Thursday, April 28, 2016

Ah well, they’re politicians.  What do you expect?
A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was responsible for the leak on Amazon.  Except that as I read more, I realized they weren’t really admitting they were responsible for the leak.
I’ve been trying to read/translate a number of news stories on today’s developments, including the political party’s statement (ES).
From what I’m reading in their statement and from a number of sources, it seems like the Citizens Movement party is filing a criminal complaint against Chris Vickery, claiming he broke Amazon’s great security, or some such nonsense.  They write, in part:
Para hacer pública la información que estaba salvaguardada en los servidores de Amazon Web Services fue necesario violar las medidas de seguridad a través de métodos altamente especializados, característicos de hackers profesionales.
To be clear: Chris Vickery never hacked into the database.  Citizens Movement left port 27017 open, and so anyone and everyone could access it and download the voter data with no login required.  Amazon was not responsible for securing that database and Vickery didn’t break any security: there was no security, and that was Citizens Movement’s responsibility.
Trying to make it out that Vickery engaged in criminal conduct is a lame attempt on their part to deflect blame for their infosecurity failure.  It is especially lame in light of how appreciative Mexico INE has been of Vickery’s discovery and notification.


“Don’t put off until tomorrow that which you can secure today.” An ancient saying, I just made up.   
Nick Rummell reports that it’s not just affected customers suing Wendy’s after a data breach disclosed in February – the banks are suing, too:
A major data security breach at Wendy’s restaurants could have been easily prevented had the company acted faster, according to a class action filed on behalf of banks whose customers were affected by the breach.
The suit, filed in Federal Court in Pittsburgh on April 25 by First Choice Federal Credit Union, claims the fast-food chain “refused to take steps to adequately protect its computer systems from intrusion,” which led to a nearly five-month-long data breach where customer credit card information was stolen.
Read more on Courthouse News.


They must have something that convinced the judge he is probably guilty, right?  Or can they do this to anyone with an encrypted hard drive?  I keep a large boring file named “This is important” on my backup DVDs next to my encrypted files.  Then I re-encrypt everything.  I will gladly hand over that second encryption key and decrypting that file will prove that it worked.  Everything that still looks encrypted must be gibberish. 
David Kravets reports:
A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives.
The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes.  Instead, he remains indefinitely imprisoned in Philadelphia’s Federal Detention Center for refusing to unlock two drives encrypted with Apple’s FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices.  The man is to remain jailed “until such time that he fully complies” with the decryption order.
Read more on Ars Technica.


Legitimate porn?  Porn in the public interest? 
Journalism in the Age of Hulkamania
In March, 2016, a jury awarded wrestler Hulk Hogan $140 million in damages from a suit he brought against Gawker Media. In 2012, Gawker released a sex tape of Hogan and his friend and radio DJ Bubba Clem’s wife, which was taped by Bubba Clem, allegedly without Hogan’s knowledge.  Hogan claimed that the tape represented an invasion of his privacy by the press.  Gawker is appealing the decision.
Fabio Bertoni, the New Yorker’s general counsel, makes the argument that the decision against Gawker chips away at freedom of the press, largely by threatening editorial discretion about what is newsworthy and producing a chilling effect.  Sex tapes are considered newsworthy if they expose the hypocrisy of a public official or are in some other way relevant to public life.  The Hogan tape is not clearly newsworthy—but it’s not clearly not newsworthy, either.  It had been floating among news organizations for some time before Gawker decided to publish it, and Gawker editors have since backpedaled a bit from their decision.


Is it true that there was no mechanism to issue warrants to trash collectors? 
Erik Lacitis talks trash on Seattle Times:
Seattle’s ordinance allowing garbage collectors to look through people’s trash — to make sure food scraps aren’t going into the garbage — was declared “unconstitutional and void” Wednesday afternoon by King County Superior Court Judge Beth Andrus.
She entered an injunction against its enforcement.


Words are important.
Tim Cushing reports that not satisfied to rest on his laurels in the Really Bad Ideas Department, Rhode Island Attorney General Peter F. Kilmartin is behind a legislative proposal that amounts to a very bad state-level version of the federal hacking statute, CFAA.  Tim writes:
Here’s the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one’s authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov “law enforcement use only”
Read more on TechDirt.


I wonder if our Computer Security club would be interested in creating a similar database for Colorado?  Maybe just Denver?  Maybe just elected officials? 
Grace Dobush writes:
…. With the advent of global surveillance, “Our world is becoming better behaved, but perhaps less human,” said Tijmen Schep, creative director of the Dutch arts collective SETUP, which for the past two years has worked on building a national database of Dutch citizens based solely on open source data.
The initial point of the project – originally known as the National Birthday Calendar – was to create a provocative, interactive site that would know every Dutch citizen’s birthday and recommend gifts based on their personal preferences.  It became so easy to gather the information about people, and they collected so much that they began referring to it as the DIY NSA, a tongue-in-cheek reference to a do-it-yourself National Security Agency.

(Related) Should my Ethical Hacking students ignore these tools just because they can be used for evil?
Attackers Increasingly Abuse Open Source Security Tools
Instead of developing their own hacking tools or buying them from third parties, threat groups have increasingly turned their attention to open source security tools, Kaspersky Lab reported on Wednesday.
One such tool is the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser.  It allows pentesters to determine if the targeted environment is vulnerable by hooking the browser and using it to launch attacks.
BeEF enables attackers to monitor and profile the visitors of a website as it can deploy evercookies for persistent tracking, it can enumerate browsers and plugins, and obtain a list of domains visited by the victim.  In addition to tracking, it can also be used to find and exploit vulnerabilities.


Just because…
30 Insanely Useful Websites You Probably Don’t Know About


Because you never know when you may need to hack a computer.
5 Best Linux Distros for Installation on a USB Stick

No comments: