Everything posted by allheart55 Cindy E

  1. This is pretty messed up. What is wrong with people?
  2. Getting packages stolen from your front doorstep is unpleasant, no matter who you are or what time of year it is, and knowing that you or a neighbor actually let the thief inside must be even worse. We buzz delivery people who are strangers in and give them a kind of implicit trust, and one delivery driver in Chicago is accused of violating that trust by grabbing packages on his way out the door. Unfortunately, we know this because there’s surveillance video of the man scooping up his own takeout (warning: auto-play video at that link) on his way out the door after a resident of the condo building had buzzed him in. Who dispatched this driver? That’s where things get confusing. The customer had placed an order through Grubhub with a restaurant, which in turn had hired a site called Zoomer to handle its deliveries. “I felt violated,” the customer who noticed the thefts after his grocery bags disappeared told CBS Chicago, “and then this guy walks out and takes all of our stuff.” In a statement, Zoomer apologized and said that the driver was no longer working for the platform. “This conduct is completely unacceptable and Zoomer intends to take all necessary and appropriate corrective actions.” Maybe that will include reminding delivery drivers that customers’ homes are not an all-you-can-steal buffet. The victim in this case, meanwhile, reminded viewers that they should meet food delivery drivers at the door rather than buzzing them in and letting them wander the halls. Source: Consumerist
  3. If you’ve been shopping online a lot this holiday season or just in general, you probably have a lot of cardboard boxes in your house that you don’t need. You could break them down and recycle them, or you could fill them with crap around the house that you don’t need and make someone else recycle them. Give Back Box has been around for a few years, but a recent holiday-related burst of publicity about Amazon’s participation in the program brought it to our attention. The idea is simple: you take a cardboard box and fill it with clothing, household items, and anything that you’d normally donate to your favorite thrift store other than electronics. You print out a USPS mailing label from the site, and you can arrange for your mail carrier to pick the box up during your regular delivery. Your box will be routed to the nearest Goodwill store that’s participating in the program, and if you’re willing to register for a Give Back Box account, you can get a tax receipt for your donation as well. Official “partners” include companies like Amazon, Overstock, Newegg, and Uncommon Goods, but the fine print says that any box that’s suitable for mailing can be used. Source: Consumerist
  4. :thumbsup: It's making me hungry too!
  5. :big_ha:I am 739.19 months.
  6. Everybody's sounds delicious!
  7. Lobster Tails and Shrimp.
  8. Netgear updated its security advisory on Friday, detailing the list of devices that it had confirmed to be vulnerable, all of which now have either beta or production firmware fixes available for them to resolve the vulnerability. At the time of writing, here is the list of routers for which production firmware updates are available:
R6400
R7000
R8000
And the following routers have beta firmware fixes available:
R6250
R6700
R6900
R7100LG
R7300DST
R7900
D6220
D6400
In addition, Netgear has confirmed that its D700 model is not at risk of exploitation as first feared. Netgear says it will release production firmware fixes for remaining routers as quickly as possible. Netgear goes on to say that it is continuing to review its entire range of routers to see if any others might be affected by the security vulnerability, and will release firmware updates if necessary. If you wanted an omen of what 2017 has in store for us, this is it. Expect many more internet-connected devices to be found to be lacking when it comes to security. You can help protect yourself, and other internet users, by ensuring that you apply patches as quickly as possible. Source: Graham Cluley
  9. The records of more than one billion Yahoo users, secretly stolen from the site in 2013 but only brought to the world’s attention this month, have reportedly been sold on the computer underground. InfoArmor’s Andrew Komarov told the New York Times that his firm has uncovered that the valuable data has been sold to three buyers – “two known spammers and an entity that appeared more interested in espionage”, the paper reports – for about US $300,000 each. That means, if you are an affected Yahoo user, that personal information (including your backup email addresses, security questions & answers, and – potentially – passwords) is in the hands of criminals. At the very least, the information could be used by online criminals to distribute spam messages, launch phishing attacks designed to steal credentials from users, or infect recipients’ computers with malware. If the data fell into the wrong hands it could also be used for targeted attacks against specific individuals or organizations, potentially for covert surveillance. The fact that many users also had their security questions stolen is a point that many commentators have ignored, but is potentially a significant threat. We often talk about the importance of using different passwords on different websites, but it’s just as important to have different security answers for those sites which offer the ability to grant access to users who forget their passwords. The common problem with security questions and answers (“What was your mother’s maiden name?” etc) is that they’re often easy to determine, particularly if you know the individual whose account you are trying to crack into. However, if you are also in the habit of reusing security answers then the problem is compounded – as details stolen from one site might help online criminals break in elsewhere. 
For this reason I recommend that you use a password manager to not only remember your login credentials, but also to generate and store securely random and unique answers to security questions. So, for instance, my mother’s maiden name on one site might be dYMqizwmFYdP,dwygoKx and on another HANwtXfafYEaxHqks/j?. You can see why she took my father’s name now. ;-) The New York Times report says that InfoArmor first spotted the stolen data months ago, but did not contact Yahoo directly when it first discovered that the tech company’s data was being sold online: “InfoArmor did not go to Yahoo directly, Mr. Komarov said, because the internet giant was dismissive of the security firm when approached by an intermediary. He also said he did not trust Yahoo to thoroughly investigate the breach since it could threaten the sale to Verizon.” Instead, the security firm alerted law enforcement and military agencies in the United States, Australia, Canada, Britain and the European Union. Yahoo itself only seems to have realized it had another security crisis on its hands when contacted by the authorities. Separately, Yahoo has been strongly criticized for failing to follow best practices when it comes to the way in which it was securing the compromised passwords. The site was using the easy-to-crack MD5 hashing rather than the superior bcrypt algorithm preferred by security-savvy professionals. Worryingly, in its breach statement Yahoo’s CISO failed to mention whether any salting was being used. According to reports, the price of Yahoo’s data has dropped dramatically to US $20,000 since the company became aware of the breach and started resetting users’ passwords. Source: Hot For Security
  10. The Federal Trade Commission (FTC) has demanded Ashley Madison pay US $1.6 million for its failure to protect millions of users' data. As we all recall, hackers stole a database containing the usernames, passwords, and other personal information for all 37 million users of the pro-affair adult dating website back in the summer of 2015. The stolen data was ultimately published online, a leak which led more than one Ashley Madison user to commit suicide and extortionists to blackmail site members and their wives. The FTC launched a probe into Ashley Madison in July 2016 to determine if the company had taken adequate steps to protect its users' data leading up to the breach. Among other things, it sought to determine if Ashley Madison honored those users who paid US $20 for a "Full Delete" of their information from the company's servers. But as the FTC explains in its complaint, it turns out the company was unfaithful to its users: "...Defendants have represented, expressly or by implication, directly or indirectly, that they would delete all of the information of consumers who chose the Full Delete option on AshleyMadison.com. ...In truth and in fact, ... even for those consumers who paid a $19 fee for the Full Delete option, Defendants retained the information from those profiles for up to 12 months. Therefore, the representation... is false or misleading." No doubt the breach damaged Ashley Madison's reputation among its users. Fortunately for them, the company has owned up to at least some of its missteps by agreeing to settle with the FTC. FTC Chairwoman Edith Ramirez told Ars Technica that Ashley Madison has agreed to a settlement of US $17.9 million. The dating website doesn't currently have that amount, so it will pay a $1.6 million sum. That still doesn't mean the FTC won't collect the remainder of the fine at a later date. 
As noted by Megan Geuss of Ars Technica: "Ramirez noted that the commission looks at financial information provided by the company when the FTC is determining ability to pay. She added that the settlement was made with a so-called 'avalanche clause' stipulating that if it later becomes apparent that Ashley Madison’s operators can pay more, the company will be obligated to pay the full amount." Those provisions aside, Ramirez said the FTC will not be creating a redress program for users who paid for the "Full Delete" option. With that said, I can only hope everyone's learned a lesson from this experience. Ashley Madison should have a pretty clear idea now about what doesn't work when it comes to users' data security. Additionally, hopefully some of its former members might now consider going to couples' counseling before agreeing to hook up online. The idea of having an affair might still appeal to them, but as the Ashley Madison hack demonstrates, doing so doesn't pay and can hurt A LOT of people in the process. Source: Graham Cluley
  11. This morning I received an email from Yahoo entitled “Important Security Information for Yahoo Users”. Five minutes later I’d closed my account. The email was Yahoo’s admission that I was one of 1bn victims in a data breach of staggering proportions. It wasn’t that this could be the biggest breach ever that pushed me over the edge and made me close my account. Nor was it that this was the second mega-breach that Yahoo has fessed up to just this year. It wasn’t even that Yahoo apparently had no idea that this three-year-old breach had even occurred until law enforcement told them about it (although that certainly helped to convince me). The straw that broke this camel’s back was this section of Yahoo’s email: The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. There’s plenty to get your teeth into there, and plenty to be mad about (date of birth in the wild for 3 years…) but I’m a password nerd and I was drawn to hashed passwords (using MD5). MD5 is a hashing function. The idea is that no matter what you feed it, whether it’s an eight-character password or the complete works of Shakespeare, you’ll get a pseudorandom 128-bit hash value out of it. What makes hashes useful for password storage is that those outputs aren’t reversible: if you know the password you can calculate the hash but if you know the hash there’s no way to unravel it back into the original password. Hashing allows websites to check that your password is correct without actually having to store it. So long as the hash of the password you use when you log in matches the hash on record, you must have entered the correct password. MD5 isn’t a good choice for this kind of hashing because in reality it doesn’t produce truly random hashes, and it’s possible to create MD5 “collisions” where two different inputs produce the same hash. 
Its use has been discouraged in favour of better hashing functions for two decades. But that isn’t why I closed my account. I didn’t close my account because Yahoo used MD5 rather than a more collision-resistant hashing function. I’d still have closed it if Yahoo had said it was using SHA-3. I closed it because a plain old hash by itself isn’t really enough to keep my password a secret. A crook who steals a database of password hashes has to guess at the passwords it might contain. The process is something like this: guess a password, pass it through a hashing function and see if the resulting hash matches anything in the database. The guesses the criminal makes are important but speed is king. The more guesses they can make, the more passwords they’ll uncover. In an offline attack against a victim who has no idea their password has been stolen the criminals hold most of the cards. They can use whatever specialist password cracking hardware they can get their hands on and they have all the time in the world. Effective password storage is about making your password too difficult, too time-consuming or too expensive to be worth bothering with even if your adversary can generate hundreds of billions of hashes per second. By themselves hashes just don’t pose enough of a barrier. Instead they should be used as one component in a more complex “salt, hash and stretch” password storage routine like PBKDF2, bcrypt or scrypt. Salting adds a unique secret to your password so that even if somebody else is using it you’ll still have different hashes. Crooks will have to make two successful guesses to crack two identical passwords, not one. It also stops attackers from using lists of pre-computed hashes, because they now need a hash lookup list for every possible salt. Stretching means repeating the hashing process over and over and over again, usually many thousands of times for each password. To see the difference that password storage choices make, just look at Ashley Madison. 
When the adultery website was breached, its password database was picked up by security researchers. Some passwords were stored as MD5 hashes and others were salted, hashed and stretched using bcrypt. A lot of security researchers simply didn’t try to crack the bcrypt hashes, but one blogger who did managed to recover 4,000 passwords after seven days of 24-hour password cracking. A different blogger spent 10 days cracking the MD5 hashes and successfully guessed 11 million of them. So, sure, Yahoo might have been using MD5 as the hashing algorithm at the heart of a salt, hash and stretch routine, and if they did, why not say so? Would you use a phrase that’s already used to describe a popular but ineffective form of password storage to describe one that isn’t? The company left me having to interpret its words and my filter for that was all that has gone before. There was no doubt. From upgrading RSA keys at the last minute to delivering TLS years after its competitors, Yahoo has made a habit of being late to the party. In the context of that tardiness, the idea that in 2013 Yahoo was using password storage from a bygone era does not seem far-fetched. Plenty of others were doing the same. To close your Yahoo account, as I have done, read Yahoo’s guide to closing your account. If you do close your account, be warned that it takes 90 days so be sure to change your password as well. For the definitive Naked Security guide to password storage, take a look at Paul Ducklin’s How to store your users’ passwords safely. Source: Sophos
  12. Remember how, just three months ago, Yahoo had to admit that data for more than 500 million of its users had been compromised in 2014? It seems ridiculous to refer to something that hit 500 million people as the smaller of anything, but it turns out that was only the second overwhelmingly huge data breach Yahoo suffered in recent years. This week, it's admitting a previous, even larger intrusion that hit more than a billion — yes, with a B — user accounts. This breach happened in 2013, Yahoo writes, and is likely distinct from the other breach they disclosed in September. The stolen data, however, comprises the same categories, including:
Names
E-mail addresses
Telephone numbers
Dates of birth
Hashed passwords
Encrypted and unencrypted security questions and answers
Yahoo also believes that some bad actors got access to proprietary code in order to forge cookies that let them log into users' accounts without even having a password, stolen or otherwise. The forged cookie incident, the company says, is probably related to the breach it reported in September. Yahoo says it will be notifying potentially affected users, but since that number is in the billions it seems safe to assume that means basically everybody. All potentially affected users (again, basically everyone) will be required to reset their password, and will have their existing unencrypted security questions and answers invalidated. Don't consider yourself a Yahoo user? You still might be: in addition to all the Yahoo!-branded services and platforms the company offers, it also acquired Flickr in 2005 and Tumblr in mid-2013. 
As for what users can do, good old-fashioned security rules mostly apply:
If you have a Yahoo account, change the password on it now
If you ever used the same password anywhere else as on your Yahoo account ever, change those now
Enable two-factor authentication (that thing where you get a secondary code texted to you) on every one of your accounts that you can
Consider using a password manager
If you use Yahoo as a login service for any other service, consider changing your accounts there, too
The FTC also maintains a step-by-step, customizable guide for consumers who have been the victim of data theft at IdentityTheft.gov, which is a useful resource if you've been part of basically any hack, breach, or other, more severe data loss. News of this second breach is unlikely to go over well with, well, basically anyone. Yahoo was already facing Senate inquiries over the half-billion accounts hacked in 2014. And then there's that whole merger with Verizon thing, which is already looking troubled after it turned out that someone at Yahoo may have known about the 2014 hack more than two years before it was publicly disclosed. Anything that affects the value of Yahoo in a big negative way can be a material event that lets Verizon walk away. Verizon leadership has already said that the 2014 hack may well be such a material event, so it's hard to see how another billion-user hack a year earlier wouldn't be as well. Source: Consumerist
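Posts 9 and 11 above contrast Yahoo's plain MD5 password hashes with a "salt, hash and stretch" routine. The following is an added example, not code from any of the quoted articles or from Yahoo, written to make that contrast concrete from the defender's side: it stores the same password two ways, shows why a precomputed lookup table reverses the unsalted MD5 records in bulk but gets nothing from the salted, stretched records, and verifies logins against the stronger format with a constant-time comparison. It uses only the Python standard library (hashlib.pbkdf2_hmac with HMAC-SHA256 standing in for the PBKDF2 the post names); the wordlist, usernames and record format are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist for the demonstration; stands in for the far larger
# lists a cracker would precompute against unsalted hashes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"]


def md5_unsalted(password: str) -> str:
    """Plain MD5 of the password: the scheme Yahoo's notice describes.
    Every user with the same password gets the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once; afterwards each unsalted record
    is reversed with a single dictionary lookup, no hashing needed."""
    return {md5_unsalted(p): p for p in wordlist}


def recover_unsalted(stored_hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of stored hashes that the precomputed table explains."""
    return {h: table[h] for h in stored_hashes if h in table}


def salt_hash_stretch(password: str, salt: Optional[bytes] = None,
                      iterations: int = 200_000) -> str:
    """Salt (16 random bytes), hash (HMAC-SHA256) and stretch (iterations)
    with PBKDF2. Record format (constructed): algo$iterations$salt_hex$hash_hex.
    Storing the salt and iteration count alongside the hash is what lets
    verify() recompute it later and lets the cost be raised over time."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the stretched hash for a login attempt and compare it in
    constant time so timing differences do not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def lookup_hits_against_salted(records: Iterable[str], table: Dict[str, str]) -> int:
    """A table keyed on unsalted hashes never matches a salted record's hash
    field, because the salt changes the input before hashing."""
    return sum(1 for r in records if r.split("$")[3] in table)


if __name__ == "__main__":
    # Two constructed users who happen to share a weak password.
    users = {"alice": "qwerty", "bob": "qwerty", "carol": "correct horse battery"}

    md5_db = {u: md5_unsalted(p) for u, p in users.items()}
    strong_db = {u: salt_hash_stretch(p) for u, p in users.items()}
    print("alice and bob share an MD5 hash:", md5_db["alice"] == md5_db["bob"])
    print("alice and bob share a salted record:", strong_db["alice"] == strong_db["bob"])

    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted records explained by the table:",
          recover_unsalted(md5_db.values(), table))
    print("salted records explained by the table:",
          lookup_hits_against_salted(strong_db.values(), table))

    print("bob logs in with the right password:", verify(strong_db["bob"], "qwerty"))
    print("bob logs in with the wrong password:", verify(strong_db["bob"], "qwertz"))
```

The iteration count is the "stretch": raising it makes each guess proportionally more expensive for a cracker while costing the legitimate site one extra computation per login, and because the count is stored in the record it can be increased for new passwords without invalidating old ones.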