At a glance.
- Marketing data developed to profile users from their browsing behavior exposed.
- BlueLeaks dumps twenty-six years of stolen police files.
- Amnesty reports NSO Group tools likely to have been used against Moroccan journalist.
- Privacy of COVID-19 contact-tracing and symptom-logging apps questioned.
- Arrest made in a 2014 theft of personally identifiable information.
- An update on the strange case of goonism in Natick, Massachusetts.
Tracking, then spilling.
TechCrunch has reported that data collected on behalf of clients by Oracle's BlueKai unit, which uses cookies and "other tracking tech" to follow users as they browse the web, the better to develop profiles for marketing purposes, were exposed in unsecured servers. Security researcher Anurag Sen found the exposed data and shared it with TechCrunch, which confirmed that in addition to browsing activity (including such actions as purchases and requests to unsubscribe from newsletters) the information included names, home addresses, email addresses, and a range of other data that could identify individual users.
Oracle told TechCrunch that it was a misconfiguration issue on the part of two of its customers: “While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue.” The company declined to say whether it had notified affected individuals (the number of whom is unknown but apparently very large), and also declined to say whether it had notified data privacy regulators of the incident.
It's not clear from early reports where responsibility for the incident lies, with Oracle or with the two unnamed companies who misconfigured the databases in which they stored BlueKai's marketing feeds. In any case, the Electronic Frontier Foundation commented to TechCrunch that the sort of data BlueKai collects is extremely attractive to marketers. “Fine-grained records of people’s web-browsing habits can reveal hobbies, political affiliation, income bracket, health conditions, sexual preferences, and — as evident here — gambling habits. As we live more of our lives online, this kind of data accounts for a larger and larger portion of how we spend our time.”
BlueLeaks drops 270 gigabytes of stolen police files.
Distributed Denial of Secrets, a group described variously as hacktivist and as an alternative to WikiLeaks, has posted "ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more." The files are available, KrebsOnSecurity reports, in a searchable database. The National Fusion Center Association (NFCA) in an internal June 20th assessment confirmed that the data were indeed valid, and that the files in the leak were compiled between August 1996 and June 19, 2020, which covers almost sixteen more years than the ten DDoSecrets claimed in their tweeted communiqué.
The data include "names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files." The NFCA said in its internal alert, “Additionally, the data dump contains emails and associated attachments. Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports." The incident appears to be a case of damage inflicted through a third party. The NFCA believes the data were probably taken from Netsential, a contractor widely used by state fusion centers, by a threat actor who used compromised Netsential credentials to facilitate data exfiltration.
We've received comments on the breach from several industry experts. Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, commented on the breach in an email. "[BlueLeaks] will jeopardize legally protected people, like witnesses, who helped investigators convict dangerous criminals. The disclosure will now literally cause the death of the witnesses if their identity is revealed to the criminals or their bloodthirsty accomplices. Finally, it will substantially hinder the performance of daily law enforcement operations across the entire country, bolstering street crimes and violent crime, exposing thousands of helpless people to the risk of serious bodily injuries and death."
Bill Santos, President and COO, Cerberus Sentinel, said, "This incident highlights the importance of assuring the security of your vendors as well as your own infrastructure. Some of the larger incidents in recent history, in addition to this incident specifically, can be tied to a third party not handling or securing information appropriately. A regular review of your vendor ecosystem, as well as contractual obligations for security, is an important part of creating a true culture of security."
And Javvad Malik, Security Awareness Advocate at KnowBe4, commented, "This is a huge breach both in terms of size, the nature of data, and the length of time it spans. While details are not clear as to how the breach occurred, it does look like it stems from a third party, which serves as a reminder for organisations of all sizes that ensuring security across the complete supply chain is vital. Not only is up front due diligence necessary, but so is ongoing assurance. Smaller organisations which provide services should also be aware that they are legitimate targets and should not consider themselves to be 'too small to attack'."
Amnesty reports NSO Group tools likely to have been used against Moroccan journalist.
Moroccan journalist Omar Radi's iPhone was infected with spyware in a network injection attack that Amnesty International says looks like an application of NSO Group intercept technology. Amnesty says it had seen the technique, which requires the attacker to either use a rogue cell tower (like a Stingray) or to exploit access to the mobile carrier's internal infrastructure, used against at least one other Moroccan journalist. "Whereas previous techniques relied to some extent on tricking the user into taking an action," Amnesty's report says, "network injections allow for the automatic and invisible redirection of targets’ browsers and apps to malicious sites under the attackers’ control, most likely unknown to the victim. These will rapidly leverage software vulnerabilities in order to compromise and infect the device."
Amnesty believes the spyware installed was NSO Group's Pegasus. The group notes with displeasure that the incident with Radi's phone occurred just some three days after NSO Group announced a new policy designed to control abuse of its lawful intercept technology by authoritarian regimes.
COVID-19 contact-tracing and symptom-logging apps' privacy safeguards questioned.
Researchers at GuardSquare conclude that many of the contact-tracing apps being deployed by governments fall short in terms of privacy safeguards. They examined seventeen Android apps used in seventeen different countries and found that most lacked root detection, name obfuscation, string encryption, emulator detection, asset and resource encryption, or class encryption. Only one of the seventeen was "fully obfuscated and encrypted."
The International Digital Accountability Council, while acknowledging that most of the contact-tracing apps were developed with the best of intentions, found that eight apps they studied tend to overshare data with third parties. Some of that sharing is with companies like Branch, Crashlytics, and Facebook, and seems intended, the Washington Post notes, to optimize performance. Other sharing is less obviously related to performance optimization. The symptom-logging apps Kencor Covid-19 and Care19, as well as the smart-thermometer app Kinsa, seem to be sharing data of the sort normally used for marketing.
An unknown actor (nom-de-hack "Database Shopping") is selling on the Raid Forum souk personally identifiable information of Indonesians who've been tested for COVID-19. AsiaOne reports that the information leaked from a government database.
Arrest made in 2014 PII theft.
BleepingComputer says that a Michigan man has been arrested in connection with the 2014 hacking of the University of Pittsburgh Medical Center (UPMC). Justin Sean Johnson was taken into custody last Tuesday on forty-three US Federal counts of conspiracy, wire fraud, and aggravated identity theft. Mr. Johnson is alleged to have improperly accessed UPMC's Oracle PeopleSoft human resource management system at the beginning of December 2013. Between January 21 and February 14, 2014, Mr. Johnson is alleged to have repeatedly accessed that system's data, extracting an unspecified set of personally identifiable information and W-2 tax forms.
Mr. Johnson is alleged to have sold the stolen data in various dark web souks. Trading under the noms-de-hack "TDS" and "DS," the Government says he worked such criminal-to-criminal markets as AlphaBay Market and Evolution. His clientele is said to have used the data to fraudulently file US Federal income tax returns that yielded $1.7 million in refunds. What happened to the money affords an interesting look at the operations of criminal remittances and the monetization of stolen data. The US Attorney for the Western District of Pennsylvania said that those who committed the tax fraud converted their refunds into Amazon gift cards, which they used to purchase various goods, which goods were in turn shipped to addresses in Venezuela.
The data stolen belonged to employees, not patients. UPMC is the Commonwealth of Pennsylvania's largest healthcare system, and information of more than 65,000 employees was taken during the incident.
What eBay's former CEO says he was thinking, at the time.
Recode has heard from eBay's former CEO Devin Wenig on the very strange case (a literal criminal case against five former eBay employees, some relatively senior, and one eBay contractor) of an elaborate effort to harass two bloggers in Massachusetts whose posts were generally less than positive about the online market. “On Monday, I read the charges along with everyone else, and was shocked and outraged. It is important for me to reiterate, and an independent investigation confirmed, that I had nothing to do with and no knowledge of the activities alleged to have occurred. There was no direction, no knowledge, no private understanding, no tacit approval. Ever.”
The blog the alleged corporate goons allegedly targeted, EcommerceBytes, reports business news to an audience of small merchants who trade on big online platforms. Some of its coverage and a lot of the chatter in its comment section were unfavorable to eBay in general and Mr. Wenig in particular. Mr. Wenig has not been charged in the case, but court documents include records of texts he sent his then-Chief Communications Officer, Steve Wymer (also not charged), twice telling Mr. Wymer to “take her down,” "her" being Ina Steiner, owner of and writer at EcommerceBytes. Mr. Wenig explained to Recode that his texts “have been wildly misinterpreted and taken completely out of context in some media reports," adding, “I was speaking off the cuff to a communications executive about my desire to be more aggressive in our PR effort; never in my wildest dreams would I fathom that, later, someone might associate that communication with the type of activity mentioned in the Massachusetts complaint."
Court documents also show that Mr. Wymer had hired a consultancy that recommended a benign and commonplace PR campaign that would “promote company-friendly content that would drive the Newsletter’s posts lower in search engine results.” But Mr. Wymer also texted (court documents say) such apparent glosses on that strategy as, “We are going to crush this lady."
Mr. Wenig regrets what the couple endured. “I am genuinely sorry for the couple that had to endure these obscene acts," Recode quotes him as saying. "No one should have to experience that, especially not a journalist. What happened isn’t representative of the company culture I spent 8 years building, or the employees I knew there.”
Thus it would seem to be the Henry II defense. When the King asked, in frustration, "Will no one rid me of this troublesome priest?" he didn't actually order four knights to travel from Normandy to Canterbury to hack St. Thomas à Becket to death. The knights just took his question out of context. Similarly, when Mr. Wenig texted "Take her down," he wasn't actually ordering people to travel to Natick, send bloody pig masks, think about installing a GPS tracker in her car, etc. They took his warm expression (repeated at least once) out of context.
Management gurus and teachers of leadership take note: intent can be communicated in various ways. Sometimes it's miscommunicated, at least in retrospect. And the details of execution may sometimes go too far.