Cybersecurity, Online Privacy, & Big Data

  • Google Updates Enabling Dishonest Behavior Policy

    Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.

    Wowzers! Maybe the Goog is turning over a new leaf? Else looking for a way to keep much of that market cornered?

  • @toby
    Google isn't changing anything but rules against their competition (as you pointed out).

    Privacy is a thing of the past if you use technology in your daily life. Tracking me is a joke, I don't go many places, except grocery store & pharmacy.

    If the trackers are onto my Amazon purchasing and other internet sellers, then they know I am a utilitarian by nature and don't buy much other than the basic necessities of life.

    If they sell this information and profit from it, then I should get a share. I think I will Copyright myself. I could use the extra do re mi.

  • Twitter Hacked - Again

    Twitter's security holes are now the nation's problem

    Wednesday’s Twitter hack has exposed a gaping weakness for the U.S. and its most powerful leaders — their reliance on a private company to secure their communications with the public.

    The latest bipartisan uproar comes as intelligence officials warn that foreign government hackers and trolls are using social networks to stir up controversy and spread disinformation ahead of November’s elections. This misuse of Facebook, Twitter and other large platforms, which reached a zenith during the 2016 presidential campaign, has led to extensive congressional oversight.

    And we're acting surprised? Like this is new information?

    Senate Intel Committee Releases Bipartisan Report on Russia’s Use of Social Media.

    The thing is.... I can empathize with Twitter. Nothing is secure against dedicated attackers given enough time, funding, and motivation. Nothing is absolute. The war is lost before the first battle. Hence, all one can do is to do their best to raise the bar sufficiently high enough to make the costs outweigh the benefits and hope the bad guys set their sights on softer targets. But Twitter? Google? Facebook? Ho man! Those guys are continually under siege. Despite hiring the best and the brightest security engineers it should be no surprise the bad guys win one every once in a while.

    So what to do? Well, the obvious "solution" is to legislate. It is what politicians do. Or at least supposed to be doing. Since these companies have already hired the cream of the crop and, with some notable exception, making best faith efforts to thwart said black hats, I doubt legislation is the answer. At best, maybe a bit of PPP to give us a warm fuzzy feeling and something the politards can puff up their chests about and act like they're actually doing something.

    Yep. Color me jade.

  • @toby said in Online Privacy, Security & Big Data:

    So what to do?

    What to do? Well, the first thing is to stop believing anything you see on Twitter, Failbook, or any other online source.

    Yeah, okay, that works for you and me, but how do we stop the great unwashed (or whatever the current descriptor is) from believing what they see on their Twitter feeds or FB pages?

    Answer? Sorry, there is no answer. They will continue to believe whatever Trump's media buddies feed them. All we can do is whatever we can to encourage sane people to vote in November.

    Edit to add: And I ain't even American.

  • @David-Harris The issue is much larger than he who must not be named as this is happening globally - Germany, France, UK, Jamaica - grossly skewing and disrupting world politics and global stability. I guess we may take some small comfort in that it is not as bad as last US presidential circus. Yet. Either that or the bad actors have become even yet more sophisticated and not been discovered/caught. Yet.

    Ah, the drama of the 24x7 click bait stream....

  • Solarium Hack

    We Can Take Advantage of the Russian Hack. Here’s How

    The more complex and ultimately more disturbing lesson is that, as currently structured, neither the federal government nor even the most sophisticated corporations can repel expertly crafted foreign cyberattacks.

    That’s the bad news. The good news is that we can halt cyber mischief by other countries, but it will take bolder action than is currently on the table.

    Which, of course, is the same old song and dance we always get from "the powers that be" whenever something like this happens. Hopefully this time egregious enough to elicit a response a bit more proactive than the usual spin from the talking heads.

    I am hoping the incoming administration is able to restore enough of some semblance of normalcy with our allies that we, the World, UN or whatever are able to censure Russia (& other bad actors, e.g. China) in a meaningful manner that does not also prompt WWIII.

  • Now that our bromance with authoritarian dictators is over seems we're both ready and willing to stop ignoring and/or making excuses for North Korea. I was aware of North Korea's government sponsored cyber warfare/terrorism but thought it a distant third to China and Russia. Not. Turns out now Cyber Public Enemy #1.

    North Korean hackers are ‘the world’s leading bank robbers,’ U.S. charges

    Federal prosecutors on Wednesday announced charges against three North Korean government hackers accused of participating in a wide range of cyberattacks, including the destructive 2014 assault on Sony Pictures Entertainment hack, the global WannaCry ransomware attack in 2017 and a range of digital bank heists.

    The newly unsealed indictment, building on earlier charges against Park for his alleged role in Pyongyang’s cyberattacks, adds new information about multiple criminal schemes, including a series of breaches of banks targeting more than $1.2 billion; infections of ATMs with malware that allowed unlimited withdrawals; digital extortion schemes using ransomware; and the development and distribution of fake, malware-laden cryptocurrency apps that opened backdoors into victims’ computer networks.

    And on a related note, US-CERT Cybersecurity and Infrastructure Security Agency (CISA) has several advisories hitting my inbox this morning on the cryptocurrency front. I will just list them below in case any of you are into crypto. If so, I advise reviewing the full notices. A search on any of the strings below should get you there.

    • AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
    • AR21-048A: MAR-10322463-1.v1 - AppleJeus: Celas Trade Pro
    • AR21-048E: MAR-10322463-5.v1 - AppleJeus: CoinGoTrade
    • AR21-048G: MAR-10322463-7.v1 - AppleJeus: Ants2Whale
    • AR21-048C: MAR-10322463-3.v1 - AppleJeus: Union Crypto
    • AR21-048F: MAR-10322463-6.v1 - AppleJeus: Dorusio

    Be interesting to see what shakes out in the wash. And rinse. Repeat? Inquiring minds are curious.

    Update: Couple more additions just hit my inbox:

    • AR21-048D: MAR-10322463-4.v1 - AppleJeus: Kupay Wallet
    • AR21-048B: MAR-10322463-2.v1 - AppleJeus: JMT Trading

  • At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

    At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

    Well, now isn't that special? Who is still on M$ Exchange, the worldwide leader in worst security track record in the history of software development? Seems like post Windows10 and M$ transitioning to the SAAS (Software As A Service) model Exchange would be on its way out? Evidently not.

    Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

    Meanwhile... CISA has released Emergency Directive 21-02:

    CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

    Yippie, skippie!! More state sponsored cyber warfare/terrorism from our good friends in China. 🇨🇳

    Wash, rinse, repeat.... Will we ever learn? 👊 🤕 🤦

    tl;dr?? That is a lot of Exchange servers and even more email accounts. Be wary.

  • It seems that hacking security is by far the easier of hacking vs. building less easily hacked security.

    It also seems that developers need pay more attention to this. Maybe hire a bunch more breakers to supplement the makers?

  • @zBrown said in Cybersecurity, Online Privacy, & Big Data:

    It seems that hacking security is by far the easier of hacking vs. building less easily hacked security.

    Yes. And they have lots more time in which to do it.

    It also seems that developers need pay more attention to this. Maybe hire a bunch more breakers to supplement the makers?

    Some devs just don't care that much and/or ignorant. Others do but succumb to the pressures of "Rapid Development". Read PHB management wants it yesterday so they postpone fixing bugs until "someday" when they have a chance to come up for air. Only that someday never comes and the software at hand accumulates huge "technical debt" that, like our national debt, becomes too formidable to even begin to tackle. So they don't. Meanwhile, PHB management is hoping and praying that their five year "exit strategy" of selling to a larger corp pans out before something major happens and it all blows up in their faces.

    We might be tempted to blame 'em. Howesomever, the market is only responding to market demands. And in this age of instant gratification...

    Heh, yeah, color me jade.

    Moving on... In related news, and not to be outdone by the U.S.;

    Exchange email hack: Hundreds of UK firms compromised

    The hacking campaign was first announced by Microsoft on 2 March and blamed on a Chinese government-backed hacking group called Hafnium.

    Microsoft said the group was using four never-before-seen hacking techniques to infiltrate the email systems of US companies.

    According to cyber-security researchers at Eset, as many as 10 different hacking groups are now actively using the zero-days exploits to target companies in 115 different countries.

    Cyber-researchers at FireEye also confirmed they had detected multiple groups, likely to be based in China, using the exploit in different waves.

    "As always, it is complex but it is very likely that Hafnium gifted these 'zero days' to government-sanctioned groups to actively use the flaws once they were rumbled," Jake Moore at Eset said.

    "The race is now on for all of those affected to patch immediately and then painstakingly check for any recent compromises and make sure no webshells are installed on the servers."

    This is going to be a really big deal. Nation State sponsored cyberwarfare against the World's democracies. First Russia. Now China. Should be an interesting bucket of worms for POTUS and a few other heads of state in the "free world".

    Incidentally, Eset Nod32 is my preferred antivirus/malware/internet security vendor. Their VB100 track record is stellar. And unmatched. Toby recommended. 👍🐕

  • Half a billion Facebook users' information posted on hacking website

    The personal information of about half a billion Facebook users, including their phone numbers, have been posted to a website used by hackers, cybersecurity experts say.

    Glad I am not among them. I was an early adopter of FB way bitd but soon got clued into their amoral sociopath practices. I bailed and never looked back. Good luck and best wishes to their latest victims.

  • 533 Million Facebook Users Personal Data Breached

    Well, @zBrown asked for it.. now ya' got it... older news from earlier this spring that I did not expand upon previously since there did not seem to be a whole lot of interest. A few links:

    533 million Facebook users' phone numbers and personal data have been leaked online

    The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
    "A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts," Gal told Insider.

    And since some in the community favor NPR:

    After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users

    Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach sometime before August 2019 and was recently made available in a public database. Facebook also has no plans to do so, a spokesperson said.

    Well, cuz after all, Zuckerberg and fellow criminals must control the message lest a foobar of such magnitude negatively affect their stock prices. That dude is sure one piece of work sociopath.

    Bot Lets Hackers Easily Look Up Facebook Users' Phone Numbers

    A user of a low-level cybercriminal forum is selling access to a database of phone numbers belonging to Facebook users, and conveniently letting customers look up those numbers by using an automated Telegram bot.
    "It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, and who first alerted Motherboard about the bot, said.

    Leaked data to feed SMS phishing attempts

    Be extra wary of phone scams, eh?

    What is the biggest, most worrying implication of this data? Its usefulness for SMS phishing. Scammers looking to impersonate actual services to steal your money and data can now match the names and the phone numbers of 89.01% of people exposed in the leak.

    The data set also allows matching names and phone numbers with additional data like location (60.58%) and employer name (18.30%) that helps to both choose the targets (especially for spear-phishing attempts targeting specific companies) or to make hacking attacks more believable.

    Holy, holy, guacamole!! 🥑 🥑

    Are we having fun yet? 🐕

  • @toby
    You and me both.

  • Facebook paid billions extra to the FTC to spare Zuckerberg in data suit

    Facebook conditioned its $5 billion payment to the Federal Trade Commission to resolve the Cambridge Analytica data leak probe on the agency dropping plans to sue Facebook CEO Mark Zuckerberg individually, shareholders allege in a lawsuit.

    In suits made public Tuesday, two groups of shareholders claimed that members of Facebook’s board allowed the company to overpay on its fine in order to protect Zuckerberg, the company’s founder and largest shareholder. The complaints, which cite internal discussions among Facebook’s board members, were filed in Delaware Court of Chancery last month.

    “Zuckerberg, Sandberg, and other Facebook directors agreed to authorize a multi-billion settlement with the FTC as an express quid pro quo to protect Zuckerberg from being named in the FTC’s complaint, made subject to personal liability, or even required to sit for a deposition,” one of the suits alleged.

    .... The Senate Commerce Committee said last week that it was opening a probe into how the company downplayed its own research on how Facebook's photo-sharing app Instagram worsens mental health and body image issues for teens.

    (Emphasis added)

    Well, well, well.. Told myself I was going to take a break from this but.... surprise, surprise, surprise... Heh, not too difficult to dig dirt on FB and Zuckerfuck. All you need to do is wait a week or three. And pay attention. Pretty much proof positive (as if we needed more) that we do indeed have a two tiered justice system: One for the Aristocracy, and another for "we the sheeple".

    We now return you to your regularly scheduled mind numbing programming. 📺

  • Drown 'em in ambiguous data?

    An interesting tactic. I remember way bitd, circa early Millennium, adding various random terms to emails destined for Gmail users so as to confuse the goog's algorithms. The idea may remain the same but the methods have advanced. Considerably.


    ... while it offers some protection, cryptography does not challenge the main assumption at the core of Big Data ideology, and to some degree it even strengthens it. We go online not to hide, but to communicate and to express ourselves. Crypto Culture is presented as a counter-culture movement but its resistance to the powers that be only goes so far. At the end of the day both the NSA and crypto-activists share a similar perspective. The former believes we can be reduced to a set of signals and therefore attempts to collect as much of it as possible, the latter also believes we can be reduced to a set of signals and therefore attempts to conceal as much of it as possible.

    So what is a body to do? Well, re-ambiguate and confuse the fsck out of big data driven AI algorithms.

    Engineering Privacy and Protest: a Case Study of AdNauseam

    Abstract—The strategy of obfuscation has been broadly applied—in search, location tracking, private communication, anonymity—and has thus been recognized as an important element of the privacy engineer’s toolbox. However, there remains a need for clearly articulated case studies describing not only the engineering of obfuscation mechanisms but, further, providing a critical appraisal of obfuscation’s fit for specific socio-technical applications.
    In this paper we present challenges faced in attempting to apply obfuscation to a new domain, that of online tracking by advertisers. We begin with the goals of the project and the implemented features to which they map. We then present our engineering approach, the set of tensions that arose during implementation, and the ways in which these tensions were addressed. We discuss our initial evaluation efforts on both technical and ethical dimensions, and some of the challenges that remain. We conclude with thoughts on the broader issues facing privacy tools that must operate within complex socio-technical contexts—especially those dominated by actors openly resistant to them—informed by our experience with AdNauseam’s ban from Google’s Chrome store.

    (Emphasis added).

    And hence the impetus for the title of this post. But I wonder if drowning Big Data in data is viable over the long term in the never ending big data versus privacy arms race. Yes, obfuscation via injecting large quantities of ambiguous data adds noise to the signal but AI will only continue to get "smarter". Hence the need for tools such as uBlock Origin. Plus a raft of other privacy oriented plugins, the cumulative effects of which may well increase web browser uniqueness and hence actually more readily identifiable via Web Browser Fingerprinting. And, hence, on a related note... Cover Your Tracks results may prove startling for the unwary:


    Heh, full circle tail chasing. We're damned if we do. Damned if we don't. Technological solutions are not the holy grail. We need to demand more of our governments. Starting by rejecting the now broad accepted "We the Sheeple" culture. 🐑 🐑 🐑

  • Interview With A Ransomware Criminal

    An interesting read:

    Ransomware crim: Yeah, what I do is bad. No, I don't care. Yes, infosec bods are all mouth and no trousers

    Someone claiming to be a former contractor for the REvil ransomware gang has given an interview to a security firm, saying he struggles to sleep at night but isn't ashamed of what he does.

    The unnamed person was interviewed by Russian news outlet Lenta as part of a series focusing on the mostly Russia-based scourge of modern times. US infosec firm Flashpoint obtained the full transcript of the interview and translated it into English.

    "In the normal world, I was called a contractor – doing some tasks for many ransomware collectives that journalists consider to be famous," said the threat actor, using the handle Antivirus. "Money is being stolen or extorted with my hands. But I'm not ashamed of what I do."

    Well, hey, I guess we can always say; "It's a living....". Better than being on welfare? Maybe if we had UBI fewer folks would be driven to desperate measures? Or mayhaps not, since there is also the matter of conscience and moral compass. Of which our traditional role models, i.e. successful types like CEO's, Senators, Presidents and various "religious" leaders of modern times seem to be sorely lacking. Hmmm... 🤔

  • @zBrown You asked for it, you got it...

    Facebook whistleblower Frances Haugen testifies before Senate committee

    Meh.. puppy fluff and only beginning to scratch the surface. Some sick 'chit in the link that follows...

    Facebook Whistleblower Reveals Censorship Guidelines for Moderators - WARNING!

    Are we having fun yet? Once again, interested parties do not have to look too long, nor hard cuz the FB shit train just keeps on coming... 😠 😧 ✌
