Tuesday, June 28, 2011

Are we now reaching Carl Sagan levels of data breach? “BIL-yons and BIL-yons...”

http://www.databreaches.net/?p=19317

Groupon leaks entire Indian user database

June 27, 2011 by admin

Patrick Gray writes:

The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. [So, not yet BIL-yons... Bob] It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. [Note: No hacking skills required Bob]

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

Read more on http://risky.biz/sosasta

The company’s statement to SoSasta.com users is cited in a Gadgets.ndtv article.

[From the Risky Biz article:

As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.

[From the Gadgets article:

As per legal regulations, credit card, debit card and netbanking data is not stored in SoSasta's database and hence that data was not compromised. [Perhaps we need a similar law in the US? Bob]
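A defender-side version of the search Grzelak describes in the Risky Biz piece, added here as an example (it is not code from that article, from Grzelak, or from Sosasta): rather than asking Google which of your SQL dumps it has indexed, it parses the dump files that are reachable under your own web root, pulls out every row that pairs an e-mail address with a credential, labels the credential as cleartext or a recognisable hash, and then indexes the compromised addresses by SHA-1 the way a shouldichangemypassword-style lookup can without holding the addresses or passwords in clear. The sample dump and every account in it are constructed; the assumption that the first non-e-mail string in an accounts row is the password column is mine, not something a dump declares.

```python
import hashlib
import re

# Constructed sample dump (not the Sosasta data): one cleartext password,
# one unsalted MD5, one bcrypt hash, so the classifier has something to do.
SAMPLE_DUMP = """\
-- MySQL dump (constructed example)
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `email` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL
);
INSERT INTO `users` (`id`, `email`, `password`) VALUES (1,'alice@example.com','hunter2');
INSERT INTO `users` VALUES (2,'bob@example.org','5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO `users` (`id`, `email`, `password`) VALUES (3,'carol@example.net','$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy');
"""

EMAIL_RE = re.compile(r"^[^@\s']+@[^@\s']+\.[a-z]{2,}$", re.I)
# Recognisable hash shapes; anything else is treated as cleartext.
HASH_PATTERNS = (
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
)
INSERT_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?[^;]*?VALUES\s*(.+?);", re.I | re.S)
ROW_RE = re.compile(r"\(([^()]*)\)")           # one (...) tuple per row
STR_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")     # single-quoted SQL strings


def classify_secret(value):
    """Label a stored credential by shape: a known hash format or cleartext."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "cleartext"


def extract_credentials(sql_text):
    """Return (table, email, secret, kind) for every INSERT row that pairs an
    e-mail address with another string value. Assumption (mine, not the
    dump's): the first non-e-mail string next to the address is the credential."""
    found = []
    for stmt in INSERT_RE.finditer(sql_text):
        table = stmt.group(1)
        for row in ROW_RE.finditer(stmt.group(2)):
            strings = STR_RE.findall(row.group(1))
            emails = [s for s in strings if EMAIL_RE.match(s)]
            others = [s for s in strings if not EMAIL_RE.match(s)]
            if emails and others:
                found.append((table, emails[0], others[0], classify_secret(others[0])))
    return found


def scan_dumps(dumps):
    """dumps: {path: file text}. Report each file that exposes at least one
    cleartext credential, with the count; these are the files a crawler
    would index if they sit under the web root."""
    report = {}
    for path, text in dumps.items():
        clear = [c for c in extract_credentials(text) if c[3] == "cleartext"]
        if clear:
            report[path] = len(clear)
    return report


def build_breach_index(credentials):
    """Index compromised accounts by SHA-1 of the normalised e-mail so a
    lookup service holds neither the addresses nor the passwords in clear."""
    return {hashlib.sha1(email.strip().lower().encode()).hexdigest()
            for _, email, _, _ in credentials}


def was_compromised(index, email):
    """Check one address against the index; the caller never sends a secret."""
    return hashlib.sha1(email.strip().lower().encode()).hexdigest() in index


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_DUMP)
    for table, email, secret, kind in creds:
        print(f"{table}: {email} -> {kind}")
    print("exposed files:", scan_dumps({"backup/users.sql": SAMPLE_DUMP}))
    index = build_breach_index(creds)
    print("alice compromised:", was_compromised(index, "Alice@Example.com"))
```

In practice the input to `scan_dumps` is the text of whatever `find /var/www -name '*.sql' -o -name '*.bak'` turns up, which is the same file set a search engine would have indexed. The regexes are deliberately simple: a value containing a quoted `;` or `)` will cut a statement short, so treat the report as a list of leads to open by hand, not as a complete parse.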



Oh what fun! Perhaps we will learn how governments and organizations should react to such threats...

Anonymous Declares War On The City Of Orlando

The hacktivist group Anonymous may be setting its sights on the city of Orlando, Florida next, if an anonymous press release which has landed in our inbox is to be believed (see below). The group is threatening to take down a different city-related website every day, starting with Orlando Florida Guide, which doesn’t even appear to be owned by the city of Orlando (it is registered to an organization called Utopia, administered by a man named Steven Ridenour). So any random website extolling the virtues of Orlando could be targeted.



This looks like a challenge to hackers...

http://news.cnet.com/8301-13506_3-20074975-17/sony-brand-perception-clearly-improving-again/

Sony: Brand perception 'clearly improving again'

Sony CEO Howard Stringer had an upbeat attitude during his company's annual shareholders meeting today, saying that the firm's brand is on the upswing following the PlayStation Network security breach, the Associated Press is reporting.

"Our brand perception, you'll be happy to know, is clearly improving again," Stringer reportedly told investors during the meeting. He went on to point out that 90 percent of Sony's PlayStation Network users have come back to the service. [Dude! We only lost 10% of our business! Are we good or what? Bob]



Oh joy. Check your backups and pray.

Rootkit Infection Requires Windows Reinstall

"Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
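The MMPC advice is to fix the MBR and restore; what a practitioner wants next to that is a way to tell whether the MBR on a given machine still matches the one recorded when the system was clean. The block below is an added example, not Microsoft's tool and not a Popureb signature: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, hashes the 440 bytes of boot code, decodes the four partition-table entries, and compares both against a stored baseline. The sample MBR and the "tampered" bytes are constructed in the block. One assumption to state plainly: read the sector from a clean boot (recovery media, or the disk attached to another machine), because a kernel-mode rootkit that hooks disk I/O on the running system can hand the original sector back to any reader and this check will pass.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries at 446..509
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def build_sample_mbr(boot_code, partitions):
    """Construct a 512-byte MBR image for the example (constructed data, not
    read from any disk). partitions: [(bootable, type, start_lba, sectors)]."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start_lba, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start_lba, sectors)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Validate the signature and return the boot-code hash plus the decoded
    partition table; these two values are the baseline worth recording."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start_lba": start_lba,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr, baseline):
    """Compare a freshly read MBR with the baseline taken on the clean system.
    Returns a list of findings; an empty list means the sector matches."""
    current = parse_mbr(mbr)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def run_example():
    """Baseline a clean MBR, then overwrite its entry bytes the way a bootkit
    that redirects the boot path would, and return both check results."""
    clean_boot = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 400  # constructed boot code
    layout = [(True, 0x07, 2048, 204800)]                               # one NTFS-type partition
    clean = build_sample_mbr(clean_boot, layout)
    baseline = parse_mbr(clean)
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x3c\x90\x00"  # patched entry jump (constructed, not Popureb's bytes)
    return check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    before, after = run_example()
    print("clean MBR findings:", before)
    print("tampered MBR findings:", after)
```

On a real disk the 512 bytes come from `dd if=/dev/sda bs=512 count=1` (or the Windows equivalent from recovery media), and the baseline is whatever `parse_mbr` returned on the known-clean image, stored off the machine. A partition-table change with unchanged boot code is usually an admin at work; changed boot code with an unchanged table is the pattern that deserves the reinstall Microsoft describes.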



Something for my lawyer friends to debate? Will there be an Audit Trail to prove or disprove that something failed? If not, isn't that a failure? (Business Opportunity: Add-on Audit Trail)

http://www.wired.com/autopia/2011/06/active-safety-systems/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

When Active-Safety Systems Fail, Who Pays?

It’s an intriguing, and increasingly relevant, question as automakers pack their cars with ever more electronic nannies and the government ponders requiring things like back-up cameras. Semiautonomous systems are becoming more common as our cars do everything from keep us in our lanes to prevent us from hitting pedestrians. If any of these systems should fail, how would an insurance company deal with it?



It acts like malware, but it's merely Facebook being Facebook. After all, it's their ball and you have to play by their rules.

Facebook Blocks KDE Photo App, Deletes Users' Pics

"KDE users have gotten a rather unpleasant surprise from Facebook: Not only is the site blocking KDE apps like Gwenview from uploading, the social media giant has also taken down photos uploaded with the KDE plugins. Yet another reason that users might think twice before depending on Facebook for photo storage."



We are a search company, so when the government wants evidence, who they gonna call?

http://www.pogowasright.org/?p=23561

Google turns over user data in 94% of US demands

June 27, 2011 by Dissent

Dan Goodin reports:

The US government filed more than twice as many demands for data about Google users than any other country in the past six months, according to figures the search behemoth supplied Monday. What’s more, according to the Google Transparency Report, Google fully or partially complied with the US demands in 94 percent of the cases, a rate that was higher than responses to any other government.

Read more on The Register.


(Related) Tools for those who don't want to wait for Google... (and possible jobs for my Ethical Hackers?)

http://www.thetechherald.com/article.php/201126/7327/Lawful-Interception-Technology-that-is-legally-watching-you?page=1

Lawful Interception: Technology that is legally watching you

… The following is an outline of just some of the companies who develop and distribute interception and intrusion technologies to law enforcement and government intelligence services.

ELAMAN is a German-based firm that specializes in security and communications monitoring.

… they offer law enforcement and governments the ability to intercept “…all kinds of communication within different telecommunication networks and carriers inside and outside a country’s borders.”

Security Software International (SSI)

They offer tactical and strategic intelligence solutions to governments and law enforcement.

… They offer the ability to monitor more than 200 different network nodes (switches, routers, gateways, application servers) developed by all of the top vendors. In addition, their LIMS offering enables real-time monitoring of telephony, fax, SMS, MMS, e-mail, VoIP, Push-to-Talk and other IP-based communication services.

Shield Security

Not much is known about this company. Their name originally appeared in Spam leaked from HB Gary and HB Gary Federal after the attack by Anonymous.

Located in the U.K., they deal with the government only, and offer a range of surveillance and monitoring products.

Intercept Monitoring Solutions (Discovery Telecom Technologies)

The company mantra says it all. “While others talk, we intercept.”

Shoghi Communications Ltd.

Focused on communications and signals intelligence, this firm is located in northern India, rather close to Pakistan.

Utimaco (Sophos Group)

There are plenty of documents available for Utimaco’s Lawful Interception Management System.

Group 2000

Group 2000 offers LIMA to law enforcement and intelligence services when they need to monitor communications.

VUPEN

VUPEN is known for exploit and vulnerability research. When they discover a flaw, they often tell the vendor last (if at all), but offer protection from the zero-day threats to customers who subscribe to their services.

Access to VUPEN’s custom Malware and exploits is highly restricted. Only countries, members, or partners of NATO, ANZUS and ASEAN can take part.

Gamma International

Their website, seen here, contains only the basics, and emails from the public are ignored. When it comes to those they work with, the client list is restricted to intelligence and law enforcement.

Hacking Team

Located in Milano, Italy, Hacking Team is another company that many outside of the intelligence and law enforcement world might not know. They offer both offensive and defensive security services to clients, including penetration testing.

HBGary

Based on emails leaked after the Anonymous attack, HBGary can be counted as an intrusion vendor. They developed a rootkit that is able to “exfiltrate information past personal firewalls without detection” noting that the elegance of their rootkit’s design means more reliability and less detection footprint.

Information on HBGary’s other offerings to law enforcement and intelligence agencies can be seen here.

Endgame Systems

Endgame offers the government subscription-based solutions. One of them, called Maui in company documents, includes vulnerability research, as well as custom exploit toolkit development. It isn’t cheap however, with prices reaching more than $2.5 million per year.



Let me help you surveil me...

http://www.bespacific.com/mt/archives/027614.html

June 27, 2011

Consumer Groups Recommend Privacy Safeguards on "Smart Meter" Services

EPIC: "The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy."



Should be very popular! Gives congressmen the ability to have quality face-time with their constituents without actually having to be near them...

The U.S House Of Representatives Can Now Use Skype’s Video Calling Service

… Today, the U.S. House of Representatives is announcing that members of Congress will be able to use Skype’s videoconferencing technology on government computer systems.


(Related)

http://www.thetechherald.com/article.php/201126/7328/Microsoft-patent-raises-concerns-Will-Skype-have-a-backdoor

Microsoft patent raises concerns - Will Skype have a backdoor?



Nothing muddies up the water like a lawyer answering a direct question. In this case, “Can the police search my computer” is answered: Yes, No, Maybe, Except for, Unless, and It depends... All at the same time.

http://www.bespacific.com/mt/archives/027613.html

June 27, 2011

Know Your Digital Rights guide from EFF

Know Your Rights! by Hanni Fakhoury, EFF Staff Attorney, June 2011

  • "Your computer, your phone, and your other digital devices hold vast amounts of personal information about you and your family. This is sensitive data that’s worth protecting from prying eyes — including those of the government. The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else. Because anything you say can be used against you in a criminal or civil case, before speaking to any law enforcement official, you should consult with an attorney."



Not yet sure how I'll use this.

Google Quietly Rolls Out WDYL.com: A Range Of Google Product Results On One Page



For those times when you can't locate a geek...

Tildee - Create, Share, and Find Tech Tutorials

Tildee is a good site for creating, sharing, and locating tutorials for all kinds of technology-related things. Tildee provides a template and platform for sharing tutorials with others. Your tutorials can include any combination of text, screen captures, and videos. Each tutorial that you create on Tildee is assigned a unique URL that you can share wherever you like.

Even if you don't use Tildee to create a tutorial yourself you can still use the site. You can browse or search the gallery of public tutorials to find one that suits your needs.



I know this is a concern for many of my students...

Are Fake Geeks Dooming Real Ones?

"In the wake of the Best Buy 'geek' trademarking and Miss USA calling herself 'a huge history geek,' writer (and self-proclaimed geek) Eryn Green has an interesting piece for Esquire on how so-called 'geek chic' is pervading the culture so much that no one appreciates an actual geek anymore. From the article: 'The difference between brains and beauty is that you're more or less born into good looks — entitled, if you will. Intelligence? That takes work. If the hallmark of real geekiness — of America — is determination, then we seem too determined to have an entitlement problem.'"

[To avoid confusion, I suggest the following tests:

http://cybernetnews.com/cybernotes-you-might-be-a-geek-if/

http://lowendmac.com/lite/09lite/computer-geek.html

http://billzhouse.com/fun/geek.html

http://www.sanitarium.net/jokes/getjoke.cgi?199



For all my “Frequent Flyer” friends. This should stir things up a bit...

Cancer Cluster Possibly Found Among TSA Workers

"TSA employees at Logan International Airport believe they have identified a cancer cluster in their ranks, according to documents obtained under the Freedom of Information Act and released by the Electronic Privacy Information Center. They have requested dosimetry to counter 'TSA's improperly non-monitored radiation threat.' So far, at least, they have not received it. The documents also reveal a paper from Johns Hopkins that essentially questions whether it is even safe to stand near an operating scanner, let alone inside one. Also, the National Institute of Standards and Technology says that the Dept. of Homeland Security 'mischaracterized' their work by telling USA Today that NIST affirmed the safety of the scanners when in fact NIST does not do product safety testing and never tested a scanner for safety."

