Archive for Privacy

AdultFriendFinder Hacked… 3.5 Million Accounts Compromised

Posted in Commentary with tags , , on May 24, 2015 by itnerd

If you find your dates or whatever it is you’re into on AdultFriendFinder…. Not that there’s anything wrong with that…. You might have a reason to worry. About 3.5 million personally identifiable records were leaked from systems belonging to the adult oriented website which confirmed the breach after the hack first surfaced in April:

Word of Adult Friend Finder’s problems first surfaced last month. An IT consultant and Darknet researcher, who prefers to be known as Teksquisite, discovered the files on a forum in April. Salted Hash, looking to confirm her findings, discovered the same posts and files in short order.

The hacker claiming responsibility for the breach says they’re from Thailand, and started boasting about being out of reach of U.S. law enforcement because of location alone. As for local law enforcement, they’re confident they can bribe their way out of trouble, so they continued to post Adult Friend Finder records.

Using the handle ROR[RG], the hacker claims to have breached the adult website out of revenge, because a friend of theirs is owed money – $247,938.28. They later posted a $100,000 USD ransom demand to the forum in order to prevent further leaks.

In all, across 15 different CSV files, ROR[RG] posted 3,528,458 records. The files are database dumps with 27 fields in total; the most important being IP address, email, handle, country, state, zip code, language, sex, race, and birth date. Dates confirm that the data is at least 74-days old.

Here’s what AdultFriend Finder had to say:

“FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert, Mandiant, a FireEye Company, the law firm of Holland & Knight, and a global public relations firm that specializes in cyber security.

“Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation. We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected.”

Sure you will. Either you were covering things up until you were forced to admit it, or you were asleep at the switch or your IT security sucks. That’s bad any way you slice it and users of the website should be outraged. The only good thing that they did was that they got Mandiant to look into this. Maybe they will whip your website into shape.

So, why am I being so harsh on AdultFriendFinder? Simple, this hack hurts people who really didn’t need the fact that they surf the Internet looking for Mr./Ms. Right or Mr./Ms. Right Now. Let me illustrate how this hurts people:

The problem that came to light was that, buried in the data, people were using their work email address to register for Adult Friend Finder. It was noticed by some folks I spoke with who were familiar with the data, that there were email addresses for folks serving in the US Army, US Airforce, Australian military as well as members of the Colombian, Brazilian and the Canadian Forces. That was just based on a cursory search.

Further to that end, according to the leaked data, government related email addresses showed that staffers from around the world had registered with their work email. Rather amazing that people would do such a thing.

So, why is this a problem? Well, an enterprising sort could track a person back through some simple searches. In one scenario someone would be possibly able to find a military personnel’s home address, current station, and…the names of his wife and children just as an example scenario.

Now, I could say that anyone who is dumb enough to use their work e-mail address to register on this site deserves to have their privacy invaded. But that’s wrong. Nobody needs to have their privacy invaded. Ever. Hopefully the low lives who are responsible get caught and jailed as hacks that violate the privacy of people should not be tolerated.

Woman Gets Fired Because She Deleted App From Her Workplace That Tracked Her 24/7

Posted in Commentary with tags on May 11, 2015 by itnerd

A California woman is suing her former employer for invasion of privacy, labor infractions, and wrongful termination after she was fired. Here’s the shocking part. She was fired because she installed a GPS-enabled app called Xora that tracked her every move. As in 24/7 around the clock even when she was not working.

Wow.

Here’s a snippet from ARS Technica who broke the story:

Plaintiff Myrna Arias, a former Bakersfield sales executive for money transfer service Intermex, claims in a state court lawsuit that her boss, John Stubits, fired her shortly after she uninstalled the job-management Xora app that she and her colleagues were required to use. According to her suit (PDF) in Kern County Superior Court:

After researching the app and speaking with a trainer from Xora, Plaintiff and her co-workers asked whether Intermex would be monitoring their movements while off duty. Stubits admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone. Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to Stubits that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed Stubits that his actions were illegal. Stubits replied that she should tolerate the illegal intrusion…..

Intermex did not immediately respond for comment.

She’s looking to get something north of $500K from her ex-employer.

My take? If this isn’t the ultimate in invading someone’s privacy, I don’t know what is. I really hope that Intermex comes out on the wrong end of this lawsuit and/or the bad press that this is generating hurts them financially. There’s no way that this can be considered to be acceptable behavior by an employer.

You can bet that I’ll be watching this for further developments.

Bell Stops Tracking Its Users For Profit

Posted in Commentary with tags , on April 14, 2015 by itnerd

You might remember that Canadian telco Bell Canada was tracking their users online activities unless they opt out of the program so that they could create detailed profiles about them for advertisers. And to make a few bucks off of that as well. That seems to have come to an end for now. The Canadian Privacy Comissioner has told Bell that what they’re doing is not cool:

In a report made public last Tuesday, [Privacy Commissioner Daniel] Therrien’s office ruled the program violated federal privacy laws, and should be limited to only those customers who explicitly volunteer to be tracked.

Bell initially blew the commissioner off. But they changed their tune when the report was made public. The telco is now going stop tracking users and delete the data that they’ve collected. That’s cool. Except for the fact that Bell is also going to reintroduce the program and ask users to opt in. Honestly, I would never do that and I cannot see why anyone else would. Which is why Bell made it an opt out program rather than an opt in program. But at least its legal now. Hopefully the Privacy Commissioner is keeping an eye on them to make sure that they don’t do anything else that violates privacy laws in Canada.

New Zealand Customs Officials Want Your Passwords And Encryption Keys

Posted in Commentary with tags on March 20, 2015 by itnerd

Seeing as I just came back from that part of the world a week ago, news that New Zealand Customs officials wanting to have the power to compel travelers to hand over passwords to electronic devices as well as encryption keys. The thing that has got people upset is that they would not require reasonable suspicion to do so. Though the person who runs NZ Customs says that’s not its intention. Here’s what New Zealand Customs Services chief executive Carolyn Tremain had to say:

“The reality is we have 11 million people crossing the border and a limited amount of resources which we are always going to prioritise by taking a risk-assessment approach. We are not saying every 10th person would be inspected.”

She also goes on to say that countries including Canada do this now. My understanding is that in Canada, this is only done if there are reasonable and probable grounds to do so. So it’s not quite the same thing. But perhaps someone in the know could clarify this.

Here’s why this isn’t going to have the desired effect for New Zealand or anyone else who thinks this is a good idea. People will just travel with clean computers, smartphones, etc, and download anything they need while in the country from their Dropbox account or some other cloud service. Or they will back up their laptop or smartphone to the cloud, wipe the devices, cross the border, and restore it in their hotel room. That’s very easy to do these days. Either way, Customs will never see it and they will not stop a single evil doer.

Now I don’t have a problem if you give customs officials the ability to get access to laptops and smartphones when you suspect that someone has done something wrong. But to have the blanket ability to do so is the wrong approach. New Zealand really needs to rethink this as it’s really not a good idea.

Office Of Auditor General Loses Sensitive Data On USB Drives…. Yikes!

Posted in Commentary with tags , on March 19, 2015 by itnerd

It’s bad enough that there are hackers and other evil doers out there trying to break into your IT infrastructure to get their hands on data that they can use for whatever evil purposes that they have in mind. But what’s worse is when you lose some form of removable media with sensitive data on it and you have no idea where it might be. Here’s a case in point served up from the Office Of The Auditor General here in Canada who lost a bunch of encrypted USB drives:

An internal investigation at the Office of the Auditor General found that about 22 per cent of the encrypted USB drives entrusted to employees were lost, according to newly released documents.

The Star obtained a briefing note through an access to information request that details how the encrypted portable data storage devices were handled by workers at the office of the federal government watchdog, with little done to ensure information technology security measures were followed.

“The management of these USB drives was not strictly enforced. Employees were given IT Security information sessions on how to report stolen or lost devices but there was never any real accountability if a USB drive was lost,” says the Sept. 22, 2014 memo prepared by Jean-Charles Parisé, chief information officer and departmental security officer with the Office of the Auditor General.

The Office Of The Auditor General for their part says there’s nothing to see here:

“We have always encrypted (since 2008), so we were not worried about losing the data. We couldn’t lose data, but it became a bit troublesome to have to manage those (devices). They’re easy to lose . . . . So, we decided we had to do away with (them),” Parisé said in a telephone interview Wednesday.

The institution has since moved mostly to using a secure file transfer (secure FTP) site to exchange information with outside institutions and has recalled all the USB devices, except for those currently being used in ongoing audits, such as the investigation into Senate expense claims.

Well, at least the drives are encrypted. That will stop the casual user from getting access to that data. But a more skilled user may have a shot at getting to that data. After all, nothing is hacker proof. And according to the story, the data on those drives is likely information containing identifying information about individuals or institutions that is not secret or classified. That’s not good. As for them moving to methods like secure file transfer services, at least there’s no physical media to lose. But it leaves them wide open to social engineering attacks and password cracking attempts unless they use some form of two factor authentication to stop that from happening. That’s because all that usually stands between a hacker and the data is a password. Thus I’m implying that they might have traded one problem for another.

Clearly there needs to be a major shift in terms of how data is handled and secured to stop situations like this from happening. Hopefully, it doesn’t take a major negative event for that shift to take place.

Canadian Arrested For Not Unlocking His Phone For Border Services

Posted in Commentary with tags , on March 5, 2015 by itnerd

Canadian smartphone users need to keep an eye on this as it’s going to be important from the standpoint of your privacy. A resident of the province of Quebec returned from the Dominican Republic recently. Here’s what happened next:

The case of a Quebec man charged with obstructing border officials by refusing to give up his smartphone password has raised a new legal question in Canada, a law professor says.

Alain Philippon, 38, of Ste-Anne-des-Plaines, Que., refused to divulge his cellphone password to Canada Border Services Agency during a customs search Monday night at Halifax Stanfield International Airport.

Philippon had arrived in Halifax on a flight from Puerto Plata in the Dominican Republic. The charge against him carries a maximum penalty of $25,000 and a year in prison.

Lovely. Here’s the key thing: Canada Border Services Agency may say that they have the right to search your electronic devices. But this has never been tested in court. Thus this could really backfire on the Canada Border Services agency. I would say that Canadians should keep an eye on this as I suspect that case law is about to be made.

Secret Memo Slams RCMP On ISP Request Records

Posted in Commentary with tags , on March 2, 2015 by itnerd

Well, this does not inspire confidence. Law enforcement in Canada routinely ask ISP’s for all sorts of data in the process of conducting criminal investigations. According to Michael Geist who is a noted Canadian privacy and digital rights advocate, those request are inaccurate and incomplete according to a secret memo:

The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that 94 per cent of requests involving customer name and address information was provided voluntarily without a warrant.

The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”

Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”

The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”

The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”

In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.

The timing of this kind of sucks if you’re the Government of Canada. There is a bill in front of The House Of Commons right now called C-51 that would give Canada’s spies and law enforcement more powers to combat terrorism with questionable oversight. What this story highlights is that if you don’t have real oversight, you get this sort of situation. So one wonders what would happen if bill C-51 actually gets passed. Would this sort of situation happen more often?

The solution is either force more stringent and meaningful oversight on law enforcement, or if they can’t follow the existing rules, then they don’t get the ability to get info like this. Clearly this is a huge problem that needs to be addressed if Canadians are to have confidence in law enforcement.

Follow

Get every new post delivered to your Inbox.

Join 325 other followers