Articles

Yahoo Hackers Plundered Data on 500 Million.

SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.


In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”

While Yahoo did not name the country involved, how the company discovered the hack nearly two years after the fact offered a glimpse at the complicated and mysterious world of the underground web.

The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank accounts to photo albums and even medical information.

Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

The company said as much in an email to users that warned it was invalidating existing security questions — things like your mother’s maiden name or the name of the street you grew up on — and asked users to change their passwords. Yahoo also said it was working with law enforcement in their investigation and encouraged people to change up the security on other online accounts and monitor those accounts for suspicious activity as well.

“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”


The Yahoo hack also adds another miscue to what has been a troubled sale of a long-troubled company. In July, Verizon said it would acquire the internet pioneer, roughly a month before Yahoo security experts started looking into whether the site had been hacked. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.

In a statement on Thursday, a Verizon spokesman, Bob Varettoni, said his company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”

It is unclear whether security testing — such as a test to see if security experts could break into the Yahoo network — was performed as part of Verizon’s due diligence process before it agreed to the acquisition.

But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence.

“Cybersecurity can absolutely affect a valuation, and these are important questions that investors need to be asking,” said Jacob Olcott, vice president of BitSight Technologies, a security company.

Yahoo said it learned of the data breach this summer after hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data. A Yahoo security team was unable to verify those claims. But what they eventually found was worse: a breach by what they believe was a state-sponsored actor that dated back to 2014.

A potential breach of Yahoo’s systems was first reported by the tech news site Recode early Thursday morning.

The first sign that something was amiss appeared in June, when a Russian hacker who goes by the user name Tessa88 started mentioning, in underground web forums, a new trove of stolen Yahoo data, Mr. Holden said. In July, Tessa88 supplied a sample of the stolen collection to people in the so-called underground web for authentication.

Backup generators and buildings housing computer servers at a Yahoo facility in Lockport, N.Y. Credit Andrew Harrer/Bloomberg

The sample contained valid Yahoo user accounts, but it was unclear whether the data was from a breach of a third-party service or Yahoo itself. And it was not clear whether it came from a recent Yahoo breach or a previous incident in 2012, when the internet service acknowledged that more than 450,000 user accounts were compromised.

Then, in August, a second hacker who goes by the alias Peace of Mind began offering a large collection of stolen Yahoo credentials — including user names, easily cracked passwords, birth dates, ZIP codes and email addresses — on a site called TheRealDeal, where hackers can buy and sell stolen data, Mr. Holden said.

TheRealDeal uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.

After looking into that data, Yahoo did not find evidence that the stolen credentials came from its own systems. But it did find evidence of a far more serious breach of its systems two years earlier.

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the costs to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price.

Thursday afternoon, Senator Mark R. Warner, a Democrat from Virginia and former technology executive, issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He weighed in with a call for a federal “breach notification standard” to replace data notification laws that vary by state. Senator Warner added that he was “most troubled” that the public was only learning of the incident two years after it happened.

800,000 Users Exposed in Brazzers vBulletin Vulnerability

Nearly 800,000 users’ information has been exposed through a vBulletin vulnerability on the porn site Brazzers. The user data appears to have been taken from the Brazzers forum. However, many users used the same login details for the forum as they did for the main site, leaving hundreds of thousands of people exposed.

The data leak is said to have included email addresses, user-names, and unencrypted passwords, which most websites typically encrypt or hash in case of leak scenarios. This means that users on the porn site who have used the same email address and password on other sites may be vulnerable to attacks elsewhere.

“Problem with a hack like that is it’s a forum. Worse than just adult website (credentials), this is what people were talking / fantasizing about.”

Troy Hunt said on Twitter, highlighting the fact that users’ specific sexual fetishes and fantasies could now be leaked into the open.

The leak, which actually happened in 2013 but has only just been discovered, was reportedly due to the forum’s vBulletin software. Brazzers has confirmed that vBulletin was the cause of the vulnerability and is currently taking “corrective measures” to protect its users and their information from cyber criminals.

Obama: Internet Cannot Be like Wild, Wild West

President Barack Obama called for a series of international agreements to regulate activity on the Internet, citing his preference not to start an arms race in cyberspace.

“What we cannot do is have a situation where this becomes the wild, wild West, where countries that have significant cyber capacity start engaging in unhealthy competition or conflict through these means,”

President Obama said during a press conference in China on Monday after the G-20 Summit, referring to every country using the Internet as they wished, including using it to hack into other countries’ data. He added that nations have enough to worry about in the realm of cyber attacks from non-state actors without nation-states engaging in hacking against one another. Obama claimed, however, that America was winning the Internet battle, despite repeated hacks into the data controlled by the U.S.

“Frankly, we’ve got more capacity than anybody, both offensively and defensively,”

he bragged, referring to a growing escalation of cyber-capabilities from other governments.

He added that he wanted to avoid an arms race in cyberspace, but rather institute international norms “so that everybody’s acting responsibly.”

The implication of Russian hackers in some current cyber threats and security issues was a key topic. Though Obama didn’t identify specific instances, he said:

“we have had problems with cyber intrusions from Russia in the past”

and that the goal is not to duplicate a “cycle of escalation” of the kind that has occurred in arms races of the past. This cycle of escalation refers to the trade of vulnerabilities and the expansion of capabilities by military actors to attack one another in a shadowy conflict known as cyber war. Journalists questioned the President about recent reports that Russian hackers had broken into voters’ election data; he declined to discuss the reports in detail, citing an ongoing investigation.

So, What’s the deal with SEO?

Check out the following e-mail that I received from Alexa.com last week in regards to building an SEO and online marketing strategy.

Hi there,

Finding out which websites compete with your site online is a key step to building an SEO and marketing strategy.

Once you understand that, you can benchmark your site against the others, discover which keywords your competitor is using for SEO, and find out more about the content they’re creating.

In our latest post, find out how you can find which sites are competing with yours online. In addition, you can also find and save groups of sites that are related to any other website, which comes in handy whether you’re a business owner, consultant, analyst, advertiser or marketer.

Read: How to Find Similar Websites with the Audience Overlap Tool

Give the new tool a try and let us know what you think!

Cheers to your success,

marketing@alexa.com

In regard to the above, the real issue is tailoring a website’s content so that it can compete with existing sites that may or may not use similar writing and/or keywords.

Flexbox: Still Widely Misunderstood

Abstract:

Flexbox is commonly used in UI layouts on the web. Margins can be used to space items apart. Nested flexboxes are achievable; as we will see later on, flex properties can be applied to descendants, allowing for flex nesting.

Browser Support in 2012:

IE 11+, Firefox 22+, Chrome 21+, Safari 6+, iOS 7+ (4S), Android 4.4 (KitKat)

Browser Support in 2016:

IE 11, 13, 14, Firefox 47-51, Chrome 29-55, Safari 9.1 -TP, iOS 9.2-9.3, Android 4.4-51

As you can see in the impromptu table above, Flexbox support is growing strong. So let’s dive in and find out why it’s still such a widely misunderstood portion of CSS.

Q: First of all, how do I use Flexbox for progressive enhancement?

A: Well, for progressive enhancement, you might already be employing floats, clears or table-cell, or even Bootstrap framework to get the job done. The good news is that flexbox CSS can simply be placed above your existing code to enhance it progressively. Let me show you what I mean:

E.g.: Say you want a responsive container for a large image on your blog post, and you always want it floated left.

Code Sample: This code is before adding Flexbox code:


.img-container-float-left{
display:block;
float:left;
margin:0em auto;
margin-top:10%;
position:relative;
width:33%;
}

Since we want to enhance the above code progressively, we just need to insert our flex code above the existing LOCs as follows:


.img-container-float-left{
display:flex;
display:block;
float:left;
margin:0em auto;
margin-top:10%;
position:relative;
width:33%;
}

Now we have applied display:flex directly above display:block.

The implication is that browsers without flex support will ignore display:flex and continue to use display:block as usual. By inserting this one line of code we have progressively enhanced each and every instance of our responsive float-left image, but there’s more.

With bootstrap, you may be familiar with specifying how many columns a given element will span given a particular breakpoint. E.g. .col-md-4 .col-xs-6 will span four columns on medium size viewports and it will span 6 columns on an extra small device.

What if we want to declare a proportion of our container for our floating image example code above?

Now we need to use the flex property on the actual image element to achieve that. A further implication is that the image is laid out as a block-level flex item once the flex property is set on it. Let’s take a look:


div.img-container-float-left > img{
flex: 0 0 30%; /* .col-md-4 implies 4 out of 12 columns. approximately 30% */
}

flex: 0 0 30%;

The first parameter is called grow. It determines by how much this item can expand.

The second parameter is called shrink. It determines by how much this item can shrink.

The third parameter is called basis. This indicates the default width or height. Whether it is a width or a height is determined by the flex-direction of the item’s parent. So, if an item’s parent’s flex-direction is set to row then the basis refers to its width. Conversely, if an item’s parent’s flex-direction is set to column then its basis always refers to its height.
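An added example, not from the original article, that puts the container rule, the image rule and the flex shorthand together in one page; the class name and the 30% basis are the article’s, while the narrow-viewport column rule, the 600px breakpoint and the placeholder image are assumptions made here.

```html
<!-- Added example (not from the original article). Class name and 30% basis are
     the article's; the media query, breakpoint and placeholder image are assumed. -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Progressive enhancement with flexbox</title>
<style>
  .img-container-float-left {
    display: block;     /* fallback for browsers without flex support */
    display: flex;      /* flex-capable browsers keep this later declaration */
    float: left;
    margin: 0 auto;
    margin-top: 10%;
    position: relative;
    width: 33%;
  }
  /* The image is now a flex item: no grow, no shrink, basis 30% of the container.
     With the parent's default flex-direction: row, the basis sets its WIDTH. */
  div.img-container-float-left > img {
    flex: 0 0 30%;
  }
  /* Assumed addition: on narrow viewports stack the contents vertically.
     flex-direction is now column, so the same 30% basis is read against the
     container's HEIGHT, which is why a height is declared here. */
  @media (max-width: 600px) {
    .img-container-float-left {
      flex-direction: column;
      float: none;
      width: 100%;
      height: 240px;
    }
  }
</style>
</head>
<body>
  <div class="img-container-float-left">
    <img src="placeholder.png" alt="Constructed placeholder image">
    <p>Caption text sits beside the image in a row and below it in a column.</p>
  </div>
</body>
</html>
```

Because the cascade keeps the last valid declaration of a property, this example lists display:block before display:flex; with display:flex placed above display:block, as in the snippet earlier, display:block wins in flex-capable browsers too.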

Nested Flexboxes:

Rule #1: Only children become flex items, not all descendants.

Rule #2: Forget Rule #1, because you can set display:flex on descendants too!

Following will be a code sample:
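The following is an added example, not the article’s own sample: a row of cards where the outer container makes only its direct children flex items (Rule #1), and each card is itself declared display:flex so its own children become flex items (Rule #2). The class names .cards and .card, the 200px basis and the placeholder images are assumptions.

```html
<!-- Added example (not from the original article). Class names, sizes and
     placeholder images are assumptions. -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Nested flexboxes</title>
<style>
  /* Outer container: only its direct children (.card) become flex items.
     flex-wrap lets cards sit side by side when there is room and stack
     when there is not, without a media query. */
  .cards {
    display: flex;
    flex-wrap: wrap;
  }
  .card {
    flex: 1 1 200px;     /* grow and shrink from a 200px basis; wrap below it */
    margin: 0.5em;       /* margins space the cards apart */
    /* Rule #2: the descendant is its own flex container, laid out as a column,
       so the img, p and footer are flex items of .card, not of .cards. */
    display: flex;
    flex-direction: column;
    border: 1px solid #999;
    padding: 0.5em;
  }
  .card > img { flex: 0 0 120px; }  /* column direction: the basis is a HEIGHT */
  .card > p   { flex: 1 1 auto; }   /* text absorbs the remaining height */
  /* A third level: the footer is a row flex container for its two spans. */
  .card > footer { display: flex; justify-content: space-between; }
</style>
</head>
<body>
  <div class="cards">
    <div class="card">
      <img src="a.png" alt="Constructed placeholder image">
      <p>First card: its children are flex items of .card, not of .cards.</p>
      <footer><span>Left</span><span>Right</span></footer>
    </div>
    <div class="card">
      <img src="b.png" alt="Constructed placeholder image">
      <p>Second card.</p>
      <footer><span>Left</span><span>Right</span></footer>
    </div>
  </div>
</body>
</html>
```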

Taking advantage of variable space

“Flexbox is great for this sort of micro-layout stuff. Managing the sizing and spacing of items within a component or module…”

“…Where you have a component that sometimes has room for its sub-items to sit side-by-side and sometimes needs to put them in a stack without you having to figure out at what point that happens (resorting to media queries)…Flexbox is great for aligning stuff, especially shifting content in responsive web design.” – Zoe M. Gillenwater

References:

1. Zoe M. Gillenwater: Enhancing Responsiveness With Flexbox
2. DevTips: CSS FlexBox Essentials
3. CodePen FlexBox Sample

Truth is stranger than fiction

Aug 17, 6:11 PM EDT: ‘Auction’ of NSA tools sends security companies scrambling

TPP Text is Still Top Secret

Hacker releases cell phone numbers, personal emails of House Democrats

“It’s time for new revelations now. All of you may have heard about the DCCC hack. As you see I wasn’t wasting my time! It was even easier than in the case of the DNC breach.” –  Guccifer 2.0

Microsoft to buy LinkedIn for $26B. in its largest acquisition evar.

You can’t make these headlines up

The state of net neutrality

Net neutrality? What net neutrality?

There is an entire website dedicated to listing the websites that are blocked in P.R.C.

Privacy? What privacy?

There are products designed to block signals to your mobile phone in your pocket, so that you can “hide” your location from the government.

It’s safe to say that privacy is dead.

We are living in an Orwellian world, where closed circuit television constantly captures our activities in real-time.

Julian Assange talks about Geopolitics, Hillary Clinton and TPP, TTIP, TISA

WikiLeaks - The US strategy to create a new global legal and economic system

2016 Collapse of the USD

WESTERN VALUES HEADING TOWARD OBLIVION