The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It’s long been suspected that the FBI used Hacking Team’s tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true.
Tuesday, July 07, 2015
For my Ethical Hacking students. Would you have answered this guy? (Would your lawyers let you answer him?)
Ionut Ilascu writes:
Breaking into the systems of an organization and accessing files without authorization is regarded as trespassing. The motivation behind this act can be anything from financial gain to proving one’s skills among fellow hackers.
No matter the reasons, the success of such an action is most of the times due to lack of proper security measures.
Whitehats also resort to this method for evaluating the resilience of a company’s infrastructure against all sorts of attacks, as part of a process called penetration testing.
GhostShell, a hacker known for targeting entities from different sectors (government, law enforcement, companies) in the past, took a break in 2013 but decided to return in the spotlight this year on June 28, specifically to draw attention to the current state of insecurity many entities, and that blackhats can cause a lot of damage.
Read more on Softpedia.
[From the article:
The comeback was marked by a total of 548 announcements about compromised targets from various industries, all accompanied by proof of the hack through links to previews of the information accessed or exfiltrated.
Most of the victims were compromised in 2015, but some of them had been compromised in late 2014. The hacker said that efforts were made to report the vulnerabilities responsibly, but they went unanswered.
“Emailed more than a thousand people, not even one reply back,” the hacker said, adding that some of the sites were taken down after the intrusion, indicating that someone cared about the security of the data and made an effort to patch things up.
Also for my Ethical Hacking students. Any crime can be forgotten if you promise not to release the really embarrassing stuff?
Holder sees possible DOJ deal with Snowden
… In an interview with Yahoo News published on Monday, Holder threw cold water on the notion that the former contractor — who has been holed up in Moscow for two years — would never again step foot on U.S. soil.
“I certainly think there could be a basis for a resolution that everybody could ultimately be satisfied with,” Holder said. “I think the possibility exists.”
During the interview, Holder also appeared to go further toward praising Snowden’s actions than other members of the Obama administration have been willing to do.
… Snowden has been charged with multiple crimes for his 2013 leak of classified federal documents, including Espionage Act violations that could land him in jail for decades. Because of the nature of the charges, Snowden’s supporters say that he would not be able to fairly give his side of the story in court.
Can we agree on disingenuous? It is good to have the bad guys underestimate your capabilities.
FBI director says 'I really am not a maniac' just because he thinks he can kill encryption
The director of the FBI has denied claims the UK and US proposed encryption controls will “destroy” the internet, claiming they are a necessary step in the war on terrorism and crime.
… Comey attacked the technology in a public op-ed, where he claimed a move towards end-to-end encryption could benefit terrorist groups, more than general web users.
… The FBI director highlighted terrorist groups', such as the Islamic State (ISIS), use of encrypted online services as proof of his claim [Note that the FBI can identify ISIS communications despite the encryption. Or are they just guessing it is ISIS? Bob]
(Related) It is easier to buy these tools than to constantly reinvent the wheel.
Joseph Cox reports:
Read more on Wired.
[From the article:
The documents show that the FBI first purchased the company’s “RCS” in 2011. RCS stands for “Remote Control Service,” otherwise known as “Galileo,” Hacking Team’s premiere spy product.
RCS is a simple piece of hacking software that has been used by the Ethiopian regime to target journalists based in Washington DC. It has also been detected in an attack on a Moroccan media outlet, and a human rights activist from the United Arab Emirates.
Once a target’s computer has been infected, RCS is able to siphon off data, and listen in on communications before they have been encrypted. According to researchers based at the University of Toronto’s Citizen Lab, who have monitored the use of RCS throughout the world, the tool can also “record Skype calls, e-mails, instant messages, and passwords typed into a Web browser.” To top that off, RCS is also capable of switching on a target’s web camera and microphone.
… Despite this expenditure on controversial surveillance technology, it appears that the FBI is only using Hacking Team’s software as a “back up” to other tools, according to internal emails.
As highlighted by Forbes, Eric Rabe, Hacking Team’s communications chief, wrote in a leaked email that “The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they use.”
The NSA Hates This Free Font
Thanks mostly to Edward Snowden, the security whistleblower now resident in Russia, we all know the extent to which the National Security Agency (NSA) is spying on us all. It’s believed that using certain words in electronic communication triggers perfunctory surveillance, which is disconcerting to say the least.
However, Project Seen is a free font offering one possible solution. It automagically redacts keywords and phrases recognized as triggers for the NSA. So, by running an email through Seen before sending it, you gain the opportunity to remove any references to the interception of communications by the NSA. Nice.
A resource for my Computer Security students. Not perfect, but it will likely get better.
Site tracks and maps data breaches around the globe
by Sabrina I. Pacifici on Jul 6, 2015
“ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list, since many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers. We have tried to provide you with a sample of the most prevalent and interesting cyber events. Each incident chronicled includes the suspected attackers’ methods of penetration and apparent target to help highlight patterns of activity and emerging threats. The records are limited to episodes where data actually was compromised. These are not accounts of new viruses, spam, or malicious email campaigns that might lead to breaches. Some of the events cited are more damaging than portrayed, while others may later turn out not to be hacks at all: as you’ll see, the number of people affected is one of the hardest measures to track. About the map: The global map visualizes real-time malicious activity data captured by sensors used by the experimental Honeynet Project, an international non-profit security research organization dedicated to investigating the latest attacks and developing open source tools to improve Internet security. The green dots indicate the geographic locations of outgoing malicious activity. The map represents only some of the activity detected at any given time because not all of the project’s sensors push their data.”
Would any of the OBD Apps do the same thing?
GM to offer teen driver tracking to parents
GM has announced that it will be offering a way for parents to track their teens' driving behavior in order to help cut down on accidents.
… The new system can be set to track the distance driven, the maximum speed traveled, any over-speed warnings issued during a drive, stability control events, antilock brake events, forward collision alerts and forward-collision braking events (if the vehicle is equipped to offer them).
… Driver-tracking systems are nothing new. A vehicle's Engine Control Unit (internal computer) and on-board diagnostics (OBDs) already allow insurance companies to track driver behavior in order to offer lower rates to good drivers. Those systems, however, require a dongle to be plugged into any vehicle's OBDII port, which is located under the driver-side dashboard.
Hey, they don't like you. Get over it.
Washington State Appellate Court Agrees That Florida Divorce Lawyer Should Not Be Permitted to Unmask Online Critic
In a precedent-setting case argued by Public Citizen, the Washington state Court of Appeals has determined [PDF] that anonymous online reviewers are entitled to basic First Amendment protections.
In the case, the court denied a Florida divorce lawyer’s attempt to learn the identity of former client who wrote about her on Avvo, a Seattle-based website designed to allow users to find and rate lawyers. Public Citizen urged the court to adopt a strong standard used around the country to ensure that anonymous online critics retain their First Amendment right to post negative reviews online. The court agreed with Public Citizen and adopted most of the test that the organization advocated.
“The court has protected consumers’ ability to read criticism of businesses as well as the positive comments that are never the subject of defamation claims,” said Paul Alan Levy, the Public Citizen attorney who represented Jane Doe on appeal. “By requiring proof that the criticism is false, the Washington Court of Appeals has reassured consumers that their First Amendment right to speak anonymously cannot lightly be flouted.”
The case stems from a series of reviews that appeared on Yelp, Google and Avvo in September 2013 saying that Tampa attorney Deborah Thomson had done a poor job of handling a divorce. Thomson filed suit against the critics on May 21, 2014, in Hillsborough County, Fla., alleging defamation.
Thomson then went to court in Washington state to seek a subpoena to learn the identity of the critic who had posted on Avvo. Although 12 states and the District of Columbia, as well as many federal courts, have adopted standards that provide strong First Amendment protections to anonymous online reviewers, before this case, state courts in Washington had not yet set a standard. Thomson did not seek a subpoena in California, where Yelp and Google are based, and a state that has a strong protective standard.
A Washington trial court earlier rejected Thomson’s request for a subpoena, and she appealed. In its brief on behalf of Doe, Public Citizen urged the appellate court to require people who seek to identify online critics to provide proof that the criticisms are false and defamatory. Public Citizen’s work on other cases throughout the country helped create the standard for which we advocated.
“Happy Birthday! Would you like to buy a cake?”
This is the real reason Twitter is copying Facebook and wants your birthday
Twitter wants you to celebrate your birthday on its social network, and it will even give you some animated balloons for your profile when it's your special day of the year.
But, that's not the only birthday present Twitter will give you.
Buried beneath those birthday balloons is the real reason Twitter wants to know your birthday: it wants to better target ads.
In a link to a help center article on profile visibility, Twitter acknowledges that your birthday information will be used to "customize your Twitter experience."
"For example, we will use your birthday to show you more relevant content, including ads," the site reads.
It's all about what you don't say? Would every ecommerce site need to list everything that they don't sell that might be a match for the search terms?
Amazon must face trademark lawsuit over search results
Amazon.com Inc must face a trademark lawsuit brought by a watchmaker which says the online retailer's search results can cause confusion for potential customers, a federal appeals court ruled.
… MTM Special Ops are a military style model of watches which are not sold on Amazon's web site, according to the court ruling. If an Amazon shopper searches for it, however, Amazon the site will not say it does not carry MTM products.
Instead, Amazon displays MTM Special Ops in the search field and immediately below the search field, along with similar watches manufactured by MTM's competitors for sale.
MTM alleged this could cause customers to buy from one of those competitors, rather than encouraging the shopper to look for MTM watches elsewhere.
… In a dissent, 9th Circuit Judge Barry Silverman said Amazon's search results page clearly labels manufacturer for each watch.
"No reasonably prudent consumer accustomed to shopping online would likely be confused as to the source of the products," he wrote.
MTM attorney Eric Levinrad on Monday said that unlike Amazon, other online retailers will give customers a message that they don't sell a product if that's the case.
The case in the 9th Circuit is Multi Time Machine Inc vs. Amazon.com Inc and Amazon Services LLC, 13-55575.
Food for thought? Do we even teach kids how to use computers?
BBC Micro Bit computer's final design revealed
The BBC has revealed the final design of the Micro Bit, a pocket-sized computer set to be given to about one million UK-based children in October.
… The BBC's director general Tony Hall said the device should help tackle the fact children were leaving school knowing how to use computers but not how to program them.
Not a Spring Break thing. Florida just hates sex?
Man convicted of having sex on Bradenton Beach sentenced to 2 1/2 years in prison
The man convicted in May of having sex on Bradenton Beach nearly a year ago was sentenced to 2 1/2 years in prison on Monday.
Jose Caballero, 40, was found guilty of having sex on a public beach in broad daylight with Elissa Alvarez, 21, on July 20, 2014. Nearby witnesses caught the two on video, with Alvarez moving on top of Caballero in a sexual manner, and testified that a then 3-year-old girl saw the act. [Where were mom and Dad? Bob] Both were convicted on two counts of lewd and lascivious exhibition.
"Our office had discretion, and we felt that 2 1/2 years was something that not only held him accountable but also reflected his past history, as well," said Anthony Dafonseca, assistant state attorney.
Alvarez was sentenced to time served in May, but Dafonseca said they sought more time for Caballero because of his previous conviction and eight years in prison for cocaine trafficking. Originally, the prosecution filed paperwork to seek the maximum 15 years in prison for Caballero, but dropped that move soon after the guilty verdict.
Man Dressed as Armored Truck Driver Walks Out of Walmart With $75,000
"He came to the Walmart kind of dressed like a Loomis armored car driver," Williams said. Walmart employees called police after the real Loomis employee arrived about 45 minutes later.