I doubt any (both?) of my
readers would fall for this, but my Computer Security students should
find it amusing that the Democrats haven't noticed a similar problem.
And it's legal?
"Shane Goldmacher writes that a
network of look-alike campaign websites has netted hundreds of
thousands of dollars this year in what some are calling
a sophisticated political phishing scheme. The doppelgänger
websites have the trappings of official campaign pages: smiling
candidate photos and videos, issue pages, and a large red "donate"
button at the top and exist for nearly three dozen prominent GOP
figures, including presidential nominee Mitt Romney, House Speaker
John Boehner, House Majority Leader Eric Cantor, and donation magnets
such as Reps. Michele Bachmann of Minnesota and Allen West of
Florida. The only difference is that proceeds from the shadow sites
go not to the candidates pictured, but to an obscure conservative
group called CAPE
PAC run by activist Jeff Loyd, a former chairman of the Gila County
GOP in Arizona. 'The only thing they are doing is lining their
pockets and funding their own operation,' says Republican political
strategist Chris LaCivita. CAPE PAC has a strong Web presence, with
over 100,000 followers on
Twitter and 50,000 on Facebook and its business model is to buy
Google ads — about $290,000 worth, as of the end of June — to
promote its network of candidate sites whenever people search for
prominent GOP officials. A search for 'Mitt Romney,' for instance,
often leads to two sponsored results: Romney's official site and CAPE
PAC's mittromneyin2012.com. Once on a CAPE PAC site, users would
have to notice fine print at either the top or bottom of the page
revealing that they were not on the official page of their favored
politician. A dozen donors, including some experienced Washington
hands such as Neusner, had no idea they had contributed to the group
before National Journal Daily contacted them. 'It confused me, and I
do this for a living,' says Washington lobbyist Patrick Raffaniello.
'That's pretty sophisticated phishing.'"
A look at what information
is collected but not much on how it is being used. Another “we
had no idea” security breach.
EXCLUSIVE:
The real source of Apple device IDs leaked by Anonymous last week
A small Florida publishing company says
the million-record database of Apple gadget identifiers released last
week by the hacker group Anonymous was stolen from its servers two
weeks ago. The admission, delivered by the company’s CEO
exclusively to NBC News, contradicts Anonymous' claim that the hacker
group stole the data from an FBI agent's laptop in March.
Anonymous’ accusations garnered
attention because they suggested that the FBI was using the unique
gadget identifiers -- called UDIDs -- to engage in high-level spying
on American citizens via their iPhones, iPads, and iPod Touch
devices. The FBI denied the claim, last week, and when asked to
comment for this story, referred to last week’s denial.
Paul DeHart, CEO of the Blue Toad
publishing company, told NBC News that technicians at his firm
downloaded the data released by Anonymous and compared it to the
company's own database. The analysis found a 98 percent correlation
between the two datasets.
DeHart said an outside
researcher named David Schuetz contacted his company last week and
suggested the data might have come from Blue Toad. The company's
forensic analysis then showed it had been stolen "in the past
two weeks." He declined to provide further details, citing an
ongoing investigation.
DeHart said he could not rule out the
possibility that the data stolen from his company’s servers was
shared with others, and eventually made its way onto an FBI computer.
He also said that he doesn’t know who took the data.
The discovery of the theft casts
serious doubt on Anonymous’ claims that the data came from the FBI,
and was pilfered in March.
… "As an app developer,
BlueToad would have access to a user's device information such as
UDID, device name and type," Apple spokeswoman Trudy Muller
told NBC News on Monday. "Developers do not have access to
users' account information, passwords or credit card information,
unless a user specifically elects to provide that
information to the developer." [For instance, to register or to
purchase something... Bob]
… DeHart said his firm would not be
contacting individual consumers to notify them that their information
had been compromised, instead leaving it up to
individual publishers to contact readers as they see fit.
… The UDID -- which stands for
Unique Device Identifier -- is present on Apple iPads, iPods and
iPhones, and is similar to a serial number. During the past year,
researchers have found that many app developers have used the UDID to
help keep track of their users, storing the data in various databases
and often associating it with other personal
information. When matched with other information, the
UDID can be used to track users' app usage, social media usage or
location. It could also be used to "push" potentially
dangerous applications onto users' Apple gadgets.
… There is no way for users to
check to see if their UDID information has been collected by Blue
Toad, DeHart said. He recommended that concerned
Apple users visit websites that have created search engines where
users can see if their UDID is in the data dump, such
as this one. But he said consumers should not
overreact to news of the leak.
… Updating is important because,
seeing the potential privacy issues, Apple earlier this year advised
developers to discontinue use of the UDID to track users. Blue
Toad no longer uses UDIDs [Yet these are still available online?
Bob] in its software, DeHart said, and updated versions of
its software don’t collect it.
Aldo Cortesi, a security researcher who
has been crusading against use of UDIDs for some time, disagreed with
DeHart and said the release of the data represents a great risk to
users. Cortesi has previously used UDIDs to log
into consumers’ gaming accounts, access contact lists, and connect
the ID numbers to real identities. He was then able to hijack device
owners’ Twitter and Facebook accounts.
I guess they don't like the Superbowl
ads? Interesting what Go Daddy does and does not know...
Go Daddy says client Web sites back up
Web sites serviced by Web hosting and
domain registrar Go Daddy were back online early this evening after
being down for much of the work day, a company spokeswoman told
CNET.
"All services are restored and at
no time was sensitive customer information, such as credit
card data, passwords, names, addresses, ever compromised," Go
Daddy spokeswoman Elizabeth Driscoll said in a phone interview just
before 5 p.m. PT. She said the company does not know
at this time exactly what caused the outage and she couldn't say
exactly how many sites were affected.
No security? Quite possible as many
naming conventions use easily “guessed” names, like the docket
number, to organize their web pages.
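The point above is that a predictable identifier in a URL is not a secret, so the server has to make its own authorization decision on every request. The following is an added example written for this post, not code from the court system or the article; the docket numbers, user IDs and file contents are constructed, and the entitlement model (a set of user IDs per sealed file) is a simplifying assumption. It shows the lookup-by-docket pattern the comment describes next to a hardened version that checks entitlement, logs refusals, and answers "missing" and "denied" the same way so that the existence of sealed records is not confirmed to an unauthorized caller.

```python
import logging
from dataclasses import dataclass, field
from typing import Dict, Set

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("court-docs")


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not entitled', so responses do not leak existence."""


@dataclass
class CaseFile:
    docket: str
    contents: str
    sealed: bool = False
    # User IDs entitled to read this file when it is sealed (assumed model).
    parties: Set[str] = field(default_factory=set)


# Constructed sample store (hypothetical data). Note the sequential, guessable dockets:
# the second one is one increment away from the first.
CASE_FILES: Dict[str, CaseFile] = {
    "2012-1001": CaseFile("2012-1001", "public ruling"),
    "2012-1002": CaseFile("2012-1002", "sealed: witness identity",
                          sealed=True, parties={"attorney-17"}),
}


def fetch_unprotected(docket: str) -> str:
    """The pattern the post describes: the docket number in the URL is the only 'key'.
    Whoever can form the number gets the file, sealed or not."""
    return CASE_FILES[docket].contents


def fetch_with_authz(docket: str, user_id: str) -> str:
    """Hardened form: the lookup is unchanged, but a sealed file is released only to an
    entitled user, refusals are logged for detection, and an unknown docket and a
    forbidden one produce the same error."""
    case = CASE_FILES.get(docket)
    if case is None:
        log.warning("request for unknown docket %s by user %s", docket, user_id)
        raise AccessDenied(docket)
    if case.sealed and user_id not in case.parties:
        log.warning("denied sealed docket %s to user %s", docket, user_id)
        raise AccessDenied(docket)
    return case.contents


if __name__ == "__main__":
    print(fetch_unprotected("2012-1002"))          # sealed file served with no check
    print(fetch_with_authz("2012-1001", "anyone"))  # public file, fine
    try:
        fetch_with_authz("2012-1002", "anyone")
    except AccessDenied:
        print("sealed file refused to unentitled user")
```

The warning lines are the detection hook: a burst of refusals for consecutive docket numbers from one user is exactly the signal a log review should surface.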
Hacker suspected of stealing scores of court documents claims no hacking required to access files
September 10, 2012 by admin
Eli Senyor and Maor Buchnik report:
The police have
arrested Moshe Halevi, 40, from Acre, for allegedly hacking into one
of the Israeli courts’ databases and accessing thousands of case
files, some of which contain classified information.
Two additional
suspects were arrested as well. One of the suspects, Attorney Boaz
Guttman, is a former high-ranking police officer with the National
Fraud Unit.
Read more on ynet.
But was it really hacking or just
sloppy security on the court’s web site? The reporters note:
Halevi, who was in
trouble with the law in the past over similar offences, denied being
involved in any illegal hacking and was quick to blame the courts’
website administrator:
“I didn’t hack
any database. All I did was go on the website. I accessed the files
with my ID number – I didn’t use anything.
“Documents from
the Anat Kam and the Holyland cases were open and the court records
had the full name of the State witness,” he said.
Interesting comments. Probably enough
here for a Privacy article...
"I'm a mobile developer at a
startup. My experience is in building user-facing applications, but
in this case, a component of an app I'm building involves observing
and collecting certain pieces of user information and then storing
them in a web service. This is for purposes of analysis and
ultimately functionality, not persistence. This would include some
obvious items like names and e-mail addresses, and some less obvious
items involving user behavior. We aim to be completely transparent
and honest about what it is we're collecting by way of our privacy
disclosure. I'm an experienced developer, and I'm aware of a handful
of considerations (e.g., the need to hash personal identifiers stored
remotely), but I've seen quite a few startups caught with their pants
down on security/privacy of what they've collected — and I'd like
to avoid it to the degree reasonably possible given we
can't afford to hire an expert on the topic. I'm
seeking input from the community on best-practices for data
collection and the remote storage of personal (not social security
numbers, but names and birthdays) information. How would you like
information collected about you to be stored? If you could write
your own privacy policy, what would it contain? To be clear, I'm not
requesting stack or infrastructural recommendations."
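One of the "considerations" the poster mentions, hashing personal identifiers before storing them remotely, deserves a worked illustration, so here is an added example written for this post (not code from the poster or any product). It assumes a server-side secret key that is stored separately from the collected data; the sample addresses are constructed. It contrasts an unkeyed SHA-256 of an e-mail address, which anyone holding a list of candidate addresses can recompute and match, with an HMAC under the secret key, which cannot be recomputed without that key.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample records of the kind the question describes (hypothetical people).
SAMPLE_USERS = [
    {"name": "Alice Example", "email": "Alice@Example.org", "sessions": 12},
    {"name": "Bob Example", "email": " bob@example.org ", "sessions": 3},
]


def normalize_email(email: str) -> str:
    """Canonicalise first so the same address always maps to the same token."""
    return email.strip().lower()


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks anonymous, but the input space
    (real e-mail addresses) is small enough that the hash is reproducible by anyone."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret (assumed to live in a key store,
    not beside the data). Without the key, tokens cannot be recomputed or matched."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def match_naive_token(token: str, candidates: List[str]) -> Optional[str]:
    """Demonstrates the weakness: hash each candidate address and compare."""
    for cand in candidates:
        if hmac.compare_digest(naive_token(cand), token):
            return normalize_email(cand)
    return None


def match_keyed_token(token: str, candidates: List[str], key: bytes) -> Optional[str]:
    """Same matching attempt against the keyed scheme: only succeeds with the right key."""
    for cand in candidates:
        if hmac.compare_digest(keyed_token(cand, key), token):
            return normalize_email(cand)
    return None


def pseudonymize(record: Dict, key: bytes) -> Dict:
    """What actually gets stored remotely: a keyed token plus the behavioural fields
    needed for analysis. Name and raw e-mail are dropped (data minimisation)."""
    return {"user_token": keyed_token(record["email"], key), "sessions": record["sessions"]}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-in-a-key-store"
    for rec in SAMPLE_USERS:
        print(pseudonymize(rec, key))
    cands = ["carol@example.org", "alice@example.org"]
    print(match_naive_token(naive_token("Alice@Example.org"), cands))   # matched
    print(match_keyed_token(keyed_token("Alice@Example.org", key), cands, b"wrong-key"))  # None
```

The keyed token still lets the service join a user's records across uploads (the analysis use the poster wants) while a leaked copy of the database, without the key, gives no way back to the address. Rotating the key re-pseudonymizes everything, which is also how to honour a deletion request without touching each row.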
I will be interested in hearing their
“justification” for this one...
Judge won’t dismiss lawsuit accusing Minnesota school of demanding sixth-grader’s Facebook password
September 11, 2012 by Dissent
A lawsuit
filed in March against Minnewaska Area Schools has survived a
motion to dismiss. Bailey McGowan of the Student Press Law Center
reports:
Judge Michael
Davis’ Thursday decision lets the student, identified in court
documents as R.S., continue with her complaint arguing that the
school violated her First Amendment right to free speech and Fourth
Amendment right to be free from unreasonable search and seizure.
Read more on Student
Press Law Center.
(Related) It's not wrong, but it sure
is sneaky.
Why is Georgia Secretly Giving Student Test Scores to Military Recruiters?
September 10, 2012 by Dissent
Azadeh Shahshahani reports:
In 2006, Marlyn, a
mother who lives in Gwinnett County with her children, was surprised
to hear that her son Kyle, a senior at Brookwood High School, had
taken the ASVAB test. ASVAB or the Armed Services Vocational
Aptitude Battery test is the military’s entrance exam, given to
recruits to determine their aptitude for military occupations.
Marlyn does not recall consenting to her son’s taking of the test
or for the results to be sent to military recruiters. Her son did
not know either that the results would be sent to recruiters. Kyle
was subsequently contacted by recruiters and Marlyn had a tough time
getting them to stop once Kyle had made a college selection.
Marlyn and Kyle
are certainly not alone. In fact, Georgia’s record in terms of
protecting the privacy of students who take the ASVAB test has gotten
even worse over the years.
Read more on CounterPunch.
Can they make a tactical nuke that
small? (Have they asked the CIA?)
Army Wants Tiny Suicidal Drone to Kill From 6 Miles Away
Killer drones just keep getting
smaller. The Army wants to know how prepared its defense-industry
partners are to build what it calls a “Lethal Miniature Aerial
Munition System.” It’s for when the Army needs someone dead from
up to six miles away in 30 minutes or less.
How small will the new mini-drone be?
The Army’s less concerned about size than it is about the drone’s
weight, according to a recent
pre-solicitation for businesses potentially interested in
building the thing. The whole system — drone,
warhead and launch device — has to weigh under five pounds. An
operator should be able to carry the future Lethal Miniature Aerial
Munition System, already given the acronym LMAMS, in a backpack and be
able to set it up to fly within two minutes.
Because a picture is worth 1000
bytes...