May 22, 2014
After hackers stole e-mail addresses and other user data from EBay's network, the company announced today that it would e-mail users to suggest they change their passwords. That doesn't make a whole lot of sense. The problem with this approach is that the hours immediately following a breach are prime time for hackers. Cyber-criminals are consummate opportunists. They scrutinize the news looking for ways to craft fraudulent and timely messages to trick people into clicking on them. The millions of EBay users who may have caught wind of the breach after seeing a headline today are more likely to fall for an e-mail scam prompting them to click a link and input their log-in information. A similar technique was used by Chinese military officers to hack into U.S. companies, showing that in cyber-security, people are their own worst enemies.
Instead of e-mailing the auction site's more than 145 million active buyers worldwide, EBay could have immediately done something that Adobe Systems, LinkedIn and Evernote all did after their recent high-profile hacks: change users' passwords. Automatically resetting accounts is becoming a "common courtesy" after many breaches, says Lysa Myers, a researcher with Slovakian security firm ESET. EBay said in a statement earlier today that there's no evidence of unauthorized activity resulting from the breach. Kari Ramirez, a spokeswoman for EBay, now says all users will "shortly" be required to change their passwords before logging in. "Far too many people will simply ignore the notification and do nothing," says Brian Contos, a vice president at security firm Blue Coat Systems. "Companies should automatically reset passwords, notify users why this is being done when they log in and hopefully allow more robust alternatives," such as two-step authentication.
For a case study in the danger of waiting, look at what happened to LinkedIn. A day after the company disclosed in June 2012 that encrypted passwords for some users had been stolen, 6.5 million LinkedIn passwords showed up on a hacker site. The company initially reset only the passwords it believed to be cracked. Later, LinkedIn disabled the passwords of other users who might have been affected. Contrast that with Evernote's response to a breach of its network in March 2013 where user data - including passwords protected by strong encryption - were stolen. The Redwood City, California-based company went all the way. It disabled all passwords and required users to create new ones the next time they logged in, a step the company said was taken out of "an abundance of caution."
A blanket resetting of passwords can irritate users and in the case of e-commerce, slow or deter purchases. But trusting people to protect themselves is not a good form of cyber-security. Bloomberg
Comcast Corp. held an uneventful shareholders meeting Wednesday, during which chief executive Brian Roberts reiterated his sentiment that he was "extremely excited" about a proposed merger with Time Warner Cable Inc., and unionized Comcast technicians pressured the company to improve its treatment of them. The Chicago union, one of the few recognized by Comcast, is negotiating a new contract. Roberts said the meeting was not the venue for bargaining.
After the meeting at the Kimmel Center, about 50 antimerger protesters on the sidewalk chanted "Comcast has the tower and the people have the power," calling it a people's vote on the merger. Consumers Union, Free Press, and Common Cause organized the protest and presented the names of several hundred thousand individuals who they said oppose the Comcast/Time Warner Cable deal. The two companies are the largest and second-largest cable-TV companies. Inside the meeting, Roberts noted that NBC would be the top-rated TV network for the 2013-14 prime-time season in the advertiser-coveted 18- to 49-year-old demographic. This year's TV season ended Wednesday night. "We have a lead that will not be overtaken," an NBC spokesman said Wednesday. NBC attributes its ratings success to solid ratings from Sunday Night Football, the Sochi Olympics, The Voice, and Blacklist. Philadelphia Inquirer; more in Los Angeles Times
- New York Times: Netflix Faces Hurdles, Country by Country, in Bid to Expand in Europe
- Fierce Cable: Wheeler expresses concern about programmers blocking websites during carriage fights
- Wall Street Journal: Meet Jessica Rosenworcel, the FCC Swing Vote (registration may be required)
- New York Times: Facebook Offers Privacy Checkup to All 1.28 Billion Users
- Pittsburgh Post-Gazette: Corbett frames gubernatorial election as jobs vs. taxes
- Philadelphia Inquirer: How to catch Wolf: GOP strategists begin counting ways
- Allentown Morning Call: Corbett got fewer votes than his lieutenant
- Pittsburgh Tribune-Review: Analysts don't discount Corbett, say Wolf has early momentum