Tuesday, July 21, 2015

I do like the “You've done something incredibly stupid, now pay me to erase the evidence” strategy.
Hacked infidelity site Ashley Madison offers free profile deletion
Extramarital dating site Ashley Madison has apologised to its users a second time for allowing its database to be comprehensively stolen, and is temporarily offering users the ability to fully delete their account from the site free of charge.
The “paid delete” ability, which typically costs £15 in the UK and $19 in the US per account, was cited by Ashley Madison’s pseudonymous attacker, The Impact Team, as a main reason for the hack in the first place. The group alleged that the site did not in fact fully delete all information about a user, even after they had paid the fee.
… It is not clear whether the move is intended to assuage some of the hackers demands or simply an attempt to lock the stable door after the horse has bolted.
… Tod Beardsley, security engineering manager at cybersecurity firm Rapid7, says the hack is likely to be extremely damaging once more data is made public, as users will not want to admit they have suffered a breach.
… Ashley Madison’s chief executive and founder, Noel Biderman, said on Sunday that the firm believes the hack was an inside job, from someone who already had access to its systems. “I’ve got their profile right in front of me, all their work credentials,” he told the security journalist Brian Krebs. “It was definitely a person here that was not an employee but certainly had touched our technical services.” [What outsider would have the ability to copy their entire (unencrypted) database? Bob]

(Related) Hactivism continues.
Of course, the big news today was the hack of AshleyMadison.com and the potential embarrassment it may cause to those using its services to have affairs. Not to be deterred from his mission, however, @ElSurveillance continued attacking escort-related sites, posting the same message on their home page that he’s posted in the past:
Dear Admin and the clients
What such a great example you have given to the world
On how we can teach and raise our next generations
So they can live a much better life, Serve and save our
Planet instead of just wasting their money and help
Spread the viruses just like every single stupid
Government in every single country do these days
Since you came all the way to here, There’re two things
That you can do while still viewing this page
1 – Turn on your volume and listen to the Qur’an & Just
Listening to your feelings instead of listening to the
Media and the stupid ISIS
2 – Have a look at your Logs which includes your IP
Today’s batch of escort-related services defaced/hacked by @ElSurveillance, with links to their mirrors on Zone-h.org:
Note: @ElSurveillance does not appear to be dumping any personal data on users, other than the IP addresses and browser info that show up in the sites’ logs. But the hacks are yet another reminder that if you don’t want your details and activity on a site showing up in a data dump, you should be using a throwaway account and a proxy (unless, of course, you have to give your credit card details to get services or have your account deleted, in which case you’d better hope for strong encryption and no pissed-off employees who want to screw their employer!)
Alternatively, you could not visit/use those sites, which seems to be what @ElSurveillance is hoping you’ll choose to do.
Update: @ElSurveillance informs DataBreaches.net that he has acquired user data from sites but hasn’t dumped it – yet.

Interesting change in thinking?
Margaret Cronin Fisk reports:
Neiman Marcus Group LLC must face a proposed class action in which the high-end retailer is accused of failing to protect customers from computer hackers who stole credit and debit card information, an appeals court ruled, saying a judge decided too soon that the victims didn’t have a case.
The decision reverses a September ruling by a Chicago federal judge who found the customers didn’t show they suffered concrete harm. The consumers sued Neiman Marcus for negligence, breach of contract and deceptive business practices.
Read more on Bloomberg.
[From the article:
U.S. District Judge James B. Zagel, in rejecting the lawsuit last year, said customers weren’t claiming they hadn’t been reimbursed for fraudulent billings. He said he wasn’t convinced that there were concrete injuries if the card-owners weren’t responsible for the bills.
Unreimbursed payments weren’t the only possible harm, the appeals court found, citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years.
“Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the panel said.

For my Ethical Hacking students. Never trust the default settings!
Configuration Issue Exposes 30,000 MongoDB Instances: Researcher
Nearly 30,000 MongoDB instances are accessible over the Internet without any authorization enabled, an expert has warned.
With more than 10 million downloads, 2,000 customers and 1,000 partners, MongoDB is the most popular NoSQL database system. MongoDB is used by organizations such as eBay, LinkedIn, SAP and Sourceforge.
According to John Matherly, founder of the computer search engine Shodan, roughly 30,000 MongoDB instances containing nearly 600TB of data are exposed on the Internet.
The expert said he was surprised by the results of the Shodan search considering that the “mongodb.conf” configuration file available on GitHub since 2013 specified that MongoDB listens on localhost by default.
The issue was reported in early 2012 by Roman Shtylman (SERVER-4216), but it took MongoDB developers more than two years to actually address it.
Matherly says MongoDB 2.4.14, a maintenance release from April 28, 2015, is the last version that still listens on 0.0.0.0 by default, which means listening is enabled on all interfaces. The expert believes early versions of MongoDB 2.6 might also lack binding to localhost.
This isn’t the first time researchers report finding MongoDB databases exposed on the Web. In February, students from the Saarland University in Germany revealed finding nearly 40,000 exposed instances.
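The exposure described above is trivial to confirm from the outside: a server bound to all interfaces with no authentication will answer `listDatabases` for anyone who can reach TCP/27017. The following is an added example (not from the article, Shodan or MongoDB) that hand-builds the legacy OP_QUERY message the 2.x-era servers speak (newer servers prefer OP_MSG), sends it to `admin.$cmd`, and classifies the reply as `exposed` (database list returned), `auth-required` (MongoDB's `Unauthorized`, error code 13) or `unknown`. The tiny BSON encoder/decoder and the `make_reply` helper exist so the parsing can be exercised offline against constructed replies; `probe()` needs a live host and should only be pointed at systems you own. The fix on the server side is the setting Matherly refers to: `net.bindIp: 127.0.0.1` (or `bind_ip = 127.0.0.1` in the older ini-style file) plus `security.authorization: enabled` (`auth = true`).

```python
"""Offline-testable probe for MongoDB instances that answer commands without authentication."""
import socket
import struct
import sys

OP_REPLY = 1      # server -> client
OP_QUERY = 2004   # client -> server; the opcode the 2.x-era servers in the article speak


def bson_encode(doc):
    """Encode a dict into BSON: bool, int32, double, string, embedded document, array."""
    body = b""
    for key, value in doc.items():
        ckey = key.encode() + b"\x00"
        if isinstance(value, bool):            # must precede int: bool is an int subclass
            body += b"\x08" + ckey + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + ckey + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + ckey + struct.pack("<d", value)
        elif isinstance(value, str):
            data = value.encode() + b"\x00"
            body += b"\x02" + ckey + struct.pack("<i", len(data)) + data
        elif isinstance(value, dict):
            body += b"\x03" + ckey + bson_encode(value)
        elif isinstance(value, list):
            body += b"\x04" + ckey + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported BSON value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"   # length field + body + terminator


def bson_decode(buf, pos=0):
    """Decode one BSON document at pos; returns (dict, position just after the document)."""
    size = struct.unpack_from("<i", buf, pos)[0]
    end, pos = pos + size, pos + 4
    out = {}
    while buf[pos] != 0:
        typ, pos = buf[pos], pos + 1
        kend = buf.index(b"\x00", pos)
        key, pos = buf[pos:kend].decode(), kend + 1
        if typ == 0x01:
            out[key], pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif typ == 0x02:
            slen = struct.unpack_from("<i", buf, pos)[0]
            out[key], pos = buf[pos + 4:pos + 4 + slen - 1].decode(), pos + 4 + slen
        elif typ in (0x03, 0x04):
            sub, pos = bson_decode(buf, pos)
            out[key] = list(sub.values()) if typ == 0x04 else sub
        elif typ == 0x08:
            out[key], pos = buf[pos] == 1, pos + 1
        elif typ == 0x10:
            out[key], pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif typ == 0x12:
            out[key], pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError(f"unhandled BSON type 0x{typ:02x}")
    return out, end


def build_query(command, request_id=1):
    """OP_QUERY against admin.$cmd: flags, collection cstring, numberToSkip, numberToReturn, query doc."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"
            + struct.pack("<ii", 0, 1) + bson_encode(command))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def parse_reply(data):
    """Return the first document of an OP_REPLY (the command result)."""
    length, _req, _resp, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_REPLY or length != len(data):
        raise ValueError("not a complete OP_REPLY")
    if struct.unpack_from("<i", data, 32)[0] < 1:   # numberReturned
        raise ValueError("reply carries no documents")
    return bson_decode(data, 36)[0]


def classify(result):
    """'exposed' when listDatabases succeeded; 'auth-required' on MongoDB's Unauthorized (code 13)."""
    if result.get("ok") == 1.0 and "databases" in result:
        return "exposed"
    if result.get("code") == 13 or "not authorized" in str(result.get("errmsg", "")).lower():
        return "auth-required"
    return "unknown"


def make_reply(result_doc, response_to=1):
    """Constructed OP_REPLY (responseFlags, cursorID, startingFrom, numberReturned=1) for offline tests."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(result_doc)
    return struct.pack("<iiii", 16 + len(body), 99, response_to, OP_REPLY) + body


def probe(host, port=27017, timeout=5.0):
    """Send listDatabases to a live server and classify the answer. Only run against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query({"listDatabases": 1}))
        data = s.recv(4)
        total = struct.unpack("<i", data)[0]
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection mid-reply")
            data += chunk
    return classify(parse_reply(data))


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 27017))
```

Run it as `python probe.py 10.0.0.5`. An `exposed` verdict means anyone on the network path can enumerate and dump the data, which is exactly the population Shodan was counting; `auth-required` means the bind address is still wider than it should be but credentials are at least being enforced.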

For my Computer Security students (and paranoids everywhere).
Rook Security Unveils Hacking Team Breach Detection Tool
IT security firm Rook Security has released a free software tool designed to help organizations determine if they have been impacted by malware developed by Italian surveillance software maker Hacking Team.
The tool, dubbed the “Milano utility” by Rook, scans systems for the presence of files associated with the recent Hacking Team breach.
According to the Indianapolis, Indiana-based security firm, the tool can perform a basic scan for files by filename, or a more comprehensive deep scan that checks all files (using their computed hash) against all MD5s from Hacking Team-associated files leaked in the breach.
A beta release of the Milano Hacking Team Malware Detection Utility, along with a list of the indicators of compromise (IOCs) for the Hacking Team breach are available online.
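The two-pass design described above (cheap filename match first, hash every file only on request) is easy to reproduce. What follows is an added example, not Rook's Milano utility and not the leaked Hacking Team indicators: the `SAMPLE_IOCS` list is constructed for the demo (the one MD5 in it is the well-known digest of "The quick brown fox jumps over the lazy dog"), and `demo()` builds a throwaway directory so the sweep can run offline. It shows why the deep scan matters: a renamed sample slips past the quick scan and is only caught by its hash.

```python
"""Two-pass sweep of a directory tree against a filename/MD5 indicator list."""
import hashlib
import os
import shutil
import tempfile

# Constructed indicators for the demo, NOT the leaked Hacking Team IOCs.
# An entry may carry a filename (quick scan), an MD5 (deep scan), or both.
SAMPLE_IOCS = [
    {"filename": "agent.exe", "md5": None},
    # md5 of the 43-byte string "The quick brown fox jumps over the lazy dog"
    {"filename": None, "md5": "9e107d9d372bb6826bd81d3542a419d6"},
]


def index_iocs(iocs):
    """Split the indicator list into a case-folded name set and a lower-case hash set."""
    names = {i["filename"].lower() for i in iocs if i.get("filename")}
    hashes = {i["md5"].lower() for i in iocs if i.get("md5")}
    return names, hashes


def md5_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs, deep=False):
    """Return sorted [(path, 'filename'|'md5')]. The quick scan matches names only;
    the deep scan additionally hashes every file that did not already match by name."""
    names, hashes = index_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append((path, "filename"))
            elif deep:
                try:
                    if md5_file(path) in hashes:
                        hits.append((path, "md5"))
                except OSError:   # unreadable or vanished file: skip it, do not abort the sweep
                    pass
    return sorted(hits)


def demo():
    """Constructed tree: one name hit, one renamed hash hit, one clean file. Returns both scans."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "sub"))
        files = {
            "agent.exe": b"MZ constructed stub",
            os.path.join("sub", "renamed.bin"): b"The quick brown fox jumps over the lazy dog",
            "readme.txt": b"benign content",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        quick = [(os.path.relpath(p, root), k) for p, k in scan(root, SAMPLE_IOCS)]
        deep = [(os.path.relpath(p, root), k) for p, k in scan(root, SAMPLE_IOCS, deep=True)]
        return {"quick": quick, "deep": deep}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. A hash indicator only ever matches the exact sample that was leaked; recompiling, repacking or appending a single byte produces a different MD5, so a clean result rules out the known files, not the toolkit. And MD5 is used here purely as a file-identity lookup against a published list, which is fine for that purpose, but a defender publishing new indicators should also include SHA-256 so consumers are not forced onto a broken hash.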

Anything the operating system does could be exploited. Hackers only need one entry point. Microsoft has to defend them all.
Windows vulnerability lets hackers take control of computers, Microsoft issues fix for PCs
… A vulnerability in the way that computers running the software handle fonts could be exploited to seize control of a computer, Microsoft said. The company has already issued a fix for the problem, which it recommends that users download and install as soon as they can.
Users can patch up their computer by running Windows Update, which can be accessed through the Start button.
… An attacker using the vulnerability could “install programs; view, change, or delete data; or create new accounts with full user rights”, Microsoft said.

One of the worst things a manager can say: “Hey! You know what we could have done?” Yet it seems proper procedures become obvious only after the breach.
Dara Bradley reports:
New guidelines for supervising students conducting research at University Hospital Galway (UHG) were put in place following the discovery of a serious breach of data protection of female patients at the hospital.
The guidelines were put in place in response to one of a number of data protection breaches, including release of sensitive information about patients and minors, within the health service in Galway in the past year.
All bar one of the incidents were reported to the Data Protection Commissioner, according to Health Service Executive internal documents released under the Freedom of Information Act.
Read more on Connacht Tribune for a recap of the types of breaches that had occurred.
[From the article:
One of the local breaches included a research student at University Hospital Galway being given the names and addresses of women patients – the student contacted the patients at their homes.
The breach deviated from ethics approval guidelines.
Following an investigation, the HSE said “steps have been put in place to ensure adequate supervision of students conducting research”. [Translation: “We didn't bother to supervise the students.” Bob]

Professor Soma at the Sturm College of Law was teaching Computer Law before there was a World Wide Web. (That's like a million Internet years ago!) Nice that the DoJ is starting to catch up!
DoJ: Firms Should Hire Cyber-Savvy Lawyers
… The U.S. government -- itself a cybervictim -- provides the guidance we have been waiting for. The Cybersecurity Unit, part of the Computer Crime & Intellectual Property Section (CCIPS) within the Department of Justice Criminal Division, earlier this year issued its Best Practices for Victim Response and Reporting of Cyber Incidents.

(Related) Constant change.
What Is a ‘Computer’ Anymore?
People used to be computers. That is, for hundreds of years, computing was the work of humans, and very often women. Then, in the mid-20th century, machines began to take on the bulk of computing work, and the definition of “computer” changed.
… “Because we’re making an architectural change, not just a technology change. The new kinds of capabilities—it won’t be a linear scale—this will be a major leap.”
The architectural change he’s talking about has to do with efforts to build a computer that can act—and, crucially, learn—the way a human brain does.

I thought we had clearly labeled this a “Worst Practice” years ago. Yet we make the exact same stupid mistakes over and over again.
Users' data compromised after technical glitch at Home Office contractor
… VFS Global, which acts for around 45 governments, released online application forms this week that used sequential reference numbers, allowing users to access other people’s private information by mistake.
Users could see the personal information of other applicants, including their date of birth, passport details and addresses, if they mistakenly [or deliberately Bob] input the ID number of another person when logging into the system.
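The flaw described is the textbook insecure direct object reference: the reference number is both predictable (the next applicant is always one higher) and the only thing the lookup checks. The example below is added here and has nothing to do with VFS Global's actual code; the applicants are constructed. It puts the vulnerable pattern beside the hardened one, which needs two changes: references drawn from a CSPRNG so a typo or a loop cannot land on a neighbour's record, and, more importantly, a server-side check that the record belongs to the logged-in user, since an unguessable reference alone can still leak through logs, referrers or shared screens.

```python
"""Sequential, unchecked reference numbers versus unguessable references plus an ownership check."""
import secrets


class VulnerableStore:
    """Models the flaw described: refs are consecutive and lookup trusts the number alone."""

    def __init__(self):
        self._next_ref = 1000
        self._records = {}

    def create(self, owner, passport, dob):
        ref = self._next_ref
        self._next_ref += 1                      # the next applicant is always ref + 1
        self._records[ref] = {"owner": owner, "passport": passport, "dob": dob}
        return ref

    def lookup(self, ref, requester):
        return self._records.get(ref)            # requester is ignored: any valid ref returns a record


class HardenedStore:
    """Refs drawn from a CSPRNG, and the server checks the record belongs to the logged-in user."""

    def __init__(self):
        self._records = {}

    def create(self, owner, passport, dob):
        ref = secrets.token_urlsafe(24)          # 192 bits: off-by-one guessing finds nothing
        self._records[ref] = {"owner": owner, "passport": passport, "dob": dob}
        return ref

    def lookup(self, ref, requester):
        rec = self._records.get(ref)
        if rec is None or rec["owner"] != requester:
            return None                          # same answer for "no such ref" and "not yours"
        return rec


def demo():
    """Constructed applicants; returns what each store hands to Alice when she tries Bob's reference."""
    v, h = VulnerableStore(), HardenedStore()
    v_alice = v.create("alice", "P1234567", "1980-01-01")
    v.create("bob", "P7654321", "1975-05-05")
    h_alice = h.create("alice", "P1234567", "1980-01-01")
    h_bob = h.create("bob", "P7654321", "1975-05-05")
    return {
        "vulnerable_off_by_one": v.lookup(v_alice + 1, "alice"),   # Bob's record
        "hardened_others_ref": h.lookup(h_bob, "alice"),           # None
        "hardened_own_ref": h.lookup(h_alice, "alice"),            # Alice's record
        "ref_length": len(h_bob),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the ownership check by itself would have closed the hole even with sequential numbers; the random reference is defence in depth against enumeration, not a substitute for authorization. Returning the same `None` for "does not exist" and "belongs to someone else" also denies an attacker an oracle for which references are valid.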

Here in the US, the government wants to control all health information. We wouldn't even notice if this happened here.
Gerri Peev and Jack Doyle report:
A Downing Street official has demanded confidential details of millions of GP appointments.
Sparking yet another NHS privacy row, she has ordered the firm in charge of bookings [Not the doctors, nor the patients. Bob] at most English surgeries to hand over the sensitive data urgently.
The information includes the date, time and duration of appointments as well as the reason for the consultation.
Most of the postcode of the patient is also asked for, as well as their date of birth, according to a letter seen by the Daily Mail.
The information is intended to gauge demand for the Government’s planned seven-day NHS. But privacy campaigners say it is incredible that neither patients nor their GPs have been consulted about the move.
Read more on The Daily Mail.

Because eventually all these students will become criminals!
sosadmin writes:
The Department of Justice’s National Institute for Justice funds law enforcement research to the tune of tens of millions of dollars each year.
One of those projects is a City of Chicago Board of Education program called “Connect and Redirect to Respect (CRR),” which aims “to use social media monitoring to identify and connect youth to behavioral interventions.” In other words, the DOJ is giving $2.1 million dollars to the Chicago public schools to conduct research on how spying on student social media can impact school discipline. In New York, police spying on youth social media has resulted in the criminalization of speech.
Read more on PrivacySOS.

I find this type of story amusing, trashy but funny.
Daniel DeMay reports:
The city of Seattle says its process for making sure residents comply with a compost ordinance is legal and doesn’t violate privacy, despite arguments made in a lawsuit filed last week.
The City Attorney’s Office issued a statement Monday saying that, after reviewing the lawsuit, it believes the ordinance “fully complies with the law, including the enhanced privacy protections afforded by the Washington Constitution.”
Read more on Seattle PI.

Now every fast food joint has an App for your smartphone. What we need is an App that reminds us how healthy all that junk really is.
Online food delivery ordering is about to overtake phone ordering in the US
Getting your dinner to your door is now easier than ever, and thanks to the internet, almost no human interaction is required. [Attention Ethical Hacking students! Bob]
While phone orders dominated delivery only five years ago, the balance between meal orders placed over the phone versus those placed online have nearly switched, with internet orders on track to surpass phone orders any minute now.
… Services like UberEATS, Caviar, Postmates, and DoorDash are providing delivery services for restaurants that don’t have their own, upgrading customers’ dinner choices from the typical pizza, sushi and Chinese food to include more artisanal, freshly prepared, and lovingly packed meal options. These companies handled orders totaling $400 million in 2014, says Cowen and Company, and that’s expected to jump to $1.6 billion in 2016.

Sports can make you healthy and quite rich.
NFL teams each earn $226.4M from national revenue sharing
… The Packers set records in total revenue and local revenue last year; their local revenue was $149.3 million, up 9.4 percent, mostly because of their newly expanded pro shop at Lambeau Field. The 21,500-square-foot store is the largest team store in the NFL.
Packers CEO Mark Murphy said the team was 18th in the league in average ticket prices. But with 7,000 more seats added in the past couple of years, the team has the second-biggest stadium in the league. That allowed the NFL's smallest host city to maintain its spot in the top 10 in league revenue (ninth).
The Packers are required to announce earnings because they are technically a public entity, although the franchise's 360,760 shareholders hold stock that they paid for that has no value and cannot be traded.

For my students in the “Outdoor Adventure Club?” (Digest Item#2)
Earn Money Shooting GoPro Videos
Action camera manufacturer GoPro has launched a content licensing portal designed to pair creators with advertisers. The biggest and best GoPro videos will be featured on GoPro Licensing, with brands and marketers able to purchase the footage for use in advertising campaigns.
For content creators, GoPro Licensing means an opportunity to make serious money from shooting video, with prices starting at $1,000 per clip. For marketers, GoPro Licensing means an opportunity to use ready-made footage likely to attract serious attention, and without the need to pay for production.
GoPro has already struck deals with multiple amateur and professional videographers, meaning there are 600 videos available at launch. According to AdWeek, the number of clips will continuously expand, with GoPro hoping to be to video “what Getty Images and Shutterstock are to still images”.

Teaching my students to write more carefully?
Using Social Media Without Jeopardizing Your Career

Boy, has Sears changed! I recently visited the Sears website, so naturally they send me Ads for things on the pages I browsed. I must have missed something, because “One of these things is not like the others!” (The Ad did get my attention!)
