Cybersecurity, Online Privacy, & Big Data

  • At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

    At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Well, now isn't that special? Who is still on M$ Exchange, the worldwide leader in worst security track record in the history of software development? Seems like, post-Windows 10 and M$ transitioning to the SaaS (Software as a Service) model, Exchange would be on its way out? Evidently not.

    Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Meanwhile... CISA has released Emergency Directive 21-02:

    CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

Yippie, skippie!! More state-sponsored cyber warfare/terrorism from our good friends in China. 🇨🇳

    Wash, rinse, repeat.... Will we ever learn? 👊 🤕 🤦

    tl;dr?? That is a lot of Exchange servers and even more email accounts. Be wary.

  • It seems that hacking security is by far the easier of hacking vs. building less easily hacked security.

It also seems that developers need to pay more attention to this. Maybe hire a bunch more breakers to supplement the makers?

  • @zBrown said in Cybersecurity, Online Privacy, & Big Data:

    It seems that hacking security is by far the easier of hacking vs. building less easily hacked security.

    Yes. And they have lots more time in which to do it.

It also seems that developers need to pay more attention to this. Maybe hire a bunch more breakers to supplement the makers?

Some devs just don't care that much and/or are ignorant. Others do but succumb to the pressures of "Rapid Development". Read: PHB management wants it yesterday, so they postpone fixing bugs until "someday" when they have a chance to come up for air. Only that someday never comes, and the software at hand accumulates huge "technical debt" that, like our national debt, becomes too formidable to even begin to tackle. So they don't. Meanwhile, PHB management is hoping and praying that their five-year "exit strategy" of selling to a larger corp pans out before something major happens and it all blows up in their faces.

    We might be tempted to blame 'em. Howesomever, the market is only responding to market demands. And in this age of instant gratification...

    Heh, yeah, color me jade.

Moving on... In related news, and not to be outdone by the U.S.:

    Exchange email hack: Hundreds of UK firms compromised

    The hacking campaign was first announced by Microsoft on 2 March and blamed on a Chinese government-backed hacking group called Hafnium.

    Microsoft said the group was using four never-before-seen hacking techniques to infiltrate the email systems of US companies.

According to cyber-security researchers at Eset, as many as 10 different hacking groups are now actively using the zero-day exploits to target companies in 115 different countries.

    Cyber-researchers at FireEye also confirmed they had detected multiple groups, likely to be based in China, using the exploit in different waves.

    "As always, it is complex but it is very likely that Hafnium gifted these 'zero days' to government-sanctioned groups to actively use the flaws once they were rumbled," Jake Moore at Eset said.

    "The race is now on for all of those affected to patch immediately and then painstakingly check for any recent compromises and make sure no webshells are installed on the servers."

This is going to be a really big deal. Nation-state-sponsored cyberwarfare against the world's democracies. First Russia. Now China. Should be an interesting bucket of worms for POTUS and a few other heads of state in the "free world".

    Incidentally, Eset Nod32 is my preferred antivirus/malware/internet security vendor. Their VB100 track record is stellar. And unmatched. Toby recommended. 👍🐕

  • Half a billion Facebook users' information posted on hacking website

    The personal information of about half a billion Facebook users, including their phone numbers, have been posted to a website used by hackers, cybersecurity experts say.

    Glad I am not among them. I was an early adopter of FB way bitd but soon got clued into their amoral sociopath practices. I bailed and never looked back. Good luck and best wishes to their latest victims.

  • 533 Million Facebook Users Personal Data Breached

    Well, @zBrown asked for it.. now ya' got it... older news from earlier this spring that I did not expand upon previously since there did not seem to be a whole lot of interest. A few links:

    533 million Facebook users' phone numbers and personal data have been leaked online

    The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
    "A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts," Gal told Insider.

    And since some in the community favor NPR:

    After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users

    Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach sometime before August 2019 and was recently made available in a public database. Facebook also has no plans to do so, a spokesperson said.

    Well, cuz after all, Zuckerberg and fellow criminals must control the message lest a foobar of such magnitude negatively affect their stock prices. That dude is sure one piece of work sociopath.

    Bot Lets Hackers Easily Look Up Facebook Users' Phone Numbers

    A user of a low-level cybercriminal forum is selling access to a database of phone numbers belonging to Facebook users, and conveniently letting customers look up those numbers by using an automated Telegram bot.
    "It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, and who first alerted Motherboard about the bot, said.

    Leaked data to feed SMS phishing attempts

    Be extra wary of phone scams, eh?

    What is the biggest, most worrying implication of this data? Its usefulness for SMS phishing. Scammers looking to impersonate actual services to steal your money and data can now match the names and the phone numbers of 89.01% of people exposed in the leak.

    The data set also allows matching names and phone numbers with additional data like location (60.58%) and employer name (18.30%) that helps to both choose the targets (especially for spear-phishing attempts targeting specific companies) or to make hacking attacks more believable.

    Holy, holy, guacamole!! 🥑 🥑

    Are we having fun yet? 🐕

  • @toby
    You and me both.

  • Facebook paid billions extra to the FTC to spare Zuckerberg in data suit

    Facebook conditioned its $5 billion payment to the Federal Trade Commission to resolve the Cambridge Analytica data leak probe on the agency dropping plans to sue Facebook CEO Mark Zuckerberg individually, shareholders allege in a lawsuit.

    In suits made public Tuesday, two groups of shareholders claimed that members of Facebook’s board allowed the company to overpay on its fine in order to protect Zuckerberg, the company’s founder and largest shareholder. The complaints, which cite internal discussions among Facebook’s board members, were filed in Delaware Court of Chancery last month.

    “Zuckerberg, Sandberg, and other Facebook directors agreed to authorize a multi-billion settlement with the FTC as an express quid pro quo to protect Zuckerberg from being named in the FTC’s complaint, made subject to personal liability, or even required to sit for a deposition,” one of the suits alleged.

    .... The Senate Commerce Committee said last week that it was opening a probe into how the company downplayed its own research on how Facebook's photo-sharing app Instagram worsens mental health and body image issues for teens.

    (Emphasis added)

    Well, well, well.. Told myself I was going to take a break from this but.... surprise, surprise, surprise... Heh, not too difficult to dig dirt on FB and Zuckerfuck. All you need to do is wait a week or three. And pay attention. Pretty much proof positive (as if we needed more) that we do indeed have a two tiered justice system: One for the Aristocracy, and another for "we the sheeple".

    We now return you to your regularly scheduled mind numbing programming. 📺

  • Drown 'em in ambiguous data?

    An interesting tactic. I remember way bitd, circa early Millennium, adding various random terms to emails destined for Gmail users so as to confuse the goog's algorithms. The idea may remain the same but the methods have advanced. Considerably.


    ... while it offers some protection, cryptography does not challenge the main assumption at the core of Big Data ideology, and to some degree it even strengthens it. We go online not to hide, but to communicate and to express ourselves. Crypto Culture is presented as a counter-culture movement but its resistance to the powers that be only goes so far. At the end of the day both the NSA and crypto-activists share a similar perspective. The former believes we can be reduced to a set of signals and therefore attempts to collect as much of it as possible, the latter also believes we can be reduced to a set of signals and therefore attempts to conceal as much of it as possible.

    So what is a body to do? Well, re-ambiguate and confuse the fsck out of big data driven AI algorithms.

    Engineering Privacy and Protest: a Case Study of AdNauseam

Abstract—The strategy of obfuscation has been broadly applied—in search, location tracking, private communication, anonymity—and has thus been recognized as an important element of the privacy engineer's toolbox. However, there remains a need for clearly articulated case studies describing not only the engineering of obfuscation mechanisms but, further, providing a critical appraisal of obfuscation's fit for specific socio-technical applications.

    In this paper we present challenges faced in attempting to apply obfuscation to a new domain, that of online tracking by advertisers. We begin with the goals of the project and the implemented features to which they map. We then present our engineering approach, the set of tensions that arose during implementation, and the ways in which these tensions were addressed. We discuss our initial evaluation efforts on both technical and ethical dimensions, and some of the challenges that remain. We conclude with thoughts on the broader issues facing privacy tools that must operate within complex socio-technical contexts—especially those dominated by actors openly resistant to them—informed by our experience with AdNauseam's ban from Google's Chrome store.

    (Emphasis added).

And hence the impetus for the title of this post. But I wonder if drowning Big Data in data is viable over the long term in the never-ending big data versus privacy arms race. Yes, obfuscation via injecting large quantities of ambiguous data adds noise to the signal, but AI will only continue to get "smarter". Hence the need for tools such as uBlock Origin. Plus a raft of other privacy-oriented plugins, the cumulative effects of which may well increase web browser uniqueness and hence actually make you more readily identifiable via Web Browser Fingerprinting. And, hence, on a related note... Cover Your Tracks results may prove startling for the unwary:


Heh, full-circle tail chasing. We're damned if we do. Damned if we don't. Technological solutions are not the holy grail. We need to demand more of our governments. Starting by rejecting the now broadly accepted "We the Sheeple" culture. 🐑 🐑 🐑

  • Interview With A Ransomware Criminal

    An interesting read:

    Ransomware crim: Yeah, what I do is bad. No, I don't care. Yes, infosec bods are all mouth and no trousers

    Someone claiming to be a former contractor for the REvil ransomware gang has given an interview to a security firm, saying he struggles to sleep at night but isn't ashamed of what he does.

    The unnamed person was interviewed by Russian news outlet Lenta as part of a series focusing on the mostly Russia-based scourge of modern times. US infosec firm Flashpoint obtained the full transcript of the interview and translated it into English.

    "In the normal world, I was called a contractor – doing some tasks for many ransomware collectives that journalists consider to be famous," said the threat actor, using the handle Antivirus. "Money is being stolen or extorted with my hands. But I'm not ashamed of what I do."

Well, hey, I guess we can always say, "It's a living....". Better than being on welfare? Maybe if we had UBI fewer folks would be driven to desperate measures? Or mayhaps not, since there is also the matter of conscience and moral compass. Of which our traditional role models, i.e. successful types like CEOs, Senators, Presidents and various "religious" leaders of modern times, seem to be sorely lacking. Hmmm... 🤔

  • @zBrown You asked for it, you got it...

    Facebook whistleblower Frances Haugen testifies before Senate committee

    Meh.. puppy fluff and only beginning to scratch the surface. Some sick 'chit in the link that follows...

    Facebook Whistleblower Reveals Censorship Guidelines for Moderators - WARNING!

Are we having fun yet? Once again, interested parties do not have to look too long, nor hard, cuz the FB shit train just keeps on coming... 😠 😧 ✌
