Tuesday, August 27, 2013

Tools & Techniques for my Ethical Hackers. A very common error in security design.
paganinip posts:
Security researcher Dan Melamed has found a serious Pinterest exploit that exposed the information of over 70 million accounts.
The security researcher Dan Melamed has found a critical Pinterest exploit that compromised the privacy of over 70 million users; the flaw allows hackers to view the email address of any user on Pinterest.
Dan found a way to access the information belonging to the owner of the access token; as the researcher has shown, it is possible to display it by visiting the following URL.
By substituting the “/me/” part of the link with the username of another Pinterest user, it is possible to view that user's email address.
Read more on SecurityAffairs.co. The exploit has already been patched, and it sounds like Pinterest responded appropriately to notification of the problem.
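The flaw described above is a missing object-level authorization check: the server resolved whichever user was named in the URL but never compared that user to the owner of the access token. The toy handler below is an added example, not Pinterest's or the researcher's code; it reconstructs that pattern beside a hardened version, and the `/v1/users/<name>/` path shape, the token values and the profile records are constructed assumptions.

```python
# Constructed sample data (not real Pinterest data): which access token
# belongs to which user, and each user's profile with a private email field.
TOKENS = {"tok-alice-123": "alice"}
PROFILES = {
    "alice": {"username": "alice", "email": "alice@example.com"},
    "bob": {"username": "bob", "email": "bob@example.com"},
}
PUBLIC_FIELDS = ("username",)


class Forbidden(Exception):
    """Raised when a request carries no valid access token."""


def owner_of(token):
    """Authenticate the caller: map an access token to the user who owns it."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Forbidden("unknown or expired access token")


def resolve_target(path, token_owner):
    """Turn the path into a username. '/me/' means the token owner;
    any other segment names someone else (assumed '/v1/users/<name>/' shape)."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[:2] != ["v1", "users"]:
        raise ValueError("unexpected path: %r" % path)
    name = parts[2]
    return token_owner if name == "me" else name


def vulnerable_handler(path, token):
    """Reconstruction of the reported behaviour: the token is validated, the
    username is resolved, but the two are never compared, so swapping '/me/'
    for another username returns that user's private email."""
    owner = owner_of(token)
    target = resolve_target(path, owner)
    return dict(PROFILES[target])


def hardened_handler(path, token):
    """Fix: authentication tells us who is asking, authorization decides what
    they may see. Private fields are returned only for the caller's own record."""
    owner = owner_of(token)
    target = resolve_target(path, owner)
    profile = PROFILES[target]
    if target != owner:
        return {k: profile[k] for k in PUBLIC_FIELDS}  # strip email for others
    return dict(profile)
```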

(Related) ...although this looks deliberate. Note that the metadata revealed this information, not the content of the letter.
Discover and American Express often submit copies of their breach notification letters to cardmembers to state attorneys general. Their letters, however, generally do not include the name of a breached merchant, so it is often difficult to know what to make of their submissions. But one particular American Express notification, submitted to California last week, caught my attention. Their letter states:
A company that provides payment processing services to numerous merchants has informed us that there has been unauthorized access to its processing system. As a result, account information of some of our Cardmembers, including some of your account information, may have been improperly accessed.
The breach occurred on January 15, according to the date American Express reported to California. But which payment processing services provider and what happened – and when did the provider discover the breach? AmEx reported to California that the breach was discovered on August 23, but I suspect this means that they first learned of the breach on August 23 and that is not when the breached entity learned of the breach.
From the filename AmEx used for its notification letter (“Celerant-C2013068451%20CA%20Customer%20Letter_0.pdf”) and the description saying “Celerant customer letter” (see screen shot taken from the California Attorney General’s web site), the breach appears to have been at Celerant Technology Corporation:
Celerant is a certified provider of retail payment processing software. On its web site, it states:
Celerant offers a multichannel, retail software solution for numerous retail industries, including apparel, footwear, sporting goods, furniture, specialty, gifts, convenience and more. With over 450 clients primarily within the United States, Canada, Europe and the Middle East, our retail system provides an all-in-one solution for retailers selling via brick and mortar stores and on the web.
DataBreaches.net has sent two emails to Celerant since Friday requesting confirmation and information on the breach, but has received no response as yet. I will provide an update when more information becomes available.

For my law geeks...
Jeffrey Brown of CybercrimeReview.com points readers to an upcoming article in the University of Pennsylvania Journal of Constitutional Law. Here’s the abstract of “The Fourth Amendment Implications of the Government’s Use of Cell Tower Dumps in its Electronic Surveillance” by Brian Owsley:
Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound including new surveillance methods by law enforcement.
… Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a “cell tower dump,” such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: “A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time.”
… No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers.
… This article provides a brief description of cellular telephone and cell-site technology in Part I. Next, Part II addresses the evolution of Fourth Amendment jurisprudence and argues that the reasonable expectation of privacy standard applies to electronic surveillance such as cell tower dumps. In Part III, the discussion follows the development of statutes addressing electronic surveillance and argues that cell tower dumps request more information than simply just telephone numbers. Part IV analyzes records from both cellular service providers and the federal government to conclude that cell tower dumps routinely occur. Part V assesses the few decisions that even discuss cell tower dumps and argues that the analysis is either non-existent or flawed regarding the use of the Stored Communications Act to permit cell tower dumps. Next, Part VI asserts that cell tower dumps cannot be analyzed pursuant to the Stored Communications Act because the language of the statute is inapplicable and the amount of information sought requires a warrant based on probable cause and concludes by proposing some protocols to safeguard individual privacy rights.
You can download the article from SSRN.

Something for my Ethical Hackers to override?
Police throughout the globe have been embarrassed to see online videos of their officers pepper-spraying tied captives. In our age of mobile gadgets the pictures can be uploaded online in seconds, forcing supervisors to answer questions.
But now the police may not need to fear scrutiny anymore, because Apple has recently patented a piece of technology that would allow the authorities and police to block data transmission, including video and photos, whenever they like. All they need to do is decide that a public gathering or venue is deemed “sensitive” and needs to be protected from externalities. In this case Apple will enable them to switch off all its gear. The developers insist that the affected locations are normally cinemas, theaters and concert grounds, but Apple admits it could also be used in covert police or government operations that may need complete “blackout” conditions.
Read more on VeteransToday. Thanks to Joe Cadillic for the link.
And if law enforcement or government activate this in a public demonstration/crowd situation, how is this not a violation of First Amendment rights to film public employees in the performance of their duties?

“You have a license to drive and we want to know where you drive.” I suppose driving with disabled trackers will be illegal.
California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.
Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.
The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints. [Like the ones in Egypt? Bob]
Read more on Papers, Please!
Another step in our march towards a national ID and total surveillance state, it seems.

Be sure to check the credit score of anyone you want to “friend.” (Or Big Data will get you!)
Facebook friends could change your credit score
A handful of tech startups are using social data to determine the risk of lending to people who have a difficult time accessing credit. Traditional lenders rely heavily on credit scores like FICO, which look at payments history. They typically steer clear of the millions of people who don't have credit scores.
But some financial lending companies have found that social connections can be a good indicator of a person's creditworthiness.
One such company, Lenddo, determines if you're friends on Facebook (FB) with someone who was late paying back a loan to Lenddo. If so, that's bad news for you. It's even worse news if the delinquent friend is someone you frequently interact with.

Expect more hype and a “3D Bubble” followed by a collapse.
Wall Street Wakes Up to 3D Printing, Predicts Massive Growth

Oh those poor lawyers...
Chelsea Allison reports:
In a long-awaited conclusion to Facebook’s “Sponsored Stories” class action saga, a federal judge gave final approval to a $20 million settlement Monday but took an axe to the $7.5 million in fees requested by plaintiffs attorneys.
The settlement approved by U.S. District Judge Richard Seeborg provides for each Facebook user who submitted a valid claim to receive $15, with remaining funds disbursed to 14 organizations focused on consumer protection, privacy and other issues raised in the suit. Facebook Inc. is also required to improve its disclosure practices, giving users more control over when and how their names and photos will be used. The company must also create special controls for minors.
Read more on Law.com.

I didn't say it. I might have thought it, but I didn't say it.
Students Learn Less in States with Stronger Teachers' Unions
A 1-standard-deviation rise in teachers' union dues per teacher is associated with a 4% fall in student proficiency rates, according to a study of 721 U.S. school districts in 42 states by Johnathan Lott of the University of Chicago Law School and Lawrence W. Kenny of the University of Florida. Dues support union lobbying, which typically pushes for policies such as blocking merit pay and limiting the Teach for America program. Consequently, student proficiency is lower in states with stronger teacher unions, the researchers say.

Tools & Techniques Something to review before you sign up.
– Many companies use dark pattern techniques to make it hard to find out how to delete your online account. JustDelete.me is a website that aims to be a directory of URLs to enable you to easily find and delete your account from web services. All listed sites are colour-coded to indicate the difficulty level of account deletion. There is also additional info for each site explaining how to proceed.

For my Smartphone toting students...
The best way to study and review text is to highlight and annotate what you read, and two of the most useful tools for doing this are the online and iPad app, Diigo, and the recently updated eHighlighter.
… Diigo provides you tools to bookmark and annotate webpages, and to also review, manage, and share your annotations in your Diigo account. All your highlights and notes get listed under the source link for each article. You can tag articles and group them into folders.
… If you’re like me and you still also read paper books, you probably know how laborious it can be to type and transcribe text from a book you’re reading. With an iPhone OCR app called eHighlighter ($4.99), you can actually take a photo of a page you’re reading in a book, mark the text you want to copy, and eHighlighter will, using OCR technology, translate that image capture into text.
Before you start collecting highlights with eHighlighter, you can use the app to scan the bar code of the book, and in turn the app will locate and download the relevant information (title, author, publisher and date). If the barcode is not available, you can do a manual search in eHighlighter.

This is cool...
Lingualy Helps You Learn a Language While Browsing the Web
Lingualy is a free Google Chrome extension designed to help you learn a new language while browsing the web. With Lingualy installed, any time you come across a new word you can double-click on it to hear it pronounced, read a translation, and read a definition. The words that you double-click are added to your Lingualy account, where you can review them in a quiz format. Watch a short overview of Lingualy in the video below.
Lingualy supports English, Spanish, French, Hebrew, and Arabic. You could have students use Lingualy while reading news articles in the language that they're trying to learn. That would provide some current context for language lessons.

For my students. What does it say about America when Mad Magazine can safely assume everyone knows what they are talking about here?
