The biggest flaw in Internet history affecting as many as two-thirds of the world's websites.
German developer Dr Robin Seggelmann admitted he wrote the code. It was then reviewed by other members and added to OpenSSL software. This addition led to the Heartbleed flaw in the open-source program.
Code was added in December, 2011, and no-one picked up the error.
As if the fact that we all have to change our passwords yet again were not bad enough, Bloomberg reports NSA Said to Exploit Heartbleed Bug for Intelligence for Years
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”
The potential stems from a flawed implementation of a protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.
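The "flawed implementation" in the Bloomberg excerpt is easiest to see in code. What follows is an added illustration written for this page, not OpenSSL's source: a cut-down model of the TLS heartbeat handler (RFC 6520), where a request is a one-byte type, a two-byte claimed payload length, the payload, and at least 16 bytes of padding. The `arena` array standing in for process memory, the secret placed after the request, and the function names are all constructed for the demonstration. The vulnerable handler copies as many bytes as the peer claims to have sent; the fixed handler adds the check that OpenSSL 1.0.1g introduced, dropping any request whose claimed length does not fit inside the record actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE   256
#define PADDING      16          /* RFC 6520: at least 16 bytes of padding */
#define REAL_PAYLOAD "ping"      /* the 4 bytes the attacker really sends */

/* Constructed "process memory": the heartbeat record is parsed in place at
 * arena[0]; a constructed secret sits right after it, as session data would
 * on a real heap.  Keep `claimed` <= ARENA_SIZE - 3 so the model's over-read
 * stays inside this array (on a real heap it reads whatever is there). */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "password=hunter2";

typedef size_t (*heartbeat_fn)(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap);

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern (CVE-2014-0160): echo back as many bytes as the peer
 * CLAIMS it sent.  rec_len, the number of bytes actually received, is ignored. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)3 + payload + PADDING > out_cap)   /* guards only the reply buffer */
        return 0;
    out[0] = 2;                                    /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* over-reads past the request */
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Fixed pattern: refuse any request whose claimed payload does not fit inside
 * the record that was actually received (the check added in OpenSSL 1.0.1g). */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + PADDING)                      /* runt record: drop */
        return 0;
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload + PADDING > rec_len)    /* the missing bounds check */
        return 0;
    if ((size_t)3 + payload + PADDING > out_cap)
        return 0;
    out[0] = 2;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* now provably inside rec */
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Lay out a request in the arena: 4 real payload bytes but a length field
 * claiming `claimed` bytes.  Returns the number of bytes actually "received". */
size_t build_record(uint16_t claimed)
{
    size_t real_len = strlen(REAL_PAYLOAD);
    size_t rec_len = 3 + real_len + PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                       /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, REAL_PAYLOAD, real_len);
    memcpy(arena + rec_len, secret, sizeof secret);     /* neighbouring heap data */
    return rec_len;
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Feed one handler a request with the given claimed length.  Returns -1 if the
 * handler dropped it, 1 if the reply contains the secret, 0 if it was answered
 * without leaking anything. */
int probe(heartbeat_fn handler, uint16_t claimed)
{
    uint8_t reply[ARENA_SIZE + 3 + PADDING];
    size_t rec_len = build_record(claimed);
    size_t n = handler(arena, rec_len, reply, sizeof reply);
    if (n == 0)
        return -1;
    return contains(reply, n, secret);
}

int main(void)
{
    printf("vulnerable, claims 100 bytes: %2d\n", probe(heartbeat_vulnerable, 100)); /* 1 */
    printf("fixed,      claims 100 bytes: %2d\n", probe(heartbeat_fixed, 100));      /* -1 */
    printf("fixed,      honest 4 bytes:   %2d\n", probe(heartbeat_fixed, 4));        /* 0 */
    return 0;
}
```

A real probe claims the maximum 65535 bytes per request and repeats it against the server, collecting whatever happened to be adjacent in the process's memory at that moment: session cookies, passwords in flight, or the private key. Nothing in the fixed handler can tell a site what was taken before the patch, which is why the advice was to rotate keys and passwords after patching rather than before.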
Ace comments: What the hell. What the unholy hell.
This is scary. I'm not even so much bothered by the NSA itself preserving a backdoor into my private stuff. I always figured they could do that anyway, if they wanted.
But they've also exposed everyone to criminal hacking and even compromise by foreign intelligence services.
What the hell. What the unholy hell.
'Changing your password on a vulnerable site makes little difference because the site is still open to attack….' This means your old password would have been at risk, but you're also giving hackers access to your new password - a double whammy.
Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren't issuing the advice.
Business Insider Find Out Instantly If A Site Has Been Infected By 'Heartbleed'
I never knew that some smartphone apps contain computer code that allows the app developer to use the cell phone’s camera or microphone at any time, and record cell phone conversations at any time. Listening to a cell phone conversation in the past would require that the police take evidence to a court and ask a judge to sign a warrant allowing a police wiretap. Yet today, many apps effectively usurp the privacy of downloaders at the push of a phone button.
Right now these rights can be taken away by the state only after a long and arduous legal process. A convicted felon, for example, will lose his right to vote.
Up to now, a person could give away copyright rights to a photograph, for example, only by physically signing a photo release. Or he could sign away the copyright protections for a piece of music to a record company. But apps today could sneak in language that states that any music transmitted by a smartphone becomes the property of the person who developed the app. This was all made possible because written signatures were replaced by the e-signature, and now only a click of the "accept" button is required.
The product is called Cognizant, a free to download app for Android mobile phones and tablets. It protects those devices by empowering the user to be fully aware of all the permissions that applications have been granted on a device, knowingly or not.
In a nondescript Montreal office building, McAfee demonstrated how one popular chat application in particular had by default been granted what can only be described as excessive permissions. The application has access to things like: all call history, contacts, GPS, camera access, the ability to silently make calls and even turn off notifications of these activities to the user. I install the app on my own phone to see this and sure enough, it’s pretty shocking. If you think about it, if one were to describe a program that did all of these things on a PC, it could be called malware. McAfee states that there are thousands upon thousands of apps out there doing the exact same thing, taking more permissions than are clearly necessary or that you may be comfortable with.
While awaiting a similar app for the iPhone, I just got rid of a bunch of apps that I never used.
Just as the Pew Research Center released a survey showing Americans would give up TV before they would give up the Internet.
53 percent of US Internet users would find it "very hard" to give up Web access, up from 38 percent in 2006….
35 percent of all US adults say television would be very hard to give up, compared with 44 percent in 2006…..
"Using the Web -- browsing it, searching it, sharing on it -- has become the main activity for hundreds of millions of people around the globe," Pew said.
A cybersecurity firm has uncovered stolen credentials from 360 million accounts that are available for sale on cyber black markets…they warn the discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system….'The sheer volume is overwhelming.'….
Alex Holden, chief information security officer of Hold Security LLC….believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.
He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.
'We have staff working around the clock to identify the victims,' he said.
Do you think this will change anyone's mind?
Michael Ollove, a reporter for Stateline, noted that 43 percent of identity-theft incidents in the United States are medical-related, “a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 6.7 million people have been breached.”
Regardless, as many as 31 states do not conduct background checks on Obamacare navigators, who have access to enrollees’ names, Social Security numbers, financial records, and health information. A recent NR report found that in California, at least 43 navigators approved by the state health exchange had prior convictions, including for forgery and welfare fraud.
Every credit card in the U.S. will be replaced by October 2015 with new cards that contain the chip-and-PIN technology that the rest of the world has had for years, according to the Wall Street Journal. Both Visa and MasterCard are committed to the switch, which will render extinct the plastic in your wallets and purses right now.
No more black magnetic stripes; no more signing on the dotted line.
Americans who have traveled to Europe in recent years will know that the U.S.'s credit card system is embarrassingly old-fashioned by comparison. It's often difficult to use American credit cards abroad because the Europeans abandoned magnetic stripes and signatures years ago — they were too easily hacked. Credit and debit cards in the U.S. are about 10 years behind the rest of the world.
The new cards contain a microchip and require the owner to enter a PIN into a payment machine at checkout. They are more secure for a couple of reasons.
First, requiring the PIN prevents checkout staff from handling your card — they will simply hand you the point-of-sale device and customers will insert their cards and verify payment themselves.
Second, the chip replaces the magnetic stripe, which is easily copied and therefore vulnerable to hackers, as the Target sting proved. In France, chip-and-PIN allegedly reduced credit-card fraud by 80% (although the sourcing for this number is vague).
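Why a copied stripe is as good as the original while a copied chip transaction is not comes down to static versus per-transaction data, and that is simple to show in code. The following is an added model written for this page, not code from Business Insider, Visa, MasterCard or EMVCo: the stripe carries fixed bytes that any reader can record and replay, whereas the chip holds a key that never leaves the card and answers each terminal with a cryptogram over that terminal's fresh nonce and the amount, which the issuer recomputes with its own copy of the key. The PAN, track contents, key and the toy keyed hash standing in for the real 3DES/AES cryptogram are all constructed sample values; PIN verification and offline data authentication are left out because they do not change the point.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy keyed hash standing in for the EMV application cryptogram (real cards use
 * 3DES/AES under an issuer-derived key).  NOT a secure MAC; it only has to make
 * the output depend on the key and on every transaction field. */
static uint64_t toy_cryptogram(uint64_t key, const char *pan,
                               uint32_t amount, uint32_t nonce)
{
    uint64_t h = key ^ 0x9E3779B97F4A7C15ULL;
    for (const char *p = pan; *p; p++) {
        h ^= (uint8_t)*p;
        h *= 0x100000001B3ULL;
    }
    h ^= amount;  h *= 0x100000001B3ULL;
    h ^= nonce;   h *= 0x100000001B3ULL;
    return h ^ (h >> 29);
}

/* What the issuer holds for one account (constructed sample data). */
typedef struct {
    char     pan[20];
    char     track[40];   /* static stripe contents, identical on every swipe */
    uint64_t chip_key;    /* shared with the chip, never with the terminal */
} issuer_record;

static const issuer_record ISSUER = {
    "4111111111111111", "4111111111111111=2712101", 0x0123456789ABCDEFULL
};

/* Terminal "unpredictable number": a counter here, random in a real terminal. */
static uint32_t next_nonce(void)
{
    static uint32_t n = 0x5EED0000u;
    return ++n;
}

/* --- magnetic stripe ------------------------------------------------------ */

/* Issuer check for a swipe: the terminal can only forward the bytes it read. */
int stripe_authorize(const char *track_read, uint32_t amount)
{
    (void)amount;
    return strcmp(track_read, ISSUER.track) == 0;
}

/* A skimmer copies the track once and replays it at another terminal. */
int stripe_clone_accepted(void)
{
    char skimmed[40];
    strcpy(skimmed, ISSUER.track);            /* identical bytes: indistinguishable */
    return stripe_authorize(skimmed, 99 * 100);
}

/* --- chip ----------------------------------------------------------------- */

typedef struct { uint64_t key; } chip;     /* the key stays on the card */

static uint64_t chip_sign(const chip *c, uint32_t amount, uint32_t nonce)
{
    return toy_cryptogram(c->key, ISSUER.pan, amount, nonce);
}

/* Issuer check for a chip transaction: recompute with its own key copy. */
int chip_authorize(uint32_t amount, uint32_t nonce, uint64_t cryptogram)
{
    return toy_cryptogram(ISSUER.chip_key, ISSUER.pan, amount, nonce) == cryptogram;
}

int chip_genuine_accepted(void)
{
    chip card; card.key = ISSUER.chip_key;
    uint32_t nonce = next_nonce();
    return chip_authorize(42 * 100, nonce, chip_sign(&card, 42 * 100, nonce));
}

/* A skimmer records one complete chip transaction and replays the captured
 * cryptogram; the second terminal issues its own nonce, so it no longer verifies. */
int chip_replay_accepted(void)
{
    chip card; card.key = ISSUER.chip_key;
    uint32_t seen_nonce  = next_nonce();
    uint32_t seen_amount = 42 * 100;
    uint64_t captured    = chip_sign(&card, seen_amount, seen_nonce);  /* eavesdropped */
    uint32_t fresh_nonce = next_nonce();                               /* new terminal */
    return chip_authorize(seen_amount, fresh_nonce, captured);
}

int main(void)
{
    printf("cloned stripe accepted:  %d\n", stripe_clone_accepted());  /* 1 */
    printf("genuine chip accepted:   %d\n", chip_genuine_accepted());  /* 1 */
    printf("replayed chip accepted:  %d\n", chip_replay_accepted());   /* 0 */
    return 0;
}
```

The caveat a practitioner should keep in mind: the chip defeats cloning of the card itself, which is the Target-style fraud in the text above. It does nothing for card-not-present fraud (online purchases with a stolen PAN, expiry and CVV2), and a skimmer that also captures the PIN still has a PIN; the PIN protects against a lost or stolen card, not against a compromised terminal.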
Senate cybersecurity report finds agencies often fail to take basic preventive measures against even modestly skilled hackers.
The report…paints a broader picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is “password".
The report levels particularly tough criticism at the Department of Homeland Security, which helps oversee cybersecurity at other federal agencies. The report concluded that the department had failed even to update essential software — “the basic security measure just about any American with a computer has performed.”
Report: 4 in 10 Government Security Breaches Go Undetected; DHS, DOJ, DOD, EPA, NASA, Energy, State routinely hacked
Nearly every agency has been attacked, including the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce. NASA, the EPA, the FDA, the U.S. Copyright Office, and the National Weather Service have also been hacked or had personal information stolen.
In one example, hackers breached the national Emergency Broadcast System in February 2013 to broadcast “zombie attack warnings” in several midwestern states.
Even worse, nearly four in 10 intrusions into major civilian agencies go undetected….
The Nuclear Regulatory Commission, which contains volumes of information on the nation’s nuclear facilities, “regularly experiences unauthorized disclosures of sensitive information,” according to the report.
The agency has “no official process for reporting” breaches, cannot keep track of how many laptops it has, and kept information on its own cybersecurity programs, and its commissioner’s “passport photo, credit card image, home address, and phone number,” on an unsecure shared drive.
“Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens’ personal information,” Coburn, ranking member of the Homeland Security and Governmental Affairs Committee, said in a statement. “While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic—and critically important—precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing.”
Photographer Jennifer Greenburg, an assistant professor of photography at Indiana University, has been photographing the Rockabilly culture for 10 years.
People that not only dress like it’s the Fifties, but also drive perfectly preserved Cadillacs and decorate their homes with furniture to rival the retro sets of Mad Men.
'At first I thought the culture was about fashion,' the 36-year-old photographer told MailOnline. 'Then I realized it was much, much, more than that. I realized that this was a culture of people who functioned as a community.'
The community of people Ms Greenburg has documented, she believes, usually have a desire for this kind of joyousness that was lost in the 21st Century. 'Happiness, I believe, is everyone’s primary full-time job. And living a life that resembles, visually, the 1950’s helps make that just a little easier,' she said.
From re-wiring a lamp, to re-sewing the seams of a Fifties cocktail dress, Ms Greenburg added that most true participants of the culture are skilled at repairing and restoring most of their possessions.
'I realized what a special and lovely thing I found myself a part of,' she said. 'I have a friend in every city in America that I can call today and go visit tomorrow. That friend will open up his door to me, and, help me with anything that I need -- a laugh, a drink of water, a shoulder to cry on -- just like only the best of friends do.'
From Reflections of a Paralytic » Sperm Donor Recalls Meeting His Donor-Daughter Decades Later
All Narelle Grech from Australia knew of her father was that his code name was T5, he was brown-haired and brown-eyed with O-positive blood type. “When I was a teenager, I carried that information around with me on a scrap of paper, the way other kids carried a photograph of their dad,” she said. “It was my way of keeping a link to him because I had nothing else.”
Born in 1983, Narelle started searching for her biological father fifteen years ago. That search became even more urgent when she was diagnosed with advanced bowel cancer in 2011, a disease which doctors said might kill her within the next five years. The disease is genetic and she didn’t get it from her mother’s side. Shortly after her diagnosis, Grech also discovered that she has eight half-siblings created with her biological father’s sperm: “Each one may be a genetic time bomb waiting to go off and it’s probable that they don’t know anything about it.”
Narelle was finally united with her biological father in February of 2013, she passed away just one month later at the age of 30. Last October Ray Tonna was a guest on an Australian talk show to discuss his experience with anonymous sperm donation. In this teaser video for the episode, he recalls what it was like meeting his daughter for the first time:
It’s complicated Human ingenuity has created a world that the mind cannot master. Have we finally reached our limits?
We are now living with the unintended consequences: a world we have created for ourselves that is too complicated for our humble human brains to handle….a world where nearly self-contained technological ecosystems operate outside of human knowledge and understanding. As a scientific paper in Nature in September 2013 put it, there is a complete ‘machine ecology beyond human response time’ in the financial world, where stocks are traded in an eyeblink, and mini-crashes and spikes can occur on the order of a second or less. When we try to push our financial trades to the limits of the speed of light, it is time to recognize that machines are interacting with each other in rich ways, essentially as algorithms trading among themselves, with humans on the sidelines.
Ever since the Enlightenment, we have moved steadily toward the ‘Entanglement’, a term coined by the American computer scientist Danny Hillis. The Entanglement is the trend towards more interconnected and less comprehensible technological surroundings. Hillis argues that our machines, while subject to rational rules, are now too complicated to understand. Whether it’s the entirety of the internet or other large pieces of our infrastructure, understanding the whole — keeping it in your head — is no longer even close to possible.
Intellectual surrender in the face of increasing complexity seems too extreme and even a bit cowardly, but what should we replace it with if we can’t understand our creations any more?
The examples Samuel Arbesman uses include: the Traffic Alert and Collision Avoidance System (TCAS), financial trading, software, our legal system which includes the tax code and Obamacare and evolutionary programming.
In Wired, How the NSA Almost Killed the Internet
Google, Facebook, Microsoft, and the other tech titans have had to fight for their lives against their own government. An exclusive look inside their year from hell—and why the Internet will never be the same.
The hard-earned trust that the tech giants had spent years building was in danger of evaporating—and they seemed powerless to do anything about it. Legally gagged, they weren’t free to provide the full context of their cooperation or resistance. Even the most emphatic denial—a blog post by Google CEO Larry Page and chief legal officer David Drummond headlined, “What the …”—did not quell suspicions. How could it, when an NSA slide indicated that anyone’s personal information was just one click away? When Drummond took questions on the Guardian website later in the month, his interlocutors were hostile:
“Isn’t this whole show not just a face-saving exercise … after you have been found to be in cahoots with the NSA?”
“How can we tell if Google is lying to us?”
“We lost a decade-long trust in you, Google.”
“I will cease using Google mail.”
“The fact is, the government can’t put the genie back in the bottle,” says Facebook’s global communications head, Michael Buckley. “We can put out any statement or statistics, but in the wake of what feels like weekly disclosures of other government activity, the question is, will anyone believe us?”
At an appearance at a tech conference last September, Facebook’s Zuckerberg expressed his disgust. “The government blew it,” he said. But the consequences of the government’s actions—and the spectacular leak that informed the world about it—were now plopped into the problem set of Zuckerberg, Page, Tim Cook, Marissa Mayer, Steve Ballmer, and anyone else who worked for or invested in a company that held customer data on its servers.
“At first we were in an arms race with sophisticated criminals,” says Eric Grosse, Google’s head of security. “Then we found ourselves in an arms race with certain nation-state actors [with a reputation for cyberattacks]. And now we’re in an arms race with the best nation-state actors.” Primarily, the US government.
Research estimates that as much as $180 billion could be lost due in large part to overseas companies choosing not to patronize the American-based cloud. “American companies are feeling shellacked by overeager surveillance,” says US senator Wyden. “It reduces our competitiveness in a tough global economy.”
“I was naive,” says Ray Ozzie, who as the inventor of Lotus Notes was an early industry advocate of strong encryption. “I always felt that the US was a little more pure. Our processes of getting information were upfront. There were requests, and they were narrow. But then came the awakening,” he says. “We’re just like everybody else.”
Gizmodo offers advice on How to Erase Yourself from the Internet, especially from the four largest social media sites: Facebook, Twitter, Google+, and LinkedIn
Until now, 13- to 17-year-olds were barred from making posts visible to all users. But Facebook has removed that protection and images can be shared publicly. The move has been condemned as a 'disaster' by campaigners.
A new study shows that Facebook may help people feel connected, but it doesn’t make them any happier. In fact, according to the research, which was conducted by the University of Michigan, Facebook use actually predicts a decline in a person’s well-being.
Report suggests Facebook recently lost active users in the U.S and UK. The majority of people quitting the site blamed concerns over privacy. Other reasons included fear of addiction, and shallow conversations
A Facebook data scientist studied the HTML code of 3.7 million profiles to discover 71% of users regularly type comments and statuses before deciding not to post them. The study also found men are more likely than women to abandon a post on the social network site.
From Neatorama Facebook Security Simulator
Google's latest terms and conditions are more difficult to understand than Anglo-Saxon saga Beowulf, say researchers
If you always wanted to see your shining face next to Google ads, your wish will soon be granted. Today Google announced plans to roll out “shared endorsements,” which will augment its own advertisements with information from users who rated, reviewed, or gave a +1 to the service or location in question.
The move echoes Facebook’s “sponsored stories,” where the social network started turning users’ likes or check-ins into ads on its site, all without asking permission or even notifying them. A public outcry, class-action lawsuit, $20 million settlement, and limitations on the use of users’ content followed.
Google revealed its shared endorsements scheme in a change to its terms of service. The updates state that going forward, friends, family, “and others” may see a user’s Google profile name, photo, and any endorsement they’ve created for a company alongside ads for that company.
Users are opted in to Google's new scheme by default. In the past, Google gave itself permission to use users’ +1s alongside advertisements unless the user specifically opted out. The new “shared endorsements” are an extension of that setting, wherein Google gives itself permission to take even more of a user’s content and place it alongside ads.
To opt out of being a shared endorsement, Google users must go to the “shared endorsement” settings page, which is currently not linked anywhere from either their Google+ account or privacy settings (the ads have yet to go into effect, so Google may be waiting to integrate the page until the feature is live). At the bottom of the page is a checkbox next to the phrase “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads.”
MIT Technology Review The Real Privacy Problem
As Web companies and government agencies analyze ever more information about our lives, it’s tempting to respond by passing new privacy laws or creating mechanisms that pay us for our data. Instead, we need a civic solution, because democracy is at risk.
Our instincts for privacy evolved in tribal societies where walls didn't exist. No wonder we are hopeless oversharers. ‘Thinking about online privacy doesn’t come naturally to us,’ Loewenstein told me when I spoke to him on the phone. ‘Nothing in our evolution or culture has equipped us to deal with it.’
When a boy hit puberty, he disappeared into the jungle, returning a man. In today's digital culture this is precisely the stage at which we make our lives most exposed to the public gaze
The need for privacy remains, but the means to meet it — our privacy instincts — are no longer fit for purpose.
Over time, we will probably get smarter about online sharing. But right now, we’re pretty stupid about it. Perhaps this is because, at some primal level, we don’t really believe in the internet. Humans evolved their instinct for privacy in a world where words and acts disappeared the moment they were spoken or made. Our brains are barely getting used to the idea that our thoughts or actions can be written down or photographed, let alone take on a free-floating, indestructible life of their own. Until we catch up, we’ll continue to overshare.
With less than three weeks to sign up for insurance or pay a penalty, problems with the healthcare.gov website are still unresolved. It is impossible to imagine the anxiety and suffering of the millions who lost their health care policies and who don't want to put their identities at risk by going online to healthcare.gov.
“It doesn’t appear that any security fixes were done at all,” David Kennedy, CEO of the online security firm TrustedSec, told the Washington Free Beacon.
Kennedy said fundamental safeguards missing from Healthcare.gov that were identified by his company more than a month ago have yet to be put in place.
After warning Americans when testifying before Congress on Nov. 19 to stay away from Healthcare.gov, Kennedy now says the situation is even worse.
“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”
Get this. The Federal Government doesn't have to notify anyone if the site is hacked.
“States are required to notify in the event of a breach, the federal government is not,” he added. “So in the event that Healthcare.gov gets compromised and all their information gets taken out of it they don’t have to notify anybody.”
Kennedy said the team working on Healthcare.gov is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.
The White House won't even give classified briefings to Congress about the security problems of healthcare.gov. Chairman of the House Intelligence Committee Mike Rogers said,
“They could not even provide someone — CMS and HHS, the two folks responsible for the HealthCare.gov website — in a classified setting to come up and talk about the breaches that they know have happened. That’s just unconscionable.”
He warned that there is currently no coordinated effort within the administration to test the website’s newly-written code which was completed over the past two months of repairs, leaving it vulnerable to breaches. “You’re encouraging people to go to a site that our own government knows doesn’t meet safety standards when it comes to security of private information.”
The latest IBD/TIPP Poll finds that 78% say Americans should be worried about the security of the ObamaCare exchange website, and 53% say they should be "very concerned." This view was shared across parties, with 69% of Democrats saying security concerns are warranted.
More worrisome for the law's success, 82% of those aged 18-24 say concern is justified. These are among the people ObamaCare most desperately needs to enroll to keep overall premiums from spiraling out of control.
John Podhoretz writes in Commentary, No, Healthcare.Gov Isn’t Working. Much of the backend hasn't been constructed yet.
There is no such thing as a functioning website if the “back end” isn’t working. The “back end” is the catchall phrase for everything you don’t see when you visit a website. It refers to the software that translates pictures and words into what you see here. It refers to the software that mediates the relationship between 1) users who enter information, 2) the servers that store the website’s information, and 3) third parties hired to take some (but not all) of the information and process it on their servers and computers. It refers to the security systems put in place so that the website cannot be disabled by an outside attack and so that the data entered cannot be stolen or otherwise compromised.
In other words, the back end is the website. What many people are seeing now at healthcare.gov is a visual demonstration of a sign-in. If the sign-in data are not transferred to a database, nothing has happened. It’s like taking a practice test; it’s not scored and it’s not registered and it means nothing.
Obama administration officials acknowledged today that some of the roughly 126,000 Americans who completed the torturous online enrollment process in October and November might not be officially signed up with their selected issuer, even if the website has told them they are.
While the front-end of the website has been vastly improved, the back-end glitches remain a serious concern, IT experts and industry officials say.
For those who thought they enrolled in a plan through the federal exchange since October, the Obama administration now advises that individuals contact their insurance company to verify coverage and if none exists, to start all over again.
The Washington Post is reporting the bad news for Obama; about ⅓ of consumers enrolled through healthcare.gov have serious errors in the plans they chose.
The mistakes include failure to notify insurers about new customers, duplicate enrollments or cancellation notices for the same person, incorrect information about family members, and mistakes involving federal subsidies.
The spying by the government on American citizens is so far beyond what anyone thought was possible, it's hard to comprehend its scope. Except that it gets bigger and bigger.
New York Times. N.S.A. Said to Search Content of Messages to and From U.S.
To conduct the surveillance,’ reads the report, ‘the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border…[the] computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them.’
By identifying the recipient of the emails or text messages as the target of the surveillance instead of the sender, the NSA sidesteps a 2008 law that allows spying on domestic soil without warrants as long as the target was a noncitizen abroad.
The official said the remaining emails, those not selected by the software, are deleted. Nonetheless, privacy proponents were in disbelief.
‘The program described by the New York Times involves a breathtaking invasion of millions of people's privacy,’ American Civil Liberties Union deputy legal director Jameel Jaffer said in a statement. ‘The NSA has cast a massive dragnet over Americans' international communications, collecting and monitoring virtually all of them, and retaining some untold number of them in government databases. This is precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.’
Reuters. Exclusive: U.S. directs agents to cover up program used to investigate Americans
A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.
Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin - not only from defense lawyers but also sometimes from prosecutors and judges.
The undated documents show that federal agents are trained to "recreate" the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant's Constitutional right to a fair trial. If defendants don't know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence - information that could reveal entrapment, mistakes or biased witnesses.
"I have never heard of anything like this at all," said Nancy Gertner, a Harvard Law School professor who served as a federal judge from 1994 to 2011. Gertner and other legal experts said the program sounds more troubling than recent disclosures that the National Security Agency has been collecting domestic phone records. The NSA effort is geared toward stopping terrorists; the DEA program targets common criminals, primarily drug dealers.
"It is one thing to create special rules for national security," Gertner said. "Ordinary crime is entirely different. It sounds like they are phonying up investigations."
In a follow-up article Reuters reports Exclusive: IRS manual detailed DEA's use of hidden intel evidence
Details of a U.S. Drug Enforcement Administration program that feeds tips to federal agents and then instructs them to alter the investigative trail were published in a manual used by agents of the Internal Revenue Service for two years.
The practice of recreating the investigative trail, highly criticized by former prosecutors and defense lawyers after Reuters reported it this week, is now under review by the Justice Department. Two high-profile Republicans have also raised questions about the procedure.
“It’s a very common complaint about N.S.A.,” said Timothy H. Edgar, a former senior intelligence official at the White House and at the office of the director of national intelligence. “They collect all this information, but it’s difficult for the other agencies to get access to what they want.”
“The other agencies feel they should be bigger players,” said Mr. Edgar, who heard many of the disputes before leaving government this year to become a visiting fellow at Brown University. “They view the N.S.A. — incorrectly, I think — as this big pot of data that they could go get if they were just able to pry it out of them.”
The federal government has demanded that major internet companies turn over users’ stored passwords, two sources told the respected tech website CNet.
“If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user,” the report says. “Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.” But it doesn’t end there. The government is not only requesting the passwords, but it’s also asking for algorithms and even security questions:
At the same time, the government is doing everything it can to protect its own secrets; today's example is the EPA.
The EPA's Game of Secret Science: The agency pursues rules that will cost billions but refuses to reveal its research.
As the Environmental Protection Agency moves forward with some of the most costly regulations in history, there needs to be greater transparency about the claimed benefits from these actions. Unfortunately, President Obama and the EPA have been unwilling to reveal to the American people the data they use to justify their multibillion-dollar regulatory agenda.
To cite a few examples of where the EPA would like to take the country, the agency is moving forward with strict new limits on ozone that by its own estimates will cost taxpayers $90 billion per year, which would make the regulation the most costly in history. Other examples include a Mercury and Air Toxics Standard for power plants (previously known as "Utility MACT") that the EPA estimates could cost up to $10 billion a year. Yet more than 99% of the EPA's health-based justifications for the rule are derived from scientific research that the EPA won't reveal. Taxpayers are supposed to take on faith that EPA policy is backed by good science.
When the acclaimed television drama series Homeland climaxed with a devious plot by terrorists to kill America’s vice-president by hacking into his electronic pacemaker, critics scoffed at the ludicrousness of the idea.
But the outrageous storyline was thought credible by many in the world of computer security. Among those was the New Zealand-born computer hacker Barnaby Jack. The 35-year-old — who, unlike many in the business, used his skills ‘ethically’ — had spent his career demonstrating the dangers posed by unscrupulous hackers combined with computer manufacturers’ failure to install proper safety devices on equipment.
Jack thought it highly plausible that a terrorist could hack into someone’s pacemaker and speed up their heartbeat until it killed them. He also believed it was possible to infect the pacemaker companies’ servers with a bug that would spread through their systems like a virus.
‘We are potentially looking at a “worm” with the ability to commit mass murder,’ he said. ‘It’s kind of scary.’ Jack certainly knew what he was talking about — having become famous after demonstrating how he could sabotage cash machines and make them dispense large sums of money (a trick he called ‘Jackpotting’) by hacking into a bank’s computer system.
Another stunt was to reveal how a diabetic’s insulin pump — which is designed to deliver insulin to the body day and night — could be hacked from 300ft away, so it could dispense a fatal dose.
Jack, who had been obsessed with computers since childhood, emigrated to the U.S. at the age of 21 and joined a firm specializing in computer security issues.
In recent years, he had developed a specific interest in what is known as ‘embedded’ technology, the hardware and software built into everyday objects such as cars, banking systems, home appliances and medical devices.
He was preparing to demonstrate his work two days ago at a major computer-hacking convention in Las Vegas.
In an address to the Black Hat convention titled ‘Implantable medical devices: hacking humans’, Jack was due to show an audience of hackers and cyber security experts at Caesar’s Palace how he could hack into devices such as pacemakers and defibrillators.
However, he was never to give the demonstration. A week beforehand, Jack was found dead in his flat in the San Francisco neighborhood of Nob Hill. His body was believed to have been found by his girlfriend, Layne Cross, a 31-year-old model. According to friends, he was found dead in bed.
To say his sudden death remains shrouded in mystery is putting it mildly.
Predictably, for someone who worked in such a shadowy world, there have been countless theories about how he was killed. Hackers are a suspicious bunch who have become even more paranoid since the U.S government’s efforts to silence whistleblowers such as ex-soldier Bradley Manning (who faces jail for leaking secret government cables to WikiLeaks). The absence of even the most basic details about Barnaby Jack’s untimely death has ignited a firestorm of speculation that foul play could be involved.
A prolific gang of foreign hackers stole and sold 160 million credit card numbers from more than a dozen companies, causing hundreds of millions of dollars in losses, federal prosecutors charged last Thursday in what they described as the largest hacking and data breach case in the country.
The scheme was run by four Russian nationals and a Ukrainian, said the United States attorney for the District of New Jersey, Paul J. Fishman, who announced the indictments in Newark.
The victims in the scheme, which prosecutors said ran from 2005 until last year, included J. C. Penney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and the French retailer Carrefour.
“It is a really potent reminder of what researchers have been saying: The bigger threat is coming from criminal gangs, most of which are coming from Russia,” said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “It’s far more immediately impactful than threats coming from China.”
In a scam that dated back to 2005, the suspects first targeted retailers, surreptitiously visiting their checkout counters and exploiting vulnerabilities in the payment systems they used. By 2007, they were hacking into the financial systems of Nasdaq, the largest US electronic stock market, and major corporations like 7-Eleven, France’s Carrefour SA, JCPenney and the Hannaford Brothers supermarket chain.
They hit the real paydirt, authorities allege, when they hacked directly into some of the biggest credit card payment processors themselves to steal literally oceans of personal financial data.
Once inside the network, they used malware (malicious code) to create a “back door” that gave them return access, even after some companies identified breaches and thought they had fixed them. Then they installed “sniffers,” or programs to identify, collect and steal vast amounts of personal financial data, individually known as dumps, that they secreted in a network of computers around the world.
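The "sniffers" described above work by recognising card data in whatever passes through a compromised host, and a defender's data-loss or intrusion detection does exactly the same thing from the other side. The following is an added example, not code from the indictment or from any of the companies named; the buffer is constructed (the card numbers in it are the industry's published test numbers, not real accounts) and the host name is hypothetical. It shows the two tests every such scanner applies: a run of 13 to 19 digits, and a valid Luhn check digit, which is what separates a primary account number from an order reference of the same length.

```python
import re

# Constructed sample buffer, not captured data: a fragment resembling what a
# memory scraper or network sniffer on a point-of-sale host would see.
# The card numbers are published test numbers, not real accounts.
SAMPLE_BUFFER = (
    b"POST /pay HTTP/1.1\r\nHost: pos.example\r\n\r\n"
    b"pan=4111111111111111&exp=1215&cvv=123\r\n"
    b"ref=1234567890123456\r\n"                      # 16 digits, fails Luhn
    b"%B5500000000000004^DOE/JOHN^1512101?\r\n"       # track-1 style record
    b"order=98765 total=1299\r\n"
)

# A run of 13 to 19 ASCII digits not touching another digit on either side.
DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list:
    """Return the digit runs in `data` that look like primary account numbers:
    right length and a valid Luhn check digit. Other long numbers (order
    references, timestamps) fail the check digit nine times out of ten,
    which is why both scrapers and DLP tools rely on it."""
    hits = []
    for m in DIGIT_RUN.finditer(data):
        candidate = m.group(1).decode("ascii")
        if luhn_ok(candidate):
            hits.append(candidate)
    return hits


def mask(pan: str) -> str:
    """First six and last four digits only, the PCI DSS display rule, so an
    alert can be logged without itself becoming card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_BUFFER):
        print("card data in buffer:", mask(pan))
```

On the sample buffer this flags the form field and the track-1 record and ignores the sixteen-digit order reference, which has the right length but the wrong check digit. A production detector would additionally watch for these patterns leaving the network in bulk, since a single hit on a payment host is normal and a stream of them is the "dumps" being exfiltrated.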
John Fund reports on Obamacare’s Branch of the NSA: Community organizers will use a Federal Data Hub to sign up people for subsidies — and even ballots.
The Department of Health and Human Services is about to hire an army of “patient navigators” to inform Americans about the subsidized insurance promised by Obamacare and assist them in enrolling. These organizers will be guided by the new Federal Data Hub, which will give them access to reams of personal information compiled by federal agencies ranging from the IRS to the Department of Defense and the Veterans Administration. “The federal government is planning to quietly enact what could be the largest consolidation of personal data in the history of the republic,” Paul Howard of the Manhattan Institute and Stephen T. Parente, a University of Minnesota finance professor, wrote in USA Today. No wonder that there are concerns about everything from identity theft to the ability of navigators to use the system to register Obamacare participants to vote.
This spring, House Oversight and Government Reform Committee lawyers were also told by HHS that, despite the fact that navigators will have access to sensitive data such as Social Security numbers and tax returns, there will be no criminal background checks required for them. Indeed, they won’t even have to have high-school diplomas. Both U.S. Census Bureau and IRS employees must meet those minimum standards, if only because no one wants someone who has been convicted of identity theft getting near Americans’ personal records. But HHS is unconcerned. It points out that navigators will have to take a 20–30 hour online course about how the 1,200-page law works, which, given its demonstrated complexity, is like giving someone a first-aid course and then making him a med-school professor.
Indeed, voter registration is among the goals of the folks hawking Obamacare. The People’s World newspaper reports: “California’s Secretary of State Debra Bowen is designating the state’s new Health Benefit Exchange, Covered California, as a voter registration agency under the National Voter Registration Act. That means Covered California will be incorporating voter registration into every transaction — online, in-person and by phone — it has with consumers.” It seems as if some Obama supporters have found a new way to fill the void left by the bankruptcy of ACORN, the notorious left-wing voter-registration group that saw dozens of its employees in multiple states convicted of fraud.
“Giving community organizers access to the Federal Data Hub is bad policy and potentially a danger to civil liberties,” House Budget Committee chairman Paul Ryan told me recently. “But it’s one of the most underreported stories I’ve seen. If people only knew about this Data Hub program, it would touch off a huge public outcry.”
"It's the greatest collection of private identification information ever assembled on Americans that will be put into one place," said Rep. Patrick Meehan, who chairs a House cybersecurity subcommittee. "It is every bit of sensitive information one would need to know to completely take over the identification of a person," said the Pennsylvania lawmaker.
The Obamacare data hub, he added, "creates a honey pot and the day that it goes online it is going to be a target for hackers and others and they are unprepared to protect the system."
To combat widespread skepticism, ‘Obamacare’ National Marketing Campaign To Cost Nearly $700 Million
Study: Obamacare could cause 1 million low-income Americans to move from work to welfare
Hackers aren't going anywhere any time soon, so Russian spies are wising up and taking their most sensitive intelligence offline. Not offline like off the internet. Offline like off computers altogether.
The Russian state procurement agency FSO recently announced that it was interested in spending up to 486,000 rubles (about $14,800) on at least 20 old fashioned typewriters to handle top secret documents. After all, cyber security isn't an issue when ink and tree are involved.
Web-users who want to protect their privacy have been switching to a small unheard of search engine in the wake of the 'Prism' revelations.
DuckDuckGo, the little known U.S. company, sets itself apart from its giant competitors such as Google and Yahoo, by not sharing any of its clients' data with searched websites. This means no targeted advertising and no skewed search results.
Aside from the reduced ads, this unbiased and private approach to using the internet is appealing to users angered at the news that U.S. and UK governments (the National Security Agency (NSA) in the U.S. and GCHQ in the UK), have direct access to the servers of big search engine companies, allowing them to 'watch' users.
Entrepreneur Mr Weinberg had the idea for the company in 2006….From there he had the idea to develop a 'better' search engine, that does not share any user information with any websites whatsoever.
Search data, he told the paper, 'is arguably the most personal data people are entering into anything. You're typing in your problems, your desires. It's not the same as things you post publicly on a social network.'
DuckDuckGo, named after an American children's tag game Duck Duck Goose (though not a metaphor), was solo-founded by Mr Weinberg in 2008, in Valley Forge, Pennsylvania. He self-funded it until 2011 when Union Square Ventures, which also backs Twitter, Tumblr, Foursquare and Kickstarter, and a handful of angel investors, came on board.
The 33-year-old CEO, who lives in Paoli, a suburb of Philadelphia, PA, with his wife and two children, explains that when other search engines are used, your search terms are sent to that site you clicked on; this sharing of information is known as 'search leakage'.
'For example, when you search for something private, you are sharing that private search not only with your search engine, but also with all the sites that you clicked on (for that search),' he points out on his website.
'In addition, when you visit any site, your computer automatically sends information about it to that site (including your User agent and IP address). This information can often be used to identify you directly.
'So when you do that private search, not only can those other sites know your search terms, but they can also know that you searched it. It is this combination of available information about you that raises privacy concerns,' he says.
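The "search leakage" Weinberg describes is an ordinary HTTP Referer header: when the results page links straight to a site and the query is in the results URL, the browser hands the site that URL, query and all. The following is an added example, not DuckDuckGo's code; the engine host, its URL layout and the signing key are hypothetical, and the headers are constructed. It shows what the destination can read from a direct click, the redirector approach that removes the query from the link (the technique the article attributes to DuckDuckGo), and the signature check a redirector needs so it cannot be abused as an open redirect.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values; the engine host, URL layout and key are hypothetical.
ENGINE = "https://search.example"
RESULTS_URL = ENGINE + "/results?q=divorce+lawyer+near+me&page=2"
TARGET_URL = "https://lawfirm.example/consult"
REDIRECT_KEY = b"constructed-demo-key"      # server-side secret, demo only
UA = "Mozilla/5.0 (constructed user agent)"


def leaked_search_terms(headers: dict) -> Optional[str]:
    """What the clicked site can read from the request it receives: if the
    Referer is a results page whose URL carries the query, the search terms
    come straight out of it."""
    referer = headers.get("Referer")
    if not referer:
        return None
    query = parse_qs(urlparse(referer).query)
    for key in ("q", "query", "p"):          # common query-parameter names
        if key in query:
            return query[key][0]
    return None


def headers_for_direct_click(results_url: str) -> dict:
    """Headers the destination receives when the results page links to it
    directly: the browser sends the page the link was on as the Referer."""
    return {"Referer": results_url, "User-Agent": UA}


def redirector_link(target_url: str) -> str:
    """Engine-side fix: result links point at the engine's own redirector.
    The link names the destination but not the search terms, and carries
    an HMAC so only links the engine minted are honoured."""
    sig = hmac.new(REDIRECT_KEY, target_url.encode(), hashlib.sha256).hexdigest()
    return ENGINE + "/l/?" + urlencode({"u": target_url, "s": sig})


def resolve_redirect(link: str) -> Optional[str]:
    """Redirector side: return the destination only when the signature
    verifies, so the endpoint cannot be used as an open redirect."""
    query = parse_qs(urlparse(link).query)
    target = query.get("u", [""])[0]
    sig = query.get("s", [""])[0]
    expected = hmac.new(REDIRECT_KEY, target.encode(), hashlib.sha256).hexdigest()
    if target and hmac.compare_digest(expected, sig):
        return target
    return None


def headers_for_redirected_click(target_url: str, no_referrer: bool = True) -> dict:
    """Headers the destination receives after a click through the redirector.
    If the redirect response carries 'Referrer-Policy: no-referrer', which
    current browsers honour, no Referer is sent at all; otherwise the Referer
    is the redirector URL, which still contains no search terms."""
    headers = {"User-Agent": UA}
    if not no_referrer:
        headers["Referer"] = redirector_link(target_url)
    return headers


if __name__ == "__main__":
    print("direct click leaks:", leaked_search_terms(headers_for_direct_click(RESULTS_URL)))
    print("via redirector leaks:", leaked_search_terms(headers_for_redirected_click(TARGET_URL)))
    print("redirector resolves to:", resolve_redirect(redirector_link(TARGET_URL)))
```

The User-Agent and client address still reach the destination either way, which is the second half of Weinberg's point: the redirector stops the site learning what you searched, not that you visited.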
A computer virus that steals bank details and empties money from accounts has been found on Facebook.
Eric Feinberg, who controls the U.S National Football League Facebook page, discovered the malicious links were being posted on his brand's page by fake profiles.
The links are believed to be controlled by the Russian Business Network - an online criminal gang accused of stealing internet users' identities and private information.
The link discovered by Feinberg was for a page called 'Bring the N.F.L to Los Angeles'. The page has since been removed.
Security firm Trend Micro claim that there may be many more hidden on pages, or even being spread inadvertently by Facebook friends.
When a Facebook user clicks the links the Trojan - which gets its name from the Trojan horse the Greeks used to enter the city of Troy undetected - is installed on their computer. It then scans all the personal files and steals any private information.
The malware is also able to collect login details, even if they aren't stored in documents on your PC, by using keystroke logging. Keystroke logging, also known as keylogging, can record which keys on a keyboard are being pressed. It can then wait until the user types in their online banking address and login details and steal them.
Once they have the logins, the cybercriminals can enter your online accounts and steal your money.
It is a six-year-old malware program that has seen a resurgence recently on Facebook and other social network sites. The Zeus Trojan, also known as ZBOT, has infected millions of computers worldwide - with reports claiming 3.6 million are in the U.S alone - and can sit in the background dormant and virtually undetected.
‘If you tell me your date of birth and where you’re born on Facebook, I’m 98 per cent of the way to stealing your identity,’
'World's greatest conman' Frank Abagnale says social network is rich seam for identity thieves. He said children in particular need to be made aware of the serious risks of unwittingly revealing information online…..‘Technology breeds crime.’
‘What I did 40 years ago as a teenage boy is 4,000 times easier now,’ said Mr Abagnale, who is known as one of the most successful impostors of all time, assuming the identities of pilots, doctors, lawyers, and even a U.S. prison agent.
"Something seemingly innocent, like posting our birthday on Facebook, can provide thieves with just enough information to access bank accounts, credit cards, sign up for credit and more."
You also give away a few more pieces of the identity puzzle by sharing whom or what you "like" or "follow." When you like a particular store or your neighborhood bank, for instance, you are giving a potential thief one more link to steal your information.
Hackers utilize the following distribution "touch points" to deceive users: malicious links and code, spam, friend requests, private messaging, user groups, gaming forums, videos and music.
"Social networking scams are 10 times more effective in spreading malware than email," said George Waller, executive vice president and co-founder of StrikeForce Technologies in Edison, N.J.
Blanton, who was once a police officer, added that people have always used personal information to commit crimes.
"The Internet just makes it easier," she said. And now social media has provided a gold mine for bad guys.
1. Change your name. If you tweak your name just a little, or use a nickname, life will be easier for you after the inevitable hack.
2. Stop geotagging your photos.
3. Lie about your age. While it's fun to get birthday greetings on your wall, it's a key piece of information needed to steal your identity. At least post the wrong year.
4. Don't store your credit card information on the site. Facebook has several services that require a credit card. Buyer beware.
5. Have some boundaries. When Facebook asks you where your photo was taken, keep it to yourself.
6. Less is more (peace of mind). …. Go through your timeline and remove posts that provide personally identifiable information.
7. Deactivate your account.
Bonus Pro Tip: Don't use your Facebook password anywhere else. That's making it way too easy for the bad guys.
Suicide is now the leading cause of injury deaths. Too many people are living lives of despair as the miserable economy takes its toll.
More people commit suicide than die in car crashes. A report in the American Journal of Public Health says suicide ranks first followed by car crashes, poisoning, falls and murder.
"Suicides are terribly undercounted; I think the problem is much worse than official data would lead us to believe," said study author Ian Rockett, a professor of epidemiology at West Virginia University…. For the study, Rockett's team used data from the U.S. National Center for Health Statistics to determine the cause of injury deaths from 2000 to 2009.
Deaths from intentional and unintentional injury were 10 percent higher in 2009 than in 2000, the researchers noted. And although deaths from car crashes declined 25 percent, deaths from poisoning rose 128 percent, deaths from falls increased 71 percent and deaths from suicides rose 15 percent, according to the study.
In 2009, more than 37,000 Americans took their own lives, and more than 500,000 were at risk of suicide, according to Pamela Hyde, administrator of the U.S. Substance Abuse and Mental Health Services Administration.
Medical errors kill enough people to fill four jumbo jets a week. A surgeon with five simple ways to make health care safer.
All of them have to do with transparency
A staggering 94 million Americans exposed to potential identity theft through breaches in government agencies. And it's probably much worse.
Furthermore, out of 268 breach incidents reported since 2009, 67 of the public agencies responsible (and I use that term loosely) couldn't even figure out how many records were lost. That fact alone will tell anyone with basic math skills and a lick of common sense that this epidemic is much worse than we know. …..
Premeditated attacks by hackers accounted for only 40 breaches since 2009, a mere 15 percent of the total….Plain and simple stupidity and negligence caused most of the rest.
the sad truth is that our own government's security policies -- or lack thereof -- have put us all at risk. …The GAO's report found that out of 24 major government agencies, 18 had inadequate information security controls….the Department of Veterans Affairs and the Department of Health and Human Services, each of which have met just over 50 percent of the law's requirements.
Robert Morgenthau: The Death of Peter Wielunski
For every soldier killed in combat, 25 veterans are dying by suicide. It's time to broaden efforts against PTSD.
Online storage service Dropbox has admitted to a security breach that led to many of its members receiving unsolicited emails. A stolen password had been used to access an employee's accounts and copy a 'project document' containing user email addresses.
The US company said that usernames and passwords stolen from other sites had also been used to sign in to some of its members' accounts.
'The Dropbox incident underlines the necessity of having different passwords for every website,' said Graham Cluley, senior technology consultant at Sophos. 'As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts.
Mat Honan over at Wired tells how his entire digital life was destroyed.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.
An amazing illusion that I found here.
Speaking of illusions, how safe are you from identity theft?
A report by the Treasury Inspector General for Tax Administration (TIGTA) reveals that taxpayer identity theft more than doubled in 2011, skyrocketing to 641,052 taxpayers affected as compared to 270,518 the prior year.
As Eileen Ambrose of the Baltimore Sun explains, once a fraudster has someone's Social Security number, all they have to do is "make up W-2 information, submit a return before the legitimate taxpayer files and receive a refund directly deposited on a debit card."
That, said Taxpayer Advocate Nina Olson during a July 10th House Judiciary Committee hearing, can mean a nightmare for victims. "Identity theft wreaks havoc on our tax system in many ways," she explained. "Victims not only must deal with the aftermath of an emotionally draining crime, but may also have to deal with the IRS for years to untangle the resulting tax account problems. Identity theft also impacts the public …(Treasury)… as Treasury funds are diverted to pay out improper refunds claimed by opportunistic perpetrators….Identity theft is not a problem the IRS can solve on its own."
Phishing emails, stolen Social Security numbers, and fraudulent tax preparers are all cited as potential pathways for taxpayer identity fraud to occur.
Amy Feldman, writing for Reuters, says that "Fighting taxpayer identity theft is a bit like going after Nigerian email scammers, a constant battle that seems unlikely to be won anytime soon."
Cory Doctorow in Technology Review, The Curious Case of Internet Privacy: Free services in exchange for personal information. That's the "privacy bargain" we all strike on the Web. It could be the worst deal ever.
What we agree to participate in on the Internet isn't a negotiated trade; it's a smorgasbord, and intimate facts of your life (your location, your interests, your friends) are the buffet.
Why do we seem to value privacy so little? In part, it's because we are told to. Facebook has more than once overridden its users' privacy preferences, replacing them with new default settings. Facebook then responds to the inevitable public outcry by restoring something that's like the old system, except slightly less private. And it adds a few more lines to an inexplicably complex privacy dashboard.
People don't value privacy until they lose it.
You aren't the customer, you're the product being sold says Michael van der Gallen in The 8 ways Big Brother's Facebook's New Changes Alienate Its Users
Most of the changes aren’t meant to make life easier for users — that means: for you and me — but for advertisers. The goal clearly is to make it easier for them to target people whose Internet behavior implies they may be interested in a company’s products. If that means that you and I have a more difficult time using the world’s largest social network, so be it. Facebook has more important things to consider, namely money.
I am horrified to learn that Facebook is asking users to share their medical history, that the new profiles are "The biggest Breach of Your Privacy in Facebook's History" and that its new "Open Graph" creates a permanent record over which the user has no control.
Lauren Weinstein, an expert on the Internet and privacy, adds rather succinctly: Biggest fans of Facebook’s new Open Graph:
FBI, CIA, NSA, TSA, + (all Department of Homeland Security departments and assets)
Local Law Enforcement
Your medical and life insurance companies
Your auto insurance company
Department of Motor Vehicles
All lawyers (especially divorce and personal injury)
Anyone else who might want to know how you’ve spent your time, at any point in the future, based on the permanent data record created automatically by your activities at vast numbers of sites, all collected in one place for ease of court orders.