A reader kindly informed me that Movimiento
Ciudadano, one of the political parties that had legitimate
access to Mexico’s voter data list, has admitted
it was responsible for the leak on Amazon. Except that as I read more, I realized they
weren’t really admitting they were responsible for the leak.
I’ve been trying to read/translate a number of news
stories on today’s developments, including the
political party’s statement (ES).
From what I’m reading in their statement and from a number
of sources, it seems like the Citizens Movement party is filing a criminal
complaint against Chris Vickery, claiming he broke Amazon’s great
security, or some such nonsense. They
write, in part:
To make public the information that was safeguarded on the Amazon Web Services servers, it was necessary to breach the security measures through highly specialized methods, characteristic of professional hackers.
To be clear: Chris Vickery never hacked into the database.
Citizens Movement left port 27017 (MongoDB’s default port) open to the
internet with no authentication, and so anyone and everyone could connect to it
and download the voter data with no login required. Amazon was not
responsible for securing that database and Vickery didn’t break any security: there
was no security, and that was Citizens Movement’s responsibility.
Trying to make it out that Vickery engaged in criminal
conduct is a lame attempt on their part to deflect blame for their infosecurity
failure. It is especially lame in light
of how appreciative Mexico INE has been of Vickery’s discovery and
notification.
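As an added example (this is not code from the original post or from DataBreaches.net), here is what “no login required” on 27017 looks like in practice: a Python probe that speaks just enough of the MongoDB wire protocol to send `{listDatabases: 1}` to `admin.$cmd` and tell an open server (it lists every database) from one enforcing authentication (it answers `ok: 0, code: 13`). It assumes a 2016‑era server that accepts commands over OP_QUERY; MongoDB 5.1 and later accept commands only over OP_MSG, so the probe reports UNKNOWN against those. The two sample replies and the database names in them are constructed for the example, not captured from any real server, and the network function should only be pointed at hosts you are authorized to test.

```python
"""Probe a MongoDB port for unauthenticated access (added example).

Implements OP_QUERY/OP_REPLY and a BSON subset (double, string, document,
array, bool, int32, int64).  Assumption: the server still answers commands
sent over OP_QUERY, as 2016-era servers did.
"""
import socket
import struct

OP_REPLY, OP_QUERY = 1, 2004
UNAUTHORIZED = 13  # MongoDB error code returned when auth is enforced


def bson_encode(doc):
    body = b"".join(_bson_elem(k, v) for k, v in doc.items())
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def _bson_elem(key, v):
    name = key.encode() + b"\x00"
    if isinstance(v, bool):  # bool first: it is an int subclass
        return b"\x08" + name + (b"\x01" if v else b"\x00")
    if isinstance(v, int):
        if -2**31 <= v < 2**31:
            return b"\x10" + name + struct.pack("<i", v)
        return b"\x12" + name + struct.pack("<q", v)
    if isinstance(v, float):
        return b"\x01" + name + struct.pack("<d", v)
    if isinstance(v, str):
        s = v.encode() + b"\x00"
        return b"\x02" + name + struct.pack("<i", len(s)) + s
    if isinstance(v, dict):
        return b"\x03" + name + bson_encode(v)
    if isinstance(v, list):
        return b"\x04" + name + bson_encode({str(i): x for i, x in enumerate(v)})
    raise TypeError(f"unsupported BSON value: {type(v).__name__}")


def bson_decode(buf, pos=0):
    """Decode one document at buf[pos:]; return (dict, offset after it)."""
    size, = struct.unpack_from("<i", buf, pos)
    end = pos + size
    pos += 4
    doc = {}
    while pos < end - 1:  # end-1 holds the document's trailing 0x00
        t = buf[pos]
        nul = buf.index(b"\x00", pos + 1)
        key = buf[pos + 1:nul].decode()
        pos = nul + 1
        if t == 0x01:
            val, = struct.unpack_from("<d", buf, pos)
            pos += 8
        elif t == 0x02:
            slen, = struct.unpack_from("<i", buf, pos)
            val = buf[pos + 4:pos + 4 + slen - 1].decode()
            pos += 4 + slen
        elif t in (0x03, 0x04):
            val, pos = bson_decode(buf, pos)
            if t == 0x04:  # arrays are documents keyed "0", "1", ...
                val = [val[k] for k in sorted(val, key=int)]
        elif t == 0x08:
            val = buf[pos] == 1
            pos += 1
        elif t == 0x10:
            val, = struct.unpack_from("<i", buf, pos)
            pos += 4
        elif t == 0x12:
            val, = struct.unpack_from("<q", buf, pos)
            pos += 8
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x}")
        doc[key] = val
    return doc, end


def build_listdatabases_query(request_id=1):
    """OP_QUERY on admin.$cmd; numberToReturn=-1 asks for a single reply."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"
            + struct.pack("<ii", 0, -1) + bson_encode({"listDatabases": 1}))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def build_reply(doc, response_to=1):
    """OP_REPLY carrying one document; used here to construct sample replies."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), 0, response_to, OP_REPLY) + body


def parse_reply(data):
    """Return the BSON documents carried by an OP_REPLY message."""
    opcode = struct.unpack_from("<iiii", data, 0)[3]
    if opcode != OP_REPLY:
        raise ValueError(f"expected OP_REPLY, got opcode {opcode}")
    nreturned = struct.unpack_from("<iqii", data, 16)[3]
    docs, pos = [], 36  # 16-byte header + flags/cursorID/startingFrom/numberReturned
    for _ in range(nreturned):
        doc, pos = bson_decode(data, pos)
        docs.append(doc)
    return docs


def classify(reply_doc):
    """('OPEN', [db names]) when the server answered without credentials."""
    if reply_doc.get("ok") == 1 and "databases" in reply_doc:
        return "OPEN", [d["name"] for d in reply_doc["databases"]]
    if reply_doc.get("code") == UNAUTHORIZED:
        return "AUTH_REQUIRED", []
    return "UNKNOWN", []


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=5.0):
    """Live probe: only against hosts you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_listdatabases_query())
        head = _recv_exact(s, 4)  # messageLength is the first field
        data = head + _recv_exact(s, struct.unpack("<i", head)[0] - 4)
    docs = parse_reply(data)
    return classify(docs[0]) if docs else ("UNKNOWN", [])


# Constructed sample replies (not captured from any real server).
SAMPLE_OPEN_REPLY = build_reply({
    "databases": [{"name": "voters", "sizeOnDisk": 2.0e9, "empty": False},
                  {"name": "local", "sizeOnDisk": 65536.0, "empty": False}],
    "totalSize": 2.000065536e9, "ok": 1.0})
SAMPLE_AUTH_REPLY = build_reply({
    "ok": 0.0, "code": UNAUTHORIZED,
    "errmsg": "not authorized on admin to execute command { listDatabases: 1 }"})

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN_REPLY, SAMPLE_AUTH_REPLY):
        print(classify(parse_reply(sample)[0]))
```

The server-side fix is configuration, not anything Amazon provides: in mongod.conf set `security.authorization: enabled` and restrict `net.bindIp` to the interfaces that actually need the service (releases before 3.6 bound to all interfaces by default, so an instance on a public cloud host was reachable from anywhere unless the owner changed that or firewalled it).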
“Don’t put off until tomorrow that which you can secure today.” An ancient
saying, I just made up.
Nick Rummell reports that it’s not just affected customers suing Wendy’s after a data
breach disclosed in February – the banks are suing, too:
A major data security breach at
Wendy’s restaurants could have been easily prevented had the company acted
faster, according to a class action filed on behalf of banks whose customers
were affected by the breach.
The suit, filed in Federal Court
in Pittsburgh on April 25 by First Choice Federal Credit Union, claims the
fast-food chain “refused to take steps to adequately protect its computer
systems from intrusion,” which led to a nearly five-month-long data breach
where customer credit card information was stolen.
Read more on Courthouse News.
They must have something that convinced the judge he is
probably guilty, right? Or can they do
this to anyone with an encrypted hard drive?
I keep a large boring file named “This is important” on my backup DVDs
next to my encrypted files. Then I
re-encrypt everything. I will gladly
hand over that second encryption key and decrypting that file will prove that
it worked. Everything that still looks encrypted
must be gibberish.
David Kravets reports:
A Philadelphia man suspected of
possessing child pornography has been in jail for seven months and counting
after being found in contempt of a court order demanding that he decrypt two
password-protected hard drives.
The suspect, a former
Philadelphia Police Department sergeant, has not been charged with any child
porn crimes. Instead, he remains
indefinitely imprisoned in Philadelphia’s Federal Detention Center for refusing
to unlock two drives encrypted with Apple’s FileVault software in a case that
once again highlights the extent to which the authorities are going to crack
encrypted devices. The man is to remain
jailed “until such time that he fully complies”
with the decryption order.
Read more on Ars Technica.
Legitimate porn? Porn in the
public interest?
Journalism in the Age of Hulkamania
In March 2016, a jury awarded wrestler Hulk Hogan $140
million in damages in a suit he brought against Gawker Media. In 2012, Gawker
released a sex tape of Hogan and the wife of his friend, radio DJ Bubba Clem,
which was taped by Bubba Clem, allegedly without Hogan’s knowledge. Hogan claimed that the tape represented an
invasion of his privacy by the press. Gawker
is appealing the decision.
Fabio Bertoni, the New Yorker’s general counsel, makes
the argument that the decision against Gawker chips away at freedom of the
press, largely by threatening editorial discretion about what is newsworthy and
producing a chilling effect. Sex tapes are considered newsworthy if they
expose the hypocrisy of a public official or are in some other way relevant to
public life. The Hogan tape is not
clearly newsworthy—but it’s not clearly not newsworthy, either. It had been floating among news organizations
for some time before Gawker decided to publish it, and Gawker editors have
since backpedaled a bit from their decision.
Is it true that there was no mechanism to issue warrants to trash
collectors?
Erik Lacitis talks trash in the Seattle Times:
Seattle’s ordinance allowing
garbage collectors to look through people’s trash — to make sure food scraps
aren’t going into the garbage — was declared “unconstitutional and void”
Wednesday afternoon by King County Superior Court Judge Beth Andrus.
She entered an injunction against
its enforcement.
Words are important.
Tim Cushing reports that not satisfied to rest on his
laurels in the Really Bad Ideas Department, Rhode Island Attorney General
Peter F. Kilmartin is behind a legislative proposal that amounts to a
very bad state-level version of the federal hacking statute, CFAA. Tim writes:
Here’s the worst part of
the suggested amendments:
Whoever intentionally and
without authorization or in excess of one’s authorization, directly or
indirectly accesses a computer, computer program, computer system, or computer
network with the intent to either view, obtain, copy, print or download any
confidential information contained in or stored on such computer, computer
program, computer system, or computer network, shall be guilty of a felony and
shall be subject to the penalties set forth in §11-52-5.
This would make the
following Google search illegal:
filetype:pdf site:*.gov “law enforcement use only”
Read more on TechDirt.
I wonder if our Computer Security club would be interested in creating a
similar database for Colorado? Maybe
just Denver? Maybe just elected
officials?
Grace Dobush writes:
…. With the advent of global
surveillance, “Our world is becoming better behaved, but perhaps less human,”
said Tijmen Schep, creative director of the Dutch arts collective SETUP, which for the past two years has worked on building a
national database of Dutch citizens based solely on open source data.
The initial point of the project
– originally known as the National Birthday Calendar – was to create
a provocative, interactive site that would know every Dutch citizen’s
birthday and recommend gifts based on their personal preferences. It became so easy to gather the information
about people, and they collected so much that they began referring to
it as the DIY NSA, a tongue-in-cheek reference to a do-it-yourself
National Security Agency.
Read more on Christian Science Monitor.
(Related) Should my Ethical Hacking students ignore these
tools just because they can be used for evil?
Attackers Increasingly Abuse Open Source Security Tools
Instead of developing their own hacking tools or buying them from third
parties, threat groups have increasingly turned their attention to open source
security tools, Kaspersky Lab reported on Wednesday.
One such tool is the Browser Exploitation Framework (BeEF), a penetration testing
suite that focuses on the web browser. It
allows pentesters to determine if the targeted environment is vulnerable by
hooking the browser and using it to launch attacks.
BeEF enables attackers to monitor and profile the visitors
of a website as it can deploy evercookies for persistent tracking, it can enumerate
browsers and plugins, and obtain a list of domains visited by the victim. In addition to tracking, it can also be used
to find and exploit vulnerabilities.
Just because…
30 Insanely Useful Websites You Probably Don’t Know About
Because you never know when you may need to hack a computer.
5 Best Linux Distros for Installation on a USB Stick