Hacked Identity Theft Service Reveals Breaches of Numerous Consumer Data Aggregators
We're all up for sale online. From Krebs on Security:
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.
The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney. Until very recently, the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went.
Labels:
data privacy,
hacking
Spain to Criminalize Linking
Coming off a recent proposal to tax sunlight, the government of Spain appears to be on a roll, and is poised to criminalize linking to allegedly infringing copyrighted content. From ZDNet:
Spain is introducing tough new penalties for owners of websites that link to pirated versions of copyrighted material, after pressure from the US over its piracy record.
Under new legislation introduced as part of a wider reform of the country's penal code, owners of sites found to be making money from linking to pirated material will face prison sentences of up to six years and the closure of their site.
Sophos: Firefox Voted Most Trustworthy Browser
What's your preferred browser? A Sophos survey finds Firefox in the lead. From Naked Security:
About a month ago I asked Naked Security readers Which web browser do you trust? Your answer was emphatic: it's Firefox. I asked this question because trustworthiness has become an important selection criterion for web browsers and there is no objective test for it.
Modern web browsers are mature and complex products and, despite inflated version numbers and conspicuously busy release cycles, their feature sets evolve quite slowly.
Selecting the right web browser is no longer a question of what the software can do, it's about whether or not it can do the things we expect it to do quickly, securely and with due regard for our privacy.
Our poll offered readers the chance to vote for one of the six most popular web browsers - Chrome, Firefox, Internet Explorer, Opera, Safari and Chromium - and asked which you trusted the most.
Labels:
browsers
LinkedIn Accused of Hacking Users' Address Books to Spam Their Contacts
Is anyone else sick and tired of getting spammed with email requests to join LinkedIn from family, friends and co-workers? It appears that LinkedIn users are now sick and tired of having their contact lists surreptitiously mined and exploited by the service. From Bloomberg:
LinkedIn, owner of the world’s most popular professional-networking website, was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts’ addresses.
The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site to non-members, according to a court filing . . .
Labels:
social media,
spam
Copyright Extremists Seek Censored Search
Copyright extremists and their lobbying organizations such as the MPAA and the RIAA are at it again. From Tech Dirt:
Remember how back after SOPA ended, the MPAA's Chris Dodd kept going on and on about how he was going to take a more conciliatory and partnership-based approach to the tech industry (which he mistakenly seems to believe is defined by "Google")? Apparently that's out the window. Today both the MPAA and the RIAA have launched a one-two punch on Google, which is clearly designed to do one thing: get Google to start censoring its search results so that it no longer returns what people are looking for, but instead returns what the MPAA and RIAA think should be the right search results. The fundamental problem, of course, is that the MPAA and RIAA both seem to think that Google is supposed to deliver the answers they want the public to see, when everyone else recognizes Google's role is to return the results its users are searching for.
Labels:
copyright
Research Group Cracks Taiwan's National "Smart Card" Digital Certificates
Ironically, it is often the ineptitude and incompetence of our security protocols that leave us the most insecure. Is there anyone more vulnerable to attack than the person who thinks they are invulnerable because they have received reassuring platitudes and slogans from those running the security racket? From Smart Facts, a report by a group of international researchers:
An attacker can efficiently factor at least 184 distinct 1024-bit RSA keys from Taiwan's national "Citizen Digital Certificate" database. The big story here is that these keys were generated by government-issued smart cards that were certified secure. The certificates had all the usual buzzwords: FIPS certification from NIST (U.S. government) and CSE (Canadian government), and Common Criteria certification from BSI (German government).
These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.
The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.
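The batch-GCD computation the researchers refer to is the standard way to audit a large set of RSA public keys for shared primes, and it is the check a certificate authority or smart-card issuer should run before certifying a batch of cards. The following is an added example, not the researchers' code: a product-tree/remainder-tree batch GCD over constructed moduli built from small primes (deliberately reused to mimic a broken random number generator), with a fallback for the case where both primes of a modulus are shared, so the batch result is the modulus itself. Real 1024-bit moduli use the same algorithm, only with larger arithmetic.

```python
"""Batch-GCD scan for RSA moduli that share a prime factor (added example).

Constructed moduli built from small primes stand in for the 1024-bit keys in
the article; the algorithm is the same, only the arithmetic is bigger there.
"""
from math import gcd

# Constructed sample: small primes (NOT real key material) reused so that
# several moduli share a factor, mimicking a failed random number generator.
P1, P2, P3, P4, P5, P6, P7 = 10007, 10009, 10037, 10039, 10061, 10067, 10069
MODULI = [
    P1 * P2,  # shares P1 with index 1 and P2 with index 3
    P1 * P3,  # shares P1 with index 0
    P4 * P5,  # shares P5 with index 3
    P2 * P5,  # shares P2 with index 0 and P5 with index 2
    P6 * P7,  # independent: no shared prime, should survive the scan
]


def product_tree(values):
    """Return the product tree, leaves first: [[n0, n1, ...], [n0*n1, ...], ..., [product]]."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        layer = tree[-1]
        nxt = [layer[i] * layer[i + 1] for i in range(0, len(layer) - 1, 2)]
        if len(layer) % 2:          # odd count: carry the last node up unchanged
            nxt.append(layer[-1])
        tree.append(nxt)
    return tree


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli).

    Product tree going up, remainder tree coming down (r_child = r_parent mod
    child^2), then gcd((P mod n^2) // n, n) == gcd(P // n, n). This is
    quasi-linear in the number of moduli, unlike a pairwise gcd scan.
    """
    tree = product_tree(moduli)
    rems = tree.pop()              # root layer: [P], the product of all moduli
    while tree:
        layer = tree.pop()
        rems = [rems[i // 2] % (layer[i] ** 2) for i in range(len(layer))]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def recover_factors(moduli):
    """Return {index: (p, q)} for every modulus that shares a prime with another one."""
    found = {}
    for i, (g, n) in enumerate(zip(batch_gcd(moduli), moduli)):
        if g == 1:
            continue               # no prime shared with any other modulus
        if g == n:
            # Both primes are shared (with different moduli), so the batch gcd
            # returns n itself; split n against the other moduli one by one.
            for j, m in enumerate(moduli):
                if j != i and 1 < gcd(n, m) < n:
                    g = gcd(n, m)
                    break
        if g == n:
            continue               # only exact duplicates of n exist: nothing new to factor
        p, q = sorted((g, n // g))
        found[i] = (p, q)
    return found


if __name__ == "__main__":
    for i, (p, q) in recover_factors(MODULI).items():
        print(f"modulus {i} factored: {p} * {q}")
```

Running it factors four of the five constructed moduli and leaves the independent one alone. In an audit the interesting output is exactly that set of fully factored keys: each one is a certificate whose private key is recoverable by anyone holding the public database.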
Blue Jay: Police Twitter Surveillance App
Ars Technica has a lengthy and interesting piece on Blue Jay, a Twitter live feed scanner intended for use by law enforcement officers, from a company with connections deep inside the US intelligence bureaucracy. From Ars:
. . . the "Law Enforcement Twitter Crime Scanner," which provides real-time, geo-fenced access to every single public tweet so that local police can keep tabs on #gunfire, #meth, and #protest (yes, those are real examples) in their communities. BlueJay is the product of BrightPlanet, whose tagline is "Deep Web Intelligence" and whose board is populated with people like Admiral John Poindexter of Total Information Awareness infamy.
BlueJay allows users to enter a set of Twitter accounts, keywords, and locations to scan for within 25-mile geofences (BlueJay users can create up to five such fences), then it returns all matching tweets in real-time. If the tweets come with GPS locations, they are plotted on a map. The product can also export databases of up to 100,000 matching tweets at a time.