Monday, June 06, 2016

Another large breach?  Easier to believe than 100 million individual phishing or social engineering successes.  Looks like it’s going to be a record year. 
Joseph Cox reports:
Accounts for over 100 million users of popular social media site are being traded on the digital underground.
Breach notification site LeakedSource obtained the data and published an analysis on Sunday.  The hacker known as Peace, meanwhile, listed the data for sale on a dark web marketplace.
Peace provided Motherboard with a dataset containing a total of 100,544,934 records, and LeakedSource provided a smaller sample for verification purposes.  The data contains first and last names, email address, phone numbers and passwords.
Read more on Motherboard.  These data are apparently from a breach several years ago (circa 2011-2013).  Earlier today, Motherboard updated its post to note that a VK spokesperson denied that the site had been breached:
“VK database hasn’t been hacked.  We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012.  All users’ data mentioned in this database was changed compulsorily.  Please remember that installing unreliable software on your devices may cause your data loss.  For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”
That’s all well and good, except that if the data are up for sale now, they likely do contain some still-valid passwords despite any “compulsory” reset a few years ago.

Hacking for Art?  An artistic hack?  How easy would this be? 
John Oliver is not just a brilliant comedian.  Through his humor and segments, he often makes compelling points about our society – and in this case – medical privacy.  Consumerist has a piece on how Oliver easily created his own medical debt collection firm, and thereby came into possession of many people’s medical information:
For a $50 fee, Oliver and his team registered their new debt-acquisition firm, Central Asset Recovery Professionals — CARP, named after the bottom-feeding fish — in Mississippi, complete with a website that was nothing more than the logo you see here.
“With little more to go on than that website,” says Oliver, “we were soon offered a portfolio of nearly $15 million of out-of-statute medical debt from Texas.”
The asking price was less than $60,000 for $14,922,261.76 in this zombie debt — or around $.004 for every dollar of debt owed.  Purchasing the debt would give CARP the names, current addresses, Social Security numbers, and amount owed (or previously owed, as the statute of limitations had expired) for nearly 9,000 individuals.
What Oliver did next is an amazing act of kindness to people, but let’s not forget what he has demonstrated about the risks we face.
Watch the whole segment here:

I wonder if Facebook would be interested in hiring one of my Computer Security students?
Mark Zuckerberg social media accounts get hijacked, hacker claims Facebook founder’s password was ‘dadada’
   While the social network creator’s Facebook page remained intact, Mark Zuckerberg’s Twitter and Pinterest accounts were hijacked by the hacker group OurMine Team on Sunday.
The group claiming responsibility for the high-profile hacking left a taunting message on both social media accounts.
“Hey @finkd, you were in Linkedin Database with the password ‘dadada’ !,” the team wrote from Zuckerberg’s Twitter page.
On his Pinterest, the new title was “Hacked by OurMine Team.”
In a deleted tweet, OurMine claimed it also breached Zuckerberg’s Instagram — which Facebook owns — claiming it was “just testing your security.”
Prior to the hack, Zuckerberg did not tweet on his rival social network since January 2012.
   Zuckerberg is the latest in a rash of recent celebrity hacks, with Tenacious D's Twitter falling victim to a death hoax on Sunday.
The week before, Katy Perry's Twitter was taken over, with the hacker sending a message to the "Roar" singer's rival, Taylor Swift, and releasing a never-before-heard song.

Now this would be fun!  Perhaps I could interest the Computer Security club?  We could install it in the state legislature as a demo.  We could even rent it to Computer Security managers preparing their budgets.  This would really grab senior management’s attention.  
Liz Stinson reports:
If you’re connected to a wireless network, odds are high that little bits of data are trickling out of your device like water from a leaky faucet.  “Our phones leak data in a bunch of different ways,” says artist Kyle McDonald.  “Sometimes it’s really insidious or unexpected.”
Recently at Moogfest, a music and technology festival in Durham, N.C., McDonald with the help of fellow artist Surya Mattu created an installation called WiFi Whisperer that called attention to all that data your phone is giving away for free.  As festivalgoers walked past the installation, the artwork grabbed insecure data and display it on monitors, while a hidden speaker whispered the stream of data—what networks you’ve recently connected to and websites you’ve visited, for example—like a creepy, demon-voiced Big Brother.   “It’s sort of like looking over someone’s shoulder,” says McDonald, “except you’re doing it without actually looking over their shoulder.”
Read more on Wired.

Some interesting scholarship.  I hope this gets completed. 
State attorneys general have authority to enforce a number of federal privacy and data security statutes, and they may also have additional authority to protect privacy and data security under state law.
   Until now, however, there has been no academic scholarship on the role state attorneys general play in privacy and data security.  Happily, that has now changed with an exploratory study by Danielle Citron, who shared her findings in a paper workshopped at the Privacy Law Scholars Conference this week.
Here’s the abstract of her paper:
Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals.  Crucial agents of regulatory change, however, have been ignored: the state attorneys general.  This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.  Because so little has been written about this phenomenon, I engaged with primary sources—first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.  
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement.  State attorneys general have been nimble privacy enforcement pioneers where federal agencies have been more conservative or constrained by politics.  Their local knowledge, specialization, multistate coordination, and broad legal authority have allowed them to experiment in ways that federal agencies cannot.  These characteristics have enabled them to establish baseline fair information protections; expand the frontiers of privacy law to cover sexual intimacy and youth; and pursue enforcement actions that have harmonized privacy policy.
Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on informal agreements that lack law’s influence and a reluctance to issue closing letters identifying data practices that comply with the law.  This article offers ways state attorneys general can function more effectively through informal and formal proceedings.  It addresses concerns about the potential pile-up of enforcement activity, federal preemption, and the dormant Commerce Clause.  It urges state enforcers to act more boldly in the face of certain shadowy data practices.
You can download a pre-publication version of the paper from SSRN.

Something my students are asking (since they will be the ones to program and secure them)  Not sure this infographic has all the answers, but it hits a number of points worth discussing.
How Close Are We to Self-Driving Cars Being Available?

Creating Apps for fun and the Prophet?  Expect someone to create an App that gathers information about users (potential terrorists?) for investigation and potential targeting. 
ISIS's Mobile App Developers Are in Crisis Mode
When they say, “There’s an app for everything,” terror propaganda is no exception. In the past six months, the Islamic State (IS, ISIS, or Daesh) and its news agency, ‘Amaq, have officially developed at least six mobile apps, adding to a list of other apps created by the group’s supporters.
   Just when it seemed that IS had succeeded in creating a direct and uninterrupted method of linking to its followers, the group would show signs that its app operations had brought about new risks.
A notice disseminated officially by ‘Amaq on June 1—and subsequently by other social media channels—claimed that “dubious sources” were disseminating a fake version of the ‘Amaq app, purposed for “spying”:

Some arguments for not creating Apps?
Why Britain banned mobile apps
   So why did the GDS ban apps?  It wasn’t because they weren’t technically savvy enough to build them.
Cost, he says.  Apps are “very expensive to produce, and they’re very, very expensive to maintain because you have to keep updating them when there are software changes,”  

Perhaps I should teach more Star Wars? 
‘Chewbacca Mom’ Has Gotten $420,000 Worth of Gifts Since Facebook Video Went Viral
   “Chewbacca Mom” is of course Candace Payne, the Wookie-loving stay-at-home mom from Grand Prairie, Texas, whose claim to fame is the posting of a Facebook Live video in which she giggles joyfully and infectiously while wearing her new Chewbacca mask.
The video, posted on May 19, quickly became the most-watched Facebook Live video ever, and has been viewed more than 150 million times and counting.  It’s also been shared more than 3 million times.
   Kohl’s got plenty of free publicity thanks to Payne mentioning in her video that she purchased her Chewbacca mask there.  And Kohl’s returned the favor by showing up at Payne’s home with a collection of gifts, including dozens of toys, $2,500 in gift cards, and (of course) Chewbacca masks for her whole family so no one has to share.

No comments: