Verizon Enterprise Breach Leads to 1.5 Million Customers Records Up For Sale

It’s not been a good year for Verizon. Earlier this month we reported on the fact that the company had been fined by the FCC for “supercookie” tracking, and now it would seem that Verizon Enterprise has been breached resulting in 1.5 million customer records being put up for sale.

The revelation comes as a seller has begun advertising the sale of a database with information for 1.5 million customers of Verizon Enterprise, all being offered for the price of $100,000. If you feel like that is a little much, you can buy 100,000 records for just $10,000. The thread also contains the option to buy information about security vulnerabilities in Verizon’s website, leading people to question just how safe their data is.

In response, Verizon stated that they had “recently discovered and remediated a security on our enterprise client portal”. Regarding the data itself they state that “an attacker obtained basic contact information on a number of our enterprise customers”.

This would appear to confirm that the data is real, although it may not be as juicy and chock-full of information as some might hope. This can only look bad for Verizon Enterprise, as they are the ones commonly finding flaws and reporting on breaches like these every year. If you were wondering just how much of an impact that could have on people, Verizon’s Enterprise client list includes 99% of Fortune 500 companies.

Denver Police Caught Using Database For Personal Gain

In this day and age, we like to think that our information is well protected. We know that isn’t always true though with companies like TalkTalk and even children’s toy company VTech having their data exposed in hacks. So what about the people who have access to our information? Well, it would seem that Denver police could be in trouble after it was revealed that some of their officers have used their access to information for personal gain.

The report outlining this was created by independent monitor Nicholas Mitchell and lists not just one but multiple “wrongful searches” where an officer used their access to find out information beyond work needs. An example of this was when a female hospital employee spoke with an officer, only to return home and find a message on her personal phone. To make matters worse she had never given her contact details to the officer, who it turns out, used their access to the database to find out her contact details.

In another example, an officer received a call from a woman who was in a custody dispute with her boyfriend over their teenage daughter. The woman learned that her ex and their daughter had been given a lift by another individual and asked an officer to run the licence plate of the individual; the officer did so, even providing the woman with information from the search. The woman in question then rang the individual and revealed that she had personal information, including his home address.

What is the worst part about all of these situations? It would appear that the officers in question were never truly punished, with the most anyone suffered being a few days’ suspension without pay. The misuse of government property and information, and, in fact, breaching people’s data privacy and security, is by all means criminal in nature and goes to show that sometimes when people are afraid of who has access to their data, they have more than a right to be worried.

Microsoft Bringing SQL Database Software To Linux

Microsoft is well-known for three things: their hardware (such as the Microsoft Surface series), their operating systems and their software. The problem is that a lot of these are closely tied together; their hardware uses their operating system and normally comes pre-installed with their software. You can get their operating systems or software alone, but putting their software on another operating system tends to work quite badly (or if you are using the Mac version of Windows Office, you may be missing some of the features available on Windows). This is set to change with Microsoft announcing that their SQL database software will be coming to Linux soon.

For clarification, at least some of Microsoft’s SQL Server core capabilities will be coming to Linux, with which parts being heavily influenced by demand and feedback. With Microsoft looking to build their own Linux distro and even opening up their .NET framework for Linux and Mac OSX users, maybe we could see a more and more open approach regarding their software.

With open source software being a big part of companies and governments, Microsoft may be looking not only to get community support in increasing their software capabilities but possibly to win back some of the markets that are going to open source solutions.

Child Tracking Firm uKnowKids Accuses Security Researcher of Hacking

Digital security is important in this day and age: with your information accessible from across the world, you are not the only one who can get at it. Big companies like TalkTalk have found out the hard way that even a single breach can cause your company untold harm to both your image and credibility. The issue is only made worse when the information relates to the young.

VTech found out the hard way when it was revealed that their hacked data included photos and chat logs. This time it’s the software firm known as uKnowKids. uKnowKids is a subscription-based service designed to help parents track their children’s online activity. The supposed hack is the work of none other than security researcher Chris Vickery. Vickery states that all he did was use the search engine Shodan, and he managed to locate millions of text messages and images; amongst the data were around 1,700 “detailed child profiles”.

The information was apparently obtained from a database which hadn’t been password protected, meaning that it was freely accessible from the web. uKnowKids disagrees and says that the “vulnerability” was patched within 90 minutes of Vickery notifying them. The worst part is that they claim they haven’t been able to identify him as a “white hat” security researcher, someone who will identify a vulnerability, report it and help fix the issues they find.

Steve Woda is the chief executive of uKnowKids and posted a blog stating that one of their databases “was breached by a hacker” and that “Twelve minutes after the final breach… and after taking screenshots of our intellectual property, business data, and customer data, Mr Vickery notified uKnow of his breach of our private systems”.

uKnowKids tracks youngsters’ online activity, from text messages to social media, letting parents keep close tabs on their activity and be aware of any alerting content that could be upsetting or dangerous. It comes as no surprise then that the BBC reports that the data included a family photo, usernames and email address.

Vickery was surprised when they responded in such an aggressive way, saying that other firms would thank you for alerting them to these issues or even hire you to help fix and make sure their security was up to date.

Patent Troll to Pay Legal Fees

Patents are legal documents that say you are the creator or mind behind an idea or design. They are kinda like copyright, although they can cover a wider range of things, such as the concept behind a piece of technology rather than the exact components and designs needed to implement it. More often than not we find that there are groups or companies seeking to use these documents to gain money where none is due; these groups are called “Patent Trolls”. In a first, a District Judge in the US has asked a group to pay the legal fees of various companies it sued.

The concept is simple: claim you have the rights to a patent for a design or idea and then demand that companies pay you for anything they might have used that design for. This is especially common with things like software.

Judge Rodney Gilstrap has stated that, due to the exceptional circumstances of the case, eDekka LLC should be made to pay the legal fees of the various companies it sued. eDekka used a patent to sue more than 200 companies in 160 separate cases, on the basis of their use of a database, claiming that its patent would reduce the time needed to retrieve information. However, when pressed further, eDekka began to explain the technology as a teaching tool that would help improve people’s ability to program databases and the systems that use them.

With such cases being considered an easy win, many patent trolls tend to hope for an early payment or a long drawn-out battle that leaves the opposition unable to continue the case. Hopefully this will deter people from trying to claim others’ work in exchange for an early payday.

Image courtesy of Book Masters.

Wetherspoons Reveals Extent Of Hack

From phone calls made to and from prisons, to the details of thousands of children and their parents, hacks seem to be everywhere and are affecting everyone these days. The latest one to reveal they’ve been hacked is JD Wetherspoons, the popular pub chain.

Revealing that its old website was hacked between the 15th and 17th of June, but only learning about the attack on the 1st of December, Wetherspoons called in security specialists before informing customers on the 3rd of December. Yet again the hack seems to have revealed a database containing numerous customer details, currently put at around 656,723 customers.

The details included in the database were the first name, surname, date of birth and contact details such as mobile phone numbers and email addresses.

If you purchased a voucher before August 2014, the last four digits of your credit or debit card could have been accessed, although they are keen to express that no other details, such as security codes or the remainder of your card details, were exposed.

Don’t pay by card? How about not using your card when you go to Wetherspoons? This doesn’t affect me? Did you sign up for their free wifi, or maybe even use the Contact us form? If you did then your data could be included in that which was revealed.

Amongst TalkTalk, Vodafone and VTech, more and more companies are finding their systems breached. Maybe now is a good time to avoid handing out any details to any company or person.

Data on Thousands of Children Exposed in VTech Hack

It has come to light that earlier this month, popular children’s computer company VTech were the victims of an attack by an unnamed hacker. The hacker was able to gain access to around 5 million users’ credentials, including the 200,000 children whose data was stored by VTech’s Learning Lodge online service.

The leaked credentials may include details such as users’ names, email addresses and home addresses. Also included in the leak were the security questions and answers of the users, meaning cracking of the users’ passwords would not be necessary to compromise accounts, and if the same password reset information was used on another site, those accounts would also be vulnerable. The scariest part is that the details of the children recorded by VTech included their names, birth dates and genders and could be used to link them to their parents’ accounts, providing those with sinister motives access to the locations of countless children. According to the site Have I Been Pwned, a reputable repository of data breaches, this breach is the fourth largest leak of consumer data to date.

Thankfully, in an interview with Motherboard, the hacker, when asked what he intended to do with the data, replied with “nothing”. While he intends to do nothing with it, he warned that others may have extracted data from the site before him, due to the ease of attack. The technique used to break into the site was an SQL injection, an old and simple way of attacking vulnerable websites, typically executed by inputting malicious code into the forms on a website to manipulate it into performing an attacker’s desired operations. After using this to gain full access to the systems and databases, the attacker had free access to all of the data within.

VTech has responded to the breach by promising to “look at additional ways to strengthen our Learning Lodge database security.” However, this may not be enough. Following the attack, security expert Troy Hunt, as well as examining the data to assess the extent of the leak, went on to do a cursory security review of VTech’s Learning Lodge site. He warned that the lack of encryption anywhere on the site, together with the tendency of the site’s databases and APIs to leak data, meant that there didn’t even need to be a data breach for user information to be at risk.

If you are a user of the Learning Lodge site and wish to enquire further with VTech, they have set up a series of email accounts to handle them, which can be found here.

It should be considered fortunate that the perpetrator of this attack was willing to bring the breach to light and has no ill intentions for the data acquired, however, it is still unacceptable for a company that handles data, especially on vulnerable parties such as children, to engage in such poor security practice.

WHSmith Contact Us Sends Email To Companies Mailing List

Online shopping is a big thing, and companies like to keep track of what you’re buying and even send you the odd offer here or there: you bought a TV, so why not buy a sound system for 20% less? Normally these offers mean we sign up with some sort of password and email combination, and you expect them to store these and keep them safe. In recent years we’ve seen some sites hacked and their details published online, but today it would seem that WHSmith has taken it a step further, with their contact us form emailing everyone who had registered for magazines with the company!

In a statement, WHSmith stated that “I-subscribe [the company responsible for their magazine subscriptions] have immediately taken down their ‘Contact Us’ online form which contains the identified bug, while this is resolved”. They stressed in their discussion with the Guardian newspaper that it was “a bug not a data breach”.

The email not only included information such as the person’s name and the message they wished to send but was also sent to a large list of contacts, thus exposing their details to a wider than wanted audience. Some of the earlier messages contained not only their real names and emails but also postal addresses and phone numbers.

With concern over data security at its highest, and customers, both paying and merely interested, worried about the extensive breaches and accidents, will companies soon look at different ways of storing information so that these accidents happen less?

Thank you The Guardian for the information.

Image courtesy of Corporate Marks and Spencers

Government Looking for Exploits in Anti-Virus Software to Use Against You

Snowden’s latest leaked documents point to government agencies such as the NSA and GCHQ taking an interest in tracking user activity and spying on networks. However, to do that, they have to get one piece of software out of the way: the anti-virus. This also seems to link with an earlier incident at Kaspersky Lab, where their headquarters was hacked by an unknown and well-equipped group.

The government agencies are said to be using a process named Software Reverse Engineering to gain access to vulnerabilities still present in current anti-virus products. One of the latest warrants GCHQ wants to approve, according to The Intercept, even states that Kaspersky poses a threat to its SRE program.

Other methods of intercepting and gaining access to anti-virus software databases consist of finding and exploiting the emails of employees who work at anti-virus companies. In addition, user PCs are targeted for HTTP requests sent to anti-virus headquarters, containing relevant security vulnerabilities found by their anti-virus suites.

To support the above claim, The Intercept also came across a GCHQ presentation which shows that around 100 million malware events are flagged daily by the government agencies. The same approach might be found in every government agency, so at least we get another peek at what’s going on and how ‘secure’ we are.

In the end, is targeting and ‘cracking open’ anti-virus software really a good solution? From my point of view, the GCHQ should hire Kaspersky Lab to design their network security if they are as good as they say they are. What do you think?

Thank you TechCrunch and The Intercept for providing us with this information

OPM Hack Believed To Be Worse Than First Revealed

Publicly exposed hacks are an almost everyday occurrence in modern times, with everything from cloud storage hacks revealing personal pictures to big-name security software companies being hacked. These can be anywhere from personally and professionally devastating to something on a whole new level, such as the hack that took place on the Office of Personnel Management (OPM) in America.

The Office of Personnel Management is basically the human resources division for the American government, and when the government first addressed the breach they stated that details for approximately four million people were exposed, including dates of birth, addresses and social security numbers.

The problem is, it may be a lot worse. SF-86 forms are used to conduct background checks for security clearance, and as you would expect, these forms contain a whole spread of sensitive information, not only about the applicant but also their family and friends. This means the level of information revealed, accessed and possibly copied in the breach could be a lot worse than first admitted.

Initial reports stated that EINSTEIN, the government’s hack detection software, detected the breach. According to the Wall Street Journal today, however, it would seem that the breach was actually discovered during a sales demonstration by a company looking to show off its forensics product. So not only was the breach undersold to the public, but it looks like the government’s detection software was beaten in a sales presentation.

If the new reports are true, everything from the names and addresses of a person’s family to medical details could be in the hands of the very people they are meant to be protected from. This could be the start of a very painful message that governments need to work harder to protect the people they serve, both offline and online.

Thank you Wall Street Journal and Wired for the information.

Image courtesy of PCWorld.

Machine Vision Algorithm May Be the next Art Critic

Art historians still find defining art and its creative qualities tricky even today. Art has always been considered something that a human mind can understand and appreciate, but is it really?

A simplified definition of what makes the best pieces of art stand out is that they have a key element which inspired later artists to use it in their own work.

Two researchers at Rutgers University tend to disagree that humans are the only ones who can judge art. Based on a machine vision algorithm, they proved that paintings can be studied and judged by computers too.

The researchers put it to the test and fed the code a database of about 62,000 pictures of fine art paintings. As a result, the computer recognised Monet’s Haystacks at Chailly at sunrise as being one of the most influential paintings in history.

Art critics would agree with the above and state that Rodin’s 1889 sculpture Danaid is not as influential, as the machine deems too. But does this really mean a computer can judge fine art now?

The truth is that arguments between critics on determining the most influential pieces of art have been going on for ages now, but this algorithm could prove to be a basis on which they can agree.

The algorithm uses visual concepts that analyse both low-key elements, such as colour, texture and simple objects, as well as high-key elements like walking, smiling and so on. A computer then applies the algorithm to a database pool and comes up with the paintings which influenced other authors.

Also, the researchers tell us that the algorithm has bigger potential than just showing a list of paintings. They say that the algorithm can be used in other areas, such as literature, sculpture and even in science.

Thank you MIT Technology Review for providing us with this information

Image courtesy of hdwallpaperpc

University of Toronto Creates Online Database of Leaked Snowden Documents

The University of Toronto, in partnership with Canadian Journalists for Free Expression (CJFE), has created an online searchable database of every document leaked by NSA whistleblower Edward Snowden that has subsequently been published in the media. The Snowden Digital Surveillance Archive aims to “provide a tool that would facilitate citizen, researcher and journalist access to these important documents.”

Edward Snowden, a former NSA data analyst, leaked documents related to massive and pervasive illegal global surveillance programs run by the US National Security Agency (NSA) in conjunction with UK intelligence service GCHQ.

The CJFE is an organisation that “monitors, defends and reports on free expression and access to information in Canada and abroad.” The creation of the Snowden Archive is part of its remit to promote “free media as essential to a fair and open society” and the “free expression rights of all people”.

“We are extremely proud to launch the Snowden Archive as a tool for Canadians, and the world, to better understand the scope and scale of mass surveillance programs,” said CJFE Executive Director Tom Henheffer in a press release. “We believe this tool is just the start of many important stories to come, and hope this will help the public engage in conversation about government surveillance practices.”

The archive allows users to search by the following criteria:

  • Agency that created the document in question;
  • Journalist and media outlet that first broke the story from the document;
  • Full text of the document;
  • Keywords, surveillance program names and more.

Source: Canadian Newswire

Almost 10,000 UK Driving License Details Leaked Online

It looks like the NSA or other government agencies might not be the only ones that have access to your personal details. Everyone with Internet access could have seen your address, name, email and photo just by navigating to a website. This is the case of a private parking ticket company by the name of PaymyPCN.net, who allegedly published one of their clients’ databases online. It is said that a security flaw on the private parking firm’s website allowed public access to the details of around 10,000 motorists.

“[The] breach at PaymyPCN.net demonstrates that even with basic IT security measures in place, perimeters are still permeable,” said Sol Cates, CSO at security vendor Vormetric. “In this case, it appears that, while motorists’ data and fine payments were encrypted once inputted into the PaymyPCN.net website, a backdoor link left the computer database wide open – providing access to private information provided to PaymyPCN.net by the DVLA. Although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed,” he added.

Michael Green, a consumer activist, is said to be the one who uncovered the flaw after it had been “sent to a motorist in error”. The site is said to have been taken offline by PaymyPCN.net immediately after the breach, but it has since returned. PaymyPCN.net’s activities involve the collection of parking charge notices, acting as an agent of both private and public sector parking operators.

Thank you The Register for providing us with this information

Access IBM’s Watson Supercomputer for Free

IBM has opened up its Watson supercomputing platform to everybody for free. The decision to open up a public beta for the data analytics platform means that we now all have partial access to a supercomputer, anytime, anywhere.

Using what is described as “the most powerful natural-language supercomputer in the world”, you can upload a dataset and let Watson analyse it all in incredibly accurate detail – producing correlations, predictive analyses, graphs, charts and even infographics that represent your data.

It’s a very interesting concept and is probably the first time anybody and everybody has been able to access a supercomputer for free. You can access Watson at IBM’s website here, where you will be required to set up a free account.

I know what some of you are wondering. Can it run Crysis?

Source: Gizmodo

British Government Want to Build a ‘Super Database’ To Help Run the Country

Even with all its power, the UK government has admitted that it’s at a point where simple tasks, such as sharing information or data between two different departments, have become a burden. This is mostly due to the fact that there is a wide range of databases controlled by each government department.

However, the cabinet’s data sharing policy team came up with a plan back in April that would have all departments link all of their databases. This means that local authorities, emergency services, schools and even government departments would merge their databases into a single ‘super database’.

The resulting database is then said to be able to handle huge amounts of data and provide more accurate information. Other benefits that might follow are said to include a saving of up to £37 billion in error, debt and fraud.

Another beneficial outcome from all of this is the government’s ability to understand a person’s life and help them with their money problems. For example, if an individual is in debt to various departments, the payments can then be structured to be manageable on a low income.

To be noted is that the policy is still just a proposal and the government is now looking for the people’s opinion in order to find out if they support the plan or not.

Thank you Engadget for providing us with this information
Image courtesy of Engadget

UK Police Trials The World’s Fastest Face Recognition System

Britain is dubbed the most watched country in the world, with over 6 million CCTV cameras watching everything that moves. This is why the London police aim to further improve their use of the CCTV network by adding body-worn cameras to help identify ‘criminal activities’ faster.

The new technology is said to still be undergoing trials in London, with Leicestershire police already confirming that it has become the first police force in the UK to test NEC’s NeoFace face recognition software in hopes that it will “transform the way criminals are tracked down”. NeoFace aims to identify faces by analysing “dozens” of facial features from digital images captured by the CCTV system or body cameras and comparing them to the 90,000 photos stored in the Leicestershire Police database.

Video: https://www.youtube.com/watch?v=hfFl6w3vRTw

NeoFace’s strength is said to lie in its processing power, being able to analyse the features in a matter of seconds compared to manually searching for possible matches (which is said to take hours to do). While the new tech is just debuting in the UK, it is said to have proven invaluable in the US. The Chicago Police Department has stated that the system helped them sort through 4.5 million booking photos in order to find evidence and convict a suspected armed robber.

Thank you Engadget for providing us with this information

Face Recognition Technology Currently Being Tested by the FBI

Face recognition technology is nothing new, with agencies such as the National Security Agency denying the use of such technology on people, images and most likely anything that has a human face on it. However, the FBI looks like they are not trying to hide the technology or its use at all.

The Federal Bureau of Investigation has stated that it is in the process of building a database called the “Next Generation Identification database” by feeding portraits from local law enforcement agencies into the system.

It is said that the software is being built by MorphoTrust, a company which has been stated to have helped the State Department create its own face recognition database. However, MorphoTrust and the State Department cannot currently join databases.

However, FBI Director James Comey appears not to rule out the possibility of eventually merging both databases in the near future. An estimated 52 million images are said to be imported into the database by next year, and the Electronic Frontier Foundation is already alarmed by the gigantic figure.

The EFF states that there is a strong possibility of many innocent people slipping into the pool. Despite the EFF warning, Director Comey apparently was unable to deny this or at least assure people that it will not be the case and that their driving license photos will be ‘safe’. Furthermore, the FBI director has also stated that he is not even sure if the EFF’s claims are accurate.

Having been asked specifically about the driving licenses, Director Comey referred to possible circumstances in which pictures of people who are granted special driving licenses to transport children or explosive material are sent in by state departments, and so have a high chance of eventually ending up in the database as well.

Thank you Engadget for providing us with this information
Image courtesy of Engadget

eBay Admits User Data Was Hacked Into – Two Months Ago

eBay, one of the most popular websites globally, is urging users to change their passwords after it was discovered that their corporate network was attacked and a small number of employee login credentials were stolen. Following the discovery, eBay are stressing that no financial data was accessed and that until users’ passwords have been changed, no activity is permitted on their accounts.

What is shocking, however, is the revelation that this attack happened two months ago, in late February to early March, although they have said that the discovery of the unauthorised access was only made a couple of weeks ago after the compromised employee credentials were discovered. Additionally, eBay has spoken out stating that they take customer privacy and security very seriously and that they are performing a deep analysis into how the attack was performed and how the data was accessed, with the aim of ensuring that this does not happen again.

Starting from now, each and every eBay user will be notified via email that they will need to change their passwords and that any associated PayPal accounts are also safe and secure as this is all stored securely on an encrypted network separate to that of eBay’s user databases.

Whilst users are in the process of changing their passwords, some users will face the error message as seen below whilst the eBay network is put under a very heavy load, however users are reassured that they can try again later and their accounts cannot be used until the passwords are changed.

Whilst this is one of the worst attacks to happen to the business, as with all sites we strongly advise that your passwords are changed on a regular basis and if you use the same password on other sites, you should look into changing these as well to prevent any further issues down the line.

Say Goodbye To SkyDrive And Welcome To OneDrive

Microsoft is apparently attempting to change the name of their popular cloud storage platform, SkyDrive, to a more ‘combined’ name, specifically OneDrive. This comes as a response to the dispute lost back in July, when Microsoft lost its trademark right to use “SkyDrive” to the UK’s British Sky Broadcasting.

The change is set to occur sometime in the following weeks, however no official launch date has been revealed. Microsoft is reportedly going to move all current SkyDrive and SkyDrive Pro accounts, along with their user data, over to the OneDrive database once the platform is finished. We just have to hope nothing goes ‘wrong’ and people don’t start losing data from their accounts. Given how previous migrations at various companies have gone in the past, it is also recommended to save any important data on your SkyDrive accounts in other places as well to avoid any ‘unwanted’ incidents.

Besides the trademark change, Microsoft is reportedly going to add some new features to the upcoming platform: “Get ready for an even better place to store and share your favorite things across all your favourite devices,” as it states on the developing OneDrive page. However, getting excited about new features at this point is probably useless, since Microsoft is known for their ‘new’ features being just refreshed versions of old ones.

Video: http://www.youtube.com/watch?v=e4NsPPUDjyU

But if indeed new features are coming to OneDrive, it will most probably be photo and video sharing, as Microsoft’s promo video points out. The concept and vision of OneDrive is fairly simple, one place for everything you want to save, either music, video, photos or files, all in ‘One’ place, one ‘Drive’.

“One place for all of your photos and videos. One place for all of your documents. One place that is seamlessly connected across all the devices you use. You want OneDrive for everything in your life.” as the OneDrive blog states.

Thank you PC World for providing us with this information
Image and video courtesy of PC World