US Senate passes CISA, a very bad spying bill dressed up as a cybersecurity bill


CISA won't make you and me any more secure, and it threatens what's left of our online privacy. The very helpful sounding “Cybersecurity Information Sharing Act” will definitely help the government, though: it'll make it a lot easier for technology companies to share your personal data with the government, and everyone knows that this data never ends up in the wrong hands, so you're fine.

The gaping privacy flaws in CISA didn't stop the Senate from passing it by a wide margin today: 74 to 21. CISA now goes to a conference committee between House and Senate.

Here's the EFF's take, by Mark Jaycox:

CISA passed the Senate today in a 74-21 vote. The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities. The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

The conference committee between the House of Representatives and the Senate will determine the bill's final language. But no amount of changes in conference could fix the fact that CISA doesn't address the real cybersecurity problems that caused computer data breaches like Target and the U.S. Office of Personnel Management (OPM).


Ukrainian botmaster who tried to frame Brian Krebs extradited to US


When security-researcher/hornet-nest-kicker Brian Krebs outed Sergey "Flycracker" Vovnenko as administrator of a darknet crime site and botmaster of a 13,000-PC-strong botnet used to attack sites and launder stolen data, Vovnenko allegedly masterminded a plot to frame Krebs by mailing him heroin.

What the barcode on your discarded boarding-pass reveals


Mostly it's your record locator and frequent flier number, but with that, an attacker can access the ticket record, see your future flights, your email address, and the details of the emergency contacts you'd added to the reservation.

Mystery twitterer linked to Ashley Madison dump


Security blogger Brian Krebs is among those hot on the trail, and he "may have a new lead," according to the New York Times.

On Wednesday, Brian Krebs, the well-known security blogger posited a new theory about who may have hacked the site, which helps arrange extramarital affairs. Mr. Krebs zeroed in on a Twitter user named Thadeus Zu (@deuszu), who posted a link to Ashley Madison’s stolen, proprietary source code before the information was made public this month.

Some apparent problems with this hypothesis have already been noted, but the operator of the @deuszu account is doing his or her best to look guilty.

Reminder: the site was probably just a scam with only a handful of legitimate female participants. Little can be implied about its users beyond stupidity.

Claim: Ashley Madison exec "hacked competitor" and stole personal data


Emails sent by the "have an affair" dating network's CEO suggest the firm "hacked" rival in 2012, taking its user database.

Brian Krebs:

“They did a very lousy job building their platform. I got their entire user base,” [Ashley Madison CTO Raja] Bhatia told [CEO Noel] Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Neither Bhatia nor Biderman could be immediately reached for comment. spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate,

Alas, it was for real. Ashley Madison charged its users to have their personal data wiped, but did not do so, and now that data is out in the wild.

Ashley Madison data dump confirmed


A vast data dump, purportedly exposing millions of users of a hookup service for cheating spouses, has been confirmed.

In a statement, Ashley Madison spokesman Anthony Macri said the dump was a criminal act. He didn't mention that the company had kept the data, for reasons unknown, after charging its users to have it permanently deleted.

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.

The 10GB tranche exposes 37m accounts from a site marketed explicitly at people who wanted to cheat on their partners. It includes names, addresses, emails, card numbers, transactions and other personally-identifying information. Security researcher Brian Krebs says that it's the real deal.

I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack.


Love cheats' hookup site hacked, user data purloined


Ashley Madison is a social network for people who want to cheat on their spouses. It's been hacked and "large caches of user data posted online," reports Krebs on Security.

The privacy of some 37 million account-holders is at stake, though the bulk of the dataset is apparently being withheld and its contents remain uncharted territory.

The social network's boss, bless his stupid nylon socks, thinks that he'll be able to take their "intellectual property" off the 'net.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

The claimed hackers say they were motivated by the site's hypocrisy. Ashley Madison apparently had a "remove your data from our servers for a fee" wheeze going on—a practice unnervingly reminiscent of some revenge porn operators.

The Next Web's Abhimanyu Ghoshal:

The Impact Team said that the ‘full delete’ feature didn’t actually wipe profiles as advertised and that it brought ALM $1.7 million in revenue last year.

The hackers said:

Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.


Crowdfunding medical MDMA and magic mushrooms

An activist couple (she's a neuroscientist, he's a psychologist who successfully treated his depression with psychedelics) (they fight crime!) are raising $1M on Indiegogo to fund production of medical-grade MDMA and psilocybin.

Sony Hack: Could secretive group of ethnic North Koreans in Japan be to blame?

"A group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime."

Brian Krebs's "Spam Nation"

In Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, Brian Krebs offers a fascinating look at the mass-scale cybercrime that underpins the spam in your inbox and provides an inside peek at a violent fight among its principal players. Cory Doctorow reviews.

Sony hack may have exposed more than movies: sensitive personal data of employees, too.

Screen shot from an internal audit report allegedly stolen from Sony and circulating on file-trading networks.

“The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures,” writes Brian Krebs.

Afraid of swiping your card at retail stores during holiday shopping? LOL, you should be.

There are many points of security failure along the way that leave your financial data vulnerable to theft.

Cybercrooks sell stolen rewards points at 99.9% discount

Enough Hilton HHonors points to cover $1200 worth of stays can be bought for $12, and the crooks who're inside your account can use your associated credit card to buy more points and more hotel rooms for themselves.

Antiquated ATMs are easy pickings for "jackpotting" by fraudsters

The older machines -- about half of them running Windows XP, which no longer receives security updates -- are very vulnerable to "jackpotting" attacks where criminals trick the machines into paying out money without correctly debiting any account, to the tune of millions.

Counterfeit money up close

Someone sent Brian Krebs an envelope of counterfeit $100 and $50 bills, apparently manufactured by Mrmouse, the counterfeiter whom Krebs outed for selling his notes openly on Reddit.

Cyber-crooks turn to Bitcoin extortion

Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.

Cops bust cybercrook who sent heroin to Brian Krebs

Sergei "Fly" Vovnenko, a Russo-Ukrainian cybercrook who stalked and harassed security journalist Brian Krebs -- at one point conspiring to get him arrested by sending him heroin via the Silk Road -- has been arrested. According to Krebs, Vovnenko was a prolific credit-card crook, specializing in dumps of stolen Italian credit-card numbers, and faces charges in Italy and the USA. Krebs documents how Vovnenko's identity came to light because he installed a keylogger on his own wife's computer, which subsequently leaked her real name, which led to him.
