They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."
Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."
Indiana has used Crosscheck for years. But until July, the state had a series of checks on the program. If Crosscheck found that an Indiana resident's name and birthdate matched that of a person in another state, Indiana law used to require officials to ask that person to confirm their address, or wait until that person went two general election cycles without voting, before the person's name was purged from Indiana voter rolls. Under the state's new law, officials can scrub a voter from the rolls immediately. That's a problem for Indiana residents, particularly people of color, a Friday lawsuit from Common Cause and the American Civil Liberties Union argues.
But are things about to get worse? Marketwatch reports: It will become harder for consumers to sue their banks or companies like Equifax... The Senate voted Tuesday night to overturn a rule the Consumer Financial Protection Bureau worked on for more than five years. The final version of the rule banned companies from putting "mandatory arbitration clauses" in their contracts, language that prohibits consumers from bringing class-action lawsuits against them. It applies to institutions that sell financial products, including bank accounts and credit cards. Consumer advocates say it's good news for companies like Wells Fargo or Equifax, which have both had class-action lawsuits filed against them, and bad news for their customers... Lisa Gilbert, the vice president of legislative affairs at Public Citizen, a nonprofit based in Washington, D.C., said the Senate vote shouldn't impact cases that are already ongoing. However, there will "certainly" be more forced arbitration clauses in contracts in the future, and fewer cases brought against companies, she said.
In an effort to force the state to scrap the system, a number of Georgia voters banded together and sued. They asked for an independent security review of the server, expecting to find flaws that would lend weight to their argument for investment in a more modern and secure system. But emails released this week following a Freedom of Information Act request reveal that technicians at the election center deleted the server's data on July 7 -- just days after the lawsuit was filed. The memos reveal multiple references to the data wipe, including a message sent just last week from an assistant state attorney general to the plaintiffs in the case. That same email also notes that backups of the server data were also deleted more than a month after the initial wipe -- just as the lawsuit moved to a federal court. It is unclear who ordered the destruction of the data, and why, but the deletions have raised yet more suspicions of collusion between the Trump campaign team, the Republican Party, and the Russian government.
How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle's flash memory, and the device was shipped with it installed. This was pretty plausibly "something you had" even though it was based on a secret number embedded in silicon. (More like "something you don't know?") The app authenticators are doing something very similar, even though it's all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into "something I know", at least for me. The original submission calls two-factor authentication "an enhancement to password security, but good password practices are far and away still the most important of security protocols." (Meaning complex and frequently-changed passwords.)
Slashdot turned 20 this month, which is ancient in internet years. How far have we come?
Also, we've set up a page to coordinate user meet-ups around the world to celebrate. Read on for the full 20-year history of Slashdot.
Horback and fellow researcher Willem Halffman wanted to know how extensive the phenomenon of misidentified cell lines really was, so they searched for evidence of what they call "contaminated" scientific literature. Using the research database Web of Science, they looked for scientific articles based on any of the known misidentified cell lines as listed by the International Cell Line Authentication Committee's (ICLAC) Register of Misidentified Cell Lines. There are currently 451 cell lines on this list, and they're not what you think they are -- having been contaminated by other kinds of cells at some point in scientific history. Worse still, they've been unwittingly used in published laboratory research going as far back as the 1950s.
The study found that cetaceans had complex alliances and communications, played and worked together for mutual benefit, and could even work with other species, like humans. Some also have individual signifiers, sounds that set them apart from others, and can mimic the sounds of others. In addition, it found that brain size predicted the breadth of social and cultural behaviors of these marine creatures (though ecological factors, like prey diversity and latitudinal range, also played a role). The researchers concluded there was a tie between cetacean encephalization, social structure, and group size.