Candlelites


eWeek




Uber ignored legal requirements, paid hush money to hackers

Once again, Uber has a data breach. This time the ride-hailing service had approximately 57 million accounts compromised, which included personal information from customers, as well as more detailed information from about 600,000 of the company’s drivers. The data came from an Amazon Web Services cloud account used by the company. The hackers apparently gained access because Uber staff failed to secure the login credentials for the cloud service.

The breach itself was bad enough, but it’s been compounded by the fact that Uber attempted to hide the event from customers and regulators. In fact, Reuters is reporting that the company paid the hackers $100,000 in hush money to erase the data they took, and to keep the fact that the breach happened confidential.

Former CEO knew about breach a year ago

Former CEO Travis Kalanick was made aware of the breach in November 2016, a month after it took place, however there’s no evidence that Kalanick passed the information along to the new CEO, Dara Khosrowshahi.

The two Uber employees responsible for the mishandling of the incident, including security chief Joe Sullivan, have been fired. According to a blog entry written by Khosrowshahi, the company is now working to notify the drivers who had their driver’s license information taken and said the company will offer free credit monitoring. He also said that Uber is notifying regulators.

The 2016 data breach happened just as Uber was recovering from a similar data breach ...





Uber ignored legal requirements, paid hush money to hackers

Uber ignored legal requirements and paid hush money to hackers

Despite new CEO, Uber continues its culture of deception by failing to notify regulators, customers and drivers of new data breach for over a year.

Once again, Uber has a data breach. This time the ride-hailing service had approximately 57 million accounts compromised, which included personal information from customers, as well as more detailed information from about 600,000 of the company’s drivers. The data came from an Amazon Web Services cloud account used by the company. The hackers apparently gained access because Uber staff failed to secure the login credentials for the cloud service.

The breach itself was bad enough, but it’s been compounded by the fact that Uber attempted to hide the event from customers and regulators. In fact, Reuters is reporting that the company paid the hackers $100,000 in hush money to erase the data they took, and to keep the fact that the breach happened confidential.

Former CEO knew about breach a year ago

Former CEO Travis Kalanick was made aware of the breach in November 2016, a month after it took place, however there’s no evidence that Kalanick passed the information along to the new CEO, Dara Khosrowshahi.

The two Uber employees responsible for the mishandling of the incident, including security chief Joe Sullivan, have been fired. According to a blog entry written by Khosrowshahi, the company is now working to notify the drivers who had their driver’s licen...





HTC, Huawei offering numerous Black Friday smartphone deals

The HTC deals, including $400 off the HTC Bolt, are also good through Cyber Monday on Nov. 27.





Microsoft to release VMware-friendly Azure cloud migrate service

As organizations quickly learn when they explore their cloud computing options, migrating to the cloud is often easier said than done. Microsoft is smoothing out that process, at least for organizations that have invested in the VMware ecosystem, with a new service called Azure Migrate.

Available on Nov. 27, Azure Migrate will help users to assess their on-premises VMware environments and make the move in a guided and semi-automated manner. The service's discovery tool can be used to visualize the dependencies in applications comprised of multiple virtual machines and detect CPU, memory, storage and network utilization, data that is then used to inform its cost and virtual machine sizing guidance.

After this process is completed, Azure Migrate enlists Microsoft's cloud-based disaster recovery solution to transfer VMware workloads.

"Azure Site Recovery (ASR) enables customers to migrate VMware-virtualized Windows Server and Linux workloads with minimal downtime. ASR offers application-centric migration, allowing you to sequence your application servers as they migrate," explained Corey Sanders, director of compute at Microsoft Azure, in a blog post.

Microsoft's helping hand extends beyond VMware migrations.

The company has also rolled out new updates to its Azure Advisor, which offers recommendations on how to improve the performance, security and availability of their cloud applications and services. The latest version features an updated dashboard that provide...





Microsoft Bing 'Bird's Eye' travels to more locations

Microsoft has added dozens of new locations to the Bird's Eye feature in Bing Maps. Bird's Eye uses oblique imagery processing technology to provide detail-packed views that can help travelers navigate their surroundings by sight.

"Oblique imagery is a great complement to aerial 2D imagery because it has much more depth and provides a view of your destination that is more familiar and in line with what people expect," stated Microsoft Bing staffers in a blog post. "You can see Bird's Eye imagery in Bing Maps, and this view can offer a better context for navigation because building facades can be used as landmarks."

New areas include Austin, Texas, San Francisco County, Niagara Falls, NY and Orlando, Fla., to name a few, nudging the total number of Bird's Eye areas past the 450 locations mark. A full list of the new areas and a sampling of the images produced by the imaging technology is available here.

Building on Bing's existing sports search tools, pro football fans can use the new NFL historical results feature to settle arguments. Meanwhile, a new historical weather search feature shows how weather patterns change over time in a given location.

Bing users who are staying put for the holidays can instead use the search engine to scope out Black Friday deals and keep an eye on their holiday packages with other recent updates.

Supplementing Bing Shopping's deal search capabilities, Microsoft has gathered the Black Friday flyers from major U.S. retailers i...





Dome9 launches Magellan for context-aware cloud security

Security startup Dome9 announced its new Magellan service on Nov. 22, providing organizations with context-aware security capabilities for cloud deployments.

The Magellan service is a new module in Dome9's Arc cloud security platform that provides cloud configuration analysis capabilities. With Magellan, Dome9 is now adding context awareness, derived from enriched log data and threat analysis, to help organizations detect attacks.

"With Magellan, we're connecting time-based data, whether it's network flows or user audits, to the knowledge we have on cloud configuration," Zohar Alon, CEO of Dome9, told eWeek. "Trying to find out what is bad in a public cloud is very different from how traditional network intrusion technologies work."

Dome9 is using Magellan to help its customers consume Amazon Web Services (AWS) network and audit logs into a threat intelligence system, Alon said. Those logs are enriched by Dome9 with the configuration knowledge to help provide a more complete analysis of what is occurring in a given cloud environment.

"We can turn a very benign, simple-looking log entry into a chapter of a story," he said. For example, Alon said Magellan would know when an AWS Lambda function triggered a connection to a storage bucket or a database. He added that Dome9's threat intelligence analyzes the data based on known threats and malicious indicators of compromise.

Serverless

As a cloud-native vendor, Dome9 is making use of AWS tools to deliver and po...





How FCC plans to reverse Title II action in December

Despite dire warnings from some corners of the media, the Federal Communications Commission’s planned action isn’t the end of net neutrality, and in fact it may foster growth on the internet.

Before we get started, let’s all take a deep breath. That’s it. Breathe all the way in, then hold it for a few seconds, then exhale slowly. There. Feel better?

Good. Now that your heart rate has returned to normal, let’s set the record straight. The FCC’s plans regarding net neutrality, set to be revealed in detail on Nov. 22, aren’t going to end net neutrality. What the FCC is planning to do is reverse the decision that placed the internet under Title II of the Communications Act.

Obama changed internet governance in 2014

A little background is required, since the Title II change happened three years ago. In 2014, then-President Barack Obama directed the FCC to change course and put internet governance under Title II. This is the same part of the Communications Act that regulates landline voice telephone service. Title II was conceived in the day when AT&T was the only carrier of significance in the United States. In order to keep pricing and practices under control, rules were made controlling how AT&T, a monopoly at the time, interacted with people.

Tom Wheeler, who was the FCC chairman at the time, did what the president wanted and drafted rules placing the internet under that regulatory framework. Prior to this, the FCC had been working with Congress to draft...





Uber admits it hid massive data breach of 57M users

Uber publicly admitted on Nov. 21 that it was the victim of a massive data breach that exposed personally identifiable information on 56 million users and 600,000 drivers.

"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," Uber CEO Dara Khosrowshahi wrote in a statement. "The incident did not breach our corporate systems or infrastructure."

Among the information stolen were names, email addresses and mobile phone numbers of Uber users. The names and license numbers of approximately 600,000 Uber drivers in the United States were also stolen. Khosrowshahi noted that there is no indication that credit card numbers, Social Security numbers or dates of birth were stolen in the data breach.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," he stated. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

According to a Bloomberg report, Uber paid $100,000 to the two hackers to delete the data and keep the matter quiet. Uber did not publicly report the breach in 2016, nor did it alert the regulatory authorities. The decision to pay off the hackers and not disclose the attack was allegedly made by Uber Chief Security Officer Joe Sullivan, who has been fired by ub...





Most organizations believe they are vulnerable to insider attacks

Today’s topics include a research study highlighting the rise in insider attacks; Volvo and Uber’s self-driving car partnership; the North Korean Lazarus Group now hacking in the mobile realm; and Microsoft adding new HDR and on-screen input options to Windows 10.

According to the 2018 threat report released Nov. 20 by Crowd Research Partners, most damaging security threats surprisingly do not originate from malicious outsiders or malware, but from trusted employees inside their own organization.

Of the 472 cyber-security professionals surveyed, “about half … experienced an insider attack during the last 12 months,” said Holger Schulze, founder of Crowd Research Partners. “This report reveals the latest trends and provides actionable guidance on addressing threats as well as showcases how organizations are working to protect their critical data to prevent and mitigate inside threats.”

The report also suggests that 90 percent of organizations believe they are vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges, an increasing number of devices with access to sensitive data and the increasing complexity of information technology.

Announced Nov. 20, Volvo Car Group has agreed to sell Uber tens of thousands of self-driving cars from 2019 to 2021. The two companies have been working together in tests in Pittsburgh, San Francisco and Phoenix for the last few years.

Volvo said the agreement is n...










Smartphone makers HTC, Huawei offering Black Friday deals

HTC and Huawei have unveiled several models of smartphones that will be priced at up to $400 off for Black Friday shoppers, along with Cyber Monday deals from HTC.

The HTC sale, which began Nov. 21, is available through htc.com, with the HTC Bolt phone selling for $200, which is $400 off its normal $600 price, or $599 for the HTC U11 phone, which normally sells for $649 for a model with 4GB of memory and 64GB of built-in storage. The U11 model with 6GB of memory and 128GB of storage is also on sale for $679, a $50 savings from its regular price of $729.

Buyers of the HTC U11 smartphones also will receive a free set of JBL Reflect Aware C headphones ($200 value) and a free HTC Fetch key fob attachment ($20 value), which helps owners locate their misplaced phones.

Buyers of the HTC Bolt phones will also receive a free Fetch fob. The Bolt phones only operate on the Sprint and Boost Mobile networks.

The HTC sale runs through Nov. 29 at 12 a.m. ET.

Squeeze phones the next new thing

The HTC U11 is a 4G LTE smartphone that features a 5.5-inch Quad HD Super LCD curved display (2,560-by-1,440 resolution) that's covered with durable Corning Gorilla Glass 5, a Qualcomm Snapdragon 835 octa-core 64-bit processor, 4GB of memory, 64GB of built-in storage and a microSD card slot for storage cards up to 256GB.

The HTC U11 also includes HTC's new Edge Sense feature, which allows users to squeeze the phone by its sides to choose and switch apps, take photos and more, giving us...





10 cool holiday gadget ideas, from high-tech mics to TV accessories

Top 10 gadgets to help you get your geek on this holiday season

The holidays are a time of giving, and that means finding just the right gadget or new doohickey for your favorite techie. The recent getgeeked event in San Francisco showcased a number of innovative products that could be perfect stocking stuffers, Hanukkah gifts or simply a treat for yourself. With prices starting at $30 and going up to more than $500, there was something for every budget. Some of these, like the Mikme microphone, aren’t so much a new idea as a quality and design improvement. Others, like the Touchjet Wave, transform a common appliance, the flat screen TV, into a touch screen computer for web surfing or giving presentations. Check out our top 10 picks, listed in no particular order.

Mikme microphone

If you do podcasts or want to easily record high-quality audio, check out the portable Mikme microphone. The Mikme works wirelessly via Bluetooth to your iPhone, letting you post podcasts or other audio on the go. The Mikme app lets you sync audio from the Mikme microphone with any video you capture with your smartphone and control recordings remotely, and wirelessly stream and sync audio with the phone. The portable, high-quality audio recording comes at a price—$499. Mikme currently works only with iPhones (iOS 9 or higher).

EyeQue Personal Vision Tracker

The EyeQue Personal Vision Tracker is a "visual acuity screener" you can use at home to...





How to remove the need for shadow IT with the right collaboration tool

How good collaboration software can help erase shadow IT

Most organizations contend that content security is always their highest priority. However, unless content collaboration technology is easy to use, users will inevitably turn to less-secure shadow IT solutions like Dropbox, Evernote and Google Drive. Why? Employees simply want to be productive and get work done. While this motivation is admirable—and the underlying business purpose is usually fundamentally sound—the practice is highly risky, especially when dealing with sensitive information that may be subject to industry regulations. If organizations want to avoid having information handled, shared or stored using shadow IT products, they need to introduce a collaboration solution that balances security and ease of use. In this eWeek slide show, we offer some considerations.

Intuitive user interface

One element that makes shadow IT so compelling for employees is ease of use. By introducing collaboration solutions that feature a familiar user interface, enterprises are much more likely to see increased adoption rates. Email, for example, is an application every employee is familiar and comfortable with. And by incorporating secure file sharing from within the email interface through a “plugin,” or inside of existing enterprise applications through API-level integration, secure collaboration is just a click away.

Mobile security

While transformational for employee ...





Google downplays report on Android location data collection

Google this week downplayed a report that it has quietly been collecting location data from Android devices even when users have disabled location services or haven't even inserted a SIM card into their phones.

In a report Nov. 21, the Quartz online site contended that since at least the beginning of this year, newer Android phones have been collecting addresses of a user's nearby cellular tower and relaying that data back to Google.

Such data, while not as granular as GPS data, could still help entities--including Google--triangulate a user's location with considerable accuracy and far beyond any consumer's reasonable expectations of privacy, Quartz said.

Quartz said its investigation showed that the location-sharing practice wasn't confined to any particular type of Android smartphone or tablet. Instead, the cell-tower address data was being collected from all new Android devices as the result of a change to Google's Firebase Cloud Messaging service in early 2017.

Google claims it was not using data to target ads

Google did not dispute Quartz' claims about collecting the described data from new Android phones. But the search king claimed the data was not being used to deliver targeted ads to Android users as the report seemed to suggest.

"To ensure messages and notifications are received quickly, modern Android phones use a network sync system that requires the use of Mobile Country Codes (MCC) and Mobile Network Codes (MNC)," the company said in a stateme...










How FCC plans to reverse Title II action in December

Despite dire warnings from some corners of the media, the FCC’s planned action isn’t the end of net neutrality, and in fact it may foster growth on the internet.

Before we get started, let’s all take a deep breath. That’s it. Breathe all the way in, then hold it for a few seconds, then exhale slowly. There. Feel better?

Good. Now that your heart rate has returned to normal, let’s set the record straight. The FCC’s plans regarding net neutrality, set to be revealed in detail on Nov. 22, aren’t going to end net neutrality. What the FCC is planning to do is reverse the decision that placed the internet under Title II of the Communications Act.

Obama changed internet governance in 2014

A little background is required, since the Title II change happened three years ago. In 2014, then-President Barack Obama directed the FCC to change course and put internet governance under Title II. This is the same part of the Communications Act that regulates landline voice telephone service. Title II was conceived in the day when AT&T was the only carrier of significance in the United States. The way to keep pricing and practices under control was to make rules controlling how AT&T, a monopoly at the time, interacted with people.

Tom Wheeler, who was FCC chairman at the time, did what the president wanted and drafted rules placing the internet under that regulatory framework. Prior to this, the FCC had been working with Congress to draft legislation that would have creat...





AWS Secret Region debuts for the intelligence community

Amazon announced its newest cloud region on Nov. 20, with the public announcement of the AWS Secret Region.

As opposed to other Amazon Web Services (AWS) regions, which are available for anyone to use, the Secret Region is specifically for use by the U.S. intelligence community. The Secret Region is being made available to the U.S. intelligence community by way of the existing Commercial Cloud Services (C2S) contract with AWS.

"AWS now provides the U.S. Intelligence Community a commercial cloud capability across all classification levels: Unclassified, Sensitive, Secret, and Top Secret," Teresa Carlson, vice president of Amazon Web Services Worldwide Public Sector, wrote in a blog post. "The U.S. Intelligence Community can now execute their missions with a common set of tools, a constant flow of the latest technology and the flexibility to rapidly scale with the mission."

The new Secret Region complements the existing AWS Top Secret Region that was first made available in 2014. Carlson noted that the Top Secret Region is an air-gapped cloud, meaning it is physically separated from the public cloud.

"The AWS Secret Region is a key component of the intel community's multi-fabric cloud strategy," John Edwards, CIO of the CIA, wrote in a statement. "It will have the same material impact on the IC at the Secret level that C2S has had at Top Secret."

The Secret Region meets multiple compliance requirements, including National Institute of Standards and Technolo...





Microsoft and Box deliver joint cloud content management solution

Box using Azure, an offering that combines the content management capabilities of the business-friendly Box platform with Microsoft cloud storage, is now available.

It's not the first time Microsoft and Box have teamed up in the cloud collaboration space. In 2016, the two companies unveiled a set of integrations that allow users to save their Office files directly to their Box accounts using Microsoft's native apps for Android and preview Excel files without launching the spreadsheet software.

This time, the companies are focused on helping their joint customers securely manage their enterprise content using Office 365 and other SaaS (software-as-a-service) applications. The integration will also allow organizations to add Box's content management capabilities to their custom applications.

Some AI-enabled services are also in the works.

Sanjay Manchanda, vice president and general manager of Box, teased some upcoming capabilities powered by Microsoft Cognitive Services, saying they will "enable customers to automatically identify and categorize content, trigger workflows and tasks and make content more discoverable for users," in his Nov. 20 announcement.

It's not the first time Box has dabbled in AI.

The company introduced three Box Skills, tools that allow customers to derive more insights from their content. The initial Box Skills cover image, audio and video files, extracting and contextualizing information within each and improving their searchability.

Box ...





AT&T to fight U.S. opposition to its proposed merger with Time Warner

AT&T's proposed merger with Time Warner is now threatened after the U.S. Department of Justice filed an antitrust lawsuit Nov. 20 to block the deal, citing concerns about higher prices for consumers and less innovation if the merger is completed.

The action brought an immediate reaction from AT&T, which called the government's lawsuit wrong and vowed to pursue the case in the courts.

"This merger would greatly harm American consumers," Assistant Attorney General Makan Delrahim, of the DOJ's Antitrust Division, said in a statement. "It would mean higher monthly television bills and fewer of the new, emerging innovative options that consumers are beginning to enjoy."

The DOJ's action seeks an injunction from a federal judge to block the proposed $85.4 billion transaction, which was originally unveiled back in October of 2016.

Delrahim said the merger, if allowed, would also "enable the merged company to impede disruptive competition from online video distributors, competition that has allowed consumers greater choices at cheaper prices." The company would also "have the incentive and ability to charge more for Time Warner's popular networks and take other actions to discourage future competitors from entering the marketplace altogether," he said.

AT&T quickly disputed the DOJ's legal action, with David R. McAtee II, a senior executive vice president and general counsel for the company, calling the government's lawsuit a "radical and inexplicable depart...





Microsoft Office the target of a fall cyber-offensive

Office exploits are hardly new, but there has been a noticeable uptick in attacks in the fall of 2017 that target the popular business productivity software suite from Microsoft.

In a Nov. 21 advisory, Microsoft's Office 365 Threat Research team said that they had observed an escalation in the efforts of attackers to infect systems running Office. This new wave of activity can be traced to some recently disclosed exploits, which are now serving as launching pads for complex attacks, according to the group.

"The discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike," wrote Microsoft's security researchers in a blog post. "While crimeware attackers stick to payloads like ransomware and info stealers to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants."

Microsoft singled out four vulnerabilities (CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 and CVE-2017-11826), all of which have been fixed, but may still linger in organizations that have delayed or are a little behind in their security patches. The software maker noted that apart from CVE-2017-11826, a memory corruption vulnerability, attacks based on these exploits "pull the malware payload from remote locations," a technique that makes it tough for anti-virus engines and security sandboxing solutions to reliably de...