Google Wallet debuts automatic transfers so you can skip “cashing out”

Google is stepping up its battle with Venmo, Square Cash and other person-to-person payment applications with an update to its Google Wallet mobile app, which now allows for automatic transfers to your bank account. That is, transfers will no longer require you to cash out money from your Wallet balance first. This will speed up the time it takes for Wallet users to gain access to their cash, something that has been slower in the past.

The feature was announced in the app’s update text on Friday, but we understand the feature will actually begin rolling out gradually, starting next week.

As you may recall, Google Wallet transitioned to become a peer-to-peer payments app last year following the launch of Android Pay, Google’s Apple Pay rival now used at point-of-sale and for in-app purchases on Android devices. Earlier this year, the company also dropped support for the physical, plastic Google Wallet card associated with the app, as it continued its transition to p2p payments.

Today, waiting to cash out your balance from Google Wallet can still take time, which is why Google is switching on this automatic transfers option.

Users will now be able to select a bank account or debit card for automatic transfers within the app or via the web. Once enabled, you won’t have to manually “cash out” money from your Wallet balance – it will just automatically become available.

That doesn’t necessarily mean it will be “instantly” available, however – that depends on several factors – like who you bank with, or whether you’re crediting the money back to a debit card. Transfers to debit cards will be instant in most cases, though some banks may take 24 hours to process those transactions. Meanwhile, transfers to banks should take 1 to 3 days.

This change also means that when you send money to friends, those funds will also be able to go to their bank accounts automatically, without any waiting time for them.

Of course, you’ll still be able to keep money in your Google Wallet balance if you want to – that option is not going away.

There will still be times when transfers take longer, though, as with any other payments service. Google may need to run fraud checks or may need to perform additional verification of user accounts, on occasion.

However, the move to bypass the “cash out” process could help Google Wallet better compete against the growing number of digital payment services, including PayPal and PayPal-owned Venmo, Square Cash, and even social networks like Facebook and Snapchat, which have experimented with bundling in payments to their messaging apps. Apple, too, will soon support payments in iMessage, as powered by Square Cash.

Square Cash powers Snapchat’s payment system, too, but it only this year added the option to hold a balance through an optional “Cash Drawer” setting. With the update, Google is moving like Square Cash in reverse. It already had the cash drawer option; now it can transfer the money more quickly, too.


via:  techcrunch


vBulletin vulnerabilities expose 27 million accounts, including gamers on

LeakedSource disclosed 11 new data breaches.

Recently exploited software vulnerabilities in vBulletin have exposed more than 27 million accounts across nearly a dozen websites.

A majority of the compromised accounts are linked to three games on In addition to the gaming accounts, more than 190,000 accounts were exposed on, as well as more than 100,000 accounts on

Combined, the compromised domains allowed LeakedSource to add 25,133,805 accounts to their database on Wednesday. At the time of notification, they had managed to crack 12,463,300 passwords.

The compromised accounts were exposed recently (August 2016) and are from the gaming side of the company. CFire, Parapa, and Tanks accounts were all exposed. The Parapa forums were also compromised.

Along with passwords, the records include usernames, email addresses, phone numbers and IP addresses. The other accounts compromised include usernames, email addresses, IP information, passwords, and birthdays.

“Not a single website used proper password storage, they all used some variation of MD5 with or without unique salts,” LeakedSource said.

All of the compromised domains were running unpatched vBulletin software, which allowed attackers to target SQL Injection vulnerabilities in the Forumrunner add-on on vBulletin installations older than 4.2.2 or 4.2.3. These problems were patched in June.

Moreover, a recent security update impacting the same software versions running on the compromised domains was issued on August 1, which if exploited would allow malicious attachment uploads.

“Sadly, this compromise is not a surprise. Too often, companies know valuable applications and systems are vulnerable yet due to the risk of disrupting operations to apply a fix, critical vulnerabilities are not properly patched. Their behavior results in a gamble that they won’t be hacked,” said Ryan Stolte, CTO and co-founder at Bay Dynamics, in a statement.

“IT and security teams are also not coordinating and communicating with the line-of-business application owners who govern those highly valued assets so that they are held accountable for remediating vulnerabilities. In other cases, there is simply an operational disconnect where they perform a vulnerability scan, find out which applications and systems are vulnerable, but the vulnerabilities are not prioritized and routed correctly based on the value of the asset at risk and who owns that asset.”

In addition to the domains, the remaining 2,315,283 accounts were exposed after the following domains were compromised via the same methods: (EN) (FR) (DE)

Salted Hash reached out to and the others for comment.

In response to the LeakedSource disclosure, – the company behind,, and – issued a public notice and apologized to users.

The company has since patched their vulnerable vBulletin installations, but they’re not able to determine when the data breach occurred. As such, they’ve reset all passwords on each of the impacted forums.

“We regret to inform you that the data breach includes e-mail addresses, user names, and encrypted passwords associated with forum accounts on these forums. Even though passwords were encrypted, these can be cracked and should be considered compromised. It is important to note that forum accounts and game accounts are separate and are stored on different servers using different security systems. Game accounts have not been compromised,” the statement explained.

In a statement to Salted Hash, a spokesperson for Expert Law said they were not able to find evidence of a successful data breach in their system logs, but they’re going to assume the worst has happened.

“I do patch the server and software and maintain security measures, and I have not found evidence of a successful intrusion, but we could be talking about an access that occurred prior to the implementation of a patch and that predates or is not reflected in my logs,” the spokesperson said in an email exchange.

“I have not yet been able to produce certain unique email addresses from the database on the hackers’ website but, as they say, tomorrow is another day and I have to operate on the assumption that the hack occurred.”


A spokesperson from says the leaked passwords are not valid. However, the company didn’t address any of the questions sent by Salted Hash concerning the data breach. Their full statement is below:

“The passwords mentioned by LeakedSource are no longer valid. They are old passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way.”

Update 2 (8/25/16 0800 EST):

Responding to the statement made by yesterday, a spokesperson for LeakedSource said one of the most important questions to ask when examining a data breach that includes credentials, is ‘are or were those passwords valid?’

So the statement from is “akin to Microsoft buying Minecraft, integrating users into Microsoft Live and then the original Minecraft passwords being stolen. Yeah, that’s nice Microsoft Live wasn’t hacked but the data is still highly relevant and important.”

In response to follow-up questions from Salted Hash, accused LeakedSource of not playing fair and being irresponsible with their disclosure.

“We found out about this episode from the media, to which LeakedSource gave this information, breaking the responsive disclosure rule. This unspoken rule is used by white hat hackers all over the world: before publicly disclosing a vulnerability or leak, inform the service of it to give an opportunity to patch it,” a spokesperson said.

“This is how the real care for users works. Thus we presume that it’s not actually users’ protection LeakedSource is so worried about but rather publicity and commercial profit (from clients attracted to them as a result of security scandals and from subscriptions to their services they are very aggressively offering to companies involved in such episodes).”

When questioned about the risk of password reuse, said that such a risk is always a factor and that the company will “check this database for password reuse as well and, if we find any matches, we’ll block the compromised accounts and force the owners to go through an access recovery procedure.”

Speaking to questions regarding the storage of passwords via MD5 with known salts, referred back to their original statement.

“As we said in our official statement, the database contains legacy passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way.”

via: csoonline


Why Continuous Scans Are Important to Vulnerability Management

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks.

EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery, facilitate the process of inventorying each device that is connected to the network and documenting all software applications running on each device. Once organizations begin actively monitoring what is installed on their networks, they can then transition to hardening the security of those devices. An important part of that process is the decision to launch a vulnerability management program.

When it comes to vulnerabilities and exposures, attackers benefit from automation, crowdsourcing, big data, mobile, low-cost cloud computing, and other resources just as much as security personnel do. Only they have an advantage: malicious actors need to find just one unpatched vulnerability, whereas security teams need to find (and patch) all hardware and software flaws every time.

Which begs the question: how can organizations leverage a vulnerability management program to gain an advantage over attackers?

Tripwire offers several answers in Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals, a guide which offers advice on how infosec professionals can implement the six security controls of EDR.

First and foremost, organizations need to remember that security is an ongoing process. Though a device might be safe today, an actor could discover a serious vulnerability in the application’s software tomorrow. Companies should therefore strive towards continuous vulnerability scans to pick up on those constant changes. Additionally, they should leverage resources like the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities in a meaningful way.

Just as security is a process, so too is a vulnerability management program. At the outset, a company might not have the scanning infrastructure or human resources needed to conduct and analyze continuous scans of its network environment. But it’s important that it works towards that capability. Indeed, continuous scans not only help organizations determine whether they are actually fixing the flaws they discover. They also help companies identify trends in the performance of the vulnerability management program, information which security managers and other executives can use to justify budget allocation to the Board of Directors.

With more resources, organizations can strengthen their vulnerability management program by adding on digital threat intelligence feeds, authenticated/credentialed scans, and SIEM with Network Intrusion Prevention System (NIPS) logs.

Interested in getting even more out of your organization’s vulnerability management program? For more helpful tips and recommendations, please download Tripwire’s resource here.

Via: tripwire


Is Your IT Security and Risk Management Strategy Getting the Job Done?

IT decision makers have a very difficult job. They are often asked to make technology decisions on subjects for which they may only have cursory knowledge. Then when things go wrong, they are responsible for dealing with the fallout of those decisions.

It’s one thing to make a mistake when deciding on something relatively trivial, like picking out what kind of PC to buy. You can easily address shortcomings for a disappointing solution. A PC that isn’t powerful enough can get more RAM or can be upgraded to a bigger hard drive. However, when it comes to making decisions about security/risk, the stakes are much higher.

A failed security solution that leads to a data breach can’t be fixed simply by buying a part or repurposing hardware assets. Unfortunately, these design failures can only be repaired after damage has already been done.

When you find out that your firewall was insufficient and a hacker penetrated your network, you can’t reverse the clock and make up for an uninformed decision that may have been made years ago. Your only option at that point is to control the amount of damage in place.

It’s just like buying a cheap washing machine. If the washing machine can’t handle the clothes you put in it and leaks water, you have to deal with the damage caused and probably repair the machine itself. From someone who has had to deal with water damage, I can tell you that I much prefer having a robust solution up front so that I never have to worry about the problem affecting my life.

This leads to the main issue I’d like to confront in this blog: how you, as a decision maker, can know up front if your security and risk management strategy is getting the job done.

I have some good news and some bad news. The bad news is that there is no 100% positive security and risk management approach. Any solution can fail. Even when building a system with security in mind from the beginning, sometimes these solutions fail when you need them most. Even an experienced, well-educated, trusted advisor can guide you down a path that they think will protect you, and a data breach can still happen.

The problem with security threats is that they are constantly evolving. Nobody holds the crystal ball to tell you what threat you may have to deal with tomorrow, much less threats that may develop months or years from the time you build your system.

The good news, however, is that there is a tried and true way to gain a real sense of how well your current security controls are working: a risk assessment.

In addition to providing you with insight into the effectiveness of your security measures, a robust risk assessment gives you the opportunity to evolve your IT security and risk management strategy. This allows you to stay on point when it comes to knowing what threats are out there and how you need to deal with them.

Four main features must be present in a solid risk assessment:

  1. Uses thorough vulnerability and configuration scanning tools to look for weaknesses within your system.
  2. Identifies various areas of risk based on the sensitivity of data, best IT practices, and the configuration of the current system.
  3. Performs vulnerability scans on the perimeter that expose specific weaknesses from the outside.
  4. Looks at workflows and behaviors of staff to ensure they are operating in a method that is consistent with the technical security measures.

In short, a well-designed risk assessment uses metrics, best configuration practices, other compliance standards, and to some extent user behaviors to determine what data assets are worth protecting and what shields those data assets from damage or loss.

From there, you can determine if your security and risk management strategy is effective, even if it’s not perfect (which it can never be).

My philosophy is that security and compliance should be treated as a discipline rather than just another technology solution you need to buy. Deploying proper tools to manage risk and then regularly evaluating how well those tools are working is the only reasonable approach to keeping up with a world of constantly evolving threats.

Via: tripwire


Make sure your internet connection is clean: QUICK TIP

This has got to be the quickest Quick Tip of all. Literally. With just one click, it’s too easy not to do.

You know your computer can be infected. But did you know your router can, too? And because most people just aren’t aware of it, if your router is compromised, it could stay that way a long time without you ever knowing.

Unless, of course, you use our free Router Checker. No need to download anything. Just visit the page and click to start the check.

Hacking your router is just one more method attackers use to display fraudulent advertising, spread malware, or steal your private account credentials. It’s called DNS hijacking.

When you type in a website name, say “,” you’re directed to a DNS server that will find the website’s IP address – say “44.567.54.69” for example, and display the website you need. But in a DNS hijack, hackers change your router’s settings to direct you to a rogue DNS server. The rogue server will give a malicious IP address, purposely directing you to a website that may look like the one you want, but it’s not.

Here’s an example: Let’s say you want to log into your bank account. But unbeknownst to you, you’re directed to a look-alike website that’s not really your bank. You enter in your bank username and password. Now the attacker has your credentials, which he (or she) can use.

F-Secure Router Checker makes sure the settings on your computers, phones, and routers connect to safe DNS servers.

So what are you waiting for?

Visit the F-Secure Router Checker page and click on “Check Your Router.”

It’s too easy not to do.

Via: safeandsavvy


Targeted Security Risk Assessments Using NIST Guidelines

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of Standards and Technology (NIST).

No matter what country you are based in, odds are your client’s data touches, passes through, or sources from the United States. Given that, if you have not performed a security risk assessment pursuant to the NIST guidelines, now is the time.

For those of you not familiar with NIST, it draws its funding from the U.S. government and traces its origin back to 1821 (yes, really). The goal of NIST is to research, develop, standardize and push innovation forward across a broad swath of fields for the betterment of everyone, at no cost (other than taxes) to anyone.

One of NIST’s best and most useful documents is its Guide for Conducting Security Risk Assessments. The security risk assessment procedures and guidelines outlined in this document now serve as the foundation for many industry standard risk assessment methods across a wide array of fields and industries. Because why reinvent the wheel?

If you can have the risk assessment playbook the government paid NIST to create telling you how to assess risk in your organization, why not use it?


At the core of every security risk assessment live three mantras: documentation, review, and improvement. Security risk assessments are only as valuable as the documentation you create, the honest review of the findings, and ultimately the steps towards improvement you take.

The goal of performing a risk assessment (and keeping it updated) is to identify, estimate and prioritize risks to your organization in a relatively easy-to-understand format that empowers decision makers. With that in mind, here is a breakdown of a NIST Security Risk Assessment framework that would be appropriate for a targeted risk assessment (as opposed to enterprise-wide).

For each of the steps listed below, track the results in a multi-page spreadsheet, and this document will serve as the root for further analysis.

  1. Baseline the System – Create a lifecycle chart of all the data within the targeted technology or program; encompassing birth, use, and destruction.
  2. Identify Threats – All of the threats you can imagine including intentional, unintentional, technical, non-technical, and structural. After you have made this list, cluster the threats into similar types (i.e. Non-Technical Threat – Fire, Flood, or Blood Events).
  3. Identify Vulnerabilities – All of the Vulnerabilities your organization has, including: patches, policies, procedures, software, equipment, etc. It often helps to group these Vulnerabilities to more easily analyze them (i.e. Vulnerability – Un-patched Servers/Workstations).
  4. Current Controls – All of the security and privacy controls you have in place to protect against the Vulnerabilities.
  5. Likelihood of Impact – Assign a value from low to high (e.g. – .1, .5, or 1) of how likely it is that a Threat hits a Vulnerability. Here, pair each cluster of similar threats with your major groups of vulnerabilities to create an Impact pairing.
  6. Effect of Impact – Assign a value from low to high (e.g. – 10, 50, 100) of how bad the Impact would be on your organization if the Threat hit a Vulnerability.
  7. Risk Determination – Likelihood x Impact = Risk Level (0-33 = Low; 34-66 = Medium; 67-100 = High)

At the end of this process, you should have a spreadsheet that contains sortable columns of Impact pairings and their associated Risk Level. This will allow you to sort and parse the list in a way that gives you an easy view of those items with the greatest Risk Level, thereby creating a targeted list of what threats and vulnerabilities must be addressed first. Here is an example:


  1. Simple Baseline: Client PHI is entered, accessed, and stored within hospital EMR.
  2. Technical Threat: Malicious hackers attempting to gain access and steal PHI.
  3. Vulnerability: Un-patched Windows 2012 Server with default administrative password.
  4. Current Controls: Password protected, behind firewall with factory settings.
  5. Likelihood: .8 (Un-patched software accounted for the vast majority of breaches in 2014)
  6. Impact: 100 (Loss or theft of PHI would be catastrophic for a hospital)
  7. Risk Determination: .8 x 100 = 80 (High Risk)


As you can see, the organization that produced the above analysis would need to immediately prioritize a Risk Determination of 80, especially on something so basic as maintaining patch updates. That aside, once you have completed your Security Risk Assessment and prioritized your Risk Determination list, turn to the Current Controls and make decisions of how to improve those controls to eliminate or mitigate the identified vulnerabilities.

Once you document those decisions, draft a summary of the Security Risk Assessment highlighting surprises, problems, fixes, and future plans. As you implement any changes, be sure to append the Security Risk Analysis, or if enough wholesale changes are made, perform an updated Security Risk Assessment.
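The spreadsheet described in steps 5 to 7, as an added example (not code from the article or from NIST): it scores each Impact pairing as Likelihood x Effect, bands the result with the article's thresholds, and sorts the highest risk first. The first sample row is the article's worked example; the other rows, all field names, and the handling of fractional scores (below 34 is Low, below 67 is Medium) are assumptions.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactPairing:
    """One threat cluster paired with one vulnerability group (steps 2-6)."""
    threat_cluster: str
    vulnerability_group: str
    current_controls: str
    likelihood: float  # step 5: low to high, e.g. .1, .5 or 1
    effect: float      # step 6: low to high, e.g. 10, 50 or 100

    def __post_init__(self):
        # Reject values outside the article's scales so a typo cannot
        # silently move a pairing into the wrong band.
        if not 0 < self.likelihood <= 1:
            raise ValueError(f"likelihood out of range: {self.likelihood}")
        if not 0 < self.effect <= 100:
            raise ValueError(f"effect out of range: {self.effect}")

    @property
    def risk_score(self) -> float:
        # Step 7: Likelihood x Impact; rounded to hide floating-point noise.
        return round(self.likelihood * self.effect, 2)


def risk_level(score: float) -> str:
    """Band a score using the article's ranges (0-33, 34-66, 67-100).

    Assumption: fractional scores that fall between the stated integer
    ranges (e.g. 33.5) stay in the lower band.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score < 34:
        return "Low"
    if score < 67:
        return "Medium"
    return "High"


def build_register(pairings):
    """Return one row per pairing, highest risk first."""
    rows = [
        {
            "threat_cluster": p.threat_cluster,
            "vulnerability_group": p.vulnerability_group,
            "current_controls": p.current_controls,
            "likelihood": p.likelihood,
            "effect": p.effect,
            "risk_score": p.risk_score,
            "risk_level": risk_level(p.risk_score),
        }
        for p in pairings
    ]
    # Sort by score descending; the threat name breaks ties deterministically.
    rows.sort(key=lambda r: (-r["risk_score"], r["threat_cluster"]))
    return rows


def to_csv(rows) -> str:
    """Serialize the register so it can be opened as a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Sample data. Row 1 is the article's example; rows 2-4 are constructed.
SAMPLE_PAIRINGS = [
    ImpactPairing(
        "Technical: malicious hackers attempting to steal PHI",
        "Un-patched Windows 2012 Server with default administrative password",
        "Password protected, behind firewall with factory settings",
        0.8, 100,
    ),
    ImpactPairing(
        "Non-Technical: fire or flood",
        "Single on-site backup copy",
        "Fire suppression in server room",
        0.1, 100,
    ),
    ImpactPairing(
        "Unintentional: staff e-mail PHI to the wrong recipient",
        "No outbound e-mail policy",
        "Annual privacy training",
        0.5, 100,
    ),
    ImpactPairing(
        "Structural: power failure",
        "No UPS on EMR server",
        "None",
        0.5, 50,
    ),
]

if __name__ == "__main__":
    print(to_csv(build_register(SAMPLE_PAIRINGS)))
```
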

This process seems daunting, and it can be. That said, once you have gone through the pain of doing it once, successive assessments will be quicker, more detailed, and serve to build upon what was done before. There are also third party tools that can streamline the process, such as the HHS Security Risk Analysis Tool created in conjunction with NIST. These third party tools vary wildly in quality, so choose wisely.

Whatever risk analysis process you choose, create, or purchase, make sure it fits your needs and gives you the documentation you want, the capability to thoroughly review results, and the tools necessary to make improvements.

Prepare now, or answer later when the investigators come knocking.

Via: tripwire


Cisco to jettison 5,500 jobs, will reinvest in cloud, IoT & more

Cisco faces challenges in its core switching and routing business.

Cisco today confirmed it will lay off about 7% of its workforce – about 5,500 jobs.

Or as Cisco put it: “Today, we announced a restructuring enabling us to optimize our cost base in lower growth areas of our portfolio and further invest in key priority areas such as security, IoT, collaboration, next generation data center and cloud. We expect to reinvest substantially all of the cost savings from these actions back into these businesses and will continue to aggressively invest to focus on our areas of future growth.”

During its earnings announcement the company said total revenue actually increased 3% to $48.7 billion for its fiscal year ended July 30. Still, the company faces challenges in its core switching and routing business.

“Product revenue growth was led by Security at 16%. Collaboration, Wireless and switching product revenue increased by 6%, 5%, and 2%, respectively. Service Provider Video, NGN Routing and Data Center product revenue decreased by 12%, 6%, and 1%, respectively,” Cisco stated.

Sounding more optimistic, CEO Chuck Robbins said:

“We had another strong quarter, wrapping up a great year. I am particularly pleased with our performance in priority areas including security, data center switching, collaboration, services as well as our overall performance, with revenues up 2% in Q4 excluding the SP Video CPE business,” Robbins said. “We continue to execute well in a challenging macro environment. Despite slowing in our Service Provider business and Emerging Markets after three consecutive quarters of growth, the balance of the business was healthy with 5% order growth. This growth and balance demonstrates the strength of our diverse portfolio. Our product deferred revenue from software and subscriptions grew 33% showing the continued momentum of our business model transformation.”

Reports earlier this week had the networking giant cutting as many as 14,000 jobs. Others have speculated Cisco would make a sizable cut in its workforce this year given its growing stable of acquisitions and its shifting software emphasis. Cisco has acquired 15 companies under CEO Chuck Robbins’ tenure, which is now early into its second year.

Most recently the company bought cloud security firm CloudLock; other cloud-based technology from Synata; network semiconductor technology from Leaba and Software as a Service (SaaS) provider Jasper.

In recent history, the year-end earnings report, which is expected today, hasn’t been kind to Cisco employees. The company has laid off a little over 11,000 employees total in late summer reductions since 2012.

Via: networkworld


Google takes on FaceTime and Skype with Duo

Google is betting on simplicity, cross-platform functionality and privacy concerns to attract smartphone users to its Duo video-calling app.

Google has launched video-calling app Duo to challenge Apple’s FaceTime and Microsoft-owned Skype, enabling video calls between Android and iOS devices with end-to-end encryption.

“You shouldn’t have to worry about whether your call will connect, or if your friend is using the same type of device as you are,” Google said in a statement.

Duo is widely seen as part of Google’s business strategy to make apps compatible with a broad set of devices, providing iOS and Mac users alternatives to Apple apps.

Google hopes to attract users through a simple and easy to use interface for Duo which enables calls to anyone on a user’s phone contact list without needing a separate account.

Analysts said Google’s previous video calling and messaging app Hangouts had limited adoption because it required both users to have a Google account.

The switch to using phone numbers rather than a Google account or Gmail address brings Duo in line with Facebook’s Messenger and WhatsApp, Skype and FaceTime, making it easier to video call friends, family and other people already stored on mobile phone contact lists.

Google also claims to have built Duo to be fast and reliable even on slow networks by adjusting picture resolution automatically to ensure connections are maintained.

Duo is also designed to switch between Wi-Fi and cellular data automatically without dropping calls.

“To make calls feel more like an invitation rather than an interruption, we created a feature in Duo called Knock Knock which lets you see live video of your caller before you answer, giving you a sense of what they’re up to and why they want to chat,” Google said in a blog post.

Google is also hoping to win competitive advantage by emphasising that Duo has been built with attention to privacy and security, with Duo calls being encrypted end-to-end.

Duo is aimed at the consumer market, which means it will not replace Hangouts, which will continue to be developed for enterprise users and become more integrated with Google Apps.

Via: computerweekly


Text messages aren’t private, judge rules

In a ruling released on 8 July in the Ontario Court of Appeal, Justice Justin MacPherson wrote that texts received by a person under investigation can be searched and admitted into court just by using a warrant.

In the case of text messages, this ruling states that there should be no expectation of privacy and wiretap laws are not applicable.

In the majority ruling in this case, Justice MacPherson wrote:

It has never been the case that privacy rights are absolute. Not everything we wish to keep confidential is protected under s. 8 of the Charter. In my view, the manner in which one elects to communicate must affect the degree of privacy protection one can reasonably expect.

The case in question involved Nour Marakah and Andrew Winchester, who were texting each other about purchasing firearms illegally. When both were under investigation, police seized their phones (and text messages) during searches of their homes.

Marakah’s lawyers were at first successful in arguing that the texts on Marakah’s phone weren’t court admissible, but that argument fell apart in the case of Winchester’s phone.

During the appeals process, which culminated in this ruling, the judges asserted that the texts on Winchester’s phone were absolutely admissible because Marakah had no expectation of privacy on texts he sent to Winchester once Winchester received them.

Same device, different rules

Although phone calls are usually protected by wiretap laws, meaning your phone calls are considered private, this landmark case helps establish the case for Canadian law enforcement and government that text messages don’t need wiretaps.

While text messages you send to someone else may be private from the cell phone carriers, thanks to this ruling they aren’t considered private once they reach your intended recipient and can be used in court to prosecute you without needing to use a wiretap.

The crux of the argument is that what happens to your text message after you send it is out of your control. After all, the person who receives your text could elect to share it with someone else, without your knowledge or consent.

This ruling is great news for Canadian law enforcement, as it means there’s no extra step of having to obtain a wiretap if they want to use text messages when investigating or prosecuting someone.

It is not such great news for many people’s expectations and use of text messaging today, though, wrote dissenting Judge H.S. LaForme:

A typical exchange of text messages is a private communication between two people. It is essentially a modern version of a conversation and can contain as much private information as an oral conversation.

If the majority of judges in this case had agreed with this opinion, it would have meant law enforcement would need a wiretap to use text messages in court.

Unfortunately for Marakah, that’s not how the case went.

Via: nakedsecurity


Why Delta’s Outage Caused Such Widespread Headaches

The system-wide computer outage at Delta Air Lines continues to disrupt travel, with the cancellation of more than 2,100 flights and the delay of many more since the snafu began. Hundreds of thousands of passengers were stranded around the globe as the ripples spread out from Delta’s Atlanta headquarters.

The air carrier initially blamed the computer shutdown on a power outage by the Atlanta utility company but later said it was the result of an internal outage followed by the failure of a backup system to take over when the main computer system failed.

The airline had projected a return to normal operations by Wednesday afternoon, but delays and cancellations continued to mount.

“We’re in the final hours of bouncing back from the disruption,” Delta Senior Vice President Bill Lentsch said in an online update Wednesday.

Delta on Wednesday extended the period during which affected passengers can rearrange their travel plans without penalty and widened the pool to people with tickets for Tuesday and Wednesday flights. The company originally said rebooking and travel had to happen by Friday to avoid paying a change fee, but now customers have until Aug. 21. Delta also is offering refunds and $200 in travel vouchers to people whose flights were canceled or delayed at least three hours and is putting people up in hotels.

To find out what happened and why the effects were so widespread, The Times turned to industry experts Jan Brueckner, an economics professor at UC Irvine; Mark Gerchick, an author and former chief counsel at the Federal Aviation Administration; and Sam Kidd, an account manager at Zerto, a Boston-based data disaster recovery software company. Here are edited excerpts from those interviews.

Why was the impact of this computer shutdown so widespread?

Brueckner: Following a series of mergers over the past decade, 80% of all domestic travel is now controlled by four major carriers. They are, in order of passenger traffic, American Airlines, Southwest Airlines, Delta Air Lines and United Airlines. “When airlines get big, as current airlines are, when they have a problem it affects lots of people.”

Delta’s system was back online within a few hours. Why are we still seeing cancellations and delays days later?

Gerchick: To increase revenue and reduce costs, airlines fill planes to near capacity and try to schedule as many flights as possible with minimal turnaround time. “Capacity is being cut or not growing nearly as fast as demand. Load factors are high and there is much less flexibility in the system. You now have much more of a waterfall effect with each glitch.”

Have airline computer systems become too big and complicated?

Kidd: The computer systems used by airlines are not any more complicated than those used by other industries, such as banks. Airline systems are just getting more scrutiny because a shutdown of an airline disrupts business trips and vacations and draws lots of media attention. “We can’t deny that the workload has gone up in the way airlines operate but it’s the same with finance companies and others. It’s just the nature of how we as a civilized society have evolved and adapted.”

Gerchick: An airline’s computer system is no longer just responsible for ticket bookings. It is also used for seat assignments, loyalty reward programs, targeting passengers for follow-up email and even selling vacations. And that is before you get into the ancillary sales. “I imagine the amount of information on these systems is greater than 20 years ago. I imagine the demands must be grand.”

Delta said it is still investigating why its backup system did not kick in when its main system failed. What can businesses like Delta do to reduce the likelihood of such catastrophes in the future?

Kidd: Airlines and other companies that handle a great deal of data must regularly invest in their software and hardware, and update and test it on a regular basis. At the same time, it’s more difficult and costly for a 24-hour operation like an airline to upgrade or test its computer system without interrupting regular operations. “The airlines I speak with are always investing in different things. Airlines are built on information technology. They know that every interaction with customers is done with IT.”

Are airlines investing enough in their computer systems or are they focused on buying new planes and building lounges — investments that might impress and draw in more high-paying customers?

Gerchick: It’s unclear how much is enough to invest in computer systems but airlines feel pressure to modernize their fleets because new planes give passengers the sense that airlines are more modern. Travelers rarely think about the investments needed for an airline’s computer system, until it fails. “Airlines are loath to spend on technology. People can tell if a fleet is old but they have no idea what’s going on in the back room. That is very different. They just assume the computer systems work. But you need to look at it through the prism of revenue. You are going to lose money if it screws up.”

Delta has had a reputation as one of the most punctual airlines in the industry. Will passengers forgive and forget this incident or will Delta feel long-term impacts?

Brueckner: “This kind of outage is a huge black eye for the airline. It’s like having a crash. You don’t want to do that.”

If a power outage could shut down the airline worldwide, what does this say about how vulnerable Delta’s system is to hackers or terrorists?

Kidd: The risk of a cyber attack cannot be totally eliminated, so airlines need to focus on recovering data quickly and getting systems back online as fast as possible. “All facilities have security. You can’t just walk up to these facilities. You can’t just stroll in there. The risk of an attack is pretty low. The bigger risk is how we deal with cyber crimes, people trying to hack into our systems. You can never say nothing will ever happen. We can just try to minimize the impact.”

Via: enterprise-security-today
