Structure News: Yahoo sets a record that nobody wants to hold

Your weekly tech news roundup, with a little bit of Structure. Where Structure Security Is Less Than One Week Away September 23rd, 2016 / by Tom Krazit This week, we'll talk about the biggest security breach (that we know of, anyway) in internet history, five things we've learned while diving headfirst into security, and how Larry Ellison continues to be Larry Ellison. BIG PICTURE Nothing has gone right for Yahoo over the last decade. So, it's almost fitting that one of the last acts it takes as an independent company is to reveal what is probably the largest security breach in the history of the internet, based on the number of accounts affected. Yahoo disclosed Thursday that state-sponsored hackers, in its words, accessed the personal information of around 500 million accounts in late 2014. It's not clear why it took Yahoo so long to discover and acknowledge the breach, which was reported earlier this year by Motherboard, but the size of it is staggering. Fortunately, it doesn't appear that financial information was accessed, and Yahoo hashed its users passwords with bcrypt, but obviously this is not good. We're scheduled to have Yahoo CISO Bob Lord, author of the above-linked blog post, at Structure Security next week on the second day of the show, Wednesday September 28th. Hopefully he'll be able to shed a little more light on the nature of this breach and the actors behind it. The fallout from this breach will emerge over the next several weeks. Already some are wondering if the breach could damage the pending takeover of Yahoo by Verizon. Jokes about the advanced age of the average Yahoo user swirled around Twitter on Thursday, and that almost exacerbates the problem: if the stereotypes are accurate, the average Yahoo user probably reuses a lot of passwords (I re-use too many passwords) and might now be exposed to far greater harm. It's just another reminder that we need to find a new way to protect user security and identity management, because this whole protect-the-password-database thing obviously isn't working. What will it take for internet companies to get serious about user security? I'm not sure I want to know. STRUCTURE NEWS FIVE THINGS WE LEARNED PLANNING STRUCTURE SECURITY It has been a great experience planning our first security conference, Structure Security, which finally arrives next Tuesday and Wednesday at the Golden Gate Club in San Francisco. In dozens and dozens of conversations with our advisors and speakers, we've identified a few key themes that will be highlighted at the conference next week, and I expanded on those points in a post on our new site, Structure Events. It's going to be a great show next week out in the Presidio, where hundreds of the best information security and technology professionals will gather in one of San Francisco's most beautiful settings. If you haven't registered, secure a ticket to this awesome event here. INDUSTRY NEWS ARTIFICIAL INTELLIGENCE SOFTWARE IS BOOMING. BUT WHY NOW? There's nothing Salesforce.com likes better than tweaking Oracle (more on that in a bit), so it's not surprising that it announced Sunday that it was adding artificial intelligence capabilities to its popular flagship product, according to The New York Times. We might be in an era of AI washing, to some extent, but the number of companies making important bets on AI technology cant be ignored. HOW CYBER SECURITY TEAMS CAN CONVINCE THE C-SUITE OF THEIR VALUE Security professionals are seen as getting in the way at a lot of tech (and non-tech) companies, putting unnecessary restrictions on when products can be shipped. In a partial preview of what I'll discuss with IBM's Diana Kelley at Structure Security, Harvard Business Review has a nice overview of how information security practitioners can get more support from the upper ranks of their company, authored by Alejandra Quevedo of Facebook. KREBSONSECURITY HIT WITH RECORD DDOS Brian Krebs is one of the most hard-working and influential journalists in the field of information security, which means he has made a few enemies over the years. Krebs' site was hit this week by what Akamai called the largest DDoS attack it had ever seen, according to a blog post from Krebs (link is to a mirrored site, because, well...). He later tweeted that Akamai was forced to take his site offline, and we'll try to get clarification from Akamai CSO Andy Ellis next week at Structure Security the scope of this attack. EXCLUSIVE: PROBE OF LEAKED U.S. NSA HACKING TOOLS EXAMINES OPERATIVES MISTAKE The fallout from the leak of hacking tools used by the NSA continues, and Reuters reports that government investigators believe a former employee or contractor left the tools exposed on an outside server. In an interesting twist to this saga, Reuters reports that the NSA discovered the tools had been exposed three years ago after being informed of an error by that employee, but didn't tell the companies whose software vulnerabilities were being exploited by those tools because it couldnt detect any use of them by foreign hacking groups against friendly assets. ARM RAISES BAR FOR SAFETY, DETERMINISM One of the sessions I'm looking forward to next week at Structure Security involves a discussion between representatives from Intel, Qualcomm, and ARM on how hardware security can improve, and ARM this week released a new core design for automotive applications with enhanced security. EETimes reports that the new Cortex core offers new sandboxes for executing code in a secure environment. ORACLE'S CLOUD STRATEGY: IS SIMPLE: WOO AND WIN THE LATECOMERS It was Oracle Week in downtown San Francisco this week, which means the usual mix of horrible traffic and grandiose statements. The Register breaks down Oracle's pitch to its customers, many of whom have been quite skeptical about this whole cloud thing and might respond to Oracle's hybrid cloud products and services. QUOTE OF THE WEEK Our second customer -- and they're also very serious about security -- they don't think Edward Snowden was a good employee. They would not rehire him." Larry Ellison, Oracle CEO, in Forbes, being Larry Ellison Click here to unsubscribe from this list. Our mailing address is: 405 El Camino Real, #215 Menlo Park, CA 94025 Copyright (C) 2016 StructureSeries All rights reserved.