Friday, April 22, 2016

This is still an interesting topic.  I wonder how the hackers would have responded to a subpoena?
FBI paid more than $1.3 million to break into San Bernardino iPhone
Federal Bureau of Investigation Director James Comey said on Thursday the agency paid more to get into the iPhone of one of the San Bernardino shooters than he will make in the remaining seven years and four months he has in his job.
According to figures from the FBI and the U.S. Office of Management and Budget, Comey's annual salary as of January 2015 was $183,300.  Without a raise or bonus, Comey will make $1.34 million over the remainder of his job.
That suggests the FBI paid the largest ever publicized fee for a hacking job, easily surpassing the $1 million paid by U.S. information security company Zerodium to break into phones.
Speaking at the Aspen Security Forum in London, Comey was asked by a moderator how much the FBI paid for the software that eventually broke into the iPhone.
"A lot. More than I will make in the remainder of this job, which is seven years and four months for sure," Comey said.  "But it was, in my view, worth it."


It is very easy to make an error in configuration.  That’s why we suggest you have someone check your work before going live. 
In today’s installment of “Epic Infosecurity #FAIL,” more than 93.4 million Mexican citizens have had their voter registration details exposed online due to a misconfigured database.  Why a database with Mexican voters’ information was hosted on a server outside of Mexico, who uploaded it to Amazon, and why it wasn’t properly secured are questions in search of answers.
Last week, MacKeeper Security Researcher Chris Vickery contacted DataBreaches.net to report that he had discovered yet another misconfigured MongoDB database.  This one, 132 GB in size, appeared to contain voter registration data from 93,424,710 Mexican citizens.
Vickery, who has blogged about this incident on the MacKeeper blog, provided this site with a redacted screen cap of an individual’s record:
   Although there was no information included in the leaky database that could point us to its owner or who had uploaded it to Amazon cloud services,  the data appeared to be voter registration data compiled by the Instituto Nacional Electoral (INE).
After some discussion as to whom to notify and how, Chris decided to report his discovery to the State Department and let them contact their Mexican counterparts in the spirit of cooperation. When he got no meaningful response, he reached out to the State Department’s Office of Mexican Affairs, who told him they would forward his alert up the chain. When that still didn’t achieve the desired results of getting the database secured, Chris contacted the U.S. Secret Service, Department of Homeland Security, and  US-CERT. He also contacted the Mexican embassy directly:
After I explained the situation over the phone, they wanted proof of the breach and gave me an email address to send it to. I sent them an explanation with the IP address and two screenshots as evidence. The embassy has never even responded to that email.
(First lesson to be learned by INE: provide an easy-to-find email address on your web site for people to report security breaches.)
As fate would have it, though, Chris was speaking at Harvard about his research and mentioned the leak.  A student from Mexico verified the accuracy of his father’s record, and a faculty member tried to assist Chris with the notification problem by giving him other individuals to contact.  Chris eventually heard back from someone from the Instituto Federal Electoral (IFE/INE), who thanked Chris and who said they would get right on getting it secured.  Of note, the coordinator said that the IP address was not theirs and he was investigating to see who was responsible for the database being on that IP address.  In a subsequent communication to DataBreaches.net, the coordinator reported that the numbers in the database did not match national historic numbers, and that had become part of their investigation, too.
The database has now been secured.
Publication of this post was delayed until now at the request of the Mexican government to give them time to investigate and to secure the database.
Entire Countries Breached
With this leak, Mexico now joins a list of countries where almost the entire population has had their personal information leaked or breached, as 93.4 million represents over 72% of Mexico’s estimated population.  Belize, Greece, Israel, the Philippines, and Turkey have also experienced leaks of the majority of their population’s personal information.  And of course, let’s not forget that Chris Vickery had also discovered 191 million U.S. voters’ data leaking due to a similarly misconfigured database.
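What “misconfigured” means in this story, as an added example that is not code from DataBreaches.net, MacKeeper, or the MongoDB project: the script below audits a mongod configuration file for the combination that exposes a database to the whole internet, a listener bound to every interface with authorization left off.  It accepts both the YAML form of mongod.conf and the older key = value form that distribution packages shipped for MongoDB 2.x, so it covers a little more than the single case in the article.  The three sample configurations are constructed for illustration, and the parser is a minimal hand-written one rather than a full YAML implementation.

```python
"""Audit a mongod configuration for the pattern behind the voter-data leak:
a server that listens on a public interface with no authentication required.

Added example for this page, not code from any of the parties named in the
article.  The sample configurations at the bottom are constructed.
"""

PUBLIC_ADDRS = {"0.0.0.0", "::", "*"}


def _scalar(value):
    """Strip quotes from a config scalar and map true/false to bool."""
    value = value.strip().strip("'\"")
    lowered = value.lower()
    if lowered in ("true", "yes"):
        return True
    if lowered in ("false", "no"):
        return False
    return value


def _parse_yaml_subset(text):
    """Parse the indentation-based `key: value` subset that mongod.conf uses.

    Hand-written so the example needs no third-party YAML library; it does
    not handle lists, anchors, or multi-line scalars.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings we have outdented past
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = _scalar(value)
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def _parse_legacy(text):
    """Parse the `key = value` form from MongoDB 2.x distro packages and map
    the two settings we care about onto the YAML option names."""
    flat = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        flat[key.strip()] = _scalar(value)
    net, security = {}, {}
    if "bind_ip" in flat:
        net["bindIp"] = flat["bind_ip"]
    if "auth" in flat:
        security["authorization"] = "enabled" if flat["auth"] is True else "disabled"
    return {"net": net, "security": security}


def parse_mongod_conf(text):
    """Pick the format from the first real line: `=` means legacy, else YAML."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            return _parse_legacy(text) if "=" in line else _parse_yaml_subset(text)
    return {}


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the file looks acceptable."""
    cfg = parse_mongod_conf(text)
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}
    findings = []

    if net.get("bindIpAll") is True:
        exposed = True
        findings.append("net.bindIpAll is true: listens on every interface")
    elif "bindIp" not in net:
        # Before MongoDB 3.6 the server listened on every interface unless
        # bindIp was set, so an unset value is treated as exposed.
        exposed = True
        findings.append("net.bindIp not set (pre-3.6 default is all interfaces)")
    else:
        addrs = {a.strip() for a in str(net["bindIp"]).split(",")}
        exposed = bool(addrs & PUBLIC_ADDRS)
        if exposed:
            findings.append("net.bindIp listens on a public interface: " + ", ".join(sorted(addrs)))

    auth_on = security.get("authorization") == "enabled"
    if not auth_on:
        findings.append("security.authorization is not 'enabled'")
    if exposed and not auth_on:
        findings.append("CRITICAL: anyone who can reach the port can read every collection")
    return findings


# Constructed sample: the shape of the leak, bound everywhere with no auth.
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with both fixes applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the private app-tier address
security:
  authorization: enabled
"""

# Constructed sample in the legacy format that 2.x distro packages shipped.
LEGACY_CONF = """\
dbpath = /var/lib/mongodb
bind_ip = 0.0.0.0
auth = false
"""

if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it over the file before the host goes live, and treat bindIp as only half the check: an address that looks private in the file can still be reachable through a NAT rule or a permissive cloud security group, so also confirm from outside the network that port 27017 refuses unauthenticated commands.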


An easy hack?  At least, one to watch for.  (Vandalism is cheap)
Printers at German Universities Mysteriously Churn Out Anti-Semitic Leaflets
Printers at several universities across Germany produced anti-Semitic leaflets on or before Hitler’s birthday this week, after hackers appeared to break into their computer systems, according to university officials.
Universities in Hamburg, Lüneburg and Tübingen confirmed that printers connected to their computer networks had suddenly started churning out the leaflets, most of them on Wednesday, the anniversary of Hitler’s birth in Braunau, Austria, in 1889.
   In the United States, several colleges reported similar breaches in March, according to the New Jersey-based website nj.com, which reported an episode at Princeton, and to The Washington Post, which said several universities across the country had been affected.
The leaflet that was printed out in Hamburg included the Twitter hashtag “dailystormer,” a term also used on a website referred to in the leaflets in the United States, Mr. Matheis said.  The term is an allusion to a Nazi publication.


Is “gathering data” the same thing as “spying on?”  (See the article on misconfigured databases, above.)
UK intel agencies spy indiscriminately on millions of innocent folks
The UK's intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.
The documents reveal the details of so-called "Bulk Personal Datasets," or BPDs, which can contain "hundreds to millions of records" on people who are not suspected of any wrongdoing.
   Nor, it seems, are BPDs only being used to investigate terrorism and serious crime; they can be and are used to protect Britain’s “economic well-being”—including preventing pirate copies of Harry Potter books from leaking before their release date.
BPDs are so powerful, in fact, that the normally toothless UK parliament watchdog that oversees intelligence gathering, the Intelligence and Security Committee (ISC), recommended in February that "Class Bulk Personal Dataset warrants are removed from the new legislation."
These data sets are so large and collect so much information so indiscriminately that they even include information on dead people.


If managers don’t learn to check the financial stability of vendors when negotiating contracts, my students will learn about it in the Business Continuity class.
Joseph Conn reports:
The hospital association that operates a major Chicago-area health information exchange is suing its health information technology vendor that abruptly announced it will go out of business.
The Metropolitan Chicago Healthcare Council, now merged with the Illinois Health and Hospital Association, operates the MetroChicago HIE that connects more than 30 northeastern Illinois hospitals, according to a membership list on its website.
A suit in U.S. District Court for the Northeastern District of Illinois names as defendants Sandlot Solutions and Santa Rosa Consulting, an owner of the company.  The suit alleges that Sandlot breached its agreement “by shutting down the MetroChicago HIE system and denying MCHC’s participants access to their client data on the system.”
Read more on Crain’s.
[From the article: 
The records show that Sandlot was planning to provide MCHC a copy of its raw client data and then destroy the existing client data from its third-party hosting service.
That plan, according to the complaint, would breach Sandlot's data management and transition obligations under its contract, and would prevent the association from properly validating the data, [Not sure how that occurs  Bob] which would result in a clear violation of federal privacy laws.


This sounds expensive.  Have all responsible managers lost their job or can we look for more of the same?  (I would classify this as a “computer crime,” wouldn’t you?)
Volkswagen will buy back most Dieselgate cars in US
Volkswagen will offer to buy back every diesel car in the US that cheated emissions standards, a vast and expensive undertaking covering nearly half a million vehicles.  The decision is part of a settlement in principle with the US Department of Justice (DoJ), Environmental Protection Agency (EPA), and California Air Resources Board (CARB), announced today, as part of the German automaker's grand "Dieselgate" mea-culpa for fitting several of its models with cunning bypass devices that helped fake the results during government testing.
   Those who want to keep their vehicles will be offered a fix instead, and there's the promise of "substantial compensation" involved too.
   Some reports pegged a $5,000 payout to each owner as part of the deal, though the judge criticized those responsible for the leaks.


Uber wins! 
Uber Settles Cases With Concessions, but Drivers Stay Freelancers
   On Thursday, Uber moved a step closer to getting its way.  The company reached a settlement in a pair of class-action lawsuits in California and Massachusetts that will let it continue to categorize drivers in those states as independent contractors — a landmark agreement that could have lasting implications for the long-term viability of the ride-hailing service.
Under the settlement, filed in the United States District Court in the Northern District of California, Uber will pay as much as $100 million to the roughly 385,000 drivers represented in the cases.  The company also agreed to several concessions to appease driver concerns, including giving more information on how and why drivers are barred from using the app, as well as aiding in creating new “drivers associations” in both states. [Not Unions!  Bob]


I expect to see this splashed all over the evening news.  A side benefit: Drinking more beer means more power!  (I’m sorry.  I just realized that it is very difficult not to say something that isn’t humorous or “punny.”) 
Coming soon: The Internet of Pee-Powered Things
   Researchers at the University of Bath have revealed a breakthrough -- cheekily dubbed "pee power" -- involving the use of urine to power electronic devices in remote locations.
You can read the details in their paper, titled "Towards effective small scale microbial fuel cells for energy generation from urine."  But in a nutshell, they've figured out how to build one-inch-square fuel cells that cost a buck or two and that get their buzz from urine, which interacts with "electric" bacteria.  So-called microbial fuel cells are seen as being a carbon-neutral source of power generation, [Al Gore approved?  Bob] and could be used to provide juice to devices such as smartphones.


A class we should add?
Tech Savvy: Reinventing Work With Virtual Reality
Virtual reality could be the new reality at work: The demand for the free Samsung Gear VR headsets offered in a recent promotion was so high that the consumer electronics giant won’t be able to deliver them for months.  Yet, as hot as the consumer market for VR gear appears to be, the business market may outstrip it.


I’m going to share this with my students who must write to our “Discussion Board” every week.  Note the tips I suggest!
How to Write the Perfect Professional Email (Backed by Data)
   In the past, we’ve listed 12 reasons why people are still ignoring your emails. We’ve even given you step-by-step instructions on getting busy people to respond to your messages. But now it’s time to share some even more specific, actionable tips — backed by data.
Each of these tips doesn’t just improve the chances of your emails being read, but also of you receiving a positive response from those emails. This is important because email is still the main form of communication in the business world. By knowing how to craft effective emails, you give yourself a definite advantage over your colleagues.
[Okay, please don’t follow this tip.  Bob]
7. Write at Third-Grade Level
The reading grade level of your emails can have a massive effect on your response rates.  According to Boomerang, emails written at a college reading level had a response rate of just 39%.  The most effective reading grade was third-grade, which achieved a 53% response rate.
[Absolutely do this!  Bob]
8. Proofread Your Text
For longer emails this goes without saying, but for shorter emails, proofreading is often overlooked.  This is a bad idea.
In a 2001 study, Larry Beason showed that mistakes in writing (including spelling and grammatical mistakes, as well as logical mistakes) have several negative effects on the perception of the writer.


For my students.
9 Cleanest & Safest Websites to Download Free Software for Windows

(Ditto)
Microsoft Translator Adds Image Translation to Android
   With the new image translation feature in the Translator app for Android, you no longer need to type text or say foreign languages phrases out loud when you see them written on signs, menus, flyers…whatever.  Instead you can translate pictures instantly from your phone, with the translation appearing in an overlay above the existing text.


Dilbert perfectly illustrates the problem we face if companies give them backdoors into their encryption!
