Smells Like Incompetence
via journalist Malena Carollo, reporting for the Christian Science Monitor, comes an astonishing news item on the Office of Personnel Management (OPM) breach, perhaps the single most egregious failure in federal information security this century (so far...).
"Moving forward, Archuleta assured the committee that OPM would continue to improve their cybersecurity efforts and work on the recommendations given by the Inspector General "to the best of our ability." "That’s what frightens me, Mrs. Archuleta," said Rep. Mick Mulvaney (R) of South Carolina, "that this is the best of your ability." - via Malena Carollo reporting at the Christian Science Monitor
New PayPal User Agreement, Demands Your Firstborn...
or Why-I-Am-Not-A-PayPal-Customer...
via The Washington Post's Brian Fung comes the unsurprising news of blatant stupidity amongst the cubicles at PayPal, this time taking the form of the company's new user agreement. How this will play out once the Federal Trade Commission takes a gander is anyone's guess. Read it and weep.
House of Drafts →
via AlienVault's Russ Spitler comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time the tale is bolstered by empirical research: the AlienVault researchers discovered that "there is a good chunk of the EC2 users who left their front door open".
I am fascinated by AlienVault's findings. Consider for a moment that the issues are customer-made, within each customer's own virtual environment; the scenario boggles the mind.
Then there are the recently published Amazon Web Services SOC 1, 2 and 3 Reports (acronym definition: SOC, Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact. The SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germane to the AlienVault research, as it encompasses the standard information security tenets of Security, Availability, Processing Integrity and Confidentiality; tenets of which, apparently, many customers of the AWS EC2 product are blissfully unaware (at least those running the offending listeners). The caveat a practitioner should keep in mind: those reports attest to the controls on Amazon's side of the shared-responsibility line. A security group that admits the entire internet to a database listener is the customer's doing, and no SOC report covers it.
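What "front door open" looks like in practice is an ingress rule granting 0.0.0.0/0 (or ::/0) access to a management or database listener. The Python below is an added example, not AlienVault's research code nor anything from AWS: it audits security-group descriptions in the shape boto3's describe_security_groups() returns and flags world-open sensitive ports. The group IDs, CIDRs and the port list are constructed and illustrative.

```python
"""Audit EC2 security groups for sensitive listeners open to the whole internet.

Added example (not AlienVault's or AWS's code). It consumes the dict shape that
boto3's ec2.describe_security_groups() returns under "SecurityGroups"; the
SAMPLE_GROUPS below are constructed so the check runs offline.
"""
import ipaddress

# Ports that have no business being reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {
    22: "ssh", 23: "telnet", 135: "msrpc", 445: "smb", 1433: "mssql",
    1521: "oracle", 3306: "mysql", 3389: "rdp", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}


def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def sensitive_ports_in(perm):
    """Sensitive ports granted by one IpPermissions entry. IpProtocol "-1"
    means every protocol and port; ICMP and friends have no ports at all."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(groups):
    """Return sorted (group_id, port, service, cidr) findings for every ingress
    rule that exposes a sensitive port to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in filter(is_world_open, cidrs):
                for port in sensitive_ports_in(perm):
                    findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return sorted(findings)


# Constructed sample: one "front door open" group and one sane one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0badf00d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},  # fine: a web listener
    ]},
    {"GroupId": "sg-0c0ffee0", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},  # bastion only
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},  # group-to-group, not CIDR
    ]},
]

if __name__ == "__main__":
    # Live use: boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for gid, port, service, cidr in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {service}/{port} open to {cidr}")
```

Point it at the real output of describe_security_groups() and the same function gives a per-account list. Every finding is a customer-side misconfiguration, exactly the sort of thing the SOC reports above do not, and cannot, attest to.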
Top Ten List of Most Exposed Software →
via Anthony M. Freed, writing at InfosecIsland comes this unfortunate, and unsurprising story of the top ten exposed applications currently on a majority of computational devices hereabouts, and the ramifications thereof.
Über Alles? →
Interesting Uber v. John Doe case, in which Uber, through a magistrate, issues what is fundamentally a Your Papers Please subpoena to GitHub and demands, through the courts, records GitHub holds closely.
In this case, access has been granted by the magistrate permitting examination of the two Gists at GitHub containing the unfortunate error made by Uber employees (an Uber developer/DBA had posted credentials to internal databases on a very public Gist).
Uber argued (successfully - mh) during the hearing that the two Gist posts (both of which have been offline since the lawsuit was filed) should have had very little traffic, and the data on who visited them "should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download." - via El Reg's Kieren McCarthy
Bad Decisions At Oracle
Meanwhile, in idiotic-decisions-made-by-a-Fortune-500-company news... quite likely one of the world's largest software publishers, Oracle Corporation (NYSE: ORCL), has been installing adware along with the Java SE Runtime and other Java applications on user machines. Evidence of greed or just bad decisions? You be the judge. In this case, when installing the Java bits, the Ask.com toolbar is loaded onto the unfortunate victim's machine (users can opt out, but the installer does not make that an easy choice).
"Tests on a Mac running the latest OS X release proved Oracle's newest Java installer will tack on the Ask extension to both Google's Chrome browser and Apple's Safari, using what some may consider deceptive practices. The option to install Ask is selected by default, meaning users proceeding through installer pop-ups are unlikely to notice the adware until they open a new browser window. Once installed, Ask's extension points the browser's homepage to Ask.com and inserts the Ask toolbar just below the address bar." - via AppleInsider
Uber's Private DB Key On Public GitHub Page →
Meanwhile, in Blatant Stupidity news, Ars Technica's Dan Goodin writes of the latest Uber misstep. This time, Uber managed to store the PRIVATE KEY for an encrypted database (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a public GitHub page. Apparently there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY, within Uber's apparently crack IT department... Oops.
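Both Uber stories above (the database credentials in a public Gist and the database key on a public GitHub page) are the same failure: secret material leaving a private machine for a public one with nothing in between to object. The Python below is an added example, not Uber's or GitHub's tooling, of the pre-commit or pre-paste check that should have objected. The regexes are a starting set, the entropy threshold is a tuning assumption, and SAMPLE_GIST is constructed (the AWS key in it is the example key from AWS's own documentation, not a live credential).

```python
"""Pre-publication scan for credentials and private keys in text headed for a
public gist or commit. Added example; not Uber's, GitHub's, or Ars's code.
The patterns are a starting set, and SAMPLE_GIST is constructed."""
import math
import re

# PEM private-key header, any flavour: RSA, EC, OPENSSH, or PKCS#8 "PRIVATE KEY".
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Connection strings with an embedded password: scheme://user:password@host
URL_CREDENTIAL = re.compile(r"(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)([^@\s]+)@", re.I)
# key = value lines whose key name smells like a secret (value captured)
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?([^\s\"']{6,})")
# AWS access key IDs have a fixed prefix and 16 upper-case alphanumerics.
AWS_ACCESS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def shannon_entropy(s):
    """Bits per character. Real secrets score high; words and placeholders do not."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan(text, entropy_threshold=3.0):
    """Return [(line_no, kind, evidence)] for each suspected secret.
    Assignment hits are reported only when the value is high-entropy, so
    placeholders such as `password = changeme` do not bury real findings.
    Passwords found in URLs are masked in the evidence field."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((no, "private_key", line.strip()))
            continue
        aws = AWS_ACCESS_KEY.search(line)
        if aws:
            findings.append((no, "aws_access_key", aws.group(0)))
        url = URL_CREDENTIAL.search(line)
        if url:
            findings.append((no, "url_credential", url.group(1) + "***@"))
            continue
        for m in ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((no, "assignment", m.group(1).lower()))
    return findings


# Constructed sample of a config that must never be pasted publicly.
SAMPLE_GIST = """\
# constructed sample: the kind of config that must never be pasted publicly
DATABASE_URL = postgres://app:Zt8qL2p-xV9wKm3@db.internal:5432/drivers
db_password = changeme
api_key = "4f9d2c7e1b8a6f3e0d5c2b9a7e4f1c8d"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0123constructedkeymaterial
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for no, kind, evidence in scan(SAMPLE_GIST):
        print(f"line {no}: {kind}: {evidence}")
```

Wire it into a pre-commit hook (or run it over the clipboard before pasting to a Gist) and the key-material lines above never leave the developer's machine. The entropy gate is what keeps the tool usable: a placeholder like changeme is low-entropy and stays quiet, a real 32-hex-digit API key is not and does not.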
Superfish Samoleans
Superbly minimalist posting via Uncrunched by the inimitable Michael Arrington, detailing the VCs, board members and others behind Superfish. As interesting, but for different reasons, are the information security businesses (in this case anti-virus flogger Lavasoft) also utilizing the SSL MITM module (aka Redirector) from Komodia. Oops.
Meanwhile, in Blatant Stupidity News...
Lenovo, the People's Republic of China based PC manufacturer, manages to both shoot itself in the foot and simultaneously launch a massive MITM attack targeting its own customers. All caused by some deep-seated need to serve up advertising on individual laptops sold to the company's customers. Astounding.
Regardless, Ars Technica has the solution for PC aficionados who have experienced or are experiencing this issue: re-install with a clean version of your OS of choice; or, Lenovo has posted an Uninstall Superfish page. One caveat: removing the application alone is not enough. The root certificate Superfish added to the system's trusted store is what makes the interception silent, and it has to go too.
GoDaddy, Compromised Again... →
What, really? Apparently, GoDaddy security has failed to measure up, yet again. via Swati Khandelwal, writing at The Hacker News, comes the sorry tale of failed code (in the form of XSRF, cross-site request forgery, vulnerabilities), obviously failed quality control and, on top of all of that, no security checks pre-deployment. Astounding.
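For readers who do not have XSRF front of mind: the browser attaches a site's cookies to any request bound for that site, including one an attacker's page triggers, so a handler that authenticates by cookie alone will act on the attacker's behalf. The Python below is an added example, not GoDaddy's code, of a vulnerable DNS-update handler beside a hardened one. The request dict, the session store and the https://dns.example origin are constructed stand-ins for a real framework's objects.

```python
"""Cross-site request forgery: a handler that trusts the session cookie alone,
beside one that also demands a per-session anti-forgery token and a same-site
Origin. Added example, not GoDaddy's code; the request dicts stand in for a
real framework's request object and are constructed."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)          # production: from a secrets store, rotated
SESSIONS = {"sess-abc123": {"user": "alice"}}    # constructed session store
SITE_ORIGIN = "https://dns.example"              # hypothetical control-panel origin


def csrf_token_for(session_id):
    """Token derived from the session id, so it needs no extra server state and
    a token lifted from one session is useless against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_update_dns(req):
    """Accepts any POST that carries a valid session cookie. The browser attaches
    that cookie automatically, so an auto-submitting form on an attacker's page
    changes the victim's DNS records."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if not sess:
        return 401, "not logged in"
    return 200, f"{sess['user']} set {req['form']['host']} -> {req['form']['ip']}"


def hardened_update_dns(req):
    """Same action, but the request must (1) belong to a live session, (2) come
    from our own origin whenever the browser sends Origin/Referer, and (3) carry
    a token that a cross-origin page can neither read nor forge."""
    sid = req["cookies"].get("session")
    sess = SESSIONS.get(sid)
    if not sess:
        return 401, "not logged in"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-origin request refused"
    token = req["form"].get("csrf_token", "")
    # constant-time comparison; bytes so a non-ASCII token cannot raise
    if not hmac.compare_digest(token.encode(), csrf_token_for(sid).encode()):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"{sess['user']} set {req['form']['host']} -> {req['form']['ip']}"


def forged_request():
    """What the victim's browser sends when evil.example auto-submits a form:
    the session cookie rides along, Origin is the attacker's, and no token."""
    return {"cookies": {"session": "sess-abc123"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"host": "www", "ip": "198.51.100.66"}}


def legitimate_request():
    """A submission from our own page, which embedded the token in the form."""
    return {"cookies": {"session": "sess-abc123"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"host": "www", "ip": "203.0.113.7",
                     "csrf_token": csrf_token_for("sess-abc123")}}


if __name__ == "__main__":
    print("vulnerable handler, forged request:", vulnerable_update_dns(forged_request()))
    print("hardened handler,   forged request:", hardened_update_dns(forged_request()))
    print("hardened handler,   legit request: ", hardened_update_dns(legitimate_request()))
```

The Origin check alone is not sufficient (older clients and some proxies strip it, which is why the code only enforces it when present); the token is the control that holds up on its own, and deriving it from the session id keeps one token from being replayed against another account.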
Trust, Lack Thereof... →
Information is Beautiful has created a diagrammatic tour de force, charting the litany of breaches and the questionable security competence of the compromised companies behind them, for the benefit of like-minded information security architects, engineers and researchers.
Read it and weep my friends...
Department of State, The Breach →
Astonishing proof, in the form of breaking news, of questionable competence within the network security realm at the United States Department of State... The successful breaching of State's Maginot Line was revealed in news published by the New York Times. Remarkable...
Grail of Tracking →
via ProPublica comes word of a decision at AT&T, Incorporated (NYSE: T) to drop the use of the dreaded permacookie (fundamentally, a method to permanently track your web usage, regardless of the so-called do-not-track settings in your browser). Certainly a first world problem, yet quite vexing, particularly for our right to privacy...
Pernicious privacy violators, permacookies are not the already aggravating cookies we all love to hate: a browser can be set to delete normal cookies in any number of ways, yet it cannot delete a permacookie, because the permacookie never lives in the browser. The so-called permanent cookie is an identifier the carrier stamps onto the subscriber's unencrypted HTTP requests as they pass through its network; it is maintained and manipulated by the Carrier/ISP, not the user, so there is nothing on the device to delete. Welcome to your new Surveillance Overlords.
Unfortunately, Verizon Communications, Inc. (NYSE: VZ) users are not so lucky, as the company continues to utilize permacookies in daily operations... Our advice: get thee to a VPN (traffic the carrier cannot read is traffic it cannot stamp). Why wouldst thou be an enabler of trackers?
SwiftKey, iOS 8's Key Logger Extraordinaire
via MacDrifter's Gabe, revealing the sheer nerve of the developers of SwiftKey. Evidently, a very popular iOS 8 key logger, for sale on the App Store. Good God.
Dread Pirate Roberts, Leaking Data...
Today's MustRead, via the inimitable Brian Krebs at Krebs on Security, targets the nefarious Dread Pirate Roberts, allegedly the master of the Silk Road, and the ramifications of the site's conceptually flawed CAPTCHA configuration: the CAPTCHA was served from the open interweb rather than from within the apparently less-than-dark web, leaking the real IP address of the hidden server. Enjoy!
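The lesson of the CAPTCHA story is that a hidden service is only as hidden as the least careful resource on its pages: one image, script or form target fetched from a clearnet host tells the visitor's browser (and whoever watches that clearnet host) where the real server is. The Python below is an added example, not Krebs's or the FBI's methodology: it parses a page and lists every absolute URL whose host is not the service's own .onion. The onion hostname and SAMPLE_PAGE are constructed.

```python
"""Lint a hidden service's HTML for anything a visitor's browser would fetch
from, or submit to, a host other than the service's own .onion. Added example
prompted by the CAPTCHA story above; not Krebs's or anyone else's code. The
onion hostname and SAMPLE_PAGE are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the client contact another host.
FETCH_ATTRS = {"src", "href", "action", "data", "poster", "srcset", "formaction"}


class ExternalRefFinder(HTMLParser):
    """Collects (tag, attribute, host) for every absolute URL off the onion."""

    def __init__(self, onion_host):
        super().__init__()
        self.onion_host = onion_host.lower()
        self.leaks = []

    def _foreign(self, host):
        return host != self.onion_host and not host.endswith("." + self.onion_host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                url = cand.strip().split()[0] if cand.strip() else ""
                # hostname is None for relative URLs, data:, mailto:, javascript:
                host = urlsplit(url).hostname
                if host and self._foreign(host):
                    self.leaks.append((tag, name, host))


def find_external_refs(html, onion_host):
    """Return the list of (tag, attribute, host) leaks in page order."""
    finder = ExternalRefFinder(onion_host)
    finder.feed(html)
    finder.close()
    return finder.leaks


# Constructed page for a hypothetical service at examplemarket3kx.onion.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example/jquery.js"></script>
</head><body>
<form action="https://captcha-backend.example/verify" method="post">
  <img src="http://198.51.100.23/captcha.php?id=42" alt="captcha">
  <input name="answer"><button>Enter</button>
</form>
<a href="http://examplemarket3kx.onion/forum">Forum</a>
<a href="mailto:admin@examplemarket3kx.onion">Contact</a>
<img src="images/logo.png" srcset="images/logo.png 1x, https://img.example/logo@2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host in find_external_refs(SAMPLE_PAGE, "examplemarket3kx.onion"):
        print(f"<{tag} {attr}> reaches {host}")
```

A literal IP address in the findings, as with the CAPTCHA image here, is the worst case: it is the server's location in plain text. The checker sees only HTML attributes; CSS url() references, scripts that assemble URLs at runtime and meta-refresh redirects need their own checks, and the web tier's own outbound connections and any management listener on its public IP are a separate leak class entirely.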
The Shaming →
Evidently, public shaming, a la 16th century European pillorying and taunting, is in vogue when targeting mindless, and therefore vulnerable, web deployments. The latest incarnation of this manoeuvre is HTTP Shaming, a Tumblr blog dedicated to exposing the less-than-well-planned sites floating around our interweb.