This week in computer security

Twitter got pwned.
https://edition.cnn.com/2020/07/15/tech/twitter-hack-elon-musk-bill-gates/index.html
Twitter (TWTR) accounts belonging to Joe Biden, Bill Gates, Elon Musk and Apple, among other prominent handles, were compromised on Wednesday and posted tweets that appeared to promote a cryptocurrency scam.
The accounts, along with those of former President Barack Obama, Kanye West, Kim Kardashian West, Warren Buffett, Jeff Bezos and Mike Bloomberg, posted similar tweets soliciting donations via Bitcoin to their verified profiles on Wednesday.
"Everyone is asking me to give back, and now is the time," Gates' tweet said, promising to double all payments to a Bitcoin address for the next 30 minutes.
 
Trump's account was not infected, err, affected?
 
I thought this was worth a watch, on Ransomware.



Some slight adult content. Maximum points for the phrase, "Arseholes are like opinions - it's a really bad idea to put the Internet in charge of yours." :p
 
I figured it would be a good idea to run a log4j scanner on our server, given all the news about it. But it wasn't really needed as Java is not installed on our server.
Then again, log4j might be somewhere on the server but not running, and would start to run once Java was installed, for whatever reason, but I suppose the log files would have a report of failing to run log4j and there wasn't anything.
Better safe than sorry, I decided to run the scanner anyway and it found no security issues.

So, for now we continue to be safe. Onwards to the next security issue.
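The dormant-jar case the poster describes (a log4j-core jar on disk with no Java to run it) is exactly what a file-system scan catches and a process scan misses. The following is an added example, not the scanner the poster ran: it walks a directory tree, triages every log4j-core jar by version and by whether the JndiLookup class is still inside, and builds its own constructed sample jars for the demo. The upgrade target 2.17.1 is an assumption of the example; check current vendor advice.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED_VERSION = (2, 17, 1)  # assumed upgrade target of the time; adjust to current vendor advice

def jar_version(filename):
    """Version tuple from a log4j-core-X.Y.Z.jar file name, None for any other file."""
    m = VERSION_RE.match(os.path.basename(filename))
    return tuple(map(int, m.groups())) if m else None

def inspect_jar(path):
    """Triage one log4j-core jar as fixed, mitigated (JndiLookup removed), vulnerable or unreadable."""
    version = jar_version(path)
    try:
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return {"path": path, "version": version, "status": "unreadable"}  # cannot prove it clean
    if version >= FIXED_VERSION:
        status = "fixed"
    else:  # old jar: dormant without Java, live as soon as Java is installed, unless the class was removed
        status = "vulnerable" if has_jndi else "mitigated"
    return {"path": path, "version": version, "status": status}

def scan_tree(root):
    """Walk root and triage every log4j-core jar, whether or not Java is installed."""
    found = [inspect_jar(os.path.join(d, f)) for d, _, files in os.walk(root) for f in files if jar_version(f)]
    return sorted(found, key=lambda r: r["path"])

def make_sample_jar(directory, version, with_jndi):
    """Constructed minimal jar for the demo, not a real log4j build."""
    os.makedirs(directory, exist_ok=True)
    with zipfile.ZipFile(os.path.join(directory, f"log4j-core-{version}.jar"), "w") as zf:
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic, stub body

def demo():
    """Scan a throwaway tree holding one vulnerable, one mitigated and one fixed jar."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "app1", "lib"), "2.14.1", with_jndi=True)
    make_sample_jar(os.path.join(root, "app2", "lib"), "2.14.1", with_jndi=False)
    make_sample_jar(os.path.join(root, "app3", "lib"), "2.17.1", with_jndi=True)
    statuses = [r["status"] for r in scan_tree(root)]
    shutil.rmtree(root)
    return statuses
```

Run `scan_tree("/")` (or the application roots) on a real host; the demo tree only shows the three outcomes side by side.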
 
I've been doing it for two weeks now; I'm not even an IT person by trade, just the guy in the office that has access to some affected servers.
 
It is not so difficult to create functionality, it is quite difficult to do it in a secure way.
 
I read that this little program (the original Java thing) was written by a lone guy for Open Source who did not even get paid for that?
In that article, it was illustrated with an xkcd comic of a huge, insanely fragile pyramid which is standing upside down, on a single, little thing.
 
It is not so difficult to create functionality, it is quite difficult to do it in a secure way.

This is so true and why I eventually had to move out of IT in my job. Not because I asked to be but because of time.

I kept getting other duties as assigned and so I had less and less time to manage the code on our web server, database, and other IT areas.

People would ask - why can't you make this simple … form? collect this data? make this interactive and dynamic?

And I would explain, yes those things are easy to make functionally but making, and keeping, them secure is very difficult and time consuming … and you need to always stay up on patches, the code, etc.

As I kept getting more work I had less time to focus on doing coding, let alone keep up on security. So finally I had to tell the bosses that either we move everything over to central IT resources or they would need to free up my time again.

Everything got moved to central IT :p Not complaining though as keeping up with security was a never ending and frustrating battle for me. I know some really enjoy it … and when I was younger I did. Now at 58 I just want to survive another few years and retire.
 
Data shared with advertisers: European users' data 376 times a day, users in the US 747 times per day.
ICCL report "The Biggest Data Breach", on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe:
Real-Time Bidding (RTB) operates behind the scenes on websites and apps. It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you. This report presents the scale of this data breach for the first time.

- RTB is the biggest data breach ever recorded. It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.
- On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry.
- In Europe, RTB exposes people's data 376 times a day.
- Europeans and U.S. Internet users' private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.
- The RTB industry generated $117+ billion in the U.S. & Europe in 2021.

Just a random English site about that report:
Europeans users' data shared with advertisers 376 times per day
Real-time bidding is the 'biggest data breach ever recorded,' says ICCL
Data about an average European internet user, including their geolocation and what they are reading online, is shared with advertisers and data broking firms 376 times per day, according to the latest report by the Irish Council of Civil Liberties (ICCL).

The figure jumps to 747 times per day for users in the United States.

According to the ICCL report [pdf], real-time bidding (RTB), the online ad-targeting industry that analyses internet users' personal information, transmits information to third-party firms around 178 trillion times every year in the United States and Europe alone.

The online behaviour and whereabouts of US internet users are tracked and shared 107 trillion times a year, whereas the data of Europeans is shared 71 trillion times per year.

"RTB is the biggest data breach ever recorded," says the ICCL.

"It tracks and shares what people view online and their real-world location 294 billion times in the US and 197 billion times in Europe every day."

According to the report, the figures reported for RTB broadcasts are a low estimate.

"Real-time bidding (RTB) is a $117+ billion industry that operates behind the scenes on websites and apps. It tracks what you are looking at, no matter how private or sensitive, and it records where you go," ICCL states.

According to the ICCL report, Google and Microsoft are the world's biggest RTB firms. Index Exchange, PubMatic and Magnite are other significant players.

The figures in the ICCL report do not include numbers from two advertising behemoths, Meta and Amazon. The data came from a Google feed over a 30-day period. That data is made available to the industry, but not the general population.

Google, the largest player in the RTB ecosystem, allows 4,698 firms to receive RTB data about the US-based users, while Microsoft says it may send similar data to 1,647 firms.

Per the report, Google transmits 19.6 million broadcasts about the online behaviour of German internet users every minute they are online.

Private data of European and American internet users is sent to companies all around the world, including China and Russia, with no way of knowing what happens to it in those countries.

For years, privacy campaigners have raised concerns about RTB, particularly in Europe, where rules are in place to prevent such a systematic abuse of people's data.

Dr Johnny Ryan, an ICCL senior fellow, is currently fighting the Data Protection Commission of Ireland (DPC) in the High Court, accusing the regulator of years of inactivity on RTB complaints.

In his complaint, Ryan expressed concern that the RTB systems of Google and IAB Europe (the digital advertising industry body) involve unauthorised and potentially unrestricted sharing and processing of personal data.

In numerous cases, he believes that Google and IAB have violated the EU GDPR.

ICCL has also complained to the EU Ombudsman about the European Commission's failure to adequately oversee implementation of the legislation, prompting the EU Ombudsman to initiate an investigation into the Commission's claims to the contrary early this year.
 
I'd even put that into the "Internet Security" thread ...
 
Maybe not directly security but seems to be related somewhat:

https://restofworld.org/2022/google-meta-underwater-cables/

Google and Meta’s new subsea cables mark a tectonic shift in how the internet works, and who controls it.

...

These two new pieces of infrastructure will connect Africa to the global internet more robustly than ever, but they will also place an unprecedented level of control in the hands of the U.S.-based tech giants. Google and Meta’s ambitions to build and own global data links mark a tectonic shift in how the internet works and who controls it.

The internet’s initial promise was to decentralize telecommunications, releasing consumers from the monopoly grip of telecoms incumbents. Over the last 30 years, the internet has done that, and much more. But undersea cables, owned by the internet’s behemoths, hint at a return to where we started: a near future in which a select group of massive corporations have not merely tightened their hold on our online activity but have deliberately rebuilt the internet for their own use, according to their own specifications, from the ocean floor up.
 
This was big news in my country ten days ago. I don't know about the rest of the world, so here it is, just in case:

Thousands of Popular Websites See What You Type - Before You Hit Submit

When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn't matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn't always the case, according to new research: A surprising number of websites are collecting some or all of your data as you type it into a digital form.

Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user's email address without their consent, and a staggering 2,950 logged a US user's email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.
[. . .]
"If there's a Submit button on a form, the reasonable expectation is that it does something - that it will submit your data when you click it," says Gunes Acar, a professor and researcher in Radboud University's digital security group and one of the leaders of the study. "We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far."
[. . .]
They point out that, at its core, the behavior is similar to so-called key loggers, which are typically malicious programs that log everything a target types. But on a mainstream top-1,000 site, users probably won't expect to have their information keylogged. And in practice, the researchers saw a few variations of the behavior. Some sites logged data keystroke by keystroke, but many grabbed complete submissions from one field when users clicked to the next.
[. . .]
"The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop," Acar says. "An email address is such a useful identifier for tracking, because it's global, it's unique, it's constant. You can't clear it like you clear your cookies. It's a very powerful identifier."

Luckily I have a different e-mail address for every website I need to log in to.
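The behaviour the article describes can be checked from the network side: record the page's requests, note when Submit was actually clicked, and look for the typed address in anything sent earlier. The following is an added example, not code from the article or the KU Leuven/Radboud/Lausanne study: it runs that check over a constructed request log (hosts, timestamps and bodies are made up) and also matches URL-encoded, base64 and hashed forms of the address, which is an assumption of this example rather than something the quoted text states.

```python
import base64
import hashlib
import urllib.parse

def email_fingerprints(email):
    """Forms the typed address may travel in; matching hashed forms is an assumption of this example."""
    e = email.strip().lower()
    forms = {"raw": e, "urlencoded": urllib.parse.quote(e, safe=""),
             "base64": base64.b64encode(e.encode()).decode()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, e.encode()).hexdigest()
    return forms

def find_pre_submit_leaks(requests, typed_email, submit_time, first_party_host):
    """Requests sent before the Submit click whose URL or body carries the typed address in any form."""
    forms = email_fingerprints(typed_email)
    leaks = []
    for req in sorted(requests, key=lambda r: r["t"]):
        if req["t"] >= submit_time:
            continue  # the real submission; only earlier traffic counts as a leak
        haystack = req["url"] + " " + req.get("body", "")
        matched = [name for name, value in forms.items() if value in haystack]
        if matched:
            host = urllib.parse.urlsplit(req["url"]).hostname
            leaks.append({"t": req["t"], "host": host, "matched": matched,
                          "third_party": host != first_party_host})
    return leaks

# Constructed request log for a checkout page: seconds since page load, URL, optional POST body.
SUBMIT_TIME = 5.0
SAMPLE_REQUESTS = [
    {"t": 0.4, "url": "https://shop.example.com/static/app.js"},
    {"t": 1.2, "url": "https://analytics.example.net/collect?e=alice%40example.com&ev=blur"},
    {"t": 3.5, "url": "https://tracker.example.org/id",
     "body": "h=" + email_fingerprints("alice@example.com")["sha256"]},
    {"t": 5.0, "url": "https://shop.example.com/checkout", "body": "email=alice%40example.com&qty=1"},
]

def demo():
    """Run the check over the constructed log; two third-party requests carry the address before Submit."""
    return find_pre_submit_leaks(SAMPLE_REQUESTS, "alice@example.com", SUBMIT_TIME, "shop.example.com")
```

On a real page the request list would come from the browser's network export (HAR), and the submit time from the checkout request itself.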
 
The impending demise of Internet Explorer now has its own doomsday clock:

https://www.microsoft.com/en-us/edge/business

(I kinda wish the old Active Desktop system was still around so I could change a few managers' desktops into that clock.)
 
The impending demise of Internet Explorer now has its own doomsday clock:

https://www.microsoft.com/en-us/edge/business

(I kinda wish the old Active Desktop system was still around so I could change a few managers' desktops into that clock.)

That's for the best; it didn't implement HTML/CSS correctly and was not very secure. The new version, Edge, is based on Blink/V8, like most browsers are these days (except Firefox, I think), and it's a much better implementation.

Of course it depends how they modified it with their "security and innovation".
 