Tools & Techniques for my Ethical Hackers
A very common error in security design: the server checks that the caller has a valid token, but not that the token's owner is allowed to see the record they asked for.
paganinip posts:
Security researcher Dan Melamed has found a serious Pinterest exploit that exposed users' information on over 70 million accounts.
The security researcher Dan Melamed has found a critical Pinterest exploit that compromised the privacy of over 70 million users: the flaw allows hackers to view the email address of any user on Pinterest.
Dan has found a way to access the information belonging to the owner of the access token; as the researcher has shown, it is possible to display it by visiting the following URL.
Substituting the “/me/” part of the link with the username of another Pinterest user, it is possible to view that user's email address.
Read more on SecurityAffairs.co.
The exploit has already been patched, and it sounds like
Pinterest responded appropriately to notification of the problem.
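The bug pattern described above is an insecure direct object reference: the endpoint authenticates the bearer of the access token and then trusts whatever username appears in the path. The following is an added illustration, not Pinterest's code and not from SecurityAffairs; the route shape `/users/<username>/` (with `me` as an alias for the token owner), the in-memory user table, the token table and the account names are all hypothetical. It shows a handler with that flaw next to one that makes the authorization decision on the resolved target and filters private fields for anyone else.

```python
"""Toy user-info endpoint: vulnerable (IDOR) handler beside a fixed one.

Added example. Everything here is hypothetical: the route layout, the token
format and the user records are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; none of these accounts or tokens are real.
USERS = {
    "alice": {"username": "alice", "email": "alice@example.com", "bio": "Hi"},
    "bob":   {"username": "bob",   "email": "bob@example.com",   "bio": "Yo"},
}
# access token -> username it was issued to (constructed)
TOKENS = {
    "tok-alice-1": "alice",
    "tok-bob-1": "bob",
}

# Fields anyone with a valid token may see about another user.
PUBLIC_FIELDS = ("username", "bio")


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _owner_of(token: str) -> Optional[str]:
    """Resolve a bearer token to the username it was issued to (None if invalid)."""
    return TOKENS.get(token)


def _parse_username(path: str) -> Optional[str]:
    """Accept '/users/<name>' or '/users/<name>/'; return <name> or None."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "users" or not parts[1]:
        return None
    return parts[1]


def _resolve_target(path: str, token: str):
    """Shared front half: authenticate the token, then resolve the target user.

    Returns (caller, target, record) or an error Response. Note that 'me' is
    only an alias for the caller; the alias must be reserved so that no real
    account can register the username 'me'."""
    caller = _owner_of(token)
    if caller is None:
        return Response(401)
    target = _parse_username(path)
    if target is None:
        return Response(404)
    if target == "me":
        target = caller
    record = USERS.get(target)
    if record is None:
        return Response(404)
    return caller, target, record


def vulnerable_handler(path: str, token: str) -> Response:
    """Checks only that the token is valid, then trusts the path.

    '/users/me/' returns the caller's own record, but '/users/<anyone>/'
    returns that user's full record, email included: the flaw in the post."""
    resolved = _resolve_target(path, token)
    if isinstance(resolved, Response):
        return resolved
    _caller, _target, record = resolved
    return Response(200, dict(record))


def fixed_handler(path: str, token: str) -> Response:
    """Same route; private fields are returned only when the resolved target
    is the token owner. Any other valid caller gets the public subset."""
    resolved = _resolve_target(path, token)
    if isinstance(resolved, Response):
        return resolved
    caller, target, record = resolved
    if target == caller:
        return Response(200, dict(record))
    return Response(200, {k: record[k] for k in PUBLIC_FIELDS})


def leaked_email(handler, attacker_token: str, victim: str) -> Optional[str]:
    """Return the victim's email if `handler` exposes it to the attacker, else None."""
    resp = handler(f"/users/{victim}/", attacker_token)
    if resp.status != 200 or resp.body is None:
        return None
    return resp.body.get("email")


if __name__ == "__main__":
    # alice's token asking for bob's record
    print("vulnerable:", leaked_email(vulnerable_handler, "tok-alice-1", "bob"))
    print("fixed:     ", leaked_email(fixed_handler, "tok-alice-1", "bob"))
```

The point of the split into `_resolve_target` and the two handlers is that the authorization check belongs after aliases like `me` have been resolved, on the concrete object being returned, and that the check compares the target against the identity bound to the token rather than against anything the client supplied in the request.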
(Related) ...although this looks deliberate. Note that the metadata (the filename of the filing) revealed this information, not the content of the letter.
Discover and American
Express often submit copies of their breach notification
letters to cardmembers to state attorneys general. Their letters,
however, generally do not include the name of a breached merchant, so
it is often difficult to know what to make of their submissions. But
one particular American Express notification, submitted to California
last week, caught my attention. Their letter states:
A company that provides payment processing services to numerous merchants has informed us that there has been unauthorized access to its processing system. As a result, account information of some of our Cardmembers, including some of your account information, may have been improperly accessed.
The breach occurred on
January 15, according to the date American Express reported to
California. But which payment processing services provider and what
happened – and when did the provider discover the breach? AmEx
reported to California that the breach was discovered on August 23,
but I suspect this means that they first learned of the
breach on August 23 and that is not when the breached entity learned
of the breach.
From the filename AmEx
used for its notification letter
(“Celerant-C2013068451%20CA%20Customer%20Letter_0.pdf”) and the
description saying “Celerant customer letter” (see screen shot
taken from the California Attorney General’s web site), the breach
appears to have been at Celerant Technology Corporation:
Celerant is a certified
provider of retail payment processing software. On its web site, it
states:
Celerant offers a multichannel, retail software solution for numerous retail industries, including apparel, footwear, sporting goods, furniture, specialty, gifts, convenience and more. With over 450 clients primarily within the United States, Canada, Europe and the Middle East, our retail system provides an all-in-one solution for retailers selling via brick and mortar stores and on the web.
DataBreaches.net has
sent two emails to Celerant since Friday requesting confirmation and
information on the breach, but has received no response as yet. I
will provide an update when more information becomes available.
For my law geeks...
Jeffrey Brown of CybercrimeReview.com points readers to an upcoming article in the University of Pennsylvania Journal of Constitutional Law. Here’s the abstract of “The Fourth Amendment Implications of the Government’s Use of Cell Tower Dumps in its Electronic Surveillance” by Brian Owsley:
Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound, including new surveillance methods by law enforcement.
…
Recently, the American Civil Liberties Union brought to light the
popular use of government surveillance of cell phones, including the
gathering of all cell phone numbers utilizing a specific cell site
location. Known as a “cell tower dump,” such procedures
essentially obtain all of the telephone number records from a
particular cell site tower for a given time period: “A tower dump
allows police to request the phone numbers of all phones that
connected to a specific tower within a given period of time.”
…
No federal statute directly addresses whether and how law
enforcement officers may seek a cell tower dump from cellular
telephone providers.
…
This article provides a brief description of cellular telephone and
cell-site technology in Part I. Next, Part II addresses the
evolution of Fourth Amendment jurisprudence and argues that the
reasonable expectation of privacy standard applies to electronic
surveillance such as cell tower dumps. In Part III, the discussion
follows the development of statutes addressing electronic
surveillance and argues that cell tower dumps request more
information than simply just telephone numbers. Part IV analyzes
records from both cellular service providers and the federal
government to conclude that cell tower dumps routinely occur. Part V
assesses the few decisions that even discuss cell tower dumps and
argues that the analysis is either non-existent or flawed regarding
the use of the Stored Communications Act to permit cell tower dumps.
Next, Part VI asserts that cell tower dumps cannot be analyzed
pursuant to the Stored Communications Act because the language of the
statute is inapplicable and the amount of information sought requires
a warrant based on probable cause and concludes by proposing some
protocols to safeguard individual privacy rights.
You can download the
article from SSRN.
Something for my
Ethical Hackers to override?
Police throughout the globe have been embarrassed to see online videos of their officers pepper spraying tied captives. In our age of mobile gadgets the pictures can be uploaded online in seconds, forcing supervisors to answer questions.
But now the police may not need to fear scrutiny anymore, because Apple has recently patented a piece of technology that would allow the authorities and police to block data transmission, including video and photos, whenever they like. All they need to do is decide that a public gathering or venue is deemed “sensitive” and needs to be protected from externalities. In this case Apple will enable them to switch off all its gear. The developers insist that the affected locations are normally cinemas, theaters and concert grounds, but Apple admits it could also be used in covert police or government operations that may need complete “blackout” conditions.
Read more on
VeteransToday.
Thanks to Joe Cadillic for the link.
And if law enforcement
or government activate this in a public demonstration/crowd
situation, how is this not a violation of First Amendment rights to
film public employees in the performance of their duties?
“You have a license
to drive and we want to know where you drive.” I suppose driving
with disabled trackers will be illegal.
California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.
Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.
The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints.
[Like the ones in Egypt? Bob]
Read more on Papers, Please!
Another step in our
march towards a national ID and total surveillance state, it seems.
Be sure to check the
credit score of anyone you want to “friend.” (Or Big Data will
get you!)
Facebook friends could change your credit score
A handful of tech
startups are using social data to determine the risk of lending to
people who have a difficult time accessing credit. Traditional
lenders rely heavily on credit scores like FICO, which look at
payments history. They typically steer clear of the
millions of people who don't have credit scores.
But some financial
lending companies have found that social connections
can be a good indicator of a person's creditworthiness.
One such company, Lenddo, determines if you're friends on Facebook (FB) with someone who was late paying back a loan to Lenddo. If so, that's bad news for you. It's even worse news if the delinquent friend is someone you frequently interact with.
Expect more hype and a
“3D Bubble” followed by a collapse.
Wall Street Wakes Up to 3D Printing, Predicts Massive Growth
Oh those poor lawyers...
Chelsea Allison reports:
In a long-awaited conclusion to Facebook’s “Sponsored Stories” class action saga, a federal judge gave final approval to a $20 million settlement Monday but took an axe to the $7.5 million in fees requested by plaintiffs attorneys.
The settlement approved by U.S. District Judge Richard Seeborg provides for each Facebook user who submitted a valid claim to receive $15, with remaining funds disbursed to 14 organizations focused on consumer protection, privacy and other issues raised in the suit. Facebook Inc. is also required to improve its disclosure practices, giving users more control over when and how their names and photos will be used. The company must also create special controls for minors.
Read more on Law.com.
I didn't say it. I
might have thought it, but I didn't say it.
Students Learn Less in States with Stronger Teachers' Unions
A 1-standard-deviation
rise in teachers' union dues per teacher is associated with
a 4% fall in student proficiency rates, according to
a study of 721 U.S. school districts in 42 states by Johnathan Lott
of the University of Chicago Law School and Lawrence W. Kenny of the
University of Florida. Dues support union lobbying, which typically
pushes for policies such as blocking merit pay and limiting the Teach
for America program. Consequently, student proficiency is lower in
states with stronger teacher unions, the researchers say.
Tools & Techniques
Something to review before you sign up.
– Many companies use dark pattern techniques to make it hard to find how to delete your online account. JustDelete.me is a website that aims to be a directory of URLs to enable you to easily find and delete your account from web services. All listed sites are colour-coded to indicate the difficulty level of account deletion. There is also additional info for each site, explaining how to proceed.
For my Smartphone toting students...
The best way to study
and review text is to highlight and annotate what you read, and two
of the most useful tools for doing this are the online and iPad
app, Diigo,
and the recently updated eHighlighter.
… Diigo provides you with tools to bookmark and annotate webpages, and to review, manage, and share your annotations in your Diigo account. All your highlights and notes get listed under the source link for each article. You can tag articles and group them into folders.
… If you’re like me and you still also read paper books, you probably know how laborious it can be to type and transcribe text from a book you’re reading. With an iPhone OCR app called eHighlighter ($4.99), you can actually take a photo of a page you’re reading in a book, mark the text you want to copy, and eHighlighter will, using OCR technology, translate that image capture into text.
Before you start
collecting highlights with eHighlighter, you can use the app to scan
the bar code of the book, and in turn the app will locate and
download the relevant information (title, author, publisher and
date). If the barcode is not available, you can do a manual search
in eHighlighter.
This is cool...
Lingualy Helps You Learn a Language While Browsing the Web
Lingualy is a free Google Chrome extension designed to help you learn a new language while browsing the web. With Lingualy installed, any time you come across a new word you can double-click on it to hear it pronounced, read a translation, and read a definition. The words that you double-click are added to your Lingualy account, where you can review them in a quiz format. Watch a short overview of Lingualy in the video below.
Lingualy supports English, Spanish, French, Hebrew, and Arabic. You could have students use Lingualy while reading news articles in the language that they're trying to learn. That would provide some current context for language lessons.
For my students. What does it say about America when Mad Magazine
can safely assume everyone knows what they are talking about here?