Showing results for tags 'data'.
Found 135 results

  1. Government says hackers breached 30 computers and stole data from 10. Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country's military forces. The hack took place in October 2018. Local press reported this week[1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten. The breached organization is South Korea's Defense Acquisition Program Administration (DAPA), an agency part of the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country's next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack. Reports claim that hackers gained access to the server of a security program installed on all government computers. Named "Data Storage Prevention Solution," the app is installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. According to reports, hackers gained admin access to the software's server and used it to siphon documents from connected workstations. The country's intelligence agency (NIS, National Intelligence Service) investigated the breach in November and reported its findings to government officials, who disclosed the cyber-attack to the public this week. Government officials didn't pin the blame on North Korean hackers, as they usually do, although it wouldn't surprise anyone if they did, as North Korea has often launched cyber-espionage and intelligence collection operations against its southern neighbor. For example, in October 2017, South Korea accused North Korea of hacking and stealing the South's secret joint US war plans, which included detailed plans to attack the North in case diplomatic relations deteriorated to a point where military action was needed. Source
  2. The vast majority of televisions available today are "smart" TVs, with internet connections, advertising placement, and streaming services built in. Despite the added functionality, TV prices are lower than ever — especially from companies like TCL and Vizio, which specialize in low-cost, high-tech smart TVs. There's a simple reason that smart TVs are priced so low: Some TV makers collect user data and sell it to third parties. Did you get a 4K, HDR-capable TV this past holiday, perhaps on sale? Millions of Americans did. Massive TVs with razor-thin frames, brilliant image quality, and built-in streaming services are more affordable than ever thanks to companies like Vizio and TCL. If you want a 65-inch 4K smart TV with HDR capability, one can be purchased for below $500 — a price that may seem surprisingly low for such a massive piece of technology, nonetheless one that's likely to live in your home for years before you upgrade. But that low price comes with a caveat most people probably don't realize: Some manufacturers collect data about users and sell that data to third parties. The data can include the types of shows you watch, which ads you watch, and your approximate location. [Image caption: The Roku TV interface on TCL's smart TVs comes with a prominent ad placement on the home screen.] A recent interview on The Verge's podcast with Vizio's chief technology officer, Bill Baxter, did a great job illuminating how this works. "This is a cutthroat industry," Baxter said. "It's a 6% margin industry. The greater strategy is I really don't need to make money off of the TV. I need to cover my cost." More specifically, companies like Vizio don't need to make money from every TV they sell. Smart TVs can be sold at or near cost to consumers because Vizio is able to monetize those TVs through data collection, advertising, and selling direct-to-consumer entertainment (movies, etc.). Or, as Baxter put it: "It's not just about data collection. It's about post-purchase monetization of the TV." And there are a few ways to monetize those TVs after the initial purchase. [Image caption: On TCL's Roku TVs, users can opt out of the full scope of ad tracking. How much you're able to block yourself from data tracking varies by TV manufacturer.] "You sell some movies, you sell some TV shows, you sell some ads, you know," he said. "It's not really that different than the Verge website." It's those additional forms of revenue that help make the large, beautiful smart TVs from companies like Vizio and TCL so affordable. Without that revenue stream, Baxter said, consumers would be paying more up front. "We'd collect a little bit more margin at retail to offset it," he said. The exchange is fascinating and worth listening to in full — check it out right here. Source
  3. Late last year, the U.S. government accidentally revealed that a sealed complaint had been filed against Julian Assange, the founder of WikiLeaks. Shortly before this was made public, the FBI reconfirmed its investigation of WikiLeaks was ongoing, and the Wall Street Journal reported that the Department of Justice was optimistic that it would be able to extradite Assange. Soon after, portions of sealed transcripts leaked that implicate WikiLeaks and Assange in directing hackers to target governments and corporations. The charges against Assange have not been officially revealed, though it’s plausible that the offenses are related to Russian hacking and the DNC emails. The alleged offenses in the complaint notwithstanding, the government has an abundance of data to work with: over a dozen WikiLeaks’ computers, hard drives, and email accounts, including those of the organization’s current and former editors-in-chief, along with messages exchanged with alleged Russian hackers about DNC emails. Through a series of search warrants, subpoenas, equipment seizures, and cooperating witnesses, the federal government has collected internal WikiLeaks data covering the majority of the organization’s period of operations, from 2009 at least through 2017. The filing that committed a copy and paste error revealing charges against Assange. In some instances, the seized data has been returned and allegedly destroyed, such as in the case of David House, a technologist and friend of Chelsea Manning when she famously became a source for WikiLeaks. In others, the seized materials include communications between WikiLeaks and their sources. Some of these discussions show WikiLeaks discussing their other sources and specific identifying details about them. A copy of a chat log between Chelsea Manning and a WikiLeaks staff member IDed as Assange by government prosecutors and witnesses. 
Other seizures gave authorities a deeper view of the internal workings of WikiLeaks, including one of the earliest known seizures of WikiLeaks-related data, executed on December 14, 2010, when the messages and user information of several WikiLeaks-linked Twitter accounts were ordered. This search-and-seizure order included direct messages associated with WikiLeaks and its founder, former Army private first class and WikiLeaks source Chelsea Manning, WikiLeaks editor Rop Gongrijp, former WikiLeaks associate Jacob Appelbaum, and former WikiLeaks associate and Icelandic MP Birgitta Jonsdottir, between November 1, 2009, and the order’s execution. A court order for information relating to people associated with WikiLeaks. On January 4, 2011, a sealed order filed in the Eastern District of Virginia requested all emails, address book, subscriber information, and other account information associated with Appelbaum’s email address [email protected], and another order would target his internet traffic. Appelbaum was a friend and confidant of Assange as well as a WikiLeaks volunteer. In 2010, Appelbaum was known as “the American WikiLeaks hacker,” and he was, at that time, referred to as WikiLeaks’ only known American member. In a private chat in 2015, WikiLeaks described Appelbaum as being “sort of” part of the group, though following multiple accusations of sexual abuse, the group publicly distanced itself from him. The emails obtained by the government extended from November 2010 at least through January 2011. The timing of the government’s acknowledgment of the order, along with other similar orders, suggests that the monitoring of the account may have continued through late 2014, when it and several orders were made public. A copy of a court order for information relating to Jacob Appelbaum, a hacker who worked with WikiLeaks (now credibly accused of multiple sexual assaults). 
Publicly released and leaked documents from Assange and his legal team allege that several laptops and hard drives belonging to the organization were intercepted by an intelligence agency during this time period. According to an affidavit from Assange, “three laptops ... assorted electronics [and] additional encrypted hard drives” were taken along with his suitcase in late September 2010. Assange’s legal team produced several additional affidavits and supporting documents detailing the existence and disappearance of the suitcase. The suitcase contained at least five hard drives, all of which were encrypted, according to Assange. However, the government has had eight years to guess or recover the passwords or break the encryption on the hard drives. Several other drives, numerous emails, and at least one cooperating witness may have aided in the process. Affidavit from Julian Assange. In mid-2011, the FBI had developed a major source who would become at least their second informant with an eye into WikiLeaks’ operations. Soon after the arrest and cooperation of Hector Xavier Monsegur, a.k.a. Sabu, his hacking group (LulzSec) made contact with WikiLeaks. Sabu and LulzSec would become some of WikiLeaks’ most significant sources. The Syria files and Global Intelligence files LulzSec provided WikiLeaks increased their number of publications tenfold and still account for roughly half of their total number of publications. Communications between Sabu and WikiLeaks were monitored by the FBI. And some of the group’s communications with others were later seized in their arrest or turned over by Sigurdur Thordarson, a WikiLeaks volunteer who became an informant for the FBI that August. A section from the sentencing document for “Sabu.” It was later ID’d by WikiLeaks as about them. In addition to briefing the FBI in a series of meetings, Thordarson reportedly provided them with thousands of pages of WikiLeaks chat logs. 
Further, in March 2012, Thordarson allegedly provided the FBI with eight WikiLeaks hard drives containing up to 1020GB of data, according to a purported FBI document. Officials have not confirmed the authenticity of the document, though the amount of data provided is corroborated by additional sources. In an interview with Ars Technica, Thordarson claimed that Icelandic authorities had seized an additional 2 TB of WikiLeaks-related data from him, which he assumed was then shared with the U.S. American and Icelandic authorities had previously cooperated on Thordarson’s case and portions of the WikiLeaks investigation. According to leaked letters from WikiLeaks’ legal team, at least some of the hard drives had belonged to Assange. Thordarson’s debriefings and the hard drives of up to 3 TB of data may have contained the decryption keys or passwords needed to decrypt the hard drives Assange alleged had been seized earlier. A receipt given to Sigurdur Thordarson from the FBI for WikiLeaks hard drives. There are several hints as to the contents of these drives. According to the affidavit from Assange, the information on the hard drives included, in addition to the possible staff emails, “chat communications ... copies of passports [and] video footage taken in secret.” Following an Associated Press article based off of a cache of “WikiLeaks emails, chat logs, financial records, secretly recorded footage and other documents” from within the organization, WikiLeaks alleged that the cache was the same that had been provided to the FBI. In October 2011, amidst Thordarson and Sabu’s tenure as cooperating witnesses, American authorities issued a search warrant for the contents of WikiLeaks volunteer Herbert Snorrason’s Gmail account. The warrant requested all of the account’s information, “including stored or preserved copies of e-mails sent to and from the account, draft e-mails, deleted e-mails, emails preserved pursuant to a request made under 18 U.S.C. § 2703(f), the source and destination addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail.” The volunteer had helped WikiLeaks with a minor technical issue. After learning that his account’s contents had been seized by the U.S. government, Snorrason told Mother Jones that he thought “pretty much everyone with both a Google account and a WikiLeaks connection will be getting one of those notices eventually.” Snorrason was correct in that other WikiLeaks-associated Google accounts had their information seized by the government. Six months after the order for Snorrason’s emails was issued, a trio of search orders were issued for the email accounts of senior WikiLeaks personnel. On April 5, 2012, sealed warrants were executed for the Google accounts of WikiLeaks editors Sarah Harrison and Joseph Farrell, as well as then-spokesman and future editor-in-chief Kristinn Hrafnsson on suspicion of espionage and violating the Computer Fraud and Abuse Act, as well as conspiracy and theft of government property. The warrants appear to have covered the entirety of the accounts and were disclosed by Google at the close of 2014. A court order for information relating to Kristinn Hrafnsson, current editor in chief of WikiLeaks, on suspicion of charges including but not limited to espionage. In late October 2017, a new government request was issued for portions of WikiLeaks’ communications. A letter from Sen. Diane Feinstein requested that Twitter provide copies of all direct messages that were over 180 days to or from the accounts belonging to WikiLeaks, the WikiLeaks Task Force, “Guccifer 2.0,” Assange, and Margaret Ratner Kunstler. As written, the request would include some of my communications with WikiLeaks and “Guccifer 2.0.” Ultimately, at least some messages between WikiLeaks and the “Guccifer 2.0” were obtained by the U.S. government, although the method of communication for those messages remains unconfirmed. According to what’s informally known as “the GRU indictment,” WikiLeaks sent Guccifer 2.0 a message on June 22, 2016. The message instructed Guccifer 2.0, a persona the U.S. government believes was used by Russian operatives, to send new material to them so it would “have a much higher impact.” On approximately July 6, the organization sent another message encouraging Guccifer 2.0 to send “anything [H]illary related” in time for the Democratic National Convention, which WikiLeaks thought Clinton would use to solidify support. The quoted portion of the exchange ends with WikiLeaks saying they thought conflict between Sen. Bernie Sanders and Clinton would be “interesting.” These exchanges, about maximizing impact and damage, are relevant to one of the theories of Assange’s potential prosecution outlined by noted national security journalist Marcy Wheeler. An excerpt from a Mueller indictment. If the charges against Assange are related to Russian hacking and the Democratic National Committee email leak, this exchange could be one of the most likely pieces of evidence to be directly relevant to the initial charges against him. 
However, the entirety of the government’s evidence, including materials seized from alleged Vault 7 leaker Joshua Schulte and the alleged recordings of him transferring additional files to WikiLeaks regarding the organization, may be used to help make the case. Past statements and communications may be used to help establish a modus operandi, a pattern or an intent. As noted by the AP, some of the materials may point to the early beginnings of Assange’s reported relationship with Russia. Leaked copies of sealed files, statements by people familiar with the grand juries, and documents released through FOIA by independent journalist Alexa O’Brien—who also identified a number of sealed search orders—all indicate that the investigations converged and pooled evidence at times. The government’s information could be further augmented by recent surveillance of Assange in the Ecuadorian Embassy, where he has lived under asylum since 2012, the fruits of which may have reportedly been shared with the United States. Regardless of what the charges against Assange are, the government has terabytes of data with which to try to make its case, data that’s come from WikiLeaks supporters, sources, key personnel, and Assange himself. The full depth of the government’s sources, however, has yet to be revealed. Emma Best is a national security reporter and transparency activist. She has published millions of pages of government documents and is a member of the leak collective Distributed Denial of Secrets (DDoSecrets). Source
  4. Marketing firm parts with massive trove of customer data The last time an Apollo effort went this badly, Tom Hanks made a movie about it. Marketing intelligence (read: data broker) startup Apollo fessed up to being the victim of a massive theft that saw it reveal something in the neighborhood of nine billion points of data and contact information of 212 million people. As per usual, the massive trove was discovered online in a misconfigured database that had mistakenly been set to be accessible by anyone. Those "data points" include things like addresses and contact information, as well as contacts and connections on services like LinkedIn. Not particularly sensitive information, but a fairly valuable cache of data for marketers or, in the worst case, potential attackers looking to build spear-phishing emails. Source
  5. Hacker was selling 141.5GB of data from Huazhu Hotels Group. He also attempted to blackmail the hotel chain to pay for its own data. Huazhu Hotels Group Ltd, a China-based hotel chain, announced this week that Shanghai police arrested the hacker who was selling data on millions of its customers online, on the dark web. The arrest was announced on Monday, September 17, by the hotel group in an investors message, and confirmed two days later by Shanghai police for Chinese media. Police did not release the man's name, but according to local reports, the hacker is a 30-year-old man named Liu. Investigators did not reveal any other details about the investigation, but according to previous reports, it appears that Liu may have gotten hold of the hotel chain's data when a developer accidentally uploaded part of its database on GitHub. The hacker put the Huazhu data up for sale on a dark web hacking forum in mid-August, asking for 8 Bitcoin, which was worth around $56,000 at the time. The data was sold in three file packages, for a total of 141.5GB. The data trove contained over 500 million records, comprising 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number; 123 million pieces of registration data recorded on the group's official website such as userID and login pin; and 130 million pieces of check-in data, including birthday and home address. [Image caption: China hotel data sold on the dark web] The Huazhu Hotels Group is one of China's largest hotel chains, operating 5,162 hotels across 13 hotel brands in 1,119 Chinese cities. The data sold online was advertised to have originated from customers who stayed at Huazhu's hotel brands, such as Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, and Haiyou. The hotel chain filed a police complaint on the same day news of the hack broke in Chinese media, August 28. 
In its message to investors, the hotel chain said Liu was unsuccessful in selling the stolen data. They also said the hacker attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack. "To comply with laws and police protocols, the Company cannot disclose additional information on the case at this time," a Huazhu spokesperson said. Source
  6. LC Technology International, Inc. is a global leader in data recovery, photo recovery, data recovery services , and SD card/flash media data recovery. Our mission is designed to help our clients resolve catastrophic problems. LC Technology International maintains the highest quality standards with award winning customer service and support as noted by the many awards and articles in the media. We have developed outstanding products that recover data and files in the event of data loss or hard drive failure. Home: https://www.lc-tech.com PHOTORECOVERY PRO 2018 5.1.7.0 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/0DP5OEJE/PHOTORECOVERY_PRO_2018_5.1.7.0_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Solid State Doctor 3.1.4.2 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/1GD0HMM6/Solid_State_Doctor_3.1.4.2_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links FILERECOVERY Enterprise 5.5.9.8 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/LQDLYW4N/FILERECOVERY_Enterprise_5.5.9.8_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Digital Media Doctor PRO 3.1.5.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/IOETLXR3/Digital_Media_Doctor_PRO_3.1.5.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links RescuePRO Deluxe for SSD 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/1CAOSRHH/RescuePRO_Deluxe_for_SSD_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links RescuePRO Deluxe 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/FBYIUNN2/RescuePRO_Deluxe_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Versions Commercial RescuePRO Deluxe Commercial 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: 
/files/2D23APRM/RescuePRO_Deluxe_Commercial_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links FILERECOVERY Enterprise Commercial 5.5.9.8 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/16T2EYXQ/FILERECOVERY_Enterprise_Commercial_5.5.9.8_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links PHOTORECOVERY PRO 2018 Commercial 5.1.7.0 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/3OTC3KZQ/PHOTORECOVERY_PRO_2018_Commercial_5.1.7.0_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links installers original with keygen integrated eye are tested and work at the end of the installation will be marked 2 options please do not topen to open and run the program and the keygen that can register it, remember it is a false positive.
  7. Second worst stingray in history (RIP Steve Irwin) Someone may have spied on smartphones in or near the White House using a fake cellphone tower – and miscreants are said to have abused SS7 weaknesses to swipe US citizens' private information, it emerged this week. On Friday, Senator Ron Wyden (D-OR) revealed a letter he received from the US government's Department of Homeland Security earlier this month that suggested someone deployed a Stingray-like IMSI-capturing device to track and snoop on phones near the White House in Washington DC. This equipment works by pretending to be a real cellphone mast, connecting to passing handhelds to collect their owners' unique subscriber ID numbers, and potentially snooping on their chatter. Specifically, Homeland Security officials said they had detected activity that "appeared consistent" with Stingray devices within the capital region "including locations in proximity to potentially sensitive facilities like the White House." The DHS tempered that claim, though, by noting that it could not attribute the IMSI spying to any specific group, and that some of the transmissions turned out to be signals sent from legitimate cellphone towers. "The news of a possible foreign stingray near the White House is of particular concern given reports that the President isn’t even using a secure phone to protect his calls," Wyden said. "The cavalier attitude toward our national security appears to be coming from the top down." Separately, Wyden said he had been told by a big-name mobile network that malicious attackers are believed to have used SS7 – the 40-year-old protocol that glues cellular networks together – to obtain customer data. The Homeland Security letter indeed said it had received reports of "nefarious" types leveraging SS7 to spy on American citizens by targeting their calls, text messages, and other information. SS7 is typically abused by criminals hacking into phone networks, or rogue insiders, to swipe private info. 
State-owned carriers can also exploit SS7 on behalf of government snoops, or networks can be compelled by administrations to use the protocol to surveil targets. In any case, SS7 is a system that can be exploited by a phone network in one country to screw around with people using a network in another country, or within the same nation, and intercept calls and messages. Wyden released Uncle Sam's letter as part of his push to get America's comms watchdog the FCC, and US telcos, to conduct a more thorough investigation and report on the use of both SS7 exploits and Stingray devices within their networks. Not a useful Ajit Earlier this week, Wyden sent FCC boss Ajit Pai a letter calling for a probe, and blasted the chairman for seemingly refusing to do anything about security holes present in mobile networks. "One year ago I urged you to address serious cybersecurity vulnerabilities in US telephone networks," Wyden's letter [PDF] reads. "To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk." The senator added: "This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement." Wyden thus demanded to know what the regulator did in response to multiple reports of SS7 attacks. Source
  8. Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications. Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects — and perhaps given the ability to create public accounts on otherwise private groups — a number of organizations with household names are leaking sensitive data in their message lists. Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.” In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information. The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies. 
In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as “password,” “account,” “hr,” “accounting,” “username” and “http:”. Many organizations seem to have used Google Groups to index customer support emails, which can contain all kinds of personal information — particularly in cases where one employee is emailing another. Here are just a few of their more eyebrow-raising finds:
     • Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
     • Re: URGENT: Past Due Invoice. Group: Accounts Payable
     • Fw: Password Recovery. Group: Support
     • GitHub credentials. Group: [REDACTED]
     • Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
     • RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management
     Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources. This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country. “The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote. In its own blog post on the topic, Google said organizations using Google Groups should carefully consider whether to change the access to groups from “private” to “public” on the Internet. 
The company stresses that public groups have the marker “shared publicly” right at the top, next to the group name. “If you give your users the ability to create public groups, you can always change the domain-level setting back to private,” Google said. “This will prevent anyone outside of your company from accessing any of your groups, including any groups previously set to public by your users.” If your organization is using Google Groups mailing lists, please take a moment to read Google’s blog post about how to check for oversharing. Also, unless you require some groups to be available to external users, it might be a good idea to turn your domain-level Google Group settings to default “private,” Kenna Security advises. “This will prevent new groups from being shared to anonymous users,” the researchers wrote. “Secondly, check the settings of individual groups to ensure that they’re configured as expected. To determine if external parties have accessed information, Google Groups provides a feature that counts the number of ‘views’ for a specific thread. In almost all sampled cases, this count is currently at zero for affected organizations, indicating that neither malicious nor regular users are utilizing the interface.” Source
  9. In just under a week, on Friday the 25th of May, the new European Union data protection directive, GDPR, comes into effect. One aspect of the GDPR is that citizens now have the right to reach out to companies to get the data that they hold on them. Despite this, actually initiating the process of getting your data can be tedious. To aid with this, My Data Request is now providing “codified” guides to get your data from various online services. My Data Request offers guides for requesting your data from over 100 online services. The list of services includes many of the most popular apps from categories like social media, banking, dating, gaming, and much more. There’s a good chance that most of the services you care most about are listed on the website. Big companies such as Facebook and Google let you download archives of your data; these pages are linked to in the guides offered by My Data Request. Smaller services, however, don't have dedicated tools and require you to email them. In order to make your life simple, My Data Request has built an email template tool so you can grab your data more quickly. The website builds different email templates depending on your location; the four categories include ‘In the EU’, ‘In California’, ‘Everywhere’, and ‘Other’. While the GDPR legally only applies to people in the EU, companies may give people outside the bloc access to their data too even if they’re not covered by GDPR. More details < Here >
  10. The agency collected a staggering 534 million domestic phone records last year, up threefold on the year earlier. New figures reveal a sharp increase in the number of searches of Americans' calls and messages by the intelligence community during the Trump administration's first year in office. The figures, published Friday by the Office of the Director of National Intelligence (ODNI), show a rise in targeted surveillance and searches of people's data. It's the latest annual report from the government's chief spy, which has faced calls to be more transparent in the wake of the Edward Snowden disclosures into its surveillance programs. According to the figures, there were 7,512 searches of Americans' calls and messages without a warrant, up by 42 percent on the year prior. The government gets these search powers under the controversial section 702 authority, which allows the National Security Agency (NSA) to gather intelligence on foreigners overseas by collecting data from choke points where fiber optic cables owned by telecom giants enter the US. The powers also authorize the collection of data from internet giants and tech companies. But data collected under section 702 is near indiscriminate, and it also sweeps up large amounts of data on Americans, who are constitutionally protected from warrantless surveillance. The actual number of searches on Americans is likely significantly higher, because the reported figures don't account for searches by other civilian agencies, like the FBI or the Drug Enforcement Administration -- which also don't require a warrant to search the database. "We're almost certainly talking about tens of thousands of Americans being queried by FBI but have no clear info on that or the number of Americans whose data is collected," said Jake Laperruque, senior counsel at the Project On Government Oversight. Congress has long asked the government to reveal how many Americans have their data inadvertently collected by the NSA. 
Both the Obama and Trump administrations refused to disclose how many Americans are caught up in the dragnet. "Overall the numbers show that the scale of warrantless surveillance is growing at a significant rate, but ODNI still won't tell Americans how much it affects them," said Laperruque. It's not the only figure in the report to see a massive increase. The NSA targeted 129,080 foreign individuals or groups, representing a rise of 20 percent in the number of targets on the year earlier. Patrick Toomey, staff attorney at the ACLU's National Security Project, tweeted that the figure was the "biggest jump on record." The report also shows a massive spike in the number of collected phone records last year. The details of who calls who and when, collected under the NSA's phone metadata collection programs, were later curtailed when the Freedom Act was ratified in 2015. Last year, a staggering 534 million call detail records were collected, up from 151 million -- more than a three-fold increase on the year earlier. The figures don't represent the number of Americans whose phone records were collected, and likely include duplicates, the report said. The number of orders to collect phone records, however, remained the same on the previous year. Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute, said the intelligence community may have changed interpretations of their legal authorities. "The report raises some serious questions if the intelligence community, and the courts may be interpreting their authorities in an overbroad manner to permit too much collection," said Greene. "It's hard to imagine how you get the same number of targets yet over three-times as many records collected unless you've reinterpreted what constitutes a call detail record," Greene added. 
The report also showed a similar pattern with national security letters, a subpoena-like power that can compel tech and phone companies to turn over data on grounds of national security. Although the number of letters increased marginally by 5 percent to 12,762 last year, the number of requests for information more than tripled, indicating that the FBI sought more data per letter than in previous years. These letters are particularly controversial because they require no court approval and almost always include a gag order, which prevents the subject of the letter from being informed. In recent years, several companies including Apple, Facebook, Microsoft, Twitter, and Yahoo have fought to have details of the secretive letters publicly revealed. In 2008, a US court found the National Security Letter statute, amended by the Patriot Act in 2001, was unconstitutional. A separate case in 2013 found that the gag order provision was in breach of the First Amendment, though the government appealed the ruling. Source
  11. WhatsApp cofounder Brian Acton expressed outrage at Facebook’s privacy policies last month by tweeting “It is time. #deletefacebook.” But WhatsApp’s Facebook-like group chat features also have design flaws that jeopardize user privacy. Maybe it’s also time to #DeleteWhatsApp. WhatsApp differentiates itself from parent company Facebook by touting its end-to-end encryption. “Some of your most personal moments are shared with WhatsApp,” the company writes on its website, so “your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.” But WhatsApp members may not be aware that when using the app’s Group Chat feature, their data can be harvested by anyone in the group. What is worse, their mobile numbers can be used to identify and target them. WhatsApp groups are designed to enable groups of up to 256 people to join a shared chat without having to go through a central administrator. Group originators can add contacts from their phones or create links enabling anyone to opt-in. These groups, which can be found through web searches, discuss topics as diverse as agriculture, politics, pornography, sports, and technology. Not all groups have links, but in those that do, anyone who finds the link can join the group. While all new joining members are announced to the group, they are not required to provide a name or otherwise identify themselves. This design could leave inattentive members open to targeting, as a new report from European researchers shows. The researchers demonstrated that a tech-savvy person can easily obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts and off-the-shelf applications. This is not a security breach — the app is working exactly as designed. Kiran Garimella, of École Polytechnique Fédérale de Lausanne, in Switzerland sent me a draft of a paper he coauthored with Gareth Tyson, of Queen Mary University, U.K. 
titled “WhatsApp, doc? A first look at WhatsApp public group data.” It details how they were able to obtain data from nearly half a million messages exchanged between 45,794 WhatsApp users in 178 public groups over a six-month period, including their mobile numbers and any images, videos, and web links they had shared. The groups had titles such as “funny”, “love vs. life”, “XXX”, “nude”, and “box office movies”, as well as the names of political parties and sports teams. The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2,000 groups they found — a process requiring little human intervention and easily applicable to a larger set of groups. Their smartphone began to receive large streams of messages, which WhatsApp stored in a local database. The data are encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers L.P. Gudipaty and K.Y. Jhala. Note: The method Garimella and Tyson used only allowed them to access data posted to each of the groups after they’d joined them; they weren’t able to access any earlier data posted in the groups. The researchers’ goal was to determine how WhatsApp could be used for social-science research (they plan to make their dataset and tools publicly available after they anonymize the data). But their paper demonstrates how easily marketers, hackers, and governments can take advantage of the WhatsApp platform — with no contractual restraints and for almost no cost. This can have a much darker side. The New York Times recently published a story on the Chinese Government’s detention of human-rights activist Zhang Guanghong after monitoring a WhatsApp group of Guanghong’s friends, with whom he had shared an article that criticized China’s president. 
The Times speculated that the government had hacked his phone or had a spy in his group chat; but gathering such information is easy for anyone with a group hyperlink or access to a server. Earlier this year, Wired reported that researchers from Ruhr-University Bochum, in Germany, found a series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.” Gaining access to a computer server requires sophisticated hacking skills or the type of access only governments can gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets.” Researcher Paul Rösler reportedly said, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. … If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little.” Facebook and its family of companies are being much too casual about privacy, as we have seen from the Cambridge Analytica revelations, harming freedom and democracy. They need to be held to higher standards. Editor’s note: VentureBeat reached out to WhatsApp regarding the researchers’ findings, but the company did not provide a statement. Vivek Wadhwa is Distinguished Fellow at Carnegie Mellon University Engineering at Silicon Valley and author of The Driver in the Driverless Car: How Our Technology Choices Will Create the Future. Source
  12. Updated at 6:30 p.m. ET Facebook CEO Mark Zuckerberg issued a lengthy post Wednesday on his personal Facebook page promising to protect the data of platform users. He said Facebook will provide users with tools to show who has access to their data and how it is shared. Facebook will also "restrict developers' data access even further to prevent other kinds of abuse." "We have a responsibility to protect your data, and if we can't, then we don't deserve to serve you," he wrote. The post marks the first public comments made by Zuckerberg about the controversy involving Cambridge Analytica's use of personal data posted by Facebook users. Zuckerberg said there was a "breach of trust" involving Cambridge Analytica, Facebook, and a Cambridge University researcher named Aleksandr Kogan, who created an app to collect data that was later shared with Cambridge Analytica. "But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that," he wrote. Zuckerberg said Facebook will restrict third-party developers from accessing data beyond names, profile photos and email addresses. The company will also require developers to sign a contract before asking Facebook users for access to their posts or other private data. Users will also see a tool at the top of their news feeds showing what apps they have used and will have an easy way to revoke the apps' access to their data. Zuckerberg concluded, Sen. Richard Blumenthal, D-Conn., a member of the Senate Judiciary and Commerce Committees, said he was not satisfied with Zuckerberg's statement, calling it "damage control." Blumenthal told NPR's Ailsa Chang on All Things Considered: Source
  13. AccuWeather is still sending precise geolocation data to a third-party advertiser, ZDNet can confirm, despite updating its app earlier this week to remove a feature that collected users' location data without their permission. In case you missed it, AccuWeather was until this week sending the near-precise location of its iPhone app users to Reveal Mobile, a data monetization firm -- even when location sharing was switched off. Security researcher Will Strafach, who first reported the issue, also accused the company of sharing a user's precise GPS coordinates under the guise of providing local weather alerts. The news sparked outrage and anger. AccuWeather responded with a forced apology, which leading Apple critic John Gruber called a "bulls**t response." However, tests conducted by Strafach show that the updated app, released Thursday, still shares precise geolocation data with a data monetization and advertising firm. ZDNet independently verified the findings. We found that AccuWeather was still, with location sharing enabled, sending precise GPS coordinates and altitude, albeit to a different advertiser, without the user's explicit consent. That data can be used to pinpoint down to a few meters a person's location -- even which floor of a building they are on. Article
  14. When it comes to what works and doesn’t work for protecting critical data, nearly one third (32%) of respondents at the recent Black Hat conference said that accessing privileged accounts was the number one choice for the easiest and fastest way to get access to critical data. The survey, carried out by Thycotic, found that was followed closely by 27% indicating access to user email accounts was the easiest path to disclosing sensitive data. Additionally, 85% of respondents blame humans for security breaches, more so than the lack of security or unpatched software. For instance, more than a third (35%) said that remembering and changing passwords is the top source of cybersecurity fatigue. The focus on hacking privileged and email accounts reflects a recognition on the part of hackers that traditional perimeter security is no longer an effective barrier to getting inside networks and gaining access to critical data. Findings from the survey indicate that 73% of hackers believe the traditional security perimeter of firewalls and antivirus is irrelevant or obsolete. In fact, antivirus and anti-malware are considered the “least effective and easiest to get past” security technologies by 43% of the Black Hat survey respondents, followed by firewalls (cited by 30% of Black Hat respondents). “Given that privileged accounts are prime targets for hackers, IT professionals should consider the opinions of the hackers themselves when it comes to protecting privileged accounts,” said Joseph Carson, chief security scientist, Thycotic. “In today’s connected world, organizations can no longer rely only on the traditional cybersecurity perimeter controls.” Hackers also view threat intelligence solutions as one of the least effective security protections, along with reputation feeds and education/awareness; however, multi-factor authentication (38%) and encryption (32%) are their biggest obstacles, according to the survey. 
“Hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities,” noted Carson. “More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data.” Article source
  15. Soon after being found to have worm-like spreading capabilities, the TrickBot banking Trojan has expanded its attack surface to target Outlook and Web browsing data. While TrickBot has been an active threat for less than a year, its developers, supposedly the Dyre group, have been actively adding new capabilities to it. Earlier this year, they expanded the target list to hit private banking and payment processors, in addition to CRM providers. Independent researcher and programmer Hasherezade now reveals that the malware authors have added new modules to their creation and might have also added new developers to its team. A newly observed Outlook.dll module, for example, is written in Delphi, unlike most of the components, which are written in C++. The security researcher says that the current run comes with 5 modules: SystemInfo.dll and loader.dll (injectDll32), which have been observed in TrickBot since the very beginning, mailsearcher.dll, added in December 2016, and two modules that haven’t been observed before, namely module.dll and Outlook.dll. According to Hasherezade, module.dll/importDll32 is written in C++ and compiled with Qt5 and OpenSSL. It also incorporates SQLite. The compilation timestamp suggests it was written in May 2017. The module was designed to steal data from the browsers, including Cookies, HTML5 Local Storage, Browsing History, Flash LSO (Local Shared Objects), and URL hits, among other info. The module is bulky and doesn’t hide its intentions. “In contrary to loader.dll/injectDll, which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more,” the researcher reveals. 
The module creates a hidden desktop and uses it as a workspace to open and fingerprint browsers in such a way that the user isn’t aware of the malicious activity. Written in Delphi, the Outlook.dll module contains a hardcoded configuration that follows a pattern typical for TrickBot modules. Designed to steal data saved by Microsoft Outlook, the module opens relevant registry keys, then attempts to retrieve saved credentials. “TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll,” Hasherezade points out. The findings are in line with Flashpoint’s report last week, which revealed that TrickBot’s authors were working on implementing a worm module to abuse the Server Message Block (SMB) protocol to spread locally, but that the logic to randomly scan external IPs for SMB connections wasn’t yet ready. The changes suggest that new members were added to the TrickBot development team, but that some of them are lower quality programmers, or that the team is only experimenting with new capabilities. “TrickBot is still actively maintained and it is not going to leave the landscape any soon,” Hasherezade concludes. Article source
  16. A journalist and a data scientist secured data from three million users easily by creating a fake marketing company, and were able to de-anonymise many users A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens. “What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.” Eckert, a journalist, paired up with data scientist Andreas Dewes to acquire personal user data and see what they could glean from it. Presenting their findings at the Def Con hacking conference in Las Vegas, the pair revealed how they secured a database containing 3bn URLs from three million German users, spread over 9m different sites. Some were sparse users, with just a couple of dozen of sites visited in the 30-day period they examined, while others had tens of thousands of data points: the full record of their online lives. Getting hold of the information was actually even easier than buying it. The pair created a fake marketing company, replete with its own website, a LinkedIn page for its chief executive, and even a careers site – which garnered a few applications from other marketers tricked by the company. They piled the site full of “many nice pictures and some marketing buzzwords,” claiming to have developed a machine-learning algorithm which would be able to market more effectively to people, but only if it was trained with a large amount of data. 
“We wrote and called nearly a hundred companies, and asked if we could have the raw data, the clickstream from people’s lives.” It took slightly longer than it should have, Eckert said, but only because they were specifically looking for German web surfers. “We often heard: ‘Browsing data? That’s no problem. But we don’t have it for Germany, we only have it for the US and UK,’” she said. The data they were eventually given came, for free, from a data broker, which was willing to let them test their hypothetical AI advertising platform. And while it was nominally an anonymous set, it was soon easy to de-anonymise many users. Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person. A similar trick works for German social networking site Xing. For other users, a more probabilistic approach can deanonymise them. For instance, a mere 10 URLs can be enough to uniquely identify someone – just think, for instance, of how few people there are at your company, with your bank, your hobby, your preferred newspaper and your mobile phone provider. By creating “fingerprints” from the data, it’s possible to compare it to other, more public, sources of what URLs people have visited, such as social media accounts, or public YouTube playlists. A similar strategy was used in 2008, Dewes said, to deanonymise a set of ratings published by Netflix to help computer scientists improve its recommendation algorithm: by comparing “anonymous” ratings of films with public profiles on IMDB, researchers were able to unmask Netflix users – including one woman, a closeted lesbian, who went on to sue Netflix for the privacy violation. 
Another discovery through the data collection occurred via Google Translate, which stores the text of every query put through it in the URL. From this, the researchers were able to uncover operational details about a German cybercrime investigation, since the detective involved was translating requests for assistance to foreign police forces. So where did the data come from? It was collated from a number of browser plugins, according to Dewes, with the prime offender being “safe surfing” tool Web of Trust. After Dewes and Eckert published their results, the browser plugin modified its privacy policy to say that it does indeed sell data, while making attempts to keep the information anonymous. “We know this is nearly impossible,” said Dewes. Article source
  17. Data on millions of Dow Jones customers was potentially exposed to unauthorized access on Amazon Cloud due to a configuration error, a spokesman for the publishing and financial information giant confirmed Monday. The spokesman told The Hill that personal data on 2.2 million customers had been over-exposed on Amazon Cloud as a result of an internal error. There is no evidence that malicious actors accessed the information, however. The data included customers’ names, email addresses and some financial details — including the last four digits of some credit cards — though Dow Jones said that neither full account login credentials nor full credit card information was exposed. “This was due to an internal error, not a hack or attack,” the spokesman said. “We have no evidence any of the over-exposed information was taken.” Cybersecurity firm UpGuard discovered the exposure and notified Dow Jones of it in early June. Those affected include subscribers to Dow Jones publications like The Wall Street Journal. UpGuard put the number of affected accounts closer to 4 million. When asked whether the company had notified customers caught up in the data exposure, the Dow Jones spokesman indicated that the information was not sensitive enough to require it. “The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” the spokesman said. However, UpGuard argued in a blog post published Monday that the data “could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,” such as phishing scams tailored to individual targets. UpGuard also discovered that exposed data was related to the Dow Jones Risk & Compliance databases, which are used primarily by financial organizations to comply with anti-money laundering, anti-bribery and other regulations. 
Dow Jones said that the exposed risk and compliance data included only publicly available information, such as that from news articles, and not customer information. The Amazon Cloud repository was inadvertently configured to allow for “semi-public” access, letting any authenticated user of Amazon Web Services (AWS) download the data, UpGuard said. That included any user who has a free Amazon AWS account. The information on the exposure was passed on to Dow Jones on June 6, and the company’s cybersecurity firm worked to secure the data in less than two hours, the Dow Jones spokesman said. “We immediately secured the data once we became aware of the problem. We take the security of Dow Jones information very seriously,” the spokesman added. The Wall Street Journal first reported the data exposure on Sunday. The revelation comes a week after a cloud server problem resulted in personal information on as many as 14 million Verizon customers being publicly accessible. Wall Street Journal (requires subscription) Article (for us without subscriptions)
18. Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed.

An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.

As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address.

Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement, and financial crime and compliance, including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.

Privacy watchdogs have linked the company to several government intelligence agencies, and it's known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite. In regulatory filings with the Securities and Exchange Commission, Nice noted that it can't control what customers do with its software. "Our products may also be intentionally misused or abused by clients who use our products," said Nice in its annual report.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late June. It took over a week before the data was eventually secured.

The customer records were contained in log files that were generated when Verizon residential customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service.

Each record included a customer's name, cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press. Several security experts briefed on the exposure prior to publication warned of phone hijacking and account takeovers, which could allow hackers to break into a person's email and social media accounts protected even by two-factor authentication.

Six folders, one for each month from January through June, contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company's datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer's home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and whether a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer's "frustration score," by detecting if certain keywords are spoken by a customer during a call. Although the logs referenced customer voice recordings, there were no audio files found on the server.

Some of the records were "masked" in what appears to be a redaction effort to prevent an unauthorized disclosure of private information. But most of the customer records are in part or entirely visible.

Ted Lieu, a Democratic congressman and computer science major, said the exposure was "highly troubling." "I'm going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn't happen again," he told ZDNet. Lieu, also a Verizon customer, said: "I would like to know if my data was breached."

Verizon said it was investigating how its customer data was improperly stored on the Amazon Web Services (AWS) server as "part of an authorized and ongoing project" to improve its customer service. "Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," said a spokesperson. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access."

One account from a senior Verizon employee with knowledge of the situation said that the company was unaware that the data was being exfiltrated or exported, and Verizon had no control over the server.

The phone giant said that the "overwhelming majority of information in the data set has no external value." "There is some personal information in the data set," said the spokesperson, "but as indicated earlier, there is no indication that the information has been compromised." Verizon also would not say how it "masked" data, citing security concerns.

Nice said it too was investigating the exposure. A spokesperson said that none of its systems or products were breached and "no other Nice customer data was involved."

Vickery said, however, that there was evidence that data from Orange, a European telecoms provider, was for a time also stored on the exposed server, suggesting the data exposure may not be limited to Verizon. (Orange did not respond to a request for comment.) A Nice spokesperson later said that the data was "part of a demo system," and did not comment further.

It remains unclear who else at Nice had access to the server, or if the data was downloaded by anyone else. Verizon said that it had requested information on who had access to the storage. A spokesperson said Monday that an investigation determined "no other external party accessed the data." When pressed, the company would not say how it came to that conclusion.

Article source
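The exposure above came down to storage that anyone holding the URL could read. As an added example (not from the article, and not code from Verizon, Nice or UpGuard), here is a small offline check in Python that evaluates an S3 bucket policy document and flags Allow statements granting read access to anonymous principals, alongside a check that the four S3 Block Public Access settings are all on. The two policy documents, the bucket name and the IAM role ARN are constructed samples.

```python
import json
from fnmatch import fnmatchcase

# Actions that let a caller read object contents or enumerate keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for vals in principal.values() for p in _as_list(vals))
    return False


def _grants_read(actions):
    """Return the read actions covered by the statement's Action patterns.

    IAM action matching is case-insensitive and allows '*' and '?' wildcards,
    so "s3:Get*" covers both GetObject and GetObjectVersion.
    """
    matched = []
    for pattern in _as_list(actions):
        for action in READ_ACTIONS:
            if fnmatchcase(action.lower(), pattern.lower()) and action not in matched:
                matched.append(action)
    return matched


def public_read_statements(policy_doc):
    """Return [(Sid, read_actions)] for Allow statements that hand read access to anyone.

    Statements carrying a Condition block are skipped here on purpose: they may still
    be effectively public (e.g. a condition on a header any client can set), so they
    need a human review rather than an automatic verdict.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _grants_read(stmt.get("Action"))
        if actions:
            findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def block_public_access_enforced(config):
    """S3 Block Public Access: all four settings must be on for a policy like WEAK_POLICY to be refused."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed sample: a bucket policy that lets anyone fetch objects, the kind of setting
# that leaves data downloadable by anyone who knows the web address.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:Get*"],
        "Resource": "arn:aws:s3:::example-call-logs/*",
    }],
})

# Constructed sample: the same access scoped to one IAM role (hypothetical account id and role name).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/call-analytics"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-call-logs", "arn:aws:s3:::example-call-logs/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_read_statements(doc))
```

The same logic applies to a policy pulled from a live bucket; the Condition caveat in the docstring is where an automated check should hand off to a reviewer.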
19. Recently discovered multi-level cell (MLC) solid-state drive (SSD) vulnerabilities by researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Technology in Zurich, reveal the first-ever security weakness of its kind against MLC SSDs that store much of the world’s data. Two different types of malicious attacks are reported to corrupt data, leaving much of the world’s data currently exposed while organizations search for answers.

If security experts and data protection experts didn’t have enough to worry about already, the latest discovery from Carnegie Mellon University has set off brand new alarms that could be far more crippling than the recent WannaCry virus or any ransomware attack. In this case, data is not infected or held hostage, but is lost entirely - not even the host SSD hardware can be salvaged after such an attack. This is not simply alarming to organizations that stand the most to lose like financial institutions, but we’re talking about real lives here if patient care is compromised as we saw earlier this month at hospitals across the UK.

In a recently published report by researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Technology in Zurich, there are two types of malicious attacks that can corrupt data and shorten the lifespan of MLC SSDs – a write attack (“program interference”) and a read attack (“read disturb”). Both attacks inundate the SSD with a large number of operations over a short period of time, which can corrupt data, shorten lifespan, and render an SSD useless to store data in a reliable manner into the future. However, both attacks rely upon native read and write operations from the operating system to the solid-state drive, which is circumvented by Condusiv® I/O reduction software on Windows systems (V-locity®, SSDkeeper®, Diskeeper® 16).

The only reason this story has been covered lightly by the media and not sensationalized across headlines is because no one has died yet or lost a billion dollars. This is a new and very different kind of vulnerability. Protection from this kind of an attack is not something that can be addressed by traditional lines of defense like anti-virus software, firmware upgrades, or OS patches. Since it is cost prohibitive for organizations to “rip-and-replace” multi-cell SSDs with single-cell SSDs, they are forced to rely on data sets that have been “backed-up.” However, what good is restoring data to hardware that can no longer reliably store data?

By acting as the “gatekeeper” between the Windows OS and the underlying SSD device, Condusiv I/O reduction software solutions perform inline optimizations at the OS-level before data is physically written or read from the solid-state drive. As a result, Condusiv’s patented technology is the only known solution that can disrupt “program interference” write operation attacks as well as “read disturb” read operation attacks that would attempt to exploit SSD vulnerabilities and corrupt data. While most known for boosting performance of applications running on Windows systems while extending the longevity of SSDs, Condusiv solutions go a step further as the only line of defense against these malicious attacks.

Condusiv’s patented write optimization engine (IntelliWrite®) mitigates the first vulnerability, “program interference,” by disrupting the write pattern that would otherwise generate errors and corrupt data. IntelliWrite eliminates excessively small writes and subsequent reads by ensuring large, clean contiguous writes from Windows so write operations to solid-state devices are performed in the most efficient manner possible on Windows servers and PCs. An attack could only be successful in the rare instance of limited free space or zero free space on a volume that results in writes occurring natively, circumventing the benefit of IntelliWrite.

Condusiv’s second patented engine (IntelliMemory®) disrupts the second vulnerability, “read disturb,” by establishing a tier-0 caching strategy that leverages idle, available memory to serve hot reads. This renders the “read disturb” attack useless since the storage target for hot reads becomes memory instead of the SSD device. A “read disturb” attack could only be successful in the rare instance that a Windows system is memory constrained and has no idle, available memory to be leveraged for cache.

While organizations use Condusiv software on Windows systems to maintain peak performance and extend the longevity of their SSDs, they can trust Condusiv to protect against malicious attacks that would otherwise corrupt user data and bring great harm to their business and service to customers.

Article source
20. Mukesh Ambani telco says data safe; probe ordered

Reliance Jio hacked: Reliance has said that the database is safe and that a probe has been ordered to find out what exactly had happened. (PTI)

Reliance Jio hacked: In a major setback to Mukesh Ambani led Reliance Industries today, it has been revealed that its new telco arm Reliance Jio database has been hacked. The company has said that the database is safe and that a probe has been ordered to find out what exactly had happened. The numbers involved are as high as 120 mn, but their exact status is not known yet and this could well turn out to be the biggest data breach ever in India.

According to a statement released by Reliance Jio spokesperson, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

After the alleged breach, the data of customers has been uploaded on magicapk.com website, according to Indian Express Online. Among the first to report the hacking was Fonearena.com. IE spoke to Editor Varun Krish, who expressed his shock at being able to find the particulars of his and his colleagues’ accounts available. The website concerned is open for search and if anyone puts in a query about any Reliance Jio account, the details are instantly made available. The traffic on the site has surged so much it is crashing frequently. Worryingly, according to Fonearena, Aadhaar numbers are being made available too.

Article source
21. Per its terms and conditions, YOU Broadband, the fifth largest Indian internet service provider (ISP), doesn’t let its subscribers use strong encryption. The ISP does technically allow VPN and encryption use… but only “up to the bit length permitted by the Department of Telecommunications,” which is 40 bits.

It was over twenty years ago in 1997 that Ian Goldberg won $1,000 from RSA for breaking 40 bit encryption in just a few hours. He famously said then: “This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.”

Yet YOU Broadband, and other Indian ISPs, still insist that their users can’t use anything stronger than a twenty-year-broken key size. That’s not viable security in the 21st century, and makes you wonder why encryption is discouraged in the first place. Nowadays, because 40 bit encryption has long been shown to be obsolete, the minimum standard is usually at least a 128 bit encryption key size.

Indian ISP, YOU Broadband, doesn’t want you to use encryption because it hampers their logging

Earlier this week, redditor bf_of_chitti_robot pointed out in the /r/India subreddit that Clause 38 of YOU Broadband’s Terms and Conditions clearly set out the company’s stance on encryption, as well as explaining why the company wanted such a rule.

YOU Broadband Terms and Conditions Clause 38 (June 2016 Internet Archive snapshot):

“The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.”

The ISP’s stated intentions of maintaining customer logs and ensuring that they have access to copies of all your packages/data are, of course, mandated by law under the Information Technology Act.

After the clause was pointed out, YOU Broadband quickly updated Clause 38 of their user policy to simply state:

“The Customer may use VPN and encryption up to the bit length permitted by the Department of Telecommunications.”

Needless to say, nothing has changed about their intentions – making sure you aren’t using strong encryption because it gets in the way of their snooping. This is the same snooping that ISPs in America, like AT&T, are able to exploit now that internet privacy rules have been relaxed in the states (but not all states). Nosy ISPs seem to be an international problem.

India’s Department of Telecommunications only allows up to 40 bit encryption, which is insecure

What is the bit length permitted by the Department of Telecommunications, anyways? According to a 2002 note on ISP regulation by the Department of Telecommunications, the encryption key length hard limit is 40 bits for internet service licensees aka internet service providers. Internet service licensees, such as YOU Broadband, have an obligation to the licensor, the Department of Telecommunications, to forbid individuals, groups, and organizations from using encryption with keys stronger than 40 bits without permission.

Instead of asking the regulators for this permission to allow its users to actually utilize viable encryption key lengths without violating the user policy, YOU Broadband has elected to pass on the 15 year old rule on encryption – essentially making the use of encryption online against the rules of the ISP and a potential reason to lose service. Under the current and previous iterations of the user policy, YOU Broadband subscribers are technically breaking the ISP’s rules every time they access https://www.google.co.in.

Secure encryption is a necessity in today’s online world – and an ISP that explicitly forbids it needs to be pointed out. What would you do if your ISP said that you shouldn’t use meaningful encryption? What do you do when your government’s laws are outdated and don’t protect your privacy?

Article source
22. Last summer, France's data protection commissioner, CNIL, criticized Microsoft for collecting an excessive amount of user data on Windows 10 PCs, and publicly ordered the company to "comply with the law within a period of three months."

Today, CNIL issued a public statement, saying that it is satisfied with Microsoft's efforts to address those criticisms in accordance with the country's 'computing and freedoms' laws, and has ended its "procedure of formal notice" against the company.

The data protection watchdog said that Microsoft "has reduced by almost half the volume of data collected under the "basic level" of its telemetry service", and that it now limits its collection of data to the bare minimums required "to maintain the system and applications in good working order and to ensure users safety."

Earlier this year, Microsoft introduced a range of privacy changes to improve the transparency of its data collection on Windows 10, and to give users greater control over the amount and types of data that they're willing to share with the company. These changes included a new online privacy dashboard, and a revised Windows 10 setup experience with clearer explanations of its data collection practices.

CNIL also highlighted other improvements that Microsoft has made to address its concerns. It said that Microsoft has: inserted references to information in line with article 32 of the "computing and freedom" law; completed applications with the CNIL for its treatments of combating fraud; joined the Privacy Shield to govern international transfers of personal data; put an end to the deposit of cookies without prior collection of the consent of users for many of its Windows 10 web sites, and is committed to do so for all before September 30, 2017.

While CNIL considers the matter resolved, Microsoft's data collection activities in Windows 10 apparently remain under the scrutiny of the Article 29 Working Party, a group formed of representatives from data and privacy regulators in each of the European Union's member states. That group raised fresh concerns about Windows 10 data collection in February, saying that Microsoft "should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid."

Source: CNIL via TechRepublic

Article source
23. In a bid to give a quantum boost to the Indian electronics and software manufacturing industry, the government is planning a new policy for electronics and software production, as well as for data protection and setting up start-up clusters.

Electronics and Information Technology Minister Ravi Shankar Prasad announced this on Friday after a meeting here with industry leaders in order to launch work on the blueprint to realise a $1 trillion Indian IT economy in the next 5-7 years.

"We will be shortly laying down the new electronics policy because between the old policy and now, India has changed completely. Therefore, to boost electronics manufacturing, we will come up with new policy," Prasad told reporters here. "There is need to look at inward software market. Therefore, we will come with a new software product policy and we are going to have framework for data security and protection policy," he said.

The National Policy on Electronics was drawn up in 2012 and approved by the previous UPA cabinet in 2013.

Noting that India ranks third in the world in terms of the number of start-ups, the Minister said the country needed to have start-up clusters for facilitation. "India needs to have start-up clusters. In coordination with (industry body) Nasscom and the Data Security Council of India, we are working on a framework for a Start-ups Cluster Policy to help create Special Innovative Zones," he said.

Besides, such an architecture for the future of Indian information technology (IT) would be incomplete without a dispute resolution mechanism as being demanded by the industry, Prasad said. "Dispute resolution needs a robust mechanism...the industry wants it," Prasad, who is also the Law Minister, said. "We have already set up a procurement policy, and we will certainly look into a framework for having a dispute resolution policy," he added.

Earlier, Prasad outlined the government's vision for building the Indian IT sector into a $1 trillion economy by 2022 that would become a global hub of low-cost digital technology. Noting that it already is an industry with an estimated worth of $400-450 billion, he said Indian IT would not take long to become a $1 trillion industry.

"India's digital economy has acquired a momentum of its own and its low-cost digital technology is being talked about the world over," he said. "Digital India is the technical empowerment of Indians and our vision is to create an Indian model of development that will bridge the divide between digital haves and have-nots," he added.

Pointing out that 72 new mobile manufacturing units have opened in the last three years, the Minister said: "Mobile manufacturing itself will become a Rs 500 crore industry in the next few years." "The Indian IT industry has a clear potential to provide 10.5 million jobs, at a minimum," he added.

Article source
24. All versions of Android are affected by this vulnerability

According to a group of security researchers from Georgia Institute of Technology and UC Santa Barbara, there's a new Android exploit in the wild, which affects all versions of Google's mobile OS.

Called Cloak and Dagger, the exploit could allow hackers to steal your information by creating a malicious app that only needs to set two permissions, namely BIND ACCESSIBILITY SERVICE ("a11y") and SYSTEM ALERT WINDOW ("draw on top"), to log keystrokes and steal your passwords and other sensitive information.

It's a fact that it's not that easy to force users into enabling accessibility permissions, but skilled hackers can trick them into doing so, and once they activate both permissions, they'll be able to install software, steal data from installed apps, and basically take full control of your Android phone without you even knowing.

"In particular, we demonstrate how such an app can launch a variety of stealthy, powerful attacks, ranging from stealing user’s login credentials and security PIN, to the silent installation of a God-mode app with all permissions enabled, leaving the victim completely unsuspecting," explained the researchers in their report.

Google took the necessary steps to prevent such attacks

Shortly after the researchers made this discovery, it appears that Google immediately took action and released an official statement explaining what they did to prevent such attacks for now, which appear to affect all versions of the Linux-based Android operating system, including the latest Android 7.1.2 (Nougat) release.

"We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward."

Android security

It's very likely that the next Android update will patch the exploit, but that might take a while considering how various Android versions are distributed, so it is better that you always check what apps are installed on your mobile device and what permissions are enabled.

For more details on how the new exploit works, check out the videos below, courtesy of Yanick Fratantonio, one of the researchers involved in this publication.

Cloak & Dagger: Clickjacking + Silent God-mode App Install

Article source

All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack
25. Both paid and unpaid apps can track your data. The apps pictured may not - but it’s hard to know which do and which don’t.

Anyone who spends much time online knows the saying: “If you’re not paying, you’re the product”. That’s not exactly correct. On the internet, you’re nearly always the product.

And while most internet users know that some of their personal data is being collected and monetised, few are aware of the sheer scale of the issue, particularly when it comes to apps. In fact, our research suggests a majority of the top 100 paid and free Google Play apps in Australia, Brazil, Germany and the US contain at least one tracker. This means data could be collected for advertising networks as well as for payment providers.

This is just the beginning. As voice-activated intelligent assistants like Siri or Google Now evolve and replace the need for apps on our smartphones, the question of what is being done with our data will only grow more complicated.

Nothing is free

The difference between what apps actually do with user data and what users expect them to do was apparent in the recent Unroll.Me scandal. Unroll.me is a free online service that cleans email inboxes by unsubscribing the user from unnecessary emails. But many were dismayed when the company was recently discovered to be monetising their mail content. For example, UnRoll.me was reportedly looking for receipts of the ridesharing company Lyft in user emails and selling that information to Uber.

Unroll.me’s CEO apologised, saying the company needed to do a better job of disclosing its use of data. But who is in the wrong? Consumers for thinking they were getting a service for free? Or the service provider, who should inform customers of what they’re collecting?

The question is even more intriguing when it comes to mobile apps. In fact, compared to online services that usually access a few facets of a user’s personal profile, mobile apps can conveniently tap into a range of personal data such as location, message content, browser history and app installation logs. They do this using third-party libraries embedded in their code, and these libraries can be very intrusive.

How libraries work

Libraries are third-party trackers used by app developers so they can integrate their products with external services. These may include advertising networks, social media platforms and payment gateways such as Paypal, as well as tools for tracking bugs and crashes.

In our study, carried out in 2015, we analysed tracking libraries in the top-100 free and top-100 paid apps in Australia, Brazil, Germany and the US, revealing some concerning results. Approximately 90% of the top free apps and 60% of the top paid apps in Google Play Store had at least one embedded tracker.

For both free and paid apps in the study, Google Ads and Flurry were the two most popular trackers and were integrated with more than 25% of the apps. Other frequently observed libraries include Chartboost, Millennial Media, Google Analytics and Tapjoy. The top trackers were also likely to be present in more than one app, meaning these libraries receive a rich dataset about the user.

[Figure: A summary of the study of top-100 free and paid apps in Google Play Store. NICTA, Author provided]

Of course, these numbers could have changed in the two years since our research was published, although recent studies suggest the trend has largely continued. It’s also possible these libraries are present without collecting data, but it’s nonetheless disturbing to see the presence of so many trackers in paid apps that have an alternative business model.

What lies ahead?

So what can you do if you don’t want to be tracked? Use your judgement when giving apps permission to access your data by first asking questions such as, “does this game really need to know my phone number?” Consider using mobile anti-virus and privacy advisory apps such as Lookout Security & Antivirus, Mobile Security and Antivirus, and PrivMetrics (this app is a beta release by Data61).

Ultimately, however, these solutions barely touch the surface of a much larger issue. In the near future, apps may be replaced by built-in services that come with a smartphone’s operating system. The intelligent personal assistant by Google, Google Now, for example, could eliminate the need for individual transport, messenger, news and weather apps, as well as some financial apps.

These services, otherwise known as aggregator platform services, could build extensive profiles that cover several aspects of our online and offline behaviour. When used, they have access to an incredibly broad range of our activities, not to mention our location.

Still, app users have so far been willing to exchange their data for convenience. There’s little reason to believe that trend will not continue.

Article source