Tag Archives: leak

M&S website temporarily suspended after leaking customers’ details

Updated: Around 800 Marks & Spencer customers had their personal details exposed online due to a technical glitch

British retailer Marks & Spencer temporarily suspended its website on Tuesday night, after some customers complained they could see each other’s details when they logged into their own accounts.

Posting on the company’s Facebook page, customers expressed alarm that they could see other people’s orders and payment details when registering for the new members club and card scheme called “Sparks.”

“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I’m logged in to someone else’s account!” wrote Konstantinos Vlassis.

“M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”

Fellow customer Vanessa Frost wrote: “There seems to have been a data breach on your M&S website – if I log into my account on there it brings up another person’s details – this is happening to loads of people.”

M&S said that the glitch was the result of an internal error rather than a third-party attack on the site, and said no financial data had been extracted. However, personal data, including names, dates of birth, contacts and previous orders, was exposed.

The website was taken offline at about 6.30pm and was back on by 9pm.

“We can confirm that around 800 people were affected by a technical issue that led to us temporarily suspending our website yesterday evening,” a spokesperson for Marks & Spencer said.

“We are now writing to every customer affected to apologise and to assure them that their financial details are safe.”

Commenting on the incident, Phil Barnett, VP Global at Good Technology, said that many companies are flying blind when it comes to security, because they don’t think it affects them.

“Marks and Spencer’s proves that customer data breaches are real threats and have serious consequences. Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority,” he said.

“When GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it’s not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business.”

Last week British telecoms firm TalkTalk suffered a major cyber attack, which potentially compromised the data of more than four million customers. A 15-year-old schoolboy has been arrested in connection with the incident.

The Intercept’s drone doc mega-leak is whistleblowing evolved

The Intercept is once again the host of a major leak of classified US documents, this time with a focus on US policies on drones and the “targeted killings” they allow. The extensive eight-part series, called The Drone Papers, attempts to lay bare the process of selecting, approving, finding, and executing a target, explicitly comparing this process to the one stated or implied to be in effect by the Obama administration. Among the more concrete revelations are that targeted killings may hurt intelligence capabilities on the ground, and that US drone strikes kill potential innocents as often as 90% of the time.

The Drone Papers is a slick and effective display of complex leaked information. It shows both The Intercept’s nature as an activist publication and its history with the Snowden leaks, that it has gone to such lengths to present a clear, compelling, monolithic place to read about this policy-relevant information. There is clearly an awareness of how poorly understood the Snowden revelations ultimately were, how scattered and overly technical the reporting. These documents are far less complex, and they can be summed up in a series of rather compelling news-pinion features. They say “months,” but it would still be interesting to know just how long these journalists have been sitting on this information, working to make sure the release goes just right.

The premiere piece is titled The Assassination Complex, written by swashbuckling conflict journalist Jeremy Scahill. It sums up the issue and explains the leak and its anonymous source. This is an Intercept joint, so the whole thing is laced with legitimate but subjective points, while it would probably be more helpful as a sober primary document. As it is, this first reporting of the data comes in a nakedly interested package, talking about things like the “futility of the war in Afghanistan” and potentially providing a means for some to ideologically dismiss the otherwise hard-nosed empirical arguments.

The most interesting piece, I think, is the second one, entitled A Visual Glossary. This goes through many of the maps, figures, and charts of the leak with an eye for vocabulary. Drones are “birds.” A period of lost contact with a target is a “blink.” To kill is, in many cases, to “finish,” both the person and operation. And, as has been reported elsewhere before, seemingly important terms like “imminent” and “threat” are used so loosely as to be totally meaningless. It all sums to show the sanitized, fluorescent-lights-on-grey-carpet banality of remote warfare. The Drone Papers wants people to understand the human reality (or lack thereof) in the so-called Kill Chain that directs this program and ends at the very top, with the President of the United States.

This kill chain of legal authorities has been much ballyhooed by the government as being robust and accountable, with a tough requirement for reliable information. Targets are “finished” only when they are virtually certain to be guilty, and virtually certain to be taken out cleanly in the strike. The Intercept’s reporting reveals a different story, particularly focusing on one five-month period in which only 10% of those killed by drones in Afghanistan’s Operation Haymaker were the intended target. Not all of the remaining 90% were civilians, as many would certainly have been terrorist-affiliated associates of the target — but neither can they all possibly be “enemies killed in action,” as is their official designation.

As seen in the leaked papers, one of the major contributing factors to this state of affairs is an overreliance on so-called signals intelligence. Targeting bombs to SIM cards or online cookies can perhaps reliably target a particular device, but devices get passed around between friends and family. Perhaps that explains the 2011 killing of Abdulrahman al-Awlaki, who was not an approved target on a kill list, two weeks after the assassination of his uncle, well-known jihadist and American citizen Anwar al-Awlaki. We still don’t know the reasoning behind that second strike.

There’s also an oft-repeated claim that the targeted killing program has come at the expense of intelligence capabilities, as potential sources of information are now being eliminated rather than captured for interrogation. The Intercept notes that, “The slide illustrating the chain of approval makes no mention of evaluating options for capture. It may be implied that those discussions are part of the target development process, but the omission reflects the brute facts beneath the Obama administration’s stated preference for capture: Detention of marked targets is incredibly rare.”

These policies straddle the line between security and foreign policy — is it a military or a diplomatic decision, to kill a foreign civilian on his own soil, in a country with no ongoing state of war? Is it a military or a legal decision, to kill an American citizen and avowed jihadist living abroad, without trial? Right now, the answer to both questions is clearly the military. As revelations like this continue to tumble out of the US government (and they almost certainly will), that mentality might finally be about to change.

Lenovo’s Superfish security snafu blows up in its face

The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.

Removing software that comes with your brand-new Windows computer can be frustrating, but recently discovered software on new Lenovo laptops — the top-selling laptop brand in 2014 — can put your entire digital life at risk.

The preloaded software, called Superfish, alters your search results to show you different ads than you would otherwise see. But it also tampers with your computer’s security so that attackers can snoop on your browser traffic — no matter which browser you’re using.

“Attackers are able to see all the communication that’s supposed to be confidential — banking transactions, passwords, emails, instant messages,” said Timo Hirvonen, a senior researcher at security software maker F-Secure. That kind of threat, known as a man-in-the-middle attack because the hacker can spy on the users’ Internet traffic and infiltrate their computer, poses a serious risk to consumers, he said.

Lenovo is scrambling to fix the problem. “We messed up badly,” said Peter Hortensius, Lenovo’s chief technology officer. He claims Lenovo was unaware Superfish put consumers’ Internet traffic up for grabs. “The intent was to supplement the shopping experience.”

On Friday afternoon, the PC maker said it was working with McAfee and Microsoft to have Superfish “quarantined or removed.” Lenovo released a Superfish removal tool that it promised would eliminate all traces of the software from Lenovo computers. Also on Friday, the US Department of Homeland Security warned that the Superfish software introduces a “critical vulnerability,” and it issued its own instructions for removing the spyware from Lenovo computers.

Superfish said Friday that it is working with Microsoft and Lenovo on a fix, and minimized concerns by the government and security researchers.

“The Superfish code does not present a security risk. In no way does Superfish store personal data or share such data with anyone,” Superfish said in an emailed statement. “Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale.”

A spokesman for Microsoft, which makes the Windows operating system that powers Lenovo’s laptops, at first referred to Lenovo’s own security advisory on Superfish. On Friday he added that Microsoft has changed its default Windows security software to detect and remove the Superfish software.

At issue is the potential impact of preinstalled spyware making consumers and businesses vulnerable to hackers without their knowledge. Superfish’s technique for spying on otherwise secure communications from your computer could herald a new and dangerous trend for preloaded software. And with consumer Internet traffic exposed to the kind of attack Hirvonen describes, user trust is on the chopping block.

Why did this happen? Part of the reason is that since the 1990s, consumers have become accustomed to both preloaded software and apps showing ads without permission. But it’s practically unheard of for that software to expose laptop owners to this kind of attack.

“Consumers trust that their laptops won’t come with a vulnerability like this,” said Chris Wysopal, co-founder of security analysis company Veracode. And it’s not just consumers at risk from insecure browsers, but businesses, too.

Another reason Superfish is unusually dangerous is that it’s not an app like Adobe Photoshop or Microsoft Word, but rather code hidden from everyday users.

“You know it’s not helpful software because helpful software is easy to install, and find and uninstall,” said Galen Ward, the CEO of Estately, a startup focused on home buying and selling. He removed Superfish from an employee’s Lenovo Flex 2 laptop in January, but following standard protocols of searching the laptop for Superfish files didn’t work, he said.

Lenovo now has labeled the Superfish threat on its laptops as “high,” its most severe rating. Nevertheless, the immediate impact on consumers could be minimal if they take steps to clean their computers. If you are worried your computer has Superfish on it, CNET has a Superfish removal guide.

Superfish makes two changes to the way computers surf the Internet. It alters search results, including those from Google, so when a user moves the mouse over a product, it shows additional information such as similar listings at lower prices. But Superfish also cripples a Web browser’s ability to communicate securely.

Lenovo’s Hortensius said the company is not aware of any consumers whose data was compromised in an attack because of the Superfish software. However, an investigation into Superfish by security researcher Robert Graham has shown that compromising a Lenovo laptop’s security via Superfish is more than merely theoretical.

Lenovo declined to say how many people own laptops infected with the software, but the company sold 16 million Windows computers in the fourth quarter of 2014, IDC said. It was installed on more than 11 types of Lenovo laptops sold to the public between September 2014 and January 2015, including the popular Yoga and Flex models. Lenovo has published a full list of affected computers.

AMD’s next-gen CPU leak: 14nm, simultaneous multithreading, and DDR4 support

Ever since it became clear that AMD’s Carrizo would be a mobile update with a focus on energy efficiency as opposed to raw performance, enthusiasts and investors have been hungry for details about the company’s upcoming CPUs in 2016. AMD has been tight-lipped on these projects, though we heard rumors of a combined x86-ARM initiative that was up and running as of early last year — but now, a handful of early rumors have begun to leak about the eventual capabilities of these new cores.

As with all rumors, take these with a substantial grain of salt — but here’s what Sweoverclockers.com is reporting to date. We’ll rate the rumors as they’re given on the site: According to the post, the new AMD Zen is:

Built on 14nm: For a chip launching in 2016, this seems highly likely. Jumping straight for 14nm won’t obviate the gap between AMD and Intel, but the company is currently building its FX chips on legacy 32nm SOI while its Kaveri and Carrizo are both 28nm bulk silicon. The double-node jump from 28nm to 14nm should give AMD the same benefits as a single-node process transition used to grant. Given the advantage of FinFET technology, we’d be surprised if the company went with anything else. The chips are also expected to be built at GlobalFoundries, which makes sense given AMD’s historic relationship with that company.

Utilize DDR4: Another highly likely rumor. By 2016, DDR4 should be starting to supplant DDR3 as the mainstream memory of choice for desktop systems. AMD might do a hybrid DDR3/DDR4 solution as it did in the past with the DDR2/DDR3 transition, or it might stick solely with the new interface.

Up to 95W: Moderately likely, moderately interesting. This suggests, if nothing else, that AMD wants to continue to compete in the enthusiast segment and possibly retake ground in the server and enterprise space. Nothing has been said about the graphics architecture baked on to the die, but opting for an up-to 95W TDP suggests that the company is giving itself headroom to fight it out with Intel once again.

Opt for simultaneous multithreading as opposed to cluster multithreading: With Bulldozer, AMD opted for an arrangement called cluster multithreading, or CMT, in which a unified front end issues instructions to two separate integer pipelines. The idea behind the Bulldozer design was that AMD would gain the benefits of having two full integer pipelines but save die space and power consumption compared to building a conventional multi-core design.

Intel, in contrast, has long used simultaneous multithreading (SMT), which they call Hyper-Threading, in which two different instructions can be scheduled and execute within a single clock cycle. In theory, AMD’s design could have given it an advantage, since each core contains a full set of execution units as opposed to SMT, where those resources are shared, but in practice Bulldozer’s low efficiency crippled its scaling.

The rumor now is that AMD will include an SMT-style design with Zen. It’s entirely possible that the company will do this — Hyper-Threading is one example of SMT, but it’s not the only implementation — IBM, for example, uses SMT extensively in its POWER architectures. The reason I’m not willing to completely sign off on this rumor is that it’s a rumor that’s dogged AMD literally since Intel introduced Hyper-Threading 15 years ago.

The benefits of using SMT are always dependent on the underlying CPU architecture, but Intel has demonstrated that the technology is often good for a 15-20% performance increase in exchange for a minimal die penalty. If AMD can achieve similar results, the net effect will be quite positive.

The final rumor floating around is that the chip won’t actually make an appearance until the latter half of 2016. That, too, is entirely possible. GlobalFoundries’ decision to shift from its own 14nm-XM process to Samsung’s 14nm designs could have impacted both ramp and available capacity, and AMD has pointedly stated that it will transition to new architectures only when it makes financial sense to do so. The company may have opted for a more leisurely transition to 14nm in 2016, with the new architecture debuting only when GF has worked the kinks out of its roadmap.

No information on performance or other chip capabilities is currently available, and the company has said nothing about the integrated GPU or possible use of technologies like HBM. The back half of 2016 would fit AMD’s timeline for possible APU integration of HBM — which means these new chips could be quite formidable if they fire on all thrusters out of the gate. During its conference call last week, AMD mostly dodged rumors about delays to its ARM products, noting that it had continued sampling them in house and was pleased with the response. Presumably the company’s partners remain under NDA — there are no published independent evaluations of these products to date.
