Another large breach? Easier to believe than 100 million individual phishing or social engineering successes. Looks like it’s going to be a record year.

Joseph Cox reports:

Accounts for over 100 million users of popular social media site VK.com are being traded on the digital underground. Breach notification site LeakedSource obtained the data and published an analysis on Sunday. The hacker known as Peace, meanwhile, listed the data for sale on a dark web marketplace.

[…]

Peace provided Motherboard with a dataset containing a total of 100,544,934 records, and LeakedSource provided a smaller sample for verification purposes. The data contains first and last names, email addresses, phone numbers and passwords.

Read more on Motherboard.
These data are apparently from a breach several years ago (circa 2011-2013). Earlier today, Motherboard updated its post to note that a VK spokesperson denied that the site had been breached:

“VK database hasn’t been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

That’s all well and good, except that if the data are up for sale now, they likely do contain some still-valid passwords despite any “compulsory” reset a few years ago.
Hacking for Art? An artistic hack? How easy would this be?

John Oliver is not just a brilliant comedian. Through his humor and segments, he often makes compelling points about our society – and in this case – medical privacy. Consumerist has a piece on how Oliver easily created his own medical debt collection firm, and thereby came into possession of many people’s medical information:

For a $50 fee, Oliver and his team registered their new debt-acquisition firm, Central Asset Recovery Professionals — CARP, named after the bottom-feeding fish — in Mississippi, complete with a website that was nothing more than the logo you see here.

“With little more to go on than that website,” says Oliver, “we were soon offered a portfolio of nearly $15 million of out-of-statute medical debt from Texas.”

The asking price was less than $60,000 for $14,922,261.76 in this zombie debt — or around $.004 for every dollar of debt owed. Purchasing the debt would give CARP the names, current addresses, Social Security numbers, and amount owed (or previously owed, as the statute of limitations had expired) for nearly 9,000 individuals.

What Oliver did next is an amazing act of kindness to people, but let’s not forget what he has demonstrated about the risks we face.
I wonder if Facebook would be interested in hiring one of my Computer Security students?

Mark Zuckerberg social media accounts get hijacked, hacker claims Facebook founder’s password was ‘dadada’

… While the social network creator’s Facebook page remained intact, Mark Zuckerberg’s Twitter and Pinterest accounts were hijacked by the hacker group OurMine Team on Sunday.

The group claiming responsibility for the high-profile hacking left a taunting message on both social media accounts.

“Hey @finkd, you were in Linkedin Database with the password ‘dadada’ !,” the team wrote from Zuckerberg’s Twitter page.

On his Pinterest, the new title was “Hacked by OurMine Team.”

In a deleted tweet, OurMine claimed it also breached Zuckerberg’s Instagram — which Facebook owns — claiming it was “just testing your security.”

Prior to the hack, Zuckerberg had not tweeted on his rival social network since January 2012.

…

Zuckerberg is the latest in a rash of recent celebrity hacks, with Tenacious D's Twitter falling victim to a death hoax on Sunday.

The week before, Katy Perry's Twitter was taken over, with the hacker sending a message to the "Roar" singer's rival, Taylor Swift, and releasing a never-before-heard song.
Now this would be fun! Perhaps I could interest the Computer Security club? We could install it in the state legislature as a demo. We could even rent it to Computer Security managers preparing their budgets. This would really grab senior management’s attention.

Liz Stinson reports:

If you’re connected to a wireless network, odds are high that little bits of data are trickling out of your device like water from a leaky faucet. “Our phones leak data in a bunch of different ways,” says artist Kyle McDonald. “Sometimes it’s really insidious or unexpected.”

Recently at Moogfest, a music and technology festival in Durham, N.C., McDonald, with the help of fellow artist Surya Mattu, created an installation called WiFi Whisperer that called attention to all that data your phone is giving away for free. As festivalgoers walked past the installation, the artwork grabbed insecure data and displayed it on monitors, while a hidden speaker whispered the stream of data—what networks you’ve recently connected to and websites you’ve visited, for example—like a creepy, demon-voiced Big Brother.

“It’s sort of like looking over someone’s shoulder,” says McDonald, “except you’re doing it without actually looking over their shoulder.”
Some interesting scholarship. I hope this gets completed.

State attorneys general have authority to enforce a number of federal privacy and data security statutes, and they may also have additional authority to protect privacy and data security under state law.

… Until now, however, there has been no academic scholarship on the role state attorneys general play in privacy and data security. Happily, that has now changed with an exploratory study by Danielle Citron, who shared her findings in a paper workshopped at the Privacy Law Scholars Conference this week.

Here’s the abstract of her paper:

Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources—first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.

Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcement pioneers where federal agencies have been more conservative or constrained by politics. Their local knowledge, specialization, multistate coordination, and broad legal authority have allowed them to experiment in ways that federal agencies cannot. These characteristics have enabled them to establish baseline fair information protections; expand the frontiers of privacy law to cover sexual intimacy and youth; and pursue enforcement actions that have harmonized privacy policy.

Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on informal agreements that lack law’s influence and a reluctance to issue closing letters identifying data practices that comply with the law. This article offers ways state attorneys general can function more effectively through informal and formal proceedings. It addresses concerns about the potential pile-up of enforcement activity, federal preemption, and the dormant Commerce Clause. It urges state enforcers to act more boldly in the face of certain shadowy data practices.

You can download a pre-publication version of the paper from SSRN.
Something my students are asking (since they will be the ones to program and secure them). Not sure this infographic has all the answers, but it hits a number of points worth discussing.

How Close Are We to Self-Driving Cars Being Available?
Creating Apps for fun and the Prophet? Expect someone to create an App that gathers information about users (potential terrorists?) for investigation and potential targeting.

ISIS's Mobile App Developers Are in Crisis Mode

When they say, “There’s an app for everything,” terror propaganda is no exception. In the past six months, the Islamic State (IS, ISIS, or Daesh) and its news agency, ‘Amaq, have officially developed at least six mobile apps, adding to a list of other apps created by the group’s supporters.

… Just when it seemed that IS had succeeded in creating a direct and uninterrupted method of linking to its followers, the group would show signs that its app operations had brought about new risks.

A notice disseminated officially by ‘Amaq on June 1—and subsequently by other social media channels—claimed that “dubious sources” were disseminating a fake version of the ‘Amaq app, purposed for “spying”:
Some arguments for not creating Apps?

Why Britain banned mobile apps

… So why did the GDS ban apps? It wasn’t because they weren’t technically savvy enough to build them.

Cost, he says. Apps are “very expensive to produce, and they’re very, very expensive to maintain because you have to keep updating them when there are software changes,”
Perhaps I should teach more Star Wars?

‘Chewbacca Mom’ Has Gotten $420,000 Worth of Gifts Since Facebook Video Went Viral

…

“Chewbacca Mom” is of course Candace Payne, the Wookiee-loving stay-at-home mom from Grand Prairie, Texas, whose claim to fame is the posting of a Facebook Live video in which she giggles joyfully and infectiously while wearing her new Chewbacca mask.

The video, posted on May 19, quickly became the most-watched Facebook Live video ever, and has been viewed more than 150 million times and counting. It’s also been shared more than 3 million times.

…

Kohl’s got plenty of free publicity thanks to Payne mentioning in her video that she purchased her Chewbacca mask there.

And Kohl’s returned the favor by showing up at Payne’s home with a collection of gifts, including dozens of toys, $2,500 in gift cards, and (of course) Chewbacca masks for her whole family so no one has to share.