Posts under Privacy

Stratfor: The Numbers Are In

The hacktivist group Anonymous stole more than 50,000 credit card numbers from Stratfor and posted the information to Pastebin, along with a variety of other data. Analysis of the posted data produced the following numbers:

  • 50,277 unique credit card numbers, of which 9,651 are not expired.
  • 86,594 email addresses, of which 47,680 are unique.
  • 27,537 phone numbers, of which 25,680 are unique.
  • 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked.
  • 73.7 percent of decrypted passwords were weak.
  • 10 percent of decrypted passwords were less than 5 characters long.
  • 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world.

DeSopa for Firefox Bypasses SOPA DNS Blocking

How did I see this coming?

DeSopa is the latest Firefox add-on, and it can counter the DNS blocking of the Stop Online Piracy Act (SOPA) if the bill passes. The extension gets you through to sites censored by DNS and lets you browse them by IP address.


U.S. Sources Exposed as Unredacted State Department Cables Are Unleashed Online

An encrypted WikiLeaks file containing 251,000 unredacted U.S. State Department cables is now widely available online, along with the passphrase to open it. The release of the documents in raw form, including the names of U.S. informants around the globe, has raised concerns that dozens of people could now be in danger.


AppFence: Protecting User Data from Android Applications

A promising new technology called AppFence is currently being developed by a team of researchers at the University of Washington to mitigate the risk of today’s Android applications misappropriating the user’s data. AppFence implements two privacy controls: one covertly substitutes shadow data in place of data that the user wants to keep private, and the other blocks network transmissions that contain data the user made available to the application for on-device use only. The source code is not available at this time but I’m looking forward to the product of their research.

Of course, if you’re running CyanogenMod7, this capability is available now. In the nightly builds of CyanogenMod7, the CyanogenMod team introduced the ability to revoke app permissions. With this ability, an application can be installed and its access to features such as your contact list revoked, allowing you to use the app without worrying about that data being exposed. However, revoking an app’s access is likely to cause a force close unless the app is well-coded to handle this scenario.

To accommodate these apps, the new feature also supports transparent “spoofing” of access for certain permissions such as phone state and phone ID. This allows the system to return false data rather than deny access, which circumvents the force close issue in many cases.

Anyways, take a look at AppFence and the associated research data.

Dropbox Admits it Suffered Serious Password Failure

Cloud file synchronization company Dropbox has admitted that it suffered a serious security lapse that allowed an unknown number of users to log into any account using any password.


Citi Credit Card Hack Bigger Than Originally Disclosed

Citigroup has been forced to reveal that a recent hack of its network exposed the financial data of more than 360,000 customers, a much higher number than the bank originally disclosed.

The company said last week that hackers who breached Citi Account Online on May 10 had acquired the personal information of about 1 percent of its 21 million North America customers, or approximately 210,000 credit card holders. But in a note posted to its website late Wednesday, the company revealed the new number, and said that it had known the number of customers affected was much higher as early as May 24.


35 Million Google Profiles Dumped Into Private Database

Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, email addresses and biographical information made available in 35 million Google Profiles into a massive database that took just one month to assemble.

University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It wasn’t hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list.


Google rolls out fix for Android security threat

Google has plugged a security hole that exposed the vast majority of Android phone users’ calendars and contacts when they accessed those services over unsecured networks.

“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” a company spokesman wrote in an email. “This fix requires no action from users and will roll out globally over the next few days.”


‘Checkout Your PROFILE Stalkers’ scam spreading on Facebook

So this scam has been going around for the last week. You’ll most likely see the following on your news feed.
[Image: facebook stalker scam]

If you find the monkey is irresistible then you will be presented with another “copy and paste” technique. If you read my last post, this is not cross-site scripting (XSS). This is an attempt to get curious Facebook users to paste in a URL to manually direct their browsers to a malicious website.

Don’t click the monkey!

PlayStation Network hack launched from Amazon EC2

Yeah Cloud!

The hackers who breached the security of Sony’s PlayStation Network and gained access to sensitive data for 77 million subscribers used Amazon’s web services cloud to launch the attack, Bloomberg News reported.

The attackers rented a server from Amazon’s EC2 service and penetrated the popular network from there, the news outlet said, citing an unnamed person with knowledge of the matter. The hackers supplied fake information to Amazon. The account has now been closed.
