Saturday, July 23, 2016

Any leak is a good leak? 
D.B. Hebbard reports:
If WikiLeaks wanted to cause itself irreparable damage, it could not have done worse than to publish a huge dump of emails, some of which contain personal information such as passport or social security numbers, or credit card information.
The organization, which usually gets support from the tech and liberal media, is getting hammered for its poor judgement.  The source of the emails is also controversial, as the hack may involve a Russian hacker.
The 19,252 emails come from the in-boxes of seven DNC employees, including Communications Director Luis Miranda and National Finance Director Jordan Kaplan, but a search of several known names deeper inside the organization turned up nothing (which shows you just how easy it is to run up the number of emails coming and going through an organization).
Read more on PoliMedia. As Mike Wehner succinctly describes on the Daily Dot:
Most of the donor notifications include the name, address, phone number, email address, occupation, payment type, and partial account numbers of the donor.  The emails even include the IP address that the donation was sent from, along with the type of computer and browser that was being used at the time.
The source being a Russian hacker wouldn’t concern me, but the dumping of data without screening to redact some PII does, and this is not the first time WikiLeaks has done this.  We saw it with the Sony hack email dump, and we’ve seen it with other data dumps.
I understand that there are those who want to get stolen or hacked data of political import out there.  But perhaps they might consider using a more responsible organization and system such as REVEAL (formerly known as the Center for Investigative Reporting).


Yet another breach where a simple Google search found the vulnerability.
Hacker steals 1.6 million accounts from top mobile game's forum
A hacker has targeted the official forum for popular mobile game "Clash of Kings," making off with close to 1.6 million accounts.
The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.
In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account).  Passwords stored in the database are hashed and salted.
The hack took advantage of the company's lax approach to user security, such as failing to use basic HTTPS website encryption.

The hacker exploited a known weakness in the forum's software, an older version of vBulletin, which dates back to late 2013.  The version in question is vulnerable to a number of serious security flaws, which can be exploited with tools found readily online.
One of the LeakedSource members told me that the hacker actively sought out sites running vulnerable, out-of-date forum software, using a technique known as "Google dorking," which uses search engines to find sites running potentially vulnerable software and insecure configurations.
The "Clash of Kings" forum was one of the largest that shows up in the search.
"At this point, any unpatched vBulletin 4 forum with over 100,000 users is probably hacked," the member said.


Update.  How would this have been handled in the US?  Still think only governments can wage cyberwar? 
Martin Evans reports:
A teenage computer hacker who shut down government networks across the world and sent bomb threats to US airlines from his bedroom has walked free from court.
The 16-year-old from Plympton in Devon began hacking the sites of organisations and governments he disagreed with when he was just 14.
Using a laptop computer in his bedroom, the schoolboy, who cannot be named for legal reasons, caused chaos targeting Iraq’s ministry of foreign affairs, the department of agriculture in Thailand and China’s security ministry.
He also crashed computers in the Japanese town of Taiji, where an annual dolphin hunt takes place, and launched a cyber-attack on the SeaWorld theme park in Florida, costing almost half a million pounds.
Read more on The Telegraph.


Privacy is a victim of a drive by?
Joe Cadillic writes:
DHS and the Dept. of Transportation are using ‘Bluetooth detectors’ to spy on motorists and pedestrians.
Beginning in late 2007 the University of Maryland, with support from the Maryland SHA, developed an anonymous probe technique to monitor the travel time on highways and arterials based on signals available from the point-to-point networking protocol commonly referred to as Bluetooth.
If you guessed DHS is involved in Bluetooth spying, give yourself a gold star.  Click here, here and here to find out more.
According to Gainesville.com, motorists probably have no idea the government (DHS) is secretly reading information on their cell phones, tablets, headphones.
Read more on MassPrivateI.
[From the article: The DOT admits Bluetooth detectors can be used to identify anyone...]


This could be amusing.
Judge Orders Yahoo to Explain How It Recovered ‘Deleted’ Emails in Drugs Case
A judge has ordered Yahoo to present a witness and provide documents explaining how the company handles supposedly deleted emails.
The move comes in the appeal case of a drug trafficker who was convicted, in part, because of emails Yahoo provided to law enforcement that conspirators believed had been deleted.
Defense lawyers in the case claim that six months of deleted emails were recovered—something which Yahoo's policies state is not possible.  The defense therefore speculates that the emails may have instead been collected by real-time interception or an NSA surveillance program.
United States Magistrate Judge Maria-Elena James, from a San Francisco court, granted the defense's motion for discovery in an order filed on Wednesday.
The case revolves around Russell Knaggs, from Yorkshire, England, and a single Yahoo mail account.  In 2009, Knaggs orchestrated a plan to import five tonnes of cocaine from South America.  At the time, Knaggs was already serving a 16-year prison sentence for another drug crime.
As part of the operation, a collaborator in Colombia would log into the email account “slimjim25@ymail.com” and write a draft email.  An accomplice based in Europe would then read the message, delete it from both the “draft” and “trash” folders, and write his own draft, in an effort not to leave behind any messages that could later be read by law enforcement.
The defense alleges there should have been nothing for law enforcement to find
Sukhdev Thumber, a solicitor representing Knaggs in the UK proceedings, previously told Motherboard that the pair would sometimes simply remove the text in the draft with the backspace key, rather than deleting the email.  Knaggs didn't actually use the account himself.


WWPD (What will Putin do?)  Is Google more powerful than the FSB? 
Shaun Waterman reports:
U.S.-based tech giants appear set to silently ignore new Russian laws requiring them to hand over encryption keys for internet communications to state security agencies, those tracking the issue tell FedScoop.
Only two encryption providers appear to have publicly responded to the new legislation, known as “Yarovaya law,” after the hardline lawmaker responsible for drafting it.  One virtual private network provider, Private Internet Access, announced they were leaving Russia, while another, NordVPN, doubled down on their presence there, according to interviews and public statements.
Read more on FedScoop.


Never say clearly what you can interpret however you want later? 
Civil Rights Office Issues Ransomware Guidance
Ransomware attacks have risen from about 1,000 a day last year to 4,000 a day this year, Symantec has reported.
Many of those attacks are for small change, but some of the larger ones have been directed at healthcare providers.
The U.S. Health and Human Services Department's Office for Civil Rights, which enforces compliance with the Health Insurance Portability and Accountability Act, better known as "HIPAA," has released new guidance for healthcare organizations on ransomware.
"This OCR guidance clearly says that chances are that if you're infected with ransomware, it's likely a reportable breach unless there are mitigating circumstances," Kim said.  "Healthcare organizations know now that if ransomware encrypts PHI (protected health information), it's likely you'll have to report it." [A clear and unequivocal “maybe.”  Bob]
The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

(Related)  Make a rule that is more like a suggestion.  “We don’t really want to block all those calls from politicians…” 
FCC chief pushes phone companies to offer free robocall blocking
The chairman of the Federal Communications Commission on Friday told phone companies that they should start providing free technology for their customers to block robocalls and spam texts.
“I strongly urge you to offer your customers robust call blocking at no cost,” Chairman Tom Wheeler wrote in letters to companies providing both wireless and wired phone service, urging them to move immediately “to ensure consumers have the tools necessary to block these unwanted calls.”


For my Computer Security students.
Auto makers' ISAC out with cyber best practices guide
The Information Sharing and Analysis Council for the motor vehicle industry published a set of cybersecurity best practices Thursday.
The Auto-ISAC guidance recommends a fairly standard set of precautions — baking in security at the earliest stages of software development; standardized risk management procedures; proactive network defenses; and incident response planning, among others.
"It's a high-level document," said Jon Allen, a principal at Booz Allen Hamilton and acting executive director of the Auto-ISAC. 
He said there would be more detailed "playbooks," bearing down on individual areas such as risk management.  "This is what the industry needs to focus on as it prepares the playbooks," he said.


When your Wikipedia page is likely to be analyzed, bring in the professional obfuscators?
Is Wikipedia Foreshadowing Clinton's Vice-Presidential Pick?
Tom Vilsack, the U.S. Secretary of Agriculture and one of two candidates on Clinton’s reported shortlist, saw about 30 edits to his page this week.  Most of them were just to clean up information already on his page, and they came from registered Wikipedia users.
The Wikipedia page of Virginia Senator Tim Kaine, on the other hand, has seen 62 edits on Friday alone.  There have been almost 90 edits over the past week.  Many of them originate from a user called Neutrality, a longtime Wikipedia editor who has made more than 110,000 edits to the encyclopedia.  Other minor edits come from two IP addresses not associated with Wikipedia users, appearing to originate respectively from Hicksville, New York, and the borough of Queens in New York City.  Another user registered as a Wikipedia editor (and thus impossible to geographically track) added paragraphs about Kaine’s experience as mayor of Richmond and his energy policies.
In short, Kaine’s page has seen significantly more Wikipedia edits than any other candidate’s.


More on the hottest thing since the last hot thing?
'Pokémon GO' Claims Twice The Daily Use Of Facebook, Most First-Week Downloads On iOS
I had taken a break reporting on Pokémon GO simply because I didn’t think the statistics could get any more staggering.  Clearly I was wrong!  Pokémon GO isn’t going to topple Facebook’s massive user base any time soon, but it has snagged quite the user engagement victory.  On a daily basis, the insanely popular app from Niantic Labs is being used twice as much as the Facebook app on Android.  This is honestly something I thought would be inconceivable in a world where we’re tethered to our phones and addicted to social media updates.
A new report gathered from 7Park Data — pulled from a multi-million panel of anonymous U.S. Android users – shows that during its first week, Pokémon GO users spent 75 minutes per day playing, versus only 35 minutes on the Facebook app.  Beyond that, there’s another statistic that may give YouTube and Snapchat executives pause.  When comparing daily usage the week before and the week after Pokémon GO’s release, 7Park Data discovered that Niantic’s hit caused daily usage for said apps to drop by 9% and 18%, respectively.

(Related)  It looks far too complicated for me.
A beginner's guide: How to play 'Pokémon Go'


The older I get, the less concerned I am about looking foolish.
Modobag Lets You Zoom Around Airports While People Point and Laugh
The Modobag isn't available yet, but you can pre-order one via its Indiegogo campaign for the very high price of $995.  Did I mention the luggage's companion app will cost $69?  Oh, and just one other small issue: you'll look like a total tool as you tool around the terminal.


I look forward to this, every Saturday.
Hack Education Weekly News
Via The Chicago Tribune: “Gov. Bruce Rauner once told some of Chicago‘s wealthiest and most influential civic leaders that half of Chicago Public Schools’ teachers ‘are virtually illiterate’ and half of the city’s principals are ‘incompetent,’ according to emails Mayor Rahm Emanuel’s administration released Thursday under a court order.”
Amazon announced that it is partnering with Wells Fargo to offer student loans – Amazon Prime Student subscribers will be eligible for half a percentage point reduction on their interest rate for private student loans.  (As I’ve stated elsewhere, private student loans and the expansion of “fintech” into education is one of the most important ed-tech trends to watch, although you wouldn’t know it if you only read those ed-tech publications that downplay VCs’ interest in the private loan market.)  Here’s Inside Higher Ed on the news, which notes that consumer advocates are concerned about the offering.  No surprise, as last year the CFPB investigated the bank’s student loan practices.  As US News & World Report reports, “Wells Fargo, one of the largest private student loan lenders that services more than 1 million borrowers, received the fourth most complaints out of all private student loan servicers, according to a 2015 report from the Consumer Financial Protection Bureau.”
Via The Washington Post: “Pokémon Go sparks concern about children’s privacy.”
“What Could Go Wrong With Asking Teachers To Monitor Kids for ‘Extremist’ Beliefs?” asks the ACLU.
