Facebook reports a massive spike in government demands for data, including secret orders

Facebook has published the details of 13 historical national security letters it’s received for user data.

The embattled social media giant said that the letters dated between 2014 and 2017 for several Facebook and Instagram accounts. These demands for data are effectively subpoenas, issued by the FBI without any judicial oversight, compelling companies to turn over limited amounts of data on an individual who is named in a national security investigation. They’re controversial — not least because they come with a gag order that prevents companies from informing the subject of the letter, let alone disclosing its very existence. Companies are often told to turn over IP addresses of everyone a person has corresponded with, online purchase information, email records and cell-site location data. But since the introduction of the Freedom Act, passed in the aftermath of the Edward Snowden revelations, the FBI has to periodically review the gag orders.
Continue reading "Facebook reports a massive spike in government demands for data, including secret orders"

Facebook’s weapon amid chaos and controversy: misdirection

The New York Times’ bombshell report into the past three years at Facebook paint a grotesque picture of the company’s attempts to navigate a string of high-profile controversies by using unsavory, unethical and dark PR tactics.

The Times’ report, citing more than 50 sources, accuses the company of:
  • employing a Republican opposition research firm to “discredit activist protesters,” in part by linking them to the liberal billionaire George Soros;
  • using its business relationships to lobby a Jewish civil rights group to flag critics and protesters as anti-Semitic;
  • attempted to shift anti-Facebook rhetoric against its rivals to soak up the blame by planting stories with reporters;
  • posting “less specific” carefully crafted posts about Russian election interference amid claims that the company was slow to act;

Facebook under pressure over Soros smear tactics

Facebook is facing calls to conduct an external investigation into its own lobbying and PR activities by an aide to billionaire George Soros.

BuzzFeed reports that Michael Vachon, an advisor to the chairman at Soros Fund Management, made the call in a letter to friends and colleagues. The call follows an explosive investigation, published yesterday by the New York Times based on interviews with more than 50 sources on the company, which paints an ugly picture of how Facebook’s leadership team responded to growing pressure over election interference, in the wake of the Kremlin ads scandal of 2016, including by engaging an external firm to lobby aggressively on its behalf. The firm used smear tactics targeted at Soros, according to the NYT report, with the paper writing that: “A research document circulated by Definers [the PR firm engaged by Facebook] to reporters this summer, just a month after the House
Continue reading "Facebook under pressure over Soros smear tactics"

Tech giants take seats on Homeland Security’s new supply chain task force

Homeland Security’s supply chain task force is finally off the ground..

The public-private coalition, set up earlier this year, now has representatives from more than two dozen companies and industry groups signed up to help the government try to combat risks faced by tech companies from threats in the supply chain. Called the ICT Supply Chain Task Force, government officials hope to better understand to address security issues with global technology supply chains and make recommendations. By collaborating, the group aims to better understand the risks that companies face from industrial espionage, government interference, and other cybersecurity issues that could pose a threat to U.S national security. One of those new members is Cisco’s Edna Conway, chief security officer for its global value chain. She told TechCrunch that enterprises and governments “can no longer effectively identify, defend against and mitigate the risks across that global value chain in
Continue reading "Tech giants take seats on Homeland Security’s new supply chain task force"

Mozilla adds website breach notifications to Firefox

Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.

When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised. “We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.” Here’s an example of what the site breach notifications look like and the kind of detail they will provide:

Mozilla’s website breach notification feature in Firefox

Mozilla is tying the site breach notification feature to an email account breach notification service
Continue reading "Mozilla adds website breach notifications to Firefox"

Judge orders Amazon to turn over Echo recordings in double murder case

A New Hampshire judge has ordered Amazon to turn over two days of Amazon Echo recordings in a double murder case.

Prosecutors believe that recordings from an Amazon Echo in a Farmington home where two women were murdered in January 2017 may yield further clues to their killer. Although police seized the Echo when they secured the crime scene, any recordings are stored on Amazon servers. The order granting the search warrant, obtained by TechCrunch, said that there is “probable cause to believe” that the Echo picked up “audio recordings capturing the attack” and “any events that preceded or succeeded the attack.” Amazon is also directed to turn over any “information identifying any cellular devices that were linked to the smart speaker during that time period,” the order said. Timothy Verrill, a resident of neighboring Dover, New Hampshire, was charged with two counts of first-degree murder. He pleaded not
Continue reading "Judge orders Amazon to turn over Echo recordings in double murder case"

Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security

If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.

Each of the dozens of toys and devices is graded on a number of measures: what data does it collect? Is that data encrypted when it is transmitted? Who is it shared with? Are you required to change the default password? And what’s the worst case scenario if something went wrong? Some of the security risks are inherent to the product — for example, security cameras
Continue reading "Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security"

Meet the Magecart hackers, a persistent credit card skimmer group of groups you’ve never heard of

There have been few hacker groups that have been responsible for as many headlines this year as Magecart.

You might not know the name, but you probably haven’t missed their work — highly targeted credit card skimming attacks, hitting Ticketmaster and British Airways, as well as consumer electronics giant Newegg and likely many more sites that have been silently hacked to scrape consumer credit card data at the checkout. Nobody knows those attacks better than Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who’s been tracking Magecart for more than a year. In a new report published with risk intelligence firm Flashpoint, Klijnsma has exposed the inner workings of the hackers — a group of groups, rather than a single entity — all with different modus operandi and targets, which he described as a “thriving criminal underworld that has operated in the shadows for years.” “Magecart is only
Continue reading "Meet the Magecart hackers, a persistent credit card skimmer group of groups you’ve never heard of"

MetaCert’s Cryptonite can catch phishing links in your email

MetaCert, founded by Paul Walsh, originally began as a way to watch chat rooms for fake Ethereum scams. Walsh, who was an early experimenter in cryptocurrencies, grew frustrated when he saw hackers dumping fake links into chat rooms, resulting in users regularly losing cash to scammers.

Now Walsh has expanded his software to email. A new product built for email will show little green or red shields next to links, confirming that a link is what it appears to be. A fake link would appear red while a real PayPal link, say, would appear green. The plugin works with Apple’s Mail app on the iPhone and is called Cryptonite. “The system utilizes the MetaCert Protocol infrastructure/registry,” said Walsh. “It contains 10 billion classified URLs. This is at the core of all of MetaCert’s products and services. It’s a single API that’s used to protect over 1 million crypto people
Continue reading "MetaCert’s Cryptonite can catch phishing links in your email"

Google’s Project Fi gets an improved VPN service

Google’s Project Fi wireless service is getting a major update today that introduces an optional always-on VPN service and a smarter way to switch between Wi-Fi and cellular connections.

By default, Fi already uses a VPN service to protect users when they connect to the roughly two million supported Wi-Fi hotspots. Now, Google is expanding this to cellular connections, as well. “When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” the team writes in today’s announcement. Google notes that the VPN also shields all of your traffic from Google itself and that it isn’t tied to your Google account or phone number. The VPN is part of what Google calls its
Continue reading "Google’s Project Fi gets an improved VPN service"

1-877-KARS4KIDS had a data breach

Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day. The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! In return, you get to write-off the donation from your taxes, and you’re given a “holiday voucher” to sweeten the deal. But a security lapse left thousands of those donation records exposed for anyone to find. Bob Diachenko, Hacken.io’s director of cyber risk research, found the company’s MongoDB database on a server, wide open and without a password earlier this month. The server contained 21,612 records and climbing — representing weeks worth of data, Dianchenko told TechCrunch, prior to blogging his findings. The data included donor email addresses and donation receipts, which included customized links to a donor’s tax
Continue reading "1-877-KARS4KIDS had a data breach"

Facebook bug let websites read ‘likes’ and interests from a user’s profile

Facebook has fixed a bug that let any website pull information from a user’s profile — including their ‘likes’ and interests — without that user’s knowledge.

That’s the findings from Ron Masas, a security researcher at Imperva, who found that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks. In other words, a website could quietly siphon off certain bits of data from your logged-in Facebook profile in another tab. Masas demonstrated how a website acting in bad faith could embed an IFRAME — used to nest a webpage within a webpage — to silently collect profile information. “This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas. The malicious website could open several Facebook search queries in a new tab, and
Continue reading "Facebook bug let websites read ‘likes’ and interests from a user’s profile"

Kaspersky starts processing threat data in Europe as part of trust reboot

Security firm Kaspersky Labs has opened its first self-styled ‘Transparency Center’ and begun processing threat-related data from European users in data centers located in Switzerland — flipping the switch on the start of a relocation commitment it announced late last year in the face of suspicion that its antivirus software had been compromised by the Russian government and used to suck up US intelligence. 

The first stage of its fightback strategy to reboot trust, a code review plan, was announced a year ago. Then, in May, the company announced it would be moving some core infrastructure processes to Zurich in Switzerland, saying also that it would arrange for its processes to be independently supervised by a third party qualified to conduct technical software reviews. This facility has now begun processing data, starting with European users. Although this is just the start of the reconfiguration. Software assembly will also
Continue reading "Kaspersky starts processing threat data in Europe as part of trust reboot"

Twitter, those ‘verified’ bitcoin-pushing pillocks are pissing everyone off

Elon Musk’s tweets piss me off for two reasons.

When he’s not accusing actual heroes of sex crimes or trolling the federal government, it’s what comes after that drives me batshit. The top reply to most of his tweets is some asshat impersonating him to try to trick his followers into falling for a bitcoin scam. These “get rich quick” scams are fairly simple. A hacker hijacks a verified Twitter account using stolen or leaked passwords. Then, the hacker swaps the account’s name, bio and photo — almost always to mirror Elon Musk — and drops a reply with “here’s where to send your bitcoin,” or something similar. The end result appears as though Musk is responding to his own tweet, and nudging hapless bitcoin owners to drop their coins into the scammer’s coffers. One of the latest “victims” was @FarahMenswear. The clothing retailer — with some 15,500 followers
Continue reading "Twitter, those ‘verified’ bitcoin-pushing pillocks are pissing everyone off"

Cloudflare rolls out its 1.1.1.1 privacy service to iOS, Android

Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users.

Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already. But now the app, now available for iPhones, iPads and Android devices, aims to make it easier for anyone to use its free consumer DNS service. The app is a one-button push to switch on and off again. That’s it. Cloudflare rolled out 1.1.1.1 earlier this year on April Fools’ Day, no less, but privacy is no joke to the San Francisco-based networking giant. In using the service, you let Cloudflare handle all of your DNS information, like when an app on your phone tries to connect to the internet, or you type in the web address of any site. By funneling that DNS data through 1.1.1.1, it can
Continue reading "Cloudflare rolls out its 1.1.1.1 privacy service to iOS, Android"

Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms

Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.

The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that found that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems. CMS didn’t say how the attackers gained access to the accounts, but said it shut off the affected accounts “immediately.” In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data — including partial Social Security numbers, immigration status and some tax information — may have been taken. According to the letter, the data included:

Utah man pleads guilty to causing 2013 gaming service outages

A Utah man has pleaded guilty to computer hacking charges, after admitting to knocking several gaming services offline five years ago.

Austin Thompson, 23, launched several denial-of-service attacks against EA’s Origin, Sony Playstation and Valve’s Steam gaming services during the December holiday season in 2013. At the time, those denial-of-service attacks made it near-impossible for some gamers to play — many of which had bought new consoles or games in the run-up to Christmas, including League of Legends and Dota 2, because they required access to the network. Specifics of Thompson’s plea deal were not publicly available at the time of writing, but prosecutors said Thompson — aged 18 at the time of the attacks — flooded the gaming giants’ networks “with enough internet traffic to take them offline.” Thompson would take to his Twitter account, @DerpTrolling, to announce his targets ahead of time, and posted screenshots of downed services
Continue reading "Utah man pleads guilty to causing 2013 gaming service outages"

Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds

It took about six months for popular consumer drone maker DJI to fix a security vulnerability across its website and apps, which if exploited could have given an attacker unfettered access to a drone owner’s account.

The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI users’ cloud stored data, including drone logs, maps, any still or video footage — and live feed footage through FlightHub, the company’s fleet management system — without the user’s knowledge. Taking advantage of the flaw was surprisingly simple — requiring a victim to click on a specially crafted link. But in practice, Check Point spent considerable time figuring out the precise way to launch a potential attack — and none of them were particularly easy. For that reason, DJI called the vulnerability “high risk” but “low probability,” given the numerous hoops to jump
Continue reading "Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds"