Wednesday, October 12, 2016
“We know this is a problem. We know there is a simple fix for this problem. We chose to ignore the problem until someone pointed out to the rest of the world that the Emperor wore no clothes.”
Much has been written about the dangers of poorly secured MongoDB databases, among others. Despite the many warnings, millions of records have been lost due to misconfigurations in this database software. Now yet another massive database leak has been uncovered, related to an insecure MongoDB installation, exposing at least 58 million subscriber records.
Twitter user @0x2Taylor posted exfiltrated data on the file sharing site MEGA twice over the weekend, each time resulting in the data being taken down very quickly. The data was then released for a third time on a smaller file sharing website. After analyzing the dataset, we can confirm that nearly 58 million records containing full names, IP addresses, dates of birth, email addresses, vehicle data, and occupations were included in the leak.
Read more on RiskBasedSecurity, who note that ModB may have dodged a serious bullet, because there was another table with 258 million records that were being downloaded or accessed when the entire bucket was pulled offline.
As of today, ModB has not responded to this site’s original notification to them, alerting them to the leak. Nor have they responded to an inquiry asking them for a comment or what they intended to do about 58 million people having their PII exposed.
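The "simple fix" the leak commentary alludes to is, in practice, two lines of mongod.conf: bind the listener to a private interface and turn on authorization. The following audit script is an added example (not from the original post or from any vendor); it parses the two-level YAML layout mongod.conf uses and flags both weak settings, using constructed sample configurations rather than any real deployment's file.

```python
"""Audit a mongod.conf for the two settings behind most exposed-MongoDB leaks."""
from typing import Dict, List

# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface, including the public one
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1    # loopback only; add a private address if remote clients need it
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' layout mongod.conf uses."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw.startswith(" "):           # top-level section header
            section = line.rstrip(":")
            conf[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key] = value.strip()
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings: List[str] = []
    bind_ip = conf.get("net", {}).get("bindIp", "")
    # Before MongoDB 3.6 the daemon defaulted to all interfaces, so a missing bindIp is treated as exposed.
    if not bind_ip or "0.0.0.0" in bind_ip.split(","):
        findings.append("net.bindIp: listens on all interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: not enabled (unauthenticated access)")
    return findings
```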
We need to talk about this guy, ‘foreign power.’ Clearly he is acting like a common criminal. Should we sic Elliot Ness on him now or wait for him to become a full Tony Montana?
Claire Reilly reports:
It’s official. Foreign spies compromised Australia’s government networks last year, and they got at us through our weather division.
The Australian Cyber Security Centre has confirmed that a 2015 attack on servers at Australia’s Bureau of Meteorology was conducted by a “foreign intelligence service.” The attack saw two computers on the BOM’s network infected with remote access malware, allowing the attacker to search for, and copy, an “unknown quantity of documents.”
Read more on CNET.
(Related) Probably not worth mucking up their elections – they do a fine job of mucking themselves. Could we un-muck them? Probably not. An interesting question…
White House Vows ‘Proportional’ Response for Russian DNC Hack
… White House press secretary Josh Earnest said Tuesday that President Barack Obama is considering “a range of responses” but isn't likely to announce one in advance.
It used public data, but it was against the rules!
Facebook, Twitter block surveillance tool
Facebook and Twitter are cutting off Geofeedia's access to their data after an ACLU report that the company created tools to help law enforcement with surveillance.
The ACLU report released Tuesday, titled “Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color,” claims Geofeedia marketed the tool to help police monitor activists particularly minorities. The company mines social media and location data.
… “Twitter does have a ‘longstanding rule’ prohibiting the sale of user data for surveillance as well as a Developer Policy that bans the use of Twitter data ‘to investigate, track or surveil Twitter users,’” a Twitter spokesperson explained in an email.
The tool made use of Geofeedia’s access to Facebook’s Instagram API and Topic Feed API, as well as searchable access to Twitter’s database of public tweets — data available to commercial entities with company approval.
A Facebook spokesperson noted that Geofeedia, “only had access to data that people chose to make public.”
Disappearing messages for Signal
With this update, any conversation can be configured to delete sent and received messages after a specified interval. The configuration applies to all parties of a conversation, and the clock starts ticking for each recipient once they've read their copy of the message.
… This release also includes support for Signal Protocol's numeric fingerprint format, which is called "safety numbers" in Signal.
Safety numbers can be verified by either scanning a QR code or by reading a string aloud.
… As always, all of our code is free, open source, and available on GitHub.
Time to replace SWIFT?
Second hacker group targets SWIFT users, Symantec warns
Cyber-security firm Symantec Corp said on Tuesday that a second hacking group has sought to rob banks using fraudulent SWIFT messages, the same approach that yielded $81 million in the high-profile February attack on Bangladesh's central bank.
Symantec said that a group dubbed Odinaff has infected 10 to 20 organizations with malware that can be used to hide fraudulent transfer requests made over SWIFT, the messaging system that is a lynchpin of the global financial system.
… The company in May said it believed the Bangladesh heist was carried out by a group known as Lazarus, which was also responsible for attacks on SWIFT customers in Southeast Asia as well as the 2014 hack of Sony Pictures Entertainment.
The U.S. government has blamed North Korea for the Sony attack.
This is not as hard as this article makes it seem. It does require managers to manage. An unused tool is worthless.
Samsung Recall Puts Supply-Chain Oversight in Spotlight
Samsung Electronics Co.’s botched recall of its Galaxy Note 7 smartphone is putting a spotlight on supply-chain oversight and raising questions about the ability of today’s technology and management tools to help companies maintain quality control in giant complex networks of suppliers—as when products are being built and upgraded more swiftly.
It's like Wells Fargo, only smaller. Will I get my money back?
FCC hits Comcast with $2.3 million fine
The Federal Communications Commission (FCC) announced on Tuesday that it has reached a $2.3 million settlement with Comcast Corporation over charges for services that customers never authorized.
It’s the largest fine the FCC has ever levied against a cable company.
“The Communications Act and the FCC’s rules prohibit a cable provider from charging its subscribers for services or equipment they did not affirmatively request, a practice known as ‘negative option billing,’” a statement from the FCC said.
… The Comcast representative said the company is overhauling its customer service process.
“We have retrained our reps, and we’re providing specific information to customers on the phone,” the representative said. “We have a way for them to quickly get things resolved if there is something that they didn’t know about on their bill.”
Is this how Jeff Bezos beats Safeway and King Soopers? (Or 7-11?)
Amazon to Expand Grocery Business With New Convenience Stores
… The Seattle company aims to build small brick-and-mortar stores that would sell produce, milk, meats and other perishable items that customers can take home, these people say. Primarily using their mobile phones or, possibly, touch screens around the store, customers could also order peanut butter, cereal and other goods with longer shelf lives for same-day delivery.
For customers seeking a quicker checkout, Amazon will soon begin rolling out designated drive-in locations where online grocery orders will be brought to the car, the people said. The company is developing license-plate reading technology to speed wait times.
A heads-up for my lawyer friends.
Faced with the claim that AI and robots are poised to replace most of today’s workforce, most mainstream professionals — doctors, lawyers, accountants, and so on — believe they will emerge largely unscathed. During our consulting work and at conferences, we regularly hear practitioners concede that routine work can be taken on by machines, but they maintain that human experts will always be needed for the tricky stuff that calls for judgment, creativity, and empathy.
Our research and analysis challenges the idea that these professionals will be spared. We expect that within decades the traditional professions will be dismantled, leaving most, but not all, professionals to be replaced by less-expert people, new types of experts, and high-performing systems.
60 seconds of social media.
What happens online in one minute / 60 seconds
Potentially useful tool?
A Nice Way to Share Bundles of Links With Your Students
Sqworl is a free bookmarking tool for teachers and students. In Sqworl you can create groups or bundles of bookmarks to share with your students and/or colleagues. It provides a convenient way for you or your students to share collections of resources created while researching or browsing the web. As is demonstrated in my video below, Sqworl has a nice feature that lets you add descriptive notes to each visual bookmark within your Sqworl bundles. Watch my video embedded below to learn more.
This is interesting!
Stack Overflow puts a new spin on resumes for developers
Stack Overflow, the community site best known for providing answers for all of your random coding questions, also has a thriving jobs board and provides services to employers looking to hire developers. Today, the team is expanding the jobs side of its business with the launch of Developer Story, a new kind of resume that aims to free developers from the shackles of the traditional resume.
… Developer Story offers two views: a traditional resume view for employers and a more modern timeline view. It’s the timeline view that emphasizes your achievements, but even the traditional view puts its emphasis on which projects you have contributed to, which languages you’ve used, which questions you’ve answered on Stack Overflow, etc. What’s important to note is that it’s the developers who get to choose which accomplishments they want to highlight to potential hiring managers.
… If you want to give it a try, the new service is now available on Stack Overflow; like all of the company’s other services for developers, it’s available for free.