2015-12-29



A publicly available database containing the personal information of 191 million US voters has been sitting, exposed, in a publicly accessible corner of the Internet, according to security researchers.

The database, which was first uncovered by independent security researcher Chris Vickery and reported today by DataBreaches.net, includes the names, home and email addresses, voter IDs, dates of birth, party affiliations, and voting histories of millions of registered American voters since 2000. Fortunately, it does not expose the voters’ Social Security numbers, driver’s license numbers, or sensitive financial information.

While 191 million records sounds pretty alarming, it’s worth noting that voter registration lists are usually a matter of public record—though many states enforce regulations to control access to the information. Some states charge expensive fees, for instance, for access to such data. South Dakota, as noted by DataBreaches.net, explicitly requires those looking to acquire voter data to sign a statement confirming their understanding that the database “may not be used or sold for any commercial purpose” and “may not be placed for unrestricted access on the Internet.”

Still, this type of data can be extremely valuable, especially to those running campaigns. For one, the information in such databases might be used for targeted mailings.

That’s the reason third-party vendors hawking vast chunks of voter data exist—and such a vendor is the suspected source of the exposure in this case, too. Both Vickery and Steve Ragan, a security blogger for the risk management website CSO, who also investigated the data, say the style and formatting of the data set point to a vendor called NationBuilder. The company, for its part, says that the IP address where the files were posted did not belong to it or any of its clients.

More likely, the researchers say, the poor configuration of the data set could be an indicator that a customer purchased information then sloppily threw it online without the right security protocols in place.

OK, but should you be panicking? Not quite. As mentioned, a lot of voter information is public record. As much as anything, it’s just weird that this much valuable data was sitting on the Web for so long, unchecked and undiscovered. That said, restrictions around voter data exist for a reason, if only to temper the likelihood of getting more junk mail.

In 2012, Google began notifying its users if it believed those people’s accounts or computers were at risk of a state-sponsored attack. Three years later, Facebook has now followed suit, the latest in a string of security-conscious measures the social network has recently enacted.

Facebook Chief Security Officer Alex Stamos announced the latest protection in a post on the site. “While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored,” Stamos wrote. “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.”

Those steps range from turning on Login Approvals (Facebook’s version of two-factor authentication) to avoid being compromised in the first place to replacing their computers altogether, in the event of a confirmed attack. Stamos also clarified that Facebook will only use this warning “where the evidence strongly supports” a state-sponsored attack. Basically, if you see the message below, you have cause for serious concern.



Facebook may be a few years behind Google, but it’s to date the only other major company to offer that level of alert. The move also joins other significant steps Facebook has taken to ensure user privacy and security. In June, it offered users the option to add a public OpenPGP key to their profile, so that email notifications from the site to them are encrypted (though messages sent within Facebook itself are not end-to-end encrypted). A year ago, Facebook launched a “dark web” version of itself as a Tor hidden service, an important extra layer of encryption and privacy for those trying to avoid surveillance.

There’s always more that could be done. But every layer of protection is important, and Facebook continues to demonstrate its willingness to add more and more.

When the German activist group Intelexit launched a campaign last week to persuade employees of surveillance agencies like the NSA to resign, their tactics started with billboards, online video and sidewalk canvassing. Now they’ve taken their campaign in a more aggressive direction: up into the NSA’s airspace.

On Monday, supporters of the Intelexit group, an offshoot of the Berlin-based activist collective Peng, launched a winged drone over the Dagger Complex, a U.S. military base in Darmstadt, Germany that also houses an NSA outpost known as the European Cryptologic Center. The drone, which the group tells WIRED is a Skywalker x8 remote-controlled hobbyist plane, rained down leaflets over the complex asking NSA employees if they’re “ready to exit?” and listing ethical reasons to quit the intelligence services. The stunt is captured in the video above, complete with a comically heroic NSA-battling score.

“It is very hard to reach the people working in secret services since they are so cloistered off from the rest of society,” says Ariel Fischer, a pseudonymous spokesperson for the group. “This is a really innovative way to reach out to them…It also shows employees that Intelexit is serious about helping them.”

The legality of their pamphlet drop is questionable: At least some German states prohibit flying drones over military bases. The NSA didn’t respond to WIRED’s request for comment about the anti-surveillance group’s drone launch.

Fischer adds that the campaign, which included a video featuring NSA whistleblower Thomas Drake and cryptography guru Bruce Schneier, has been an “immense success” so far. She said that the group has already been contacted by both current and former intelligence workers supportive of their cause, though she declined to say how many. If Intelexit continues its increasingly flashy exploits, it will at least have the intelligence agency’s attention.


Since his world-shaking collection of NSA leaks first dropped, Edward Snowden has been one of the most important journalistic sources in history and an elusive, occasional interview subject. Now he’s finally speaking for himself.

Can you hear me now?

— Edward Snowden (@Snowden) September 29, 2015

The former NSA contractor and defector joined Twitter Tuesday with the introductory message above. He described himself on his (Twitter-verified) page this way: “I used to work for the government. Now I work for the public.” His profile uses the Platon portrait shot for WIRED’s 2014 cover story, and also offers a shout out to the Freedom of the Press Foundation, the whistleblower-friendly civil liberties group where he serves on the board of directors.

In just the first 30 minutes following his initial tweet, more than 70,000 people had already followed him. As for @Snowden himself, he’s only following one other feed so far: the NSA’s. Stay tuned for some interesting tweet feuds.

The news of government mass surveillance keeps coming, as two more stories reveal that spy agencies in the US and the UK plotted to record the browsing habits of every internet user.

First up is a story from The Intercept about Karma Police, a seven-year-old program launched by the British spy agency GCHQ designed to catalog visits to porn sites, social media and news sites, as well as activity on search engines, chat forums, and blogs. As previously reported, GCHQ has tapped more than 200 undersea cables as part of its spying partnership with the NSA, siphoning gigabytes of data each day. The Karma Police documents describe how some of that data is used to build a profile of a user’s web browsing and search engine histories, Skype calls, and other communications via email, instant messaging and text. The Intercept notes that the surveillance isn’t targeted but instead indiscriminately tracks the activity of many users to uncover patterns and relationships.

In the US, the war over encryption backdoors continues with a new government memo obtained by the Washington Post, which shows that a task force explored four possible ways the government might deal with the encryption standoff between law enforcement and spy agencies on the one hand and technology companies and the public on the other.

Among the most controversial options discussed? Exploiting the automatic software updates vendors push out to customers. Under a court order, a company could be compelled to embed spyware in an update to infect a targeted customer’s phone or tablet. The memo warned, however, that this tactic could backfire by calling into question “the trustworthiness of established software update channels,” which could lead customers to opt out of updates, leaving their devices unpatched and open to attack from anyone else. Ironically, that’s exactly the criticism that arose in the security community in 2012 when researchers discovered that Flame, a nation-state spy tool believed to have been developed by the US and Israel, subverted the Microsoft Windows Update system to install itself on targeted machines. Sources told the Washington Post that while the software update option and others were considered by the task force, the government has no plans to pursue them.

Edward Snowden opened the world’s eyes to mass surveillance being conducted by the US intelligence agency and its partners in the UK and elsewhere. Now a new treaty, developed by international legal experts, is asking nations around the world to take a stance on mass surveillance.

The so-called Snowden Treaty asks countries to become signatories to the treaty that requires them to enact local laws against mass surveillance and uphold the right to privacy, establish independent oversight to ensure public transparency and accountability and establish international protections for whistleblowers, obliging them to guarantee the right of residence either inside their borders or in their embassy to people claiming to be persecuted as whistleblowers.

The language of the treaty was developed by experts in international law and Internet freedoms and surveillance at the Electronic Frontiers Federation, with input from journalist Glenn Greenwald and others. The group said they will not be releasing the actual treaty document today, as it’s still being refined and they’ve given it to several governments like Brazil, Germany and Iceland for review, but they did distribute a summary (.pdf).

You can watch a livestream of the press event announcing the treaty and discussing the details here:

Congratulations @libraryfreedom, @torproject, @ACLU_NH, and the Lebanon, NH community for choosing freedom over fear! http://t.co/ungQeUzETv

— ACLU Massachusetts (@ACLU_Mass) September 16, 2015

A library in Lebanon, New Hampshire was the first in the country to provide a particular privacy service to patrons near and far: it enabled a Tor relay node that anyone could use to mask their geographical locations from prying eyes. But the government didn’t like that so much, and Homeland Security issued a warning to the library that Tor could be used by criminals.

In response, the library shut down its Tor program. The outcry from privacy advocates was swift. People pointed out all the many non-nefarious reasons a person might want or need the protection that Tor anonymity provides, among them protection from stalkers, spies, or oppressive governments.

Then last night the library board showed it would not be cowed. After a crowded open meeting, the Valley News reports that the library voted to reinstate the node.

“It came to me that I could vote in favor of the good … or I could vote against the bad,” library board Chairman Francis Oscadal reportedly said.

The motto of New Hampshire is “Live free or die,” after all.

Tor Project Statement on #KiltonLibrary decision

(now in more readable colors) pic.twitter.com/G4vIsQJfCZ

— torproject (@torproject) September 16, 2015

You just know in your bones that the NSA spied on you and shared that data with Britain’s GCHQ spy agency, right? So how can you confirm this? Through a new online tool offered by the British civil liberties group Privacy International.

Thanks to a legal victory Privacy International obtained earlier this year, the UK’s Investigatory Powers Tribunal is now required to search through data the GCHQ obtained from the NSA for information collected on anyone in the world if that person so requests it. If you request the info and the Tribunal finds something, it must let you know. The catch is you have to make the request before December 5, 2015. Privacy International has made this easy with its “Did GCHQ Illegally Spy on You?” online tool.

Earlier this year the Investigatory Powers Tribunal in the UK ruled that British intelligence services acted unlawfully when they accessed the private communications of millions of people that had been collected by the NSA under its mass-surveillance programs known as PRISM and Upstream and shared with the British spy agency. The PRISM program, which began in 2007, allowed the NSA to collect data in bulk from U.S. companies like Yahoo and Google. The Upstream program involved the collection of data from taps placed on hundreds of undersea cables outside the U.S.

The Tribunal will only search for records shared between the NSA and GCHQ prior to December 2014. And, unfortunately, it won’t reveal if the GCHQ obtained data about you on its own and/or shared it with the NSA, or if the NSA spied on you and didn’t share that data with GCHQ. The amount of data the Tribunal will search may also be limited.

“Once a claim is filed, the IPT will usually only search GCHQ’s records for unlawful activity during the year before the claim was submitted,” Privacy International notes. “What this means is that a claim submitted on 14 September 2015 would lead to records being searched for the time period between 14 September 2014 and 5 December 2014.”

There’s one other caveat about the request. The Tribunal can only search its data for information about you if you submit details such as your name, email address and phone number. Of course in submitting your email address and phone number, you’re potentially providing the British government with information it doesn’t already have about you. But, as Privacy International points out in its FAQ about the tool, there’s no way around this.

The good news is that if the tribunal does find information collected about you, GCHQ must delete that data once the investigation into your records is done, along with the request form you submitted.


Jeb Bush has been cozying up to Silicon Valley this election season, but his newly announced cybersecurity platform isn’t likely to win him many fans within the tech industry. In a lengthy post detailing his plans today, the former governor advocated for increased government surveillance, writing, “The National Security Agency and Cyber Command are on the front lines of defending the United States against cyberthreats. We must stop demonizing these quiet intelligence professionals and start giving them the tools they need.” But Bush is light on details as to what those tools would be.

Insert much gnashing of teeth by American tech companies and privacy advocates here.

In the post-Edward Snowden era, tech giants like Apple and Microsoft have become increasingly vocal about the need to protect user data from the prying eyes of the government. Meanwhile, privacy experts have panned proposed legislation like CISA, the Cybersecurity Information Sharing Act, insisting that it creates too many surveillance loopholes for the government. Bush, on the other hand, argues in his new proposal that the President should push Senate Democrats who oppose the bill “to allow this bill to come to the Senate floor for a vote.”

Bush is likely all too aware of the reaction these suggestions might receive from the tech world. That may explain why he also included a promise that seems out of place in a plan about cybersecurity: to “remove barriers to innovation in the tech industry.” This appears to be Bush’s way of softening the blow from the rest of his platform.

Bush is far from alone in this approach to cybersecurity. During last month’s Republican debates, former HP CEO Carly Fiorina emphasized the importance of tearing down the so-called “cyberwalls” that tech companies put up to protect themselves from government requests for data. And New Jersey governor Chris Christie and Florida Senator Marco Rubio have also called for increased intelligence capabilities.

For privacy concerned technologists in search of a conservative candidate, at least there’s always Rand Paul.


Update: 9:19 am ET 09/09/2015 Several hours after this story was published, John McAfee filed paperwork with the Federal Election Commission to run for President. He also launched an official campaign website.

If you didn’t think the 2016 election season could get any more batshit crazy than it already is, now, John McAfee—the self-described “eccentric millionaire,” who founded the anti-virus software company McAfee, and who once played Russian roulette with a loaded gun while WIRED writer Joshua Davis stood by—says he is considering joining the 2016 presidential race. But first, he says he’s hoping to persuade someone who is “smarter and more charismatic” than he is to run with his backing.

“I personally am still in a quandary about whether to run myself or find someone else for my party,” McAfee tells WIRED. “My advisors are pressing me to run.”

McAfee, who won’t name his advisors or his prospects for stand-ins, says he’s been mulling a run for some time at the urging of his online followers. “I have many thousands of emails saying please run for President,” he says. “It’s not something I would just choose to do on my own.”

But McAfee says he does believe the government is broken, largely because its leaders don’t understand technology as well as, well, he does. He points to the recent hacks of the U.S. Office of Personnel Management and Homeland Security as proof.

“Things like this cannot happen or should not happen,” he says. “It’s clear that the leadership of our country is illiterate on the fundamental technology that supports everything in life for us now, that is cyber science, our smartphones, our military hardware, our communications.”

McAfee argues that the fact that the government is urging tech companies like Apple to create so-called “backdoors” into their systems that would allow the government to collect information on users is another sign that public servants just don’t get it. “That means allowing hackers easy access to anybody’s data,” he says.

The prospect of a President John McAfee may sound absurd to you. If it doesn’t, please recall that McAfee was once arrested in Guatemala after fleeing Belize, where he was wanted for questioning by local police for the murder of his neighbor. No charges were brought against him in the murder case, but McAfee’s backstory is still a tad colorful for politics, even in the age of Trump.

Yet the privacy arguments he’s making aren’t altogether unlike the ones that Apple and other tech companies have been lobbying for in Congress.

Like Lawrence Lessig, the Harvard professor who is running for president to push an agenda for campaign finance reform, McAfee seems far more concerned with having his voice heard on one particular issue than with taking a seat in the Oval Office.

Which may explain why McAfee is seeking a stand-in for his presidential run. He also said he didn’t want to discuss other elements of his platform until he, er, knows whether he or someone else is going to be candidate. That announcement should come within the next 48 hours, according to McAfee. As for whether Donald Trump’s surprising popularity had anything to do with his presidential ambitions, McAfee said, “I have great respect for the man but he has nothing to do with my decision to run.”

The NSA was sloppy about guarding its classified secrets from Edward Snowden, but no one at the agency is in danger of being prosecuted for that security lapse. What Hillary Clinton did with her private email server, however, is criminal, says Snowden.

If any other State Department or CIA employee were using a private email server to send details about the security of embassies, as Clinton is rumored to have done, as well as sensitive meetings with private US government officials and foreign officials over unclassified email systems, “they would not only lose their jobs and lose their clearance, they would very likely face prosecution for it,” the NSA whistleblower said in an interview with Al Jazeera English.

“When the unclassified systems of the United States government, which has a full-time information security staff, regularly gets hacked, the idea that someone keeping a private server in the renovated bathroom of a server farm in Colorado, is more secure is completely ridiculous,” Snowden said, referring to the location of Clinton’s controversial email server, which had been maintained by the Denver-based company Platte River Networks, and to Clinton’s initial assertions that her server was secure and had suffered no security breaches.

Snowden is right about the punishment others would face for mishandling classified information. There have been a smattering of such prosecutions over the last decade, generally involving low-to-mid-level military and government personnel. Retired General David H. Petraeus, the former CIA Director, is one of the most prominent to be caught up in a case involving the mishandling of classified information. He was charged after an investigation revealed that he had improperly removed and stored top-secret information in eight personal notebooks that he kept in an unlocked drawer in his home study while CIA Director. The information in the notebooks included code words for secret intelligence programs, the identities of covert officers, and notes about discussions with the National Security Council. He eventually pleaded guilty to a misdemeanor charge of mishandling classified materials and was fined $100,000.

It’s been a month since news first broke that cheating site Ashley Madison was hacked. During that time Noel Biderman, CEO of the site’s parent company Avid Life Media, has remained confident in his company’s strength and endurance.

After Biderman refused to bend to the hackers’ demand to take Ashley Madison and another site offline, the perpetrators began to leak data stolen from the company’s networks. At first, the data was only about Ashley Madison’s spouse-cheating customers, but last week, private emails from Biderman’s corporate account hit the web. Today, following stories that Biderman may have engaged in a number of extramarital affairs, as revealed in those emails—ALM announced that Biderman is stepping down as head of the company.

“Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc, (ALM) and is no longer with the company,” the company said in a statement. “This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base.”

The statement didn’t indicate the sudden reason for Biderman’s departure, but it comes days after revelations of Biderman’s alleged infidelities.

Biderman founded the site, whose motto is “Life is short. Have an affair,” in 2001 and often referred to himself as the King of Infidelity. But despite encouraging other people to have affairs, Biderman, a married father with two young children, had long insisted that he had never cheated on his wife, nor did he want to.

“If I wanted to have an affair I would have one,” he told the New York Daily News last year.

But it turns out that Biderman may have been lying. At the time of that interview, the leaked emails suggest he may have already been engaging in a three-year sexual relationship with a Toronto escort who may have been paid for her favors.

Biderman apparently met the woman in 2012 at a spa. She emailed him in July 2012 identifying herself as “Melisa from the spa” and suggested they meet for coffee. Emails between them over the next two years depict a number of assignations at hotels.

The emails show it was the escort, who appears to have been a student at the time, who finally broke off their arrangement in September 2014 after she became concerned that her boyfriend might find out.

“He’s very intuitive and almost found out last time,” the woman wrote Biderman in a September 2014 email leaked by the hackers. “I’m sorry. I don’t want to lose him. As much as I need the money. I talked to him this morning and my sense of guilt made me imagine that he knows.”

Biderman appears to have offered her a job with the company, writing her in October that “I will also have a good ‘signing bonus’ for you :).” The woman later declined the job, however.

The leaked emails also show Biderman discussing meetings with other women, including one identified as Mila who gave Biderman a phone number that matched a profile on TheEroticReview.com web site for an escort named Mila.

WIRED was unable to determine if the specific emails suggesting infidelity are legitimate, but they were released with other files that have been verified.

It’s not clear why Biderman would engage so boldly in revealing conversations through his work email account—instead of using a private account. Any system administrator working for the company would have been able to access his emails and view the conversations.

Authors’ note as of 8/25/2015 at 11:40 a.m. ET: One of the sites linked to in this post—Trustify—is embroiled in controversy surrounding how it has been contacting people whose emails are found in the Ashley Madison data dump, as well as how it encourages those people to then pay for its P.I. services. Rather than go into that here in this How To, we have detailed the entire debacle in a separate article that we encourage you to read.

Wait. Stop. Don’t do this. Don’t check these websites1.

Let’s just all take a deep breath and reflect on what has become of us, as a people. A website was created so that married people could easily cheat on each other, and then a reported 40 million people signed up, and then angry hackers stole their data and released it to the world out of righteous vengeance. And now the moral crowd gathers to shame and condemn. To point fingers. To search for spouse’s emails with breath clenched tight. This is the sad state of modern affairs (OK, yes, pun intended). This is the quiet desperation of the masses. This is the pathetic morass of our culture.

We should not play along. We should get off the ride. We should not search this database for our loved ones. We should take our kids to the water park. We should close our computers and walk out into the sunshine of late summer and feel the heat of our glorious life-sustaining superstar on our cheeks.

But if you’re not going to do that, you can search through the data dumped last night by the hackers who hit Ashley Madison by visiting this site, which was launched yesterday by Trustify, an Internet investigation service that caters to romantic suspicions. Or, if you prefer, you could use this tool. Or this one. All you have to do is enter an email, any email, and see if it was hacked. Finding the email on the list means yes, there was an Ashley Madison account tied to it. But, crucially, Ashley Madison never required email accounts to be verified, so finding someone’s email here does not necessarily mean they set up an account for themselves; anyone could have signed up using that address. If you are already a subscriber to “have i been pwned,” a site that alerts people if they have been breached, and you are able to verify the email address you are checking, then that site can also tell you.2

“We are getting about one customer search per second since this morning [via the app],” says Trustify’s Danny Boice. Boice said regardless of what comes up, many of these customers end up booking a Trustify private investigator. “We are getting an even number of men who were using Ashley Madison coming to us to do damage assessment as we are spouses who suspect they are being cheated on.”

When asked about the possibility of doubting significant others checking up on their companions using Trustify’s new tool, Boice says “Trustify is in the business of finding the truth. We do this in an objective and un-biased way. We don’t intervene in how or why people want the truth or answers, we simply use our investigative pool to provide them.”

We checked a few emails we knew were among the stolen, and they came up using every tool linked above, so they appear to be legit.

But again, maybe don’t check. No good can come of this.

1Updated on 8/19/2015 at 3:04 p.m. to Add additional sites that are offering the same service.

2 Updated on 8/19/2015 at 4:45 p.m. to clarify that only subscribers with verified email addresses can search the data on “have i been pwned.”

It’s one thing to talk about security vulnerabilities in a product, but another to provide a proof-of-concept demonstration showing the device being hacked.

That’s what occurred last month when BlackBerry Chief Security Officer David Kleidermacher and security professional Graham Murphy showed how easy it is for hackers to take control of a hospital drug infusion pump by overwriting the device’s firmware with malicious software.

The hack would allow someone to remotely administer a fatal drug dose to patients.

Although the video demonstration, conducted at the BlackBerry Security Summit in New York, doesn’t identify the model and brand of the pump being attacked, security researcher Billy Rios says it’s the LifeCare PCA drug infusion pump made by Hospira, an Illinois-based firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

Rios knows this because the demonstration is using vulnerabilities he uncovered in several models of drug infusion pumps made by Hospira—the PCA, PCA3, PCA5, Symbiq, Plum A+, and the Plum A+3.

As previously reported by WIRED, those security problems would allow attackers to raise the software-defined upper limit on the dosage delivered to a patient before then administering a deadly dose.

Although the FDA issued an alert about the PCA3 and PCA5 pumps earlier this year, it declined to warn hospitals about the other models. And it’s unclear if hospitals have heeded the warning about any of the unsecured devices.
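Both the update-channel option in the Washington Post memo above and the pump demonstration come down to the same failure: a client or device installs whatever the channel hands it, with no check that the bytes came from the publisher unchanged. The example below is added here and is not code from the page, from Microsoft, Hospira or BlackBerry. It shows the minimum check a client should run before installing: verify an Ed25519 signature under a publisher key pinned in advance, and refuse version rollback so a genuine but older, vulnerable image cannot be replayed. The `Update` format, the function names and the sample payloads are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what a client or device pulls from an update channel: the payload
// (a software package or a firmware image), a version counter and the
// publisher's signature. Hypothetical format for this example, not the wire
// format of Windows Update, Hospira's pumps or any real vendor.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update: signature does not verify under the pinned publisher key")
	ErrRollback     = errors.New("update: version is not newer than the installed version")
)

// digest binds the version counter to the payload, so a valid signature cannot
// be moved onto a different payload and an old, validly signed payload cannot
// be replayed under a new version number.
func digest(version uint64, payload []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// Sign is the publisher side: run in the release pipeline with a private key
// that never leaves it.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// Verify is the client side, run before a single byte of the payload is
// installed. pub is the publisher key pinned at build or manufacture time;
// installed is the version currently running.
func Verify(pub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint64(1)

	// Constructed sample payloads standing in for a real firmware image.
	good := Sign(priv, 2, []byte("pump-firmware-v2"))
	fmt.Println("genuine update:", Verify(pub, installed, good))

	// Someone on the update path swaps in a modified image but cannot re-sign
	// it: the Flame/Windows Update case, or the pump firmware overwrite.
	tampered := good
	tampered.Payload = []byte("pump-firmware-v2+implant")
	fmt.Println("tampered payload:", Verify(pub, installed, tampered))

	// Replaying a genuine image that is not newer than what runs is refused.
	fmt.Println("replay of current version:", Verify(pub, 2, good))

	// An image signed with a key other than the pinned one is refused.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(otherPriv, 3, []byte("pump-firmware-v3"))
	fmt.Println("wrong signing key:", Verify(pub, installed, forged))
}
```

A check like this defeats a third party that rewrites an image in transit or on the device, which is what Flame exploited and what the pump demonstration relies on. It does not defeat the scenario the memo actually contemplates, a vendor compelled to sign a malicious update with its own key; the client would accept that update exactly as it accepts a genuine one, which is why the memo's worry about trust in the channel itself is well founded.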

You don’t need to be a Wall Street insider to pull off insider trading anymore. Today, nine traders and hackers allegedly involved in an insider trading scheme were indicted for stealing advance copies of press releases, according to a Justice Department announcement.

The group is accused of hacking into the networks of Marketwired, PR Newswire Association and Business Wire to access copies of press releases that had not yet been published. The traders then used this information, sometimes acquired just minutes before the releases were published, to make their own trades. The scheme—which lasted from February 2010 to August 2015, according to the release—appeared to be a massive success. The feds seized bank accounts holding over $6.5 million in alleged criminal proceeds, as well as $5.5 million worth of property, including a house boat, an apartment building in Georgia and a shopping center in Pennsylvania.

This is the latest example of the web being used to manipulate the stock market. Earlier this year a fake news story attributed to Bloomberg briefly inflated Twitter’s stock price. A similar ploy was used in a scheme to pump and dump Google stock in 2012. And in 2013 the hacker group called the Syrian Electronic Army took responsibility for hacking into the Associated Press’s Twitter account to post messages that caused a stock market panic. But this may be the most elaborate of these schemes yet.

Oracle undoes the problems created by their CSO’s rant by deleting her blog post. Done. PS: http://t.co/EyvsPngufQ pic.twitter.com/Tckm33b91H

— Mikko Hypponen (@mikko) August 11, 2015

If you take apart Oracle’s software and find a hackable vulnerability, don’t tell the company. Or at least not its chief security officer.

“If you are trying to get the code in a different form from the way we shipped it to you…you are probably reverse engineering,” writes Oracle CSO Mary Ann Davidson. “Don’t. Just – don’t.”

That, in short, is the message of a nearly 3,000-word rant Oracle Chief Security Officer Mary Ann Davidson wrote on her company blog yesterday. The post was deleted sometime before Tuesday morning, but is still visible on the Internet Archive. Davidson rails against customers who report bugs to the company, and complains that she’s increasingly having to write responses to them telling them to stop violating their license agreement, which forbids the reverse engineering of their software.

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it,” she writes. “This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

The post set off an immediate firestorm in the security industry, which, aside from Oracle, has increasingly adopted a friendly attitude toward reverse engineers and benign hackers. Standard practice for a company that receives a report of a previously unknown, unpatched vulnerability in its software, a so-called “zero-day” bug, is to credit the researcher or even pay a monetary “bug bounty.” Practically every major tech company, from Google to Microsoft, and increasingly companies outside tech, from United Airlines to Tesla, now runs some version of those reward programs.

Davidson, who has a long history of adversarial relationships with security researchers, took a harshly opposite tone. “We will also not provide credit in any advisories we might issue,” she wrote. “You can’t really expect us to say ‘thank you for breaking the license agreement.’”

Oracle vice president Edward Screven explained the post’s deletion in a statement to WIRED Tuesday afternoon. “The security of our products and services has always been critically important to Oracle,” Screven writes. “Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”[1]

Despite that pseudo-apology, here are a few of the response tweets from the security community, many of which excoriate Oracle for rejecting free security advice and make the undeniable point that the company’s real enemies—nation-state hackers and cybercriminals—won’t abide by Oracle’s draconian prohibition on reverse engineering.

When you outlaw reverse engineering, only outlaws will reverse engineer. Oh, and nation states. Don’t forget them.

— David Litchfield (@dlitchfield) August 11, 2015

BREAKING NEWS: APTs and cyber criminals announce they will no longer reverse engineer Oracle because it is a violation of the terms

— George V. Hulme (@georgevhulme) August 11, 2015

Oracle’s crazy don’t-look-don’t-tell policy on vulnerabilities is fun to mock, but also a serious threat to our community.

— matt blaze (@mattblaze) August 11, 2015

don’t bother sending @oracle annoying bug reports, they prefer you anonymously drop 0day or sell to the highest bidder.

— Ralf (RPW) (@esizkur) August 11, 2015

[1] Updated 3 p.m. EST with a comment from Oracle explaining the post’s deletion.


The Stagefright bug has quickly frightened cell phone manufacturers into action. It’s been just over a week since researchers alerted the public to the serious flaw that has been called the worst Android “bug ever discovered,” and the major Android manufacturers have already taken concrete steps to fix it.

Google announced yesterday that it will now roll out regular monthly over-the-air security updates to its devices. So will Samsung. And LG.

“LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority,” an LG representative told WIRED today in an email.

Yesterday, Samsung announced a similar program in a blog post: “Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.”

As for Google, its updates will be rolling out to its entire Nexus line. “The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player,” Adrian Ludwig, Lead Engineer for Android Security, and Venkat Rapaka, Director of Nexus Product Management wrote in a blog post.

The first updates from all three companies will address the Stagefright vulnerability, which would have allowed a hacker to gain access to your Android device simply by sending a specially crafted multimedia message that the device’s media library processes automatically. Though the problem is easy to fix and Google had a patch ready when the news broke last week, getting it out to the fragmented Android ecosystem was another story. For most devices, Google depends on the individual phone manufacturers to push updates to their customers. The good news is that the reaction to Stagefright was uncharacteristically swift. In addition to these new regular security update programs from Google, Samsung and LG, other major manufacturers such as HTC and Sony, as well as Google’s Android One partners, are reportedly sending Stagefright patches out to customers.

If you’re not sure whether your device is vulnerable to Stagefright, the researchers who uncovered it released an app yesterday that can tell you.

A federal court gave new hope this month to victims of data breaches. In the past, most class-action lawsuits filed by victims have been dismissed by courts for lack of standing: although a victim’s personal data might have been stolen, unless he or she suffered actual damages from identity theft or fraudulent bank card charges, the victim had no standing to sue under Article III of the Constitution. And since banks promise zero liability to consumers whose cards are stolen and misused, victims of card breaches typically suffer no actual losses.

But this month the Seventh Circuit Court of Appeals, which covers Illinois, Indiana, and Wisconsin, bucked the trend when it ruled that breach victims do have standing, regardless of whether they have yet suffered damages.

The case, Remijas v. Neiman Marcus, involves four consumers who filed a class-action complaint against Neiman Marcus after a breach of its computers in 2013 gave intruders access to card data for some 350,000 customers. About 9,200 of the victims had cards that were subsequently used for fraudulent transactions, but none of them suffered actual losses. Nonetheless, the court ruled that everyone affected by the breach, regardless of whether or not their account numbers were used for fraud, had standing to sue because once a card number got stolen the likelihood that it would be used for fraud was high, and there were “identifiable costs” associated with the effort expended to sort out the issue, seek reimbursement if fraud did occur and update auto-pay accounts with the new numbers on replacement cards.

BREAKING: http://t.co/Q8cXe58njh health website is under attack by anti-abortion extremists.

— Planned Parenthood (@PPFA) July 29, 2015

Planned Parenthood has been at the receiving end of a war of words from activists and GOP politicians in the wake of controversial videos purporting to reveal that the health organization sells body tissue from aborted fetuses. (It doesn’t.) Now the battle has moved from words to hacks. Planned Parenthood tweeted Wednesday afternoon that its site was under attack “by anti-abortion extremists,” suggesting that a coordinated DDoS assault was trying to take the site offline. Though there were reports on Twitter of the site being down for a brief period, it quickly came back up.

“Today, the Planned Parenthood websites experienced a wide scale distributed denial of service (DDoS) attack, a hacker tactic to overwhelm websites with massive amounts of traffic to block any legitimate traffic from getting in,” Dawn Laguens, Executive Vice President of Planned Parenthood, told WIRED in an e-mail.

Planned Parenthood elected to take its site back offline for a day “in order to ensure that we are fully protected,” Laguens wrote. “We’ll be redirecting visitors to our Facebook pages during that time. Planned Parenthood is committed to getting people the information they need to make healthy decisions and meet their goals in life—and we deeply regret that in order to more fully protect our websites from these extremist attacks, our full online content will be temporarily unavailable to people looking for good, accurate health information. We will continue to work to reach people where they are online, and our sites will be back up soon.”

@DrJenGunter it looks like it is: http://t.co/VCtQYuF06F pic.twitter.com/EUqIRegjtJ

— J. Dickinson Goodman (@JessiDG) July 29, 2015

This follows days of controversy for the women’s health organization. Yesterday, a third video was released. Then, Republican Senators said they would vote to defund the organization. Today, Marco Rubio set off a Twitter firestorm after he tried to equate the unrelated story of the killing of Cecil the lion with Planned Parenthood. And, after defending the organization earlier, Hillary Clinton today called the latest videos released “disturbing.”

Updated at 11:52 p.m. ET with commentary from Planned Parenthood.

One month after a law was passed ending the NSA’s bulk collection of US phone records, the director of national intelligence announced today that records previously collected by the spy agency will be destroyed, according to the Associated Press.

The director of national intelligence did not say when the records would be destroyed, but noted that they must be retained as long as lawsuits around the collection program are ongoing.

After the program was ruled illegal by a court in May, lawmakers passed a bill last month that put an end to the NSA’s bulk phone data collection by having telecoms store the records instead. The legislation would still allow the government to access the records by obtaining an order from the Foreign Intelligence Surveillance Court any time it wishes to view them, but would limit that access to records relevant to a national security investigation.

The bill gives the NSA a 180-day grace period to end its collection program and develop a new system for requesting permission to access records from the phone companies. But it was always unclear what would happen to the millions of records the NSA had already collected. The director of national intelligence said today that the spy agency would cease using the existing records by November 29, after which they would be destroyed once pending lawsuits have ended.

A United Airlines plane sits on the tarmac at San Francisco International Airport on June 10, 2015. Justin Sullivan/Getty Images

Today, United Airlines grounded all its domestic flights over an “automation issue” with its computer system. United had to ground its domestic fleet last month, too. Passengers aboard affected flights indicated then that it had to do with bad flight plans being automatically uploaded to pilots. Then later in June, the Polish airline LOT was hit with what seemed like the exact same problem.

No word yet on whether today’s automation issue is also related to flight plans, but as our coverage of the earlier instances suggests, the protocol used to deliver flight plans does not authenticate them, which makes them an easy target for tampering.

Here are our full stories on those earlier groundings.

All U.S. United Flights Grounded Over Mysterious Problem

On June 6, all United Airlines flights in the US were grounded for nearly an hour over “dispatching information.”

Though United never indicated the exact cause for the grounding, tweets from onboard passengers suggested it had to do with faulty flight plans.

All Airlines Have the Security Hole That Grounded Polish Planes

Takeaway from our analysis? The problem is systemic.

Kim Zetter writes of the Polish airline incident: Although Polish authorities haven’t provided details about what occurred with the flight plans in that case, the problem with both the LOT planes and United may very well be the protocol for delivering flight plans: It doesn’t require authentication.

However, don’t freak out. Though the problem is troublesome, it is not a safety issue. We repeat: it is not a safety issue.
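The unauthenticated-delivery problem Zetter describes, as an added example that is not WIRED’s code and not any airline’s or air-traffic system’s actual protocol: a hypothetical "KEY=VALUE" flight-plan message format, with a receiver that simply parses whatever arrives placed next to one that first checks an HMAC-SHA256 tag computed under a key shared by dispatch and the receiver. The format, the field names, the shared key, the sample plan and the `tamper` helper standing in for an on-path attacker are all constructed for this example.

```python
import hashlib
import hmac

# Hypothetical shared key between the dispatch system and the receiving
# aircraft/operations system. Constructed for this example; not a real key.
SHARED_KEY = b"demo-dispatch-key-not-real"

# Constructed sample plan in the toy KEY=VALUE;KEY=VALUE format.
PLAN = "FLT=UA0001;DEP=SFO;DEST=ORD;ROUTE=DCT OAL J58 DEN;ALT=FL350"

REQUIRED_FIELDS = ("FLT", "DEP", "DEST", "ROUTE")


def parse_plan(body: str) -> dict:
    """Parse the toy plan body into a dict, rejecting malformed or incomplete input."""
    fields = {}
    for item in body.split(";"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed field: {item!r}")
        key, value = item.split("=", 1)
        fields[key.strip()] = value.strip()
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return fields


def serialize_plan(fields: dict) -> str:
    """Inverse of parse_plan for the toy format."""
    return ";".join(f"{k}={v}" for k, v in fields.items())


def receive_unauthenticated(body: str) -> dict:
    """Model of a receiver that trusts whatever arrives: parsing is the only check."""
    return parse_plan(body)


def sign_plan(body: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag over the body, giving 'BODY|hex-tag'."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def receive_authenticated(message: str, key: bytes) -> dict:
    """Verify the tag before parsing; any change to the body invalidates it."""
    if "|" not in message:
        raise ValueError("no authentication tag: plan rejected")
    body, tag = message.rsplit("|", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: plan rejected")
    return parse_plan(body)


def tamper(body: str, field: str, value: str) -> str:
    """Stand-in for an on-path attacker rewriting one field of a plan body."""
    fields = parse_plan(body)
    fields[field] = value
    return serialize_plan(fields)


def demo() -> tuple:
    """Return (route the unauthenticated receiver accepted,
    whether the authenticated receiver rejected the same tampering)."""
    forged = tamper(PLAN, "ROUTE", "DCT XYZ")
    accepted_route = receive_unauthenticated(forged)["ROUTE"]

    signed = sign_plan(PLAN, SHARED_KEY)
    body, tag = signed.rsplit("|", 1)
    # Attacker edits the body but can only reuse the genuine tag.
    forged_signed = tamper(body, "ROUTE", "DCT XYZ") + "|" + tag
    try:
        receive_authenticated(forged_signed, SHARED_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return accepted_route, rejected


if __name__ == "__main__":
    print(demo())  # ('DCT XYZ', True)
```

A shared-key MAC is the simplest way to show the difference, but it means every dispatch source and every receiver must hold the same secret; a digital signature over the plan avoids that. Either way, a real fix would also bind a sequence number or timestamp into the authenticated body so that an old, genuinely signed plan cannot simply be replayed.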

Around 9 a.m. Wednesday, the FAA announced that United Airlines has grounded all flights in the United States over what it is calling “an automation issue.”

United Airlines is down. This is the line at LAX terminal. People basically waiting with no information. @myfoxla pic.twitter.com/RDYPc2BdlP

— Mario Ramirez (@MarioFOXLA) July 8, 2015

Last month, United grounded all domestic flights after what appeared to be an issue with faulty flight plans being uploaded to pilots.

BREAKING: United Airlines flights on regional partners no longer affected by grounding: FAA

— Reuters Top News (@Reuters) July 8, 2015

Flight delays are expected throughout the day. We’ll follow up with more news as we have it.
