How long will it take my students to find this site? Could be a fun way to kill a few minutes at the end of class…
Seth Boster reports:
Jacksonville State University officials learned Tuesday of a website that allows users to search for students’ personal information, including photos, addresses and phone numbers, all apparently stolen from JSU’s own database.
The site allows visitors to search using students’ names to find photographs along with birthdates, student ID numbers, fraternity and sorority affiliation and other information. Information for some former students, faculty and staff is also on the site.
Read more on The Anniston Star.
Following concerns raised on Twitter, the site has now redacted street addresses, but the database can be searched by entering just a single letter. For example, entering “A” returns 150 results that include date of birth, picture, and student ID number, as well as email address.
The site’s maintainer(s) posted the following message on a paste site:
The website is intended to be a safe yet intriguing lesson to universities and other academic institutions to value their students’ personal information. We live in an age where records that were once on paper protected by security guards are now digitized protected by nothing.
The sad truth is college aged students are very susceptible to identity theft: they post every detail of their life online and are just beginning to understand financial security.
I believe among the responsibilities of any organization that one belongs to is the protection of their subjects’ personal information. Jacksonville State University among others have failed to honor this responsibility.
You know what’s scarier than your address and phone number being released on a website? Not knowing that your SSN, credit card, and account numbers are being silently collected every day by cybercrime organizations.
In lieu of similar compromises our academic institutions will hopefully adapt from this misfortune.
If the hackers are really good – perhaps doing something never done before – you may face a Class Action lawsuit because you were not gooder? Sounds like the FTC's argument.
There’s an update to the Scottrade breach previously reported on this blog. The breach, potentially impacting 4.6M customers, was disclosed in October 2015 but had reportedly occurred between late 2013 and early 2014. Three individuals were indicted in November 2015.
Now Top Class Actions reports that a consolidated data breach class action lawsuit was filed in Missouri federal court last week.
“Scottrade’s cybersecurity measures were so deficient that it never realized the massive theft occurred until two years later, when federal authorities told them about it,” the Scottrade class action lawsuit states. The hackers allegedly accessed the personal identification information (PII) of Scottrade customers from September 2013 to February 2014 without detection from Scottrade, which the plaintiffs call an “inexcusable failure of Scottrade’s obligation to take reasonable steps to safeguard this information.”
[…]
The consolidated Scottrade class action lawsuit was filed on Feb. 19 by plaintiffs Andrew Duqum, Stephen Hine, Matthew Kuhns and Richard Obringer. Hine filed a separate data breach class action lawsuit in California, but Scottrade argued in December that it should be consolidated with a nearly identical case that was already pending in Missouri.
Read more on Top Class Actions.
For my Ethical Hacking students old enough to drive.
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I've become so attached to.
… I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.
One of the guys was a bit inspired by what we’d done and just happened to own one of these – the world’s best-selling electric car, a Nissan LEAF:
What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs.
… Let me clarify something before going any further and it’s something I harp on about in my workshops too; when a potential security flaw is identified, you’ve got to think very carefully about how you proceed with verification.
[Amen! Bob]
Hard to tell if this is significant or not. All of this information is already available online, most of it is presumed to be false (users provide phoney names on such sites) and possession of such data is not proof you hacked the system. (If they have more evidence, it is not mentioned in the articles.) Why do they care? Is republishing a subset of the data a crime?
Tracie Sullivan reports:
Utah authorities are investigating a website allegedly created by a Cedar City resident who published personal information of Southern Utah residents whose names were part of a 2015 website hack.
According to four search warrants unsealed last week in 3rd District Court, a Facebook page and a website called AM Southern Utah “disclosed customers’ names, physical and email addresses for the Southern Utah area,” who had allegedly registered with Ashley Madison.
The warrants stem from a Utah investigation conducted by the State Bureau of Investigations and are part of a larger FBI investigation into the hack. No one has been charged with a crime in either investigation.
Read more on St. George News.
[From the article:
… the SBI investigator believes there has been a violation of Utah’s Computer Crimes Act, Utah Code 76-6-703. Specifically, the violation “has occurred, ‘without authorization (the suspect) gains…access to and…discloses…computer data…and thereby causes damage to another.’ The damage in this case was to the reputation of the individuals whose information was listed on amsouthernutah.com.”
Okay, maybe he didn't side with the FBI. But he still seems to be washing his wishy. Make up your mind Bill!
FBI v Apple spat latest: Bill Gates is really upset that you all thought he was on the Feds' side
Bill Gates says reports of him backing the FBI in the ongoing saga with Apple over the unlocking of a killer's iPhone are inaccurate.
Asked about widespread reports that the former Microsoft CEO and the world's richest man was taking the Feds' side, Gates told Bloomberg News on Tuesday that he was "disappointed" with the reporting and that it "doesn't state my view on this."
… According to Gates, however, he has a more nuanced view about "striking a balance" in providing government access to information rather than in deciding who is right, the FBI or Apple.
(Related) Just as perspective… This is one reason why the FBI will have to play whack-a-mole if they want to gain backdoors into every encryption package.
Encrypted-Messaging App Telegram Now Has 100 Million Users
… Less than three years after Durov and his brother launched Telegram, he now reports that 100 million people use the free encrypted messaging app every month, up from 60 million people last May. That growth is coming from all over the world.
While that’s a small number compared with the billion people who pull up WhatsApp every month, or the 800 million people who go on Facebook Messenger, it’s illustrative of the early growth that signaled each of these services had mainstream appeal. “Every day, 350,000 new users sign up for Telegram,” Durov said. “And we have zero marketing budget.” In other words, Telegram is not going away.
(Related) You could dispute the claim that this is “more scholarly” but certainly it's what Congress is seeing.
Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations
by Sabrina I. Pacifici on Feb 23, 2016
Via FAS – CRS Report – Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations, Kristin Finklea, Specialist in Domestic Security, February 18, 2016.
“Because modern-day criminals are constantly developing new tools and techniques to facilitate their illicit activities, law enforcement is challenged with leveraging its tools and authorities to keep pace. For instance, interconnectivity and technological innovation have not only fostered international business and communication, they have also helped criminals carry out their operations. At times, these same technological advances have presented unique hurdles for law enforcement and officials charged with combating malicious actors. Technology as a barrier for law enforcement is by no means a new issue in U.S. policing. In the 1990s, for instance, there were concerns about digital and wireless communications potentially hampering law enforcement in carrying out court-authorized surveillance. To help combat these challenges, Congress passed the Communications Assistance for Law Enforcement Act (CALEA; P.L. 103-414), which among other things, required telecommunications carriers to assist law enforcement in executing authorized electronic surveillance. The technology boundary has received renewed attention as companies have implemented advanced security for their products—particularly their mobile devices. In some cases, enhanced encryption measures have been put in place resulting in the fact that companies such as Apple and Google cannot unlock devices for anyone under any circumstances, not even law enforcement. Law enforcement has concerns over certain technological changes, and there are fears that officials may be unable to keep pace with technological advances and conduct electronic surveillance if they cannot access certain information. Originally, the going dark debate centered on law enforcement’s ability to intercept real-time communications. More recent technology changes have potentially impacted law enforcement capabilities to access not only communications, but stored data as well.”
[The most recent Wiretap Report to Congress is for 2014. You can find it here: http://www.uscourts.gov/statistics-reports/wiretap-report-2014
Encryption
The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.
For my Computer Security class. If the bad guys don't get you, the FTC might. If the bad guys get you, the FTC will be happy to pile on!
Asus Settles FTC Charges Over Router Security
The FTC filed a lawsuit against Asus claiming that the vendor has put hundreds of thousands of consumers at risk through a series of critical vulnerabilities found in its routers and related services.
The agency accused Asus of misrepresenting the security features included in its routers and falsely claiming that they can protect computers and local networks against hacker attacks, when in reality they were plagued by serious vulnerabilities that allowed malicious actors to hijack devices.
… As part of the settlement with the FTC, Asus will have to establish and maintain a comprehensive security program that is subject to external audits for a period of 20 years. The vendor will also have to ensure that customers can sign up for a security notification system designed to inform them about the availability of firmware updates and provide instructions on how to protect themselves against potential attacks.
Is this just to harass Google and Facebook?
Christoph Ritzer and Sven Jacobs write:
A new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016. A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.
Read more on Norton Rose Fulbright Data Protection Report.
(Related) Or part of a more general attack on “Internet stuff?”
German government to use Trojan spyware to monitor citizens
… The interior ministry spokesman defended the government's decision, saying "basically we now have the skills in an area where we did not have this kind of skill." The program was already endorsed by members of the government in autumn 2015, the ministry said. [More bragging than defense... Bob]
A network of citations?
Free tool to visualize Supreme Court cases
by Sabrina I. Pacifici on Feb 23, 2016
“As lawyers, we’re all accustomed to talking about the lines of cases that create bodies of precedent for legal principles. A new tool launched this week lets you visualize lines of Supreme Court cases so that you can better analyze and study them. Called Supreme Court Citation Networks, it was created as a collaboration between the Free Law Project and The Supreme Court Mapping Project at the University of Baltimore School of Law.”
Tools & Techniques. This could be useful.
Tagboard Offers New Features for Following Hashtags Across Multiple Networks
Tagboard is a tool that allows you to follow a hashtag and see all of the Tweets, Instagram, Facebook, and Google+ posts about it in one place. Last year I created a tutorial video about Tagboard in which I demonstrated its primary features. Today, Tagboard added some new features that teachers will probably appreciate.
Tagboard now offers some post moderation tools. You can now block or remove posts and users within a saved Tagboard. Within a saved Tagboard you can now filter by keyword, post type, and/or social network.
Applications for Education
Tagboard can be a good tool for tracking trending news stories with your students. The new moderation features will be helpful if you are planning to display a Tagboard in your classroom. Before displaying the Tagboard go through and remove any content that you don't want to share with your students.
For my next Statistics class (and a cautionary tale for Computer Security and other classes). You should ask yourself if everyone agrees with your assumptions.
How a Group of MIT Students Gamed the Massachusetts State Lottery
Have I mentioned that I'm teaching Spreadsheets in the Spring?
How to Import Data Into Your Excel Spreadsheets the Neat & Easy Way
Dilbert brilliantly summarizes the good and bad of the “Gig Economy.”