Like a compromised sewage conduit, Coinhive's morally questionable Monero-mining scripted architecture (as evidenced by the successful DNS attack on the organization's site) is now poisoning the body politic with (both) the inherent evil of their product and their apparent collective security stupidity. Witness the group's latest DNS breach explanatory blog post. Astounding... Where is Dr. Evil when we need him?
The single most egregiously flawed information security decision (Equifax comes to mind...) by a large company in 2017? Read Chris Davies' superlative piece on SlashGear, detailing the recent Google decision to segment security provisioning. Read it and Weep, My Friends, for it is, by far, The Show that Never Ends.
"Google is readying special security tools for its high-profile users, reports claim, going beyond mere two-factor authentication. The development comes as investigations into the political impact of alleged Russian hacking during the US election in 2016 continue, alongside other high-profile attacks on data. However, according to insiders, Google plans to target its new system at a specific subset of users. Those, people familiar with Alphabet-owned Google’s plans tell Bloomberg Technology, are being described as “corporate executives, politicians and others with heightened security concerns.” It will build on the company’s existing USB Security Key support. Rolled out in 2014, the USB-based system demanded a physical dongle be plugged into a computer in addition to a password or secure code before access to a Google account was granted." via Chris Davies writing at SlashGear
Via gHacks author Martin Brinkmann comes the astonishing tale of deeply flawed user data management at the Mozilla Foundation. Along with the Foundation's Firefox browser Resource and Web Extension data leakage woes, now comes a highly user-antagonistic decision to commence collecting user browsing data on an opt-out basis. Truly this week's evidence that Blatant Stupidity still exists in the browser world.
"Mozilla's Georg Fritzsche published information on the plan to collect additional data yesterday on the Mozilla Governance group. In it, he describes the issue that Mozilla engineers face currently. While Firefox may collect the data when users opt-in, Mozilla believes that the data is biased and that only data collecting with opt-out would provide unbiased data that the engineers can work with. Questions that this data may help answer include "which top sites are users visiting", "which sites using Flash does a user encounter", and "which sites does a user see heavy Jank on" according to Fritzsche." excerpt via Martin Brinkmann writing at gHacks
News - Rick Falkvinge, writing at the Privacy News Online Blog (a blog run by Virtual Private Network company Private Internet Access), regales us with the sorry tale of the Kingdom of Sweden's government-data-gone-wild; in this case, the wild is the IBM Cloud infrastructure.
Take heed, my friends in the 'digital transformation' world, and do not weep for the Swedish Government and IBM (by the way - as of this writing, while the issues still exist, there is a way out for future efforts, and possibly for the noted debacle):
For without the crucial components of attention to detail and truly effective security automation - coupled with meticulous security architecture and the all-important expert execution by competent security professionals - you might as well be hosting your data in the open for all to see - Just Like The Swedes. Simply Astounding. H/T
"At present, these databases are known to have been exposed, by moving them to “The Cloud” as if it were just a random buzzword: The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields); Names, photos, and home addresses of fighter pilots in the Air Force; Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified; Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams; Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons; Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;" via Rick Falkvinge, writing at Privacy News Online Blog
Meanwhile, in incompetent application security testing news, comes this astonishing example of blatant coding stupidity - Microsoft Corporation's (NasdaqGS: MSFT) crack team of questionable-capability-developers (have these people heard of fuzzers?) unleashed a deeply flawed Windows Defender product on millions of customers.
As luck would have it (if you believe in that sort of thing), the product was patched just months after the faulty codebase was wrapped-up-all-pretty-like. The flaw was discovered by security researcher Tavis Ormandy of Google Project Zero fame; his report (and closure of same) on 2017/06/23 is today's proof that - at the very least - there are Security Researchers Doing The Right Thing.
Decisions. Deeply Rooted (apparently) in Incompetence
News, via El Reg staff reporter Shaun Nichols, detailing the deep security ignorance on the part of Republican Party contractor research firm Deep Root Analytics. Storing nearly 200 million voter registration records in unencrypted form, on a publicly accessible S3 bucket, certainly sets the bar to a new low in custodial security oversight, don't you think? Harsh, you may ask? Read the El Reg post for the full details... H/T
Via the eponymous Iain Thomson, whilst plying his trade at El Reg, comes this astonishing tale of the profoundly stupefying incompetence at Microsoft Corporation (NasdaqGS: MSFT) in regards to the Redmond, Washington software leviathan's askew morality... This time, focused on the company's complaints targeting the National Security Agency's stockpiling of exploitation bits, while also dancing the stockpile two-step itself... Simply astounding.
"Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor" - via Iain Thomson writing at El Reg
Charlie Demerjian, writing at SemiAccurate, tells the tale of probably the single most egregious flaw in Intel Corporation (Nasdaq: INTC) products discovered to date. Reportedly, all Intel Corporation products from 2008 to the present (Nehalem through Kaby Lake) possess the remotely and locally exploitable flaw. Hat Tip Update: Now Fixed.
Further proof that the End-Of-The-World-Is-Near: Microsoft Corporation's (NasdaqGS: MSFT) LinkedIn just released a new update for the Company's already slightly-suspicious mobile app that permits Bluetooth connectivity (for location tracking) to fellow LinkedIn members. Reportedly, the feature does not require the app to be running... What could possibly go wrong?
Ladies and Gentlemen, Girls and Boys: Behold the list of both United States Senators and United States House of Representatives that voted to sell out your personal information while online (i.e., your precious online privacy) for monetary gain.
Each surname noted below links to that Senator or Representative's contact page, to make it super-easy to let them know what you think. Oh, and for you parents, grandparents and guardians: this includes all data requests coming from your home, i.e., your children's data will also be swept up in this nightmare maelstrom example of the surveillance state. Enjoy.
Senate of the UNITED STATES of AMERICA
YEA -- 50
U.S. Senate Roll Call Votes 115th Congress - 1st Session
Question: On the Joint Resolution (S.J. Res. 34 )
HOUSE OF REPRESENTATIVES of the UNITED STATES OF AMERICA
YEA -- 215
McMorris Rodgers (R-WA)
Incredible, but true. The search functionality of Microsoft Corporation's (NasdaqGS: MSFT) Docs.com server platform exposes the Personally Identifiable Information of hundreds - perhaps thousands - of users... Does Microsoft Corporation believe that dropping search functionality will relieve the Corporation of risk?
Why weren't prudent safeguards put in place to protect the Corporation's users (and the Corporation as well)? At the very least, a check for PII to assist in mitigating the exposure (risk-wise) to the Corporation? Do they check for malware or evil embedded macros in these documents? Who forgot to check for PII? Was the Corporation's well-seasoned Legal Department part of the sign-off process for this debacle?