Wednesday, April 26, 2017

No matter who dumped the data, this indicates that your security sucks!
Joseph Cox reports:
The industry for so-called encrypted or secure phones is a lively one.  Several firms sell custom BlackBerry or Android devices that may come pre-loaded with tools such as PGP email for sending messages, and some of these companies’ products have allegedly been used by organized crime.
But it’s also a competitive market.  Customer data from one company, including email addresses and unique IMEI numbers from users’ phones, is now available online for anyone to dig into, and Ciphr, the victim company, claims the data dump was the work of a competitor.
Read more on Motherboard.

Risky burritos.  With 2,000 locations, this could be big. 
Melissa Stephenson reports:
Chipotle Mexican Grill announced Tuesday that they have detected a data security breach.
The company believes the breach may have affected transactions from March 24 through April 18.
Read more on WTKR.

It's not bad enough that you were hacked; now blackmailers are using the hacked data against you.
Graham Cluley reports:
Blackmailers are once again trying to make money out of the notorious Ashley Madison hack, which exposed the details of registered members of the cheating website in 2015.
Robin Harris writes on ZDNet that he has received a blackmail threat, alerting him that unless he pays up $500 worth of Bitcoin his personal details will be shared on a new website being created by the extortionists.
The site, which the blackmailers claim will be launched on May 1 2017, is said to be called “Cheater’s Gallery”:
“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families.  We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites.  This will include you if do not pay to opting out.”
Read more on HotForSecurity.

Do you really want to play around in Tony Soprano’s back yard?
Paul Milo reported this yesterday:
Hackers have disabled some City of Newark computers and are now demanding about $30,000 worth of the online currency Bitcoin to render them operable once again, TAPInto reported Monday.
The computers were infected over the weekend with an encryption that affects nearly all files that operate on a desktop, according to a document obtained by TAPInto.

A hardcoded key is the same as an unchangeable default password. 
Flaws in Hyundai App Allowed Hackers to Steal Cars
The Blue Link application, available for both iOS and Android devices, allows users to remotely access and monitor their car.  The list of features provided by the app includes remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
Versions 3.9.4 and 3.9.5 of the Blue Link apps upload an encrypted log file to a pre-defined IP address over HTTP.  The name of the file includes the user’s email address and the file itself contains various pieces of information, such as username, password, PIN, and historical GPS data.
While the log file is encrypted, the encryption relies on a hardcoded key that cannot be modified.  A man-in-the-middle (MitM) attacker — e.g. via a compromised or rogue Wi-Fi network — can intercept HTTP traffic associated with the Blue Link application and access the log file and the data it contains.
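An added illustration of the point above (example code written for this post, not Hyundai's or the researchers' code): on the vulnerable side, the client ships a log whose file name carries the e-mail and whose body is "encrypted" under a key that every installed copy shares, so anyone who has unpacked the app and sits on the Wi-Fi path reads both.  On the hardened side, credentials and location are never written to the log, the file name is opaque, and the upload refuses anything but HTTPS.  Everything here is constructed: the key, the TEST-NET endpoint address, the log format, and the SHA-256 counter-mode keystream standing in for whatever cipher the real app used (the weakness being shown is key management, not the cipher).

```python
import hashlib
import re
import secrets
from urllib.parse import urlparse, unquote

# Hypothetical constant standing in for the key every installed copy shares.
# Anyone who unpacks the app package can read it, so it is effectively public.
HARDCODED_KEY = b"blue-link-demo-key-0000"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode used as a keystream and XORed
    with the data. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def build_upload(email: str, log_text: str) -> tuple:
    """The vulnerable client as the article describes it: a plain-HTTP POST whose
    file name carries the user's e-mail and whose body is the log encrypted under
    the shared key. The endpoint is a constructed TEST-NET address, not the real one."""
    url = f"http://203.0.113.10/logs/{email}.log"
    return url, keystream_xor(HARDCODED_KEY, log_text.encode())


def mitm_recover(url: str, body: bytes, key_from_app: bytes = HARDCODED_KEY) -> dict:
    """What a rogue Wi-Fi operator gets: the URL (and so the e-mail) is in the clear,
    and the body opens with the key lifted from the app package."""
    filename = unquote(urlparse(url).path.rsplit("/", 1)[-1])
    email = filename[:-len(".log")] if filename.endswith(".log") else filename
    return {"email": email, "log": keystream_xor(key_from_app, body).decode()}


# Hardened side: secrets never reach the log, the file name does not identify
# the user, and the transport must be TLS.
_SECRET_LINE = re.compile(r"^(password|pin|username|gps)=.*$",
                          re.IGNORECASE | re.MULTILINE)


def redact(log_text: str) -> str:
    """Strip credential and location fields before a line is persisted."""
    return _SECRET_LINE.sub(lambda m: f"{m.group(1).lower()}=[redacted]", log_text)


def safe_upload(log_text: str, endpoint: str = "https://telemetry.example/logs/") -> tuple:
    """Refuse non-TLS endpoints, use an opaque per-upload name, ship only the
    redacted log. The endpoint is hypothetical."""
    if urlparse(endpoint).scheme != "https":
        raise ValueError("diagnostic uploads must use HTTPS")
    return f"{endpoint}{secrets.token_hex(8)}.log", redact(log_text)


if __name__ == "__main__":
    # Constructed sample log in the shape the article describes.
    sample = ("username=alice@example.com\npassword=Hunter2!\npin=1234\n"
              "gps=47.6,-122.3\nevent=engine_start\n")
    url, body = build_upload("alice@example.com", sample)
    print(mitm_recover(url, body))   # the attacker recovers everything
    print(safe_upload(sample))       # HTTPS, opaque name, nothing worth stealing
```

The takeaway a reviewer should apply to any app: a symmetric key inside a shipped binary protects nothing against someone who has the binary, so client-side "encryption" of telemetry is not a substitute for server-authenticated TLS, and the cheapest fix of all is to never log the password, PIN or location in the first place.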

“How brave a world where devices doth conspire!”  A possible AI Shakespeare?  
Man Arrested in Wife's Murder After Fitbit Data Pokes Holes in His Alibi
A Connecticut man was arrested and charged with the murder of his wife after police found that Fitbit data didn't match his alibi.
Connecticut's Richard Dabate was accused of killing his wife Connie, who was found dead from gunshot wounds at their home in December 2015.  Dabate said an unknown intruder broke into their house before shooting his wife and subduing Dabate with precision use of pressure points.  But investigators have uncovered inconsistencies between his account and that of the devices he and Connie used, including the fitness tracker she wore on her wrist.
Evidence from her Fitbit, which works as a digital pedometer to keep track of the wearer's daily activity, shows she was up and moving an hour after Dabate claimed she had been attacked.  It further pokes holes into his account of her morning, noting just how far she moved after arriving home.  Electronic records from e-mail, phone, and text messages also contribute to a complicated picture, showing a marriage in trouble and the presence of a pregnant girlfriend.  Dabate claimed his wife's life insurance policy the day after the crime.

A source of used Stingrays?
Mike Maharrey writes:
…Arizona Gov. Doug Ducey signed a bill that bans the use of “stingrays” to track the location of phones and sweep up electronic communications without a warrant in most situations.  The new law will not only protect privacy in Arizona, but will also hinder one aspect of the federal surveillance state.
Sen. Bob Worsley (R-Mesa) introduced Senate bill 1342 (SB1342) back in January.  The legislation will help block the use of cell site simulators, known as “stingrays.”  These devices essentially spoof cell phone towers, tricking any device within range into connecting to the stingray instead of the tower, allowing law enforcement to sweep up communications content, as well as locate and track the person in possession of a specific phone or other electronic device.
Read more on Tenth Amendment Center.

Determining what to block or take down in real time is almost impossible.  Perhaps AI can speed up detection, but can it anticipate a user’s post?  When do you merely block or take down and when do you notify the police? 
Thai Police Will Review Ways to Take Down Content After Man Murders Baby in Facebook Video
Police in Thailand on Wednesday said they would discuss how to speed up taking down "inappropriate online content" after a man broadcast himself killing his 11-month-old daughter in a live video on Facebook.

(Related).  Tips for hackers.  Problems for Forensic students. 
A Trick That Hides Censored Websites Inside Cat Videos
A pair of researchers behind a system for avoiding internet censorship wants to deliver banned websites inside of cat videos.  Their system uses media from popular, innocuous websites the way a high schooler might use the dust jacket of a textbook to hide the fact that he’s reading a comic book in class.  To the overseeing authority—in the classroom, the teacher; on the internet, a government censor—the content being consumed appears acceptable, even when it’s illicit.
The researchers, who work at the University of Waterloo’s cryptography lab, named the system Slitheen after a race of aliens from Doctor Who who wear the skins of their human victims to blend in.  The system uses a technique called decoy routing, which allows users to view blocked sites—like a social-networking site or a news site—while generating a browsing trail that looks exactly as if they were just browsing for shoes or watching silly videos on YouTube.

For my Computer Security students.  Possible exam question: There are 65000 X 2 ports, name them! 
Securing risky network ports
Data packets travel to and from numbered network ports associated with particular IP addresses and endpoints, using the TCP or UDP transport layer protocols.  All ports are potentially at risk of attack.  No port is natively secure.
There is a total of 65,535 TCP ports and another 65,535 UDP ports; we’ll look at some of the diciest ones.
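For the students: an added example (mine, not from the article) of what "a port" is at the transport layer and how exposure is actually measured.  A TCP connect scan completes the three-way handshake against each probed port; port numbers run from 0 through 65535 for each of TCP and UDP.  The listener helper binds a throwaway socket on 127.0.0.1 so the scan has something to find, and the service names are a hand-picked subset of well-known assignments, not the article's list.

```python
import socket
from contextlib import closing

# Hand-picked well-known TCP ports that appear on most "risky services" lists.
# Constructed subset for the example; the article's own list is not reproduced.
RISKY_TCP = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
             445: "microsoft-ds", 3389: "ms-wbt-server", 5900: "vnc"}


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP three-way handshake completes. connect_ex returns 0 on
    success and an errno (e.g. ECONNREFUSED) otherwise, without raising."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports) -> dict:
    """Map each probed port to whether it is open and, if known, its service name."""
    return {p: {"open": tcp_port_open(host, p), "service": RISKY_TCP.get(p)}
            for p in ports}


def start_listener(port: int = 0) -> tuple:
    """Bind a listening socket on 127.0.0.1 so the scan has a target.
    Port 0 lets the OS pick a free ephemeral port. Returns (bound_port, close).
    The kernel completes handshakes into the backlog even though nothing
    calls accept(), which is all a connect scan needs to see."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv.getsockname()[1], srv.close


if __name__ == "__main__":
    bound, close = start_listener()
    print(scan("127.0.0.1", [bound, 23, 3389]))   # bound port open; others likely refused
    close()
```

Two caveats worth remembering for the exam: a closed port answers with RST (connect_ex returns ECONNREFUSED immediately), while a firewalled one simply times out, so "closed" and "filtered" look different on the wire; and UDP cannot be probed this way at all, since there is no handshake and silence from a UDP port is ambiguous between open and filtered.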

Also an issue for my Computer Security students to consider (AKA: need to know).  All new files should start with a “no one can access” rule, which changes only when a manager specifically authorizes access.
Organizations Fail to Maintain Principle of Least Privilege
Security requires that confidential commercial data is protected; compliance requires the same for personal information.  The difficulty for business is the sheer volume of data generated makes it difficult to know where all the data resides, and who has access to it.  A new report shows that 47% of analyzed organizations in 2016 had at least 1,000 sensitive files open to every employee; and 22% had 12,000 or more.
These figures come from the Varonis 2016 Data Risk Assessments report.  Each year Varonis conducts more than 1,000 risk assessments for both existing and potential customers.
Varonis believes that organizations spend too much time and money in defending specific threats to keep attackers off the network; rather than protecting the data itself from both opportunistic insiders and hackers that breach the 'perimeter'.  In January of this year, a separate report (PDF) from Forrester (commissioned by Varonis) concluded that "an overwhelming majority of companies face technical and organizational challenges with data security, are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data."
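The Varonis figures are about Windows ACLs granting Everyone or Domain Users; the same question asked of a Unix tree is "which files carry mode bits for 'other'?".  Below is an added example (not Varonis's tooling) that walks a directory, reports regular files readable or writable by every account on the system, and then applies the default-deny rule from the note above by stripping those bits so access has to be granted back explicitly.  The sample tree it builds in a temp directory is constructed for the example.

```python
import os
import stat
import tempfile


def open_to_everyone(path: str) -> dict:
    """Report the 'other' read/write bits on one path (lstat: symlinks not followed)."""
    mode = os.lstat(path).st_mode
    return {"read": bool(mode & stat.S_IROTH), "write": bool(mode & stat.S_IWOTH)}


def audit_tree(root: str) -> list:
    """List regular files under root that any account on the system can read or write.
    Paths are returned relative to root, sorted, with the octal mode for the report."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            perms = open_to_everyone(p)
            if perms["read"] or perms["write"]:
                findings.append({"path": os.path.relpath(p, root),
                                 "mode": oct(stat.S_IMODE(st.st_mode)), **perms})
    return sorted(findings, key=lambda f: f["path"])


def enforce_default_deny(root: str) -> int:
    """Apply the 'no one can access' rule to every finding: clear all 'other' bits.
    Returns the number of files changed. Grants are then re-added per file, on purpose."""
    changed = 0
    for f in audit_tree(root):
        p = os.path.join(root, f["path"])
        os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) & ~stat.S_IRWXO)
        changed += 1
    return changed


def make_sample_tree() -> str:
    """Constructed sample data: a temp directory with files at several modes.
    chmod is applied explicitly after creation so the process umask cannot interfere."""
    root = tempfile.mkdtemp(prefix="least-priv-audit-")
    samples = {"hr/salaries.csv": 0o644, "hr/reviews.docx": 0o600,
               "shared/notes.txt": 0o666, "eng/design.md": 0o640}
    for rel, mode in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("sample\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for f in audit_tree(root):
        print(f)                               # salaries.csv and notes.txt are exposed
    print("locked down:", enforce_default_deny(root))
    print("remaining:", audit_tree(root))      # []
```

Mode bits are only part of the picture on a real system: POSIX ACLs (getfacl) and, on Windows, DACL entries for Everyone, Authenticated Users or Domain Users can grant access that a mode-bit audit never sees, which is exactly the kind of grant the Varonis numbers are counting.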

Only China?  No other country is a risk?  Wake up, DHS. 
Adam Schwartz writes:
EFF has joined a coalition effort, led by Asian Americans Advancing Justice (AAAJ), to oppose the federal government’s proposal to scrutinize the social media activities of Chinese visitors.  Specifically, U.S. Customs and Border Protection (CBP) seeks to ask certain visa applicants from China to disclose the existence of their social media accounts and the identifiers or handles associated with those accounts.
Last year, EFF opposed a similar CBP proposal concerning foreign visitors from countries that participate in the Visa Waiver Program (VWP). CBP finalized this proposal in December 2016.
Read more on EFF.

My students seem reluctant to use self-driving cars.  Will they even consider self-flying?
Uber plans to rule the skies by 2020
Uber has revealed plans to team up with Aurora Flight Sciences to create and test out a network of aerial taxis for passengers to hire by 2020.
On Tuesday at Uber's Elevate Summit in Dallas, Texas, the companies said the electric vertical takeoff and landing (eVTOL) aircraft will be part of the Uber Elevate Network, a scheme designed to eventually give Uber users the opportunity to use both land and air to reach their destination. [What?  No submarines?  Bob] 

My Indian students seem to think it is already an equal to Amazon.
Funding Flipkart: Can India’s Internet ‘Unicorn’ Take on Amazon?

Let’s hope this is not United’s fault. 
United Airlines investigates giant bunny death
United Airlines is investigating the death of a giant rabbit which was being transported on one of its planes.
The 90cm-long bunny, called Simon, was found dead in the cargo hold when the flight arrived at Chicago's O'Hare airport from London Heathrow.
Reports in UK media say the 10 month-old giant rabbit was being delivered to a new "celebrity" owner.
Owner Annette Edwards told the paper: "Simon had a vet's check-up three hours before the flight and was fit as a fiddle.
"Something very strange has happened and I want to know what.  I've sent rabbits all around the world and nothing like this has happened before."

Something to record my lectures for later listening?
This Online Audio Editor Is Beautiful
Beautiful Audio Editor is a free audio editor that you can use in the Chrome and Firefox web browsers.  Beautiful Audio Editor lets you record spoken audio directly and or import audio that you have previously recorded in MP3 and WAV formats.  You can edit and blend multiple tracks in the Beautiful Audio Editor.  When your audio editing project is complete you can download it as an MP3 file, download it as a WAV file, or you can save it in Google Drive.
