I do like the “You've done something incredibly stupid, now pay me to erase the evidence” strategy.
Hacked infidelity site Ashley Madison offers free profile deletion
Extramarital dating site Ashley Madison has apologised to its users a second time for allowing its database to be comprehensively stolen, and is temporarily offering users the ability to fully delete their account from the site free of charge.
The “paid delete” ability, which typically costs £15 in the UK and $19 in the US per account, was cited by Ashley Madison’s pseudonymous attacker, The Impact Team, as a main reason for the hack in the first place. The group alleged that the site did not in fact fully delete all information about a user, even after they had paid the fee.
… It is not clear whether the move is intended to assuage some of the hackers’ demands or simply an attempt to lock the stable door after the horse has bolted.
… Tod Beardsley, security engineering manager at cybersecurity firm Rapid7, says the hack is likely to be extremely damaging once more data is made public, as users will not want to admit they have suffered a breach.
… Ashley Madison’s chief executive and founder, Noel Biderman, said on Sunday that the firm believes the hack was an inside job, from someone who already had access to its systems. “I’ve got their profile right in front of me, all their work credentials,” he told the security journalist Brian Krebs. “It was definitely a person here that was not an employee but certainly had touched our technical services.” [What outsider would have the ability to copy their entire (unencrypted) database? Bob]
(Related) Hacktivism continues.
Of course, the big news today was the hack of AshleyMadison.com and the potential embarrassment it may cause to those using its services to have affairs. Not to be deterred from his mission, however, @ElSurveillance continued attacking escort-related sites, posting the same message on their home page that he’s posted in the past:
Dear Admin and the clients
What such a great example you have given to the world
On how we can teach and raise our next generations
So they can live a much better life, Server and save our
Planet instead of just wasting their money and help
Spread the viruses just like every single stupid
Government in every single country do these days
Since you came all the way to here, They’re two things
That you can do while still viewing this page
1 – Turn on your volume and listen to the Qur’an & Just
Listening to your feelings instead of listening to the
Media and the stupid ISIS
2 – Have a look at your Logs which includes your IP
Today’s batch of escort-related services defaced/hacked by @ElSurveillance, with links to their mirrors on Zone-h.org:
- ohcecilia.com | Mirror: https://zone-h.org/mirror/id/24614724
- seductivealchemy.com | Mirror: https://zone-h.org/mirror/id/24614724
- sofiadelterra.com | Mirror: https://zone-h.org/mirror/id/24614736
- taliaamour.com | Mirror: https://zone-h.org/mirror/id/24614749
- tabithalayne.com | Mirror: https://zone-h.org/mirror/id/24614762
- tawnybrie.com | Mirror: https://zone-h.org/mirror/id/24614806
Note: @ElSurveillance does not appear to be dumping any personal data on users, other than their IP addresses and browser info that shows up in the sites’ logs. But the hacks are yet another reminder that if you don’t want your details and activity on a site showing up in a data dump, you should be using a throwaway account and a proxy (unless, of course, you have to give your credit card details to get services or have your account deleted, in which case you better hope for strong encryption and no pissed-off employees who want to screw their employer!)
Alternatively, you could not visit/use those sites, which seems to be what @ElSurveillance is hoping you’ll choose to do.
Update: @ElSurveillance informs DataBreaches.net that he has acquired user data from sites but hasn’t dumped it – yet.
Interesting change in thinking?
Margaret Cronin Fisk reports:
Neiman Marcus Group LLC must face a proposed class action in which the high-end retailer is accused of failing to protect customers from computer hackers who stole credit and debit card information, an appeals court ruled, saying a judge decided too soon that the victims didn’t have a case.
The decision reverses a September ruling by a Chicago federal judge who found the customers didn’t show they suffered concrete harm. The consumers sued Neiman Marcus for negligence, breach of contract and deceptive business practices.
Read more on Bloomberg.
[From the article:
U.S. District Judge James B. Zagel, in rejecting the lawsuit last year, said customers weren’t claiming they hadn’t been reimbursed for fraudulent billings. He said he wasn’t convinced that there were concrete injuries if the card-owners weren’t responsible for the bills.
Unreimbursed payments weren’t the only possible harm, the appeals court found, citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years.
Hack’s Purpose
“Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the panel said.
For my Ethical Hacking students. Never trust the default settings!
Configuration Issue Exposes 30,000 MongoDB Instances: Researcher
Nearly 30,000 MongoDB instances are accessible over the Internet without any authorization enabled, an expert has warned.
With more than 10 million downloads, 2,000 customers and 1,000 partners, MongoDB is the most popular NoSQL database system. MongoDB is used by organizations such as eBay, LinkedIn, SAP and Sourceforge.
According to John Matherly, founder of the computer search engine Shodan, roughly 30,000 MongoDB instances containing nearly 600TB of data are exposed on the Internet.
The expert said he was surprised by the results of the Shodan search considering that the “mongodb.conf” configuration file available on GitHub since 2013 specified that MongoDB listens on localhost by default.
The issue was reported in early 2012 by Roman Shtylman (SERVER-4216), but it took MongoDB developers more than two years to actually address it.
… Matherly says MongoDB 2.4.14, a maintenance release from April 28, 2015, is the last version that still listens to 0.0.0.0 by default, which means listening is enabled on all interfaces. The expert believes early versions of MongoDB 2.6 might also lack binding to localhost.
… This isn’t the first time researchers report finding MongoDB databases exposed on the Web. In February, students from the Saarland University in Germany revealed finding nearly 40,000 exposed instances.
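As an added example (my own, not from the article or from MongoDB's tooling), a small Python audit of a mongod configuration file that flags the two conditions behind Matherly's Shodan results: a bind address of 0.0.0.0 (or no bind address at all, which on 2.4.14 and earlier meant the same thing) and authorization left off. The two sample configs are constructed; the ini-style keys (bind_ip, auth) and YAML keys (net.bindIp, security.authorization) are MongoDB's documented option names.

```python
# Constructed sample configs, not taken from the article. The first mirrors
# the pre-2.6 behaviour described above; the second is the hardened form.
WEAK_CONF = """\
# ini-style mongodb.conf as used by MongoDB 2.4.x
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 0.0.0.0
"""

HARDENED_CONF = """\
# YAML-style mongod.conf (MongoDB 2.6+)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Flatten ini-style (key = value) or YAML-style settings into {key: value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments and trailing space
        if not line.strip():
            continue
        if "=" in line:                          # ini style: key = value
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
        elif line.endswith(":") and not line.startswith(" "):
            section = line[:-1].strip()          # YAML top-level section name
        elif ":" in line:                        # YAML key: value under a section
            key, value = (s.strip() for s in line.strip().split(":", 1))
            settings[f"{section}.{key}" if section else key] = value
    return settings

def audit_mongod_conf(text):
    """Return a list of exposure findings; an empty list means both checks pass."""
    s = parse_mongod_conf(text)
    findings = []
    bind = s.get("net.bindIp", s.get("bind_ip"))
    if bind is None:
        findings.append("bindIp not set: MongoDB 2.4.14 and earlier then listen on 0.0.0.0")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(f"bindIp {bind!r} listens on all interfaces")
    auth = s.get("security.authorization", s.get("auth", "")).lower()
    if auth not in ("enabled", "true"):
        findings.append("authorization not enabled: unauthenticated clients get full access")
    return findings
```

Binding to localhost only protects a single-host deployment; a replica set still needs a private interface plus authorization, and the audit reports both findings independently for that reason.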
For my Computer Security students (and paranoids everywhere).
Rook Security Unveils Hacking Team Breach Detection Tool
IT security firm Rook Security has released a free software tool designed to help organizations determine if they have been impacted by malware developed by Italian surveillance software maker Hacking Team.
The tool, dubbed the “Milano utility” by Rook, scans systems for the presence of files associated with the recent Hacking Team breach.
According to the Indianapolis, Indiana-based security firm, the tool can perform a basic scan for files by filename, or a more comprehensive deep scan that checks all files (using their computed hash) against all md5s from Hacking-Team-associated files leaked in the breach.
… A beta release of the Milano Hacking Team Malware Detection Utility, along with a list of the indicators of compromise (IOCs) for the Hacking Team breach, are available online.
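To show what the basic and deep scan modes described above amount to, here is an added Python example (my own, not Rook's Milano utility) that walks a directory tree, matches file names against an IOC name list, and in deep mode also hashes every file and checks it against an MD5 set. The file tree, names and hashes are constructed for the demo; a real run would load the published indicator list instead.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large files are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(root, ioc_filenames, ioc_md5s, deep=False):
    """Walk `root`. Basic scan matches file names only; deep scan also hashes
    every remaining file and matches against the MD5 set. Returns sorted
    (path, reason) tuples so the caller can report or triage them."""
    names = {n.lower() for n in ioc_filenames}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append((path, "filename"))
            elif deep:
                try:
                    digest = md5_of_file(path)
                except OSError:
                    continue        # unreadable file: skip it, do not abort the scan
                if digest in ioc_md5s:
                    hits.append((path, f"md5:{digest}"))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and run both scan modes over it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "SUSPECT_NAME.dll"), "wb") as f:
        f.write(b"placeholder bytes, not a real sample\n")
    with open(os.path.join(root, "renamed.bin"), "wb") as f:
        f.write(b"same payload under a different name\n")   # name changed, hash not
    with open(os.path.join(root, "benign.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    ioc_names = {"SUSPECT_NAME.dll"}                         # constructed IOC
    ioc_md5s = {hashlib.md5(b"same payload under a different name\n").hexdigest()}
    basic = scan_for_iocs(root, ioc_names, ioc_md5s)
    deep = scan_for_iocs(root, ioc_names, ioc_md5s, deep=True)
    return [reason for _, reason in basic], [reason for _, reason in deep]
```

The deep mode catches the renamed copy that the filename scan misses, which is why a hash-based pass is worth the extra I/O on hosts where the indicators matter.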
Anything the operating system does could be exploited. Hackers only need one entry point. Microsoft has to defend them all.
Windows vulnerability lets hackers take control of computers, Microsoft issues fix for PCs
… A vulnerability in the way that computers running the software handle fonts could be exploited to seize control of a computer, Microsoft said. The company has already issued a fix for the problem, which it recommends that users download and install as soon as they can.
Users can patch up their computer by running Windows Update, which can be accessed through the Start button.
… An attacker using the vulnerability could “install programs; view, change, or delete data; or create new accounts with full user rights”, Microsoft said.
One of the worst things a manager can say: “Hey! You know what we could have done?” Yet it seems proper procedures become obvious only after the breach.
Dara Bradley reports:
New guidelines for supervising students conducting research at University Hospital Galway (UHG) were put in place following the discovery of a serious breach of data protection of female patients at the hospital.
The guidelines were put in place in response to one of a number of data protection breaches, including release of sensitive information about patients and minors, within the health service in Galway in the past year.
All bar one of the incidents were reported to the Data Protection Commissioner, according to Health Service Executive internal documents released under the Freedom of Information Act.
Read more on Connacht Tribune for a recap of the types of breaches that had occurred.
[From the article:
One of the local breaches included a research student at University Hospital Galway being given the names and addresses of women patients – the student contacted the patients at their homes.
The breach deviated from ethics approval guidelines.
Following an investigation, the HSE said “steps have been put in place to ensure adequate supervision of students conducting research”. [Translation: “We didn't bother to supervise the students.” Bob]
Professor Soma at the Sturm College of Law was teaching Computer Law before there was a World Wide Web. (That's like a million Internet years ago!) Nice that the DoJ is starting to catch up!
DoJ: Firms Should Hire Cyber-Savvy Lawyers
… The U.S. government -- itself a cybervictim -- provides the guidance we have been waiting for. The Cybersecurity Unit, part of the Computer Crime & Intellectual Property Section (CCIPS) within the Department of Justice Criminal Division, earlier this year issued its Best Practices for Victim Response and Reporting of Cyber Incidents.
(Related) Constant change.
What Is a ‘Computer’ Anymore?
People used to be computers. That is, for hundreds of years, computing was the work of humans, and very often women. Then, in the mid-20th century, machines began to take on the bulk of computing work, and the definition of “computer” changed.
… “Because we’re making an architectural change, not just a technology change. The new kinds of capabilities—it won’t be a linear scale—this will be a major leap.”
The architectural change he’s talking about has to do with efforts to build a computer that can act—and, crucially, learn—the way a human brain does.
I thought we had clearly labeled this a “Worst Practice” a year ago. Yet we make the exact same stupid mistakes over and over again.
Users' data compromised after technical glitch at Home Office contractor
… VFS Global, which acts for around 45 governments, released online application forms this week that used sequential reference numbers, allowing users to access other people’s private information by mistake.
Users could see the personal information of other applicants, including their date of birth, passport details and addresses, if they mistakenly [or deliberately Bob] input the ID number of another person when logging into the system.
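The VFS Global flaw is the textbook insecure direct object reference: the reference number alone selects the record. As an added Python example (my own, not VFS Global's code; the record store, user names and field values are constructed), the lookup that trusts the reference number sits beside one that also checks the session owner, plus a non-sequential reference generator and a simple count of refused lookups that serves as a detection signal.

```python
import secrets

# Constructed records for the demo; nothing here comes from the article.
APPLICATIONS = {
    1001: {"applicant": "alice", "dob": "1980-01-01", "passport": "<redacted-1>"},
    1002: {"applicant": "bob",   "dob": "1975-05-05", "passport": "<redacted-2>"},
}

def lookup_vulnerable(session_user, reference):
    """The flawed pattern: the reference number alone selects the record, so a
    logged-in user who enters a neighbouring number sees someone else's data.
    session_user is accepted but never consulted."""
    return APPLICATIONS.get(reference)

def lookup_hardened(session_user, reference):
    """The fix: the record must belong to the authenticated session. Returning
    None for both 'no such record' and 'not yours' avoids confirming which
    reference numbers exist."""
    record = APPLICATIONS.get(reference)
    if record is None or record["applicant"] != session_user:
        return None
    return record

def issue_reference():
    """Non-sequential reference for new applications (128 bits from the OS
    CSPRNG). This removes easy enumeration but is not a substitute for the
    ownership check above."""
    return secrets.token_urlsafe(16)

def refused_lookups(attempts, threshold=3):
    """Detection aid: count lookups the hardened check refused, per user, and
    return users at or above the threshold. A run of consecutive reference
    numbers from one session stands out immediately in such a count."""
    refused = {}
    for user, reference in attempts:
        if lookup_hardened(user, reference) is None:
            refused[user] = refused.get(user, 0) + 1
    return {user: n for user, n in refused.items() if n >= threshold}
```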
Here in the US, the government wants to control all health information. We wouldn't even notice if this happened here.
Gerri Peev and Jack Doyle report:
A Downing Street official has demanded confidential details of millions of GP appointments.
Sparking yet another NHS privacy row, she has ordered the firm in charge of bookings [Not the doctors, nor the patients. Bob] at most English surgeries to hand over the sensitive data urgently.
The information includes the date, time and duration of appointments as well as the reason for the consultation.
Most of the postcode of the patient is also asked for, as well as their date of birth, according to a letter seen by the Daily Mail.
The information is intended to gauge demand for the Government’s planned seven-day NHS. But privacy campaigners say it is incredible that neither patients nor their GPs have been consulted about the move.
Read more on The Daily Mail.
Because eventually all these students will become criminals!
The DOJ is investing millions of dollars in research to spy on students at public schools nationwide
sosadmin writes:
The Department of Justice’s National Institute for Justice funds law enforcement research to the tune of tens of millions of dollars each year.
[…]
One of those projects is a City of Chicago Board of Education program called “Connect and Redirect to Respect (CRR),” which aims “to use social media monitoring to identify and connect youth to behavioral interventions.” In other words, the DOJ is giving $2.1 million dollars to the Chicago public schools to conduct research on how spying on student social media can impact school discipline. In New York, police spying on youth social media has resulted in the criminalization of speech.
Read more on PrivacySOS.
I find this type of story amusing, trashy but funny.
Daniel DeMay reports:
The city of Seattle says its process for making sure residents comply with a compost ordinance is legal and doesn’t violate privacy, despite arguments made in a lawsuit filed last week.
The City Attorney’s Office issued a statement Monday saying that, after reviewing the lawsuit, it believes the ordinance “fully complies with the law, including the enhanced privacy protections afforded by the Washington Constitution.”
Read more on Seattle PI.
Now every fast food joint has an App for your smartphone. What we need is an App that reminds us how healthy all that junk really is.
Online food delivery ordering is about to overtake phone ordering in the US
Getting your dinner to your door is now easier than ever, and thanks to the internet, almost no human interaction is required. [Attention Ethical Hacking students! Bob]
While phone orders dominated delivery only five years ago, the balance between meal orders placed over the phone versus those placed online has nearly switched, with internet orders on track to surpass phone orders any minute now.
… Services like UberEATS, Caviar, Postmates, and DoorDash are providing delivery services for restaurants that don’t have their own, upgrading customers’ dinner choices from the typical pizza, sushi and Chinese food to include more artisanal, freshly prepared, and lovingly packed meal options. These companies handled orders totaling $400 million in 2014, says Cowen and Company, and that’s expected to jump to $1.6 billion in 2016.
Sports can make you healthy and quite rich.
NFL teams each earn $226.4M from national revenue sharing
… The Packers set records in total revenue and local revenue last year; their local revenue was $149.3 million, up 9.4 percent, mostly because of their newly expanded pro shop at Lambeau Field. The 21,500-square-foot store is the largest team store in the NFL.
Packers CEO Mark Murphy said the team was 18th in the league in average ticket prices. But with 7,000 more seats added in the past couple of years, the team has the second-biggest stadium in the league. That allowed the NFL's smallest host city to maintain its spot in the top 10 in league revenue (ninth).
The Packers are required to announce earnings because they are technically a public entity, although the franchise's 360,760 shareholders hold stock that they paid for that has no value and cannot be traded.
For my students in the “Outdoor Adventure Club?” (Digest Item#2)
Earn Money Shooting GoPro Videos
Action camera manufacturer GoPro has launched a content licensing portal designed to pair creators with advertisers. The biggest and best GoPro videos will be featured on GoPro Licensing, with brands and marketers able to purchase the footage for use in advertising campaigns.
For content creators, GoPro Licensing means an opportunity to make serious money from shooting video, with prices starting at $1,000 per clip. For marketers, GoPro Licensing means an opportunity to use ready-made footage likely to attract serious attention, and without the need to pay for production.
GoPro has already struck deals with multiple amateur and professional videographers, meaning there are 600 videos available at launch. According to AdWeek, the number of clips will continuously expand, with GoPro hoping to be to video “what Getty Images and Shutterstock are to still images”.
Teaching my students to write more carefully?
Using Social Media Without Jeopardizing Your Career
Boy, has Sears changed! I recently visited the Sears website, so naturally they send me Ads for things on the pages I browsed. I must have missed something, because “One of these things is not like the others!” (The Ad did get my attention!)