F*c*book Really Hates Security

When F*c*book screws up, they don’t do it in small measures. Facebook: we logged 100x more Instagram plaintext passwords than we thought.

Millions of users, not tens of thousands, were impacted.

The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.

This is Data Security 101. It may be Programming 101. Not logging passwords in plaintext has been standard practice for a very long time. A long time measured in decades. But given that F*c*book doesn’t care the least little bit about privacy or your security, why the hell would they care?

Facebook is evil and must be destroyed.
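For the record, here is what “Data Security 101” looks like in code. This is an added example, not code from the linked article and not anything from F*c*book or Instagram: the application stores a salted PBKDF2-HMAC-SHA256 hash instead of the password, verifies with a constant-time comparison, and runs every log record through a filter that scrubs password/token fields before a handler can write them. The iteration count, the list of secret field names, the regex and the one-user “database” are assumptions made for the example.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO
from typing import Optional

# Assumed parameters for this example (not from the article): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user and 600,000 iterations.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Only this string is stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


# Field names treated as secrets (assumed list). Handles key=value, key: value and
# "key": "value" forms; the value runs to the closing quote, the next key, a
# delimiter or end of line, so a password containing spaces is fully redacted.
_SECRET_FIELD = re.compile(
    r'\b(password|passwd|pwd|token|secret)(\s*"?\s*[=:]\s*)("?)(.*?)(\3)'
    r'(?=\s+\w+\s*"?\s*[=:]|[,&}]|$)',
    re.IGNORECASE | re.MULTILINE,
)


def redact(text: str) -> str:
    """Replace the value of every secret-looking field with [REDACTED]."""
    return _SECRET_FIELD.sub(r"\1\2\3[REDACTED]\5", text)


class SecretRedactingFilter(logging.Filter):
    """Rewrites each record's final message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("auth-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter())
    return logger


def login(username: str, password: str, user_db: dict, logger: logging.Logger) -> bool:
    # The mistake in the article: a debug line like this one carries the raw
    # password. Here the filter scrubs it before it reaches the handler.
    logger.info("login attempt user=%s password=%s", username, password)
    stored = user_db.get(username)
    ok = stored is not None and verify_password(password, stored)
    logger.info("login %s for user=%s", "ok" if ok else "failed", username)
    return ok


def demo():
    """Two logins against a constructed one-user database; returns (good, bad, log text)."""
    log = StringIO()
    logger = build_logger(log)
    user_db = {"alice": hash_password("correct horse battery staple")}  # constructed sample user
    good = login("alice", "correct horse battery staple", user_db, logger)
    bad = login("alice", "hunter2", user_db, logger)
    return good, bad, log.getvalue()


if __name__ == "__main__":
    _, _, captured = demo()
    print(captured)
```

The filter sits on the logger rather than on a handler so that every handler, including one somebody adds later for a debug file, gets the scrubbed record. The regex is a backstop, not a substitute for never passing the password to a log call in the first place.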


The .gov Loves To Collect Data, Not Protect It

But when one agency has 3 breaches in 1 year, there is something wrong. Minnesota DHS Reports Health Data Breach from 2018 Email Hack.

The latest breach bore similarities to those incidents. On Tuesday, DHS officials notified lawmakers of a third data breach caused by a cyberattack on an employee’s email account on or around March 26, 2018.

This one apparently went undetected for some time; the other two were in June and July of last year.

So you’ve proven unable to protect citizens’ data. Why should you be allowed access to any data? The breach is over a year old. The investigation ended in February of this year, and they only just started notifying people (and legislators) about it.

Remember When Electronic Records Were To Improve Health Care?

It didn’t work out so well in this case. All of records erased, doctor’s office closes after ransomware attack.

The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack, according to half a dozen cybersecurity experts contacted in the past week. Hackers are targeting Minnesota hospitals and clinics at an escalating pace, including four breaches involving patient files already reported in 2019, though any interruptions of work have been temporary.

Electronic records are only a good idea if proper controls and safeguards are in place. And that means telling doctors how to run their businesses. (They don’t like that.)

Obama promised a golden age in health care, heralded by the arrival of electronic medical records. Didn’t work out for patients of this practice. And things are going to get worse, before they get better.

F*c*book Doesn’t Care About Cybercrime

The more things change, the more F*c*book doesn’t give a crap. A Year Later, Cybercrime Groups Still Rampant on Facebook.

So a year ago Brian Krebs (Krebs on Security) searched F*c*book to find groups concentrating on cybercrime. He reported the groups with mixed results, then threatened to publish, and action ensued. A year later, not much has changed.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

Talos also found “limited action” by F*c*book until they talked about publishing.

Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.

This just reinforces my belief that F*c*book doesn’t care about security or privacy or fraud or misuse of your data in any way. They do have a financial interest in the USE of your data. They wouldn’t want to lock it down too much, they might not make as much money. Selling your info. Whether you want them to or not.

Another Organization Underestimates Ransomware Complexity

They got hit on Tuesday, and expected to be back on Wednesday. They were not back on Friday. Genesee County, Michigan Recovering from Ransomware Attack.

Genesee County, Michigan was hit with a ransomware attack on Tuesday and the county has been working non-stop to get their systems back online. Unfortunately, this process turned out to be more difficult than expected and systems are still down.

And by that they mean you can’t contact them by email, they can’t process payments, or do much of anything that requires a computer.

I wonder how often their IT support organization asked for more money to beef up security/backups/whatever and were turned down.

They hope to have operations back to normal by Monday. At least they didn’t pay the ransom. (If you give a mouse a cookie, he’s gonna want a glass of milk.)

I’m Shocked to Discover GPS Can Be (and is being) Hacked

I’m not so shocked. Russia accused of massive GPS spoofing campaign. (Not an April Fools Joke.)

Technically, GNSS spoofing (as opposed to simpler jamming) is an attempt to send false positional signals to a receiver using global satellite networks such as the US GPS, China’s Beidou, Russia’s GLONASS, and Europe’s Galileo.

In recent years, there has been a flurry of small-scale reports of spoofing plus one major incident in the Black Sea in 2013 when at least 20 ships reported positioning anomalies blamed on the phenomenon.

This is going on today, under the direction of the FSO and the Russian military to protect Russian assets.

The report identifies 9,883 instances in which GPS WAS spoofed. This is a threat to both airlines and shipping.

The future was nice while it lasted.

You can find all the details at Above Us Only Stars. It’s a 66 page PDF, so you’ve been warned.

[GPS and other Global Navigation Satellite Systems (GNSS)] attacks are emerging as a viable, disruptive strategic threat.

Tesla Motors, Hackers and “Autopilot”

Calling it “Autopilot” was probably a marketing overreach. Tesla Stock Drops after Chinese Hackers Expose Alarming Vulnerability.

This isn’t the most informative of the articles, but it has enough info to be going on with.

China hackers set their sights on Tesla to expose just how easy it was to manipulate the Model S. Not only were they able to trick the autopilot systems of the luxury vehicles, but they’ve been able to access them remotely.

The cars can be in driving or parking mode.

“successfully implemented remote, aka none physical contact, control on Tesla Model S in both parking and driving modes.”