D.B. Hebbard reports:
If
WikiLeaks wanted to cause itself irreparable damage, it could not have done
worse than to publish a huge dump of emails, some of which contain personal
information such as passport or social security numbers, or credit card
information.
The organization, which usually gets support from the tech and liberal
media, is getting hammered for its poor judgement. The source of the emails is also
controversial, as the hack may involve a Russian hacker.
The 19,252 emails come from the
in-boxes of seven DNC employees, including Communications Director Luis Miranda
and National Finance Director Jordan Kaplan, but a search of several known
names deeper inside the organization turned up nothing (which shows you just how
easy it is to run up the number of emails coming and going through an
organization).
Most of the donor notifications
include the name, address, phone number, email address, occupation, payment
type, and partial account numbers of the donor. The emails even include the IP address that
the donation was sent from, along with the type of computer and browser that
was being used at the time.
The source being a Russian hacker wouldn’t concern me, but
the dumping of data without screening to redact some PII does, and this is not the first time WikiLeaks has done this.
We saw it with the Sony hack email dump, and
we’ve seen it with other data dumps.
I understand that there are those who want to get stolen
or hacked data of political import out there. But perhaps they might consider using a more
responsible organization and system such as REVEAL
(formerly known as the Center for Investigative Reporting).
Yet another breach where a simple Google search found the
vulnerability.
Hacker steals 1.6 million accounts from top mobile game's
forum
A hacker has targeted the official forum for popular
mobile game "Clash of Kings," making off with close to 1.6 million
accounts.
The hack was carried out on July 14 by a hacker, who wants
to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com,
which allows users to search their usernames and email addresses in a wealth of
stolen and hacked data.
In a sample given to ZDNet, the database contains (among
other things) usernames, email addresses, IP addresses (which can often
determine the user's location), device identifiers, as well as Facebook data
and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed
and salted.
… The hack took
advantage of the company's lax approach to user security, such as failing to
use basic HTTPS website encryption.
The hacker exploited a known weakness in the forum's software, an older version of vBulletin, which dates back to late 2013. The version in question is vulnerable to a number of serious security flaws, which can be exploited with tools found readily online.
One of the LeakedSource members told me that the hacker
actively sought out sites running vulnerable, out-of-date forum software, using
a technique known as "Google dorking," which uses search engines to
find sites running potentially vulnerable software and insecure configurations.
The "Clash of Kings" forum was one of the
largest that shows up in the search.
"At this point, any unpatched vBulletin 4 forum with
over 100,000 users is probably hacked," the member said.
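The dorking described above works because forum software advertises its own version in the page it serves; the same signal lets a defender check what a forum is telling the world before an attacker's search turns it up. The following is an added example, not code from the ZDNet report, LeakedSource or vBulletin. It assumes the page carries a `generator` meta tag or a "Powered by vBulletin Version x.y.z" footer, which vBulletin installs commonly emit; the HTML fragments, the version numbers in them and the "vetted minimum" are all constructed for illustration and say nothing about the version the "Clash of Kings" forum ran.

```python
"""Fingerprint the vBulletin version a forum page advertises and flag it if it
is below a version you have vetted against the vendor's release notes.

Added example; sample HTML is constructed, not captured from any real forum.
A search-engine query of the kind the article calls "dorking" looks for the
same footer string, e.g.  intext:"Powered by vBulletin"  (illustrative).
"""
import re

# Constructed page fragments in the shape vBulletin 4 installs commonly emit.
SAMPLE_OUTDATED = """<html><head>
<meta name="generator" content="vBulletin 4.2.2" />
<title>Forum</title></head><body>
<div id="footer_copyright">Powered by vBulletin&reg; Version 4.2.2</div>
</body></html>"""

SAMPLE_FOOTER_ONLY = "<html><body>Powered by vBulletin&reg; Version 4.2.5</body></html>"

SAMPLE_UNVERSIONED = "<html><body>Welcome to our forum</body></html>"

# Two places the version shows up: the generator meta tag and the footer.
VERSION_PATTERNS = [
    re.compile(r'name=["\']generator["\']\s+content=["\']vBulletin\s+([\d.]+)', re.I),
    re.compile(r'Powered by vBulletin(?:&reg;|®)?\s+Version\s+([\d.]+)', re.I),
]


def vbulletin_version(html: str):
    """Return the advertised version as a tuple of ints, or None if none is found."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(html)
        if match:
            return tuple(int(part) for part in match.group(1).strip(".").split("."))
    return None


def is_outdated(version, minimum) -> bool:
    """True when an advertised version is older than the minimum you have vetted.
    Tuple comparison handles (4, 2, 2) < (4, 2, 10) correctly, unlike string comparison."""
    return version is not None and version < minimum


def assess(html: str, minimum: tuple) -> str:
    """Human-readable verdict for one fetched page body."""
    version = vbulletin_version(html)
    if version is None:
        return "no vBulletin version advertised"
    label = ".".join(map(str, version))
    if is_outdated(version, minimum):
        return f"vBulletin {label}: older than vetted minimum, patch or upgrade"
    return f"vBulletin {label}: at or above vetted minimum"


if __name__ == "__main__":
    # (4, 2, 3) is a placeholder threshold, not a statement about any real fix.
    for page in (SAMPLE_OUTDATED, SAMPLE_FOOTER_ONLY, SAMPLE_UNVERSIONED):
        print(assess(page, (4, 2, 3)))
```

Run it against your own forum's front page body (fetched over HTTPS) and treat a hit as a reason to check the vendor's release notes; a page that advertises no version is not evidence that it is patched, only that it is quieter.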
Update. How would
this have been handled in the US? Still
think only governments can wage cyberwar?
Martin Evans reports:
A teenage computer hacker who
shut down government networks across the world and sent bomb threats to US
airlines from his bedroom, has walked free from court.
The 16-year-old from Plympton in
Devon, began hacking the sites of organisations and governments he disagreed
with when he was just 14.
Using a laptop computer in his
bedroom, the schoolboy, who cannot be named for legal reasons, caused chaos
targeting Iraq’s ministry of foreign affairs, the department of agriculture
in Thailand and China’s security ministry.
He also crashed computers in the
Japanese town of Taiji, where an annual dolphin hunt takes place, and launched
a cyber-attack on the SeaWorld theme park in Florida, costing it almost half a million pounds.
Read more on The Telegraph.
Privacy is a victim of a drive by?
Joe Cadillic writes:
DHS and the Dept. of
Transportation are using ‘Bluetooth
detectors’ to spy on motorists and pedestrians.
Beginning in late 2007 the
University of Maryland, with support from the Maryland SHA, developed an
anonymous probe technique to monitor the travel time on highways and
arterials based on signals available from the point‐to‐point
networking protocol commonly referred to as Bluetooth.
If you guessed DHS is involved
in Bluetooth spying, give yourself a gold star. Click here, here & here to find out
more.
According to Gainesville.com,
motorists probably have no idea the government (DHS) is secretly
reading information on their cell phones, tablets, headphones.
Read more on MassPrivateI.
[From the
article:
According to Michael Robertson, "sensors
that re-identify vehicles specifically." Some examples given are
"electronic toll tag transponders, cell-phone tracking, license plate
reading, Bluetooth sniffing, magnetic signatures, (and) video tracking."
The DOT admits Bluetooth detectors can be used to identify
anyone...
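The "anonymous probe technique" above only needs two roadside sensors to see the same Bluetooth address: the difference between the two sightings is the travel time. The identifier that makes the match work is the same one that re-identifies the device, which is where the privacy question comes from. The following is an added example, not code from the University of Maryland, the Maryland SHA, DOT or the MassPrivateI post. It shows the matching step, first storing the raw address and then storing a keyed, per-day pseudonym instead; the pseudonymization scheme is this example's own mitigation, not a description of what any deployed system does, and the detections, addresses and master key are constructed.

```python
"""Bluetooth probe matching for travel time, with raw addresses and with
keyed, daily-rotated pseudonyms.

Added example; all detections and keys are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime

# Constructed sightings: (sensor, address seen over the air, ISO-8601 timestamp).
SAMPLE_DETECTIONS = [
    ("upstream",   "AA:BB:CC:11:22:33", "2016-07-22T08:00:00"),
    ("upstream",   "AA:BB:CC:44:55:66", "2016-07-22T08:00:30"),
    ("upstream",   "AA:BB:CC:77:88:99", "2016-07-22T08:01:00"),
    ("downstream", "AA:BB:CC:11:22:33", "2016-07-22T08:06:00"),
    ("downstream", "AA:BB:CC:44:55:66", "2016-07-22T08:07:30"),
    # The third device never reaches the downstream sensor: no travel time.
]

MAX_TRAVEL_SECONDS = 3600          # drop matches that cannot be the same trip
MASTER_KEY = b"constructed-master-key-keep-this-offline"   # placeholder secret


def period_key(master_key: bytes, timestamp: str) -> bytes:
    """Derive a per-day key, so tokens from different days cannot be linked
    without the master key. The day is the first 10 characters of the ISO stamp."""
    return hmac.new(master_key, timestamp[:10].encode(), hashlib.sha256).digest()


def pseudonym(address: str, master_key: bytes, timestamp: str) -> str:
    """Keyed, truncated HMAC of the address. A plain unkeyed hash of a MAC is
    not anonymous: the 2^48 address space can simply be enumerated and hashed."""
    key = period_key(master_key, timestamp)
    return hmac.new(key, address.upper().encode(), hashlib.sha256).hexdigest()[:16]


def travel_times(detections, identify):
    """Match each device's first upstream sighting to its first later
    downstream sighting. `identify(address, timestamp)` returns whatever
    identifier the system actually stores for the sighting."""
    first_seen = {}                 # identifier -> upstream datetime
    times = {}                      # identifier -> travel time in seconds
    for sensor, address, ts in sorted(detections, key=lambda d: d[2]):
        ident = identify(address, ts)
        when = datetime.fromisoformat(ts)
        if sensor == "upstream":
            first_seen.setdefault(ident, when)
        elif ident in first_seen and ident not in times:
            delta = (when - first_seen[ident]).total_seconds()
            if 0 < delta <= MAX_TRAVEL_SECONDS:
                times[ident] = delta
    return times


def raw_report(detections=SAMPLE_DETECTIONS):
    """What gets stored when the raw address is the key: a persistent identifier."""
    return travel_times(detections, lambda address, ts: address.upper())


def pseudonymous_report(detections=SAMPLE_DETECTIONS, master_key=MASTER_KEY):
    """Same travel times, keyed by a token that changes every day."""
    return travel_times(detections, lambda address, ts: pseudonym(address, master_key, ts))


if __name__ == "__main__":
    print("raw:", raw_report())
    print("pseudonymous:", pseudonymous_report())
```

Both reports carry the same travel times; only the raw one carries something that can be joined against any other dataset that ever recorded the same device. The keyed token still links sightings within a day, which is exactly what the travel-time calculation needs, and nothing more.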
This could be amusing.
Judge Orders Yahoo to Explain How It Recovered ‘Deleted’
Emails in Drugs Case
A judge has ordered Yahoo to present a witness and provide
documents explaining how the company handles supposedly deleted emails.
The move comes in the appeal case of a drug trafficker who
was convicted, in part, because of emails Yahoo provided to law enforcement
that conspirators believed had been deleted.
Defense lawyers in the case claim that six months of
deleted emails were recovered—something which Yahoo's policies state is not possible. The defense therefore speculates that the
emails may have instead been collected by real-time interception or an NSA
surveillance program.
United States Magistrate Judge Maria-Elena James, from a
San Francisco court, granted the defense's motion for discovery in an order
filed on Wednesday.
The case revolves around Russell Knaggs, from Yorkshire,
England, and a single Yahoo mail account. In 2009, Knaggs orchestrated a plan to import
five tonnes of cocaine from South America. At the time, Knaggs was already serving a
16-year prison sentence for another drug crime.
As part of the operation, a collaborator in Colombia would
log into the email account “slimjim25@ymail.com” and write a draft email. An accomplice based in Europe would then read
the message, delete it from both the “draft” and “trash” folders, and write his
own draft, in an effort not to leave behind any messages that could later be
read by law enforcement.
The defense alleges there should have been nothing for law
enforcement to find
Sukhdev Thumber, a solicitor representing Knaggs in the UK
proceedings, previously told Motherboard that the pair would sometimes
simply remove the text in the draft with the backspace key, rather than deleting
the email. Knaggs didn't actually use
the account himself.
WWPD (What will Putin do?) Is Google more powerful than the FSB?
Shaun Waterman reports:
U.S.-based tech giants appear set to silently ignore new Russian laws
requiring them to hand over encryption keys for internet
communications to state security agencies, those tracking the issue tell
FedScoop.
Only two encryption providers
appear to have publicly responded to the new legislation, known as
“Yarovaya law,” after the hardline lawmaker responsible for drafting it. One virtual private
network provider, Private
Internet Access, announced they were leaving Russia, while another,
NordVPN, doubled down on their presence there, according to interviews and
public statements.
Read more on FedScoop.
Never say clearly what you can interpret however you want
later?
Civil Rights Office Issues Ransomware Guidance
… Ransomware
attacks have risen from about 1,000 a day last year to 4,000 a day this year,
Symantec has reported.
Many of those attacks are for small change, but some of
the larger ones have been directed at healthcare providers.
… The U.S. Health
and Human Services Department's Office for Civil Rights, which enforces
compliance with the Health Insurance Portability and Accountability Act, better
known as "HIPAA," has released new guidance for healthcare
organizations on ransomware
… "This OCR
guidance clearly says that chances are that if you're infected with ransomware,
it's likely a reportable breach unless
there are mitigating circumstances," Kim said. "Healthcare organizations know now that
if ransomware encrypts PHI (protected health information), it's likely you'll have to report it." [A clear and unequivocal “maybe.” Bob]
… The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
(Related) Make a
rule that is more like a suggestion. “We
don’t really want to block all those calls from politicians…”
FCC chief pushes phone companies to offer free robocall
blocking
The chairman of the Federal Communications Commission on
Friday told phone companies that they should start providing free technology
for their customers to block robocalls and spam texts.
“I strongly
urge you to offer your customers robust call blocking at no cost,”
Chairman Tom Wheeler wrote in letters to companies providing both wireless and
wired phone service, urging them to move immediately “to ensure consumers have
the tools necessary to block these unwanted calls.”
For my Computer Security students.
Auto makers' ISAC out with cyber best practices guide
The Information Sharing and Analysis Council for the motor
vehicle industry published a set of cybersecurity best practices Thursday.
The Auto-ISAC guidance recommends
a fairly standard set of precautions — baking in security at the earliest
stages of software development; standardized risk management procedures;
proactive network defenses; and incident response planning, among others.
"It's a high-level document," said Jon
Allen, a principal at Booz Allen Hamilton and acting executive director of
the Auto-ISAC.
He said there would be more detailed
"playbooks," bearing down on individual areas such as risk
management. "This is what the industry
needs to focus on as it prepares the playbooks," he said.
When your Wikipedia page is likely to be analyzed, bring
in the professional obfuscators?
Is Wikipedia Foreshadowing Clinton's Vice-Presidential Pick?
… Tom Vilsack, the
U.S. Secretary of Agriculture and one of two candidates on Clinton’s reported
shortlist, saw about 30 edits to
his page this week. Most of them were
just to clean up information already on his page, and they came from registered
Wikipedia users.
The Wikipedia page of Virginia Senator Tim Kaine, on the
other hand, has seen 62 edits on Friday
alone. There have been almost 90
edits over the past week. Many of them
originate from a user called Neutrality, a longtime Wikipedia editor who has
made more than 110,000 edits to the encyclopedia. Other minor edits come from two IP addresses
not associated with Wikipedia users, appearing to originate respectively from
Hicksville, New York, and the borough of Queens in New York City. Another user registered as a Wikipedia editor
(and thus impossible to geographically track) added paragraphs about
Kaine’s experience as mayor of Richmond and his energy policies.
In short, Kaine’s page has seen significantly more
Wikipedia edits than any other candidate’s.
More on the hottest thing since the last hot thing?
'Pokémon GO' Claims Twice The Daily Use Of Facebook, Most
First-Week Downloads On iOS
I had taken a break reporting on Pokémon GO
simply because I didn’t think the statistics could get any more staggering. Clearly I was wrong! Pokémon GO isn’t going to topple
Facebook’s massive user base any time soon, but it has snagged quite
the user engagement victory. On a daily
basis, the insanely popular app from Niantic Labs is being used twice as
much as the Facebook app on Android. This is honestly something I thought would be
inconceivable in a world where we’re tethered to our phones and addicted to
social media updates.
A new report gathered from 7Park Data — pulled from a
multi-million panel of anonymous U.S. Android users – shows that
during its first week, Pokémon GO users spent 75 minutes per day playing, versus only
35 minutes on the Facebook app. Beyond that, there’s another statistic
that may give YouTube and Snapchat executives pause. When comparing daily usage the week before and
the week after Pokémon GO’s release, 7Park Data discovered that
Niantic’s hit caused daily usage for said apps to drop by 9% and 18%,
respectively.
(Related) It looks
far too complicated for me.
A beginner's guide: How to play 'Pokémon Go'
The older I get, the less concerned I am about looking
foolish.
Modobag Lets You Zoom Around Airports While People Point and
Laugh
… The Modobag
isn't available yet, but you can pre-order one via its Indiegogo
campaign for the very high price of $995. Did I mention the luggage's companion app will
cost $69? Oh, and just one other small issue: you'll look like a total tool as
you tool around the terminal.
I look forward to this, every Saturday.
Hack Education Weekly News
… Via
The Chicago Tribune: “Gov. Bruce Rauner once told some of Chicago‘s
wealthiest and most influential civic leaders that half of Chicago Public
Schools’ teachers ‘are virtually illiterate’ and half of the
city’s principals are ‘incompetent,’ according to emails Mayor Rahm
Emanuel’s administration released Thursday under a court order.”
… Amazon
announced
that it is partnering with Wells Fargo to offer student
loans – Amazon Prime Student subscribers will be eligible for half a
percentage point reduction on their interest rate for private student loans. (As I’ve stated
elsewhere, private student loans and the expansion of “fintech” into education
is one of the most important ed-tech trends to watch, although you wouldn’t
know it if you only read those ed-tech publications that downplay VCs’ interest
in the private loan market.) Here’s
Inside Higher Ed on the news, which notes that consumer advocates are
concerned about the offering. No
surprise, as last
year the CFPB investigated the bank’s student loan
practices. As
US News & World Report reports, “Wells Fargo, one of the largest
private student loan lenders that services more than 1 million borrowers,
received the fourth most complaints out of all private student loan servicers,
according to a 2015 report from the Consumer Financial Protection Bureau.”
… Via
The Washington Post: “Pokémon Go sparks concern about
children’s privacy.”
… “What Could Go
Wrong With Asking Teachers To Monitor Kids for ‘Extremist’ Beliefs?”
asks
the ACLU.