really wanted a single button ctrl-alt-del for Windows NT, it was Microsoft, not IBM, with the market dominance to achieve that.

Speaking at Harvard earlier this month, Bill Gates was asked why you have to press ctrl-alt-del before you can enter your password and log in to Windows. After explaining the security rationale, Gates then said that it was a "mistake," and that it was due to IBM refusing to add a single button to take the place of the three finger salute.

It’s a nice story, but it doesn’t really add up.


http://ift.tt/2hlU4A0 Source: https://arstechnica.com

a-PATCH-e: Struts Vulnerabilities Run Rampant


by Steve Povolny

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched in March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. This vulnerability was first disclosed in March and was almost immediately followed by publicly available PoCs, weaponized exploits, and scanners produced by third parties.

Trend Micro has observed thousands of filter events for this vulnerability through our intrusion prevention solutions since March, and these exploitation and enumeration attempts are still being seen. It’s worth noting that these solutions can use these filters to provide a highly effective virtual patch for critical Apache Struts vulnerabilities until the actual software updates are deployed to secure the system.

We’ve observed the filter events against this vulnerability from a large number of countries, with the majority of events sourced from regions below:

Figure 1: Graphical representation of top source countries of attackers for CVE-2017-5638

Trend Micro has also actively blocked and thwarted attacks and enumeration attempts against organizations across various industries, including universities in the U.S., Europe and South America, healthcare, internet service, and telecommunications providers, automotive manufacturers, banks and other financial institutions.

Apache Struts Vulnerabilities are Actively Exploited
The following image is an example of an exploit attempting to leverage the vulnerability used to breach Equifax:

Figure 2: Screenshot of exploitation attempt against CVE-2017-5638

On July 11, we released a filter for the vulnerability techniques observed in another critical Apache Struts vulnerability (identified as CVE-2017-9791, patched in July via S2-048). Several weeks ago, a spate of Apache Struts vulnerabilities was published, including CVE-2017-12611 (patched September 9 via S2-053). We quickly located all public exploits for the vulnerability and tested them against our Digital Vaccine filters. Not only did the existing filters block every version of this exploit with no updates needed; digging deeper, we found they had already been blocking intrusion attempts for nearly two months. The diagrams below highlight the timeline of events we observed in relation to the exploit code’s availability.

Figure 3: Timeline of intrusion attempts we observed exploiting CVE-2017-5683 (click to enlarge)

Figure 4: Timeline of attack attempts we observed exploiting CVE-2017-12611, based on existing filter coverage released last July for CVE-2017-9791; note that the figure is based on 5% of total customer activity (click to enlarge)

The types of attacks we have observed have been a combination of targeted or non-targeted intrusion attempts as well as automated enumeration scans for fingerprinting vulnerable servers. Below is a screenshot of an enumeration attempt using the non-intrusive ECHO command, which can be used to inform the attacker if the targeted machine is vulnerable.

Figure 5: Code snippet (highlighted) showing the ECHO command
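The enumeration attempts described above abuse a request header that a Struts application should only ever see carrying a plain media type. The following is an added example, written for this post and not Trend Micro’s code or a reproduction of its Digital Vaccine filter logic: a small triage routine that flags Content-Type values which are either not a syntactically valid media type (RFC 7230 token grammar) or contain OGNL expression markers. The sample requests, the source addresses and the paths are constructed for the example; the marker list is an assumption of what such a check should look for, not a vendor signature.

```python
import re
from typing import Dict, List

# RFC 7230 "token" characters: what a well-formed media type and its parameter names may contain.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_PARAM_VALUE = rf'(?:{_TCHAR}+|"[^"]*")'          # token or quoted-string
_MEDIA_TYPE_RE = re.compile(
    rf'^{_TCHAR}+/{_TCHAR}+'                        # type/subtype
    rf'(?:\s*;\s*{_TCHAR}+={_PARAM_VALUE})*\s*$'    # zero or more ;name=value parameters
)

# Substrings that have no business in a media type but are characteristic of OGNL
# expressions: "%{...}", "${...}", "(#var=...", "#_..." and "@class@method" static calls.
# This list is an assumption for the example, not a complete signature set.
_OGNL_MARKERS = re.compile(r"%\{|\$\{|\(#|#_|@[\w.]+@")


def inspect_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value looks like an injection attempt ([] if clean).

    An absent header (empty string) is normal for GET requests and is not flagged.
    """
    if not value:
        return []
    reasons: List[str] = []
    if not _MEDIA_TYPE_RE.match(value):
        reasons.append("malformed media type")
    if _OGNL_MARKERS.search(value):
        reasons.append("OGNL expression markers")
    return reasons


def triage(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the Content-Type check over parsed requests and collect alerts (src, path, reasons)."""
    alerts: List[Dict[str, object]] = []
    for req in requests:
        reasons = inspect_content_type(req.get("content_type", ""))
        if reasons:
            alerts.append({"src": req["src"], "path": req["path"], "reasons": reasons})
    return alerts


# Constructed sample requests (not real traffic). The third carries an OGNL-style
# expression in Content-Type, the kind of probe an "echo" enumeration attempt relies on.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----abc123"},
    {"src": "203.0.113.11", "path": "/api/items", "content_type": "application/json"},
    {"src": "198.51.100.7", "path": "/index.action",
     "content_type": "%{(#probe='echo struts-check')}"},
    {"src": "203.0.113.12", "path": "/form.action",
     "content_type": 'text/plain; charset="utf-8"'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_REQUESTS):
        print(f"ALERT {alert['src']} {alert['path']}: {', '.join(alert['reasons'])}")
```

Run against the constructed sample, only the request from 198.51.100.7 is flagged, on both grounds. The grammar check is the more durable of the two because it does not depend on knowing a specific payload shape, which is why the two signals are reported separately: a header that fails the grammar but carries no known markers is still worth a look, and a log of such hits over time is what lets you see enumeration start before a public exploit appears, as the timelines above show.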

A Lesson on Patching
A vulnerable framework can cause significant damage regardless of the kind or type of flaw, and it can affect things beyond a company’s bottom line and reputation. At stake are also the privacy and security of personally identifiable data, which can have long-term, real-life repercussions when compromised—not to mention the risk to the integrity of the infrastructure from which the information changes hands.

The takeaway? A single, vulnerable machine on a network is sometimes all it takes to affect millions. Implement defense in depth. Apply more robust patch management policies, but strike a balance between your business needs and the importance of securing your assets and data. Some best practices include:

  • Patching your systems and servers as well as the applications that run on them
  • Deploying vulnerability-driven filters to provide a wider net of protection to the network, system or server
  • Considering virtual patching to address unidentified vulnerabilities or platforms for which patches aren’t directly available
  • Enforcing the principle of least privilege, avoiding or minimizing the use of third-party applications, and disabling unnecessary components to limit your attack surface
  • Proactively monitoring your network, i.e., employing firewalls as well as intrusion detection and prevention systems
  • Backing up your files and implementing defensive measures such as data categorization and network segmentation


Trend Micro Solutions
Trend Micro TippingPoint™ provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via Digital Vaccine™ filters. Trend Micro™ Deep Security™ and Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit Struts vulnerabilities even without an engine or pattern update.

Here are the links to the list of Trend Micro protections against these Apache Struts vulnerabilities: CVE-2017-5638, CVE-2017-9791, and CVE-2017-9805.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


http://ift.tt/2wJRlGj Source: http://ift.tt/1amucZ5

Experian Site Can Give Anyone Your Credit Freeze PIN


An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian's page for retrieving someone's credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.


The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017.


Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.

http://ift.tt/2ytbjHq Source: http://ift.tt/TKsn16

5 Unbelievably Simple Ways To Increase Your Twitter Exposure



Twitter is an amazing marketing, sales, and customer support tool. Its increasingly important role in helping campaigns go viral and political messages get spread is obvious proof of its power of influence.

In 2016, an insurance company called Esurance ran a Twitter-focused campaign during the Super Bowl. The campaign earned them over 160K tweets and literally millions of impressions!

Clearly, exposure is key to success on Twitter’s platform. Here are five unbelievably simple but highly effective ways to increase your exposure on Twitter.

1. Get the basics out of the way

When sharing content on Twitter, it’s vital to understand the fundamentals of how the platform works. A few small changes can dramatically boost your visibility.

Here’s what NOT to do:

  • Don’t overload your tweets with hashtags. You may think this helps and taps into trends, but it looks spammy, unprofessional and decreases the ultimate shareability of your tweets.
  • Don’t begin tweets with @mentions. Doing this limits the visibility of tweets to you, the owner of the @mention handle, and any mutual followers you may have.
  • Don’t toot your own horn too hard. This can be particularly damaging if you’re a small business and you don’t already have a passionate fan following. Instead, behave as a neutral and trustworthy information source to build respect for your business.
  • Don’t over-write your tweets. The 140-character limit can be your friend by pushing you to craft neat, punchy and effective tweets. Don’t abuse it by trying to squeeze too much info into a single tweet, and avoid shortening words such as ‘you’ to ‘u’.
  • Don’t tweet just for the sake of it. Tweet frequency isn’t valued so much as tweet quality and tweet engagement, in the eyes of both Twitter’s algorithm and your own followers.

In addition to following these DON’Ts, you can incorporate the following DO’s:

2. Get creative with visuals to beat the 140-character limit

Twitter lets you upload videos as large as 512MB (or 140 seconds). How great is that? With this feature and Periscope combined, there’s huge potential for audience engagement.

Video can be great for a bit of low-budget PR. For instance, look at what UFC did to connect with Twitter followers. It wasn’t a professionally shot fight sequence – they literally had popular fighter Menace Bermudez start a cooking show in his kitchen.

Another great idea is to use screenshots to add context to tweets, make them stand out or reiterate a point.

For instance, Moz founder Rand Fishkin uses screenshots in tweets often. This one helps emphasize his opinion on the topic being discussed.

Screenshots can also help you beat the 140-character limit and get away with sharing a text-heavy post.

You can also even use graphs in your tweets. Breaking research and case studies hold a lot of bearing in the professional world. If your company has original case studies that are suitable for public distribution, you can portray them powerfully using graphs.

3. Embed tweets in your blog posts and guest posts

Have you ever tried to get customers to write testimonials for your brand? If you have, you know it’s like pulling teeth.

Customers do, however, tweet positive experiences from time to time without being prompted.

These tweets are gold when utilized properly. You can feature these Twitter testimonials on your blog or website’s testimonials page, or use them in places where you need social proof – like a sales email or your checkout page.

You can also embed tweets as examples or illustrate your point in a blog post, just like I have in this one.

If you have conversational-style SlideShare or video content to share with fans, you can always first tweet it and then embed that tweet into a blog post. That way, your readers can always click on the embedded post and reply to the tweet.

Embedding tweets is really simple. When you see a tweet you want to embed, simply click on the drop-down menu and use the URL generated when you click on ‘embed tweet’.

If you’re using WordPress, you can just copy the URL of the tweet and paste it in your visual editor wherever you want the tweet embedded.

4. Use Twitter lists to create lasting relationships 

If you want to receive consistent engagement on your tweets, then you need to build a small and active community of brand advocates. Generally, a big part of receiving love on Twitter is giving love in return.

You need to take interest in what your team, customers, and Twitter friends are up to for them to reciprocate in kind. It’s just like in real life.

So how can you keep in touch with everyone who matters on Twitter? Use Twitter lists!

Madalyn Sklar has her lists organized brilliantly:

Create separate lists for your office team, webinar attendees, people you are trying to get to notice you (prospect brand ambassadors or influencers), and people who share content that is useful to your audience.

Engage with them on a needs-must basis. For instance, you should regularly initiate meaningful conversations with people you want to be noticed by.

You could even create a list of your biggest fans and reward them from time to time with contests or giveaways.

Bloggers and industry experts are important because they can give you access to new, untapped markets. One tweet by an influencer could give your brand more exposure. For that to happen, they have to notice you and you have to build a good rapport with them.

You don’t have to manually create Twitter lists for bloggers and influencers, you can just subscribe to public lists created by reliable brands or people.

You can also keep your clients engaged by interacting with them via a separate, private Twitter list.

5. Use advanced search to find unique opportunities

It’s a smart move to use Twitter’s advanced search to monitor mentions and conduct research for content ideas. A valuable find in either of these categories is a potential opportunity for more exposure.

To access the search page, click here. Alternatively, you can use Twitter’s default search bar on the platform.

To view the most popular content created by a particular website, or in an industry, you can use Twitter’s search operators – “keyword + min_retweets:[number]” or “keyword min_faves:[number]”.

For example, if I want to find all Jeff Bullas’ blog posts that contain tweets that were retweeted over 30 times, I’ll type jeffbullas.com min_retweets:30.

To keep track of mentions, you could set up an automated system. Warble lets you monitor tweets with a daily updates email. You can also set up smart keyword combinations, like ‘your brand name’ + ‘wish’, or ‘your industry keyword’ + ‘need’.

These can help you find unique opportunities to increase brand exposure. For instance, dog food brand Purina wished a customer’s dog happy birthday. He was so pleased that he wrote a blog post that attracted a lot of attention.

Wrapping up

Twitter has incredible potential to create real-time and raw interactions that ultimately boost exposure for your business.

The key is to use original and attention-grabbing content and take an open-minded approach to finding opportunities for exposure.

Hopefully, this blog post can fuel your first few experiments for exposure, and make you realize it can be incredibly easy.

Guest Author: Disha Dinesh is a Content Writer at Godot Media, a leading content agency. Her interests include social media and content marketing. When she’s not writing, she’s on the prowl for social media trends and inspiration.

The post 5 Unbelievably Simple Ways To Increase Your Twitter Exposure appeared first on Jeffbullas’s Blog.

Source: http://ift.tt/im5GqL

How does Bing’s voice search compare to Google’s?


Google remains the dominant player in search marketing, but the industry is changing very rapidly and the old certainties may erode. Does voice search provide a platform for Microsoft to compete?

A study earlier this year revealed that Microsoft’s speech recognition technology demonstrated only a 5.1 percent word error rate in Switchboard, a conversational speech recognition task. This shows impressive development and shows that Microsoft is more than competitive in this domain, but it is only part of the picture.

Speech recognition and voice recognition are significantly different. The former extracts words and comprehends what is said; the latter also understands who said it. We could frame this as content and context.

Context will be the defining factor in who becomes the dominant player in voice search, with an increasing amount of internet-enabled devices providing the opportunity for a seamless, conversational experience.

No doubt, search is at the very heart of this battle.

Bing has positioned itself as simply a more effective search engine, with campaigns like Bing It On aimed at showing users the quality of its results compared to those of Google.


Occasionally we see stories of impressive user growth for Bing, but never quite enough to suggest a significant threat to Google’s totemic stature. Latest estimates from Smart Insights put Google’s global share of the search market at 77%, with Bing on about 8%.

The signs so far suggest that Google will remain the dominant search player in the West, but the sands are shifting and it is increasingly difficult to predict where the industry will go. With a newly-announced partnership with Amazon’s Alexa, Microsoft is clearly not going to give up the fight.

So, if search is the glue that holds this together, what is Microsoft’s strategy to compete with Google? We know Microsoft’s speech recognition technology is effective, but how do its voice search capabilities stack up?

Microsoft voice search: the key details

Microsoft’s digital assistant, Cortana, is embedded into Windows-enabled devices and into Microsoft’s Edge internet browser. That provides access to over half a billion users, once we factor in Microsoft’s Xbox gaming consoles.

Cortana has a multitude of uses. It helps users navigate the Windows interface and can respond to a multitude of wider queries, powered by Microsoft’s Bing search engine, for example.

Of course, mobile is a core focus and therefore Cortana is available via a range of Microsoft mobile hardware and software.

Like other digital assistants, Cortana is always ready to answer queries on a Windows device. It now prompts users to test its broadening functionalities by pushing notifications like “Ask me to remind you to buy eggs next time you’re at the supermarket” or “Would you like to know which song is playing?”

It can be a bit creepy and intrusive, but for the most part users will only really notice Cortana when they need to use it. The list of prompts is quite formulaic and Cortana simply searches a query on Bing when it can’t understand what the user wants.

Cortana voice commands

All of this functionality is at its best when a user is logged in across a range of Microsoft devices, however. The same is true of any digital assistant, but in the respective cases of Apple and Google this is simply more likely to occur.

This means that Cortana misses out on vital context, not through any technological shortcoming, but rather through the lack of mass adoption of Microsoft’s hardware.

On the software front, Microsoft fares better. There are now over 100 million monthly users of Cortana via Windows 10, and the latest edition of the Edge browser continues to bring voice search to the fore.

This is still not quite enough to make a significant dent in Google’s lead, however. One of the most searched-for technology-based phrases on Bing is [google], after all.

Microsoft’s voice search strategy

The challenge for Microsoft has always been to gain enough of the valuable mobile software market to compete with Apple and Google.

Where Apple controls a very profitable section of both the hardware and software ecosystems, Google has historically focused on its Android OS as a Trojan horse to ensure continued use of its products on a wide range of devices.

With Google Home, the Google Pixel smartphone, and Google’s soon-to-be-completed purchase of Taiwanese smartphone company HTC, the focus has shifted to hardware as the Internet of Things comes of age.

Microsoft’s Invoke smart speaker ensures it has a seat at the table, but it is the partnership with Amazon’s highly successful Echo speakers that should increase usage numbers for Cortana.


Microsoft has always fared well in the enterprise market (albeit under increasing competition from Apple and Google here, too), but the personal smartphone market has been harder to break.

Further integrations with popular platforms such as Spotify, to go along with Microsoft’s ownership of Skype, could start to position Cortana as an appealing alternative to the walled garden approach of Apple.

How does Microsoft voice search differ from Google voice search?

Although both function in similar ways, there are some core areas of differentiation:

  • Speech recognition: Cortana does this fantastically well and, although Google Assistant is still very accurate, small margins do matter in this arena. Although only a sample size of one, I can also attest that Cortana comprehends my Irish brogue much more accurately than Google Assistant.
  • Business task management: Cortana can be a huge timesaver with commands like “Pull up the latest version of my task tracker.” With full access to the Windows OS, it can locate documents quite easily and reduce time spent on laborious document searching.
  • Context: When a user is logged in across Windows products, Cortana can serve accurate contextual results. See below for an example of the same phrase searched by voice on a Windows laptop using Cortana and Google:


The differences are slight, but telling. Cortana knows that I am currently in Spain (I am using a Windows laptop), and therefore provides the kick-off in my local time. Google is not privy to this information and serves the result in Eastern Time, as my account is based in the US.

When results default to Bing, it all gets a little hairier.

I follow up by asking who will be in the starting lineup and receive a bizarre result about the USA soccer team, a news story about a Leeds starting lineup from three years ago, and some news about the Leeds music festival.

Leeds line-up

Google does a better job of this, but both lack the immediacy that integration with a social media feed would provide:
Google Leeds

This same pattern plays out across a wide range of travel, weather, and commercial queries. When Cortana can pull an immediate answer, it does so very capably; when it resorts to providing a list of search results from Bing, the quality varies. Google therefore represents a much more consistent, reliable option.

The new partnership with Amazon may open a range of avenues for Microsoft to reach a wider audience, which will only help to refine these recommendations. For the moment, Google’s superior search experience remains its trump card in the battle for digital assistant supremacy.

In summary

A graphic comparing the voice search capabilities of Microsoft and Google, respectively. Under the Microsoft section, the pros are listed as: speech recognition, ecommerce offering via Amazon, and Skype integration. The cons are listed as: voice recognition, lack of third-party integrations, and Bing search results. The devices which support Microsoft voice search are listed as: Microsoft devices, Windows 10 and Microsoft Edge. Under the Google section, the pros are listed as: context recognition, linked to all Google products, and Google search. The cons are listed as: speech recognition is flawed, shopping offering is a work in progress. The devices which support Google voice search are listed as: Android devices, Google Chrome and Chromebooks.

Image created by Clark Boyd

Source: http://ift.tt/1JcVoR1

Equifax Breach: Setting the Record Straight


Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service’s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.
On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one-year of credit monitoring service. That site is http://ift.tt/2xdYnYt, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.
Under intense public pressure from federal lawmakers and regulators, Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file (for more on what a security freeze entails and why you and your family should be freezing their files, please see The Equifax Breach: What You Should Know).

Unfortunately, the free freeze offer from Equifax doesn’t mean much if consumers can’t actually request one via the company’s freeze page; I have lost count of how many comments have been left here by readers over the past week complaining of being unable to load the site, let alone successfully obtain a freeze. Instead, consumers have been told to submit the requests and freeze fees in writing and to include copies of identity documents to validate the requests.

Sen. Elizabeth Warren (D-Mass.) recently introduced a measure that would force the bureaus to eliminate the freeze fees and to streamline the entire process. To my mind, that bill could not get passed soon enough.

Understand that each credit bureau has a legal right to charge up to $20 in some states to freeze a credit file, and in many states they are allowed to charge additional fees if consumers later wish to lift or temporarily thaw a freeze. This is especially rich given that credit bureaus earn roughly $1 every time a potential creditor (or identity thief) inquires about your creditworthiness, according to Avivah Litan, a fraud analyst with Gartner Inc.

In light of this, it’s difficult to view these freeze fees as anything other than a bid to discourage consumers from filing them.

The Web sites where consumers can go to file freezes at the other major bureaus — including TransUnion and Experian — have hardly fared any better since Equifax announced the breach on Sept. 7. Currently, if you attempt to freeze your credit file at TransUnion, the company’s site is relentless in trying to steer you away from a freeze and toward the company’s free “credit lock” service.

That service, called TrueIdentity, claims to allow consumers to lock or unlock their credit files for free as often as they like with the touch of a button. But readers who take the bait probably won’t notice or read the terms of service for TrueIdentity, which has the consumer agree to a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.

The agreement also states TransUnion may share the data with other companies:

“If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about products and services provided by TransUnion Interactive and its marketing partners, or if you opted for the free membership option, your name and email address may be shared with a third party in order to present these offers to you. These entities are only allowed to use shared information for the intended purpose only and will be monitored in accordance with our security and confidentiality policies. In the event you indicate that you want to receive offers from TransUnion Interactive and its marketing partners, your information may be used to serve relevant ads to you when you visit the site and to send you targeted offers. For the avoidance of doubt, you understand that in order to receive the free membership, you must agree to receive targeted offers.”

TransUnion then encourages consumers who are persuaded to use the “free” service to subscribe to “premium” services for a monthly fee with a perpetual auto-renewal.

In short, TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files, and these dubious services allow the credit bureaus to keep selling your credit history to lenders (or identity thieves) as they see fit.

As I wrote in a Sept. 11 Q&A about the Equifax breach, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to divert people away from freezes. Their motives for saddling consumers with even more confusing terminology are suspect, and I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Experian’s freeze Web site has performed little better since Sept. 7. Several readers pinged KrebsOnSecurity via email and Twitter to complain that while Experian’s freeze site repeatedly returned error messages stating that the freeze did not go through, these readers’ credit cards were nonetheless charged $15 freeze fees multiple times.

If the above facts are not enough to make your blood boil, consider that Equifax and other bureaus have been lobbying lawmakers in Congress to pass legislation that would dramatically limit the ability of consumers to sue credit bureaus for sloppy security, and cap damages in related class action lawsuits to $500,000.

If ever there was an industry that deserved obsolescence or at least more regulation, it is the credit bureaus. If either of those outcomes are to become reality, it is going to take much more attentive and relentless coverage on the part of the world’s top news publications. That’s because there’s a lot at stake here for an industry that lobbies heavily (and successfully) against any new laws that may restrict their businesses.

Here’s hoping the media can get up to speed quickly on this vitally important topic, and help lead the debate over legal and regulatory changes that are sorely needed.

http://ift.tt/2hibfpI Source: http://ift.tt/TKsn16

Microsoft: Windows getting more stable, faster, and lasting longer on battery

With Windows breaking less often, scenes like this should become a thing of the past.

Windows 10 is getting better and better, Microsoft insists, as it works to build confidence in the operating system in the run up to the next major update. The company says that the Creators Update (version 1703) has seen a 39 percent drop in driver and operating system stability issues relative to the Anniversary Update (version 1607).

Performance is better too; according to Microsoft’s telemetry, boot time is 13 percent faster, logging in 18 percent faster, and facial recognition 30 percent faster. There are incremental improvements in battery life, too, from 2.5 to 5 percent longer life watching videos in the Movies & TV app, and a 17 percent improvement in the Edge browser.

The subtext to these numbers is that Microsoft is still working to convince customers, especially corporate customers, that the new Windows development model is working, and that the company is hearing the feedback. The Anniversary Update was rapidly deployed, and it hit a number of issues soon after launch, causing problems for both consumers and enterprise users alike.

The unlabelled axes make it impossible to know just how many times people contact support for Windows 10, but clearly the number is declining.

Microsoft had to examine how it handled deployments, and the result is a much more conservative, much more careful staged deployment. Five months after the Creators Update was released, it was only on two-thirds of Windows machines, compared to 85 percent at the same stage for the Anniversary Update. This less-aggressive rollout seems to have done a good job; there have been far fewer complaints about the Creators Update, and in general it has worked as it should.

The numbers also send a message that the updates are worthwhile: even if the major features of each update aren’t of interest, the improved stability, battery life, and security capabilities are valuable and make updates worth having. This is particularly important for Enterprise customers, as it means they shouldn’t be tempted by the Long Term Servicing Channel version of Windows. This version doesn’t receive the six-monthly updates and instead uses the traditional, familiar ten-year servicing model that previous versions of Windows used. On the basis of this data, the last LTSC version (which coincided with the Anniversary Update) is meaningfully less stable and efficient than the current mainstream version.

Underpinning the slower rollout and stability data is, of course, the contentious collection of telemetry data. Microsoft uses the data to, among other things, detect deployment issues with the Creators Update and, if necessary, delay its rollout to problematic hardware, drivers, or other software. The Fall Creators Update will give enterprises a little more control over which telemetry data is collected, but a built-in way to disable telemetry collection entirely remains out of reach for regular consumers.

http://ift.tt/2xxg04T Source: https://arstechnica.com