Information Security with Occasional Forays into Other Realms
Dan Goodin, wielding the proverbial Pen of Truth, whilst writing of-all-things Security at Ars Technica has published a superlative piece on the privacy and security related foibles of Apple, Inc. (NASDAQ.com: AAPL). This time targeting Apple's suspension (whatever that means) of the WatchOS app monikered 'Walkie-Talkie'. Today's Must Read.
Lucas Gardner, writing at the mildly superlative McSweeney's is the culprit on this data-access-missive. With a Sliding Scale package structure, and certainly The-Best-Data-Slup-Deal-On-The-Market; ranging from the smallest dataset level for Mr. Gardner's atomic-level datum - monikered 'The Grain of Salt" package (currently quoted at a single Buck) all the way up to "The Jackpot" data package (at twenty Large). All, of course, are truly Today's MustRead!
In today’s “digital landscape” (a phrase that I came up with by myself), everyone’s personal information is for sale. Internet service providers, search engines, and social networks are selling everything there is to know about someone to companies every day so that they can use it for marketing. It’s a really solid business model and I respect it, but if any companies out there are trying to buy my personal information I would prefer they do it from me directly. - via Lucas Gardner, writing a McSweeney's
Brian Krebs's prose sums this issue up with cheerful alacrity: Examine - if you will - his blog post detailing the multiple offender mSpy Data Leakage Debacle. Simply Astounding.
A new research paper has attracted my attention at arXiv.org; and from Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici, all from the astonishingly prolific Ben-Gurion University of the Negev, in southern Israel's blooming desert - the Negev. Interestingly, all working in the Cyber-Security Research Center a component - if you will - of the Department of Software and Information Systems Engineering.
This is one of those seemingly easy to grasp, easy to execute (for the right entities, and with the apropos hardware and software exfiltration tools) in which, data may be slurped-up, with minimal invasive telltale artifacts left behind, simply from sampling the modulated goodness of the electrical power connection to the targeted device.
Importantly, this form of attack would be devestating to the target, of which, has essentially no in-built incusion defense watching over the electrical power flow into the machies PDU (other than the usual gatekeeping set up around and amongst whatever payload is being sought (think diretory services, database passwords, API security, tokens, et cetera). Certainly, today's Must Read.
Where does all of that data gathered by car manfacturers while we drive? Perhaps Jonathan M. Gitlin, reporting for everyone's beloved Ars Technica can fulfill that data request in a speedy manner! Shouldn't the driver/owner of the vehicle make that decision? Enjoy.
Martin Brinkmann, writing at gHacks, illuminates the questionable data gathering efforts by Canonical, producers of Ubuntu Linux. Read Martin's concise examination of the issue, of which - most certainly - is Today's Must Read.
Tavis Ormandy (a member of Google’s Project Zero organization) has found, reported and the offending Grammarly code fixed by Grammarly (reportedly by Tavis) in record time). A small bit of advice for Grammarly, and others: Have your code thoroughly examined by systems adhereing to the OpenSAMM or SAMM model. It may save your hocks someday... Today's Must Read over at Graham Clueley's blog. Thanks Graham and Trey!
Rebecca (Becca) Rick's has published a highly informative interactive graphic (along with the data source) detailing the Paypal data sharing efforts, in which, your data is published to a multitude of said entities. Astonishing.
Folks, the easiest method to explore this super-graphic is to click this post's title, or the "published" link above, and magically visit the interactive graphic on Ms. Rick's site. Rated Highly Entertaining by Infosecurity.US!
Thanks for the H/T!
Behold, the top banned (i.e., blacklisted by the Enterprise) iOS and Android mobile applications with data generated by Appthority.
'According to Appthority’s proprietary Mobile Threat Risk Score, Uber, WhatsApp Messenger and Facebook Messenger are the riskiest Android apps commonly found in enterprise environments. The riskiest iOS apps found in enterprises are Facebook, Pandora and Yelp.' - via Helpnet Security
Holy Mackerel, what next? Traversing the ubiquitous Drive-Thru with the kids in tow whilst a bot gazes upon your lips and commences cogitating upon same - when ordering the biter in back the McNugget of choice - no sauce, please? Luckily, the sturm und drang of the sign-mounted intercom will likely remain, thus facilitating the notion of participation in a silicon conversation... via ZDNet's Robin Harris comes Today's Must Read.
In the paper Lip Reading Sentences in the Wild, researchers Joon Son Chung, of Oxford University, Andrew Senior, Oriol Vinyals, and Andrew Zisserman, of Google, tested an algorithm that bested professional human lip readers. Soon, surveillance videos may not only show your actions, but the content of your speech. - via ZDNet's Robin Harris
Do you unequivocally trust iRobot with your personal data, including internal mapping of your home? Read this post to learn more.
Deep Root Analytics Twitter Account...
News, via El Reg staff reporter Shaun Nichols, detailing the deep security ignorance on part of Republican Part contractor research firm Deep Root Analytics. Storing nearly 200 million voter registration records in an unencrypted form, on an accessible S3 bucket certainly sets the bar to a new low in custodial security oversight, don't you think? Harsh you may ask? Read the El Reg post for the full details... H/T
via Gizmodo investigative reporter Dell Cameron, comes the astounding news of the systemic incompetence in properly handling secret documents and other artifiacts stored within the cloud (in this case, AWS S3 Buckets) by a well established contractor to the National Geospatial-Intelligence Agency (NGA). Certainly, a first-rate example of an Expanding Cloud of Lethal Stupidity (ECOLS).
Where does the organization in question fall within the Noel Burch Hierarchy of Competence model?. Should the culprits in this scenario be prosecuted? You be the judge. Truly astounding, indeed.
"A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance." - via Gizmodo reporter Dell Cameron
Reportedly, there is a method to identify users through the utilization of ad blocking browser plugins and applications. Not particularly surprising, given the already intrusive nature of advertising in general...
via the eponymous Phoneboy, comes his take on the latest security foible of a major backend provider (in this case Cloudflare), entitled 'Cloudflares with a Chance of Goatse', Mr. Welch-Abernathy explains it all, in imitiable form. Today's MustRead.
Meanwhile, in cruft news...
First discovered by security researcher Alexander Klink, and discussed on his shift or die blog, the leakage documentation he has amassed is a tour de force in correct handling of the discovery. Mozilla's response has been a tad lackadaisical and (disappointlingly) still in telemetry data gathering mode as of this post.
Superb work by Alexander; nonetheless, he does suggest regular cleansing your browser user profile (if you are so unlucky as to be using the browser under scrutiny, yet most likely, a good idea on any browser). There are many tools available that deal with the cache cleaning task (both scripted and manual, GUI-based and not, both in-built and otherwise). Enjoy the cruft. H/T
Originally brought to my beleagured attention by the inimitable Bob Radvanosky at Infracritical's SCADASEC, comes this well-wrought news piece from SOPHOS' NakedSecurity blog author Lisa Vaas. Illuminating the truly idiotic behaviors by workers in the Power Generation business...
