OurMine Strikes Again: Hacks Variety, Floods Readers with Spam

The hacking group OurMine carried out another cyberattack on September 3, 2016. This time the target was the news publication Variety. In addition, the hackers targeted readers by bombarding their email inboxes with spam stating that it’s just testing its security. Along with that message, a link was provided to the website ourmine.org and to a video, although it is not stated what the content was and it has been removed. Variety quickly responded to subscribers, saying that they are working to resolve the unauthorized communications and asking them to ignore and delete the messages.

What’s interesting is that OurMine isn’t out to steal data or take down websites. The group states that its purpose is to make “bigwigs in the industry aware of their security flaws by hacking them.” Variety also states that OurMine doesn’t shut down websites or abscond with data. The group positions itself as a cybersecurity group that raises awareness by hacking into the accounts of prominent people and brands.

Along with Variety, OurMine has also hacked the Quora account of Google CEO Sundar Pichai, the Twitter account of Twitter CEO Jack Dorsey, and the Twitter and Pinterest accounts of Facebook CEO Mark Zuckerberg. They also claim to be the ones responsible for the distributed denial of service attacks on the servers of Pokemon Go in July.

Source: OurMine Strikes Again

-AJ Agena

Way to go VTech.

One month ago a hacker revealed that he had broken into the toymaker VTech and retrieved a lot of disturbing information. Apparently, VTech had been storing images, chat logs, home addresses, emails, names, genders and even birthdays of every customer. This would include the parents and the children by whom the products were most likely being used. The information of around 4,000,000 parents and 200,000 of the children using the products was readily available for anyone who knew what they were doing. The hacker did not reveal the way he was able to break into VTech, probably in an attempt to keep this information secret from people who want it but do not know how to hack, but has commented that he retrieved 190GB worth of photos and shared 3832 images with Motherboard, a blogging site, with all the faces blocked out. VTech has yet to concretely say what their exact reasoning was, but the wording of their attempt to justify it was that it was so they can send the password to the user directly. You know, because that is such a GREAT idea: instead of just having them reset their password every time they forgot it because the company made it entirely impossible for them to access it on their own and with ease, I will just send it back to you. The person that thought this was a good idea should get fired, like, two years ago.

https://nakedsecurity.sophos.com/2015/12/01/photos-of-kids-and-parents-chatlogs-audio-files-stolen-in-vtech-breach/

The Implications of the Paris Attacks in Respect to Consumer Encrypted Communication Services

It is highly probable that the effects of the recent Paris attacks will be seen throughout all aspects of cyber-security and privacy. In particular, it is rather interesting to consider the effects in regard to consumer encrypted messaging services. It is often the case that there are changes in security policy and measures commensurate with a terror attack. Therefore it is reasonable and practical to envisage western governments expressing interest in and paying attention to encrypted messaging services.

On the market today there is a significant number of services that offer the consumer end-to-end encryption. Examples of such services are WhatsApp, Silent Circle, and Wickr. End-to-end encryption, with respect to communications, is the ability for users to communicate with the data completely encrypted between both ends. The result of this technology is that the only users able to read and interpret data are the sender and the receiver. The implication of this is that there is no method by which any organization can read and interpret the communications being sent, even the company hosting the service.

In the wake of these attacks, there will be a greater desire among law enforcement agencies of the western civilizations to have access to intercept these messages. Senator Dianne Feinstein from California is calling for a “back door” into these services, stating that it is a problem that these services can “create a product that allows evil monsters to communicate in this way.” It is highly reasonable to extrapolate that this is only the start of a conversation on consumer encrypted communication services.

These government agencies are calling for these “back doors” in the wake of these attacks because these services allow terrorists to communicate and coordinate with their messages completely encrypted. An organization named Middle East Media Research Institute has released a report stating that a significant number of radical groups are using these services to communicate. However, it is important to review these reports with caution, because the institute that released them is a not-for-profit political organization located in Washington. In addition, it is dubious how the information was found, because according to the mechanics of end-to-end encryption this information is impossible to recover. However, regardless of the verisimilitude of these reports, it is important to acknowledge the potential implications of these technologies.

Finally, it is significantly important to consider the technical implications of creating this “back door”. Creating this back door also creates an additional set of probable problems in regard to this topic. Nicholas Weaver, a senior researcher at the International Computer Science Institute, stated “You cannot hack a back door that lets only the good guys in… If you add one, it becomes usable by Chinese intelligence, Russian intelligence, and criminals.” Therefore, following these calls for interceptable encrypted messaging would also ruin the purpose of using these services for communications.

In conclusion, the future of consumer encrypted messaging services is uncertain in the wake of these attacks. The conversation in regard to public safety, with respect to these services, is just beginning. It is also important to consider the technical consequences of creating a “back door.” The Paris attacks will have a wide-reaching effect in the realm of information security; consumer encrypted messaging is only one of the many aspects that may be altered in the wake of these attacks.

Michael Henry Boc

http://www.nbcnews.com/storyline/paris-terror-attacks/paris-attack-could-renew-debate-over-encrypted-messaging-apps-n464276

http://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/

http://www.memri.org/

Government vs Corporations: The Battle of Security and Privacy

After Edward Snowden released information that the NSA was tapping into private companies’ servers and getting their information without their knowledge, corporations have made promises to customers and buffed up security on their servers immensely. Higher levels of encryption, no backdoors, and buffed-up servers make it much harder for hackers to break into your sensitive information, but they also keep the government out.

The United States is currently in or contemplating legal battles with large tech companies such as Apple, Google, and Microsoft to compel them to hand over information, break encryption, or leave the government a way in to look at the data itself. Specifically with Microsoft, the company refuses to hand over data to the government without an Irish warrant because the servers the data is stored on are in Dublin. Companies aren’t willing to cooperate with the government on this because of the promises they made to their customers and the huge security breaches it could cause, leaving possible holes for hackers to steal or tamper with data.

The UK is facing a similar issue, where MI5 is looking for more power from Parliament to keep up with technological advances, and Andrew Parker, Director General of MI5, recently said in an interview that companies have an ethical responsibility to turn over the information the government wants.

Major corporations remain hesitant to readily give over information to the government for fear of backlash from consumers and because the government has not really been truthful with them in the past. This argument is definitely one that comes down to ethics, and we must determine at what point we sacrifice too much privacy for the sake of security. We will have to see what the courts or Congress say on the matter.

Sources:

http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0

http://www.scmagazine.com/andrew-parker-says-mi5-needs-greater-cyber-security-powers/article/439663/

– Quinn White

Employees Responsible For AT&T Unlocks

AT&T is filing a lawsuit against three of its employees for installing software on company hardware that gives out unlocking codes for AT&T mobile devices. The three employees were hired by a company, Swift Unlocks, to download the malware and were offered $2,000 a week for their compliance.

Many carriers sell smartphones at low prices, but gain back the money by putting locks on the phones that won’t allow them to work on other carriers’ networks, and only give out the unlock codes when customers fulfill their contracts. But some websites give out phone unlock codes at low prices, which allows customers to use their phones on any provider. The prices these websites charge are normally $20 or less, and an unlocked phone is worth substantially more than a locked one. Though unlocking a cellphone still under contract isn’t illegal, the employees’ involvement in this affair does violate their contracts.

AT&T first discovered something was awry in Sept. 2013, when a large number of unlock requests were received, raising the company’s suspicion of misuse of an unlocking software called “Torch”.

The employees were reportedly contacted by Swift Unlocks to put malware on their company computers so that Swift Unlocks could secretly get unlock codes for phones that were still under AT&T’s contracts. Allegedly, one of the employees made upwards of $20,000 from this affair. AT&T is also filing a suit against Swift Unlocks, saying that it had obtained “hundreds of thousands” of unlock codes. The suits AT&T is filing include computer fraud, breach of loyalty and civil conspiracy. As of now, swiftunlocks.com is still online.

Sources:

http://www.geekwire.com/2015/att-sues-former-employees-alleging-they-were-secretly-paid-to-unlock-hundreds-of-thousands-of-phones/

http://www.infoworld.com/article/2984900/mobile-technology/att-says-malware-secretly-unlocked-hundreds-of-thousands-of-phones.html

-Tory Leo