privacy - Page 7

  • Facebook scrapes stolen passwords online and notifies its users - why not others?

    "Facebook is looking for your stolen passwords. On Friday, the social network announced that it built a system that will actively search sites for stolen credentials and then reference that data with its own records. "This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form," Facebook security engineer Chris Long wrote in a post. "In other words, no one here has your plain text password." If there is a match, users will be notified by Facebook.
    http://www.nbcnews.com/tech/security/facebook-hunting-your-stolen-passwords-n228296

    There are other volunteer and commercial services that say they are doing the same thing, but you have to trust them to scrape everything instantly and not to miss a single publication on the websites that are under watch (because they are on holiday, for example).

    It is a system I have been trying to sell as an idea to cert.be and to dns.be, to do for the .be email addresses and domains that were leaked, but each had doubts whether it would fall within their mission (but publishing blablabla websites was no problem). It is not even that expensive, and the hosting websites will even be happy because you can notify them of illegal information on their sites.

    At the least I think the two big ISPs in Belgium should do it for their domain names and dns.be for the Belgian .be domain names. That would already cover a big part of the stolen identities market.

    And speed is important. One has to notify the sites, people and hosters as fast as possible after publication. This is the rat race.

    Facebook has now shown that it can be done. Maybe Facebook should make its code accessible to other partners (Gmail, Yahoo, Microsoft, AOL, etc.).
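    The matching described in the quote, as an added example (not Facebook's code): leaked plaintext credentials are re-hashed with each user's own salt and compared against the stored verifier, so the service never needs an unhashed copy of the password. The account records, dump lines and PBKDF2 parameters below are constructed assumptions.

```python
"""Matching a leaked credential dump against salted password hashes.

Added example, not Facebook's code: the post only says the comparison works
without an unhashed copy of the password. Account records and dump lines
below are constructed sample data; the PBKDF2 parameters are an assumption.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed work factor of the account store


@dataclass(frozen=True)
class Account:
    email: str
    salt: bytes      # per-user random salt
    pw_hash: bytes   # PBKDF2-HMAC-SHA256 verifier; no plaintext is kept


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email.lower(), salt, hash_password(password, salt))


# Dump lines are assumed to look like "email:password"; anything else is skipped.
DUMP_LINE = re.compile(r"^\s*([^:\s]+@[^:\s]+)\s*:\s*(.+?)\s*$")


def parse_dump(text: str):
    """Yield (email, password) pairs from a scraped dump, normalising the email."""
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def find_compromised(accounts, dump_text: str) -> list[str]:
    """Return the emails whose leaked password matches their current verifier.

    Each leaked plaintext is hashed with that user's own salt and compared in
    constant time, so the store never needs an unhashed password of its own.
    Cost is one key derivation per dump line that names a known user.
    """
    by_email = {a.email: a for a in accounts}
    hits = set()
    for email, leaked_pw in parse_dump(dump_text):
        acct = by_email.get(email)
        if acct is None:
            continue  # not one of our users; nothing to notify
        if hmac.compare_digest(hash_password(leaked_pw, acct.salt), acct.pw_hash):
            hits.add(email)
    return sorted(hits)


# Constructed sample data: four accounts and a scraped dump that mentions three
# of them, only two with a password that is still in use.
SAMPLE_ACCOUNTS = [
    create_account("alice@example.com", "correct horse battery"),
    create_account("bob@example.com", "bobs-real-password"),
    create_account("carol@example.com", "another-one"),
    create_account("dave@example.com", "hunter2"),
]
SAMPLE_DUMP = """
alice@example.com:correct horse battery
bob@example.com:an-old-password-bob-no-longer-uses
  DAVE@Example.com : hunter2
mallory@elsewhere.test:whatever
this line is not a credential at all
"""

if __name__ == "__main__":
    for email in find_compromised(SAMPLE_ACCOUNTS, SAMPLE_DUMP):
        print(f"notify {email}: leaked password still valid, force a reset")
```

    Only users whose leaked password still verifies are flagged, which is the set worth notifying and forcing through a reset.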

     

  • the Chinese government put some espionageware in the new iPhones

    Normally when you start the iPhone you will still get a warning, but if you ignore it because you don't understand it, then in fact you are giving everything away to the Chinese government.

    "This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts. This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland.
    https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone

  • if you use TOR you should upgrade your tor client NOW

    "The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

    This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

    The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.
    https://blog.torproject.org/blog/tor-browser-40-released

    Especially if you are living in a dictatorship, you should download the latest update because there are too many vulnerabilities in the older ones.

    https://www.torproject.org/download/download-easy.html

  • Korea may have to rebuild a totally new Electronic Identity card system after hack

    "After an avalanche of data breaches, South Korea's national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars.
    http://abcnews.go.com/Technology/wireStory/south-korea-identity-thefts-forces-id-overhaul-26175238?singlePage=true

    And it is for this reason that one has to be prepared for the worst.

    If in Belgium our EID system were hacked, we would have to change the whole DB because the Rijksregister numbers aren't really strong enough.

    But there is not even clear documentation about what one should do if one loses all of one's digital information online, including the EID information. Does one get a new EID and a new (unique) Rijksregister number?

    When the data of half a million Belgians were stolen and we didn't know what had effectively been stolen, nobody knew what should and would happen if the hacker had published the EID information online, or how these EIDs could have been replaced.

     

  • privacy rights of customers of banks in the US are enforced with fines of millions

    "In a sanction that can serve as a wake-up to the financial industry, Verizon Communications last week agreed to pay $7.4 million to end an investigation that found it failed to tell two million new customers about their privacy rights before using their information for marketing purposes, the Federal Communications Commission said.

     

    The privacy probe highlights the vigilance that must be paid to consumer privacy rights to meet regulators’ requirements. Although the financial industry mostly answers to different regulators, it too is subject to laws and regulations protecting the privacy of its customers.

     

    The FCC said its investigation found that these phone customers, starting in 2006, did not receive proper privacy notices in their first bills. The notices would have told consumers how to opt out of having their personal information used to tailor marketing offers, which the company later sent to them. Compounding the lapse, the FCC learned, Verizon failed to discover these problems until September 2012 and failed to notify the FCC of these problems until January 18, 2013 — 126 days later.
    http://blogs.reuters.com/financial-regulatory-forum/2014/09/19/safeguard-customers-personal-information-regulators-are-watching/

    take that - you didn't comply - you pay

  • 25.000 people use TOR in Belgium (look up your country)

    You can look this up for any country.

    Source: http://darktor.com/users.cgi

    But when you watch the trend for some big countries, you see that the number of users has been decreasing since the beginning of the year, which could be the result of the closure of some very popular drug markets or because the Snowden scandal is losing interest.

  • whisper is not anonymous and doesn't protect your privacy - period

    "User data, including Whisper postings that users believe they have deleted, is collated in a searchable database. The company has no access to users’ names or phone numbers, but is storing information about the precise time and approximate location of all previous messages posted through the app. The data, which stretches back to the app’s launch in 2012, is being stored indefinitely, a practice seemingly at odds with Whisper’s stated policy of holding the data only for “a brief period of time”.

    • A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
    • Whisper’s policy toward sharing user data with law enforcement has prompted it on occasions to provide information to both the FBI and MI5. Both cases involved potentially imminent threats to life, Whisper said, a practice standard in the tech industry. But privacy experts who reviewed Whisper’s terms of service for the Guardian said the company appeared to require a lower legal threshold for providing user information to authorities than other tech companies.
    http://www.techworm.net/2014/10/whisper-tracking-its-users.html

    Do not believe what they say but what they do, especially after someone proves it and they don't deny it, only change their privacy rules.

  • the other Darkweb: Freenet plans a massive upgrade

    https://www.noname-ev.de/wiki/uploads/9/9b/FreenetSlides.pdf

    This is a very interesting set of slides about the technology and the future of Freenet, which wants to start a massive upgrade to make surveillance a lot more difficult.

  • hacked and leaked lovero.nl - also Belgians

    the passwords are too short not to be broken, even encrypted

  • hacked and leaked (also Belgians) gepl.net

    also Belgians; nobody tested the so-called encryption

  • hacked and leaked : tourism Canada

    login and password without email address

  • hacked and leaked (with Belgians) hairbox.fr

    logins published

  • European Right to forget in Google is used by spies to push information about them deep down

    this is one example 

    but there are thousands of them 

    Now the number of results doesn't really differ, so it is not clear what was removed.

    So either you go to Bing or to Google.com or google.ca, but when you are doing serious research you can't use Google with a European domain extension because you will miss something.

    Maybe there is a tool to compare all the results of the two searches to find the differences.

    The differences between the two searches would be very interesting (and it would make the decision to have only a right to forget in Europe look as stupid as it was, even if for 70% of the searches in Europe it works because Google automatically tries to send you to its national portal and not its international one; you have to set Google.com as default to be sure that you aren't redirected).

    The next move from the defenders of the right to forget is that anyone with a European IP address will automatically always see only the results of the European versions of the search engine.

    That will be the day we can leave Google behind and go to Bing or any other search engine that doesn't want to comply and still indexes the web, or a specialised search engine that only looks for the things that are deleted in Google. If you count the right to forget together with the millions of links to copyrighted files, you have millions of links and so a very attractive database for a very large public (because those copyrighted files are still there, and that is the only reason why they are removed from Google: for the firms it is the fastest way to limit access to these files).


  • hacking a Belgian hospital for a Belgian TV programme is illegal and stupid but....

    First, the Belgian computer crime law is pretty clear: if someone does not have permission to attack your computer or your network, then it is illegal. Even for security researchers and reporters like me it is extremely difficult to do much more than google or use external sources and copy them. The moment we would test the real possibilities to get at the data, it is possible for the subject of our article to attack us. The fact that they wouldn't hesitate for one moment to do so makes it extremely difficult, and has resulted over the last ten years in sometimes very difficult and extremely stressful situations for me and some other security bloggers. In the end we could prevent the complaints and investigations, but the very vague terms of the Belgian computer crime law make it the most efficient censor after all. I know that some security tests in Brussels against public wifi installations were abandoned because, contrary to the situation in other European countries, the legal hurdles were so great that it wasn't worth it. Because in the end it all depends on the judge's interpretation of your intent, and there is no way that you can foresee how any judge would react, even if you think that on paper you have done everything possible to prove that all your intentions were good.

    This is also the reason why we need to have a 'responsible disclosure policy', for which normally the CERT would have to be responsible, but for the moment I don't think they are doing anything. It would change a lot of things, and it would for example make it easier to disclose to the people responsible for the security the things they have to fix, and if they don't answer or take much too long then you have the right to disclose it to the public, putting the pressure on the security people to respond and act on the problems. We don't even want any money for it (for now); just the possibility to give this kind of information and to be sure that it would be treated would already be a great improvement.

    So the hacker on TV was acting illegally and the journalist was acting illegally because he was an accomplice, and the fact that it was on TV shouldn't make it legal. Every time a journalist decides to get a hacker and tries to hack something, would that make it legal and all right? This is not journalism. A journalist can't try to rob a bank just to see if it is possible. He would be arrested and prosecuted. Well, this is the same. Maybe it is time for the Organisation of Journalists to have guidelines about this, because this isn't the first and won't be the last incident.

    But any of the 26.000 victims whose personal information was downloaded, the hospital and its IT firms, or any other victim can go to the FCCU and file a complaint, because someone who wasn't authorized entered the IT system, got access to their files and received them on a computer that wasn't authorized to have them.

    And maybe someone ought to do this; it will make it mandatory for the big news organisations and for the organisations of journalists to have guidelines, and for the hospitals and those responsible for IT security to get their act together.

    The action of the TV programme makers was also stupid, stupid, stupid.

    Stupid because how can you really guarantee that by this hacking or penetration nothing was changed, so that the installation at the hospital or the other installations became more vulnerable, that the hacker created other backdoors, that there is a copy somewhere of the data and that not all data has been destroyed? The only way to be sure is that the hacking is done on a special computer and that the transport of the data is under full control. The other thing is that if you do a penetration test (because this is in fact what it is), you don't really download 26.000 datasets over the network to prove your case: the moment you can show that you have the data and that from the whole database you can download one test set with dummy data that has the same rights as the other data, that is proof enough of success. It is also for this reason that penetration tests are always done in the presence of the security and network people of the infrastructure that will be tested, because you are never sure that something that isn't foreseen will happen or will have unforeseen consequences. In this case the people at the other end who are watching the network and the security installation (and see the penetration happen but won't intervene) will be able to contact the penetration tester and the security people if there are such problems or when it is interfering with other situations. It also makes it possible to intervene if one sees that at the same time another hacker is penetrating or trying to penetrate the network with the same methods (that weren't monitored before). In this case the test can be called off and the operation changes into a discovery and cleanup operation, because you have a real incident and possibly a hacking. When the re-securing has been done afterwards, you can do a new test, even if this one should be harder.

    So no, I don't think that those conditions were met, and so I think there are multiple risks with this operation.

    Another question I have in my mind is whether the security people at the VRT were informed and whether they have been consulted for advice, because if this test does not follow the standards and the VRT is responsible and brought before the courts, then this is another of the questions that will be asked. As a good journalist and as a good housefather, have you taken advice from different people with different perspectives to be sure that enough care and time has been given to the different operational aspects of this investigation?

    And if the security people of the VRT didn't give the advice as described above when they were contacted, then the VRT has a problem.....

    But it shows once again that IT security in Belgium is built upon the fear of a very vague law and a very powerful and competent FCCU, and on investigations that make a headline and then disappear totally afterwards. Everybody thinks that our medical data and ehealth networks are safe because we suppose that this is the case, and we suppose that this is the case because we suppose that there is enough money, enough IT security people, enough external controls and enough guidelines and laws to make it secure.

    It is another proof that this is NOT the case (and now I will hear all the ehealth defenders and business interests say that this is the new world, that this makes it more efficient, that they are doing everything that is possible, that I am paranoid and so on.... (hurting Belgian industry interests and jobs is another one)).

    But I know three things:

    * medical data is for the moment the most valuable data on the black market (and a real business in the US, where certain firms buy or consult it without leaving any fingerprints in the official explanations (for example of why you don't get insurance))

    * medical installations are as buggy and full of security leaks as any other new technology or hardware, because nobody worries about security in the beginning; that always comes much later

    * I only believe what I see, and the e-health process is not transparent and there are not enough external controls and audits (and if there were, they surely didn't go to this place)

    We already mentioned to the privacy commission that there are websites with a logon for doctors and pharmacies that were hacked or hackable, and we have found some Belgian medical information online and transferred that to the CERT and the FCCU (this was a file from a blood transfusion center).

    Because of the law on computer crime we didn't test anything and didn't go any further, and wouldn't advise you to do so either (because you aren't protected by a camera), even if this leaves our medical data and infrastructure vulnerable because there are not enough mandatory independent audits and tests.

  • funrave.com hacked and data leaked online

    on pastebin

  • privacy commission starts an investigation into the data breach of 9lives.be (and how to complain)

    It is confirmed that the Belgian privacy commission has opened an investigation into the data breach of 9lives.be.

    Hardly possible not to do this.

    And the second thing is:

    it is confirmed that if you want to file a complaint (and we would say that this may have some impact, as it will convince the privacy commission that more action is needed and that this kind of thing may not happen again in this way if we are talking about such important social gateways on the web),

    you simply have to send an email to the privacy commission at commission@privacycommission.be

    with the subject

    Klacht hacking 9lives.be (Dutch: "Complaint: hacking 9lives.be")

    with your contact details, that you were a member, and that you want the privacy commission to investigate why your personal data and the forum weren't better secured

     

    each drop is important because together we can make waves....

  • who is responsible for 9lives.be (we are talking about the data of thousands of people)

    Well, who is hosting it (because the hoster has to install the necessary security, like a good housefather, so it becomes more difficult to attack and hack the sites that are hosted on its servers, which it itself secures permanently)?

    And who owns the domain name 9lives.be?

    Well, it is a firm, so they have insurance if they get sued..... should have......

    But who is itaf.eu? Let's look at the propaganda.

    Okay, so there are two more firms who could be held responsible: the owner of the domain name and the firm that was held responsible.

    We have posed them some questions and we are looking forward to their responses.... if any.

    Because someone will be held responsible.

     

  • hacked 9lives.be: if this is a sensible breach notification, then this is a make-believe operation

    from the new forum http://naajn.be/forum/viewtopic.php?f=1&t=2&start=150

    Well, there were 100.000 members according to some sources, but some say that they never got any notification.

    If this had been a serious hacker, the dataset would already have been sold and the data would already be in use, or added to some other datasets to make profiles of people (future victims).

    But according to this post the notification was only sent to the people who were subscribed to their mailing list, not to everybody who was impacted and for whom they had an email address.

    If this is so, then there may be a problem with the breach notification, because according to the Belgian privacy commission the breach notification has to be done to everybody that is impacted within 48 hours (that is 100.000 people if the rumours are right).

    If it was only sent to the people subscribed to the mailing list (and in the absence of much other information from the service provider), one can doubt that they have done exactly what had to be done.

  • 1 million .nl passwords and emails were sold on the darkweb? Check yours (and what is the Belgian CERT doing for the .be emails)

    This is the statement of the Dutch CERT:

    "The National Cyber Security Centre (NCSC) has obtained from Hold Security the domain names and e-mail addresses with a .nl extension. Hold Security earlier indicated via media reports that it had obtained a dataset of 1.2 billion login credentials worldwide, originating from 420.000 vulnerable websites. From its coordinating role and CERT task, the NCSC took action immediately after receiving the data and, together with partners, is informing affected parties."
    https://www.ncsc.nl/actueel/nieuwsberichten/ncsc-verkrijgt-nederlandse-gegevens-van-hold-security.html

    So out of a database of 1.2 billion records from Hold Security, a million had a .nl email address, which makes it clear that you have some connection to Holland.

    You can check if yours is here: https://emailcheck.xs4all.nl/

    This is why it is important that email providers like Yahoo and Google nationalise their domains, so that instead of hundreds of millions of generic .com email addresses it would be easier to identify those that belong to a certain country (and so to a certain CERT).

    It is not clear what the other CERTs are doing, and it is not clear if the 42.000 hacked domains have been notified and if the generic domains are also participating (Google.com and Yahoo.com for example, among many others).

    As we have said before when they made this press declaration, the firm doesn't have the right to keep that data; that data should have been transferred to the data protectors (the CERT and the other institutions) to set up a coordinated action to notify the victims and to block their accounts if necessary to limit the damage.

    They even set up an online form in which you could check if your personal login details were sold online or not (even if this may be very late, as the information was made public in August and the 42.000 emptied

    But there are other questions:

    * Hold Security said it was finding new datasets every week that it was adding to its database; does this mean that the Dutch CERT will receive new .nl logins if they find them?

    * What happens with the data about the .nl people that Hold Security has, and that it has now been officially recognized that they have? Because they are holding on to illegal information about citizens who didn't give them the right to keep that data for themselves. If I interpret the privacy regulations correctly, I didn't give them any right to collect, and surely not to keep, this information.

    And what is even more incredible is that they are asking money to check for me if my email address is in the old and new datasets they are collecting.

    Reminder: if we take all the datasets together that have been stolen in the last 2 to 3 years, then yes, we arrive at nearly a billion (what is more, I even know there are several older data dumps online on TOR). But we should also mention some quality information with the information. If it is an old leak from 2011 then there is little you can do; if the leak is from last week, then there is a big problem and you can still do some things.

    On the other side, Hold Security has become the biggest low-hanging fruit on the internet by collecting all that data. I hope that their security is so strict and monitored that they can keep that information.

  • the hack of 9lives.be shows how important data destruction is

    This is something that firms never want to do:

    destroy the data of people who didn't log in during the last year,

    or destroy the data of people who simply ask for it because they prefer you do that,

    or publish what to do if you are family of a person who has died and you want to keep a copy, mark that he or she is dead, or destroy the data because it no longer makes sense to keep it.

    Destroying data over time will make many data breaches much smaller and less important.

    On the other side it will make the job of the identity thieves easier, because the dead wood is no longer in the database; but these professional data thieves have enough other tools to clean their datasets, if only because those datasets are only worth real money if they are cleaned, which makes the data cleaning worthwhile.

    DESTROY that data.

    No logins for a year? Then just block the account, or just destroy it.

    And imagine how much less data you would have to back up, keep running on your servers, protect and transfer.

    after the right to forget the duty to forget
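    The "no logins for a year, then block or destroy" rule above, as an added example that is neither the blog's nor 9lives.be's code: a retention pass over a constructed in-memory SQLite user table. The 90-day grace period between blocking and destruction is an assumption; the post only asks for blocking or destroying.

```python
"""Retention job: block accounts with no login for a year, then destroy them.

Added example, not the blog's or 9lives.be's code. In-memory SQLite with
constructed rows; the grace period before destruction is an assumption.
"""
import sqlite3
from datetime import date, timedelta

INACTIVE_DAYS = 365  # no login for a year -> block
GRACE_DAYS = 90      # assumed: blocked this long -> destroy


def open_store() -> sqlite3.Connection:
    """Create the sample user table; dates are ISO strings so they sort lexically."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               email        TEXT PRIMARY KEY,
               display_name TEXT,
               pw_hash      TEXT,
               last_login   TEXT NOT NULL,
               blocked_on   TEXT             -- NULL while the account is live
           )"""
    )
    return conn


def seed(conn: sqlite3.Connection, today: date) -> None:
    """Insert constructed rows covering each branch of the policy."""
    def ago(days: int) -> str:
        return (today - timedelta(days=days)).isoformat()

    rows = [
        ("active@example.com", "Active", "h1", ago(10), None),         # untouched
        ("stale@example.com", "Stale", "h2", ago(400), None),          # gets blocked
        ("gone@example.com", "Gone", "h3", ago(500), ago(100)),        # destroyed
        ("fresh_block@example.com", "Fresh", "h4", ago(380), ago(5)),  # blocked, kept
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()


def apply_retention(conn: sqlite3.Connection, today: date) -> dict:
    """One pass of the policy. Destruction runs first so an account blocked
    today is never destroyed in the same pass; blocking also drops the
    password verifier so a later dump carries no reusable credential."""
    login_cutoff = (today - timedelta(days=INACTIVE_DAYS)).isoformat()
    block_cutoff = (today - timedelta(days=GRACE_DAYS)).isoformat()
    cur = conn.cursor()
    destroyed = cur.execute(
        "DELETE FROM users WHERE blocked_on IS NOT NULL AND blocked_on <= ?",
        (block_cutoff,),
    ).rowcount
    blocked = cur.execute(
        "UPDATE users SET blocked_on = ?, pw_hash = NULL "
        "WHERE blocked_on IS NULL AND last_login <= ?",
        (today.isoformat(), login_cutoff),
    ).rowcount
    conn.commit()
    remaining = cur.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return {"destroyed": destroyed, "blocked": blocked, "remaining": remaining}


def run_demo(start: date = date(2014, 10, 20)) -> list[dict]:
    """Seed the table, run the pass twice on the same day, then once after the
    grace period has elapsed; returns the three reports."""
    db = open_store()
    seed(db, start)
    first = apply_retention(db, start)
    again = apply_retention(db, start)  # idempotent: nothing left to do today
    later = apply_retention(db, start + timedelta(days=GRACE_DAYS + 1))
    return [first, again, later]


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

    The second pass on the same day changes nothing, and the pass after the grace period destroys the accounts blocked earlier while leaving the still-active one alone.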