Tuesday, September 11, 2012

I doubt any (both?) of my readers would fall for this, but my Computer Security students should find it amusing that the Democrats haven't noticed a similar problem. And it's legal?
"Shane Goldmacher writes that a network of look-alike campaign websites have netted hundreds of thousands of dollars this year in what some are calling a sophisticated political phishing scheme. The doppelgänger websites have the trappings of official campaign pages: smiling candidate photos and videos, issue pages, and a large red "donate" button at the top and exist for nearly three-dozen prominent GOP figures, including presidential nominee Mitt Romney, House Speaker John Boehner, House Majority Leader Eric Cantor, and donation magnets such as Reps. Michele Bachmann of Minnesota and Allen West of Florida. The only difference is that proceeds from the shadow sites go not to the candidates pictured, but to an obscure conservative group called CAPE PAC run by activist Jeff Loyd, a former chairman of the Gila County GOP in Arizona. 'The only thing they are doing is lining their pockets and funding their own operation,' says Republican political strategist Chris LaCivita. CAPE PAC has a strong Web presence, with over 100,000 followers on Twitter and 50,000 on Facebook and its business model is to buy Google ads — about $290,000 worth, as of the end of June — to promote its network of candidate sites whenever people search for prominent GOP officials. A search for 'Mitt Romney,' for instance, often leads to two sponsored results: Romney's official site and CAPE PAC's mittromneyin2012.com. Once on a CAPE PAC site, users would have to notice fine print at either the top or bottom of the page revealing that they were not on the official page of their favored politician. A dozen donors, including some experienced Washington hands such as Neusner, had no idea they had contributed to the group before National Journal Daily contacted them. 'It confused me, and I do this for a living,' says Washington lobbyist Patrick Raffaniello. 'That's pretty sophisticated phishing.'"


A look at what information is collected but not much on how it is being used. Another “we had no idea” security breach.
EXCLUSIVE: The real source of Apple device IDs leaked by Anonymous last week
A small Florida publishing company says the million-record database of Apple gadget identifiers released last week by the hacker group Anonymous was stolen from its servers two weeks ago. The admission, delivered by the company’s CEO exclusively to NBC News, contradicts Anonymous' claim that the hacker group stole the data from an FBI agent's laptop in March.
Anonymous’ accusations garnered attention because they suggested that the FBI was using the unique gadget identifiers -- called UDIDs -- to engage in high-level spying on American citizens via their iPhones, iPads, and iPod Touch devices. The FBI denied the claim, last week, and when asked to comment for this story, referred to last week’s denial.
Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that technicians at his firm downloaded the data released by Anonymous and compared it to the company's own database. The analysis found a 98 percent correlation between the two datasets.
DeHart said an outside researcher named David Schuetz contacted his company last week and suggested the data might have come from Blue Toad. The company's forensic analysis then showed it had been stolen "in the past two weeks." He declined to provide further details, citing an ongoing investigation.
DeHart said he could not rule out the possibility that the data stolen from his company’s servers was shared with others, and eventually made its way onto an FBI computer. He also said that he doesn’t know who took the data.
The discovery of the theft casts serious doubt on Anonymous’ claims that the data came from the FBI, and was pilfered in March.
… "As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," Apple spokeswoman Trudy Mullter told NBC News on Monday. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer." [For instance, to register or to purchase something... Bob]
… DeHart said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit.
… The UDID -- which stands for Unique Device Identifier -- is present on Apple iPads, iPods and iPhones, and is similar to a serial number. During the past year, researchers have found that many app developers have used the UDID to help keep track of their users, storing the data in various databases and often associating it with other personal information. When matched with other information, the UDID can be used to track users' app usage, social media usage or location. It could also be used to "push" potentially dangerous applications onto users' Apple gadgets.
… There is no way for users to check to see if their UDID information has been collected by Blue Toad, DeHart said. He recommended that concerned Apple users visit websites that have created search engines where users can see if their UDID is in the data dump, such as this one. But he said consumers should not overreact to news of the leak.
… Updating is important because, seeing the potential privacy issues, Apple earlier this year advised developers to discontinue use of the UDID to track users. Blue Toad no longer uses UDIDs [Yet these are still available online? Bob] in its software, DeHart said, and updated versions of its software don’t collect it.
Aldo Cortesi, a security researcher who has been crusading against use of UDIDs for some time, disagreed with DeHart and said the release of the data represents a great risk to users. Cortesi has previously used UDIDs to log into consumers’ gaming accounts, access contact lists, and connect the ID numbers to real identities. He was then able to hijack device owners’ Twitter and Facebook accounts.


I guess they don't like the Superbowl ads? Interesting what Go Daddy does and does not know...
Go Daddy says client Web sites back up
Web sites serviced by Web hosting and domain registrar Go Daddy were back online early this evening after being down for much of the work day, a company spokeswoman told CNET.
"All services are restored and at no time was sensitive customer information, such as credit card data, passwords, names, addresses, ever compromised," Go Daddy spokeswoman Elizabeth Driscoll said in a phone interview just before 5 p.m. PT. She said the company does not know at this time exactly what caused the outage and she couldn't say exactly how many sites were affected.


No security? Quite possible as many naming conventions use easily “guessed” names, like the docket number, to organize their web pages.
Hacker suspected of stealing scores of court documents claims no hacking required to access files
September 10, 2012 by admin
Eli Senyor and Maor Buchnik report:
The police have arrested Moshe Halevi, 40, from Acre, for allegedly hacking into one of the Israeli courts’ databases and accessing thousands of case files, some of which contain classified information.
Two additional suspects were arrested as well. One of the suspects, Attorney Boaz Guttman, is a former high-ranking police officer with the National Fraud Unit.
Read more on ynet.
But was it really hacking or just sloppy security on the court’s web site? The reporters note:
Halevi, who was in trouble with the law in the past over similar offences, denied being involved in any illegal hacking and was quick to blame the courts’ website administrator:
“I didn’t hack any database. All I did was go on the website. I accessed the files with my ID number – I didn’t use anything.
“Documents from the Anat Kam and the Holyland cases were open and the court records had the full name of the State witness,” he said.
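The commentary above makes the point that a predictable locator such as a docket number is not access control. The Python below is an added illustration, not part of the ynet report or of the court's own system: the case files, party identifiers and session store are constructed for the example. The weak lookup trusts whatever ID number the visitor types; the hardened one resolves identity from a server-side session and checks it against the record before returning anything.

```python
import secrets
from typing import Dict, Optional

# Constructed sample case files keyed by docket number (not real court records).
DOCUMENTS: Dict[str, dict] = {
    "2012-0001": {"sealed": False, "parties": {"id-1001"}, "body": "public filing"},
    "2012-0002": {"sealed": True, "parties": {"id-3003"}, "body": "sealed filing naming a witness"},
}

# Server-side session store, opaque token -> verified identity. Constructed;
# a real system would populate it only after the user has authenticated.
SESSIONS: Dict[str, str] = {}


def login(identity: str) -> str:
    """Issue an unguessable session token bound server-side to the identity."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = identity
    return token


def fetch_trusting_typed_id(docket_no: str, typed_id: str) -> Optional[str]:
    """The weak pattern: the ID number is whatever the visitor typed, so the
    check passes for anyone who knows a party's number. Nothing here proves
    the visitor is that party."""
    doc = DOCUMENTS.get(docket_no)
    if doc is None:
        return None
    if doc["sealed"] and typed_id not in doc["parties"]:
        return None
    return doc["body"]


def fetch_with_authorization(docket_no: str, token: Optional[str]) -> Optional[str]:
    """Hardened: identity comes from the session, and every sealed record is
    checked against it. The docket number is only a locator, never a credential."""
    doc = DOCUMENTS.get(docket_no)
    if doc is None:
        return None
    if not doc["sealed"]:
        return doc["body"]
    identity = SESSIONS.get(token) if token else None
    if identity is None or identity not in doc["parties"]:
        return None  # same answer as "not found", so a listing leaks nothing
    return doc["body"]


if __name__ == "__main__":
    # Weak: the sealed body comes back for anyone who types a party's number.
    print(fetch_trusting_typed_id("2012-0002", "id-3003"))
    # Hardened: no session, or the wrong party, gets nothing; the real party does.
    print(fetch_with_authorization("2012-0002", None))
    print(fetch_with_authorization("2012-0002", login("id-1001")))
    print(fetch_with_authorization("2012-0002", login("id-3003")))
```

Random, non-sequential document handles would make enumeration harder, but they only raise the cost of guessing; the per-request authorization check is what actually decides who sees a sealed file, and it has to run whether or not the visitor arrived at a guessable URL.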


Interesting comments. Probably enough here for a Privacy article...
"I'm a mobile developer at a startup. My experience is in building user-facing applications, but in this case, a component of an app I'm building involves observing and collecting certain pieces of user information and then storing them in a web service. This is for purposes of analysis and ultimately functionality, not persistence. This would include some obvious items like names and e-mail addresses, and some less obvious items involving user behavior. We aim to be completely transparent and honest about what it is we're collecting by way of our privacy disclosure. I'm an experienced developer, and I'm aware of a handful of considerations (e.g., the need to hash personal identifiers stored remotely), but I've seen quite a few startups caught with their pants down on security/privacy of what they've collected — and I'd like to avoid it to the degree reasonably possible given we can't afford to hire an expert on the topic. I'm seeking input from the community on best-practices for data collection and the remote storage of personal (not social security numbers, but names and birthdays) information. How would you like information collected about you to be stored? If you could write your own privacy policy, what would it contain? To be clear, I'm not requesting stack or infrastructural recommendations."
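The question above mentions hashing personal identifiers stored remotely. The Python below is added here as an illustration and is not part of the Slashdot post or of any product: it shows why an unkeyed hash of an e-mail address is still matchable by re-hashing plausible inputs, how a keyed HMAC pseudonym keeps records linkable for analysis without that weakness, and what a minimized record (pseudonym plus age bucket instead of name plus birthday) looks like. The e-mail addresses, the in-memory key and the record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample inputs for this example only (not real users).
SAMPLE_EMAILS = ["Alice@Example.com", "bob@example.org", "carol@example.net"]

# Assumption: in production this key comes from a secrets manager or KMS and
# is never stored beside the data it protects; here it is generated in memory.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Canonicalize so the same mailbox always yields the same identifier."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone holding the digest can
    re-hash candidate addresses and match them, so it is not anonymization."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def pseudonymize(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256. Still deterministic under one key (records stay
    linkable for analysis), but without the key the digest cannot be
    recomputed from a guess."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def recover_from_guesses(digest: str, candidates: Iterable[str],
                         hash_fn: Callable[[str], str]) -> Optional[str]:
    """Defender-side check: can this stored digest be matched by hashing a
    list of plausible addresses with a function an outsider could run?"""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), digest):
            return normalize_email(candidate)
    return None


def minimized_record(email: str, birth_year: int, event: str, now_year: int = 2012) -> dict:
    """Store only what the analysis needs: a keyed pseudonym instead of the
    address, a ten-year age bucket instead of the birthday, and the event."""
    age = now_year - birth_year
    low = (age // 10) * 10
    return {"user": pseudonymize(email), "age_bucket": f"{low}-{low + 9}", "event": event}


if __name__ == "__main__":
    stored = plain_hash("alice@example.com")
    print("plain hash matched from guesses:",
          recover_from_guesses(stored, SAMPLE_EMAILS, plain_hash))
    stored = pseudonymize("alice@example.com")
    print("keyed pseudonym matched from guesses:",
          recover_from_guesses(stored, SAMPLE_EMAILS, plain_hash))
    print(minimized_record("Alice@Example.com", 1985, "opened_settings"))
```

The keyed pseudonym only helps if the key is stored apart from the records and is rotated on a compromise; if the key ships in the app or sits in the same database, it degrades to the plain-hash case. Which fields to keep at all is the other half of the answer: an age bucket supports most analysis a birthday would, and cannot be turned back into one.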


I will be interested in hearing their “justification” for this one...
Judge won’t dismiss lawsuit accusing Minnesota school of demanding sixth-grader’s Facebook password
September 11, 2012 by Dissent
A lawsuit filed in March against Minnewaska Area Schools has survived a motion to dismiss. Bailey McGowan of the Student Press Law Center reports:
Judge Michael Davis’ Thursday decision lets the student, identified in court documents as R.S., continue with her complaint arguing that the school violated her First Amendment right to free speech and Fourth Amendment right to be free from unreasonable search and seizure.

(Related) It's not wrong, but it sure is sneaky.
Why is Georgia Secretly Giving Student Test Scores to Military Recruiters?
September 10, 2012 by Dissent
Azaden Shahshahani reports:
In 2006, Marlyn, a mother who lives in Gwinnett County with her children, was surprised to hear that her son Kyle, a senior at Brookwood High School, had taken the ASVAB test. ASVAB or the Armed Services Vocational Aptitude Battery test is the military’s entrance exam, given to recruits to determine their aptitude for military occupations. Marlyn does not recall consenting to her son’s taking of the test or for the results to be sent to military recruiters. Her son did not know either that the results would be sent to recruiters. Kyle was subsequently contacted by recruiters and Marlyn had a tough time getting them to stop once Kyle had made a college selection.
Marlyn and Kyle are certainly not alone. In fact, Georgia’s record in terms of protecting the privacy of students who take the ASVAB test has gotten even worse over the years.
Read more on CounterPunch.


Can they make a tactical nuke that small? (Have they asked the CIA?)
Army Wants Tiny Suicidal Drone to Kill From 6 Miles Away
Killer drones just keep getting smaller. The Army wants to know how prepared its defense-industry partners are to build what it calls a “Lethal Miniature Aerial Munition System.” It’s for when the Army needs someone dead from up to six miles away in 30 minutes or less.
How small will the new mini-drone be? The Army’s less concerned about size than it is about the drone’s weight, according to a recent pre-solicitation for businesses potentially interested in building the thing. The whole system — drone, warhead and launch device — has to weigh under five pounds. An operator should be able to carry the future Lethal Miniature Aerial Munition System, already given the acronym LMAMS, in a backpack and be able to set it up to fly within two minutes.


Because a picture is worth 1000 bytes...
