Archive for March 13, 2017

Yahoo CEO Scores A $23 Million Severance Payday Despite Multiple Yahoo Hacks

Posted in Commentary with tags on March 13, 2017 by itnerd

I clearly am in the wrong business because upon Verizon’s completion of its acquisition of Yahoo’s core internet assets, Marissa Mayer who is Yahoo’s CEO will score a $23 million dollar payday  according to a filing with the Securities and Exchange Commission. If that’s not mind blowing enough, the same documents indicates that Yahoo Chief Financial Officer Ken Goldman is set to get $9.5 million in severance too. Both are expected to leave their roles once the deal goes through.

You have to wonder how someone like Mayer who among other things has allowed Yahoo to get hacked multiple times by hackers on her watch deserves that sort of payday. Not to mention that she also failed miserably to make Yahoo relevant again which led to this sale. Last time I checked, you shouldn’t be rewarded for failure. But clearly, the business world doesn’t work that way.


Buy An Android Smart Phone, Get Malware Preinstalled For Free

Posted in Commentary with tags , on March 13, 2017 by itnerd

A new report from CheckPoint has discovered that buying a new Android smartphone doesn’t guarantee that it is clean. Many of the biggest names and models come preinstalled with potentially dangerous malware:

The Check Point Mobile Threat Prevention has recently detected a severe infection in 38 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.

Now let me be clear. Since they were added after manufacture, the vendors of the smartphones aren’t to blame. But this should concern you as it means that you cannot trust the security of these devices right out of the box.

Now it is possible for you to re-flash the device the second you get it to avoid this issue. And if you’re really paranoid, you could go to the extreme of rooting the device and installing Android from scratch. But why should you have to do either? Should you not have a reasonable expectation to take a device out of the box? Clearly that’s not the case and perhaps you will need to do one of the above if you want to be as secure as possible.

VW Pleads Guilty To DieselGate Charges In The USA

Posted in Commentary with tags on March 13, 2017 by itnerd

On Friday Volkswagen admitted in a US court that they’d committed fraud in their diesel emissions tests, also pleading guilty to falsifying statements and obstruction of justice. Here’s the details from CNET:

It marks the first time VW admitted guilt in any court in the world, according to a VW spokesman speaking to Reuters. The judge overseeing the case in the U.S. District Court in Detroit accepted the plea and will issue a sentence at a hearing on April 21. “The agreements that we have reached with the US government reflect our determination to address misconduct that went against all of the values Volkswagen holds so dear,” Volkswagen said in an emailed statement… The road to Dieselgate’s conclusion still has plenty of pavement, though. The company is still under investigation by the Securities and Exchange Commission and Internal Revenue Service. And that’s in the US alone.

What’s interesting about this is the fact that VW as a company might have admitted guilt. However the management, from the top down to the bottom have not. For example, the CEO tried to blame it on “a couple of rogue programmers.” That really sounds like a version of the Sergeant Schultz defense to me. The thing is, there’s zero chance that this got the green light without some exec in Germany being involved. Thus I hope that those investigating this continue to dig to get to those who were truly responsible for this fiasco so that they can be brought to justice.

CRA Website Gets Shut Down Over The Weekend To Patch A Serious Flaw

Posted in Commentary with tags on March 13, 2017 by itnerd

If you’re in Canada and were planning to file your taxes this past weekend, you likely had to find something else to do as the Canada Revenue Agency website was shut down over the weekend to patch a serious flaw. The site was back up as of 5:00PM Sunday after being taken down on Friday. But other than words like this, they aren’t saying why they took the site down:

The CRA acted quickly to temporarily take down our online services, including electronic filing, and put in place the necessary maintenance security patches to ensure that all information and systems remained safe

Okay. So they patched something. My first thought was that they patched their webserver so that they don’t get hit by someone taking advantage of the Struts 2 vulnerability that is out in the wild. So I used Netcraft to confirm or deny that. The report that I got was kind of surprising. It seems that is running older versions of Apache Web Server that is vulnerable to Struts 2. That seems to be a #fail on the surface. But to be fair, they appear to be behind a F5 neworks Big-IP for protection and content delivery purposes, so I am not likely seeing what they’re really running. Thus it is an open question as to what got patched. But I am betting that it is Struts 2 related as the CRA said in its statement that they patched something that affected “websites worldwide.” Struts 2 fits that description.

This isn’t the first time that the CRA has had to take down their site because of a security issue. They got hit by someone who pwned them via an Open SSL bug known as Heartbleed a few years back. That led to a 19 year old being put in the clink because of it. But not before other Canadian Government websites had to be taken down to fix the issue and personal data was leaked.