F*c*book Really Hates Security

When F*c*book screws up, they don’t do it in small measures. Facebook: we logged 100x more Instagram plaintext passwords than we thought.

Millions of users, not tens of thousands, were impacted.

The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.

This is Data Security 101. It may be Programming 101. Not logging passwords in plaintext has been a rule for a very long time, measured in decades. But given that F*c*book doesn’t care the least little bit about privacy or your security, why the hell would they care?
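To make the 101 concrete, here is an added example (my code, not anything from Facebook or the linked article) showing how the leak happens and what the correct pattern looks like. It assumes a toy in-memory user store and constructed login requests: the leaky handler logs the whole request body, so the plaintext password lands in the log; the safe handler redacts credential fields before logging and stores only a salted scrypt hash, which is all you need to verify a password later. A small scanner at the end flags log lines that already contain unredacted credential fields, which is the check you would run over existing logs to find this class of bug.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# In-memory log sink so the example can inspect what each handler wrote (constructed for this example).
_log_buffer = StringIO()
logger = logging.getLogger("login-example")
logger.setLevel(logging.INFO)
logger.propagate = False
logger.handlers.clear()
logger.addHandler(logging.StreamHandler(_log_buffer))

# Toy user store: username -> (salt, scrypt hash). Constructed for the example; a real system uses a database.
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard password hash; parameters are modest so the example runs quickly.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> None:
    """Store only a per-user random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Recompute the hash for the supplied password and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def login_leaky(request: dict) -> bool:
    """The anti-pattern: logging the whole request body writes the plaintext password to the log."""
    logger.info("login attempt: %s", request)
    return verify(request["username"], request["password"])


SENSITIVE_FIELDS = {"password", "passwd", "pass", "token"}


def redact(request: dict) -> dict:
    """Replace credential-like fields with a marker before the request is logged anywhere."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_FIELDS else v) for k, v in request.items()}


def login_safe(request: dict) -> bool:
    """Log only the redacted request; the password exists in memory just long enough to verify it."""
    logger.info("login attempt: %s", redact(request))
    return verify(request["username"], request["password"])


# Matches key/value pairs such as 'password': 'x', password=x or "token": "x" in a log line.
_CRED_RE = re.compile(r"""['"]?(password|passwd|pass|token)['"]?\s*[:=]\s*['"]?([^'",}\s]+)""", re.I)


def find_credential_leaks(log_text: str) -> list:
    """Return (line_number, field_name) for every credential-like field whose value is not redacted."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for match in _CRED_RE.finditer(line):
            if match.group(2) != "<redacted>":
                hits.append((line_no, match.group(1).lower()))
    return hits


def log_contents() -> str:
    return _log_buffer.getvalue()


def reset_log() -> None:
    _log_buffer.seek(0)
    _log_buffer.truncate(0)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample credential
    login_leaky({"username": "alice", "password": "correct horse battery staple"})
    login_safe({"username": "alice", "password": "correct horse battery staple"})
    print(log_contents())
    print("leaks found:", find_credential_leaks(log_contents()))
```

Run stand-alone it prints both log lines, and the scanner reports the leak only on the first one. The point of `redact` sitting in front of the logger rather than inside each handler is that request logging tends to be added in middleware long after the login code was written, which is exactly how a plaintext-password log creeps into a mature codebase.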

Facebook is evil and must be destroyed.


The .gov Loves To Collect Data, Not Protect It

But when one agency has 3 breaches in 1 year, there is something wrong. Minnesota DHS Reports Health Data Breach from 2018 Email Hack.

The latest breach bore similarities to those incidents. On Tuesday, DHS officials notified lawmakers of a third data breach caused by a cyberattack on an employee’s email account on or around March 26, 2018.

This one apparently went undetected for some time, since the other two were in June and July of last year.

So you’ve proven unable to protect citizens’ data. Why should you be allowed access to any data? The breach is over a year old. The investigation ended in February of this year, and they only just started notifying people (and legislators) about it.

Amazon Admits They Are Spying on You Via Alexa

That’s not creepy at all. And of course it is covered in the product agreement that everyone reads before opening the package. When you speak to Alexa, Amazon workers may be listening.

Did you honestly think they weren’t going to spy on you? Silly Rabbit, Privacy is a 20th Century concept.

Millions more are reluctant to invite the devices and their powerful microphones into their homes out of concern that someone might be listening.

Sometimes, someone is.

Amazon.com employs thousands of people around the world to help improve the Alexa digital assistant powering its line of Echo speakers. The team listens to voice recordings captured in Echo owners’ homes and offices. The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands.

Privacy? We don’t need no stinkin’ privacy.

F*c*book Doesn’t Care About Cybercrime

The more things change, the more F*c*book doesn’t give a crap. A Year Later, Cybercrime Groups Still Rampant on Facebook.

So a year ago Brian Krebs (Krebs on Security) searched F*c*book to find groups concentrating on cybercrime. He reported the groups with mixed results, then threatened to publish, and action ensued. A year later, not much has changed.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

Talos also found “limited action” by F*c*book until they talked about publishing.

Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.

This just reinforces my belief that F*c*book doesn’t care about security or privacy or fraud or misuse of your data in any way. They do have a financial interest in the USE of your data. They wouldn’t want to lock it down too much; they might not make as much money selling your info. Whether you want them to or not.

Government Data Security (Can you define SNAFU?)

Because after the Office of Personnel Management fiasco there is no reason to expect the government to get better at data security. FEMA Data Leak Exposes Personal Info of 2.3M Disaster Survivors.

The Office for the Inspector General for the DHS issued a report today that detailed how FEMA did not appropriately safeguard the personal information of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.

During national disasters, the Federal Emergency Management Agency (FEMA) offers a program called Transitional Sheltering Assistance (TSA) that provides shelter to disaster survivors.

SNAFU: Situation normal. All F*cked up. I expect that every single department of the .gov will be hacked in the next few years because they don’t give a damn about you. And the ones that do care are just going to be underfunded and overworked. But mostly, protecting your data is not their job. Or something.

Not So Private Legal Documents

Lawyers are smarter than you (and they will tell you that if you give them half a chance) so don’t tell them what they need to do for cybersecurity! 257K Legal Documents Leaked By Unprotected Elasticsearch Server.

An unprotected 4.7 GB Elasticsearch cluster found on a US-based Amazon AWS server exposed 257,287 sensitive legal documents that came with a “not designated for publication” label.

Oops.

No one is fessing up to the mistake, and the guy who found the leak isn’t even sure who owns the database, which was completely wide open. No password required. It has since been secured.

You Put a High-end Alarm in Your Car and Get LESS Security

Whiskey. Tango. Foxtrot. Gone in six seconds? Exploiting car alarms.

Pen Test Partners is a group that looks for security problems. In this case they looked at “high end” car alarms. A couple of the major vendors had major security flaws, which would enable

  • The car to be geo-located in real time
  • The car type and owner’s details to be identified
  • The alarm to be disabled
  • The car to be unlocked
  • The immobiliser to be enabled and disabled
  • In some cases, the car engine could be ‘killed’ whilst it was driving
  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  • Depending on the alarm, it may also be possible to steal vehicles

This is not the behavior you expect from a system that is supposed to make your car more secure.

The problems were found in alarm systems made by Viper and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands. Like other smart devices, smart car alarms offer people convenience, allowing owners to find their cars from a distance and unlock their doors from their phones.

One of these days people will realize that easily being able to do things via your phone may be fun, but it isn’t secure.

Starting with Signaling System 7, which Wikipedia says was developed in 1975, up through 4G LTE, there are security holes in the architecture around your phone. Aside from Signal from Open Whisper Systems, I’m not sure there is anything on my phone I can be 100 percent sure of. I know I can’t be sure of WhatsApp – it has at least one fundamental design flaw, introduced to make it “easy to use.”