FBI paid more than $1.3 million to break into San Bernardino
iPhone
Federal Bureau of Investigation Director James Comey said
on Thursday the agency paid more to get into the iPhone of one of the San
Bernardino shooters than he will make in the remaining seven years and four
months he has in his job.
According to figures from
the FBI and the U.S. Office of Management and Budget, Comey's annual salary as
of January 2015 was $183,300. Without a
raise or bonus, Comey will make $1.34 million over the remainder of his job.
That suggests the FBI paid
the largest ever publicized fee for a hacking job, easily surpassing the $1
million paid by U.S. information security company Zerodium to break into
phones.
Speaking at the Aspen
Security Forum in London, Comey was asked by a moderator how much the FBI paid
for the software that eventually broke into the iPhone.
"A lot. More than I
will make in the remainder of this job, which is seven years and four months
for sure," Comey said. "But it
was, in my view, worth it."
It is very easy to make an error in configuration. That’s why we suggest you have someone check
your work before going live.
In today’s installment of “Epic Infosecurity #FAIL,”
more than 93.4 million Mexican citizens have had their voter registration
details exposed online due to a misconfigured database. Why a database with Mexican voters’
information was hosted on a server outside of Mexico, who uploaded it to
Amazon, and why it wasn’t properly secured are questions in search of answers.
Last week, MacKeeper Security Researcher Chris Vickery
contacted DataBreaches.net to report that he had discovered yet another misconfigured
MongoDB database. This one, 132 GB in size, appeared to contain voter registration data
from 93,424,710 Mexican citizens.
Vickery, who has blogged about this incident on the MacKeeper
blog, provided this site with a redacted screen cap of an individual’s
record:
… Although there
was no information included in the leaky database that could point us to
its owner or who had uploaded it to Amazon cloud services, the data
appeared to be voter registration data compiled by the Instituto
Nacional Electoral (INE).
After some discussion as to whom to notify and how, Chris
decided to report his discovery to the State Department and let them contact
their Mexican counterparts in the spirit of cooperation. When
he got no meaningful response, he reached out to the State Department’s
Office of Mexican Affairs, who told him they would forward his alert up
the chain. When that still didn’t achieve the desired results of getting
the database secured, Chris contacted the U.S. Secret Service, Department of
Homeland Security, and US-CERT. He also contacted the Mexican
embassy directly:
After I explained the situation
over the phone, they wanted proof of the breach and gave me an email address to
send it to. I sent them an explanation with the IP address and two screenshots
as evidence. The embassy has never even responded to that email.
(First
lesson to be learned by INE: provide an easy-to-find email address on your web
site for people to report security breaches.)
As fate would have it, though, Chris was speaking up at
Harvard about his research and mentioned the leak. A student from Mexico verified the accuracy of
his father’s record, and a faculty member tried to assist Chris
with the notification problem by giving him other individuals to contact. Chris eventually heard back from someone from
the Instituto Federal Electoral, (IFE/INE), who thanked Chris and who said
they would get right on getting it secured. Of note, the coordinator said
that the IP address was not theirs and he was investigating to see who was
responsible for the database being on that IP address. In a subsequent
communication to DataBreaches.net, the coordinator reported that the
numbers in the database did not match national historic numbers, and that had
become part of their investigation, too.
The database has now been secured.
Publication of this post was delayed until now at the
request of the Mexican government to give them time to investigate
and to secure the database.
Entire Countries Breached
With this leak, Mexico now joins a list of countries where
almost the entire population has had their personal information leaked or
breached, as 93.4 million represents over 72% of Mexico’s estimated
population. Belize, Greece,
Israel,
Philippines,
and Turkey have
also experienced leaks of the majority of their population’s personal
information. And of course, let’s not forget that Chris Vickery had also
discovered 191
million U.S. voters‘ data leaking due to a similarly
misconfigured database.
An easy hack? At least, one to
watch for. (Vandalism is cheap)
Printers at German Universities Mysteriously Churn Out
Anti-Semitic Leaflets
Printers at several universities across Germany produced
anti-Semitic leaflets on or before Hitler’s birthday this week, after hackers
appeared to break into their computer systems, according to university
officials.
Universities in
Hamburg, Lüneburg and Tübingen confirmed that printers connected to their
computer networks had suddenly started churning out the leaflets, most of them
on Wednesday, the anniversary of Hitler’s birth in Braunau, Austria, in 1889.
… In the United
States, several colleges reported similar breaches in March, according to the
New Jersey-based website nj.com, which
reported an episode at Princeton, and to The Washington Post, which said
several universities across the country had been affected.
The
leaflet that was printed out in Hamburg included the Twitter hashtag
“dailystormer,” a term also used on a website referred to in the leaflets in
the United States, Mr. Matheis said. The
term is an allusion to a Nazi publication.
Is ‘gathering data” the same thing as “spying on?” (See the article on misconfigured databases,
above.)
UK intel agencies spy indiscriminately on millions of
innocent folks
The UK's intelligence agencies (MI5, MI6, and GCHQ) are
spying on everything you do, and with only the flimsiest of safeguards in place
to prevent abuse, according to more than a thousand pages of documents
published today as a result of a lawsuit filed by Privacy International.
The documents reveal the details of so-called "Bulk
Personal Datasets," or BPDs, which can contain "hundreds to millions
of records" on people who are not suspected of any wrongdoing.
… Nor, it seems,
are BPDs only being used to investigate terrorism and serious crime; they can
and are used to protect Britain’s “economic well-being”—including preventing
pirate copies of Harry Potter books from leaking before their release date.
BPDs are so powerful, in fact, that the normally toothless
UK parliament watchdog that oversees intelligence gathering, the Intelligence
and Security Committee (ISC), recommended
in February that "Class Bulk Personal Dataset warrants are
removed from the new legislation."
These data sets are so large and collect so much
information so indiscriminately that they even include information on dead
people.
If managers don’t learn to check the financial stability of vendors when
negotiating contracts, my students will learn about it in the Business
Continuity class.
Joseph Conn reports:
The hospital association that
operates a major Chicago-area health information exchange is suing its health
information technology vendor that abruptly announced it will go out of
business.
The hospital Metropolitan Chicago
Healthcare Council, now merged with the Illinois Health and Hospital
Association, operates the MetroChicago HIE that connects more than 30
northeastern Illinois hospitals, according to a membership list on its website.
A suit in U.S. District Court for
the Northeastern District of Illinois names as defendants Sandlot Solutions and
Santa Rosa Consulting, an owner of the company. The suit alleges that Sandlot breached its
agreement “by shutting down the MetroChicago HIE system and denying MCHC’s
participants access to their client data on the system.”
Read more on Crain’s.
[From the article:
The records show that Sandlot was planning to provide MCHC
a copy of its raw client data and then destroy the existing client data from
its third-party hosting service.
That plan, according to the complaint, would breach
Sandlot's data management and transition obligations under its contract, and would prevent the association from properly validating
the data, [Not sure how that occurs Bob]
which would result in a clear violation of federal privacy laws.
This sounds expensive. Have all
responsible managers lost their job or can we look for more of the same? (I would classify this as a “computer crime,”
wouldn’t you?)
Volkswagen will buy back most Dieselgate cars in US
Volkswagen will offer to buy back every diesel car in the
US that cheated emissions standards, a vast and expensive undertaking covering
nearly half a million vehicles. The
decision is part of a settlement in principle with the US Department of Justice
(DoJ), Environmental Protection Agency (EPA), and California Air Resources
Board (CARB), announced today, as part of the German automaker's grand
"Dieselgate" mea-culpa for fitting several of its models with cunning
bypass devices that helped fake the results during government testing.
… Those who want
to keep their vehicles will be offered a fix instead, and there's the promise
of "substantial compensation" involved too.
… Some reports
pegged a $5,000 payout to each owner as part of the deal, though the judge
criticized those responsible for the leaks.
Uber wins!
Uber Settles Cases With Concessions, but Drivers Stay
Freelancers
… On Thursday,
Uber moved a step closer to getting its way. The company reached a settlement
in a pair of class-action lawsuits in California and Massachusetts that will
let it continue to categorize drivers in those states as independent
contractors — a landmark agreement that could have lasting implications for the
long-term viability of the ride-hailing service.
Under the
settlement, filed in the United States District Court in the Northern District
of California, Uber will pay as much as $100 million to the roughly 385,000
drivers represented in the cases. The
company also agreed to several concessions to appease driver concerns,
including giving more information on how and why drivers are barred from using
the app, as well as aiding in creating new “drivers associations” in both
states. [Not Unions! Bob]
I expect to see this splashed all over the evening news. A side benefit: Drinking more beer means more
power! (I’m sorry. I just realized that it is very difficult not
to say something that isn’t humorous or “punny.”)
Coming soon: The Internet of Pee-Powered Things
… Researchers at
the University of Bath have revealed a breakthrough -- cheekily dubbed
"pee power" -- involving the use of urine to power electronic devices
in remote locations.
You can read the details in their paper, titled "Towards
effective small scale microbial fuel cells for energy generation from
urine." But in a nutshell,
they've figured out how to build one-inch-square fuel cells that cost a buck or
two and that get their buzz from urine, which interacts with
"electric" bacteria. So-called microbial fuel cells are seen as being a
carbon-neutral source of power generation, [Al Gore approved? Bob] and could be used to
provide juice to devices such as smartphones.
A class we should add?
Tech Savvy: Reinventing Work With Virtual Reality
Virtual reality could be the new reality at work: The
demand for the free Samsung Gear VR headsets offered in a recent promotion was
so high that the consumer electronics giant won’t be able to deliver them
for months. Yet, as hot as the
consumer market for VR gear appears to be, the business market may outstrip it.
I’m going to share this with my students who must write to our “Discussion
Board” every week. Note the tips I
suggest!
How to Write the Perfect Professional Email (Backed by Data)
… In the past,
we’ve listed 12 reasons why people are still ignoring your emails. We’ve
even given you step-by-step instructions on getting busy people to respond to your messages. But now
it’s time to share some even more specific, actionable tips — backed
by data.
Each of these tips doesn’t just improve the chances of
your emails being read, but also of you receiving a positive response from
those emails. This is important because email is still the main form of
communication in the business world. By knowing how to craft effective emails,
you give yourself a definite advantage over your colleagues.
[Okay, please don’t follow this tip.
7. Write at Third-Grade Level
The reading grade level of your emails can have a massive
effect on your response rates. According
to Boomerang, emails written at a college reading level had a response rate
of just 39%. The most effective reading
grade was third-grade, which achieved a 53% response rate.
[Absolutely do this!
8. Proofread Your Text
For longer emails this goes without saying, but for
shorter emails, proofreading is often
overlooked. This is a bad idea.
In a 2001 study, Larry Beason showed that mistakes in writing
(including spelling and grammatical mistakes, as well as logical mistakes) have
several negative effects on the perception of the writer.
For my students.
9 Cleanest & Safest Websites to Download Free Software
for Windows
(Ditto)
Microsoft Translator Adds Image Translation to Android
… With the new
image translation feature in the Translator app for Android, you no longer need to type text
or say foreign languages phrases out loud when you see them written on signs,
menus, flyers…whatever. Instead you can
translate pictures instantly from your phone, with the translation appearing in
an overlay above the existing text.
Dilbert perfectly illustrates the problem we face if
companies give them backdoors into their encryption!
No comments:
Post a Comment