U.S. No Fly List Left on Unprotected Airline Server

In remarks to the Daily Dot, crimew said that they had made the discovery while searching for Jenkins servers on the specialized search engine Shodan. Jenkins provides automation servers that aid in the building, testing, and deployment of software. Shodan is used throughout the cybersecurity community to locate servers exposed to the open internet

Source: U.S. No Fly List Left on Unprotected Airline Server

Login With Facebook data hijacked by JavaScript trackers

When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site” writes Englehardt. This chart shows that what some trackers are pulling from users. Freedom To Tinker warned OnAudience about another security issue recently, leading it to stop collecting user info.

Source: Login With Facebook data hijacked by JavaScript trackers | TechCrunch

Don’t use Facebook.

The Equifax Hack Has the Hallmarks of State-Sponsored Pros

The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Source: The Equifax Hack Has the Hallmarks of State-Sponsored Pros – Bloomberg

The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”

Equifax Breach Response Turns Dumpster Fire

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans.

Source: Equifax Breach Response Turns Dumpster Fire — Krebs on Security

Configure Windows telemetry in your organization (Windows 10)

Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.

Source: Configure Windows telemetry in your organization (Windows 10)

Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

Security experts counter that such arguments ignore the fact that even end-to-end encrypted technology leaves a trail of metadata behind that can be used to parse who is talking to whom, when and where. “Encryption is really good at making it difficult to hide the content of communications, but not good at hiding the presence of communications,” said Matt Blaze, a computer security expert at the University of Pennsylvania.

Source: Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

South Korea-backed app puts children at risk

In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app, which is free.

Source: APNewsBreak: South Korea-backed app puts children at risk – Houston Chronicle

Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app’s 380,000 users could be compromised at once.

Almost None of the Women in the Ashley Madison Database Ever Used the Site

When you look at the evidence, it’s hard to deny that the overwhelming majority of men using Ashley Madison weren’t having affairs. They were paying for a fantasy.

Source: Almost None of the Women in the Ashley Madison Database Ever Used the Site

The question is, how do you find fakes in a sea of data? Answering that becomes more difficult when you consider that even real users of Ashley Madison were probably giving fake information at least some of the time. But wholesale fakery still leaves its traces in the profile data. I spoke with a data scientist who studies populations, who told me to compare the male and female profiles in aggregate, and look for anomalous patterns.

Online Cheating Site AshleyMadison Hacked

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

Source: Online Cheating Site AshleyMadison Hacked — Krebs on Security

Encryption “would not have helped” at OPM, says DHS official

But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Source: Encryption “would not have helped” at OPM, says DHS official | Ars Technica

A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root.