Fog rolled in and coated San Francisco in clouds during the Structure Security conference this week. The weather served as an appropriate meteorological metaphor for the event’s theme: dealing with cyber threats—and the fallout from them.
Bob Lord, chief information security officer at Yahoo, was easily the two-day event’s highlight when he appeared on stage to chat about the mega security breach that his company is facing. Although he didn’t reveal much new information, Lord did reiterate key details about the data heist at Yahoo involving 500 million user accounts. Among them, he said he strongly believed that the attack was state sponsored (despite some speculation to the contrary); it happened in late 2014 (before he took a job there); and no, it was not part of an alleged compromise of user login credentials that news site Motherboard reported on earlier this year.
That earlier breach claim—which Lord described as “independent,” “unrelated,” and “unsubstantiated”—did have an effect though. It provoked the investigation that would ultimately uncover the far bigger theft of information, he said. Looking poised and professional, Lord took questions from the audience during his session, including one about a New York Times report that Yahoo had a lackadaisical attitude about security, in general. Lord dismissed the claim, and added that he joined “the Paranoids,” as the security team at Yahoo is known, because of its exceptional reputation.
Kudos to Yahoo for letting Lord speak at the event. There’s no telling what the impact of the breach will be on its pending $4.8 billion acquisition by Verizon. With many details still to be disclosed about the attack, we’ll just have to wait, like the Bay Area’s residents, for the fog to clear.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
FBI to get hack-happy. A change in the federal rules governing criminal investigations is set to give the Federal Bureau of Investigation expanded hacking powers—namely, the ability to seek a computer hacking warrant in any jurisdiction, regardless of the location of the target machines. The revision, slated for December, is designed help the bureau catch pedophiles online, but it could also give law enforcement a free pass to conduct mass hackings, critics warn. (Washington Post)
J-Law gets justice after 'Celebgate.' Edward Majerczyk, the 29-year-old man charged with hacking into celebrities' online accounts and accessing private data, like nude photos, pleaded guilty in a Chicago court on Tuesday. His sentencing of up to nine months in prison is scheduled for Jan. 10. (Fortune)
Let the bidding wars begin! Zerodium, a software exploit broker, tripled the price it is willing to pay for hacking tools that crack open Apple's iOS 10. The firm says it will now shell out $1.5 million for per "jailbreak," as the exploits are known, compared to Apple's maximum $250,000 reward. (Ars Technica)
Google saves the day. The search giant's Jigsaw Project swooped in to shield a site run by Brian Krebs, a computer security researcher, from a huge denial of attack. Akamai, the cloud network that had previously provided Krebs with protection free of charge, dumped him when faced with a massive surge in spoofed Internet traffic. (Fortune)
ForeScout eyes IPO. The billion-dollar network security firm is reportedly talking with investment banks about a potential initial public offering. Last week, Fortune reported that the firm had added McKesson's finance chief to its board, and would likely to start the IPO process soon. (Fortune, Fortune)
Oh, and in case you missed it, at Monday's presidential debate America learned that "the cyber," as Republican nominee Donald Trump refers to computer-related activities, apparently involves of 400 lbs hackers.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Here's an excerpt from my recent profile of Vitalik Buterin, creator of Ethereum, a cryptocurrency network for building decentralized applications, in the 40 Under 40 issue of Fortune. The story opens with a blow-by-blow describing the attack that sunk The DAO, a venture once hailed as the most successful crowd-funded project ever.
In the chatroom, emotions ran high. “Are we fckd?” one person asked. “Man what a epic failure,” ranted another. “I’m in the bathtub, about to throw a toaster in!” said a third. Another person summarized: “:fire: :fire: :fire: :fire: NOBODY PANIC :fire: :fire: :fire: :fire:” Many drew comparisons to Mt. Gox, a Japanese virtual-currency exchange—once the largest of its kind—that had collapsed in a catastrophic $460 million hack two years prior. Were they now watching the DAO implode too?
By the time Slock.it had regained control the next day, the hacker (or hackers) had stolen more than $50 million—nearly a third of the DAO’s funds. As people scrambled to make sense of the calamity, one name rang out in the forum. “Where is Vitalik?” asked one. “Wake up vitalik,” pleaded another. “Vitalik, our alien overlord, please save us.” Read more on Fortune.com
FORTUNE RECON
Here's Why Europe Is Cracking Down on Surveillance System Exports by David Meyer
This Tool Tracks Everything You Do at Restaurants and Nightclubs by Polina Marinova
FBI Chief Security Guru Talks Fighting Insider Threats by Jonathan Vanian
Watch Out for the IRS Email Scam by Madeline Farber
Facebook, Uber, Slack, and Pandora Pros Praise Open Source Security Tools by Robert Hackett
Hackers Can More Easily Steal Your Passwords With Apple's iOS 10 by Don Reisinger
Blockchain Will Be Used By 15% of Big Banks By 2017 by Lucinda Shen
ONE MORE THING
Lock down your "connected" devices, people. Unsecured Internet-connected devices, like cameras, washing machines, and laptops, can be taken over by attackers and conscripted into denial of service strikes, like the kind that recently knocked security blogger Brian Krebs offline. The insecurity of the so-called Internet of Things poses a threat to free speech as well as to the tech underlying the Internet. (Wall Street Journal)
