The Data Breach Thread

Max Peck
Posts: 13753
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Does one little old hacked email account a data breach make? In this case, maybe it does...

Wikileaks claims release of CIA boss John Brennan's emails
Wikileaks claims to have released some of the contents of CIA director John Brennan's personal email account. Six documents published on the Wikileaks website include a draft security clearance application containing personal information.

A CIA statement said the hacking of the Brennan family account was a crime carried out with malicious intent.

A high-school student claimed he was responsible and told the New York Post that he had found work-related files. The newspaper said he was angry about US foreign policy. His Twitter account, where he is described as 13 years old, has published redacted images of what appears to be government information.

Wikileaks announced in a tweet on Wednesday that it would release some of the information later in the day. The documents - made available a few hours later - also included a draft on national security challenges said to have been created in 2007. The last unfinished paragraph is headed "Damaging Leaks of Classified Information". A 2008 letter about interrogation methods is also included, purporting to be from the vice-chairman of the Senate Select Committee on Intelligence to his fellow board members.

Wikileaks said it would release more documents "over the coming days".
That last paragraph in the 2007 draft sounds like some grade-A irony. Or does it? I can never tell anymore... :think: Thanks Alanis!

The original report on this from Monday also states that the same punk was able to get into an email account belonging to Homeland Security Secretary Jeh Johnson, so keep your eyes peeled for another data dump. If this one is real, I'm guessing so is the other one. What were they using for passwords? 12345?
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

UK Telecom TalkTalk
The chief executive of TalkTalk, a British telecommunications provider, said on Friday that she had received a ransom demand from hackers who had claimed responsibility for stealing data on some of the company’s four million customers.

TalkTalk, which offers cable and fixed-line services in Britain, said local authorities had opened a criminal investigation into the widespread data breach. The hackers may have gained access to personal data on the company’s customers, including sensitive information like credit card details, dates of birth and addresses.
...
In a statement, the broadband provider said it did not know how much of its users’ data had been compromised, and that the British police were leading the investigation into the matter. TalkTalk said it had become aware of the breach late on Wednesday.
...
Despite the claims of responsibility, it remained unclear whether the group that had contacted TalkTalk was behind the breach or whether the ransom demands were credible.
It's almost as if people are the problem.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

This anecdote is data breach adjacent and shows why we are doomed (short-term at least). I am going through a background check right now. I just landed a gig helping a financial client with some cyber security work. They won't rely on my company's attestation about our background check and do their own. Ok - pretty standard for a financial client. The paperwork for the background check has all the information needed to completely steal an identity. Address, SSN, birthdate, etc. Everything. They have a fax and an email address. I elected to fax as it is generally (very hard) to intercept and even if intercepted there are all kinds of technical issues to get the data. I can't think of a single commercial breach that relied on attacking the fax channel...ever. Anyway, they claim the fax doesn't go through. I do it again. Doesn't go through. They want me to email it. The exchange below was about 5 minutes into a back and forth about emailing the forms on the phone:

Me: Ok - I'm not too keen on sending all my information over the Internet unencrypted - let's encrypt it...I'll...

BGCG: I don't know how (at this point he is getting exasperated with me on the phone). Why don't you just email it the way it is?

Me: I'm just not comfortable with that. Would you mind just trying the password? All you have to do is click the file and if it asks for the password we'll put it in over the phone - I can do it right now.

BGCG: I don't think that'll work. :grund:

My observation is that they do rather invasive background checks and that this has never come up is astonishing to me. It leads me to believe as a practice most people just send this stuff willy-nilly. Also the background check company is completely unprepared to deal with it and it's a simple reasonable practice that at least ties up the communications channel. I don't want to even think about how they are handling the data after they receive it but I can't control that. I guess the upside - is seemingly endless work. :)
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Hyatt
Hyatt Hotels Corp said on Wednesday that its payment processing system was infected with credit-card-stealing malware in an attack discovered three weeks ago, the latest in a series of breaches at hospitality firms.

Company spokeswoman Stephanie Sheppard said in an email late on Wednesday that the attack was discovered on Nov. 30.

She did not say if the attackers succeeded in stealing payment card numbers, how long its network was infected or how many of the chain's 627 hotels were affected.
...
Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.

Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc last month disclosed attacks on payment processing systems. Donald Trump's luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

FireEye Inc said that Hyatt had hired it to help the company investigate the attack. FireEye's Mandiant unit is one of the biggest providers of response services to companies that are victims of cyber attacks.

Representatives at a Hyatt call center set up to handle inquiries about the breach said the malware was programmed to collect payment cardholder names, card numbers, expiration dates and internal verification codes.
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

25 Worst Passwords You Should Never Use (But Probably Do)

Topping the list 2 years in a row:
1. 123456
2. password
Last edited by Moliere on Wed Jan 27, 2016 6:44 pm, edited 1 time in total.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Wendy's
Burger chain operator Wendy's Co. said on Wednesday it was investigating reports of unusual activity with payment cards used at some of its 5,700 locations in the United States.

"Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants," Wendy's spokesman Bob Bertini told Reuters in an email statement.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Fraternal Order of Police
Private files belonging to America’s biggest police union, including the names and addresses of officers, forum posts critical of Barack Obama, and controversial contracts made with city authorities, were posted online on Thursday after a hacker breached its website.

The Fraternal Order of Police (FOP), which says it represents about 330,000 law enforcement officers across the US, said the FBI was investigating after 2.5GB of data taken from its servers was dumped online and swiftly shared on social media. The union’s national site, fop.net, remained offline on Thursday evening.
...
[Chuck Canterbury, the FOP’s national president] said he was confident that no sensitive personal information or financial details of their members had been obtained. “Some names and addresses were taken,” he said. “It concerns us. We’re taking steps to try to notify our members but that is going to take some time.”

Threads from the FOP’s members-only online forum were also leaked, including some in which officers expressed anger at Obama, supreme court justice Sonia Sotomayor and “illegals” who were in the US without documentation.
...
Canterbury, the FOP president, said the union had called in security contractors to investigate and the hack had been traced to an IP address in the UK. “They were able to feed our system a pseudo-encryption key that the system should not have accepted but did because of software errors,” he said. FOP servers in Tennessee and Ohio were being examined.

In an online posting, a person using the screen name Cthulhu said he or she had released the files after receiving them from a source who wished to remain anonymous and wanted them made public “in light of an ever increasing divide between the police groups and the citizens of the US”. In a statement to the Guardian, Cthulhu added: “Our role is simply to present the material in an unadulterated form for the public to analyse.”

Canterbury blamed “anti-police rhetoric” for the hack. “This is just a group that is negative towards law enforcement,” he said. In the posting, Cthulhu denied being “anti-police”. Cthulhu also claimed to be holding back a total of 18 terabytes of police data, yet Canterbury insisted that nowhere near that amount of information was in the FOP systems.
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Los Angeles Hospital Pays Hackers $17,000 Ransom In Bitcoins
The president of Hollywood Presbyterian Medical Center said on Wednesday that his hospital paid hackers a ransom of $17,000 in bitcoins to regain control of their computer systems after a cyber attack.

Allen Stefanek said in a statement that paying the ransom was the "quickest and most efficient way" of regaining access to the affected systems, which were crippled on Feb. 5 and interfered with hospital staff's ability to communicate electronically.
A dangerous precedent?
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
El Guapo
Posts: 41326
Joined: Sat Jul 09, 2005 4:01 pm
Location: Boston

Re: The Data Breach Thread

Post by El Guapo »

Moliere wrote:Los Angeles Hospital Pays Hackers $17,000 Ransom In Bitcoins
The president of Hollywood Presbyterian Medical Center said on Wednesday that his hospital paid hackers a ransom of $17,000 in bitcoins to regain control of their computer systems after a cyber attack.

Allen Stefanek said in a statement that paying the ransom was the "quickest and most efficient way" of regaining access to the affected systems, which were crippled on Feb. 5 and interfered with hospital staff's ability to communicate electronically.
A dangerous precedent?
Of course it is. But at the same time, people might plausibly die if the staff can't get reliable and timely access to medical records - the hospital has to put that ahead of broader systemic concerns.
Black Lives Matter.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

FBI: Got hit by ransomware? Pay it.
The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”
Preventative measures
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

ISIS

If you're a member of ISIS your data might have been stolen.
Sky News claimed to have received a USB stick containing information on 22,000 IS recruits, including names, addresses, telephone numbers, places of birth and sponsors into the organization.

The data was apparently collected via detailed questionnaire forms by IS as would-be recruits passed into Syria.

It’s said to have been stolen from the head of IS internal security by a disillusioned former Free Syrian Army convert to the cause, who now claims that the movement has been taken over by former soldiers of Saddam Hussein’s Iraqi Baath party.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
ImLawBoy
Forum Admin
Posts: 14981
Joined: Tue Oct 12, 2004 9:49 pm
Location: Chicago, IL

Re: The Data Breach Thread

Post by ImLawBoy »

They'd better pay for my credit monitoring!
That's my purse! I don't know you!
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Beware shortened .gov links
Spam purveyors are taking advantage of so-called “open redirects” on several U.S. state Web sites to hide the true destination to which users will be taken if they click the link. Open redirects are potentially dangerous because they let spammers abuse the reputation of the site hosting the redirect to get users to visit malicious or spammy sites without realizing it.

For example, South Dakota has an open redirect:

http://dss.sd.gov/scripts/programredirect.asp?url=

…which spammers are abusing to insert the name of their site at the end of the script. Here’s a link that uses this redirect to route you through dss.sd.gov and then on to krebsonsecurity.com. But this same redirect could just as easily be altered to divert anyone clicking the link to a booby-trapped Web site that tries to foist malware.

The federal government’s stamp of approval comes into the picture when spammers take those open redirect links and use bit.ly to shorten them. Bit.ly’s service automatically shortens any US dot-gov or dot-mil (military) site with a “1.usa.gov” shortlink. That allows me to convert the redirect link to krebsonsecurity.com from the ungainly….

http://dss.sd.gov/scripts/programredire ... curity.com

…into the far less ugly and perhaps even official-looking:

http://1.usa.gov/1pwtneQ.
...
I generally don’t trust shortened links, and have long relied on the Unshorten.it extension for Google Chrome, which lets users unshorten any link by right clicking on it and selecting “unshorten this link”. Unshorten.it also pulls reputation data on each URL from Web of Trust (WOT).
It's almost as if people are the problem.
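The open-redirect problem described in the article quoted above, seen from the defender's side, as an added example that is not part of the original post or the quoted article. `safe_redirect_target`, `offsite_redirect_params`, `ALLOWED_HOSTS` and the `other.example` sample link are hypothetical names and constructed data; the first function is what a redirect script could apply to its `url=` parameter, the second flags links whose query string forwards to a different host.

```python
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allowlist: hosts the redirect script is allowed to send users to.
ALLOWED_HOSTS = {"dss.sd.gov"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return raw if it stays on an allowed host, otherwise the fallback path."""
    if not raw:
        return fallback
    # Browsers drop tabs/newlines and treat "\" like "/", so a value that
    # contains them may be parsed differently here than in the browser.
    if "\\" in raw or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return fallback
    raw = raw.strip()
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted local path such as "/x".
        return raw if raw.startswith("/") and not raw.startswith("//") else fallback
    if parts.scheme.lower() not in ("http", "https"):
        # Covers "javascript:", "data:" and scheme-relative "//host" values.
        return fallback
    # .hostname ignores userinfo and port, so "allowed@other" resolves to "other".
    host = (parts.hostname or "").lower()
    return raw if host in allowed_hosts else fallback


def offsite_redirect_params(link):
    """List (parameter, host) pairs where a query value is a URL on another host."""
    parts = urlsplit(link)
    own_host = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            inner = urlsplit(value.strip())
        except ValueError:
            continue
        inner_host = (inner.hostname or "").lower()
        if inner_host and inner_host != own_host:
            hits.append((name, inner_host))
    return hits


# Constructed sample: the redirect script named in the article, with a
# placeholder off-site target appended.
SAMPLE_LINK = (
    "http://dss.sd.gov/scripts/programredirect.asp"
    "?url=https://other.example/landing"
)

if __name__ == "__main__":
    for candidate in (
        "/programs/snap",
        "https://dss.sd.gov/programs",
        "https://other.example/landing",
        "//other.example/landing",
        "https://dss.sd.gov@other.example/",
    ):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
    print(offsite_redirect_params(SAMPLE_LINK))
```

A shortened link has to be expanded first; the second function only sees what is in the URL it is given.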
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Verizon
Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.

Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.
...
It’s a fair bet that if cyber thieves buy all or some of the Verizon Enterprise customer database, some of those customers may be easy marks for phishing and other targeted attacks. Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be a target-rich list: According to Verizon’s page at Wikipedia, some 99 percent of Fortune 500 companies are using Verizon Enterprise Solutions.
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Max Peck
Posts: 13753
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

A Minecraft-related data breach was discovered recently.
Hackers have stolen login data for more than seven million members of the Minecraft site Lifeboat. Lifeboat lets members run servers for customised, multiplayer maps for the smartphone edition of Minecraft. There is evidence that the stolen information, including email addresses and passwords, is being offered on sites that trade in hacked data. Analysis suggests passwords were very weakly protected so attackers could easily work them out.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Major Security Breaches Found In Google And Yahoo Email Services
Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Equifax, ADP W-2s
Identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees on Thursday. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year.

Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
...
The incident comes amid news first reported on this blog earlier this week that tax fraudsters similarly targeted employees of companies that used payroll giant ADP to give employees access to their W-2 data. ADP acknowledged that the incident affected employees at U.S. Bank and at least 11 other companies.
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Another Day, Another Hack: 117 Million LinkedIn Emails And Passwords
A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users.

The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach.

Turns out it was much worse than anybody thought.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Isgrimnur wrote:Turn on two-step authentication.
Activated. Good luck trying to hack my dormant mostly useless LinkedIn account now!
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
hitbyambulance
Posts: 10261
Joined: Wed Oct 13, 2004 3:51 am
Location: Map Ref 47.6°N 122.35°W

Re: The Data Breach Thread

Post by hitbyambulance »

Isgrimnur wrote:Turn on two-step authentication.
don't have a mobile phone, so i can't.

there should be something like those small RSA token keychain authenticators, with support for multiple accounts.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

CiCi's Pizza
CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Netflix becomes proactive:
Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.
...
The missive goes on to urge recipients to visit Netflix.com and click the “forgot your email or password” link to reset their passwords.

Netflix is taking this step because it knows from experience that cybercriminals will be using the credentials leaked from Tumblr, MySpace and LinkedIn to see if they work on a variety of third-party sites (including Netflix).
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Wendy's
When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”
It's almost as if people are the problem.
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Max Peck
Posts: 13753
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Doh! Who could have known that not checking all the possible threads where this could have been posted would bite me in the butt. :P
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Wendy's
At least 1,025 Wendy’s locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendy’s had said the breach impacted fewer than 300 locations.

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores. But in a statement last month, Wendy’s warned that its estimates about the size and scope of the breach were about to get much meatier.

Wendy’s has published a page that breaks down the breached restaurant locations by state.

Wendy’s is placing blame for the breach on an unnamed third-party that serves franchised Wendy’s locations, saying that a “service provider” that had remote access to the compromised cash registers got hacked.

For better or worse, countless restaurant franchises outsource the management and upkeep of their point-of-sale systems to third party providers, most of whom use remote administration tools to access and manage the systems remotely over the Internet.
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Breaches cause GoToMyPC reaction:
GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.

Owned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.
...
John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said.
...
It’s a fair bet that whoever perpetrated this attack had help from huge email and password lists recently leaked online from older breaches at LinkedIn, MySpace and Tumblr to name a few. Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea.
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Isgrimnur wrote:CiCi's Pizza
CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach.
130+ locations
Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peek inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real-time.
...
According to Cici’s, “the vast majority of the intrusions began in March of 2016,” but the company acknowledges that the breach started as early as 2015 at some locations. Cici’s said it was confident the malware has been removed from all stores. A list of affected locations is here (PDF).
It's almost as if people are the problem.
Max Peck
Posts: 13753
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site
A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of users can right now be compromised by merely visiting a malicious website, we understand.

This allows attackers complete access to user accounts in which hundreds and thousands of passwords are stored.

Little else is known of the flaw, found by proven and prolific white hat security researcher Tavis Ormandy, but the Google Project Zero hacker has form; he has torn apart every major antivirus platform finding horrific bugs including a zero-interaction remote code execution and wormable hole in Symantec kit, vulnerabilities in Avast offerings, server-side pain in Malwarebytes, and failures in Comodo, Kaspersky, and Bromium.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.
— Tavis Ormandy (@taviso) July 26, 2016

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
— Tavis Ormandy (@taviso) July 27, 2016

The bug will still need to be replayed by LastPass before patches are brewed. There is no news yet of in-the-wild attacks. Ormandy will set sights on popular password vault 1Password after this audit. ®

PS: Mathias Karlsson of Detectify Labs also found a password-extraction flaw in LastPass, which has been fixed.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

SSA TFA
The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.
...
The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:
  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.
It's almost as if people are the problem.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: The Data Breach Thread

Post by Octavious »

Apparently my BIL just had $4,500.00 dollars stolen out of his account via a bogus transfer. I guess he doesn't have the phone confirmation turned on. I know on my account if you try and login from another computer it will send me a text. He's not having a good day. :shock:
Capitalism tries for a delicate balance: It attempts to work things out so that everyone gets just enough stuff to keep them from getting violent and trying to take other people’s stuff.

Shameless plug for my website: www.nettphoto.com
hitbyambulance
Posts: 10261
Joined: Wed Oct 13, 2004 3:51 am
Location: Map Ref 47.6°N 122.35°W

Re: The Data Breach Thread

Post by hitbyambulance »

...
The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:
  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.
lol, isn't providing your... Social Security number good enough.. ;)
Moliere
Posts: 12367
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Microsoft singlehandedly proves that golden backdoor keys are a terrible idea
Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder.

These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.

What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys.

And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

If you haven't learned yet not to plug your device into random power cables, this probably won't make you care.
A little-known feature of many modern smartphones is their ability to duplicate video on the device’s screen so that it also shows up on a much larger display — like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping.

Dubbed “video jacking” by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine splits the phone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in — including PINs, passwords, account numbers, emails, texts, pictures and videos.
...
“Juice jacking” refers to the ability to hijack stored data when the user unwittingly plugs his phone into a custom USB charging station filled with computers that are ready to suck down and record said data (both Android and iOS phones now ask users whether they trust the computer before allowing data transfers).
...
Video jacking is a problem for users of HDMI-ready phones mainly because it’s very difficult to tell a USB cord that merely charges the phone versus one that also taps the phone’s video-out capability. Also, there’s generally no warning on the phone to alert the user that the device’s video is being piped to another source, Markus said.
...
Hopefully, your phone came with a 2-prong charging cord that plugs straight into a standard wall jack. If not, look into using a USB phone charger adapter that has a regular AC/DC power plug on one end and a female USB port on the other (just make sure you don’t buy this keystroke logger disguised as a USB phone charger). Carry an extra charging dock for your mobile device when you travel.

Also, check the settings of your mobile and see if it allows you to disable screen mirroring. Note that even if you do this, the mirroring capability might not actually turn off.
And, given how outlets are becoming crowded, you should probably invest in a portable battery pack charger as well.
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Isgrimnur wrote: SSA TFA
The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov.
Or not.
The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov. The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.
...
“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its mySocial Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.”
...
The SSA does still offer the text message feature as part of what it calls “extra security” options. These extra options by the way do include sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process.
...
Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.
It's almost as if people are the problem.
Isgrimnur
Posts: 82290
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

NSA
After a never-before-seen group announced it was in possession of a trove of malware developed by the elite hacking arm of the National Security Agency early this week, professional security researchers began working to try and determine whether the code the group released was truly developed by the NSA.

Working off of hints they found in the code, which was released by a group calling itself the “Shadow Broker,” researchers guessed it was authentic—but new documentation straight from the source appears to confirm the code’s provenance.

According to NSA documents obtained by Edward Snowden and reviewed by The Intercept, several elements in the released code line up with details in the agency’s own manuals and materials.
...
The tool allows the NSA to execute “man-in-the-middle” attacks, which intercept traffic on a network as it’s traveling from its origin to its destination. The agency used it to redirect users who think they’re browsing safe websites to NSA-run servers that infect their computers with malware—and then back to their destination before they know what happened. In a slide deck, the NSA used “cnn.com” as an example of the sort of site it could exploit to deliver its malicious code.
...
It’s still not clear how the tools leaked from the NSA. Snowden speculated on Twitter that the tools could have been found on a server it used to infect a target, but former NSA staffers interviewed by Motherboard said the leak could be the work of a “rogue insider,” claiming that some of the files in the leak would never have made it to an outside server.
It's almost as if people are the problem.