Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Apple, Inc. - Guardian Of All-Things Privacy 'Suspends' Leaky App

July 15, 2019 by Marc Handelman in Information Security, Must Read, Data Leakage

Dan Goodin, wielding the proverbial Pen of Truth, whilst writing of-all-things Security at Ars Technica, has published a superlative piece on the privacy and security related foibles of Apple, Inc. (NASDAQ.com: AAPL). This time the target is Apple's suspension (whatever that means) of the WatchOS app monikered 'Walkie-Talkie'. Today's Must Read.

The McSweeney Effect: Writer Offers Up Personal Data (Direct Purchase Only)

October 16, 2018 by Marc Handelman in Security Humor, Data Leakage, By Design

Lucas Gardner, writing at the mildly superlative McSweeney's, is the culprit behind this data-access missive. It offers a Sliding Scale package structure, and certainly The-Best-Data-Slurp-Deal-On-The-Market, ranging from the smallest dataset level for Mr. Gardner's atomic-level datum - monikered 'The Grain of Salt' package (currently quoted at a single Buck) - all the way up to 'The Jackpot' data package (at twenty Large). All, of course, are truly Today's Must Read!

In today’s “digital landscape” (a phrase that I came up with by myself), everyone’s personal information is for sale. Internet service providers, search engines, and social networks are selling everything there is to know about someone to companies every day so that they can use it for marketing. It’s a really solid business model and I respect it, but if any companies out there are trying to buy my personal information I would prefer they do it from me directly. - via Lucas Gardner, writing at McSweeney's

Serial Dataleak Offender mSpy Spouts A New(ish) River of Data

September 06, 2018 by Marc Handelman in Data Leakage, Information Security

Brian Krebs's prose sums this issue up with cheerful alacrity: Examine - if you will - his blog post detailing the multiple offender mSpy Data Leakage Debacle. Simply Astounding.

PowerHammer, The Mains Exploitation →

April 16, 2018 by Marc Handelman in Information Security, Cybersecurity, Data Leakage, Education, Security Science, Security Research, State of Israel, Must Read, Security Leadership

A new research paper has attracted my attention at arXiv.org, from Mordechai Guri, Boris Zadov, Dima Bykhovsky and Yuval Elovici, all from the astonishingly prolific Ben-Gurion University of the Negev, in southern Israel's blooming desert - the Negev. Interestingly, all work in the Cyber-Security Research Center, a component - if you will - of the Department of Software and Information Systems Engineering.

This is one of those seemingly easy-to-grasp, easy-to-execute attacks (for the right entities, and with the apropos hardware and software exfiltration tools) in which data may be slurped up, with minimal invasive telltale artifacts left behind, simply by sampling the modulated goodness of the electrical power connection to the targeted device.

Importantly, this form of attack would be devastating to the target, which has essentially no in-built intrusion defense watching over the electrical power flow into the machine's PDU (other than the usual gatekeeping set up around and amongst whatever payload is being sought: think directory services, database passwords, API security, tokens, et cetera). Certainly, today's Must Read.

What, Me Worry? Car Data, Where Does It Go... →

February 25, 2018 by Marc Handelman in Data Classification, Data Leakage, Data Driven Security, Data Science, Data That Wants To Be Big, Database Security, Information Security

Where does all of that data gathered by car manufacturers while we drive go? Perhaps Jonathan M. Gitlin, reporting for everyone's beloved Ars Technica, can fulfill that data request in a speedy manner! Shouldn't the driver/owner of the vehicle make that decision? Enjoy.

Ubuntu, The Collector →

February 17, 2018 by Marc Handelman in Data Leakage, Linux, Linux Security, Must Read, Information Security, Demise of Privacy, Privacy

Martin Brinkmann, writing at gHacks, illuminates the questionable data gathering efforts by Canonical, producers of Ubuntu Linux. Read Martin's concise examination of the issue, which - most certainly - is Today's Must Read.

Fast Times At Grammarly High... →

February 07, 2018 by Marc Handelman in All is Information, Code Review, Code, Data Leakage, Information Security, OpenSAMM, SAMM

Tavis Ormandy (a member of Google’s Project Zero organization) found and reported the offending Grammarly code, which Grammarly fixed (reportedly, per Tavis) in record time. A small bit of advice for Grammarly, and others: Have your code thoroughly examined by systems adhering to the OpenSAMM or SAMM model. It may save your hocks someday... Today's Must Read over at Graham Cluley's blog. Thanks Graham and Trey!

Becca Ricks' 'How Paypal Shares Your Data' →

January 22, 2018 by Marc Handelman in Accountability, Bulk Data Collection, Complexity, Corporate Evil, Data Mining, Data Leakage, Data Discovery, Information Security

Rebecca (Becca) Ricks has published a highly informative interactive graphic (along with the data source) detailing the Paypal data sharing efforts, in which your data is published to a multitude of entities. Astonishing.

Folks, the easiest method to explore this super-graphic is to click this post's title, or the "published" link above, and magically visit the interactive graphic on Ms. Ricks' site. Rated Highly Entertaining by Infosecurity.US!

Thanks for the H/T!

The Banning →

October 12, 2017 by Marc Handelman in Data Leakage, Data Loss Prevention, Information Security, Mobile Security, Mobile Networks, Mobile Telephony

Behold, the top banned (i.e., blacklisted by the Enterprise) iOS and Android mobile applications with data generated by Appthority.

'According to Appthority’s proprietary Mobile Threat Risk Score, Uber, WhatsApp Messenger and Facebook Messenger are the riskiest Android apps commonly found in enterprise environments. The riskiest iOS apps found in enterprises are Facebook, Pandora and Yelp.' - via Helpnet Security

Bot, The Lip Reader →

September 07, 2017 by Marc Handelman in Data Leakage, Bots, Information Security

Holy Mackerel, what next? Traversing the ubiquitous Drive-Thru with the kids in tow whilst a bot gazes upon your lips and commences cogitating upon same - when ordering the biter in back the McNugget of choice - no sauce, please? Luckily, the sturm und drang of the sign-mounted intercom will likely remain, thus facilitating the notion of participation in a silicon conversation... via ZDNet's Robin Harris comes Today's Must Read.

In the paper Lip Reading Sentences in the Wild, researchers Joon Son Chung, of Oxford University, Andrew Senior, Oriol Vinyals, and Andrew Zisserman, of Google, tested an algorithm that bested professional human lip readers. Soon, surveillance videos may not only show your actions, but the content of your speech. - via ZDNet's Robin Harris

The Disingenuous →

August 15, 2017 by Marc Handelman in All is Information, Data That Is Big, Data Security, Data Leakage, Data Driven Security, Information Security

Do you unequivocally trust iRobot with your personal data, including internal mapping of your home? Read this post to learn more.

Deep Root Analytics Twitter Account...

GOP Contractor Exposes 198 Million US Voter Records

June 20, 2017 by Marc Handelman in Blatant Stupidity, Data Leakage

Decisions. Deeply Rooted (apparently) in Incompetence

News, via El Reg staff reporter Shaun Nichols, detailing the deep security ignorance on the part of Republican Party contractor research firm Deep Root Analytics. Storing nearly 200 million voter registration records in an unencrypted form, on an accessible S3 bucket, certainly sets the bar to a new low in custodial security oversight, don't you think? Harsh, you may ask? Read the El Reg post for the full details... H/T

Clouding Up →

June 01, 2017 by Marc Handelman in All is Information, Data Classification, Data Driven Security, Data Leakage, Data Security, Espionage, Government, Information Security, Information Technology, USNGA

via Gizmodo investigative reporter Dell Cameron comes the astounding news of the systemic incompetence in properly handling secret documents and other artifacts stored within the cloud (in this case, AWS S3 Buckets) by a well-established contractor to the National Geospatial-Intelligence Agency (NGA). Certainly, a first-rate example of an Expanding Cloud of Lethal Stupidity (ECOLS).

Where does the organization in question fall within the Noel Burch Hierarchy of Competence model? Should the culprits in this scenario be prosecuted? You be the judge. Truly astounding, indeed.

"A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance." - via Gizmodo reporter Dell Cameron

Ad Blocker Data Leakage →

April 18, 2017 by Marc Handelman in All is Information, Data Leakage, Adware, Advertising

Reportedly, there is a method to identify users through the utilization of ad blocking browser plugins and applications. Not particularly surprising, given the already intrusive nature of advertising in general...

Goatse of Cloudbleed →

February 27, 2017 by Marc Handelman in All is Information, Web Security, Information Security, Data Security, Data Leakage, Must Read

via the eponymous Phoneboy comes his take on the latest security foible of a major backend provider (in this case Cloudflare), entitled 'Cloudflares with a Chance of Goatse', in which Mr. Welch-Abernathy explains it all, in inimitable form. Today's Must Read.

Mozilla Firefox Certificate Cache Coughs Up Credentials →

February 24, 2017 by Marc Handelman in All is Information, Cruft, Data Leakage, Poor Coding Practices, Application Security, Web Security

Meanwhile, in cruft news...

A Tale of Cruftery

First discovered by security researcher Alexander Klink, and discussed on his shift or die blog, the leakage documentation he has amassed is a tour de force in correct handling of the discovery. Mozilla's response has been a tad lackadaisical and (disappointingly) still in telemetry-data-gathering mode as of this post.

The Workaround

Superb work by Alexander; nonetheless, he does suggest regularly cleansing your browser user profile (if you are so unlucky as to be using the browser under scrutiny, yet most likely a good idea on any browser). There are many tools available that deal with the cache-cleaning task (both scripted and manual, GUI-based and not, both in-built and otherwise). Enjoy the cruft. H/T

33c3, Wolfie Christl's 'Corporate Surveillance, Digital Tracking, Big Data & Privacy' →

January 26, 2017 by Marc Handelman in All is Information, Conferences, Data That Is Big, Big Data, Data Leakage, Demise of Privacy, Corporate Evil, Surveillance, Bulk Data Collection, Information Security
Leakage

October 13, 2016 by Marc Handelman in All is Information, Data Leakage, Information Security

Competently packaged example of 'social media' data leakage. Hat Tip!

Sophos, Power Grid Workers Expose Sensitive Information →

January 26, 2016 by Marc Handelman in All is Information, SCADA, Data Leakage, Information Security

Originally brought to my beleaguered attention by the inimitable Bob Radvanosky at Infracritical's SCADASEC comes this well-wrought news piece from SOPHOS' NakedSecurity blog author Lisa Vaas, illuminating the truly idiotic behaviors by workers in the Power Generation business...

TedX HK, Trampes' Data

December 17, 2015 by Marc Handelman in All is Information, Data Security, Data Leakage, Education, Information Security