Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


DHS Stored Bioterrorism Data On Unsecured Servers

September 04, 2019 by Marc Handelman in Government Incompetence, Information Security, Information Insecurity, Must Read

via Emily Baumgaertner, reporting for The Los Angeles Times, comes a tale of deep incompetence at the Department of Homeland Security (additional evidence of stupidity, with requisite bonus points, in the revelation that the source and destination of any data egress are unknown, as is, of course, attribution). Most certainly Today's Must Read.

'The information — housed on a dot-org website run by a private contractor — has been moved behind a secure federal government firewall, and the website was shut down in May. But Homeland Security officials acknowledge they do not know whether hackers ever gained access to the data.' - via Emily Baumgaertner, reporting for The Los Angeles Times


Hoax'd

August 30, 2019 by Marc Handelman in Information Insecurity, Information Hoaxes, Web Hoaxes, False Information

via Paris Martineau, writing at the eponymous Wired Magazine, comes this fascinating examination of why people are duped by hoaxes, specifically in this case, of the internet-based viral type. Today's Must Read.


Boeing - Say It Ain't So...

August 12, 2019 by Marc Handelman in Corporate Accountability, Information Insecurity, Manufacturing Security, National Security

via Andy Greenberg comes a particularly troubling piece, written for Wired, in which Mr. Greenberg details the litany of ineptitude by Boeing Company (NYSE: BA) in securing the code running the company's 787 airframe. Deeply troubling is the operative term in use here, don't you agree? H/T

"...security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see." - via Andy Greenberg's outstanding piece, crafted for Wired


US-Based Company Marketing BlueKeep Exploits, Reportedly Used To Facilitate Pentesting Infected Systems

July 29, 2019 by Marc Handelman in Flogging Evil, Information Insecurity

Sounds Legit.... via Sesin


Facebookery: All The Many Datas of Zuckerberg

May 29, 2019 by Marc Handelman in Facebookery, Zuckerberged!, Information Insecurity, Corporate Evil, Corruption

via Sam Biddle, writing at The Intercept, comes this astonishing story of manifest Facebookery firmly situated within the rarified telecom world of data sharing between and betwixt the telecom leviathans and that scourge of privacy Facebook, Inc. (Nasdaq:FB). h/t

“What they’re doing is filtering Facebook users on creditworthiness criteria and potentially escaping the application of the Fair Credit Reporting Act. … It’s no different from Equifax providing the data to Chase.” - via Sam Biddle, reporting for The Intercept, with this superb article


ASUS Cloud Services: Backdoor In Motion

May 20, 2019 by Marc Handelman in Cloud Security, Information Insecurity, Security Incompetence, Must Read

via the eponymous Dan Goodin, writing at Ars Technica, comes news of a cloud solution gone spuriously out-of-control. Certainly a clear-enough indication the 'Cloud' is not to be trusted, at any time, nor from any vendor - regardless of claims to the contrary. Today's Must Read.


Facebookery, The Hoovering

April 19, 2019 by Marc Handelman in Blatant Incompetence, Information Insecurity, Data Theft, Zuckerberged!

Another day, another data thievery revelation at Facebook, Inc. (Nasdaq: FB). It's time for our national law enforcement agencies to take action and act in the manner they would against any other organized criminal enterprise. Raid the corporate headquarters, arrest, detain, interrogate and incarcerate the C-level personnel (including recently separated personnel) and prosecute. Then there's this well-crafted explanatory post at The Hacker News providing another take on the company's criminal behaviors...

'An anonymous security researcher, who sports the handle e-sushi on Twitter, first noticed that the company was asking some new users to enter their email passwords to verify their identities, a deeply anti-security request even on its own. Business Insider then spotted that if you did this a dialogue box popped up warning you – with no chance to cancel, pause or opt out – that it was importing all your contacts.' - via John Oates reporting for El Reg


Sub-Vocalization Aware Smart Speakers: Little Brother Has Arrived

April 18, 2019 by Marc Handelman in Sarcasm, Death of Privacy, Information Insecurity

In perhaps the most singularly snarky (yet fundamentally true) privacy piece targeting privacy-invading smart devices posted on El Reg in the past couple of weeks, comes reporter Alistair Dabbs' jaundiced (and highly entertaining) tech-askew world view of so-called 'smart speakers' and the other detritus emanating from the 'robber-baron age of tech'. Enjoy.

"Some 14 years after the publication of NASA-linked research on sub-vocal speech recognition, the genre is currently enjoying a bit of a revival. In the near future, you will acquire the valuable skill to accidentally tell Alexa to buy 400 rolls of toilet paper simply by clearing your throat." - via Alistair Dabbs' privacy piece posted at The Register


No-Tel Mo-Tel? Motel 6 Settles State of Washington Lawsuit With $12,000,000 Payment

April 06, 2019 by Marc Handelman in Death of Privacy, Information Insecurity, Governed By Imbeciles, Must Read

via Chris Morris' well-crafted reportage at Fortune, comes the story of illegal data sharing engaged in by Motel 6, and the $12,000,000 price tag the company coughed up in settlement fines to the State of Washington. I guess they might not be 'leaving the light on for you' - for a while... Today's Must Read.

"Motel 6 will take a $12 million hit for allegedly sharing the personal information of about 80,000 guests with immigration officials without the knowledge or permission of those customers. The chain has settled a lawsuit brought by the state of Washington over the controversial policy of seven of its hotels in that state between 2015 and 2017. The company has also said it will stop the practice of handing over guest information without a subpoena or warrant, unless it believes someone is in imminent danger." - via Chris Morris, at Fortune


For Whom The Bell Tolls? It Tolls For The 540 Million Facebook Users Whose Data Is Now Public

The Deathknell of Facebook? Nope, Nothing to See Here Except Another 540 Million Users Exposed

April 04, 2019 by Marc Handelman in Information Insecurity, Facebookery

Is this the final outrage, or are there more to come? h/t


Windows 10, IoT Core Test Subsystem Permits Device Control Seizure

March 06, 2019 by Marc Handelman in Information Insecurity, IoT Insecurity

Why, Oh Why, Did I Take The Blue Pill... via BleepingComputer writer Sergiu Gatlan comes research output by SafeBreach security researcher Dor Azouri; note that the tests are focused on the ARM-based release, not the x86-64 product. More information is available at the project's GitHub site. Additionally, Dor's white paper detailing the project is available under the title "SirepRAT: RCE as SYSTEM on Windows IoT Core", a truly outstanding security project; and a H/T to Sergiu Gatlan for his original superb reporting.


Which Mark Zuckerberg are you listening to today?

The Many Splendored Delusions of Mark Zuckerberg

February 08, 2019 by Marc Handelman in Facebookery, Information Insecurity, Conflation

via Timothy B. Lee, writing at Ars Technica, comes this outstanding, on-target examination of the apparent delusional world Mark Zuckerberg works and lives in... Key Point: The conflation of Facebook (NYSE: FB) and the Internet. Read it and weep my friends, it's the show that never ends...

"Zuckerberg employed one of his favorite rhetorical tricks for defending Facebook: conflating Facebook with the Internet as a whole. It's true, as Zuckerberg writes, that the Internet has made the world more connected and that this has had a lot of positive consequences (as well as some negative ones)." - via Timothy B. Lee, writing at Ars Technica, in this outstanding story of delusional Facebook leadership


No, Binky, it’s just a cute bug!

Malwarebytes Releases State of Malware Report

January 30, 2019 by Marc Handelman in Malware Research, Information Insecurity

Information theft is now prevalent, according to the 2019 State of Malware Report, created annually by Malwarebytes. Enjoy!

"While cryptomining died down by the second quarter, a new set of threats were eager to take its place: information stealers. These former banking Trojans— especially Emotet and TrickBot—evolved into droppers with multiple modules for spam production, lateral propagation through networks, data skimmers, and even crypto-wallet stealers." - via Malwarebytes' 2019 State of Malware Report


Japan Government Set To Hack Citizen Owned IoT Devices

January 29, 2019 by Marc Handelman in Information Insecurity, IoT, IoT Security

In preparation for the country's 2020 Olympics (and - ostensibly - in order to avoid catastrophic numbers of IoT-vectored attacks during the Olympic events)... Probably about 5 years too late, though, as the enormity of fixing the problems may be insurmountable even for the Japanese Governmental Security Groups, who are well-known for attention to detail. Regardless, there will certainly be an enormous number of surprises and what-not in their targeted bailiwick of connected devices. H/T


Weak-Kneed GoDaddy Security Implementation Permits Large-Scale Email Bomb Threat Transmissions

January 28, 2019 by Marc Handelman in Blatant Incompetence, Information Insecurity

via the highly respected Dan Goodin - Security Editor at Ars Technica - comes the story of a fundamental design weakness at GoDaddy, Inc. (NYSE: GDDY), which permitted thousands of domains registered at GoDaddy, Inc. to be hijacked, leading to bomb-threat emails being processed and delivered on December 13, 2018 (email-serving related data is contained in DNS records - which is not the flaw specifically).

Perhaps a modicum of diligence in ferreting out flaws (ideally on a continuous basis), instead of focusing on creating bullshit-laden advertising touting your company's misaligned-to-reality information security architecture and engineering capabilities, is in order, GoDaddy, Inc.... Let's get those priorities aligned correctly, and you'll end up with a posture that's squared-away.
