U.S. Courts WIRETAP REPORTS ARCHIVE

Some interesting data in the Statistics section on the U.S. Courts website.   Neat to view different states and their wiretap costs, quantities and type (narcotics, homocide, gambling)

http://www.uscourts.gov/Statistics/WiretapReports/WiretapReports_Archive.aspx

I’m disappointed to see no one has created an app on Data.Gov with the above data.  I couldn’t find anything from the US Courts on data.gov (i.e. bankruptcy).  Who has free cycles!?

Posted in news, privacy | Leave a comment

U.S. Visa questions

Check out some of the US Visa questions (Don’t ask….I’m marrying a Ukrainian bride)….does anyone answer Yes to these?

Click the image below…

US Visa Questions

Posted in news, system7 | Leave a comment

Do they have your dox!?

AboutTheData.com just publicly launched this week. It’s brought to you by Acxiom, one of the web’s advertising heavy hitters. After verifying your identity the site allows you to view all of the marketing data they’ve collected about you (demographics, family, loans, auto/home, employment, education etc). They’re also very nice —- they let you update the information in case it’s not accurate! I found my dox to be lacking — not surprising as I don’t believe I’m any of Acxiom’s target demographics.

More from NYTimes here

Posted in news, privacy | Tagged | Leave a comment

Another breach notification…

Dear valued community members,

On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts password was discovered, and from there further escalation wasn’t too difficult considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don’t know for sure if the hacker only downloaded the user tables or not, although that’s the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It’s best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, a Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords…

… And remember: don’t use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

Any questions, please do feel free to ask.
Please stay on topic.

Kind regards,
Board of Directors
Simple Machines

Announcement URL: http://www.simplemachines.org/community/index.php?topic=508232.new#new

Posted in news, privacy, security | Tagged , , | Leave a comment

AT&T’s new Privacy Policy….

I received an updated AT&T privacy policy in the mail yesterday.  They’re making their policy easier to understand AND “pointing out programs that could help other businesses serve you better”

That’s great, so AT&T isn’t getting enough revenue from our cellular subscription fees — they also have found new ways to generate revenue by undermining our privacy.  Of course it’s not just AT&T, but all big (and smart?) companies.

It sounds like AT&T is now selling cell tower/node registration information to third parties.  Kevin Mitnick was tracked using cell tower triangulation.  This same concept can be bundled as a service and sold to retailers i.e. What time of day/week are the most 25-35year old males in a 1 mile vicinity of our storefront?  Maybe we’ll have a scantily clad woman stand on the street to lure these men into the store.

For example, we might provide reports to retailers about the number of wireless devices in or near their store locations by time of day and day of week, together with the device users’ collective information like ages and gender.

The second program sounds like using location data coupled with advertisements.  If your cell phone is frequently showing up near airports or hotels you’ll get travel focused ad’s.

ATT Privacy Policy Page 2ATT Privacy Policy Page 1

Posted in news, privacy | Leave a comment

eBay’s new Terms of Service and Privacy Policy

I received a notification from eBay over the weekend regarding an update to their User Agreement, Privacy Policy and Buyer Protection Policy.  After skimming the updated policies I did not notice anything invasive or earth shattering.  Companies periodical perform a policy review/refresh and it is a time to try and sneak in anti-privacy clauses.

Some highlights:

Provisions regarding use of eBay’s mobile applications. To cover the growing popularity and use of eBay’s mobile applications and to provide for possible new ways we may display the terms and conditions applicable to them in the future, we added references to these applications throughout.

Updates relating to eBay’s contacts with members. We updated provisions of the User Agreement to provide further clarity regarding the purposes for and circumstances under which eBay or its service providers may contact members using autodialed or prerecorded voice message calls and/or text messages and the circumstances under which eBay may share members’ contact information with members of the eBay corporate family or other parties.

Updates to the Buyer Protection provision. We updated the provision to reflect our ability to remove funds from a seller’s PayPal account in a currency other than the currency of the transaction at issue where the seller does not have sufficient funds available in the transaction currency.

All in all, eBay and its corporate family (PayPal, StumbleUpon, StubHub) have fair policies.  You wouldn’t expect a large company with as many users to get away with substandard user protections for long.

Posted in news, privacy | Tagged , | Leave a comment

Why aren’t more businesses proactive?

Posted in news, security | Leave a comment

Conducting open source intelligence gathering

There’s an excellent article, The Subtle Art of OSINT, that details gathering intelligence from freely available sources.

Some of the sources discussed include:

  • Google hacking
  • Wayback machine
  • Social media
  • WHOIS / Robtex
  • Maltego
Posted in news, privacy, security | Tagged , , | Leave a comment

A Guide to Defending Privacy at U.S. Border

Take a look at the EFF’s latest article “Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices”

Account Passwords vs. Full Disk Encryption:

This distinction makes a major practical difference. Bypassing an account password is a routine operation that can be done automatically with forensic software that bypasses the operating system and looks directly at the disk, your account password is no obstacle for this forensic software. Fortunately, modern computer systems come with comparatively easy full-disk encryption tools that let you encrypt the contents of your hard drive with a passphrase that will be required when you start your computer. Using these tools is the most fundamental security precaution for computer users who have confidential information on their hard drives and are concerned about losing control over their computers — not just at a border crossing, but at any moment during a trip when a computer could be lost or stolen.

Simply deleting data from your hard drive with your normal OS file deletion features is not secure and the data is still present and recoverable on your hard drive. Just because deleted files are no longer visible in your operating system’s file manager does not mean that a forensic expert can’t undelete them or deduce that they were once present.

If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply. Only a judge can force you to reveal information to the government, and only to the extent that you do not have a valid Fifth Amendment right against self-incrimination.

It’s extremely important that you do not tell a lie to a border agent. If you are absolutely sure that you don’t want to answer a specific question, it’s better to politely decline to answer than to give a false answer.

Be aware that border agents may search your camera, copy its contents, or try to undelete images or videos that you believe you’ve deleted and that are no longer visible from the camera’s user interface.

Posted in news, privacy | Tagged , | Leave a comment

Uncrackable Passwords

The H has an interesting article on storing passwords to prevent unauthorized access and identity theft.  The article discusses the following methods and downfalls associated with each:

  1. Plaintext
  2. Hashing
  3. Hashing with salt
  4. Key stretching
  5. Hashing with multiple rounds
  6. Determining cipher used

Most importantly, don’t reinvent the wheel if you’re building an application requiring authentication.  Rely on tested frameworks such as OAuth or PHPass.

 

 

 

Posted in news, privacy, security | Tagged , , , | Leave a comment